Schneier on Security
A blog covering security and security technology.
January 2010 Archives
I have no idea how to explain this.
This is well worth watching.
How unique is your browser? Can you be tracked simply by its characteristics? The EFF is trying to find out. Their site Panopticlick will measure the characteristics of your browser setup and tell you how unique it is.
I just ran the test on myself, and my browser is unique amongst the 120,000 browsers tested so far. It's my browser plugin details; no one else has the exact configuration I do. My list of system fonts is almost unique; only one other person has the exact configuration I do. (This seems odd to me; I have a week-old Sony laptop running Windows 7, and I haven't done anything with the fonts.)
EDITED TO ADD (1/29): There's a lot in the comments leading me to question the accuracy of this test. I'll post more when I know more.
EDITED TO ADD (2/12): Comments from one of the project developers.
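How a uniqueness measurement of this kind can be computed, as an added example (not EFF's code and not part of the original post): each browser is reduced to a few attributes, and rarity is expressed as bits of surprisal, log2(population / matching browsers). The eight-browser population, attribute names and function names are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample population: eight browsers, three attributes each.
POPULATION = [
    {"user_agent": "UA-A", "plugins": "PL-1", "fonts": "FT-1"},  # the browser under test
    {"user_agent": "UA-A", "plugins": "PL-1", "fonts": "FT-2"},
    {"user_agent": "UA-A", "plugins": "PL-2", "fonts": "FT-1"},
    {"user_agent": "UA-A", "plugins": "PL-2", "fonts": "FT-2"},
    {"user_agent": "UA-A", "plugins": "PL-2", "fonts": "FT-2"},
    {"user_agent": "UA-A", "plugins": "PL-3", "fonts": "FT-3"},
    {"user_agent": "UA-B", "plugins": "PL-3", "fonts": "FT-3"},
    {"user_agent": "UA-B", "plugins": "PL-2", "fonts": "FT-2"},
]
ATTRIBUTES = ("user_agent", "plugins", "fonts")


def anonymity_set_size(population, fingerprint, attributes=ATTRIBUTES):
    """Number of browsers that look identical on the chosen attributes."""
    return sum(
        1 for other in population
        if all(other[a] == fingerprint[a] for a in attributes)
    )


def surprisal_bits(population, fingerprint, attributes=ATTRIBUTES):
    """Bits of identifying information carried by the chosen attributes."""
    matching = anonymity_set_size(population, fingerprint, attributes)
    return math.log2(len(population) / matching)


def fraction_unique(population):
    """Share of browsers whose full fingerprint nobody else has."""
    counts = Counter(tuple(fp[a] for a in ATTRIBUTES) for fp in population)
    unique = sum(1 for fp in population
                 if counts[tuple(fp[a] for a in ATTRIBUTES)] == 1)
    return unique / len(population)


def report(population, fingerprint):
    """Per-attribute and combined surprisal for one browser."""
    result = {a: surprisal_bits(population, fingerprint, (a,)) for a in ATTRIBUTES}
    result["combined"] = surprisal_bits(population, fingerprint)
    return result


def bits_when_shared(population_size, sharers=1):
    """Surprisal of a value held by `sharers` browsers out of `population_size`."""
    return math.log2(population_size / sharers)


if __name__ == "__main__":
    for name, bits in report(POPULATION, POPULATION[0]).items():
        print(f"{name:10s} {bits:5.2f} bits")
    print("unique fraction:", fraction_unique(POPULATION))
    # The figures from the post: unique plugin list, font list shared with one other.
    print("plugins:", round(bits_when_shared(120_000), 2), "bits")
    print("fonts:  ", round(bits_when_shared(120_000, 2), 2), "bits")
```

In the sample, no single attribute of the first browser is unique, yet the combination is; the same effect is why a common user agent does little to hide a rare plugin or font list.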
Me, I'm celebrating -- but I'm not going to tell you how.
The team propose using a particle accelerator to alternately smash ionised hydrogen molecules and deuterium ions into targets of carbon and boron respectively. The collisions produce beams of gamma rays of various energies as well as neutrons. These beams are then passed through the cargo.
This seems like a bad idea:
Police in the UK are planning to use unmanned spy drones, controversially deployed in Afghanistan, for the "routine" monitoring of antisocial motorists, protesters, agricultural thieves and fly-tippers, in a significant expansion of covert state surveillance.
Once again, laws and technologies deployed against terrorism are used against much more mundane crimes.
Nice. Of course, this means that the TSA will start banning wallets on airplanes.
The notion that U.S. intelligence should have "connected the dots," and caught Abdulmutallab, isn't going away. This is a typical example:
So you'd need some "articulable facts" which could "reasonably warrant a determination" that the guy may be a terrorist based on his behavior. And one assumes his behavior would have to catch the attention of the authorities, correct?
Kevin Drum responds to this line by line:
...the more we learn, the less this seems to be holding water. Let's go through the list one by one:
I'd go even further on point 9. I fly 240,000 miles a year, and I almost never check luggage. And that goes double when flying in or out of the Third World. And I've also read that he didn't have a coat, something else that -- living in Minneapolis -- I regularly see.
As I keep saying, everything is obvious in hindsight. After the fact, it's easy to point to the bits of evidence and claim that someone should have "connected the dots." But before the fact, when there are millions of dots -- some important but the vast majority unimportant -- uncovering plots is a lot harder.
I wrote in 2002:
The problem is that the dots can only be numbered after the fact. With the benefit of hindsight, it's easy to draw lines from people in flight school here, to secret meetings in foreign countries there, over to interesting tips from foreign governments, and then to INS records. Before 9/11 it's not so easy. Rather than thinking of intelligence as a simple connect-the-dots picture, think of it as a million unnumbered pictures superimposed on top of each other. Or a random-dot stereogram. Is it a lion, a tree, a cast iron stove, or just an unintelligible mess of dots? You try and figure it out.
It's certainly possible that intelligence missed something that could have alerted them. And there have been reports saying that a misspelling of Abdulmutallab's name caused the Department of State to miss an alert. (I've also heard, although I can't find a link, that some database truncated his name because it was too long for the database field.) And I'm sure that a lot of the money we're wasting on full body scanners and other airport security measures could be much better spent increasing our intelligence and investigation capabilities. But be careful before you claim something that's obvious after the fact should have been obvious before the fact.
EDITED TO ADD (2/8): An essay along similar lines.
Okay, it's really the Rick Mercer Report.
The video is worth watching, even if you don't speak German. The scanner caught a subject's cell phone and Swiss Army knife -- and the microphone he was wearing -- but missed all the components to make a bomb that he hid on his body. Admittedly, he only faced the scanner from the front and not from the side. But he also didn't hide anything in a body cavity other than his mouth -- I didn't think about that one -- he didn't use low density or thinly sliced PETN, and he didn't hide anything in his carry-on luggage.
Full-body scanners: they're not just a dumb idea, they don't actually work.
Neat pictures. I would never have noticed it, which is precisely the point.
The bluestreak cleaner wrasse (Labroides dimidiatus) operates an underwater health spa for larger fish. It advertises its services with bright colours and distinctive dances. When customers arrive, the cleaner eats parasites and dead tissue lurking in any hard-to-reach places. Males and females will sometimes operate a joint business, working together to clean their clients. The clients, in return, dutifully pay the cleaners by not eating them.
I'm not sure what I can add to this: politically motivated attacks against Gmail from China. I've previously written about hacking from China. Shishir Nagaraja and Ross Anderson wrote a report specifically describing how the Chinese have been hacking groups that are politically opposed to them. I've previously written about censorship, Chinese and otherwise. I've previously written about broad government eavesdropping on the Internet, Chinese and otherwise. Seems that the Chinese got in through back doors installed to facilitate government eavesdropping, which I even talked about in my essay on eavesdropping. This new attack seems to be highly sophisticated, which is no surprise.
This isn't a new story, and I wouldn't have mentioned it at all if it weren't for the surreal sentence at the bottom of this paragraph:
The Google-China flap has already reignited the debate over global censorship, reinvigorating human rights groups drawing attention to abuses in the country and prompting U.S. politicians to take a hard look at trade relations. The Obama administration issued statements of support for Google, and members of Congress are pushing to revive a bill banning U.S. tech companies from working with governments that digitally spy on their citizens.
Of course, the bill won't go anywhere, but shouldn't someone inform those members of Congress about what's been going on in the United States for the past eight years?
EDITED TO ADD (1/19): Commentary on Google's bargaining position.
I don't know if this is real, but it seems perfectly reasonable that all of Facebook is stored in a huge database that someone with the proper permissions can access and modify. And it also makes sense that developers and others would need the ability to assume anyone's identity.
Rumpus: You've previously mentioned a master password, which you no longer use.
The phone's ringer is a pretty simple thing: there's a coil, a magnet and a hammer controlled by the magnet that hits the gongs when there is AC current in the coil. The ringer system is connected directly to the phone line when the phone is on hook. (Actually through a capacitor that protects the ringer system from DC current normally present in the line.)
Any facility executive involved in the design of a new building would agree that security is one important goal for the new facility. These days, facility executives are likely to say that green design is another priority. Unfortunately, these two goals are often in conflict. Consider the issues that arise when even a parking lot is being designed. From a security perspective, bright lights in the parking lot enable security cameras to pick up all activity at night. From a green point of view, a brightly lit parking lot is a waste of energy and a source of light pollution. An advocate of green design would argue for plenty of leafy trees and bushes in the parking lot to minimize the urban heat island effect; a security consultant would reply that trees in the lot will block surveillance cameras and provide hiding places for would-be criminals.
When he went to court for hearings, he could see the system was flawed. He would arrive on the twelfth floor in handcuffs and attached at the waist to a dozen other inmates. A correction officer would lead them into the bull pen, an area where inmates wait for their lawyers. From the bull pen, the inmates would follow their lawyers or court officials either up a set of back stairs into a courtroom or down a set of stairs.
President Obama, in his speech last week, rightly focused on fixing the intelligence failures that resulted in Umar Farouk Abdulmutallab being ignored, rather than on technologies targeted at the details of his underwear-bomb plot. But while Obama's instincts are right, reforming intelligence for this new century and its new threats is a more difficult task than he might like. We don't need new technologies, new laws, new bureaucratic overlords, or -- for heaven's sake -- new agencies. What prevents information sharing among intelligence organizations is the culture of the generation that built those organizations.
The U.S. intelligence system is a sprawling apparatus, spanning the FBI and the State Department, the CIA and the National Security Agency, and the Department of Homeland Security -- itself an amalgamation of two dozen different organizations -- designed and optimized to fight the Cold War. The single, enormous adversary then was the Soviet Union: as bureaucratic as they come, with a huge budget, and capable of very sophisticated espionage operations. We needed to defend against technologically advanced electronic eavesdropping operations, their agents trying to bribe or seduce our agents, and a worldwide intelligence gathering capability that hung on our every word.
In that environment, secrecy was paramount. Information had to be protected by armed guards and double fences, shared only among those with appropriate security clearances and a legitimate "need to know," and it was better not to transmit information at all than to transmit it insecurely.
Today's adversaries are different. There are still governments, like China, who are after our secrets. But the secrets they're after are more often corporate than military, and most of the other organizations of interest are like al Qaeda: decentralized, poorly funded and incapable of the intricate spy versus spy operations the Soviet Union could pull off.
Against these adversaries, sharing is far more important than secrecy. Our intelligence organizations need to trade techniques and expertise with industry, and they need to share information among the different parts of themselves. Today's terrorist plots are loosely organized ad hoc affairs, and those dots that are so important for us to connect beforehand might be on different desks, in different buildings, owned by different organizations.
Critics have pointed to laws that prohibited inter-agency sharing but, as the 9/11 Commission found, the law allows for far more sharing than goes on. It doesn't happen because of inter-agency rivalries, a reliance on outdated information systems, and a culture of secrecy. What we need is an intelligence community that shares ideas and hunches and facts on their versions of Facebook, Twitter and wikis. We need the bottom-up organization that has made the Internet the greatest collection of human knowledge and ideas ever assembled.
The problem is far more social than technological. Teaching your mom to "text" and your dad to Twitter doesn't make them part of the Internet generation, and giving all those cold warriors blogging lessons won't change their mentality -- or the culture. The reason this continues to be a problem, the reason President George W. Bush couldn't change things even after the 9/11 Commission came to much the same conclusions as President Obama's recent review did, is generational. The Internet is the greatest generation gap since rock and roll, and it's just as true inside government as out. We might have to wait for the elders inside these agencies to retire and be replaced by people who grew up with the Internet.
A version of this op-ed previously appeared in the San Francisco Chronicle.
I wrote about this in 2002.
EDITED TO ADD (1/17): Another opinion.
Interesting TED talk:
Loretta Napoleoni details her rare opportunity to talk to the secretive Italian Red Brigades -- an experience that sparked a lifelong interest in terrorism. She gives a behind-the-scenes look at its complex economics, revealing a surprising connection between money laundering and the US Patriot Act.
Good commentary from former CIA analyst Ray McGovern:
The short answer to the second sentence is: Yes, it is inevitable that "certain plots will succeed."
I've written about this sort of thing before:
A robber bored a hole through the wall of a jewelry shop and walked off with about 200 luxury watches worth 300 million yen ($3.2 million) in Tokyo's upscale Ginza district, police said Saturday.
From Secrets and Lies, p. 318:
Threat modeling is, for the most part, ad hoc. You think about the threats until you can’t think of any more, then you stop. And then you’re annoyed and surprised when some attacker thinks of an attack you didn’t. My favorite example is a band of California art thieves that would break into people’s houses by cutting a hole in their walls with a chainsaw. The attacker completely bypassed the threat model of the defender. The countermeasures that the homeowner put in place were door and window alarms; they didn’t make a difference to this attack.
One of the important things to consider in threat modeling is whether the attacker is looking for any victim, or is specifically targeting you. If the attacker is looking for any victim, then countermeasures that make you a less attractive target than other people are generally good enough. If the attacker is specifically targeting you, then you need to consider a greater level of security.
At least one company is touting its technology:
Nesch, a company based in Crown Point, Indiana, may have a solution. It’s called diffraction-enhanced X-ray imaging or DEXI, which employs proprietary diffraction enhanced imaging and multiple image radiography
Excellent commentary from The Register:
As the smoke clears following the case of Umar Farouk Abdul Mutallab, the failed Christmas Day "underpants bomber" of Northwest Airlines Flight 253 fame, there are just three simple points for us Westerners to take away.
Research result #1: "A Generalized Fission-Fusion Model for the Frequency of Severe Terrorist Attacks," by Aaron Clauset and Frederik W. Wiegel.
Plot the number of people killed in terrorist attacks around the world since 1968 against the frequency with which such attacks occur and you’ll get a power law distribution, that’s a fancy way of saying a straight line when both axes have logarithmic scales.
Research Result #2: "Universal Patterns Underlying Ongoing Wars and Terrorism," by Neil F. Johnson, Mike Spagat, Jorge A. Restrepo, Oscar Becerra, Juan Camilo Bohorquez, Nicolas Suarez, Elvira Maria Restrepo, and Roberto Zarama.
In the case of the Iraq war, we might ask how many conflicts causing ten casualties are expected to occur over a one-year period. According to the data, the answer is the average number of events per year times $10^{-2.3}$, or 0.005. If we instead ask how many events will cause twenty casualties, the answer is proportional to $20^{-2.3}$. Taking into account the entire history of any given war, one finds that the frequency of events on all scales can be predicted by exactly the same exponent.
This doesn't surprise me; power laws are common in naturally random phenomena.
Good essay from the Wall Street Journal:
It might be unrealistic to expect the average citizen to have a nuanced grasp of statistically based risk analysis, but there is nothing nuanced about two basic facts: (1) America is a country of 310 million people, in which thousands of horrible things happen every single day; and
Kevin Drum takes issue with the analysis:
Two things. First, this line of argument -- that terrorism is statistically harmless compared to lots of other activities -- will never work. For better or worse, it just won't. So we should knock it off.
While I agree that arguing that terrorism is statistically harmless isn't going to win any converts, I still think it's an important point to make. We routinely overestimate rare risks and underestimate common risks, and the more we recognize that cognitive bias, the better chance we have for overcoming it.
And Kevin illustrates another cognitive bias: we fear risks deliberately perpetrated by other people more than we do risks that occur by accident. And while we fear the unknown -- the "reminder that al-Qaeda is still out there and still eager to expand its reach and kill thousands if we ever decide to let our guard down a little bit" -- more than the familiar, the reality is that automobiles will kill over 3,000 people this month, next month, and every month from now until the foreseeable future, irrespective of whether we let our guard down or not. There simply isn't any reasonable scenario by which terrorism even approaches that death toll.
Yes, the risks are different. Your personal chance of dying in a car accident depends on where you live, how much you drive, whether or not you drink and drive, and so on. But your personal chance of dying in a terrorist attack also depends on these sorts of things: where you live, how often you fly, what you do for a living, and so on. (There's also a control bias at work: we underestimate the risk in situations where we're in control, or think we're in control -- like driving -- and overestimate the risks in situations where we're not in control.) But as a nation we get to set our priorities, and decide how to spend our money. No one is suggesting we ignore the risks of terrorism -- and making people feel safe is a good thing to do -- but it makes no sense to focus so much effort and money on it when there are far worse risks to Americans.
Remember, the terrorists want us to be terrorized, and they've chosen this tactic precisely because we have all these cognitive biases that magnify their actions. We can fight back by refusing to be terrorized.
I think we should start calling them the "underpants of mass destruction."
On December 12, 2009, we factored the 768-bit, 232-digit number RSA-768 by the number field sieve. The number RSA-768 was taken from the now obsolete RSA Challenge list as a representative 768-bit RSA modulus. This result is a record for factoring general integers. Factoring a 1024-bit RSA modulus would be about a thousand times harder, and a 768-bit RSA modulus is several thousand times harder to factor than a 512-bit one. Because the first factorization of a 512-bit RSA modulus was reported only a decade ago it is not unreasonable to expect that 1024-bit RSA moduli can be factored well within the next decade by an academic effort such as ours.... Thus, it would be prudent to phase out usage of 1024-bit RSA within the next three to four years.
Light-up squid quilt.
Jon Stewart didn't use the words "security theater," but he was pretty funny on January 4.
Kind of a dumb mistake:
The USB drives in question encrypt the stored data via the practically uncrackable AES 256-bit hardware encryption system. Therefore, the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism. When analysing the relevant Windows program, the SySS security experts found a rather blatant flaw that has quite obviously slipped through testers' nets. During a successful authorisation procedure the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations -- and this is the case for all USB Flash drives of this type.
Nice piece of analysis work.
The article goes on to question the value of the FIPS certification:
The real question, however, remains unanswered -- how could USB Flash drives that exhibit such a serious security hole be given one of the highest certificates for crypto devices? Even more importantly, perhaps -- what is the value of a certification that fails to detect such holes?
The problem is that no one really understands what a FIPS 140-2 certification means. Instead, they think something like: "This crypto thingy is certified, so it must be secure." In fact, FIPS 140-2 Level 2 certification only means that certain good algorithms are used, and that there is some level of tamper resistance and tamper evidence. Marketing departments of security companies take advantage of this confusion -- it's not only FIPS 140, it's all the security standards -- and encourage their customers to equate conformance to the standard with security.
So when that equivalence is demonstrated to be false, people are surprised.
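The flaw described in the quoted analysis, as an added example (not code from SySS, the drive vendors or this blog): a toy Python model of a drive whose host program checks the password and then sends a fixed string, beside a design in which the unlock message is derived from the password and unwraps the data key on the device. All class and function names, the placeholder string and the XOR masking used as a stand-in for a real key-wrap algorithm are assumptions.

```python
import hashlib
import hmac
import os

# Constructed placeholder for the fixed string the quoted analysis describes.
FIXED_UNLOCK_STRING = b"constructed-fixed-unlock-string"


def stretch(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte key from the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class FlawedDrive:
    """The password check lives only in the host program; the firmware
    unlocks whenever it receives one fixed string."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self._host_verifier = stretch(password, self.salt)  # host-side state
        self.last_message = b""
        self.unlocked = False

    def host_unlock(self, password: str) -> bool:
        # Host side: verify the password, then send the same string every time.
        if not hmac.compare_digest(stretch(password, self.salt), self._host_verifier):
            return False
        return self.receive(FIXED_UNLOCK_STRING)

    def receive(self, message: bytes) -> bool:
        # Device side: the firmware never sees anything tied to the password.
        self.last_message = message
        self.unlocked = hmac.compare_digest(message, FIXED_UNLOCK_STRING)
        return self.unlocked


class HardenedDrive:
    """The device stores only a wrapped data key; the unlock message is the
    password-derived key that unwraps it."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        data_key = os.urandom(32)
        kek = stretch(password, self.salt)
        # XOR masking stands in for a real key-wrap algorithm (assumption).
        self._wrapped_key = bytes(a ^ b for a, b in zip(data_key, kek))
        self._key_check = hashlib.sha256(data_key).digest()
        self.last_message = b""
        self.data_key = None
        self.unlocked = False

    def host_unlock(self, password: str) -> bool:
        return self.receive(stretch(password, self.salt))

    def receive(self, message: bytes) -> bool:
        self.last_message = message
        self.data_key, self.unlocked = None, False
        if len(message) != 32:
            return False
        candidate = bytes(a ^ b for a, b in zip(self._wrapped_key, message))
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), self._key_check):
            self.data_key, self.unlocked = candidate, True
        return self.unlocked


def audit(drive_cls) -> dict:
    """Evaluation-style check: set different passwords on different drives,
    record what the host sends, and see whether it depends on the password."""
    a, b = drive_cls("correct horse"), drive_cls("battery staple")
    if not (a.host_unlock("correct horse") and b.host_unlock("battery staple")):
        raise RuntimeError("legitimate unlock failed")
    untouched = drive_cls("a third password")
    return {
        "constant_message": hmac.compare_digest(a.last_message, b.last_message),
        "opens_other_drive": untouched.receive(a.last_message),
    }


if __name__ == "__main__":
    print("flawed  :", audit(FlawedDrive))
    print("hardened:", audit(HardenedDrive))
```

Both models use a strong primitive, so an algorithm-list review passes either one; only a test of what actually crosses the host-to-device boundary tells them apart.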
I wrote about intelligence failures back in 2002.
EDITED TO ADD (1/7): Tom Toles cartoon on connecting the dots.
In the headlong rush to "fix" security after the Underwear Bomber's unsuccessful Christmas Day attack, there's been far too little discussion about what worked and what didn't, and what will and will not make us safer in the future.
The security checkpoints worked. Because we screen for obvious bombs, Umar Farouk Abdulmutallab -- or, more precisely, whoever built the bomb -- had to construct a far less reliable bomb than he would have otherwise. Instead of using a timer or a plunger or a reliable detonation mechanism, as would any commercial user of PETN, he had to resort to an ad hoc and much more inefficient homebrew mechanism: one involving a syringe and 20 minutes in the lavatory and we don't know exactly what else. And it didn't work.
Yes, the Amsterdam screeners allowed Abdulmutallab onto the plane with PETN sewn into his underwear, but that's not a failure, either. There is no security checkpoint, run by any government anywhere in the world, designed to catch this. It isn't a new threat; it's more than a decade old. Nor is it unexpected; anyone who says otherwise simply isn't paying attention. But PETN is hard to explode, as we saw on Christmas Day.
Additionally, the passengers on the airplane worked. For years, I've said that exactly two things have made us safer since 9/11: reinforcing the cockpit door and convincing passengers that they need to fight back. It was the second of these that, on Christmas Day, quickly subdued Abdulmutallab after he set his pants on fire.
To the extent security failed, it failed before Abdulmutallab even got to the airport. Why was he issued an American visa? Why didn't anyone follow up on his father's tip? While I'm sure there are things to be improved and fixed, remember that everything is obvious in hindsight. After the fact, it's easy to point to the bits of evidence and claim that someone should have "connected the dots." But before the fact, when there are millions of dots -- some important but the vast majority unimportant -- uncovering plots is a lot harder.
Despite this, the proposed fixes focus on the details of the plot rather than the broad threat. We're going to install full-body scanners, even though there are lots of ways to hide PETN -- stuff it in a body cavity, spread it thinly on a garment -- from the machines. We're going to profile people traveling from 14 countries, even though it's easy for a terrorist to travel from a different country. Seating requirements for the last hour of flight were the most ridiculous example.
The problem with all these measures is that they're only effective if we guess the plot correctly. Defending against a particular tactic or target makes sense if tactics and targets are few. But there are hundreds of tactics and millions of targets, so all these measures will do is force the terrorists to make a minor modification to their plot.
It's magical thinking: If we defend against what the terrorists did last time, we'll somehow defend against what they do next time. Of course this doesn't work. We take away guns and bombs, so the terrorists use box cutters. We take away box cutters and corkscrews, and the terrorists hide explosives in their shoes. We screen shoes, they use liquids. We limit liquids, they sew PETN into their underwear. We implement full-body scanners, and they're going to do something else. This is a stupid game; we should stop playing it.
But we can't help it. As a species, we're hardwired to fear specific stories -- terrorists with PETN underwear, terrorists on subways, terrorists with crop dusters -- and we want to feel secure against those stories. So we implement security theater against the stories, while ignoring the broad threats.
What we need is security that's effective even if we can't guess the next plot: intelligence, investigation, and emergency response. Our foiling of the liquid bombers demonstrates this. They were arrested in London, before they got to the airport. It didn't matter if they were using liquids -- which they chose precisely because we weren't screening for them -- or solids or powders. It didn't matter if they were targeting airplanes or shopping malls or crowded movie theaters. They were arrested, and the plot was foiled. That's effective security.
Finally, we need to be indomitable. The real security failure on Christmas Day was in our reaction. We're reacting out of fear, wasting money on the story rather than securing ourselves against the threat. Abdulmutallab succeeded in causing terror even though his attack failed.
If we refuse to be terrorized, if we refuse to implement security theater and remember that we can never completely eliminate the risk of terrorism, then the terrorists fail even if their attacks succeed.
This essay previously appeared on Sphere, the AOL.com news site.
EDITED TO ADD (1/8): Similar sentiment.
Slate is hosting an airport security suggestions contest: ideas "for making airport security more effective, more efficient, or more pleasant." Deadline is midday Friday.
I had already submitted a suggestion before I was asked to be a judge. Since I'm no longer eligible, here's what I sent them:
Reduce the TSA's budget, and spend the money on:
Probably not what they were looking for, and certainly not anything the government is even going to remotely consider -- but the smart solution all the same.
Retail theft by employees has always been a problem, but gift cards make it easier:
At the Saks flagship store in Manhattan, a 23-year-old sales clerk was caught recently ringing up $130,000 in false merchandise returns and siphoning the money onto a gift card.
That last tactic is particularly Grinch-like.
Over at fivethirtyeight.com, Nate Silver crunches the numbers and concludes that, at least as far as terrorism is concerned, air travel is safer than it's ever been:
In the 2000s, a total of 469 passengers (including crew and terrorists) were killed worldwide as the result of Violent Passenger Incidents, 265 of which were on 9/11 itself. No fatal incidents have occurred since nearly simultaneous bombings of two Russian aircraft on 8/24/2004; this makes for the longest streak without a fatal incident since World War II. The overall death toll during the 2000s is about the same as it was during the 1960s, and substantially less than in the 1970s and 1980s, when violent incidents peaked. The worst individual years were 1985, 1988 and 1989, in that order; 2001 ranks fourth.
Why? Because over the past decade, the risk of airplane terrorism has been very low:
Over the past decade, according to BTS, there have been 99,320,309 commercial airline departures that either originated or landed within the United States. Dividing by six, we get one terrorist incident per 16,553,385 departures.
In 2008, 37,000 people died in automobile accidents -- the lowest number since 1961. Even so, that's more than a 9/11 worth of fatalities every month, month after month, year after year.
David Brooks makes some very good points in this New York Times op-ed from last week:
All this money and technology seems to have reduced the risk of future attack. But, of course, the system is bound to fail sometimes. Reality is unpredictable, and no amount of computer technology is going to change that. Bureaucracies are always blind because they convert the rich flow of personalities and events into crude notations that can be filed and collated. Human institutions are always going to miss crucial clues because the information in the universe is infinite and events do not conform to algorithmic regularity.
There's a pervasive belief in this society that perfection is possible. So if something bad occurs, it can never be because we just got unlucky. It must be because something went wrong and someone is at fault, and therefore things must be fixed. Sometimes, though, this simply isn't true. Sometimes it's better not to fix things: either there is no fix, or the fix is more expensive than living with the problem, or the side effects of the fix are worse than the problem. And sometimes you can do everything right and have it still turn out wrong. Welcome to the real world.
EDITED TO ADD (1/8): Glenn Greenwald on "The Degrading Effects of Terrorism Fears."
Over at "Ask the Pilot," Patrick Smith has a great idea:
Calling all artists: One thing TSA needs, I think, is a better logo and a snappy motto. Perhaps there's a graphic designer out there who can help with a new rendition of the agency's circular eagle-and-flag motif. I'm imagining a revised eagle, its talons clutching a box cutter and a toothpaste tube. It says "Transportation Security Administration" around the top. Below are the three simple words of the TSA mission statement: "Tedium, Weakness, Farce."
Let's do it. I'm announcing the TSA Logo Contest. Rules are simple: create a TSA logo. People are welcome to give ideas in the comments, but only actual created logos are eligible to compete. (When my website administrator wakes up, I'll ask him how we can post images in the comments.) Contest ends on February 6. Winner receives copies of my books, copies of Patrick Smith's book, an empty 12-ounce bottle labeled "saline" that you can refill and get through any TSA security checkpoint, and a fake boarding pass on any flight for any date.
EDITED TO ADD (1/6): Please leave links to your submissions in the comments, and I will add them to the post. After the contest is over, I'll choose five finalists and post them. The winner will be chosen by popular acclaim.
EDITED TO ADD: vote on the finalists here.
An unidentified man breached airport security at Newark Airport on Sunday, walking into the secured area through the exit, prompting the evacuation of a terminal and flight delays that continued into the next day. This isn't common, but it happens regularly. The result is always the same, and it's not obvious that fixing the problem is the right solution.
This kind of security breach is inevitable, simply because human guards are not perfect. Sometimes it's someone going in through the out door, unnoticed by a bored guard. Sometimes it's someone running through the checkpoint and getting lost in the crowd. Sometimes it's an open door that should be locked. Amazing as it seems to frequent fliers, the perpetrator often doesn't even know he did anything wrong.
Basically, whenever there is -- or could be -- an unscreened person lost within the secure area of an airport, there are two things the TSA can do. They can say "this isn't a big deal," and ignore it. Or they can evacuate everyone inside the secure area, search every nook and cranny -- inside the large boxes of napkins at the fast food restaurant, above the false ceilings in the bathrooms, everywhere -- looking for anyone hiding or anything anyone hid, and then rescreen everybody: causing delays of six, eight, twelve, or more hours. That's it; those are the options. And there's no way someone in charge will choose to ignore the risk; even if the odds of a terrorist exploit are minuscule, it'll cost him his career if he's wrong.
Several European airports have their security screening organized differently. At Schiphol Airport in Amsterdam, for example, passengers are screened at the gates. This is more expensive and requires a substantially different airport design, but it does mean that if there is a security breach, only the gate has to be evacuated and searched, and the people rescreened.
American airports can do more to secure against this risk, but I'm reasonably sure it's not worth it. We could double the guards to reduce the risk of inattentiveness, and redesign the airports to make this kind of thing less likely, but those are expensive solutions to an already rare problem. As much as I don't like saying it, the smartest thing is probably to live with this occasional but major inconvenience.
This essay originally appeared on ThreatPost.com.
EDITED TO ADD (1/9): A first-person account of the chaos at Newark Airport, with observations and recommendations.
"Unpredictable" security as applied to air passenger screening means that sometimes (perhaps most of the time), certain checks that might detect terrorist activity are not applied to some or all passengers on any given flight. Passengers can't predict or influence when or whether they will be subjected to any particular screening mechanism. And so, the strategy assumes, the would-be terrorist will be forced to prepare for every possible mechanism in the TSA's arsenal, effectively narrowing his or her range of options enough to make any serious mischief infeasible.
EDITED TO ADD (1/5): In this blog post, a reader of Andrew Sullivan's blog argues that the terrorist didn't care if he blew the plane up or not, that he went back to his seat instead of detonating the explosive in the toilet precisely because he wanted his fellow passengers to see his attempt -- just in case it failed.
I've been reading a lot recently -- like this article on the Israeli airport security model, and how we should adopt more of the Israeli security model here in the U.S. This sums up the problem with that idea nicely:
On the other hand, no matter how safe or how wonderful the flying experience on El Al, it is a TINY airline by U.S. standards, with only 38 aircraft, 46 destinations, and fewer than two million passengers in 2008. As near as I can tell, Cairo is their only destination in a majority Muslim country. Delta, before the Northwest merger is included, reported 449 aircraft and 375 destinations.
Simply put, the Israeli airport security model does not scale.
EDITED TO ADD (1/7): More.
EDITED TO ADD (1/12): Interview with El Al's former head of security.
This is refreshing:
Father Lombardi said it was not realistic to think the Vatican could ensure 100% security for the Pope and that security guards appeared to have acted as quickly as possible.
EDITED TO ADD (1/4): This is particularly enlightened in comparison to the fears that somehow the U.S. president was endangered by people sneaking into a dinner with him. Presidents meet and shake hands with uncleared random people all the time; the Secret Service knows how to deal with that sort of thing.
With all the talk about the failure of airport security to detect the PETN that the Christmas bomber sewed into his underwear -- and to think I've been using the phrase "underwear bomber" as a joke all these years -- people forget that airport security played an important role in foiling the plot.
In order to get through airport security, Abdulmutallab -- or, more precisely, whoever built the bomb -- had to construct a far less reliable bomb than he would have otherwise; he had to resort to a much more ineffective detonation mechanism. And, as we've learned, detonating PETN is actually very hard.
Additionally, I don't think it's fair to criticize airport security for not catching the PETN. The security systems at airports aren't designed to catch someone strapping a plastic explosive to his body. Even more strongly: no security system, at any airport, in any country on the planet, is designed to catch someone doing this. This isn't a surprise. It isn't even a new idea. It wasn't even a new idea when I said this to then-TSA head Kip Hawley in 2007: "I don't want to even think about how much C4 I can strap to my legs and walk through your magnetometers." You can try to argue that the TSA, and other airport security organizations around the world, should have been redesigned years ago to catch this, but anyone who is surprised by this attack simply hasn't been paying attention.
EDITED TO ADD (1/4): I don't know what to make of this:
Ben Wallace, who used to work at defence firm QinetiQ, one of the companies making the technology, warned it was not a "big silver bullet".
You probably can't walk into a bank wearing this.