Theater of the Absurd at the T.S.A.
By Randall Stross
New York Times
December 17, 2006
FOR theater on a grand scale, you can't do better than the audience-participation dramas performed at airports, under the direction of the Transportation Security Administration.
As passengers, we tender our boarding passes and IDs when asked. We stand in lines. We empty pockets. We take off shoes. We do whatever is asked of us in these mass rites of purification. We play our assigned parts, comforted in the belief that only those whose motives are good and true will be permitted to pass through.
Of course, we never see the actual heart of the security system: the government's computerized no-fly list, to which our names are compared when we check in for departure. The T.S.A. is much more talented, however, in the theater arts than in the design of secure systems. This becomes all too clear when we see that the agency's security procedures are unable to withstand the playful testing of a bored computer-science student.
In late October, Christopher Soghoian, a Ph.D. student in the School of Informatics at Indiana University, found his attention wandering during a lecture in his Cryptographic Protocols class. While sitting in class, he created a Web site he called "Chris's Northwest Airlines Boarding Pass Generator."
A visitor to the site could plug in any name, and Mr. Soghoian's software would create a page suitable for printing with a facsimile of a boarding pass, identical in appearance to one a passenger who had bought a Northwest Airlines ticket would generate when using the airline's at-home check-in option.
The fake pass could not be used to actually board a plane — boarding passes are checked at the gate against the roster of ticket buyers in the airline's database — but it could come in handy for several other purposes, Mr. Soghoian suggested, such as passing through airport security so you could meet your elderly grandparents at the gate.
Or, as he told his site's visitors, it could "demonstrate that the T.S.A. Boarding Pass/ID check is useless." It worked well, indeed.
No cryptographic recipe was cracked; no airline computer system was compromised. Without visiting an airport, Mr. Soghoian needed access to nothing other than a public Web site to embarrass those responsible for airport security.
To thank Mr. Soghoian for helping the government identify security weaknesses, the T.S.A. sent him a letter warning of possible felony criminal charges and fines, and ordered him to cease operations, which he promptly did. It was too late, however, to spare his apartment from an F.B.I. raid.
Richard L. Adams, the T.S.A.'s acting federal security director, said Mr. Soghoian's generator "could pose a threat to aviation security."
But Bruce Schneier, chief technology officer at BT Counterpane, a security consulting firm in Mountain View, Calif., emphatically disagreed. Anybody with Photoshop could create a fake boarding pass, he said. Mr. Soghoian's Web site simply eliminated the need to use Photoshop. The T.S.A.'s profession of outrage is nothing but "security theater," Mr. Schneier said, using the phrase he coined in 2003 to describe some of the agency's procedures.
Mr. Schneier is not alone in his view that the T.S.A. vilifies people who point out its flaws. Matthew Blaze, an associate professor of computer science at the University of Pennsylvania, did not regard Mr. Soghoian's generator as a dangerous breach of national security, either. "If a grad student can figure it out," he said, "we can assume agents of Al Qaeda can do the same."
The root problem, as some experts see it, is the T.S.A.'s reliance on IDs that are so easily obtained under false pretenses. "It would be wonderful if Osama bin Laden carried a photo ID that listed his occupation of ‘Evildoer,' " permitting the authorities to pluck him from a line, Mr. Schneier said. "The problem is, we try to pretend that identity maps to intentionality. But it doesn't."
Woe to him or her who happens to have a name identical to someone else deemed a possible menace to society and who finds, upon check-in, that the no-fly list places one's own name by Mr. bin Laden's. When a terror suspect's alias using the Kennedy name appeared on the list, gate agents blocked Senator Edward M. Kennedy of Massachusetts from boarding in Washington. And Boston. And Palm Beach, Fla. And New York. Each time, supervisors interceded on his behalf, but only because of his status as an elected official.
T.S.A. officials have said they think that the effectiveness of the no-fly list, as well as a "selectee" list — which permits flying but brings an extra round of physical screening — will improve if the task of comparing names against the lists is taken out of the airlines' hands and given to the agency. The name of this initiative is "Secure Flight."
Ostensibly interested in what security specialists and legal authorities on privacy issues thought of its Secure Flight plans, the agency convened an advisory group in January 2005. (Mr. Schneier was a member.) Nine months later, when the advisers turned in their final report, it showed that the T.S.A.'s planners had given little or no thought to basic security issues, such as the problem of stolen identities.
Expressing frustration, the T.S.A.'s advisers said in their report that the T.S.A. had been so tight-lipped when talking to them that they never received the information they needed to make a single substantive recommendation.
Professor Blaze has a great deal of experience publicly discussing the most sensitive of security vulnerabilities. He acknowledged that disclosure of a security weakness prompts "a natural and human response: ‘Why should we help the bad guys?' " The answer, he said, is that the bad guys aren't helped — because they almost certainly already know a system's weak points — and that disclosing the weaknesses brings pressure on government agencies and their suppliers to improve security for the good guys.
Last year, when Professor Blaze and his graduate students discovered a host of techniques for thwarting or deceiving government wiretapping systems, he said his group initially felt a spasm of hesitation about publishing academic papers about their findings. But they quickly returned to first principles — criminals had undoubtedly discovered the techniques; scientific inquiry requires openness — and prepared to publish their results.
Before proceeding, they called in the F.B.I. to explain and braced for an attempt to suppress their work. "To their credit," Professor Blaze said, "they understood and did nothing to try to stop it."
The T.S.A. shows no signs of similar enlightenment. The agency's investigation of Mr. Soghoian's short-lived boarding-pass experiment was continuing, a spokesman, Christopher White, said last week.
WHEN I asked Mr. Schneier of BT Counterpane what he would do if he were appointed leader of the T.S.A., he said he would return to the basic procedures for passenger screening used before the 2001 terrorist attacks, which was designed to do nothing more ambitious than "catch the sloppy and the stupid."
He said he would also ensure that passengers' bags fly only if the passenger does, improve emergency response capabilities and do away entirely with ID checks and secret databases and no-fly and selectee lists. He added that he would shift funds into basic investigation and intelligence work, which he believes produces results like the arrests of the London bomb suspects. "Put smart, trained officers in plainclothes, wandering in airports — that is by far the best thing the T.S.A. could do," he said.
The issues raised by the discovery of security vulnerabilities are not new. A. C. Hobbs, a locksmith who in 1853 wrote the book on locks and safes (the title: "Locks and Safes") knew that "many well-meaning persons" assume that public exposure of a lock's insecure design will end up helping criminals.
His response to this concern is no less apt today than it was then:
"Rogues are very keen in their profession, and know already much more than we can teach them."
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..