Schneier on 60 Minutes
I’ll be on 60 Minutes this Sunday. I honestly don’t know how it will look; it wasn’t my best interview.
EDITED TO ADD (12/23): Here’s the segment.
Entries Tagged "air travel"
Page 22 of 46
Bypassing Airport Checkpoints
From a reader:
I always get a giggle from reading about TSA security procedures, because of what I go through during my occasional job at an airport. I repair commercial kitchen cooking equipment—restaurants etc. On occasion I have to go to restaurants inside a nearby airport terminal to repair equipment, sometimes needing a return trip with parts.
So here’s the scene. I park inside the parking garage area in my company truck. I carry my 30 pound toolbox and a large cardboard box, about 2 1/2 feet long with parts for a broiler to be repaired. I go to a restaurant outside the security zone and pick up an “escort”, typically a kid of maybe 25 years old. I obviously can’t go through the TSA checkpoint, as they’d have absolute conniptions about my tools and large parts. So, without ever having to show ID, or even looking at what I may have in the large cardboard box or my large metal toolbox, the escort takes me down an elevator, out onto the tarmac, past waiting planes pulled up to the terminal, back inside the terminal building and coming out on the other side of the TSA checkpoint, then off to the restaurant to be repaired. Then, when I’m done, they escort my out the normal way, past the TSA screening area, with my toolbox and large cardboard box in hand. No one bats an eye as to what might have transpired or how my stuff magically appeared on the “secure” side and is now leaving right in front of them
And people wonder why I call it all security theater?
Ed Felten on TSA Behavioral Screening
Good comment:
Now suppose that TSA head Kip Hawley came to you and asked you to submit voluntarily to a pat-down search the next time you travel. And suppose you knew, with complete certainty, that if you agreed to the search, this would magically give the TSA a 0.1% chance of stopping a deadly crime. You’d agree to the search, wouldn’t you? Any reasonable person would accept the search to save (by assumption) at least 0.001 lives. This hypothetical TSA program is reasonable, even though it only has a 0.1% arrest rate. (I’m assuming here that an attack would cost only one life. Attacks that killed more people would justify searches with an even smaller arrest rate.)
So the commentators’ critique is weak—but of course this doesn’t mean the TSA program should be seen as a success. The article says that the arrests the system generates are mostly for drug charges or carrying a false ID. Should a false-ID arrest be considered a success for the system? Certainly we don’t want to condone the use of false ID, but I’d bet most of these people are just trying to save money by flying on a ticket in another person’s name—which hardly makes them Public Enemy Number One. Is it really worth doing hundreds of searches to catch one such person? Are those searches really the best use of TSA screeners’ time? Probably not.
Right. It’s not just about the hit rate. It’s the cost vs. benefit: cost in taxpayer money, passenger time, TSA screener attention, fundamental liberties, etc.
Flying While Armed
Two years ago, all it took to bypass airport security was filling out a form:
Grant was flying from Boston to San Diego on Jan. 1, 2007, when he approached an American Airlines ticket counter at Logan International Airport and flashed a badge he carries as a part-time assistant harbor master in Chatham, according to federal prosecutors.
Grant, a medical supplies salesman, also filled out a “flying while armed” form and wrote that he worked for the Department of Homeland Security, prosecutors said.
[…]
He allegedly did the same on his return trip to Boston three days later.
But this time, according to court documents, he was invited into the cockpit, was told the identity of the two air marshals on the flight, and was informed who else on the plane was armed, which raises security concerns.
Since then, the TSA has made changes in procedure.
At the airport, law enforcers now need advance permission to fly armed.
“We have added substantial layers of security to this process,” said TSA spokesman George Naccara.
The case took almost two years to come to light so federal authorities could tighten airport security and prevent similar incidents, said Christina DiIorio-Sterling, a spokeswoman for the U.S. attorney’s office.
“The flying public can be assured that this has led to a change of procedures to ensure that credentials are properly vetted,” said Ann Davis, a spokeswoman for the Transportation Security Administration.
TSA Aiding Luggage Thieves
In this story about luggage stealing at Los Angeles International Airport, we find this interesting paragraph:
They both say there are organized rings of thieves, who identify valuables in your checked luggage by looking at the TSA x-ray screens, then communicate with baggage handlers by text or cell phone, telling them exactly what to look for.
Someone should investigate the extent to which the TSA’s security measures facilitate crime.
When Sky Marshals Do Bad Things
They’re not even close to perfect:
Since 9/11, more than three dozen federal air marshals have been charged with crimes, and hundreds more have been accused of misconduct, an investigation by ProPublica, a non-profit journalism organization, has found. Cases range from drunken driving and domestic violence to aiding a human-trafficking ring and trying to smuggle explosives from Afghanistan.
The meta-problem is that the kind of person who wants to be federal air marshal is the exact kind of person we don’t want for the job.
Before 9/11, the Air Marshal Service was a nearly forgotten force of 33 agents with a $4.4 million annual budget. Now housed in the Transportation Security Administration, the agency has a $786 million budget and an estimated 3,000 to 4,000 air marshals, although the official number is classified.
And 3,000 to 4,000 is a lot of people to hire quickly; it’s hard to weed out the bad eggs.
Schneier for TSA Administrator
It’s been suggested. For the record, I don’t want the job.
Since the election, the newspapers and Internet have been flooded with unsolicited advice for President-elect Barack Obama. I’ll go ahead and add mine.
[…]
And by “revamp,” I mean “start over.” Most security experts agree that the rigmarole we go through at the airport is mere security theater, designed not to make us safer, but to make us feel safer by making it increasingly inconvenient to fly. TSA’s approach to security is too reactionary—too set on preventing attacks and attempted attacks that have already happened. And please, whatever you do, resist the temptation to let TSA workers unionize. Security from terror attacks should not be a federal jobs program. You need the authority to fire underperforming screeners quickly and effortlessly. Three game-changing possibilities to head up TSA: security guru Bruce Schneier, Cato Institute security and technology scholar Jim Harper, or Ohio State University’s John Mueller.
Although I’d be happy to see either Jim or John with it.
I don’t want it because it’s too narrow. I think the right thing for the government to do is to give the TSA a lot less money. I’d rather they defend against the broad threat of terrorism than focus on the narrow threat of airplane terrorism, and I’d rather they defend against the myriad of threats that face our society than focus on the singular threat of terrorism. But the head of the TSA can’t have those opinions; he has to take the money he’s given and perform the specific function he’s assigned to perform. Not very much fun, really.
But I’d be happy to advise whoever Obama choses to head the TSA.
The job of the nation’s CTO would be more interesting, but I don’t think I want it, either. (Have you seen the screening process?)
TSA News
Item 1: Kip Hawley says that the TSA may reduce size restrictions on liquids. You’ll still have to take them out of your bag, but they can be larger than three ounces. The reasons—so he states—are that technologies are getting better, not that the threat is reduced.
I’m skeptical, of course. But read his post; it’s interesting.
Item 2: Hawley responded to my response to his blog post about an article about me in The Atlantic.
Item 3: The Atlantic is holding a contest, based on Hawley’s comment that the TSA is basically there to catch stupid terrorists:
And so, a contest: How would the Hawley Principle of Federally-Endorsed Mediocrity apply to other government endeavors?
Not the same as my movie-plot threat contest, but fun all the same.
Item 4: What would the TSA make of this?
Keeping Contraband Out of Prisons
Chilling story of a death-row inmate with a contraband cell phone.
If we can’t keep contraband out of prisons, how can we possibly hope to keep it out of airports?
Kip Hawley Responds to My Airport Security Antics
Kip Hawley, head of the TSA, has responded to my airport security penetration testing, published in The Atlantic.
Unfortunately, there’s not really anything to his response. It’s obvious he doesn’t want to admit that they’ve been checking ID’s all this time to no purpose whatsoever, so he just emits vague generalities like a frightened squid filling the water with ink. Yes, some of the stunts in article are silly (who cares if people fly with Hezbollah T-shirts?) so that gives him an opportunity to minimize the real issues.
Watch-lists and identity checks are important and effective security measures. We identify dozens of terrorist-related individuals a week and stop No-Flys regularly with our watch-list process.
It is simply impossible that the TSA catches dozens of terrorists every week. If it were true, the administration would be trumpeting this all over the press—it would be an amazing success story in their war on terrorism. But note that Hawley doesn’t exactly say that; he calls them “terrorist-related individuals.” Which means exactly what? People so dangerous they can’t be allowed to fly for any reason, yet so innocent they can’t be arrested—even under the provisions of the Patriot Act.
And if Secretary Chertoff is telling the truth when he says that there are only 2,500 people on the no-fly list and fewer than 16,000 people on the selectee list—they’re the ones that get extra screening—and that most of them live outside the U.S., then it is just plain impossible that the TSA identifies “dozens” of these people every week. The math just doesn’t make sense.
And I also don’t believe this:
Behavior detection works and we have 2,000 trained officers at airports today. They alert us to people who may pose a threat but who may also have items that could elude other layers of physical security.
It does work, but I don’t see the TSA doing it properly. (Fly El Al if you want to see it done properly.) But what I think Hawley is doing is engaging in a little bit of psychological manipulation. Like sky marshals, the real benefit of behavior detection isn’t whether or not you do it but whether or not the bad guys believe you’re doing it. If they think you are doing behavior detection at security checkpoints, or have sky marshals on every airplane, then you don’t actually have to do it. It’s the threat that’s the deterrent, not the actual security system.
This doesn’t impress me, either:
Items carried on the person, be they a ‘beer belly’ or concealed objects in very private areas, are why we are buying over 100 whole body imagers in upcoming months and will deploy more over time. In the meantime, we use hand-held devices that detect hydrogen peroxide and other explosives compounds as well as targeted pat-downs that require private screening.
Optional security measures don’t work, because the bad guys will opt not to use them. It’s like those air-puff machines at some airports now. They’re probably great at detecting explosive residue off clothing, but every time I have seen the machines in operation, the passengers have the option whether to go through the lane with them or another lane. What possible good is that?
The closest thing to a real response from Hawley is that the terrorists might get caught stealing credit cards.
Using stolen credit cards and false documents as a way to get around watch-lists makes the point that forcing terrorists to use increasingly risky tactics has its own security value.
He’s right about that. And, truth be told, that was my sloppiest answer during the original interview. Thinking about it afterwards, it’s far more likely is that someone with a clean record and a legal credit card will buy the various plane tickets.
This is new:
Boarding pass scanners and encryption are being tested in eight airports now and more will be coming.
Ignoring for a moment that “eight airports” nonsense—unless you do it at every airport, the bad guys will choose the airport where you don’t do it to launch their attack—this is an excellent idea. The reason my attack works, the reason I can get through TSA checkpoints with a fake boarding pass, is that the TSA never confirms that the information on the boarding pass matches a legitimate reservation. If all TSA checkpoints had boarding pass scanners that connected to the airlines’ computers, this attack would not work. (Interestingly enough, I noticed exactly this system at the Dublin airport earlier this month.)
Stopping the “James Bond” terrorist is truly a team effort and I whole-heartedly agree that the best way to stop those attacks is with intelligence and law enforcement working together.
This isn’t about “Stopping the ‘James Bond’ terrorist,” it’s about stopping terrorism. And if all this focus on airports, even assuming it starts working, shifts the terrorists to other targets, we haven’t gotten a whole lot of security for our money.
FYI: I did a long interview with Kip Hawley last year. If you haven’t read it, I strongly recommend you do. I pressed him on these and many other points, and didn’t get very good answers then, either.
EDITED TO ADD (10/28): Kip Hawley responds in comments. Yes, it’s him.
EDITED TO ADD (11/17): Another article on those boarding pass verifiers.
Sidebar photo of Bruce Schneier by Joe MacInnis.