Entries Tagged "physical security"

Page 11 of 25

Post-Underwear-Bomber Airport Security

In the headlong rush to “fix” security after the Underwear Bomber’s unsuccessful Christmas Day attack, there’s been far too little discussion about what worked and what didn’t, and what will and will not make us safer in the future.

The security checkpoints worked. Because we screen for obvious bombs, Umar Farouk Abdulmutallab—or, more precisely, whoever built the bomb—had to construct a far less reliable bomb than he would have otherwise. Instead of using a timer or a plunger or a reliable detonation mechanism, as would any commercial user of PETN, he had to resort to an ad hoc and much more inefficient homebrew mechanism: one involving a syringe and 20 minutes in the lavatory and we don’t know exactly what else. And it didn’t work.

Yes, the Amsterdam screeners allowed Abdulmutallab onto the plane with PETN sewn into his underwear, but that’s not a failure, either. There is no security checkpoint, run by any government anywhere in the world, designed to catch this. It isn’t a new threat; it’s more than a decade old. Nor is it unexpected; anyone who says otherwise simply isn’t paying attention. But PETN is hard to explode, as we saw on Christmas Day.

Additionally, the passengers on the airplane worked. For years, I’ve said that exactly two things have made us safer since 9/11: reinforcing the cockpit door and convincing passengers that they need to fight back. It was the second of these that, on Christmas Day, quickly subdued Abdulmutallab after he set his pants on fire.

To the extent security failed, it failed before Abdulmutallab even got to the airport. Why was he issued an American visa? Why didn’t anyone follow up on his father’s tip? While I’m sure there are things to be improved and fixed, remember that everything is obvious in hindsight. After the fact, it’s easy to point to the bits of evidence and claim that someone should have “connected the dots.” But before the fact, when there are millions of dots—some important but the vast majority unimportant—uncovering plots is a lot harder.

Despite this, the proposed fixes focus on the details of the plot rather than the broad threat. We’re going to install full-body scanners, even though there are lots of ways to hide PETN—stuff it in a body cavity, spread it thinly on a garment—from the machines. We’re going to profile people traveling from 14 countries, even though it’s easy for a terrorist to travel from a different country. Seating requirements for the last hour of flight were the most ridiculous example.

The problem with all these measures is that they’re only effective if we guess the plot correctly. Defending against a particular tactic or target makes sense if tactics and targets are few. But there are hundreds of tactics and millions of targets, so all these measures will do is force the terrorists to make a minor modification to their plot.

It’s magical thinking: If we defend against what the terrorists did last time, we’ll somehow defend against what they do next time. Of course this doesn’t work. We take away guns and bombs, so the terrorists use box cutters. We take away box cutters and corkscrews, and the terrorists hide explosives in their shoes. We screen shoes, they use liquids. We limit liquids, they sew PETN into their underwear. We implement full-body scanners, and they’re going to do something else. This is a stupid game; we should stop playing it.

But we can’t help it. As a species, we’re hardwired to fear specific stories—terrorists with PETN underwear, terrorists on subways, terrorists with crop dusters—and we want to feel secure against those stories. So we implement security theater against the stories, while ignoring the broad threats.

What we need is security that’s effective even if we can’t guess the next plot: intelligence, investigation, and emergency response. Our foiling of the liquid bombers demonstrates this. They were arrested in London, before they got to the airport. It didn’t matter if they were using liquids—which they chose precisely because we weren’t screening for them—or solids or powders. It didn’t matter if they were targeting airplanes or shopping malls or crowded movie theaters. They were arrested, and the plot was foiled. That’s effective security.

Finally, we need to be indomitable. The real security failure on Christmas Day was in our reaction. We’re reacting out of fear, wasting money on the story rather than securing ourselves against the threat. Abdulmutallab succeeded in causing terror even though his attack failed.

If we refuse to be terrorized, if we refuse to implement security theater and remember that we can never completely eliminate the risk of terrorism, then the terrorists fail even if their attacks succeed.

This essay previously appeared on Sphere, the AOL.com news site.

EDITED TO ADD (1/8): Similar sentiment.

Posted on January 7, 2010 at 1:18 PMView Comments

Breaching the Secure Area in Airports

An unidentified man breached airport security at Newark Airport on Sunday, walking into the secured area through the exit, prompting the evacuation of a terminal and flight delays that continued into the next day. This isn’t common, but it happens regularly. The result is always the same, and it’s not obvious that fixing the problem is the right solution.

This kind of security breach is inevitable, simply because human guards are not perfect. Sometimes it’s someone going in through the out door, unnoticed by a bored guard. Sometimes it’s someone running through the checkpoint and getting lost in the crowd. Sometimes it’s an open door that should be locked. Amazing as it seems to frequent fliers, the perpetrator often doesn’t even know he did anything wrong.

Basically, whenever there is—or could be—an unscreened person lost within the secure area of an airport, there are two things the TSA can do. They can say “this isn’t a big deal,” and ignore it. Or they can evacuate everyone inside the secure area, search every nook and cranny—inside the large boxes of napkins at the fast food restaurant, above the false ceilings in the bathrooms, everywhere—looking for anyone hiding or anything anyone hid, and then rescreen everybody: causing delays of six, eight, twelve, or more hours. That’s it; those are the options. And there’s no way someone in charge will choose to ignore the risk; even if the odds of a terrorist exploit are minuscule, it’ll cost him his career if he’s wrong.

Several European airports have their security screening organized differently. At Schipol Airport in Amsterdam, for example, passengers are screened at the gates. This is more expensive and requires a substantially different airport design, but it does mean that if there is a security breach, only the gate has to be evacuated and searched, and the people rescreened.

American airports can do more to secure against this risk, but I’m reasonably sure it’s not worth it. We could double the guards to reduce the risk of inattentiveness, and redesign the airports to make this kind of thing less likely, but those are expensive solutions to an already rare problem. As much as I don’t like saying it, the smartest thing is probably to live with this occasional but major inconvenience.

This essay originally appeared on ThreatPost.com.

EDITED TO ADD (1/9): A first-person account of the chaos at Newark Airport, with observations and recommendations.

Posted on January 6, 2010 at 6:10 AMView Comments

Separating Explosives from the Detonator

Chechen terrorists did it in 2004. I said this in an interview with then TSA head Kip Hawley in 2007:

I don’t want to even think about how much C4 I can strap to my legs and walk through your magnetometers.

And what sort of magical thinking is behind the rumored TSA rule about keeping passengers seated during the last hour of flight? Do we really think the terrorist won’t think of blowing up their improvised explosive devices during the first hour of flight?

For years I’ve been saying this:

Only two things have made flying safer [since 9/11]: the reinforcement of cockpit doors, and the fact that passengers know now to resist hijackers.

This week, the second one worked over Detroit. Security succeeded.

EDITED TO ADD (12/26): Only one carry on? No electronics for the first hour of flight? I wish that, just once, some terrorist would try something that you can only foil by upgrading the passengers to first class and giving them free drinks.

Posted on December 26, 2009 at 5:43 PMView Comments

Plant Security Countermeasures

The essay is about veganism and plant eating, but I found the descriptions of plant security countermeasures interesting:

Plants can’t run away from a threat but they can stand their ground. “They are very good at avoiding getting eaten,” said Linda Walling of the University of California, Riverside. “It’s an unusual situation where insects can overcome those defenses.” At the smallest nip to its leaves, specialized cells on the plant’s surface release chemicals to irritate the predator or sticky goo to entrap it. Genes in the plant’s DNA are activated to wage systemwide chemical warfare, the plant’s version of an immune response. We need terpenes, alkaloids, phenolics—let’s move.

“I’m amazed at how fast some of these things happen,” said Consuelo M. De Moraes of Pennsylvania State University. Dr. De Moraes and her colleagues did labeling experiments to clock a plant’s systemic response time and found that, in less than 20 minutes from the moment the caterpillar had begun feeding on its leaves, the plant had plucked carbon from the air and forged defensive compounds from scratch.

Just because we humans can’t hear them doesn’t mean plants don’t howl. Some of the compounds that plants generate in response to insect mastication—their feedback, you might say—are volatile chemicals that serve as cries for help. Such airborne alarm calls have been shown to attract both large predatory insects like dragon flies, which delight in caterpillar meat, and tiny parasitic insects, which can infect a caterpillar and destroy it from within.

Enemies of the plant’s enemies are not the only ones to tune into the emergency broadcast. “Some of these cues, some of these volatiles that are released when a focal plant is damaged,” said Richard Karban of the University of California, Davis, “cause other plants of the same species, or even of another species, to likewise become more resistant to herbivores.”

There’s more in the essay.

Posted on December 23, 2009 at 7:50 AMView Comments

Hotel Safe Scam

This is interesting:

Since then, his scams have tended to take place in luxury hotels around the world.

Typically, he would arrive at a hotel, claim to be a guest, and then tell security that he had forgotten the combination code to his safe.

When hotel staff helped him to open the safe, he would pocket the contents and make his escape.

Doesn’t the hotel staff ask for ID before doing something like that?

Posted on October 7, 2009 at 1:07 PMView Comments

"Security Theater in New York City"

For the U.N. General Assembly:

For those entranced by security theater, New York City is a sight to behold this week. A visit to one of the two centers of the action—the Waldorf Astoria, where the presidents of China, Russia, the Prime Ministers of Israel and the Palestinian Authority, and the President of the United States—are all staying. (Who gets the presidential suite? Our POTUS.) Getting to the Waldorf is a little intimidating, which is the point. Wade through the concrete barriers, the double-parked police cars, the NYPD mobile command post, a signals post, acreages of metal fencing, snipers, counter surveillance teams, FBI surveillance teams in street clothes, dodge traffic and a dignitary motorcade or two, and you’re right at the front door of the hotel. A Secret Service agent from the Midwest gestured dismissively when a reporter showed him a press credential. “You don’t need it. Just go in that door over there.”

At the door over there, another agent sent the reporter back to the first agent. The two agents—each from different field offices, no doubt—argued a bit over which of the Waldorf front doors they were going to let the general public in. Maybe the agents had just been “pushed”—or there was a shift change. In any event, the agents didn’t seem to mind when the reporter walked right past them. A standard magnetometer and x-ray screening later, and I was in the packed front lobby. African heads of state were just about to have a group lunch, and about three dozen members of the continental press corps awaited some arrivals. Some of the heads of state walked in through the front, tailed by a few of their own bodyguards and tired looking USSS agents.

Posted on October 2, 2009 at 12:23 PMView Comments

Reproducing Keys from Photographs

Reproducing keys from distant and angled photographs:

Abstract:
The access control provided by a physical lock is based on the assumption that the information content of the corresponding key is private—that duplication should require either possession of the key or a priori knowledge of how it was cut. However, the ever-increasing capabilities and prevalence of digital imaging technologies present a fundamental challenge to this privacy assumption. Using modest imaging equipment and standard computer vision algorithms, we demonstrate the effectiveness of physical key teleduplication—extracting a key’s complete and precise bitting code at a distance via optical decoding and then cutting precise duplicates. We describe our prototype system, Sneakey, and evaluate its effectiveness, in both laboratory and real-world settings, using the most popular residential key types in the U.S.

Those of you who carry your keys on a ring dangling from a belt loop, take note.

Posted on October 1, 2009 at 2:09 PMView Comments

1 9 10 11 12 13 25

Sidebar photo of Bruce Schneier by Joe MacInnis.