Schneier, Journalist Poke Holes In TSA Policies
Fallen Andy points out an article in The Atlantic written by Jeffrey Goldberg. He and Bruce Schneier teamed up to put the TSA's policies to the test at the Minneapolis-St. Paul International Airport. They found plenty of evidence for security theater, and rather less for actual security. Quoting:
"'The whole system is designed to catch stupid terrorists,' Schneier told me. ... As I stood in the bathroom, ripping up boarding passes, waiting for the social network of male bathroom users to report my suspicious behavior, I decided to make myself as nervous as possible. I would try to pass through security with no ID, a fake boarding pass, and an Osama bin Laden T-shirt under my coat. I splashed water on my face to mimic sweat, put on a coat (it was a summer day), hid my driver's license, and approached security with a bogus boarding pass that Schneier had made for me. ... 'All right, you can go,' [an airport security supervisor] said, pointing me to the X-ray line. 'But let this be a lesson for you.'"
I wouldn't doubt that the whole system isn't there to catch actual terrorists, but to simply condition the populace into accepting this kind of routine as the standard quo. Fo
Still #1 -- Lonely Gay Geek
"'But let this be a lesson for you.'"
Yes, the security checks are total bogus. Glad we have shown that in the open right now...
Knowledge is power. Knowledge shared is power lost.
I agree. I miss the Schneier who was the author of Applied Cryptography, an icon for the cypherpunks who seemed to foretell a coming golden age of privacy, where the average man would sock it to the Man with strong crypto. I understand his view that crypto isn't everything anymore, but he has gone from being an inspiring figure to a guy who seems like he just wants to look sagely and get lots of clients for his consulting business.
When I went through at JFK and asked questions about why they were segregating my bag the supervisor came over and accused me of suffering from "Obamaism".
I complained and TSA dismissed my complaint that the supervisor was making a joke. Really? TSA thinks that a citizen asking about his rights is a joke? Really?
After all, they didn't arrest, because he didn't present a threat. And he didn't. So it's a bit difficult to say that the system failed, based on this story.
However, it's interesting to see exactly how little actual security there is at the airport. Bruce is right - the only thing new is better cockpit doors and passengers who'd rather die than get hijacked.
Those who can, do. Those who can't, sue.
1. It's trivial to get around airport security.
2. Everyone knows this.
3. There haven't been any hijackings.
Therefore:
4. There is no-one attempting hijackings.
How we know is more important than what we know.
You would think that if it were effective, they would be capturing people with provable ill intent. And you'd further think that if they did this, they'd want to tell the world, loudly! After all, they could justify their own existence that way.
Yet somehow, we haven't heard of one Mighty Terrorist being caught by TSA. One must assume that this is because they are not /being/ caught. So... if TSA is not catching terrorists, what the hell are they doing?
The sole purpose is to make people feel protected (or violated, depending on your perspective). There's a sizeable portion of the population who feels reassured when senior citizens and soccer moms get pulled out of line for a closer search.
Land of the free.
Right.
I think the current state of airport security is just that - the best the agency can do, with its current resources, budget and enormous demand for speedy throughput.
I myself have pondered the possibility of some kind of conspiracy, but all I'm seeing is an outdated, overwhelmed structure under a lot of pressure.
This is a very difficult problem to solve:
- fast processing of people
- spotting potential threats with minimum resources
- overstretched, tired, worn-out employees
- far from state-of-the-art equipment
- unbelievable throughput
If the throughput is 1/100 of the LAX or JFK demands, then maybe it would be possible to look at each passenger, "check in" with them, evaluate their level of nervousness, clothing, carefully check for tell-signs etc.
With 1 second per passenger that's impossible and the best an agency can do is issue blanket policies including racial/name-based profiling, travel patterns, databases of destinations etc. and hope for the best.
I truly believe that the security policies are not an adequate protection. I don't think that's by design, rather a limitation of the design.
No conspiracy theory here, just lots of frustration with what I perceive as needless delay and inconvenience, bordering with disrespect and abuse in some cases (large-scale profiling and temporary detention of people entering the US etc.).
The flag features, as its charming main image, an upraised fist clutching an AK-47 automatic rifle. Atop the rifle is a line of Arabic writing that reads "Then surely the party of God are they who will be triumphant." The officer took the flag and spread it out on the inspection table. She finished her inspection, gave me back my flag, and told me I could go. I said, "That's a Hezbollah flag." She said, "Uh-huh."
Correct me if I am wrong, but all the TSA crew are meant to watch for is if you are bringing anything onto a plane that could then be used to bring it down or hijack it.
Propaganda on the other hand cannot possibly bring down a plane from the sky, and it is surely protected to some extent by freedom of speech.
You have a point; but I'm not sure whether the change is a result of selling out, or a principled (if very depressing) change in his view of security, based on subsequent experience. After all, the broader cultural appeal of the "cypherpunks sticking it to the man on the unregulable internet that treats censorship as damage and routes around it" has fallen massively. You used to hear it all the time; both from various luminaries and in regurgitated form from flacks and cheerleaders, not nearly as much anymore.
I suspect that it has something to do with his focus on the human element of security. The fact that you can build a cryptosystem that the feds can't break on your own computer with free tools, a modest knowledge of C, and some acquaintance with number theory is pretty damn cool. The fact that your fellow citizens will cheer as the feds waterboard the key out of you really puts that in perspective, though. It is hard to be a cypherpunk utopian when less than 1% of the population can be bothered to follow a step-by-step FAQ to set up PGP, and even geeks respond to Google's data mining of their email by telling you how nice the interface is. Techies can argue, correctly, that the great firewall or any other censorware is full of fairly pitiful holes. That doesn't change the fact that it puts up enough resistance (which isn't much) to keep 95% of China's equivalent of average Joe from trying to get past it.
In a way, I think that the cypherpunk ideal fell apart when they built it and nobody came. All sorts of strong crypto are available to everybody, for free, and aren't even all that much trouble to use. Almost nobody bothers, probably so few that those who do just stand out by doing so.
I don't like the idea; but I strongly suspect that Schneier's decline in inspiration has more to do with his assessment of the state of security than it does with any specific sellout.
How does Schneier putting on theater test whether they can detect a real terrorist? This is like those experiments where the researchers set up shocks or some such for the monkeys, they provide bogus explanations for the monkeys' behavior that totally excludes the fact that there were researchers behind the scenes doing things, which the monkeys were aware of.
Worse than that, it seems like anyone who knows anything about cryptography is automatically suspect these days. "If you have nothing to hide, then why do you need that"?
Well, you gut the first attendant, while they are on the ground screaming in pain the other passengers will look on horrified and panic.
Kick the cockpit door in (they're pretty easy) and make your demands, meanwhile your partner(s) also gut a few people to keep everyone in order.
Sound familiar?
The Kruger Dunning explains most post on
They used to check your ID both before you enter security and at the gate (and when checking in bags). A couple years back they dropped the gate check and now they only check it before the security line. They mark the boarding pass at security but it's not like a retarded five-year-old couldn't copy that.
I agree on one hand, but in a way I think that he is asking the TSA to do what I don't want them to do in many ways, which is behavioral profiling. This also does not work (at least has a very low specificity and sensitivity), and could make our lives a lot worse by harassment instead of uniform policies.
Stopping somebody because they are sweating is a bit ambitious, and is similar to what has been going on:
http://govtsecurity.com/transportation_security/TSAsSPOTunit/
which is worse for most nerds. I am not surprised by this article, and do not have any quick solutions. We can't stop the security theater (honestly, would you want to not have ANY Xray of luggage or metal detection?) and I am not sure that any behavioral detection is better...
Slashdotter, ID #101. UIDs are in binary, right?
Much of the article talks about someone not getting things that are not illegal to fly with confiscated. He makes a big deal about carrying a flag. The screener looked at the flag. It wasn't confiscated. BIG DEAL. It isn't illegal to carry a flag on board. He wasn't arrested for ripping up paper in a bathroom. BIG DEAL. It isn't illegal to rip up paper in a bathroom. He wasn't stopped for wearing a teeshirt.
He starts out by saying he was doing things that terrorists wouldn't do, and then complains because he wasn't questioned about doing those things.
Then the "saline solution" hole. Yes, every time you create exemptions from rules you create loopholes for bad guys to get through. Thanks for advertising the saline solution loophole, I'll remember it. Do you think that the TSA screeners should be testing fluids for what they are? There are an awful lot of different things, and any false positive is going to be leapt on as another example of TSA stupidity while some poor schmuck is detained for nothing.
So, a terrorist who isn't stupid steals a credit card and buys a ticket under someone else's name. He prints a fake boarding pass with his real name (?) to get past TSA. Then he uses the original pass to get on the plane. We're told that this hole can be closed by simply checking the names at the time someone gets on the plane.
Uhhh, hand raised here. Question? If a terrorist is smart enough to steal a credit card with someone else's name to buy the ticket, won't he be smart enough to get a FAKE DRIVER'S LICENSE WITH THE SAME NAME so he can get past your new, stricter policy? You haven't closed the triangle at all. You've just made everyone feel more secure when they aren't. That's the game you are complaining about.
Hey. Every security measure can be bypassed by someone intent enough on doing it. TSA didn't find some of the things this guy was carrying that he shouldn't have been. Gee. Humans aren't perfect. Combine that and the ability to bypass anything, of course you get the logical result that we might as well not do anything to stop people from taking whatever they want on board.
He rocks the boat...
And therein lies the fundamental difference between a noted expert in the Security field and the average joe. Bruce can and does rock the boat, where the average joe's opinion would barely make a splash against the side of an inflatable raft.
While I agree there seems to be more grandstanding nowadays, if anyone is going to effect some level of change, the chances are far greater with his sig at the bottom of the Security report.
As with all things Security, it's always taken in baby steps unless something VERY large happens.
No, the one advance in security is not the door to the cockpit, it's the understanding on everyone's part that cooperating with a hijacker isn't in anyone's interest anymore, and the half a dozen guys (and maybe a few women) who will be beating the terrorist to a bloody pulp as the rest of the passengers applaud.
United 93 was a test. The next time, the plane won't go down while the bad guys get killed.
United 93 was a test. The next time, the plane won't go down while the bad guys get killed.
Yep. Had to happen once, but won't happen twice.
You'll have that sometimes...
No no, it all makes perfect sense. It's all about behavior profiling. You see, any terrorist will take pains to hide his activities. Therefore anyone who looks like a terrorist most certainly isn't one. Anyone who carries guns, bombs, or other contraband openly is by definition safe, and so doesn't need to be searched.
That's a good theory but ... what if they know that we know they're trying to hide their activities? And what if we know that they know that we know they're trying to hide ... that means that they would have to try and hide ... because then we'd know they knew we knew they were trying to hide ... so they wouldn't bother. See? It's really simple when you sit down and analyze it.
The higher the technology, the sharper that two-edged sword.
This isn't something I have to worry about forgetting, it's something he better not forget. He's not going to make it.
Or the other one...the pilot with a .40 Glock who's trained to kill people with it under his arm. I know, my brother is one.
Quiz: True or False -- On a scale of 1 to 10, what is your middle name?
Worse than that, it seems like anyone who knows anything about cryptography is automatically suspect these days. "If you have nothing to hide, then why do you need that"?
Sad but true. Of course, if people actually thought about this, they'd all have strong crypto. If the Feds grab your laptop, for example, they'll look for anything they can nail you on, "terroristic" or not. This confiscatory behavior on the part of the TSA is officially called "intelligence gathering" but what it really is is a widespread fishing expedition.
... would you really trust that machine to pass scrutiny by agents highly motivated to get something on you for their trouble? That's the real problem here. As has been discussed many times here on Slashdot, so many things are felonies nowadays that odds are, if they want you, they'll make something stick. Believe me, you don't ever want to be inside the Justice System as an ordinary citizen. You just don't, and forget about whether you're innocent or not. Fortunately, precedent has been set that encryption passphrases are subject to the Fifth Amendment: let's hope that sticks.
If any of you carry computers around with you that are used regularly by, say, your co-workers
So folks, encrypt your stuff. It's easy, it's painless and it's free, and it wouldn't hurt to proselytize a bit, and get your friends and family to try it out as well. The more popular encryption becomes, the harder it will be to outlaw.
The higher the technology, the sharper that two-edged sword.
I wonder how likely this is to happen. Think about it - we have a government that has systematically become one of the most purposelessly invasive influences in our lives, that has routinely skirted the law, and routinely questioned the validity of our constitutional democracy - if we can't stand up to that by throwing out the yahoos in office who vote for this stuff, would they seriously be able to stand up to someone on a plane?
Oh, and don't forget the second advance. The FFDO program. (Commonly known as the "Guns in the cockpit program") By the time you get your second kick in on that door the pilot will be responding with a hail of bullets.
I knew a guy who worked airport security pre-9/11. One day they were running a security drill, and pulled him aside when he let a guy through the checkpoint with a two-piece rifle. Why did he allow him to pass? "Because it wasn't a working rifle. It wasn't put together."
Dewey, what part of this looks like authorities should be involved?
The fact that your fellow citizens will cheer as the feds waterboard the key out of you really puts that in perspective, though.
Not needed. M$ (and almost certainly the US government through a secret security letter) have full and almost unhindered access to every network-connected Windows, and possibly Linux, box on earth.
To preempt one argument: No, they're not going to be easily detected - they'll use steganography for network traffic and only install the spying software (via M$ update) on "persons/countries of interest".
Encryption is pointless when they have the keys to your computer. They built it after all and the general population intuitively understands that.
---
WGA. Guilty until proven innocent. For millions. Again and again.
Very interesting, care to elaborate on that? A nice bit of evidence would be well appreciated.
All those moments will be lost in time, like tears in rain. Time to die.
Yes, but you miss my point. Average Joe, the guy with a good job, and a family, and everything to live for is going to hesitate to throw all that away. More to the point, however, is that going up against armed men requires more than just a knowledge that you're going to die: you have to be willing to die now, and not hope that someone else will be brave enough to do what has to be done. Furthermore, you really should have some idea of how to fight.
As a culture, we've pretty conclusively shown that we'd rather someone else do the dirty work. We'll see: it'll happen again.
The higher the technology, the sharper that two-edged sword.
At this point, you're going to run up against the one advance in airplane security that *has* been made post-9/11: you're not getting through the reinforced cockpit door with anything less than a battering ram.
No, the one advance in security is not the door to the cockpit, it's the understanding on everyone's part that cooperating with a hijacker isn't in anyone's interest anymore, and the half a dozen guys (and maybe a few women) who will be beating the terrorist to a bloody pulp as the rest of the passengers applaud.
United 93 was a test. The next time, the plane won't go down while the bad guys get killed.
Don't be so god damned cocksure.
Do you really think that it's completely impossible that a half-dozen well-trained terrorists with effective weapons of some kind operating together as a team following a well-thought-out plan wouldn't be able to control an untrained, uncoordinated, and basically unarmed mob in a very confined space long enough to get through the cockpit door?
Because the next bunch of hijackers will be prepared to handle the passengers as well as the crew.
Do you really think that's not possible?
If so, why?
Meh.
The only REAL improvement in airline security comes from the fact that there's a good chance that the pilots in the cockpit are ARMED.
So when Mohammed cracks through the cockpit door, he is subject to an immediate 9mm brain splattering.
And THAT is BY FAR the biggest deterrent to any hijacking attempt. There's no way a terrorist organization can afford to invest the resources necessary to pull off a suicide hijacking unless it's almost certain to be successful. Even on 9/11, only the pilots knew it was a suicide attack, IIRC. That means that with years of planning, Al Qaeda could only find four terrorists with the ability and the will to perform a suicide hijacking. The "muscle" on 9/11 didn't need to have the will to perform suicide attacks.
Now they do.
Think any terrorist organization would waste half-a-dozen motivated-for-suicide, fanatical, and highly effective operatives on a hijacking when it's all too likely to end with a BANG BANG BANG the moment the cockpit door gets opened?
Voting someone out requires voting someone else in, and that may not be the best choice. There is also a level of abstraction to the conduct of our government in Washington.
On the other hand, being confronted by someone who wishes to directly cause harm to you and those around you is not nearly as abstract, and doesn't have to be replaced with someone that you hope has better intentions. The jackass on the plane just needs to be stopped.
There are two types of free, I think there are also two types of sheep.
Clearly, I cannot drink the wine in front of you!
What's really funny is that I got modded Insightful.
The higher the technology, the sharper that two-edged sword.