Skating on Stilts

By eleven days!  Boy, this news cycle business is easier than it looks.

In addition to his comments on this blog, Matt Blaze has responded to the post below.  He doesn't dispute my point that scanning boarding passes at the checkpoint will close the security hole that Schneier and Soghoian publicized. 

In the comments to my post, I challenge Matt to explain why he thought his exploit was a real risk: "Maybe you can tell me what bad thing would happen if people could switch flights as you describe."  He responds not with an actual example but by pointing out that TSA has said that it may decide to impose additional screening on particular routes if it has reason to be concerned about those routes.  If TSA thinks it sometimes needs to focus on travelers using a particular route, he wonders, won't that screening be undone by ticket switching? 

It's a fair point in theory but not in practice.  Threats to routes have been very rare, and TSA has usually responded to those threats in an ad hoc fashion -- setting up special screening measures for passengers boarding those flights (you've probably seen some hand searches at the point of boarding, for example; an intensive version of those checks is eminently possible when a particular flight is threatened).  That can include one-off checks of ID.  That's a lot less expensive than completely redesigning the checkpoint system, which is apparently what Matt thinks TSA should do.

From a terrorist's point of view, even occasional gate checks make the Blazean exploit unattractive, because the consequences of having bad ID at that stage would be very serious for the terrorist.  He'd immediately stand out from all the other travelers, and not in a good way.  So relying on the ability to do one-off spot checks is a reasonable response to the rare occasions when intelligence pinpoints a particular route as under threat.

So we're back where we started.  Matt hasn't identified a security hole that requires a massive change in TSA procedures, and he certainly hasn't proven his original claim that scanning boarding passes at the checkpoint is ineffective and ill-conceived.

TSA has taken another couple of steps to improve air security.  For starters, airline ID checkers are actually checking IDs -- with black lights and magnifying glasses.  And now they're getting ready to scan boarding passes in order to make it harder to use a fake boarding pass. 

You'd think the agency would get a bit of praise for trying to improve security without slowing travelers.  Instead, among privacy advocates, there is only one possible response to TSA security measures: condescension.  They have to sneer, even if they make themselves look a lot dumber than the agency in the process.

To take one example, Matt Blaze, a well-known privacy advocate and security buff, is criticizing TSA's new boarding-pass scanners as "ineffective" and "ill-conceived"  with "little actual gain in security".  Matt's a pretty smart guy, but his criticism is inexplicable.  TSA has fixed a real security hole and deserves credit for the new security.  Instead, in an effort to sneer at TSA, Matt has invented a fake security hole and then criticized the agency for not fixing the fake hole too.

Let's remember the security concern that got this started.  A student named Chris Soghoian demonstrated that a terrorist could avoid the no-fly list with a five-step process:  (1) he buys his tickets in a fake name (2) he gets a boarding pass in that name and stuffs it in his pocket (3) he then pulls out a fake boarding pass in his real name that he prepared on a home printer (4) he shows his real ID plus the fake boarding pass at the TSA checkpoint, and (5) he uses the real boarding pass with the fake name to board the plane. 

Or, as put more succinctly by the Washington Post,"the loophole is that boarding passes are compared to a person's ID only at initial security checkpoints, not at the gates where passengers board planes. Also, the passes are scanned and verified only at departure gates, not security checkpoints."

(Long double-pointed aside:  to be fair, the hole had been pointed out before, by Bruce Schneier.  Soghoian's contribution was irresponsible but attention-getting.  He created a website where anyone, including terrorists who needed a little technical help, could generate fake boarding passes.  Soghoian was investigated for criminal violations by the FBI and for civil violations by TSA.  Rep. Edward J. Markey (D-Mass.) first called for Soghoian's arrest but later called the stunt a public service.  "He picked a lousy way of doing it, but he should not go to jail for his bad judgment," Markey said.  In the end, no charges were pressed.) 

Okay, back to the thread:  If the security hole is that "the passes are scanned and verified only at departure gates, not security checkpoints," doesn't TSA's new approach actually close that hole -- by, you know, scanning and verifying the passes at the security checkpoint?  Seems like this really will keep people from using a fake boarding pass to get past security.

So how can Matt Blaze call TSA's new measure "ineffective" and "ill-conceived"  with "little actual gain in security"? 

Only by changing the subject. 

Blaze recasts the security problem from avoiding the no-fly list to "anonymous flying."  Blaze says "it's still as easy for a bad guy to get on a plane without the government knowing his or her true name."  But he means that in a very special way apparently comprehensible only to privacy advocates.  When he says that the government won't know the bad guy's true name, he means that the government actually will know the bad guy's true name, but that it might not know which plane the bad guy got on. 

Here's how Blaze says you can avoid the new security measure.  First buy two real tickets, one in a fake name and one in your real name.  You then use your real-name boarding pass and ID to get past the security check, at which point you can board the other flight using your fake-name boarding pass.

Well, that might be a devastating hole -- if TSA's job were to prevent "anonymous flying."  But it's not.  TSA's new measure is meant to keep people on the no-fly list from, well, from flying.  If the only way for bad guys to beat the system is to buy tickets in their own names, then they'll be caught by the no-fly list.

The whole point of the Soghoian caper and the Schneier critique was that you never needed to give your real name to the airlines, so your real name wouldn't be checked against the no-fly list.  Now you do, and now it will will be. 

Matt can only describe the new measures as "ineffective" by ignoring the security hole that Soghoian was trying to dramatize and that TSA is trying to fix. 

Moral:  Sneering at TSA may seem like shooting fish in a barrel, but first make sure your foot isn't under the barrel.

According to Stratfor the terrorist who attacked Prince Mohammed bin Nayef was able to get through security searches because he hid the IED in what the organization delicately describes as his "anal cavity."  Of course it's hard to do much damage with the amount of explosives you can get in there, so the attack only lightly wounded the prince. 

How did the terrorist manage to set off the explosives?  Well, he was allowed to call Yemen just before the explosion, so it seems likely that his accomplices in that country used a cell phone as a detonator. 

Yes, it's true.  Al Qaeda is now reduced to making booty calls.