
Sep 19, 2009

Comments

Hi Stewart,

I must admit, I don't get your point here. You seem to be taking me to task for pointing out that the TSA's new (and presumably expensive) security measure can be easily defeated, as opposed, I guess, to praising them for trying.

Unfortunately, that's not how security protocol design works. Weak protocols are weak, regardless of how well intentioned they might be, and the only way to make them stronger is to identify the weaknesses. Surely you of all people, someone who once represented America's premier designer of security protocols, understand this.

The TSA's new system fails to achieve the security goal of preventing suspected bad guys from boarding planes under false names. One of the problems is that the new scanners are in the wrong places -- at the security checkpoints instead of at the boarding gates. But you must already know this, because the quote that you included in your post (from the Washington Post) points out exactly that:

"...the loophole is that boarding passes are compared to a person's ID only at initial security checkpoints, not at the gates where passengers board planes."

In the new system, ID check is still being performed in the wrong place -- at the security checkpoint, rather than at the boarding gate, which is where we find out who is actually getting on what planes.

Maybe the TSA deserves praise for trying. I agree (and have pointed out myself) that they have an impossible job, with no clear success metrics and a poor public relations history. But that doesn't change the fact that the protocol is still flawed, broken in essentially the same way that it was before they tried to fix it.

-matt

I should add, in particular, the new system improves security only against people on the "no fly" list, but still fails to track those in the (much larger) "selectee" and "watch" databases.

Stewart,

Not only had the no-fly list flaw been previously pointed out by Bruce Schneier, but it had also been repeatedly highlighted by Senator Chuck Schumer (see http://schumer.senate.gov/new_website/record.cfm?id=259517). TSA not only ignored the warnings of a widely known security expert, but a US Senator.

In your post, you call my actions "irresponsible". Now that you are no longer a government employee, perhaps you can reveal the actions that you took internally to address the gigantic security flaw which made the no-fly list an ineffective, (even bigger) waste of money and resources.

This was, of course, not my only interaction with TSA.

In February 2007, I revealed that a TSA website was collecting private passenger information in a highly insecure manner. The website was intended to provide a way for passengers to file disputes in the event that they were incorrectly included on the No fly list. Passengers who submitted their information through the website were at risk of identity theft. TSA shut down, fixed and then relaunched the website within days, after the press picked up the story.

In January 2008, The House Committee on Oversight and Government Reform issued a report on the website flaw, after a several month investigation.

The report stated that the flawed website had operated insecurely for over four months during which over 247 people had submitted personal information using the insecure web-forms. According to the report, the TSA manager responsible for assigning the contract was a high-school friend and former employee of the owner of the firm that created the website.

The report also noted that "neither [the private contractor] nor the technical lead on the traveler redress Web site have been sanctioned by TSA for their roles in the deployment of an insecure Web site. TSA continues to pay Desyne to host and maintain two major Web-based information systems. TSA has taken no steps to discipline the technical lead, who still holds a senior program management position at TSA."

While you clearly don't appreciate my tactics, perhaps you will at least acknowledge that the taxpayer is better off due to my work.

Matt, Chris,

I see you both subscribe to Google blog alerts.

Matt, I disagree that TSA has implemented weak but “well intentioned” security. As far as I can see, you haven’t explained what is "weak" about TSA's measure. You've just asserted weakness without demonstrating it. As I see it, you do that by assuming a “security goal” that hasn't been met – “the security goal of preventing suspected bad guys from boarding planes under false names.” But you don’t offer any evidence that that is TSA's goal or that it should be TSA’s goal.

Why do you think that the checks have to take place at the gate or they’re ineffective? Checks at the gate would only be necessary if we wanted different security protocols for different flights. That doesn’t seem like a particularly useful security measure to me, and it would be astonishingly expensive, so I think it's fair to ask you to explain why it’s necessary.

The new system is not broken. It addresses a real security concern. That doesn’t mean that there aren’t other security risks, but I can’t for the life of me figure out why you think your “exploit” is one of them. Maybe you can tell me what bad thing would happen if people could switch flights as you describe.

(I also question your view that the new system protects against no-flys but won’t protect against selectees. An electronic system at the checkpoint should allow more secure and fine-grained communication about selectees than the current system.)

Stewart

Chris,

I called your action irresponsible because that's what it was. No one defended what you did. Responsible advocates don't dramatize their views by helping bad guys exploit security breaches.

Matt Blaze’s assessment at the time was typical: “as a researcher who often faces the dilemma of disclosing exploitable weaknesses in fielded systems, I'm not entirely comfortable defending all of Mr. Soghoian's choices in creating his demo and putting it online.” He was right.

So before you demand answers for your questions – or praise for your tactics – I think you ought to answer one of mine: Have you ever apologized?

Stewart

Um, haven't we been saying that identification doesn't solve the problem of securing airplane flight? So why should doing a better job of identification cause us to want to give the TSA any props? A great solution to a wrong problem definition simply gives us reason for MORE scorn.

Um, maybe so, but I think you're wrong. Identification is critical to good security. Everyone thinks the Israeli air security system is pretty good. Try getting past them without presenting ID.

Um, maybe so, but flour is a key ingredient to cake. Everyone thinks that cake is delicious. Try getting something delicious without flour.

Stewart, the Israeli air security system is pretty good, but not because they look at IDs. It's good because they do behavioral profiling. They don't care if I'm John Smith or George Dubya; they are a lot more interested in what country I'm from, what I've been doing there (or what I'm planning to do there if I'm arriving), etc. The ID check just gives an opportunity to observe behavior.

TSA security, on the other hand, is like protecting against pink elephants - the fact that no pink elephants have ever gotten through TSA, and they'll continue to do a great job preventing them from getting through, has nothing to do with security. It has to do with illusions.

A few years ago I noticed a copy of Brave New World sitting on top of the TSA scanner at Dulles. Was it left there intentionally by a customer? Maybe by a TSA employee who understands the silliness of his/her actions?

Jeremy,

I agree that the Israelis are interested in all of the things you say, but to suggest they "don't care" who you are is, well, preposterous. They would certainly care whether the things you say are true, and so they want to know that you are who you say you are. If they want to check your story, they will also need your ID.

Stewart,

I have never apologized for my activism. I did, however, fly out to Washington DC a couple times to meet with TSA officials (once the investigation was over), and participated in a blue skies threat analysis exercise. TSA did not first require an apology before they paid for my plane tickets and hotel.

Frankly, I do not think you are at all qualified to criticize the manner in which "responsible advocates" disclose and publicize security vulnerabilities. How many vulnerabilities have you discovered and disclosed (responsibly or otherwise)?

While there is still no disclosure "norm" in the security field, the "responsible disclosure" method generally involves tipping off the vulnerable party a few weeks/months ahead of the public release.

That is the disclosure model I followed when I discovered and disclosed a security flaw in the Firefox browser add-on update process. Mozilla, Google, Yahoo and Facebook (whose toolbars were also vulnerable) were provided with advance notice, giving them enough time to roll out a fix before the flaw was announced. See: http://voices.washingtonpost.com/securityfix/2007/05/bungled_addon_updates_endanger.html

In the case of TSA's boarding pass vulnerability, there was simply no point in following the responsible disclosure model -- because TSA had known about the vulnerability for years, and had not done anything to fix it. Responsible disclosure is appropriate for vendors that are willing and ready to develop and deploy a fix. Since TSA had proven themselves unwilling to listen to both security experts and a US Senator, I saw no need to provide them with prior notice.

Stewart,

There are two very different threat cases that positive ID is attempting to solve. One is a small list (order of 1,000 names) of people so dangerous that they cannot fly under any circumstance. The other are the lists of somewhere between 50,000 and 100,000 people requiring extra screening and alerting the government of their flight plans, and 100,000+ people requiring alerting the government of their flight plans.

For the 1,000 no fly list members, this new system will prevent them from passing through security by presenting an ID with their real name on it. But I'm betting these guys have some better tricks up their sleeves.

For the second and third categories, they are allowed to fly, just under increased scrutiny. If they are allowed to fly, then there is no reason for them to care about using their real name at the checkpoint other than avoiding SSSSSSS. Assuming they get past screening successfully, things are exactly the same as they were before this improved protocol was enacted, except we positively know that a selectee or watch list traveler may or may not be on board one of the hundreds of flights leaving the airport. So how does this new system improve security in this case?

I can think of two big security measures off the top of my head which are vulnerable to Matt's "fake security hole", however:

1) The air marshal program: Perhaps we'd like to put air marshals on the flights with selectees and watch listers, and not some other flight. Hell, if I were a Bad Guy I'd use a 14 hour international flight or Alaska to Miami red-eye as my real name cover flight just to stretch the air marshals thin and kill the TSA's budget.

2) Traffic analysis: Presumably knowing which subjects were in the same city at the same time is useful for our intelligence agencies. If I can board a different flight under a fake name while the spooks are all looking in the wrong city for a big meet-up I think I'm ahead.

So either Matt has pointed out a serious (I'd say more serious than the comparatively limited no fly list) vulnerability in the selectee and watch lists and the security assumptions around them, or you're claiming that we can get rid of the requirement that airlines report the flight details of people on the selectee and watch lists to the government, because they aren't used for anything.

So yes, this new positive ID at checkpoint check doesn't make us less secure and helps in a fairly narrow (but PR poisonous to the layman) case. But it ignores the broader security risks and the interaction of various security measures with one another.

Putting bars over the windows when the barn door is missing...

EC,

1. We agree that the new system adds security against no-flys.

2. You think it does nothing for selectees. I disagree. It allows greater scrutiny at the point that matters -- the checkpoint. As with no-flys, bad guys can't avoid the scrutiny by flashing a Soghoian-style forged boarding pass.

3. You think there are still two other security holes that Blazeans could exploit:
a. If they bought two tickets, they could get air marshals to take the wrong flight, though they'd never know whether that (expensive) scam succeeded. I can't call that a serious security hole. More like a prank.
b. We couldn't count on airline reservations for intelligence purposes to identify the travel plans of bad guys. Of course we couldn't before, either, so at worst this means we haven't solved every problem under the sun. And think how artificial this alleged security hole is. The bad guy has to think that he's being surveilled. He has to want to go to an out of town meeting with other bad guys despite the surveillance. And he is willing to buy two tickets to throw people off the track. Why not just drive? And he'd better not buy the second ticket with his credit card or use his phone to make the reservation because, remember, he's under surveillance. And, of course, from TSA's point of view, that's not an air security hole, it's an investigative demi-semi-hole. It doesn't make us less safe except in a very roundabout way.

Finally, let's remember what started this debate. Matt Blaze said that the new measures are "ineffective" and "ill-conceived" and yield "little actual gain in security". If your hypotheticals are the worst that can be said about the new measures, Matt's still dead wrong.

"Identification is critical to good security."

I keep hearing this from TSA and its apologists, and yet none of them are capable of explaining what identification does to enhance security. It's almost like they're lying or something.

John,

Is that a bit of sneering I hear?

If you read all the exchanges above, you wouldn't do that. In one sentence, the reason is this: We have a lot of information about people who shouldn't fly without careful scrutiny, but it's organized by name and birthdate, so if bad guys can use bad ID to change their names and birthdates, they can beat our security system.

TSA: They're not lying, and they're not stupid.

Stewart

The airlines might check names against the no fly list, but the person doing the ID check at either the primary checkpoint or the gate has no idea of who is on the no fly list. I often fly and have never, ever seen a computer terminal at the ID checker's desk. So it follows that TSA either overestimates its ability to detect a bogus flyer or it makes the assumption that motion equals work. Either way the ID check is nothing but a smoke screen.

Please explain how ID checking contributes, in any way, shape or form, to security. The original 9/11 hijackers flew under their own name and were known to the FBI and CIA. More to the point, the Watch List doesn't contain the names of the most dangerous terrorists -- another "security precaution." Finally, please explain how the TSA can claim to keep us safe when it STILL does not inspect all cargo and U.S. mail, both of which are loaded aboard every single commercial flight.

Enough with the dog-and-pony show, already. We who are frequent fliers know better. TSA provides no additional security beyond what we had before 9/11, and trespasses on constitutionally-reserved rights on a daily basis. Stop being a cheerleader for tyranny.

I know frequent travelers are annoyed by TSA checkpoints, but if you had read the rest of the comments, you wouldn't be asking for the explanation, and you wouldn't think that the 9/11 experience was an irrefutable demonstration. Also, don't you think it's a bit inconsistent to claim that TSA's process does nothing for security and, shockingly, hasn't been extended to cargo and mail? Reminds me of the old joke: "The food here is terrible." "Yes, and the portions are disappointingly small."

Hmmm, annoyed at the checkpoints? No, much more annoyed at the inconsistencies of the checkpoints as a bag that gets not a second glance at one airport gets disassembled at another while TSA allows totally unscreened cargo to fly because it costs too much and TSA lacks the man-power to check it on a timely basis.

We read the EOS blog and expect a new procedure to go as published, only to find that the new procedure publicly published bears little to no resemblance to reality at the checkpoints. We're told to read the instructions at the TSA website and find the documents poorly written, full of conflicting information and not in agreement between documents. Sort of hard for a traveler to make much sense of what the government wants us to do under those conditions, isn't it, Stewart?

TSA had a chance to deal with these and other issues early on and chose to ignore valid complaints about:

Abuse of authority
Luggage thefts due to TSA mandating luggage be left unlocked
Gate grope (ever had your scrotum felt up during a pat down while attempting to board the aircraft Stewart?)
War on liquids
War on shoe bombs (Richard Reid and only once in hundreds of millions of passengers)
Constitutional violations (exceeding the authority of the administrative search for weapons, explosives, and incendiary devices)

You don't get out much it looks like, so why don't you pop on over to the security section of Flyertalk, get an account and post. The kind folks over there will be more than willing to share their experiences with TSA. Try it out.

Too much security, too little security -- the only thing consistent in AngryMiller's comment is that TSA is always wrong. No wonder you're angry. But I don't think you qualify as much of a security commenter if you object to shoe checks because the use of shoe bombs only happened "once in hundreds of millions of passengers." Do you think our adversaries are idiots? If we hadn't taken action to stop shoe bombs, they'd have used them again. And again. Instead of nursing your anger you might ask yourself what you would have done about shoebombs -- and how you'd have explained what you did to the families of the dead if you got it wrong.

(And if it makes you feel better, I'm closing in on 1 million lifetime airline miles, and I've had TSA patdowns that I would usually allow only after a very nice dinner, and a second date.)

Stewart, do you believe in security at any cost? What is an acceptable cost vs threat level to you? We've spent billions of dollars on the shoe carnival and have gotten how much in return? Is the threat of terrorism much higher here in the US than any other nation on the face of the earth? Why invest so much on one of a multitude of threats facing the US when there's so many much softer targets available to terrorists?

Please show me where I said TSA is always wrong. TSA was a good idea, but very poorly put into action. The lack of response from TSA management to valid complaints/concerns shows a callous disregard for customer service and the citizens it supposedly protects.

I wasn't snarky towards you, but what can you expect from a government sycophant, eh?

Stewart, you should listen to Harry Shearer's Le Show and his segment on "Tales of Airport Security". Practically every experience I've had with TSA screeners has left me incredibly aware of how fucking retarded the security is at airports. I've had a small screwdriver confiscated from a bag, but the screener didn't see the other three screwdrivers sitting next to it. I like the comment that it's a dog and pony show, because that's what it is. A giant pain in the ass for the illusion of security, all because people like you don't listen to people like Matt Blaze. Instead of getting defensive, maybe you should pull your head out and listen to what the problems are. He's got a point, you know.

Any security process that doesn't do effective profiling is a waste of time. Spending as much time on a family with three small children as on a single-adult traveling one-way, that's just not effective security screening.

Also, 9/11 was an inside job, and at least 7 of the 9/11 hijackers are still alive, which I think is what makes me so annoyed at the increased hassle of flying these days.
