TSA has taken another couple of steps to improve air security. For starters, airline ID checkers are actually checking IDs -- with black lights and magnifying glasses. And now they're getting ready to scan boarding passes in order to make it harder to use a fake boarding pass.
You'd think the agency would get a bit of praise for trying to improve security without slowing travelers. Instead, among privacy advocates, there is only one possible response to TSA security measures: condescension. They have to sneer, even if they make themselves look a lot dumber than the agency in the process.
To take one example, Matt Blaze, a well-known privacy advocate and security buff, is criticizing TSA's new boarding-pass scanners as "ineffective" and "ill-conceived" with "little actual gain in security". Matt's a pretty smart guy, but his criticism is inexplicable. TSA has fixed a real security hole and deserves credit for the new security. Instead, in an effort to sneer at TSA, Matt has invented a fake security hole and then criticized the agency for not fixing the fake hole too.
Let's remember the security concern that got this started. A student named Chris Soghoian demonstrated that a terrorist could avoid the no-fly list with a five-step process: (1) he buys his tickets in a fake name, (2) he gets a boarding pass in that name and stuffs it in his pocket, (3) he then pulls out a fake boarding pass in his real name that he prepared on a home printer, (4) he shows his real ID plus the fake boarding pass at the TSA checkpoint, and (5) he uses the real boarding pass with the fake name to board the plane.
Or, as put more succinctly by the Washington Post, "the loophole is that boarding passes are compared to a person's ID only at initial security checkpoints, not at the gates where passengers board planes. Also, the passes are scanned and verified only at departure gates, not security checkpoints."
(Long double-pointed aside: to be fair, the hole had been pointed out before, by Bruce Schneier. Soghoian's contribution was irresponsible but attention-getting. He created a website where anyone, including terrorists who needed a little technical help, could generate fake boarding passes. Soghoian was investigated for criminal violations by the FBI and for civil violations by TSA. Rep. Edward J. Markey (D-Mass.) first called for Soghoian's arrest but later called the stunt a public service. "He picked a lousy way of doing it, but he should not go to jail for his bad judgment," Markey said. In the end, no charges were pressed.)
Okay, back to the thread: If the security hole is that "the passes are scanned and verified only at departure gates, not security checkpoints," doesn't TSA's new approach actually close that hole -- by, you know, scanning and verifying the passes at the security checkpoint? Seems like this really will keep people from using a fake boarding pass to get past security.
So how can Matt Blaze call TSA's new measure "ineffective" and "ill-conceived" with "little actual gain in security"?
Only by changing the subject.
Blaze recasts the security problem from avoiding the no-fly list to "anonymous flying." Blaze says "it's still as easy for a bad guy to get on a plane without the government knowing his or her true name." But he means that in a very special way apparently comprehensible only to privacy advocates. When he says that the government won't know the bad guy's true name, he means that the government actually will know the bad guy's true name, but that it might not know which plane the bad guy got on.
Here's how Blaze says you can avoid the new security measure. First buy two real tickets, one in a fake name and one in your real name. You then use your real-name boarding pass and ID to get past the security check, at which point you can board the other flight using your fake-name boarding pass.
Well, that might be a devastating hole -- if TSA's job were to prevent "anonymous flying." But it's not. TSA's new measure is meant to keep people on the no-fly list from, well, from flying. If the only way for bad guys to beat the system is to buy tickets in their own names, then they'll be caught by the no-fly list.
The whole point of the Soghoian caper and the Schneier critique was that you never needed to give your real name to the airlines, so your real name wouldn't be checked against the no-fly list. Now you do, and now it will be.
Matt can only describe the new measures as "ineffective" by ignoring the security hole that Soghoian was trying to dramatize and that TSA is trying to fix.
Moral: Sneering at TSA may seem like shooting fish in a barrel, but first make sure your foot isn't under the barrel.
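The two sequences described in this post can be run against a small model of the checks, which separates the property the checkpoint scanners restore (a listed name cannot board) from the one the two-ticket sequence leaves open (the boarded flight is recorded under the traveler's true name). This is an added example, not part of the original post; the names, flight labels and the optional ID comparison at the gate are assumptions made for illustration.

```python
from dataclasses import dataclass

NO_FLY = {"Real Name"}   # constructed list entry, not real data
ALIAS = "Alias Name"     # constructed name used when buying a ticket


@dataclass(frozen=True)
class Pass:
    name: str
    flight: str
    genuine: bool        # True only when the airline issued it for a real ticket


def airline_issue(name, flight):
    """Ticketing: the airline screens the name it is given against the list."""
    if name in NO_FLY:
        return None
    return Pass(name, flight, genuine=True)


def checkpoint(id_name, shown, scan):
    """The ID is compared to the pass; only a scanning checkpoint verifies the pass."""
    if shown is None or id_name != shown.name:
        return False
    return shown.genuine or not scan


def gate(id_name, used, gate_id_check):
    """The gate always scans the pass; comparing it to the ID is the optional variant."""
    if used is None or not used.genuine:
        return False
    return used.name == id_name if gate_id_check else True


def run(true_name, shown, used, scan, gate_id_check=False):
    """Return (boarded, flew_under_true_name) for a traveler carrying real ID."""
    boarded = checkpoint(true_name, shown, scan) and gate(true_name, used, gate_id_check)
    return boarded, boarded and used.name == true_name


def forged_pass_scenario(true_name, scan, gate_id_check=False):
    """The five-step sequence: home-printed pass at the checkpoint, real pass at the gate."""
    used = airline_issue(ALIAS, "F1")
    shown = Pass(true_name, "F1", genuine=False)
    return run(true_name, shown, used, scan, gate_id_check)


def two_ticket_scenario(true_name, scan, gate_id_check=False):
    """Two real tickets: the true-name pass at the checkpoint, the other at the gate."""
    shown = airline_issue(true_name, "F2")   # None when the true name is listed
    used = airline_issue(ALIAS, "F1")
    return run(true_name, shown, used, scan, gate_id_check)


if __name__ == "__main__":
    cases = [
        ("forged pass, visual checkpoint, listed", forged_pass_scenario("Real Name", scan=False)),
        ("forged pass, scanning checkpoint, listed", forged_pass_scenario("Real Name", scan=True)),
        ("two tickets, scanning checkpoint, listed", two_ticket_scenario("Real Name", scan=True)),
        ("two tickets, scanning checkpoint, unlisted", two_ticket_scenario("Watched Name", scan=True)),
        ("two tickets, scan plus gate ID, unlisted",
         two_ticket_scenario("Watched Name", scan=True, gate_id_check=True)),
    ]
    for label, (boarded, true_name_flight) in cases:
        print(f"{label:45} boarded={boarded!s:5} under_true_name={true_name_flight}")
```

In the model the scanning checkpoint stops a listed traveler in both sequences, while an unlisted traveler still boards under the other name unless the gate also compares the pass to the ID.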
Hi Stewart,
I must admit, I don't get your point here. You seem to be taking me to task for pointing out that the TSA's new (and presumably expensive) security measure can be easily defeated, as opposed, I guess, to praising them for trying.
Unfortunately, that's not how security protocol design works. Weak protocols are weak, regardless of how well intentioned they might be, and the only way to make them stronger is to identify the weaknesses. Surely you of all people, someone who once represented America's premier designer of security protocols, understand this.
The TSA's new system fails to achieve the security goal of preventing suspected bad guys from boarding planes under false names. One of the problems is that the new scanners are in the wrong places -- at the security checkpoints instead of at the boarding gates. But you must already know this, because the quote that you included in your post (from the Washington Post) points out exactly that:
"...the loophole is that boarding passes are compared to a person's ID only at initial security checkpoints, not at the gates where passengers board planes."
In the new system, ID check is still being performed in the wrong place -- at the security checkpoint, rather than at the boarding gate, which is where we find out who is actually getting on what planes.
Maybe the TSA deserves praise for trying. I agree (and have pointed out myself) that they have an impossible job, with no clear success metrics and a poor public relations history. But that doesn't change the fact that the protocol is still flawed, broken in essentially the same way that it was before they tried to fix it.
-matt
Posted by: Matt Blaze | Sep 19, 2009 at 04:27 PM
I should add, in particular, the new system improves security only against people on the "no fly" list, but still fails to track those in the (much larger) "selectee" and "watch" databases.
Posted by: Matt Blaze | Sep 19, 2009 at 04:44 PM
Stewart,
Not only had the no-fly list flaw been previously pointed out by Bruce Schneier, but it had also been repeatedly highlighted by Senator Chuck Schumer (see http://schumer.senate.gov/new_website/record.cfm?id=259517). TSA not only ignored the warnings of a widely known security expert, but a US Senator.
In your post, you call my actions "irresponsible". Now that you are no longer a government employee, perhaps you can reveal the actions that you took internally to address the gigantic security flaw which made the no-fly list an ineffective, (even bigger) waste of money and resources.
This was, of course, not my only interaction with TSA.
In February 2007, I revealed that a TSA website was collecting private passenger information in a highly insecure manner. The website was intended to provide a way for passengers to file disputes in the event that they were incorrectly included on the No fly list. Passengers who submitted their information through the website were at risk of identity theft. TSA shut down, fixed and then relaunched the website within days, after the press picked up the story.
In January 2008, The House Committee on Oversight and Government Reform issued a report on the website flaw, after a several month investigation.
The report stated that the flawed website had operated insecurely for over four months during which over 247 people had submitted personal information using the insecure web-forms. According to the report, the TSA manager responsible for assigning the contract was a high-school friend and former employee of the owner of the firm that created the website.
The report also noted that "neither [the private contractor] nor the technical lead on the traveler redress Web site have been sanctioned by TSA for their roles in the deployment of an insecure Web site. TSA continues to pay Desyne to host and maintain two major Web-based information systems. TSA has taken no steps to discipline the technical lead, who still holds a senior program management position at TSA."
While you clearly don't appreciate my tactics, perhaps you will at least acknowledge that the taxpayer is better off due to my work.
Posted by: Christopher Soghoian | Sep 19, 2009 at 05:57 PM
Matt, Chris,
I see you both subscribe to Google blog alerts.
Matt, I disagree that TSA has implemented weak but “well intentioned" security. As far as I can see, you haven’t explained what is "weak" about TSA's measure. You've just asserted weakness without demonstrating it. As I see it, you do that by assuming a “security goal” that hasn't been met – “the security goal of preventing suspected bad guys from boarding planes under false names." But you don’t offer any evidence that that is TSA's goal or that it should be TSA’s goal.
Why do you think that the checks have to take place at the gate or they’re ineffective? Checks at the gate would only be necessary if we wanted different security protocols for different flights. That doesn’t seem like a particularly useful security measure to me, and it would be astonishingly expensive, so I think it's fair to ask you to explain why it’s necessary.
The new system is not broken. It addresses a real security concern. That doesn’t mean that there aren’t other security risks, but I can’t for the life of me figure out why you think your “exploit” is one of them. Maybe you can tell me what bad thing would happen if people could switch flights as you describe.
(I also question your view that the new system protects against no-flys but won’t protect against selectees. An electronic system at the checkpoint should allow more secure and fine-grained communication about selectees than the current system.)
Stewart
Chris,
I called your action irresponsible because that's what it was. No one defended what you did. Responsible advocates don't dramatize their views by helping bad guys exploit security breaches.
Matt Blaze’s assessment at the time was typical: “as a researcher who often faces the dilemma of disclosing exploitable weaknesses in fielded systems, I'm not entirely comfortable defending all of Mr. Soghoian's choices in creating his demo and putting it online.” He was right.
So before you demand answers for your questions – or praise for your tactics – I think you ought to answer one of mine: Have you ever apologized?
Stewart
Posted by: Stewart Baker | Sep 19, 2009 at 10:40 PM
Um, haven't we been saying that identification doesn't solve the problem of securing airplane flight? So why should doing a better job of identification cause us to want to give the TSA any props? A great solution to a wrong problem definition simply gives us reason for MORE scorn.
Posted by: Russell Nelson | Sep 19, 2009 at 11:37 PM
Um, maybe so, but I think you're wrong. Identification is critical to good security. Everyone thinks the Israeli air security system is pretty good. Try getting past them without presenting ID.
Posted by: Stewart Baker | Sep 19, 2009 at 11:55 PM
Um, maybe so, but flour is a key ingredient to cake. Everyone thinks that cake is delicious. Try getting something delicious without flour.
Posted by: Koz | Sep 20, 2009 at 06:51 AM
Stewart, the Israeli air security system is pretty good, but not because they look at IDs. It's good because they do behavioral profiling. They don't care if I'm John Smith or George Dubya; they are a lot more interested in what country I'm from, what I've been doing there (or what I'm planning to do there if I'm arriving), etc. The ID check just gives an opportunity to observe behavior.
TSA security, on the other hand, is like protecting against pink elephants - the fact that no pink elephants have ever gotten through TSA, and they'll continue to do a great job preventing them from getting through, has nothing to do with security. It has to do with illusions.
A few years ago I noticed a copy of Brave New World sitting on top of the TSA scanner at Dulles. Was it left there intentionally by a customer? Maybe by a TSA employee who understands the silliness of his/her actions?
Posted by: Jeremy | Sep 20, 2009 at 08:55 AM
Jeremy,
I agree that the Israelis are interested in all of the things you say, but to suggest they "don't care" who you are is, well, preposterous. They would certainly care whether the things you say are true, and so they want to know that you are who you say you are. If they want to check your story, they will also need your ID.
Posted by: Stewart Baker | Sep 20, 2009 at 09:32 AM
Stewart,
I have never apologized for my activism. I did, however, fly out to Washington DC a couple times to meet with TSA officials (once the investigation was over), and participated in a blue skies threat analysis exercise. TSA did not first require an apology before they paid for my plane tickets and hotel.
Frankly, I do not think you are at all qualified to criticize the manner in which "responsible advocates" disclose and publicize security vulnerabilities. How many vulnerabilities have you discovered and disclosed (responsibly or otherwise)?
While there is still no disclosure "norm" in the security field, the "responsible disclosure" method generally involves tipping off the vulnerable party a few weeks/months ahead of the public release.
That is the disclosure model I followed when I discovered and disclosed a security flaw in the Firefox browser add-on update process. Mozilla, Google, Yahoo and Facebook (whose toolbars were also vulnerable) were provided with advanced notice, giving them enough time to roll out a fix before the flaw was announced. See: http://voices.washingtonpost.com/securityfix/2007/05/bungled_addon_updates_endanger.html
In the case of TSA's boarding pass vulnerability, there was simply no point in following the responsible disclosure model -- because TSA had known about the vulnerability for years, and had not done anything to fix it. Responsible disclosure is appropriate for vendors that are willing and ready to develop and deploy a fix. Since TSA had proven themselves unwilling to listen to both security experts and a US Senator, I saw no need to provide them with prior notice.
Posted by: Christopher Soghoian | Sep 20, 2009 at 04:28 PM
Stewart,
There are two very different threat cases that positive ID is attempting to solve. One is a small list (order of 1,000 names) of people so dangerous that they cannot fly under any circumstance. The other are the lists of somewhere between 50,000 and 100,000 people requiring extra screening and alerting the government of their flight plans, and 100,000+ people requiring alerting the government of their flight plans.
For the 1,000 no fly list members, this new system will prevent them from passing through security by presenting an ID with their real name on it. But I'm betting these guys have some better tricks up their sleeves.
For the second and third categories, they are allowed to fly, just under increased scrutiny. If they are allowed to fly, then there is no reason for them to care about using their real name at the checkpoint other than avoiding SSSSSSS. Assuming they get past screening successfully, things are exactly the same as they were before this improved protocol was enacted, except we positively know that a selectee or watch list traveler may or may not be on board one of the hundreds of flights leaving the airport. So how does this new system improve security in this case?
I can think of two big security measures off the top of my head which are vulnerable to Matt's "fake security hole", however:
1) The air marshal program: Perhaps we'd like to put air marshals on the flights with selectees and watch listers, and not some other flight. Hell, if I were a Bad Guy I'd use a 14 hour international flight or Alaska to Miami red-eye as my real name cover flight just to stretch the air marshals thin and kill the TSA's budget.
2) Traffic analysis: Presumably knowing which subjects were in the same city at the same time is useful for our intelligence agencies. If I can board a different flight under a fake name while the spooks are all looking in the wrong city for a big meet-up I think I'm ahead.
So either Matt has pointed out a serious (I'd say more serious than the comparatively limited no fly list) vulnerability in the selectee and watch lists and the security assumptions around them, or you're claiming that we can get rid of the requirement that airlines report the flight details of people on the selectee and watch lists to the government, because they aren't used for anything.
So yes, this new positive ID at checkpoint check doesn't make us less secure and helps in a fairly narrow (but PR poisonous to the layman) case. But it ignores the broader security risks and the interaction of various security measures with one another.
Putting bars over the windows when the barn door is missing...
Posted by: E.C. | Sep 23, 2009 at 02:56 PM
EC,
1. We agree that the new system adds security against no-flys.
2. You think it does nothing for selectees. I disagree. It allows greater scrutiny at the point that matters -- the checkpoint. As with no-flys, bad guys can't avoid the scrutiny by flashing a Soghoian-style forged boarding pass.
3. You think there are still two other security holes that Blazeans could exploit:
a. If they bought two tickets, they could get air marshals to take the wrong flight, though they'd never know whether that (expensive) scam succeeded. I can't call that a serious security hole. More like a prank.
b. We couldn't count on airline reservations for intelligence purposes to identify the travel plans of bad guys. Of course we couldn't before, either, so at worst this means we haven't solved every problem under the sun. And think how artificial this alleged security hole is. The bad guy has to think that he's being surveilled. He has to want to go to an out of town meeting with other bad guys despite the surveillance. And he is willing to buy two tickets to throw people off the track. Why not just drive? And he'd better not buy the second ticket with his credit card or use his phone to make the reservation because, remember, he's under surveillance. And, of course, from TSA's point of view, that's not an air security hole, it's an investigative demi-semi-hole. It doesn't make us less safe except in a very roundabout way.
Finally, let's remember what started this debate. Matt Blaze said that the new measures are "ineffective" and "ill-conceived" and yield "little actual gain in security". If your hypotheticals are the worst that can be said about the new measures, Matt's still dead wrong.
Posted by: Stewart Baker | Sep 23, 2009 at 09:55 PM
"Identification is critical to good security."
I keep hearing this from TSA and its apologists, and yet none of them are capable of explaining what identification does to enhance security. It's almost like they're lying or something.
Posted by: John Smith | Sep 24, 2009 at 11:03 AM
John,
Is that a bit of sneering I hear?
If you read all the exchanges above, you wouldn't do that. In one sentence, the reason is this: We have a lot of information about people who shouldn't fly without careful scrutiny, but it's organized by name and birthdate, so if bad guys can use bad ID to change their names and birthdates, they can beat our security system.
TSA: They're not lying, and they're not stupid.
Stewart
Posted by: Stewart Baker | Sep 24, 2009 at 06:44 PM
The airlines might check names against the no fly list, but the person doing the ID check at either the primary checkpoint or the gate has no idea of who is on the no fly list. I often fly and have never, ever seen a computer terminal at the ID checker's desk. So it follows that TSA either overestimates its ability to detect a bogus flyer or it makes the assumption that motion equals work. Either way the ID check is nothing but a smoke screen.
Posted by: Angry Miller | Sep 24, 2009 at 08:02 PM
Please explain how ID checking contributes, in any way, shape or form, to security. The original 9/11 hijackers flew under their own name and were known to the FBI and CIA. More to the point, the Watch List doesn't contain the names of the most dangerous terrorists -- another "security precaution." Finally, please explain how the TSA can claim to keep us safe when it STILL does not inspect all cargo and U.S. mail, both of which are loaded aboard every single commercial flight.
Enough with the dog-and-pony show, already. We who are frequent fliers know better. TSA provides no additional security beyond what we had before 9/11, and trespasses on constitutionally-reserved rights on a daily basis. Stop being a cheerleader for tyranny.
Posted by: PTravel | Sep 24, 2009 at 08:38 PM
I know frequent travelers are annoyed by TSA checkpoints, but if you had read the rest of the comments, you wouldn't be asking for the explanation, and you wouldn't think that the 9/11 experience was an irrefutable demonstration. Also, don't you think it's a bit inconsistent to claim that TSA's process does nothing for security and, shockingly, hasn't been extended to cargo and mail? Reminds me of the old joke: "The food here is terrible." "Yes, and the portions are disappointingly small."
Posted by: Stewart Baker | Sep 25, 2009 at 06:08 AM
Hmmm, annoyed at the checkpoints? No, much more annoyed at the inconsistencies of the checkpoints as a bag that gets not a second glance at one airport gets disassembled at another while TSA allows totally unscreened cargo to fly because it costs too much and TSA lacks the man-power to check it on a timely basis.
We read the EOS blog and expect a new procedure to go as published, only to find that the new procedure publicly published bears little to no resemblance to reality at the checkpoints. We're told to read the instructions at the TSA website and find the documents poorly written, full of conflicting information and not in agreement between documents. Sort of hard for a traveler to make much sense of what the government wants us to do under those conditions, isn't it, Stewart?
TSA had a chance to deal with these and other issues early on and chose to ignore valid complaints about:
Abuse of authority
Luggage thefts due to TSA mandating luggage be left unlocked
Gate grope (ever had your scrotum felt up during a pat down while attempting to board the aircraft Stewart?)
War on liquids
War on shoe bombs (Richard Reid and only once in hundreds of millions of passengers)
Constitutional violations (exceeding the authority of the administrative search for weapons, explosives, and incendiary devices)
You don't get out much it looks like, so why don't you pop on over to the security section of Flyertalk, get an account and post. The kind folks over there will be more than willing to share their experiences with TSA. Try it out.
Posted by: AngryMiller | Sep 25, 2009 at 06:32 AM
Too much security, too little security -- the only thing consistent in AngryMiller's comment is that TSA is always wrong. No wonder you're angry. But I don't think you qualify as much of a security commenter if you object to shoe checks because the use of shoe bombs only happened "once in hundreds of millions of passengers." Do you think our adversaries are idiots? If we hadn't taken action to stop shoe bombs, they'd have used them again. And again. Instead of nursing your anger you might ask yourself what you would have done about shoebombs -- and how you'd have explained what you did to the families of the dead if you got it wrong.
(And if it makes you feel better, I'm closing in on 1 million lifetime airline miles, and I've had TSA patdowns that I would usually allow only after a very nice dinner, and a second date.)
Posted by: Stewart Baker | Sep 25, 2009 at 12:54 PM
Stewart, do you believe in security at any cost? What is an acceptable cost vs threat level to you? We've spent billions of dollars on the shoe carnival and have gotten how much in return? Is the threat of terrorism much higher here in the US than any other nation on the face of the earth? Why invest so much on one of a multitude of threats facing the US when there's so many much softer targets available to terrorists?
Please show me where I said TSA is always wrong. TSA was a good idea, but very poorly put into action. The lack of response from TSA management to valid complaints/concerns shows a callous disregard for customer service and the citizens it supposedly protects.
I wasn't snarky towards you, but what can you expect from a government sycophant, eh?
Posted by: AngryMiller | Sep 25, 2009 at 03:17 PM
Stewart, you should listen to Harry Shearer's Le Show and his segment on "Tales of Airport Security". Practically every experience I've had with TSA screeners has left me incredibly aware of how fucking retarded the security is at airports. I've had a small screwdriver confiscated from a bag, but the screener didn't see the other three screwdrivers sitting next to it. I like the comment that it's a dog and pony show, because that's what it is. A giant pain in the ass for the illusion of security, all because people like you don't listen to people like Matt Blaze. Instead of getting defensive, maybe you should pull your head out and listen to what the problems are. He's got a point, you know.
Any security process that doesn't do effective profiling is a waste of time. Spending as much time on a family with three small children as on a single-adult traveling one-way, that's just not effective security screening.
Also, 9/11 was an inside job, and at least 7 of the 9/11 hijackers are still alive, which I think is what makes me so annoyed at the increased hassle of flying these days.
Posted by: Jeff L. | Dec 05, 2009 at 09:22 PM