Monday, December 28, 2009

Security Theater

Yes, I am one of those assholes who brings everything as carry-on on the plane that she isn't supposed to. My most frequent candidates are a set of lockpicks which I have in the past three months carried through no less than seven different airports (props to Flagstaff, Arizona for at least removing them from my bag to look at them before permitting me to carry them on board). Other frequent fliers are the more mundane large bottles of shampoo and conditioner, tubes of toothpaste, wires, electronic pieces, breadboards, and various other oddities. The only things I have ever had confiscated were a pair of cans of Rockstar, and a part of me thinks that might have been mostly because the TSA employee was thirsty. I did have a pretty near miss though when those same Flagstaff employees took a long hard look and an extra scan of my copy of The Little Prince. I guess you never can be too careful with those terrorist French and their mindless propaganda.

For a long time I attributed this to the fact that I would intentionally wear clothes to the airport which marked me as working for the feds. I learned the power of flying with a federal logo stamped on you once when confronted by a slightly baffled TSA employee who had recently extracted a cast-iron wok from my carry-on luggage (long story).

"What is this?"

"That, sir," I slid my thumbs along the top of the zipper of my ratty hoodie to flick what would have been the collar forward, emphasizing the federal logo on the right breast, "is a wok."

"Oh," he said, but I watched his eyes catch the logo.

"Will that be all?"

"Uh, yes," he said and handed me the wok. I took it and walked before hearing one of the last calls for boarding on my flight, at which point I bolted down the terminal, still carrying the cooking implement in my left hand, trying to hold it as little like a club as possible. The TSA employee never said a word; he had probably gone on to the next customer by that time.

The "official-looking" hoodie was out of the gift shop. It wasn't like there had been a whole lot of other places to buy clothes when you're stranded on a federal base.

After I was given my uniform jacket I felt comfortable pushing the limitations much further to almost no resistance. Eventually I decided to forgo the effort of donning the jacket: while it is very comfortable, I dislike the stares I collect when wearing it in public.

It seems I am not alone in this activity. In this hilarious and rather well-written article one Jeffrey Goldberg describes bringing scissors, multiple large bottles of anything he pleases so long as they are labeled to be contact solution, a false beer belly of beer, a knife, and various other things as carry-on. To make this more amusing he did it while also carrying things like a three foot by four foot Hezbollah flag and wearing shirts printed with lines like "Osama Bin Ladin: Hero of Islam." His article brought up another fun issue in the ID triangle: namely that you can fly if you are on the no-fly list. This is done in a few simple steps.
  1. Buy a ticket that isn't in your real name. This is where the name is checked against the no-fly list and so your fake name will not trigger anything.
  2. Print your real boarding pass.
  3. Print a fake boarding pass with your real name.
  4. Go through security with your fake boarding pass and your real ID. All that is checked here is that your boarding pass matches your ID. It is not checked against the master no-fly list.
  5. Present your real ticket at the gate. Since your ID is not checked here, nobody will notice the name does not match. Since it is a real boarding pass it will pass the barcode scanner, when your fake one would not.
The article recommended using Photoshop, but Christopher Soghoian made a wonderful little tool which will generate passes for you automatically for Northwest Airlines flights. While the FBI eventually shut him down, the mirror of the code was left. He also wrote a neat little paper on it with plenty of information about how these loops might be closed. It has been available two and a half years now and ignored by official channels quite efficiently aside from their attempts to bring him to court for publishing it.

More disturbing are the 2002 warnings of Bruce Schneier (of crypto war fame) about these large-scale systems, as summarized by another author, Mann. They have also been primarily ignored.

The argument that a system which relies on secrecy to function (as our airport security system does) is inherently ineffective, because such secrets are not well kept, is part of what has made modern cryptology what it is today, and it is considered a well-beaten dead horse by many.

However, some other concepts pulled from the article I found quite novel. For example, if a piece of facial recognition software is accurate 99.32% of the time as claimed by certain manufacturers, and if good-quality photographs of all the terrorists are available, and if an airport had 25 million people go through it a year (such as Boston according to 2001 statistics) then you flag up to 170,000 people each year as terrorists from a single medium-sized airport. Consider that we have had well under 100 terrorists on airplanes nation-wide over a span of about 10 years and that this alarm would go off approximately 500 times a day per airport of this size. This is an alarm which would get rapidly downplayed or ignored by stressed-out TSA employees who are just trying to contain a small mob of people who are all frantically trying to make their flights. What does this mean? It means the enterprising young hacker will still be in an environment where a little charisma will get him through the gate, and the same goes for a terrorist.
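The base-rate arithmetic above, worked through as an added example (not from Mann's article or this post's author). It assumes the 99.32% figure is both the hit rate and the correct-rejection rate, and that 10 real targets a year pass through this one airport, which is a deliberately generous ceiling given the "well under 100 nation-wide in 10 years" figure.

```python
"""Base-rate check for a screening alarm (added example; inputs are taken
from the post where noted and are otherwise labelled assumptions)."""
from dataclasses import dataclass


@dataclass
class Screen:
    population: int      # people screened per year
    targets: int         # real targets among them (assumption)
    sensitivity: float   # P(alarm | target)
    specificity: float   # P(no alarm | non-target)

    @property
    def true_alarms(self) -> float:
        return self.targets * self.sensitivity

    @property
    def false_alarms(self) -> float:
        return (self.population - self.targets) * (1.0 - self.specificity)

    def ppv(self) -> float:
        """Probability that any given alarm points at a real target."""
        total = self.true_alarms + self.false_alarms
        return self.true_alarms / total if total else 0.0

    def specificity_for_ppv(self, target_ppv: float) -> float:
        """Specificity needed for alarms to be right `target_ppv` of the time."""
        allowed_false = self.true_alarms * (1.0 - target_ppv) / target_ppv
        return 1.0 - allowed_false / (self.population - self.targets)


# From the post: 25 million travellers a year, 99.32% accuracy.
# Assumed: 10 targets a year at this airport; accuracy applies both ways.
BOSTON = Screen(25_000_000, 10, 0.9932, 0.9932)

if __name__ == "__main__":
    print(f"false alarms/year:        {BOSTON.false_alarms:,.0f}")
    print(f"false alarms/day:         {BOSTON.false_alarms / 365:,.0f}")
    print(f"chance an alarm is real:  {BOSTON.ppv():.4%}")
    print(f"specificity for 50% real: {BOSTON.specificity_for_ppv(0.5):.7%}")
```

Even with the generous target count, roughly one alarm in 17,000 is real, and the scanner would need better than 99.9999% specificity before half its alarms were worth acting on.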

Biometric information suffers many of the same abuses in the article: that as long as we continue to put our absolute faith in imperfect technology (as all technology always is) and have no proper situation to handle its failure, we will be left disappointed in the results. Inattentive guards in the Mann article permitted researchers to game the fingerprint and other biometric readers in any number of ways in the middle of airports. This included doing things like holding masks up over their eyes to fake a retina scan.

Part of this we have fed ourselves. To admit that our systems are fallible or downright ineffective would be to admit a mistake. Every time something bad happens the public wants to believe that Something Is Being Done, and as time passes we are putting more into making sure that our "corrections" are highly visible than that they have impact. Here's a great example:

Special measures have been taken to make it impossible for a terrorist to repeat the Detroit bombing attempt. Mr Abdulmutallab had emerged from the toilet, put a blanket on his lap complaining of an upset stomach, then tried to set off the bomb. Passengers and crew restrained him as flames leapt from his clothing.

In the final hour before landing in the US, passengers are now banned from standing up, using toilets and holding blankets.

Aside from the ACLU, which I am sure is already drooling over the fact that use of a lavatory is generally not considered something you can reasonably deny a person in need (it is not legal for things like schools to operate when the bathrooms are broken for this reason), comes the general point that causing a four year old child to piss themselves will not make America safer. Small children (like most sane people) hate plane bathrooms. They are renowned for holding it in as long as possible, and for disregarding parents' warnings that "if you don't go now there won't be another stop for a while." Ask any parent who has taken a small child on a significant car ride. Furthermore, I'm pretty sure whoever gets to sit in a wet seat next flight won't feel America is a whole lot safer either. What will, for the most part, happen? When people have to go, they have to go, and the attendants will probably let them go if they beg hard enough.

What does that mean? It means this is a rule we will put our faith in, but that people will not keep. This is a common security problem: take offices where password changes are mandated so often that people have trouble remembering them. Instead they just slap an incrementing number on the end of the password or write it on a slip of paper on their desk. Other examples are the numerous recorded times when government officials have taken restricted information off of the protected government networks to unsecured computers. They do this because doing work on the secured computers is made slow and tedious by the oppressive security measures.

As long as our government continues to take this heavy-handed blanket approach to our security in airports people will keep adding loopholes, whether formal (such as permitting people to print their own boarding passes) or informal (such as using the bathroom), to keep the system functioning. These gaps, combined with our absolute faith in the technology which is meant to prevent them, provide fantastic exploratory spaces for hackers. I genuinely hope to see many published exploits in the coming months from clever young minds, and I hope they are found, made public enough to be an embarrassment, and corrected before anybody malicious takes advantage of them.

Happy hunting.
