<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: airport]]></title>
    <link>http://securityratty.com/tag/airport</link>
    <description></description>
    <pubDate>Wed, 10 Sep 2008 03:12:42 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Airport 'X-ray art' courts TSA trouble]]></title>
      <link>http://securityratty.com/article/b202335b37b59498ddae3e4c28f71b45</link>
      <guid>http://securityratty.com/article/b202335b37b59498ddae3e4c28f71b45</guid>
      <description><![CDATA[Techno-artist/open-source developer Evan Roth has a message for the Transportation Safety Administration -- several messages, actually -- about what he considers excessive airport security &quot;theater.&quot;...]]></description>
      <content:encoded><![CDATA[Techno-artist/open-source developer Evan Roth has a message for the Transportation Safety Administration -- several messages, actually -- about what he considers excessive airport security "theater." He also has chosen an intentionally provocative method of delivering those messages: the TSA's own X-ray screening machines.]]></content:encoded>
      <pubDate>Wed, 01 Oct 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/developer evan roth">developer evan roth</category>
      <category domain="http://securityratty.com/tag/transportation safety administration">transportation safety administration</category>
      <category domain="http://securityratty.com/tag/provocative method">provocative method</category>
      <category domain="http://securityratty.com/tag/messages">messages</category>
      <category domain="http://securityratty.com/tag/tsa">tsa</category>
      <category domain="http://securityratty.com/tag/x-ray">x-ray</category>
      <category domain="http://securityratty.com/tag/message">message</category>
      <category domain="http://securityratty.com/tag/theater">theater</category>
      <category domain="http://securityratty.com/tag/machines">machines</category>
      <source url="http://www.networkworld.com/columnists/2008/100208-buzz.html?fsrc=rss-security">Airport 'X-ray art' courts TSA trouble</source>
    </item>
    <item>
      <title><![CDATA[Really Good Point From Schneier ...]]></title>
      <link>http://securityratty.com/article/224dd81351c5dcee47e6095088342c98</link>
      <guid>http://securityratty.com/article/224dd81351c5dcee47e6095088342c98</guid>
      <description><![CDATA[Read all here ; the key point is: &quot;The same is true for knitting needles [...] and whatever else the airport screeners are confiscating this week. If there's no consequence to getting caught with it,...]]></description>
      <content:encoded><![CDATA[Read all <a href="http://www.schneier.com/blog/archives/2008/09/the_two_classes.html">here</a>; the key point is: "The same is true for knitting needles [...] and whatever else the airport screeners are confiscating this week.<span style="font-style: italic;"> If there's no consequence to getting caught with it, then confiscating it only hurts innocent people.</span> At best, it mildly annoys the terrorists.  <p>To fix this, airport security has to make a choice. <span style="font-weight: bold;">If something is dangerous, treat it as dangerous and treat anyone who tries to bring it on as potentially dangerous. If it's not dangerous, then stop trying to keep it off airplanes.</span> Trying to have it both ways just distracts the screeners from actually making us safer."</p><p>Doesn't it just make sense?!<br /></p><div class="blogger-post-footer">About me: http://www.chuvakin.org</div>]]></content:encoded>
      <pubDate>Wed, 01 Oct 2008 10:36:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/dangerous">dangerous</category>
      <category domain="http://securityratty.com/tag/hurts innocent people">hurts innocent people</category>
      <category domain="http://securityratty.com/tag/screeners">screeners</category>
      <category domain="http://securityratty.com/tag/airport screeners">airport screeners</category>
      <category domain="http://securityratty.com/tag/treat">treat</category>
      <category domain="http://securityratty.com/tag/airport security">airport security</category>
      <category domain="http://securityratty.com/tag/mildly annoys">mildly annoys</category>
      <category domain="http://securityratty.com/tag/consequence">consequence</category>
      <category domain="http://securityratty.com/tag/terrorists">terrorists</category>
      <source url="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~3/408639874/really-good-point-from-schneier.html">Really Good Point From Schneier ...</source>
    </item>
    <item>
      <title><![CDATA[$20M Cameras at New York's Freedom Tower are Pretty Sophisticated]]></title>
      <link>http://securityratty.com/article/1854e20c6c17653e3ad8d28eb7bdb765</link>
      <guid>http://securityratty.com/article/1854e20c6c17653e3ad8d28eb7bdb765</guid>
      <description><![CDATA[They're trying to detect anomalies : If you have ever wondered how security guards can possibly keep an unfailingly vigilant watch on every single one of dozens of television monitors, each depicting...]]></description>
      <content:encoded><![CDATA[<p>They're trying to <a href="http://cityroom.blogs.nytimes.com/2008/09/24/unblinking-eyes-for-20-million-at-freedom-tower/">detect anomalies</a>:</p>

<blockquote>If you have ever wondered how security guards can possibly keep an unfailingly vigilant watch on every single one of dozens of television monitors, each depicting a different scene, the answer seems to be (as you suspected): they can't.

<p>Instead, they can now rely on computers to constantly analyze the patterns, sizes, speeds, angles and motion picked up by the camera and determine -- based on how they have been programmed -- whether this constitutes a possible threat. In which case, the computer alerts the security guard whose own eyes may have been momentarily diverted. Or shut.</p>

<p>An alarm can be raised, for instance, if the computer discerns a vehicle that has been standing still for too long (say, a van in the drop-off lane of an airport terminal) or a person who is loitering while everyone else is in motion. By the same token, it will spot the individual who is moving rapidly while everyone else is shuffling along. It can spot a package that has been left behind and identify which figure in the crowd abandoned it. Or pinpoint the individual who is moving the wrong way down a one-way corridor.</p>

<p>Because one person's "abnormal situation" is another person's "hot dog vendor attracting a small crowd," the computers can be programmed to discern between times of the day and days of the week.</p></blockquote>

<p>Certainly interesting.</p>]]></content:encoded>
      <pubDate>Thu, 25 Sep 2008 02:32:08 +0000</pubDate>
      <category domain="http://securityratty.com/tag/person">person</category>
      <category domain="http://securityratty.com/tag/hot dog vendor">hot dog vendor</category>
      <category domain="http://securityratty.com/tag/security guards">security guards</category>
      <category domain="http://securityratty.com/tag/individual">individual</category>
      <category domain="http://securityratty.com/tag/unfailingly vigilant">unfailingly vigilant</category>
      <category domain="http://securityratty.com/tag/constantly analyze">constantly analyze</category>
      <category domain="http://securityratty.com/tag/security guard">security guard</category>
      <category domain="http://securityratty.com/tag/detect anomalies">detect anomalies</category>
      <category domain="http://securityratty.com/tag/television monitors">television monitors</category>
      <source url="http://www.schneier.com/blog/archives/2008/09/20m_cameras_at.html">$20M Cameras at New York's Freedom Tower are Pretty Sophisticated</source>
    </item>
    <item>
      <title><![CDATA[The Two Classes of Airport Contraband]]></title>
      <link>http://securityratty.com/article/9add41f24cfea6a99d21547a04d8fdaf</link>
      <guid>http://securityratty.com/article/9add41f24cfea6a99d21547a04d8fdaf</guid>
      <description><![CDATA[Airport security found a jar of pasta sauce in my luggage last month. It was a 6-ounce jar, above the limit; the official confiscated it, because allowing it on the airplane with me would have been...]]></description>
      <content:encoded><![CDATA[<p>Airport security found a jar of pasta sauce in my luggage last month. It was a 6-ounce jar, above the limit; the official confiscated it, because allowing it on the airplane with me would have been too dangerous. And to demonstrate how dangerous he really thought that jar was, he blithely tossed it in a nearby bin of similar liquid bottles and sent me on my way.</p>

<p>There are two classes of contraband at airport security checkpoints: the class that will get you in trouble if you try to bring it on an airplane, and the class that will cheerily be taken away from you if you try to bring it on an airplane. This difference is important: Making security screeners confiscate anything from that second class is a waste of time. All it does is harm innocents; it doesn't stop terrorists at all.</p>

<p>Let me explain. If you're caught at airport security with a bomb or a gun, the screeners aren't just going to take it away from you. They're going to call the police, and you're going to be stuck for a few hours answering a lot of awkward questions. You may be arrested, and you'll almost certainly miss your flight. At best, you're going to have a very unpleasant day.</p>

<p>This is why articles about how screeners don't catch <a href="http://www.cnn.com/2008/US/01/28/tsa.bombtest/index.html">every</a> -- or even <a href="http://www.homelandstupidity.us/2007/10/25/tsa-screeners-fail-most-bomb-tests/">a</a> <a href="http://www.homelandstupidity.us/2006/10/31/tsa-screeners-still-fail-to-find-guns-bombs/">majority</a> -- of guns and bombs that <a href="http://www.boston.com/news/local/articles/2003/10/16/logan_screeners_fail_weapons_tests/">go through the checkpoints</a> don't bother me. The screeners don't have to be perfect; they just have to be good enough. No terrorist is going to base his plot on getting a gun through airport security if there's a decent chance of getting caught, because the consequences of getting caught are too great.</p>

<p>Contrast that with a terrorist plot that requires a 12-ounce bottle of liquid. There's no evidence that the London liquid bombers actually had a workable plot, but assume for the moment they did. If some copycat terrorists try to bring their liquid bomb through airport security and the screeners catch them -- like they caught me with my bottle of pasta sauce -- the terrorists can simply try again. They can try again and again. They can keep trying until they succeed. Because there are no consequences to trying and failing, the screeners have to be 100 percent effective. Even if they slip up one in a hundred times, the plot can succeed.</p>

<p>The same is true for knitting needles, pocketknives, scissors, corkscrews, cigarette lighters and whatever else the airport screeners are confiscating this week. If there's no consequence to getting caught with it, then confiscating it only hurts innocent people. At best, it mildly annoys the terrorists.</p>

<p>To fix this, airport security has to make a choice. If something is dangerous, treat it as dangerous and treat anyone who tries to bring it on as potentially dangerous. If it's not dangerous, then stop trying to keep it off airplanes. Trying to have it both ways just distracts the screeners from actually making us safer.</p>]]></content:encoded>
      <pubDate>Tue, 23 Sep 2008 01:47:04 +0000</pubDate>
      <category domain="http://securityratty.com/tag/airport security checkpoints">airport security checkpoints</category>
      <category domain="http://securityratty.com/tag/checkpoints">checkpoints</category>
      <category domain="http://securityratty.com/tag/airport security">airport security</category>
      <category domain="http://securityratty.com/tag/screeners">screeners</category>
      <category domain="http://securityratty.com/tag/security screeners">security screeners</category>
      <category domain="http://securityratty.com/tag/liquid">liquid</category>
      <category domain="http://securityratty.com/tag/london liquid bombers">london liquid bombers</category>
      <category domain="http://securityratty.com/tag/airport screeners">airport screeners</category>
      <category domain="http://securityratty.com/tag/plot">plot</category>
      <source url="http://www.schneier.com/blog/archives/2008/09/the_two_classes.html">The Two Classes of Airport Contraband</source>
    </item>
    <item>
      <title><![CDATA['Checkpoint friendly' laptop bags explained]]></title>
      <link>http://securityratty.com/article/02f3d5ec09ba259f89cc98595e6ed1c5</link>
      <guid>http://securityratty.com/article/02f3d5ec09ba259f89cc98595e6ed1c5</guid>
      <description><![CDATA[Back in early August, the U.S. Transportation Security Administration (TSA) announced new rules covering &quot;checkpoint friendly&quot; laptop bags. The goal of these regulations is to increase the speed and...]]></description>
      <content:encoded><![CDATA[Back in early August, the U.S. Transportation Security Administration (TSA) announced new rules covering "checkpoint friendly" laptop bags. The goal of these regulations is to increase the speed and efficiency of airport security checkpoints by allowing passengers to keep their laptop computers in their bags during X-ray screening. However, there's quite a bit of confusion about what, exactly, constitutes a checkpoint-friendly bag and the specific rules for using one. Today's Mobile Mac gives you the lowdown.]]></content:encoded>
      <pubDate>Sun, 21 Sep 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/laptop bags">laptop bags</category>
      <category domain="http://securityratty.com/tag/bags">bags</category>
      <category domain="http://securityratty.com/tag/checkpoint friendly">checkpoint friendly</category>
      <category domain="http://securityratty.com/tag/specific rules">specific rules</category>
      <category domain="http://securityratty.com/tag/rules">rules</category>
      <category domain="http://securityratty.com/tag/airport security checkpoints">airport security checkpoints</category>
      <category domain="http://securityratty.com/tag/transportation security administration">transportation security administration</category>
      <category domain="http://securityratty.com/tag/laptop computers">laptop computers</category>
      <category domain="http://securityratty.com/tag/mobile mac">mobile mac</category>
      <source url="http://www.networkworld.com/news/2008/092208-checkpoint-friendly-laptop-bags.html?fsrc=rss-security">'Checkpoint friendly' laptop bags explained</source>
    </item>
    <item>
      <title><![CDATA[TSA Employees Bypassing Airport Screening]]></title>
      <link>http://securityratty.com/article/435eb222ac241cb24d5a29dc4c967df3</link>
      <guid>http://securityratty.com/article/435eb222ac241cb24d5a29dc4c967df3</guid>
      <description><![CDATA[Airport screeners are now able to bypass airport screening : The Transportation Security Administration (TSA) rolled out the new uniforms and new screening policy at airports nationwide on Sept. 11...]]></description>
      <content:encoded><![CDATA[<p>Airport screeners are now able to <a href="http://www.9news.com/news/article.aspx?storyid=99941&catid=339">bypass airport screening</a>:</p>

<blockquote>The Transportation Security Administration (TSA) rolled out the new uniforms and new screening policy at airports nationwide on Sept. 11. 

<p>The new policy says screeners can arrive for work and walk behind security lines without any of their belongings examined or X-rayed. </p>

<p>"Lunch or a bomb, you can walk right through with it," said Mike Boyd, an aviation consultant in Evergreen. "This is a major security issue."</p></blockquote>

<p>Actually, it's not.  Screeners have to go in and out of security all the time as they work.  Yes, they can smuggle things in and out of the airport.  But you have to remember that the airport screeners are trusted insiders for the system: there are a zillion ways they could break airport security.</p>

<p>On the other hand, it's probably a smart idea to screen screeners when they walk through airport security when they aren't working at that checkpoint at that time.  The reason is the same reason <a href="http://www.schneier.com/essay-130.html">you should screen everyone</a>, including pilots who can crash their plane: you're not screening screeners (or pilots), you're screening people wearing screener (or pilot) uniforms and carrying screener (or pilot) IDs.  You can either train your screeners to recognize authentic uniforms and IDs, or you can just screen everybody.  The latter is just easier.</p>

<p>But this isn't a big deal.</p>]]></content:encoded>
      <pubDate>Fri, 19 Sep 2008 04:01:03 +0000</pubDate>
      <category domain="http://securityratty.com/tag/airport">airport</category>
      <category domain="http://securityratty.com/tag/bypass airport">bypass airport</category>
      <category domain="http://securityratty.com/tag/airport security">airport security</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/transportation security administration">transportation security administration</category>
      <category domain="http://securityratty.com/tag/airport screeners">airport screeners</category>
      <category domain="http://securityratty.com/tag/security lines">security lines</category>
      <category domain="http://securityratty.com/tag/screeners">screeners</category>
      <category domain="http://securityratty.com/tag/major security issue">major security issue</category>
      <source url="http://www.schneier.com/blog/archives/2008/09/tsa_employees_b.html">TSA Employees Bypassing Airport Screening</source>
    </item>
    <item>
      <title><![CDATA[Security Matters: Airport Pasta-Sauce Interdiction Considered Harmful]]></title>
      <link>http://securityratty.com/article/9b6db0f25f815641ea3655ef3cb29af5</link>
      <guid>http://securityratty.com/article/9b6db0f25f815641ea3655ef3cb29af5</guid>
      <description><![CDATA[Airport security found a jar of pasta sauce in my luggage last month. It was a 6-ounce jar, above the limit; the official confiscated it, because allowing it on the airplane with me would have been...]]></description>
      <content:encoded><![CDATA[<p>
Airport security found a jar of pasta sauce in my luggage last month. It was a 6-ounce jar, above the limit; the official confiscated it, because allowing it on the airplane with me would have been too dangerous. And to demonstrate how dangerous he really thought that jar was, he blithely tossed it in a nearby bin of similar liquid bottles and sent me on my way.
</p><p>
There are two classes of contraband at airport security checkpoints: the class that will get you in trouble if you try to bring it on an airplane, and the class that will cheerily be taken away from you if you try to bring it on an airplane. This difference is important: Making security screeners confiscate anything from that second class is a waste of time. All it does is harm innocents; it doesn't stop terrorists at all.
</p><p>
Let me explain. If you're caught at airport security with a bomb or a gun, the screeners aren't just going to take it away from you. They're going to call the police, and you're going to be stuck for a few hours answering a lot of awkward questions. You may be arrested, and you'll almost certainly miss your flight. At best, you're going to have a very unpleasant day.
</p><p>
This is why articles about how screeners don't catch <a href="http://www.cnn.com/2008/US/01/28/tsa.bombtest/index.html">every</a> -- or even <a href="http://www.homelandstupidity.us/2007/10/25/tsa-screeners-fail-most-bomb-tests/">a</a> <a href="http://www.homelandstupidity.us/2006/10/31/tsa-screeners-still-fail-to-find-guns-bombs/">majority</a> -- of guns and bombs that <a href="http://www.boston.com/news/local/articles/2003/10/16/logan_screeners_fail_weapons_tests/">go through the checkpoints</a> don't bother me. The screeners don't have to be perfect; they just have to be good enough. No terrorist is going to base his plot on getting a gun through airport security if there's a decent chance of getting caught, because the consequences of getting caught are too great.
</p><p>
Contrast that with a terrorist plot that requires a 12-ounce bottle of liquid. There's no evidence that the London liquid bombers actually had a workable plot, but assume for the moment they did. If some copycat terrorists try to bring their liquid bomb through airport security and the screeners catch them -- like they caught me with my bottle of pasta sauce -- the terrorists can simply try again. They can try again and again. They can keep trying until they succeed. Because there are no consequences to trying and failing, the screeners have to be 100 percent effective. Even if they slip up one in a hundred times, the plot can succeed.
</p><p>
The same is true for knitting needles, pocketknives, scissors, corkscrews, cigarette lighters and whatever else the airport screeners are confiscating this week. If there's no consequence to getting caught with it, then confiscating it only hurts innocent people. At best, it mildly annoys the terrorists.
</p><p>
To fix this, airport security has to make a choice. If something is dangerous, treat it as dangerous and treat anyone who tries to bring it on as potentially dangerous. If it's not dangerous, then stop trying to keep it off airplanes. Trying to have it both ways just distracts the screeners from actually making us safer.
</p>
<p>
---
</p>
<p><cite>Bruce Schneier is chief security technology officer of BT. His new book is </cite>Schneier on Security<cite>.</cite></p>
]]></content:encoded>
      <pubDate>Thu, 18 Sep 2008 14:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security screeners">security screeners</category>
      <category domain="http://securityratty.com/tag/airport security checkpoints">airport security checkpoints</category>
      <category domain="http://securityratty.com/tag/checkpoints">checkpoints</category>
      <category domain="http://securityratty.com/tag/airport security">airport security</category>
      <category domain="http://securityratty.com/tag/screeners">screeners</category>
      <category domain="http://securityratty.com/tag/liquid">liquid</category>
      <category domain="http://securityratty.com/tag/london liquid bombers">london liquid bombers</category>
      <category domain="http://securityratty.com/tag/airport screeners">airport screeners</category>
      <source url="http://feeds.wired.com/~r/wired/politics/security/~3/396484061/securitymatters_0918">Security Matters: Airport Pasta-Sauce Interdiction Considered Harmful</source>
    </item>
    <item>
      <title><![CDATA[A Wild Tangent]]></title>
      <link>http://securityratty.com/article/1fb899c4ea43a76a35b277f5db58f34b</link>
      <guid>http://securityratty.com/article/1fb899c4ea43a76a35b277f5db58f34b</guid>
      <description><![CDATA[As I sit at Dulles Airport outside DC, waiting for yet another delayed flight, I feel compelled to write a post about traveling as part of the cost of doing business. This morning I had a flight...]]></description>
      <content:encoded><![CDATA[<p>As I sit at Dulles Airport outside DC, waiting for yet another delayed flight, I feel compelled to write a post about traveling as part of the cost of doing business.  This morning I had a flight scheduled that was supposed to leave at 6:45am.  During dinner last night I got an e-mail from United stating that the flight would instead be leaving at 7:30a.  As I arrived at the airport this morning I received another e-mail saying it would instead leave at 8:15a.  Since then the flight time has been announced as 7:45, 7:10 and now 7:16.  Is there anyone left out there that wonders why the airlines are always struggling?  Who really wants to put themselves through the <a href="http://www.usatoday.com/money/industries/travel/2008-05-29-fly-delays-hassles_N.htm" target="_blank">torture of travel</a>?  I look forward to the day that we all have a <a href="http://www.cisco.com/en/US/netsol/ns669/networking_solutions_solution_segment_home.html" target="_blank">Cisco Telepresence</a> type set-up at our offices and even &#8220;face-to-face&#8221; meetings can be virtual.</p>
<p>What&#8217;s really set me off this morning is the back and forth on the flight time.  I know that there are many things that can cause a flight delay, but to move the departure time, in both directions, four times within one hour, how is that possible?  I can only imagine the reaction of ScienceLogic customers if we announced the release date for the next version of the product and then proceeded to change it four times that week.  There really isn&#8217;t another business in the world, other than the airlines, that could get away with this.</p>
<p>Assuming I eventually get to <a href="http://www.interop.com/" target="_blank">Interop NY</a>, I will be on the look out for vendors that are working on ways to send me to my next meeting over Gigabit Ethernet!</p>
]]></content:encoded>
      <pubDate>Wed, 17 Sep 2008 16:39:56 +0000</pubDate>
      <category domain="http://securityratty.com/tag/flight">flight</category>
      <category domain="http://securityratty.com/tag/flight time">flight time</category>
      <category domain="http://securityratty.com/tag/flight delay">flight delay</category>
      <category domain="http://securityratty.com/tag/dulles airport">dulles airport</category>
      <category domain="http://securityratty.com/tag/airport">airport</category>
      <category domain="http://securityratty.com/tag/sciencelogic customers">sciencelogic customers</category>
      <category domain="http://securityratty.com/tag/business">business</category>
      <category domain="http://securityratty.com/tag/departure time">departure time</category>
      <category domain="http://securityratty.com/tag/e-mail">e-mail</category>
      <source url="http://blog.sciencelogic.com/a-wild-tangent/09/2008">A Wild Tangent</source>
    </item>
    <item>
      <title><![CDATA[8 laptop bags that will speed you through airport security]]></title>
      <link>http://securityratty.com/article/d10bc44dbe55eead70e728dade66082c</link>
      <guid>http://securityratty.com/article/d10bc44dbe55eead70e728dade66082c</guid>
      <description><![CDATA[While no one questions the need to properly scan laptops when going through airport security, the requirement to remove them from their protective cases is a different story. &quot;Naked&quot; notebooks can...]]></description>
      <content:encoded><![CDATA[While no one questions the need to properly scan laptops when going through airport security, the requirement to remove them from their protective cases is a different story. "Naked" notebooks can easily get dropped, damaged, forgotten and even stolen outright. One study done for Dell estimated that about 12,000 laptops are lost in U.S. airports every week -- a claim that has been challenged by the Transportation Security Administration (TSA). Whatever the numbers are, you don't want your machine, with all its precious data, to become a statistic.]]></content:encoded>
      <pubDate>Sat, 13 Sep 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/airport security">airport security</category>
      <category domain="http://securityratty.com/tag/properly scan laptops">properly scan laptops</category>
      <category domain="http://securityratty.com/tag/laptops">laptops</category>
      <category domain="http://securityratty.com/tag/transportation security administration">transportation security administration</category>
      <category domain="http://securityratty.com/tag/precious data">precious data</category>
      <category domain="http://securityratty.com/tag/remove">remove</category>
      <category domain="http://securityratty.com/tag/tsa">tsa</category>
      <category domain="http://securityratty.com/tag/story">story</category>
      <category domain="http://securityratty.com/tag/dell">dell</category>
      <source url="http://www.networkworld.com/news/2008/091208-8-laptop-bags-that-will.html?fsrc=rss-security">8 laptop bags that will speed you through airport security</source>
    </item>
    <item>
      <title><![CDATA[It Was Sposed to Be So Eaaasy]]></title>
      <link>http://securityratty.com/article/5714e6ea5723d4a1d18b692711ca3452</link>
      <guid>http://securityratty.com/article/5714e6ea5723d4a1d18b692711ca3452</guid>
      <description><![CDATA[Earlier this year, I gave a talk on Breaking Web Services with Brian Chess at RSA. We pointed out that adding security into Web services is an exercise left to the implementer, the standards...]]></description>
      <content:encoded><![CDATA[<p>Earlier this year, I gave a <a href="http://1raindrop.typepad.com/1_raindrop/2008/04/rsa-debrief-p-1.html">talk</a> on Breaking Web Services with Brian Chess at RSA. We pointed out that adding security into Web services is an exercise left to the implementer; the standards bodies and vendors give you some primitives, but it is still up to you to figure out how all of the items on the <a href="http://arctecgroup.net/pdf/WebServicesSecurityChecklist.pdf">Web services security checklist</a>&#160;should work together in a cohesive system. Needless to say, there are many ways to shoot yourself in the foot.</p><br /><div>So during our talk, someone from Oracle stands up and says, &quot;hey, you guys are making this stuff sound hard. It&#39;s not hard, we support WS-Security...&quot; etc. Again, the whole point of our presentation was *not* that there are not very interesting general purpose security capabilities in Web services; our point was that you need to figure out the architecture yourself, and then bend the tools to your will. Oh, and deliver on time.</div><br /><div>So imagine my surprise when I read this article, <a href="http://www.ddj.com/database/209400693">&quot;Digitally Signing and Verifying Messages in Web Services&quot;&#160;</a>which talks about using Oracle&#39;s WSM tools to sign Web service messages and verify signatures in Web service messages, but only addresses integrity - absolutely nowt on authenticity! Integrity is important, but there are lots of times when it is not enough. Many times your service needs to be concerned with replay attacks, authentication policies and so on. To deal with those things, we would typically add policies and capabilities for timestamps, nonces and other primitives into the signature block, but the article is silent on those things. 
(Read Mark O&#39;Neill&#39;s <a href="http://xmlnetworking.blogspot.com/2008/08/digitally-signing-and-verifying.html">post</a> on this as well)</div><br /><div>It&#39;s not about _can_ the standards do something or other, I mean given the right resources the standards can put a monkey on the moon, it&#39;s about what use cases have they engineered in and what is supported in the tools today. I firmly believe SAML has such great adoption across the industry because they have a use case centric view and so gave the vendors something to engineer and optimize for. I think we&#39;ll still get there in WS-Security and other areas as well, but the use cases are not built into the spec (as with SAML) and so it&#39;s taking longer.</div><br /><div>One of our points in the talk was - we want you vendors to do your job better and instead of shipping a box of Legos, ship a Lego gas station, a Lego airport, and so on. Connect some dots for your customers.&#160;</div><br /><div>What I see in <a href="http://arctecgroup.net/training.htm">training</a> on this topic is sort of the following - 1) Do I need Web service security? 2) Oh ok, well can I get by with SSL? 3) Oh wait that doesn&#39;t actually protect my assets, can I just use WS-Security? 4) Oh wait, WS-Security isn&#39;t just a checkbox for security, I need to figure out timestamps, nonces, signatures, encryption policies and so on.&#160;And finally 5) How do I accomplish this?</div><br /><div>Once we get to step 5 then the real work can begin. It&#39;s not easy to get a lot of developers through all of this, and again this is before the real work begins. 
Even once the lead developers and architects figure this out, there is still the little matter of transitioning it to the rest of the team.</div><br /><div>I remember I was working with an enterprise architect several years ago, and he bought a Web service XML gateway like <a href="http://www.vordel.com/">Vordel</a> to add WS-Security support into his Web services apps, but he didn&#39;t even buy it as a runtime tool, he bought it as a Security API; the runtime enforcement in his opinion was a bonus! He said in effect, well I know I need to do this, but I can&#39;t expose all these security primitives directly to my developers.</div><br /><div>So yeah, I wish it was easier, but in my experience it&#39;s not right now. It&#39;s not about raw capabilities, it&#39;s about use case realization. I think learning from what has worked well is the way to go. SAML&#39;s use case centric approach is one that has.</div><br />]]></content:encoded>
      <pubDate>Wed, 10 Sep 2008 03:12:42 +0000</pubDate>
      <category domain="http://securityratty.com/tag/ws-security">ws-security</category>
      <category domain="http://securityratty.com/tag/support ws-security">support ws-security</category>
      <category domain="http://securityratty.com/tag/web service security">web service security</category>
      <category domain="http://securityratty.com/tag/service">service</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/primitives">primitives</category>
      <category domain="http://securityratty.com/tag/security primitives directly">security primitives directly</category>
      <category domain="http://securityratty.com/tag/ws-security support">ws-security support</category>
      <category domain="http://securityratty.com/tag/security api">security api</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/09/it-was-sposed-to-be-so-eaaasy.html">It Was Sposed to Be So Eaaasy</source>
    </item>
  </channel>
</rss>
