[Infowarrior] - Theater of the Absurd at the T.S.A.

Richard Forno rforno at infowarrior.org
Sun Dec 17 11:58:38 EST 2006


December 17, 2006
Digital Domain
Theater of the Absurd at the T.S.A.
By RANDALL STROSS
http://www.nytimes.com/2006/12/17/business/yourmoney/17digi.html?_r=2&oref=slogin&pagewanted=print

FOR theater on a grand scale, you can't do better than the
audience-participation dramas performed at airports, under the direction of
the Transportation Security Administration.

As passengers, we tender our boarding passes and IDs when asked. We stand in
lines. We empty pockets. We take off shoes. We do whatever is asked of us in
these mass rites of purification. We play our assigned parts, comforted in
the belief that only those whose motives are good and true will be permitted
to pass through.

Of course, we never see the actual heart of the security system: the
government's computerized no-fly list, to which our names are compared when
we check in for departure. The T.S.A. is much more talented, however, in the
theater arts than in the design of secure systems. This becomes all too
clear when we see that the agency's security procedures are unable to
withstand the playful testing of a bored computer-science student.

In late October, Christopher Soghoian, a Ph.D. student in the School of
Informatics at Indiana University, found his attention wandering during a
lecture in his Cryptographic Protocols class. While sitting in class, he
created a Web site he called "Chris's Northwest Airlines Boarding Pass
Generator."

A visitor to the site could plug in any name, and Mr. Soghoian's software
would create a page suitable for printing with a facsimile of a boarding
pass, identical in appearance to one a passenger who had bought a Northwest
Airlines ticket would generate when using the airline's at-home check-in
option.

The fake pass could not be used to actually board a plane — boarding passes
are checked at the gate against the roster of ticket buyers in the airline's
database — but it could come in handy for several other purposes, Mr.
Soghoian suggested, such as passing through airport security so you could
meet your elderly grandparents at the gate.

Or, as he told his site's visitors, it could "demonstrate that the T.S.A.
Boarding Pass/ID check is useless." It worked well, indeed.

No cryptographic recipe was cracked; no airline computer system was
compromised. Without visiting an airport, Mr. Soghoian needed access to
nothing other than a public Web site to embarrass those responsible for
airport security.
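The design gap the column describes is that the checkpoint compares the name printed on the pass with the name on an ID, but never checks that the pass was issued by the airline; only the gate consults the airline's roster. The sketch below is an added illustration, not code from the column or from Mr. Soghoian's site: it puts the name-matching checkpoint, the gate's roster check, and a checkpoint that verifies an issuer MAC on the pass side by side. The airline key, the flight number, the passenger names, the roster and the pass format are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed for this example: a secret the issuing airline holds. A checkpoint
# that verifies passes would need this key (or a public key for a signature
# scheme); the forger, by assumption, does not have it.
ISSUER_KEY = b"hypothetical-airline-issuing-key"

# Constructed sample roster: (flight, name) pairs with a paid reservation.
ROSTER = {("NW1234", "SMITH/JOHN")}


def _payload(flight, name):
    """Canonical bytes that the MAC covers: flight and name, in a fixed order."""
    return json.dumps({"flight": flight, "name": name}, sort_keys=True).encode()


def issue_pass(flight, name, key=ISSUER_KEY):
    """What an airline would print if the pass carried an authenticator."""
    mac = hmac.new(key, _payload(flight, name), hashlib.sha256).hexdigest()
    return {"flight": flight, "name": name, "mac": mac}


def forge_pass(flight, name):
    """A generator-style pass: any name, plausible layout, no key.
    The mac field is filler because the forger cannot compute the real one."""
    return {"flight": flight, "name": name, "mac": "0" * 64}


def theater_checkpoint(bp, id_name):
    """The check the column describes: does the name on the pass match the ID?
    Nothing about the pass itself is verified, so a forgery with the holder's
    own name is accepted."""
    return bp["name"] == id_name


def gate_check(bp, roster=ROSTER):
    """The gate compares the pass against the reservation roster; this is
    where the column says a forged pass is caught."""
    return (bp["flight"], bp["name"]) in roster


def verifying_checkpoint(bp, id_name, key=ISSUER_KEY):
    """A checkpoint that checks the pass was issued, then that it matches the ID.
    Constant-time comparison avoids leaking how many MAC bytes matched."""
    expected = hmac.new(key, _payload(bp["flight"], bp["name"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, bp["mac"]) and bp["name"] == id_name


if __name__ == "__main__":
    fake = forge_pass("NW1234", "DOE/JANE")
    real = issue_pass("NW1234", "SMITH/JOHN")
    print("forged pass, name-match checkpoint:", theater_checkpoint(fake, "DOE/JANE"))
    print("forged pass, gate roster check:    ", gate_check(fake))
    print("forged pass, verifying checkpoint: ", verifying_checkpoint(fake, "DOE/JANE"))
    print("issued pass, verifying checkpoint: ", verifying_checkpoint(real, "SMITH/JOHN"))
```

Two caveats a practitioner would add. An authenticator on the pass stops the generator trick but not a photocopy of a legitimately issued pass, and it does nothing about the deeper objection Mr. Schneier raises below: even a genuine pass only proves that a ticket was bought under a name, not what the holder intends.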

To thank Mr. Soghoian for helping the government identify security
weaknesses, the T.S.A. sent him a letter warning of possible felony criminal
charges and fines, and ordered him to cease operations, which he promptly
did. It was too late, however, to spare his apartment from an F.B.I. raid.

Richard L. Adams, the T.S.A.'s acting federal security director, said Mr.
Soghoian's generator "could pose a threat to aviation security."

But Bruce Schneier, chief technology officer at BT Counterpane, a security
consulting firm in Mountain View, Calif., emphatically disagreed. Anybody
with Photoshop could create a fake boarding pass, he said. Mr. Soghoian's
Web site simply eliminated the need to use Photoshop. The T.S.A.'s
profession of outrage is nothing but "security theater," Mr. Schneier said,
using the phrase he coined in 2003 to describe some of the agency's
procedures.

Mr. Schneier is not alone in his view that the T.S.A. vilifies people who
point out its flaws. Matthew Blaze, an associate professor of computer
science at the University of Pennsylvania, did not regard Mr. Soghoian's
generator as a dangerous breach of national security, either. "If a grad
student can figure it out," he said, "we can assume agents of Al Qaeda can
do the same."

The root problem, as some experts see it, is the T.S.A.'s reliance on IDs
that are so easily obtained under false pretenses. "It would be wonderful if
Osama bin Laden carried a photo ID that listed his occupation of 'Evildoer,'"
permitting the authorities to pluck him from a line, Mr. Schneier said.
"The problem is, we try to pretend that identity maps to intentionality. But
it doesn't."

Woe to him or her who happens to have a name identical to someone else
deemed a possible menace to society and who finds, upon check-in, that the
no-fly list places one's own name by Mr. bin Laden's. When a terror
suspect's alias using the Kennedy name appeared on the list, gate agents
blocked Senator Edward M. Kennedy of Massachusetts from boarding in
Washington. And Boston. And Palm Beach, Fla. And New York. Each time,
supervisors interceded on his behalf, but only because of his status as an
elected official.

T.S.A. officials have said they think that the effectiveness of the no-fly
list, as well as a "selectee" list — which permits flying but brings an
extra round of physical screening — will improve if the task of comparing
names against the lists is taken out of the airlines' hands and given to the
agency. The name of this initiative is "Secure Flight."

Ostensibly interested in what security specialists and legal authorities on
privacy issues thought of its Secure Flight plans, the agency convened an
advisory group in January 2005. (Mr. Schneier was a member.) Nine months
later, when the advisers turned in their final report, it showed that the
T.S.A.'s planners had given little or no thought to basic security issues,
such as the problem of stolen identities.

Expressing frustration, the T.S.A.'s advisers said in their report that the
T.S.A. had been so tight-lipped when talking to them that they never
received the information they needed to make a single substantive
recommendation.

Professor Blaze has a great deal of experience publicly discussing the most
sensitive of security vulnerabilities. He acknowledged that disclosure of a
security weakness prompts "a natural and human response: 'Why should we help
the bad guys?'" The answer, he said, is that the bad guys aren't helped —
because they almost certainly already know a system's weak points — and that
disclosing the weaknesses brings pressure on government agencies and their
suppliers to improve security for the good guys.

Last year, when Professor Blaze and his graduate students discovered a host
of techniques for thwarting or deceiving government wiretapping systems, he
said his group initially felt a spasm of hesitation about publishing
academic papers about their findings. But they quickly returned to first
principles — criminals had undoubtedly discovered the techniques; scientific
inquiry requires openness — and prepared to publish their results.

Before proceeding, they called in the F.B.I. to explain and braced for an
attempt to suppress their work. "To their credit," Professor Blaze said,
"they understood and did nothing to try to stop it."

The T.S.A. shows no signs of similar enlightenment. The agency's
investigation of Mr. Soghoian¹s short-lived boarding-pass experiment was
continuing, a spokesman, Christopher White, said last week.

WHEN I asked Mr. Schneier of BT Counterpane what he would do if he were
appointed leader of the T.S.A., he said he would return to the basic
procedures for passenger screening used before the 2001 terrorist attacks,
which was designed to do nothing more ambitious than "catch the sloppy and
the stupid."

He said he would also ensure that passengers' bags fly only if the passenger
does, improve emergency response capabilities and do away entirely with ID
checks and secret databases and no-fly and selectee lists. He added that he
would shift funds into basic investigation and intelligence work, which he
believes produces results like the arrests of the London bomb suspects. "Put
smart, trained officers in plainclothes, wandering in airports — that is by
far the best thing the T.S.A. could do," he said.

The issues raised by the discovery of security vulnerabilities are not new.
A. C. Hobbs, a locksmith who in 1853 wrote the book on locks and safes (the
title: "Locks and Safes") knew that "many well-meaning persons" assume that
public exposure of a lock's insecure design will end up helping criminals.

His response to this concern is no less apt today than it was then:

"Rogues are very keen in their profession, and know already much more than
we can teach them."

Randall Stross is an author based in Silicon Valley and a professor of
business at San Jose State University. E-mail: digitaldomain at nytimes.com.
