NYT on the TSA, our Naked Security Emperor

The Times piece is called Theater of the Absurd at the T.S.A., so you can imagine the content. We’re sure some at DHS and TSA will whine about the piece, but it’s hard to fault its conclusions. We’re doing the wrong things for airport security, and for poor reasons, and nobody in power seems to have the balls to admit it even though everyone outside the system seems to know that it’s all bullshit.

The root problem, as some experts see it, is the T.S.A.’s reliance on IDs that are so easily obtained under false pretenses. “It would be wonderful if Osama bin Laden carried a photo ID that listed his occupation of ‘Evildoer,’” permitting the authorities to pluck him from a line, [Security expert] Mr. Schneier said. “The problem is, we try to pretend that identity maps to intentionality. But it doesn’t.”

What’s worse, the TSA is actively hostile to attempts at improvement:

Ostensibly interested in what security specialists and legal authorities on privacy issues thought of its Secure Flight plans, the agency convened an advisory group in January 2005. (Mr. Schneier was a member.) Nine months later, when the advisers turned in their final report, it showed that the T.S.A.’s planners had given little or no thought to basic security issues, such as the problem of stolen identities.

Expressing frustration, the T.S.A.’s advisers said in their report that the T.S.A. had been so tight-lipped when talking to them that they never received the information they needed to make a single substantive recommendation.

Professor Blaze [CS at the University of Pennsylvania] has a great deal of experience publicly discussing the most sensitive of security vulnerabilities. He acknowledged that disclosure of a security weakness prompts “a natural and human response: ‘Why should we help the bad guys?’” The answer, he said, is that the bad guys aren’t helped — because they almost certainly already know a system’s weak points — and that disclosing the weaknesses brings pressure on government agencies and their suppliers to improve security for the good guys.

Emph. added. This isn’t news; anyone worth a damn in cryptography knows that knowledge of an encryption algorithm shouldn’t give you an advantage in trying to crack it — or, at least, it won’t if the algorithm is sound. Secret encryption methods are assumed to be insecure.

The article concludes:

The issues raised by the discovery of security vulnerabilities are not new. A. C. Hobbs, a locksmith who in 1853 wrote the book on locks and safes (the title: “Locks and Safes”) knew that “many well-meaning persons” assume that public exposure of a lock’s insecure design will end up helping criminals.

His response to this concern is no less apt today than it was then:

“Rogues are very keen in their profession, and know already much more than we can teach them.”

It’s not any different now, but apparently the TSA thinks it is. It’s horrifying how wrong they are.
