Thursday, September 27, 2012

The water bottle which could have blown up Logan

It's amazing what a walk-through metal detector can do. It can take a potentially lethal bottle filled with an unknown liquid and turn it in to water. Today, departing in Boston, I forgot to empty one of my water bottles. My bag was flagged, and the TSA "officer" found the offending item. My options were to relinquish the bottle to the TSA (which I didn't want to do) or to go out of security, pour out the water, and be rescreened.
This could have blown up
a security checkpoint.

Could I pour it in the waste basket an arm's length away? No. Why not? Because the bottle might contain an explosive liquid (even though it sure looked like water). 

Could I drink it? No. I joked that "then I might blow up" and the TSO agreed a little too seriously.

So, I took option number 3: I marched through the metal detector (Luckily, Terminal A at Boston rarely has their AIT scanners in use). Once we were through this magical force field, I wondered what the TSO, her gloved hand still holding this potentially lethal water bottle, might do. Obviously, on the airplane side of security, it could have burst in to flames. But having passed through this magical, magnetic force field, the possibly deadly liquid morphed in to a much more benign substance.

"Here ya go" she said, and handed me the bottle.

I was perplexed. Not 30 seconds before, this bottle had been so potentially dangerous that I could not touch it, and it could not be opened, lest it burst in to flames. Yet, 50 feet away, it was readily handed to me to pour in to a receptacle very similar to the one on the other side of security. And we hadn't even walked through an advanced imaging machine, but a simple metal detector.

This is your TSA at work.

Yes. I screwed up. I brought—gosh!—hydrogen dioxide through the scary security curtain. But, obviously, it was harmless; I was allowed to deposit it in to a trash can in between two crowded security lines, where it could have exploded and injured dozens. So what is it about the trash can on the in-security side of the airport that is so different (other than having fewer people congregating around it)? Why couldn't the TSA take the bottle and do me the favor of disposing of it? And who, in their right mind, wrote these kinds of regulations and thought that it made any sense?

Tuesday, September 11, 2012

What the TSA doesn't do (anymore)

A few years ago, in a great article about the foibles of the TSA, Bruce Schneier said that there were exactly two things since September 11 which made travel safer:
“Counter­terrorism in the airport is a show designed to make people feel better,” he said. “Only two things have made flying safer: the reinforcement of cockpit doors, and the fact that passengers know now to resist hijackers.” This assumes, of course, that al-Qaeda will target airplanes for hijacking, or target aviation at all. “We defend against what the terrorists did last week,” Schnei­er said. He believes that the country would be just as safe as it is today if airport security were rolled back to pre-9/11 levels. “Spend the rest of your money on intelligence, investigations, and emergency response.”
Very true. In the article, Schneier goes on to print fake boarding passes that he uses to gain access to the airport, circumventing millions of dollars worth of security with Photoshop and a $50 printer. He talks about how a potential terrorist would take advantage of the system:
[T]he terrorist uses a stolen credit card to buy a ticket under a fake name. “Then you print a fake boarding pass with your real name on it and go to the airport. You give your real ID, and the fake boarding pass with your real name on it, to security. They’re checking the documents against each other. They’re not checking your name against the no-fly list—that was done on the airline’s computers. Once you’re through security, you rip up the fake boarding pass, and use the real boarding pass that has the name from the stolen credit card. Then you board the plane, because they’re not checking your name against your ID at boarding.”
Well, that could be clarified as "they're not checking your name against ID at boarding anymore." For a couple of years after September 11, there was actually decent security in what Schneier calls the "security triangle." You purchased your ticket and the government checked your name against terrorist databases. You then printed out your boarding pass at a kiosk at the airport—or obtained it from an agent, who checked your ID. In either case, spoofing the paper stock and font of the pass is not something simple to do at home. Finally, your ID was checked both at the security checkpoint and at the gate when you boarded, so you couldn't use a fake boarding pass (and real name) to get through security and then discard it for the real pass at the gate. Circumventable? Probably. But difficult.

Within a year, two provisions of this, the proprietary printing and the gate searches, were dropped. Airlines encouraged at-home printing (it saves them money on ink and paper) and gate searches were quietly discontinued (which sped plane boarding). And a huge loophole was opened for anyone who could reasonably use Photoshop to spoof a name. A few airports are now installing systems which read your phone or ticket's QR code or bar code and display the actual name, which again is very hard to spoof. But for nine or ten years, we've had no real security going through the airports, despite the TSA's scribbling and the best radiation money can buy. And I can't imagine these systems, which have bar code reader and display, actually cost $100,000 each. Maybe that includes the initial cost of the building the back end. But give the TSA some iPhones and some coders a few grand and you'd probably have a handheld system in hours. (I'm a big-government liberal, and this pisses me off to no end!)

I would surmise, however, that spending the hundreds of millions we've spent on MMW and Backscatter radiation would be better spent on intelligence, as Schneier contends, and that we could check everyone's ticketed name against their ID for a small fraction of that sum. But try telling that to the Blue Shirts.