Tuesday, September 11, 2012

What the TSA doesn't do (anymore)

A few years ago, in a great article about the foibles of the TSA, Bruce Schneier said that there were exactly two things since September 11 which made travel safer:
“Counterterrorism in the airport is a show designed to make people feel better,” he said. “Only two things have made flying safer: the reinforcement of cockpit doors, and the fact that passengers know now to resist hijackers.” This assumes, of course, that al-Qaeda will target airplanes for hijacking, or target aviation at all. “We defend against what the terrorists did last week,” Schneier said. He believes that the country would be just as safe as it is today if airport security were rolled back to pre-9/11 levels. “Spend the rest of your money on intelligence, investigations, and emergency response.”
Very true. In the article, Schneier goes on to print fake boarding passes that he uses to gain access to the airport, circumventing millions of dollars' worth of security with Photoshop and a $50 printer. He talks about how a potential terrorist would take advantage of the system:
[T]he terrorist uses a stolen credit card to buy a ticket under a fake name. “Then you print a fake boarding pass with your real name on it and go to the airport. You give your real ID, and the fake boarding pass with your real name on it, to security. They’re checking the documents against each other. They’re not checking your name against the no-fly list—that was done on the airline’s computers. Once you’re through security, you rip up the fake boarding pass, and use the real boarding pass that has the name from the stolen credit card. Then you board the plane, because they’re not checking your name against your ID at boarding.”
Well, that could be clarified as "they're not checking your name against ID at boarding anymore." For a couple of years after September 11, there was actually decent security in what Schneier calls the "security triangle." You purchased your ticket and the government checked your name against terrorist databases. You then printed out your boarding pass at a kiosk at the airport—or obtained it from an agent, who checked your ID. In either case, spoofing the paper stock and font of the pass is not something simple to do at home. Finally, your ID was checked both at the security checkpoint and at the gate when you boarded, so you couldn't use a fake boarding pass (and real name) to get through security and then discard it for the real pass at the gate. Circumventable? Probably. But difficult.

Within a year, two provisions of this, the proprietary printing and the gate searches, were dropped. Airlines encouraged at-home printing (it saves them money on ink and paper) and gate searches were quietly discontinued (which sped plane boarding). And a huge loophole was opened for anyone who could reasonably use Photoshop to spoof a name. A few airports are now installing systems which read your phone or ticket's QR code or bar code and display the actual name, which again is very hard to spoof. But for nine or ten years, we've had no real security going through the airports, despite the TSA's scribbling and the best radiation money can buy. And I can't imagine these systems, which have a bar code reader and display, actually cost $100,000 each. Maybe that includes the initial cost of building the back end. But give the TSA some iPhones and some coders a few grand and you'd probably have a handheld system in hours. (I'm a big-government liberal, and this pisses me off to no end!)

I would surmise, however, that the hundreds of millions we've spent on MMW and backscatter radiation would be better spent on intelligence, as Schneier contends, and that we could check everyone's ticketed name against their ID for a small fraction of that sum. But try telling that to the Blue Shirts.
