Airports: Neither Secure Nor Convenient

Reading time ~5 minutes

When discussing computer security with people, something I often bring up is this very simple equation:

What this means is that "secure" things tend not be convenient to use. For example, a powered down computer in a metal box secured by locks, and put in a safe protected by armed guards 24x7 might be relatively safe from theft, but it's not very usable, is it?

Conversely, convenient things aren't secure. For example, not having a lock on your house might make it easier for you to come and go as you please, but it sure makes it easy for would-be thieves to get into your house and take whatever they'd like.

Something else to note about this equation. Assuming security and convenience are expressed in terms of real numbers greater than or equal to zero, As convenience decreases towards zero, security increases towards infinity. If security is zero, conveniences doesn't matter (because both inconvenient and convenient things can be insecure). However, if convenience hits zero, then security is undefined. You can't divide by zero. You also can't make something absolutely secure :)

Another thing that comes up in security--computer or otherwise--cost. What is it we are trying to secure? What does it cost to reduce that risk? What is the likelihood that a "loss" will occur and how much will that lost cost? It seems silly, for instance, to spend $100 to secure a $10 item, unless that $10 item has $1,000 (or more) worth of data on it :)

Anyway, this article is not about computer security. It's really about airport security, or rather insecurity. This topic entered my consciousness again when I found out about the idiot who tried to explode something on an international flight landing in Detroit on Christmas Day. My immediate response was "oh crap, they're going to make it more painful to travel again."

And yes, they are. While the TSA hasn't said anything officially yet, there are a number of reports from many sources, including the New York Times, that suggests measures similar to the following will be taking place on all flights inbound to the US:

  • Passengers will have to remain in their seats one hour before landing with no access to anything they may have brought on board or have access to on the airplane (e.g. inflight magazine, pillows, blankets, etc).
  • Passengers will not be told when they will land or be given any clue where they are.
  • Passengers will be subject to extra screening at the boarding gate.
  • Only one carryon item will be permitted to be brought onboard per passenger.

I question how many of these security measures will actually be effective at either deterring or preventing a real security event, which for the purposes of this discussion are a loss of life by one or more passengers caused by the actions of one or more passengers on the plane (e.g. because of a terrorist-type event).

Let's look at what the folks from the TSA have done since September 11, 2001 in order to "improve security" at our nation's airports (notwithstanding the "new rules" being implemented since Friday):

  • Liquid Restrictions: Considering the 3.2oz/100ml or less bottles of liquids in a quart-size plastic bag are subjected to a simple Xray scan and not anything more, one could easily slip in a relatively dangerous liquid past security. Several passengers could, in concert, do this together.
  • Shoes Off: We can thank¬†Richard Reid, the infamous Shoe Bomber¬†for this stupid rule. Again, all they are doing is Xraying the shoes. I'm sure the bad guys can find ways to hide explosives in shoes without getting caught by the Xray.
  • Laptops Out: Don't understand the rationale behind this one at all. I suppose it's to get a better look at everything. I would be more concerned about smaller devices.
  • Need Photo ID: How easy is it to fake an ID or a passport?
  • The¬†No Fly List: How easy is it to fake an ID or a passport and use a name that isn't on the list? Seems like all it does is inconveniences people with names similar to suspected terrorists.
  • Barking The Rules: I've heard a number of personal accounts of TSA agents yelling at everyone in line about what the rules are going through the security line. I've also experienced this myself. They don't exactly do this in a friendly, courteous way.
  • More Secure Cockpit Doors: This is, perhaps, one of the few "good" things that came from the last round of major changes to airport security. This probably did not cost that much in the grand scheme of things and has a measurable impact on the safety of the people of the pilots. It's debatable how much this does for the passengers safety, of course.

This is all, as Bruce Schneier calls it, Security Theater. Stuff that's designed to make us "feel" more secure without actually making us more secure. These measures made traveling inconvenient. The new ones they are implementing are going to make it that much worse. I can think of many ways around all these "restrictions" without a lot of thought. I'm sure a real bad guy could come up with even more, especially given lots of time and motivation!

Having been through Israeli airport security twice in the past 6 months, I can tell you that "better" security (or at least better security theater) is both time-consuming and costly, both in terms of machines and people-power. Persons and belongings are throughly screened before getting anywhere near an airplane, and you don't have to take off your shoes in the process. The TSA screening that comes after my Tel Aviv flight but before my connecting flight home is almost insulting in comparison.

So now what? How do we make our flights more secure, yet not so inconvenient that people don't want to fly?While we can argue about different screening procedures ad-infinitum, the best defense is an aware, active traveling public. As long as passengers remain watchful of suspicious activity and act accordingly, situations that do break out on planes can easily be neutralized before they become serious threats. It certainly happened with this most recent threat.

An Updated Word About Competition in the Information Security Industry

A year ago, I had written a post about competition in the informationsecurity space, of which I work as a part of for a vendor that has b...… Continue reading