Wait, so it's containers now?

|
From Steve Bellovin over in IP:
Today's Wall Street Journal has an article on the liquid carry-on rules promulgated by TSA. Much of it is familiar to readers of this list, including the screeners who don't really understand the rules. One thing that I haven't seen mentioned much before is that they're really concerned about containers, not just liquids:
To travelers, some of the regulations are bewildering. You can buy a filled water bottle at an airport shop inside security, for example, but you can't carry your own empty water bottle through security and fill it at a water fountain inside security. Mr. Hawley says there's a classified security reason for that related to the characteristics of liquid explosives. In addition, X-ray machines can detect containers, just not what's inside. So getting all containers out of carry-on bags speeds up security screening.

"As stupid as we may look, we didn't miss that one," Mr. Hawley said.

...

Mr. Hawley said there is method in the madness of requiring everything to be in a bag and strictly limiting the size of containers, not the volume of liquid or gel. Containers larger than three ounces could pose a threat -- a place to mix enough liquid explosives to create a bomb. "It's not the ounces. It's the container we're after," he said.

I don't even know where to start here.

  1. They do let you carry on empty bottles of liquid onto the plane. I've flown twice with an empy Nalgene bottle.
  2. Any water bottle you can buy inside security will be >3 oz. so I don't see how this really restricts containers. Heck, in the duty free shop you can buy a glass wine bottle, suitable for all sorts of chemical reactions. And get this, after you get on the plan, airline employees come through the aisles to hand you 12 ounce aluminum containers!
  3. You're still allowed to carry all sorts of things which could be used as containers in a pinch. For instance, my messenger bag is vinyl-lined and waterproof.

Wouldn't it be nice if the TSA actually did some real threat modelling rather than just making up stuff on the spot?