January 31, 2008

The TSA blog

In what is probably not the most astute PR move ever, the TSA has decided to start a blog. It's sort of weirdly earnest and self-justifying. For example:

There is no time to talk, to listen, to engage with each other. There isn't much opportunity for our Security Officers to explain the 'why,' of what we ask you to do at the checkpoint, just the 'what' needs to be done to clear security. The result is that the feedback and venting ends up circulating among passengers with no real opportunity for us to learn from you or vice versa. We get feedback verbally and non-verbally at the checkpoint and see a lot in the blogs, again without a real dialogue.

Our ambition is to provide here a forum for a lively, open discussion of TSA issues. While I and senior leadership of TSA will participate in the discussion, we are turning the keyboard over to several hosts who represent what's best about TSA (its people). Our hosts aren't responsible for TSA's policies, nor will they have to defend them -- their job is to engage with you straight-up and take it from there. Our hosts will have access to senior leadership but will have very few editorial constraints. Our postings from the public will be reviewed to remove the destructive but not touch the critical or cranky.

Truth be told, they really haven't censored the comments much, and the comments thread on the first post seems to be split about 20/20/60 (this is just a rough estimate, it's not like I actually counted all of them) between:

Unsurprisingly, I don't see a lot of real engagement with the points being raised by commenters. It's mostly the same sort of vague defensiveness you see in the TSA's more formal communications with the public. For instance, this post wants to be a justification of the shoe policy:

It's not all about Richard Reid when it comes to the screening of shoes. Post all of your thoughts about shoes in this blog post. To learn more about how the shoe fits in with the TSA, check out our web page on "why we screen shoes". Then come back here and let's talk.

The article this is referring to is here and transitively these "recently declassified" (nothing like that to give the air of authenticity) photos of x-rays of shoes with explosives in them:

Wow, that's totally convincing, except for the fact that (1) you can get hard (machinable) explosives which you could form into the whole sole of the shoe, pretty much making this sort of contrast technique useless and (2) there are lots of ways to conceal the explosive (non-magnetic, remember) parts of a bomb on your body [*].

People of course point this out in the comments section, but the TSA people don't respond, so the whole exercise is kind of pointless. Do they really expect this to make anyone have a more positive opinion of TSA?

Posted by ekr at 9:15 PM | Comments (7)

January 5, 2008

Holy airgap, Batman!

Check out this Wired article and the FAA Report on which it is based about how the Boeing 787 control network is connected to the in-cabin entertainment network, which is probably not the design your average security guy would have chosen:
These special conditions are issued for the Boeing Model 787-8 airplane. This airplane will have novel or unusual design features when compared to the state of technology envisioned in the airworthiness standards for transport category airplanes. These novel or unusual design features are associated with connectivity of the passenger domain computer systems to the airplane critical systems and data networks. For these design features, the applicable airworthiness regulations do not contain adequate or appropriate safety standards for protection and security of airplane systems and data networks against unauthorized access. These special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing standards.

The FAA imposes the following requirement:

The design shall prevent all inadvertent or malicious changes to, and all adverse impacts upon, all systems, networks, hardware, software, and data in the Aircraft Control Domain and in the Airline Information Domain from all points within the Passenger Information and Entertainment Domain.

Obviously, this specifies a goal rather than a design, but it's pretty hard to see how this goal could be met without at minimum an airgap between the ACD/AID and the PIED. I'm unaware of any networking technology which allows you to connect two networking domains together which can also guarantee that computers in the untrusted domain can't negatively impact computers in the trusted domains. The classic solution that falls short of airgaps is of course firewalls, but then you have to worry about vulnerabilities in the firewall, so this certainly doesn't prevent all attacks.

The more interesting question is whether an airgap is enough. An airgap provides good protection against logical attacks from the PIED network, but not against physical ones. Even if the ACD/AID cables are physically separate from the PIED cables, do they run through areas which are potentially accessible from the passenger cabin (especially the lavs!)? Do they use cryptography so that an attacker who accessed them couldn't directly talk to the ACD/AID network? Note that this isn't perfect protection, but it could substantially lower the attack surface.

Two other things worth noting here:

I don't know that much about how this kind of in-flight network is usually designed or how much security analysis usually goes into it, but to the extent to which we're concerned about passenger subversion of flight control systems, this seems like an unusually hostile threat environment. In particular, if the plane is completely fly by wire, does that mean that someone who controlled the computers could potentially fly the plane where (or into) anything they wanted? What features are provided for regaining manual control in the case of such subversion?

Posted by ekr at 9:51 AM | Comments (4)

December 28, 2007

8 grams of lithium-what?

Schneier notes the TSA's new rules about lithium ion batteries. Here's their overall policy:
The following quantity limits apply to both your spare and installed batteries. The limits are expressed in grams of “equivalent lithium content.” 8 grams of equivalent lithium content is approximately 100 watt-hours. 25 grams is approximately 300 watt-hours:
  • Under the new rules, you can bring batteries with up to 8-gram equivalent lithium content. All lithium ion batteries in cell phones are below 8 gram equivalent lithium content. Nearly all laptop computers also are below this quantity threshold.
  • You can also bring up to two spare batteries with an aggregate equivalent lithium content of up to 25 grams, in addition to any batteries that fall below the 8-gram threshold. Examples of two types of lithium ion batteries with equivalent lithium content over 8 grams but below 25 are shown below.
  • For a lithium metal battery, whether installed in a device or carried as a spare, the limit on lithium content is 2 grams of lithium metal per battery. Almost all consumer-type lithium metal batteries are below 2 grams of lithium metal. But if you are unsure, contact the manufacturer!

This seems like it will be a lot of fun. I'm really looking forward to watching TSA reps try to figure out whether a given device has over 8-gram equivalents of lithium in it, let alone trying to add up the watt hours in various devices to decide if they are over 300 (note that 8 grams is claimed to be about 100 watt-hours, so what if you have 302 watt-hours, which is over 300, but probably less than 25 grams). This "contact the manufacturer" thing is pretty nuts. TSA needs to have a list to decide what they want to accept. Why don't they just publish it?
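To make the arithmetic in the quoted rules concrete, here is an added example (not from the post or from TSA) that encodes the three rules and the stated conversion (8 grams of equivalent lithium content is about 100 watt-hours), and shows the mismatch between the "300 watt-hour" rule of thumb and the actual 25 gram limit for a pack in the low 300 Wh range. The reading that an installed battery over 8 grams is not covered by the spare-battery allowance is my interpretation of the quoted text.

```python
"""Evaluate the TSA lithium battery limits quoted above.

Added example, not from the original post or from TSA. The conversion ratio
and thresholds come from the quoted policy; the rule reading is an assumption.
"""
from __future__ import annotations
from dataclasses import dataclass

# Conversion stated in the quoted policy: 8 g equivalent lithium ~ 100 Wh.
WH_PER_GRAM = 100.0 / 8.0            # 12.5 Wh per gram of equivalent lithium

PER_BATTERY_LIMIT_G = 8.0            # installed or spare, no count limit
LARGE_SPARE_AGGREGATE_G = 25.0       # spares above 8 g: summed limit
MAX_LARGE_SPARES = 2                 # at most two such spares
LITHIUM_METAL_LIMIT_G = 2.0          # per lithium metal battery


@dataclass
class Battery:
    label: str
    watt_hours: float
    chemistry: str = "ion"           # "ion" (rechargeable) or "metal" (primary)
    spare: bool = False
    lithium_metal_grams: float = 0.0 # only meaningful for chemistry == "metal"


def equivalent_lithium_grams(watt_hours: float) -> float:
    """Convert watt-hours to 'equivalent lithium content' using the quoted ratio."""
    return watt_hours / WH_PER_GRAM


def check_carry_on(batteries: list[Battery]) -> tuple[bool, list[str]]:
    """Apply the three quoted rules; return (allowed, list of violations)."""
    reasons: list[str] = []
    large_spares: list[tuple[str, float]] = []
    for b in batteries:
        if b.chemistry == "metal":
            # Rule 3: lithium metal is limited per battery, installed or spare.
            if b.lithium_metal_grams > LITHIUM_METAL_LIMIT_G:
                reasons.append(f"{b.label}: lithium metal {b.lithium_metal_grams} g > 2 g")
            continue
        grams = equivalent_lithium_grams(b.watt_hours)
        if grams <= PER_BATTERY_LIMIT_G:
            continue                  # Rule 1: at or under 8 g, no count limit
        if not b.spare:
            # Assumed reading: the over-8 g allowance in rule 2 is for spares only.
            reasons.append(f"{b.label}: installed battery {grams:.2f} g > 8 g")
            continue
        large_spares.append((b.label, grams))
    # Rule 2: up to two spares over 8 g, aggregate at most 25 g.
    if len(large_spares) > MAX_LARGE_SPARES:
        reasons.append(f"{len(large_spares)} spares over 8 g; limit is {MAX_LARGE_SPARES}")
    total = sum(g for _, g in large_spares)
    if total > LARGE_SPARE_AGGREGATE_G:
        reasons.append(f"large spares total {total:.2f} g > 25 g")
    return (not reasons, reasons)


def threshold_disagreement(watt_hours: float) -> dict:
    """Compare the '300 Wh' rule of thumb with the 25 g limit for a single pack.

    For 302 Wh this returns over_300_wh=True but over_25_g=False (24.16 g),
    which is the inconsistency discussed above.
    """
    grams = equivalent_lithium_grams(watt_hours)
    return {"over_300_wh": watt_hours > 300.0,
            "over_25_g": grams > LARGE_SPARE_AGGREGATE_G,
            "grams": grams}


if __name__ == "__main__":
    # Constructed sample carry-on set.
    bag = [Battery("phone", 10.0), Battery("laptop", 85.0),
           Battery("spare pack", 302.0, spare=True)]
    print(check_carry_on(bag))
    print(threshold_disagreement(302.0))
```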

Another thing that's weird is that you can't have spare batteries in your checked luggage, but you are allowed to have such batteries installed in your devices. I'm sure my laptop will contain any fires or explosions. Outstanding!

Posted by ekr at 8:24 PM | Comments (5)

December 27, 2007

On testing airport security effectiveness

Linos, Linos, and Colditz's BMJ paper on airport screening is getting a lot of attention. LLN write:
We systematically reviewed the literature on airport security screening tools. A systematic search of PubMed, Embase, ISI Web of Science, Lexis, Nexis, JSTOR, and Academic Search Premier (EBSCOhost) found no comprehensive studies that evaluated the effectiveness of x ray screening of passengers or hand luggage, screening with metal detectors, or screening to detect explosives. When research teams requested such information from the US Transportation Security Administration they were told that evaluating new screening programmes might be useful, but it was overshadowed by "time pressures to implement needed security measures quickly."16 In addition, we noticed that new airport screening protocols were implemented immediately after news reports of terror threats (fig 1).

It's unsurprising that there are no real studies on this topic, but it's not at all clear that even if we wanted to do some it would be practical, or even possible to do so. The authors suggest a controlled trial of screening effectiveness at detecting specific types of attacks:

After informing the airport managers, gaining approval from research ethics committees and police, and registering our trial with one of the acceptable International Committee of Medical Journal Editors trial registries, we would select passengers at random at the check-in desks and give each traveller a small wrapped package to put in their carry-on bags. (We would do this after they have answered the question about anyone interfering with their luggage.) A total of 600 passengers would be randomised to receive a package, containing a 200 ml bottle of a non-explosive liquid, a knife, or a bag of sand of similar weight (control package) in a 1:1:1 ratio. Investigators and passengers would be blinded to the contents of the package. Our undercover investigators would measure how long it takes to get through security queues and record how many of the tagged customers are stopped and how many get through. A passenger who is stopped and asked to open the wrapped box would be classed as a positive test result, and any unopened boxes would be considered a negative test result.

This study design seems problematic as a measure for screening effectiveness. Security screening is fundamentally different from screening for diseases because disease screening isn't adversarial.

To take the simplest case, consider genetic diseases. When you screen for Tay-Sachs, the Tay-Sachs gene isn't trying to figure out how to evade your screen. Even in cases like cystic fibrosis where there are genotypes which produce pathology but aren't detectable with standard screening methods (the basic CF screen only detects 80% of mutations) there's not selective pressure for the undetectable genotype, just pressure against the detectable ones. The undetectable genotypes don't increase in the population.

To take a slightly more complicated case, consider non-genetic diseases, which do evolve. HIV, for instance, regularly evolves resistance to the antiretrovirals we use to treat it. [Warning, I'm working from general principles here. If there are cases of evolved resistance to screening, I'd love to hear about them.] Screening is a different case, though, for at least two reasons. First, the reason you get HIV drug resistance is to a great extent due to selective pressure between the genotypes present in a given patient, so when you treat that patient with antiretrovirals, this exerts selective pressure against the susceptible genotypes and so you end up with a much higher fraction of resistant genotypes within the patient. But of course when you're doing screening, any nontrivial fraction of detectable organisms leads to a positive result and (presumably) treatment, so you don't get as much selective pressure between the detectable and undetectable variants. Second, virii and bacteria aren't intelligently trying to evade your screening, so even if there is some evolved stealth, you would likely have plenty of time to adapt and test your screening technology.

By contrast, in the case of airline screening, you have an intelligent attacker with a very short reaction cycle, so as soon as they know what kind of screening you are using they can move to evade it. Also, you don't need each attacker to independently evolve defenses—as soon as someone figures out a defense technique, they can tell a lot of other attackers about it. (This is also why signature-based virus detection is such a hard problem with relatively high false negative rates). This makes the problem of evaluating whether a given set of screening techniques work as the authors propose very problematic. By the time you've done your effectiveness study, it's already obsolete.

More importantly, this study design sort of confuses a technique (stopping people from bringing weapons through the security checkpoint) with the goal (stopping people from blowing up airplanes). But of course these aren't the same thing. For instance, you could jump the fence and smuggle explosives into the sterile area. So, the question you really want to ask is whether airport security decreases the chance of planes being bombed. In order to do this, you need a different study design: one which compares various security regimes in terms of the number of terrorist attacks that occur under them. This is a much harder study to do, for a number of reasons.

First, you have the "outrun the bear problem". Say that you have both good and bad security and terrorists preferentially attack airports with bad security. This doesn't necessarily tell you that if everyone adopted good security you would see fewer attacks. The terrorist might just be lazy enough to choose the softer targets, but would mount attacks anyway—this is a variant of the adaptiveness problem. We just don't understand the supply model that well.

Second, ignoring this problem, it's not clear we have enough data to do a meaningful study, because the number of terrorist attacks is so low. Remember that there have been no successful US airline hijackings or bombings since September 11th 2001, so if you'd run a study of this type starting in 2002, you would not be able to reject the null hypothesis that good airline security (assuming, as seems likely, that there's existing variation in screening quality) was useless. We just don't know whether the reason we haven't had any attacks in over five years is because of good security or because people aren't trying, and you'd need a lot more data to get a significant result.

Given these issues, it's pretty hard to imagine what kind of study would let you decide these issues. That's not to say that I think that the current flavor of airport security is useful, but that doesn't mean that it's that meaningful a criticism that there aren't studies that show that it is.

Posted by ekr at 10:34 PM | Comments (8)

October 6, 2007

Automatic terrorist detection

I have to admit that I was initially pretty skeptical of U. Buffalo's proposed automatic terrorist threat assessment tool but now that Cory Doctorow—my lodestar to the reflexive geek position—has rubbished it (he compares it to phrenology), I figured I'd take another look. The basic idea seems to be to apply machine learning to videos of suspects being interviewed:
"We are developing a prototype that examines a video in a number of different security settings, automatically producing a single, integrated score of malfeasance likelihood," he said.

A key advantage of the UB system is that it will incorporate machine learning capabilities, which will allow it to "learn" from its subjects during the course of a 20-minute interview.

That's critical, Govindaraju said, because behavioral science research has repeatedly demonstrated that many behavioral clues to deceit are person-specific.

"As soon as a new person comes in for an interrogation, our program will start tracking his or her behaviors, and start computing a baseline for that individual 'on the fly'," he said.

The researchers caution that no technology, no matter how precise, is a substitute for human judgment.

"No behavior always guarantees that someone is lying, but behaviors do predict emotions or thinking and that can help the security officer decide who to watch more carefully," said Frank.

He noted that individuals often are randomly screened at security checkpoints in airports or at border crossings.

The question of whether this will work involves two subquestions:

It's certainly widely believed that techniques like this work in principle, and in fact can be made to work by human interviewers. After all, the police regularly use interviews to attempt to figure out whether suspects are guilty, and interviews are the basis of El Al's vaunted security measures. That said, there's data that suggests that humans aren't that great at detecting lies either. So, I'd say the jury is still out on whether it's possible to detect terrorists by observing their behavior in interviews. But certainly believing that it will work wouldn't put you outside of mainstream opinion.

That leaves us with the question of whether our current machine learning techniques can do the job. That seems a bit less likely; even our facial recognition technology doesn't really work that well and this seems like a rather harder problem. But that's why this a research project and being done at the University of Buffalo as opposed to being contracted out to Lockheed Martin.

Posted by ekr at 8:53 PM | Comments (1)

August 13, 2007

First reactions to the Secure Flight proposal

Just looked over DHS's new Secure Flight proposal. (By the way, it's a scanned printout, which is super-annoying.) Some initial reactions: Of course, like any name-based blacklist, the security of this system depends on (1) the quality of the algorithm generating the blacklist and (2) the level of difficulty required to obtain fake ID that will be accepted by the blacklist enforcers. It's not clear that either of these is really adequate at this time.

Posted by ekr at 7:38 PM | Comments (2)

August 9, 2007

Airline blacklist version whatever

DHS is revamping the no-fly/watchlist yet again. I haven't read this yet, so no useful comments, other than my general suspicion of name-based passenger screening.

One interesting point, though:

TSA is also proposing that each boarding pass will have a unique, scannable mark, which could be authenticated by a TSA employee with a wireless device at the head of the screening line. While the TSA hasn't chosen what technologies to use for this system, the move starts to eliminate a long-standing hole in the current system. That hole allows a watch listed person to avoid being banned from flying or encountering extra screening by modifying a print-at-home boarding pass.

Well, extra screening, perhaps, but not banned from flying, since you can just make up a fake name and then say you forgot your ID.

Posted by ekr at 9:48 PM

August 4, 2007

Wait, you're not asking for ID?

I recently renewed my driver's license. Normally you can just renew by mail, but after you've had two renewals by mail you have to go back into the DMV (carrying the form they send you). There seem to be two purposes here:

Here's the weird part: they didn't check my current license (though as I remember, the form they send you says you need to bring it). They just took my money, checked my vision (in that order, which is also kind of weird) and then gave me the provisional license printout. You then walk over to a different window where they take your thumbprint and picture.

Assuming this is standard practice, and not just an error by the clerk, then an attacker who pulled the form out of your mail could just walk in and complete this process. In theory, they might catch you by comparing your existing biometrics (photo, thumbprint) against the newly captured biometrics. I don't know if they do that or not, but it seems like it would be relatively easy to bypass: people's looks change a lot in 15 years and while thumbprints don't change, there are also known techniques for cheating thumbprint scanners--assuming they check this stuff at all.

Obviously, if you went to the DMV and found someone else had already renewed your license, that might be something you'd notice, but it's not clear what the State would do about it. The wrong person would still have an ID in your name. There's no normal procedure for revoking driver's licenses. This isn't catastrophic, of course, unless you have some system that depends on positive identification of people, like say, a no-fly list.1

1. And of course if the person whose identity you were stealing was cooperating, then they wouldn't even have to report it. This doesn't make sense ordinarily, but you could use it to exchange the identity of someone who was on a no-fly list for a plant who was not.

Posted by ekr at 6:49 PM

July 28, 2007

Confirming Wallach on flying without ID

A few weeks ago, Dan Wallach told me about his experience flying without ID. Dan had forgotten his ID and didn't have time to go back and get it. After some fumbling, the airlines and the TSA figured out that he could still fly as long as he went through secondary screening. I can more or less confirm this procedure.

On my flight back from ORD this morning, I presented my drivers license, which was expired by less than a week. The contractor checking my ID started counting on her fingers (figuring out what the date was? seeing if I was within some grace period?) and then asked me if I had an extension. I didn't1, so she told me I had to go through secondary screening. I said "OK", and she wrote "NO ID" on my ticket and sent me over to secondary, where I got the same slightly less cursory than usual screening as I would have gotten if I'd been randomly selected.

By the way, when did your right to be frisked by someone of the same gender turn into the requirement that you be frisked by someone of the same gender? I and two other men stood in line for about five minutes waiting for a male TSA agent to be available, even though a female agent was free. The man in front of me explicitly offered to waive the gender match requirement but no dice.

1. Truth be told, I did have my passport, but I was curious what would happen. Also, I will note that the ticket counter agent took my ID with no problem.

Posted by ekr at 8:03 PM | Comments (3)

April 2, 2007

Airport screening doesn't work... don't tell anyone!

Colorado's 9News reports on the TSA's Red Team tests of the screeners at DIA. They're not doing the most impressive job:
The Transportation Security Administration (TSA) screeners failed most of the covert tests because of human error, sources told 9NEWS. Alarms went off on the machines, but sources said screeners violated TSA standard operating procedures and did not hand-search suspicious luggage, wand, or pat down the undercover agents.

The Red Team uses very expensive chemical simulates in the test devices that look, smell and taste like real explosives, except they do not explode. To the CTX bomb detection machines at DIA, they are real explosives, according to a former Red Team leader.

Sources told 9NEWS the Red Team was able to sneak about 90 percent of simulated weapons past checkpoint screeners in Denver. In the baggage area, screeners caught one explosive device that was packed in a suitcase. However later, screeners in the baggage area missed a book bomb, according to sources.

Of course the TSA says this test is unrepresentative, but that this kind of result should be kept secret:

Morris says other agents, not with the Red Team, test and train screeners every day at the nation's 450 airports and says screeners pass most of those tests. In those kinds of tests, he said Denver has done well in the past.

However, tests done by the Department of Homeland Security's Office of Inspector General and the U.S. Government Accountability Office in 2006 found widespread failures. According to the GAO, screeners at 15 airports missed 90 percent of the explosives and guns agents tried to sneak past checkpoints.

...

Most test results, including results from the Red Team, are secret, classified as SSI or sensitive security information. Morris says they do not make them public because they could point out holes in the system.

So, there are two types of information here: the first is that the security screening has an incredibly high false negative rate. The second is the specific things you could do to get past security. It's certainly true that knowing specific ways to exploit security would be useful to terrorists, but it's not clear that the Red Team did anything particularly surprising or sophisticated here. In one of the tests, the agent appears to merely have outbluffed the screeners.

Now, one could argue that the mere fact that screening is so inaccurate is in and of itself useful to the terrorists, since this makes airports a more attractive target. But then this is hardly secret information. First, GAO tests showing very similar results have already been published. Second, all you have to do is know how the screening technology works (and that's no secret) and watch how screening is performed to know that it's not going to work that well. On the other hand, it's perfectly clear why TSA would wish to keep such embarrassing information secret.

Posted by ekr at 8:51 PM | Comments (3)

March 9, 2007

Remote control airplanes

According to this article Boeing is designing an "Uninterruptible Autopilot System". The idea here is that if the plane is being hijacked you trigger the UAS. Once it's engaged, the plane can't be controlled by the pilot but is remotely controllable from the ground.

It's important to remember here that there are two kinds of hijacking:

This seems to be mostly targeted at the second type of hijacking, since the first type depends principally on people complying under a threat and this threat is at least 95% as credible when the pilot is on the ground as if they're in the air with you. You just threaten someone on the plane instead of the pilot. On the other hand, if your objective is to fly the plane into some building, presumably the flight controllers on the ground won't allow that no matter how much you threaten to kill passengers.

That said, it's not entirely clear that 9/11-style hijacking can work even without this technology. If you're a passenger on a hijacked plane and you expect the hijackers to fly it into a building you've got a pretty good incentive to try to take back the plane regardless of what weapons the hijackers have. As has been often observed, 9/11 was successful because people's responses to hijacking were predicated on the assumption that it was the first type—who had heard of the second?

From a security guy's perspective, the interesting question is what safeguards are in place to prevent accidental activation and control by attackers? Imagine you get your hands on the control unit for an aircraft and can somehow get it put into UAS mode. Congratulations, you've got yourself a remote controlled, manned cruise missile. Presumably there are safeguards in place to defend against this sort of attack. Minimally, one would hope that some sort of cryptography is used to limit control to authorized units. The COMSEC techniques here are of course relatively straightforward.

The second thing you would like is for it to be impossible to remotely put the plane into UAS mode, thus minimizing the damage from any compromise of a control unit or its keying material. For instance, the UAS radio receiver could be physically disconnected until engaged onboard the plane.

Even if proper COMSEC techniques are used, there still is a residual risk if it's possible to jam the signal. In order for the system to work, it needs to be fairly sensitive so that any attempt to take over the cockpit triggers it (hence the proposed pressure sensors on the cockpit door). But this potentially enables an attacker onboard to trigger the UAS while a confederate on the ground holds the plane hostage by jamming the control signal. Again, there are techniques to make signals harder to jam (though the authentication techniques you're likely to use make the control channel very sensitive to errors so you'd need a lot of forward error correction).

I'd certainly be interested in hearing more about the design of the proposed system.
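To make the COMSEC points above concrete, here is an added example (not from the post or from Boeing) of a ground-to-aircraft command channel in which every frame carries a counter and an HMAC tag, so only units holding the key can issue commands and replayed frames are rejected. It also shows the side effect noted above: because the tag covers every bit of the frame, a single corrupted bit makes the frame unverifiable, which is why forward error correction has to sit underneath the authentication layer. The key, frame layout and toy repetition code are assumptions for the demo.

```python
"""Authenticated, replay-protected command frames for a remote control channel.

Added example, not from the post or from any real avionics system. The
shared key, the frame layout and the toy repetition code are constructed
for illustration only.
"""
import hashlib
import hmac
import struct
from typing import Optional

KEY = b"constructed-demo-key-not-real"   # assumed pre-shared key for the demo
MAC_LEN = 16                              # truncated HMAC-SHA256 tag length


def build_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Frame = 4-byte big-endian counter || command || HMAC-SHA256 tag.

    The counter is inside the authenticated body, so it cannot be edited
    or reused without the key.
    """
    body = struct.pack(">I", counter) + command
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


class Receiver:
    """Aircraft side: accept a frame only if the tag verifies and the counter
    is strictly greater than the last accepted one (anti-replay)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes) -> Optional[bytes]:
        """Return the command bytes if the frame is genuine and fresh, else None."""
        if len(frame) < 4 + MAC_LEN:
            return None
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                   # forged, wrong key, or corrupted in transit
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return None                   # replayed or out-of-order frame
        self.last_counter = counter
        return body[4:]


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate channel corruption (noise or jamming) by flipping one bit."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


# Toy forward error correction: triple repetition with bitwise majority vote.
# Real links use proper codes; this only shows that correcting errors before
# MAC verification is what keeps an authenticated channel usable under noise.
def fec_encode(data: bytes) -> bytes:
    return data * 3


def fec_decode(coded: bytes) -> bytes:
    n = len(coded) // 3
    a, b, c = coded[:n], coded[n:2 * n], coded[2 * n:3 * n]
    return bytes((x & y) | (x & z) | (y & z) for x, y, z in zip(a, b, c))


if __name__ == "__main__":
    rx = Receiver(KEY)
    frame = build_frame(KEY, 1, b"ENGAGE")
    print(rx.accept(frame))                       # b'ENGAGE'
    print(rx.accept(frame))                       # None: replay
    print(rx.accept(flip_bit(build_frame(KEY, 2, b"HDG 270"), 40)))  # None: MAC fails
    print(rx.accept(fec_decode(flip_bit(fec_encode(build_frame(KEY, 2, b"HDG 270")), 40))))
```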

Posted by ekr at 10:15 PM | Comments (2)

January 8, 2007

The end of Gilmore v. Gonzales

The Supremes have declined to hear Gilmore v. Gonzales. I can't say I'm too surprised; Americans seem in general pretty inured to airport searches, in part due to an exaggerated sense of the danger of air travel (both due to accidents and terrorism).

Posted by ekr at 10:06 AM | Comments (15)

January 6, 2007

Airport security advertising

Via Interesting People, I see that TSA is starting a pilot program to show ads during security screening:
"TSA plans to launch a one-year pilot program where airport operators may enter into an agreement with vendors, who will provide divestiture bins, divestiture and composure tables, and metal-free bin return carts at no cost to TSA," said spokeswoman Amy Kudwa. "In return for the equipment, TSA will allow airport operator-approved advertisements to be displayed on the bottom of the inside of the bins."

Your average security checkpoint looks to me to have about 100 plastic bins. Comparable bins go for about $11 retail. They also have maybe 5-10 plastic tables, something like this, which goes for $150 retail. I haven't specced out the little bins you put your keys in, but let's assume they're $11 too. So, assuming we're just talking storage and not expensive stuff like metal detectors, you should be able to outfit your TSA checkpoint for under $5000. A big airport like SFO might have 10 security checkpoints, so you're looking at a $50,000 one-time cost (with maybe 20%/year for breakage, though these plastic tubs look pretty indestructible). That's a trivial part of the cost of running airport security. So, if vendors are really getting advertising for the cost of providing free hardware they're getting a great deal. The airports should want revenue sharing.

This brings me to my second point: incentives. The longer you spend standing around the TSA checkpoint and the more crap you have to take out of your pockets and put in separate bins, the more advertising you get exposed to. The airports and TSA have some control over this, so to the extent they make money from advertising, their interests aren't really aligned with yours, which include getting through the checkpoint as fast as possible. See the Clear program for another example of such an incentive conflict.

Most importantly, with all the pulling stuff out of your bag and stuffing it back in, it's pretty easy to leave things at the checkpoint, say at the bottom of your bin. In order to minimize this, you want the bottom of the bins and the tops of the tables to be as uncluttered a visual field as possible and one that is most likely to contrast with people's belongings. I'm not sure exactly what that would look like (I'd imagine bright white, though the grey seems not terrible), but since the whole purpose of advertising is to attract people's attention to the ad, I suspect it's probably going to be pretty bad for having you notice that you left stuff in the bin. I'd much rather that TSA and the airports optimize for me not leaving my valuables at the security checkpoint than for extracting an extra few million a year from advertisers.

Posted by ekr at 7:59 AM | Comments (3)

December 30, 2006

Automated International checkin

One of the annoyances of checkin on international flights is the need to show some human your passport. No longer:

At least in YVR, United's automated checkin system will scan your passport (and green card in the same scanner which is kind of cool since they're a different size). Maybe next year our robot overlords can replace the human customs and immigration inspectors.

Posted by ekr at 10:24 AM | Comments (3)