Shostack + Friends Blog Archive


Small Bits of Security Chaos: Airports (2), Bastille Linux adds metrics

  • The Department of Homeland Security Office of Inspector General has written a report on TSA security:

    Improvements are still needed in the screening process to ensure that dangerous prohibited items are not being carried into the sterile areas of airports, or do not enter the checked baggage system. In our report on the results of our first round of testing (OIG-04-036), which we issued in September 2004, we made several recommendations for improvements in the areas of training, equipment, policies and procedures, and management practices. For the most part, TSA agreed with our recommendations and is taking action to implement them. However, despite the fact that the majority of screeners with whom our testers came in contact were diligent in the performance of their duties and conscious of the responsibility those duties carry, the lack of improvement since our last audit indicates that significant improvement in performance may not be possible without greater use of new technology.

    But the report doesn’t ask: do we need to screen better? Is the current system good enough?

  • ABC News, “Report: Private Screeners Outdo Public”:

    A congressional investigation found airport screeners employed by private companies do a better job detecting dangerous objects than government screeners, according to a House member who has seen the classified report.

    The Government Accountability Office found statistically significant evidence that passenger screeners, who work at five airports under a pilot program, perform better than their federal counterparts at some 450 airports, Rep. John Mica, R-Fla. and chairman of the House aviation subcommittee, said on Tuesday.

    And we haven’t had a repeat of 9/11? Maybe we don’t need a new program to invade the privacy of people world-round to secure aircraft? (Maybe we do; I think we need to take a re-think.)

    Via InfoSecNews, who have additional Keystone Koppery.

  • Cryptome (offsite) points to two more DHS reports from the DHS Inspector General: DHS on TSA Security Operations Irregularities, and DHS on TSA Passenger Baggage Thefts. Both big PDFs. [Added in an update.]
  • Jay Beale has this to say about the new release of Bastille Linux, a tool that hardens your operating system against attack:

    The score idea is actually pretty central here. When I first heard about it, I thought it was overly simplistic, but people really do get motivated and sometimes even jazzed up about improving the score on a system. They’ll get a lower score than their ego tells them they should and will turn around and harden a few items on the box just to achieve a more encouraging score.