Shostack + Friends Blog Archive


The New School of Air Travel Security?

As I simmer with anger over how TSA is subpoenaing bloggers, it occurs to me that the state of airline security is very similar to that of information security in some important ways:

  • Failures are rare
  • Partial failures are generally secret
  • Actual failures are analyzed in secret
  • Procedures are secret
  • Procedures seem bizarre and arbitrary
  • External analysis seems to show that the procedures are fundamentally flawed
  • Those charged with doing the work appear to develop a bunker mentality

In this situation, anyone can offer up their opinions, and most of us do.

It’s hard to figure out which analyses are better than others, because the data about partial failures is harder to get than opinions. And so most opinions are created equal, or at least appear to be. Recommendations in airline security are all ‘best practices’ which are hard to evaluate.

Now, as Peter Swire has pointed out, the disclosure debate pivots on whether an attacker needs to expose themselves in order to test a hypothesis. If the attacker needs to show up and risk arrest or being shot to learn whether a device will make it through a magnetometer, that’s very different from the case where an attacker only needs to send packets over the internet.

I believe much of this swivels on the fact that most of the security layers have been innocently exposed in many ways. The outline of how the intelligence agencies and their databases work is public. The identity checking is similarly public. It’s easy to discover at home or at the airport that you’re on a list. The primary and secondary physical screening layers are well and publicly described. The limits of tertiary screening are easily discovered, as an unlucky friend found out when he threw a Nazi salute at a particularly nosy screener in Amsterdam’s Schiphol airport. And then some of it comes out when government agencies accidentally expose it. All of this boils down to partial and unstructured disclosure in three ways:

  1. Laws or public inquiries require it
  2. The public is exposed to it or can “innocently” test it
  3. Accidents

In light of all of this, the job of a terrorist mastermind is straightforward: figure out a plan that bypasses the known defenses, then find someone to carry it out. Defending the confidentiality of approaches is hard. Randomization is an effort to change attackers’ risk profiles.

But here’s the thing: between appropriate and important legal controls and the fact that the public goes through the system, there are large parts of it which cannot be kept secret for any length of time. We need to acknowledge that and design for it.

So here’s my simple proposal:

  1. Publish as much of the process as can be published, in accordance with the intent of the Executive Order on Classified National Security Information:

    “Agency heads shall complete on a periodic basis a comprehensive review of the agency’s classification guidance, particularly classification guides, to ensure the guidance reflects current circumstances and to identify classified information that no longer requires protection and can be declassified,”

    That order lays out a new balance between openness and national security, including terrorism. TSA’s current approach does not meet that new balance.

  2. Publish information about failed attempts and the costs of the system
  3. Stop harassing and intimidating those like Chris Soghoian, Steven Frischling or Christopher Elliott who discuss details of the system.
  4. Encourage and engage in a fuller debate with facts, rather than speculation.

There you have it. We will get better security through a broad set of approaches being brought to the problems. We will get easier travel because we will understand what we’re being asked to do and why. Everyone understands that we need some level of security for air travel. Without an acrimonious, ill-informed firestorm, we’ll get more security with less pain and distraction.

2 comments on "The New School of Air Travel Security?"

  • Chris Palmer says:

    I don’t agree that failures are rare in information security. They are rare if you consider the ratio of bad attacks :: successful transactions (e.g. a normal day in’s business), but they are not rare if you consider bad attacks :: day or victims :: attack. Tens of millions of people can be affected by a single breach, as we have seen. And breaches seem to keep happening, don’t they?
    Another difference is that in infosec, failures are more and more analyzed in public — and we’re learning from them. They are not public enough, and they are not analyzed well enough, but it’s definitely starting to work. Attackers agree that attacking Windows is much harder now than it used to be.
    Finally, infosec procedures are not bizarre and arbitrary. Maybe input validation seems bizarre and arbitrary to a newbie web app developer, but to the rest of us it makes a lot of sense. People who think BitLocker is bizarre and arbitrary tend to stop thinking that after their first laptop theft.
    TSA truly is bizarre and arbitrary. That is because they are incompetent and probably malicious. But software vendors have to satisfy paying customers who often have alternatives in the market, so they tend to get their act together in the medium term or die out.
    Can you come up with any compelling, specific examples of modern/state-of-the-art infosec being as bad as modern air travel security? For example, Microsoft in the 90s does not count as “modern”, nor do those software vendors who still think we live in the 90s (names omitted to protect the guilty).

  • Dan Weber says:

    I’m not sure I buy Matt Blaze’s argument that randomization of security procedures benefits the terrorists. The people trying to bring down planes have finite resources, and they have to decide whether they send their good people on an untested mission or their expendable people to test security.

Comments are closed.