Comments on: Penetration testing the TSA http://www.cydeweys.com/blog/2008/04/27/penetration-testing-the-tsa/ Wed, 08 Feb 2012 16:39:44 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: JR Dallas http://www.cydeweys.com/blog/2008/04/27/penetration-testing-the-tsa/comment-page-1/#comment-23919 JR Dallas Fri, 02 May 2008 04:21:24 +0000 http://www.cydeweys.com/blog/?p=764#comment-23919 This whole system is a joke, the only way to get any form of decent government and security in our lives is to overthrow the current establishment, look who we have elected, look who we have the choice to elect, pathetic. Lets raise up and throw off this yoke, not necessarily a yoke of oppresion, but of keeping us in fear, of keeping us ignorant, of putting us thru these rediculous security measures. Only if we destroy Washington will we be free. This whole system is a joke, the only way to get any form of decent government and security in our lives is to overthrow the current establishment, look who we have elected, look who we have the choice to elect, pathetic. Lets raise up and throw off this yoke, not necessarily a yoke of oppresion, but of keeping us in fear, of keeping us ignorant, of putting us thru these rediculous security measures. Only if we destroy Washington will we be free.

]]> By: arensb http://www.cydeweys.com/blog/2008/04/27/penetration-testing-the-tsa/comment-page-1/#comment-23580 arensb Mon, 28 Apr 2008 22:02:24 +0000 http://www.cydeweys.com/blog/?p=764#comment-23580 Kelly Martin: <blockquote>Frankly I think most of the TSA screening processes are intended to create the impression that the TSA is doing something</blockquote> The phrase you're looking for is "security theater". Bruce Schneier talks about it in his excellent book <cite>Beyond Fear</cite>. He also points out that some security theater can be a good thing (e.g., it can be reassuring to see a cop on the beat every once in a while, even if most law enforcement is done through surveillance cameras and such), but obviously it shouldn't be done at the expense of real security, or in such a way that it causes other security problems (e.g., long lines of people at airports, that could be seen as targets). Another problem endemic to the security field is that it's often hard to judge how effective any given measure is: sure, the US hasn't been attacked with hijacked airliners since 9/11, but is that because Al Qaeda is in disarray because of the war in Afghanistan? Or because better intelligence coordination through DHS allows such plots to be stopped before they get to the airport? Or because the TSA confiscates shampoo bottles? Or simply because the bad guys haven't tried a repeat of 9/11? Without knowing how many attempts there have been, it's impossible to tell how effective a security measure is. Kelly Martin:

Frankly I think most of the TSA screening processes are intended to create the impression that the TSA is doing something

The phrase you’re looking for is “security theater”. Bruce Schneier talks about it in his excellent book Beyond Fear. He also points out that some security theater can be a good thing (e.g., it can be reassuring to see a cop on the beat every once in a while, even if most law enforcement is done through surveillance cameras and such), but obviously it shouldn’t be done at the expense of real security, or in such a way that it causes other security problems (e.g., long lines of people at airports, that could be seen as targets).

Another problem endemic to the security field is that it’s often hard to judge how effective any given measure is: sure, the US hasn’t been attacked with hijacked airliners since 9/11, but is that because Al Qaeda is in disarray because of the war in Afghanistan? Or because better intelligence coordination through DHS allows such plots to be stopped before they get to the airport? Or because the TSA confiscates shampoo bottles? Or simply because the bad guys haven’t tried a repeat of 9/11? Without knowing how many attempts there have been, it’s impossible to tell how effective a security measure is.

]]> By: Kelly Martin http://www.cydeweys.com/blog/2008/04/27/penetration-testing-the-tsa/comment-page-1/#comment-23535 Kelly Martin Mon, 28 Apr 2008 10:49:51 +0000 http://www.cydeweys.com/blog/?p=764#comment-23535 Last time I was in Portland I was required to go through the "puffer" (they were making everyone with a laptop go through it). Frankly I think most of the TSA screening processes are intended to create the impression that the TSA is doing something, without any real concern as to whether they actually reduce the risk of an actual terrorist getting through. I think there is also the whole need to make excuses to spend government money on technology that doesn't necessarily help with reducing risk but definitely does help with padding profit margins. Last time I was in Portland I was required to go through the “puffer” (they were making everyone with a laptop go through it). Frankly I think most of the TSA screening processes are intended to create the impression that the TSA is doing something, without any real concern as to whether they actually reduce the risk of an actual terrorist getting through. I think there is also the whole need to make excuses to spend government money on technology that doesn’t necessarily help with reducing risk but definitely does help with padding profit margins.

]]> By: Cyde Weys http://www.cydeweys.com/blog/2008/04/27/penetration-testing-the-tsa/comment-page-1/#comment-23510 Cyde Weys Mon, 28 Apr 2008 04:07:37 +0000 http://www.cydeweys.com/blog/?p=764#comment-23510 Funnily enough, the past few times I've gone through airport security, they've had different apparatii at different stations. In Hartford, one station had the walk-through machine that puffs you with air to detect explosives residue, while one did not. I elected to go through the newfangled machine (and it took a little bit longer to boot) just to see what it was like (it was underwhelming), but I easily had the choice of not doing it. And then earlier today at BWI I had a choice of going through a simple X-ray machine or a backscatter radiation machine. Obviously I did not elect to go through the radiation machine. It makes you wonder though, how are we stopping the terrorists if we're giving them a choice of choosing the laxer security screening? Shouldn't <i>all</i> of the stations in an airport have the same equipment? It's kind of like how you have to plug <i>all</i> of the holes in a ship to prevent it from sinking. Funnily enough, the past few times I’ve gone through airport security, they’ve had different apparatii at different stations. In Hartford, one station had the walk-through machine that puffs you with air to detect explosives residue, while one did not. I elected to go through the newfangled machine (and it took a little bit longer to boot) just to see what it was like (it was underwhelming), but I easily had the choice of not doing it. And then earlier today at BWI I had a choice of going through a simple X-ray machine or a backscatter radiation machine. Obviously I did not elect to go through the radiation machine.

It makes you wonder though, how are we stopping the terrorists if we’re giving them a choice of choosing the laxer security screening? Shouldn’t all of the stations in an airport have the same equipment? It’s kind of like how you have to plug all of the holes in a ship to prevent it from sinking.

]]> By: drinian http://www.cydeweys.com/blog/2008/04/27/penetration-testing-the-tsa/comment-page-1/#comment-23458 drinian Sun, 27 Apr 2008 19:42:46 +0000 http://www.cydeweys.com/blog/?p=764#comment-23458 They are getting really good at noticing bottles, and I generally carry a roll of quarters with me that apparently looks suspicious on X-ray. I get stopped for that much more often than for the giant bird's nest of cables that usually hangs around my laptop bag. But there's still no rhyme or reason to most of the decisions they make for extra screening, it seems. If the TSA really wanted to do a good job of security, they would hire enough people to ensure that there is never a line waiting, enabling them to take their time with each person. They've already bought the hardware at most locations; it's been sitting dormant for years (political pork, most likely). Then they could start training their screeners to use some knowledge along with the rote rules they have now. Incidentally, Japan has <a href="http://www.iht.com/articles/ap/2006/12/11/asia/AS_GEN_Japan_Terrorism.php" rel="nofollow">used liquid explosive detectors for two years now</a>. Why no-one in the TSA seems aware of this seems beyond me. They are getting really good at noticing bottles, and I generally carry a roll of quarters with me that apparently looks suspicious on X-ray. I get stopped for that much more often than for the giant bird’s nest of cables that usually hangs around my laptop bag. But there’s still no rhyme or reason to most of the decisions they make for extra screening, it seems.

If the TSA really wanted to do a good job of security, they would hire enough people to ensure that there is never a line waiting, enabling them to take their time with each person. They’ve already bought the hardware at most locations; it’s been sitting dormant for years (political pork, most likely). Then they could start training their screeners to use some knowledge along with the rote rules they have now.

Incidentally, Japan has used liquid explosive detectors for two years now. Why no-one in the TSA seems aware of this seems beyond me.

]]>