Security notyourtypicaltechguy

Security theater at the airport

I traveled recently to Belize for a wonderful vacation on Glover's Reef Atoll.  It was paradise.  On the way down there, I had left a Chobani yogurt in my carry-on bag and was flagged by TSA airport security.  Apparently yogurt is considered a liquid and it isn't allowed.  Slightly annoyed but with plenty of time to spare, I went to eat my yogurt outside security and while doing so did a search on Twitter for #securitytheater (try for yourself here).  For those that have never heard the term, "security theater" is used to describe security measures put in place to give the appearance of safety, even if they have obvious gaps or are minimizing an extremely small risk.

I've always been a little jaded about security since 9/11.  To be clear, 9/11 was a horrific event for this country and especially for those directly impacted by it, and I'm a FULL supporter of programs that will prevent something like that from happening again.  However, the programs put in place need to protect the rights of US citizens and be reasonably effective and efficient.  In other words, we could go out and hire another 5 million police officers, but I don't think that would be an efficient program.  We could also allow any citizen to be searched at any time for any reason, but I don't think I'd want to live in a country like that.

So what's bothered me personally over the years?  For starters, there was the time I accidentally carried a pocket knife in my carry-on coming back from Alaska and didn't get caught.  There have been a few times when I've had to exit the airport security line to empty my Nalgene bottle.  Then there is my personal favorite:  the random bag checks at the MBTA stops in Boston, which usually involve about 8 people (6 of which do nothing but stand there) and are completely pointless because if you get asked to be searched you can refuse and simply not get on the subway at that stop (I'm not making this up, see the MBTA policy here).  Logically, these random searches will only catch people that have bombs on them and don't know it or are REALLY STUPID, and I'm sure they come at a pretty steep expense to the MBTA.

With that said, what really disturbed me as I read more at the airport was this article from The Atlantic (read here) which interviewed the well-known TSA critic Bruce Schneier.  The first thing that really disturbed me, particularly since I've had to empty water bottles on multiple occasions, was this:

Later, Schneier would carry two bottles labeled saline solution—24 ounces in total—through security. An officer asked him why he needed two bottles. “Two eyes,” he said. He was allowed to keep the bottles.

But if you are a terrorist, you probably have your name in some database and so you'd never even be allowed to carry on 24 ounces of liquid, right?  That's why the "ID triangle" (a term I'd never heard before) was set up: the fact that you need to buy a ticket with a credit card, show a boarding pass and valid photo ID at security, and show a boarding pass again before getting on the plane.  This seems pretty secure at first glance, but if you really think it through it does little to protect us from smart terrorists, even if they are on every single government watch list. As the article explains:

“The goal is to make sure that this ID triangle represents one person,” he explained. “Here’s how you get around it. Let’s assume you’re a terrorist and you believe your name is on the watch list.” It’s easy for a terrorist to check whether the government has cottoned on to his existence, Schneier said; he simply has to submit his name online to the new, privately run CLEAR program, which is meant to fast-pass approved travelers through security. If the terrorist is rejected, then he knows he’s on the watch list.

To slip through the only check against the no-fly list, the terrorist uses a stolen credit card to buy a ticket under a fake name. “Then you print a fake boarding pass with your real name on it and go to the airport. You give your real ID, and the fake boarding pass with your real name on it, to security. They’re checking the documents against each other. They’re not checking your name against the no-fly list—that was done on the airline’s computers. Once you’re through security, you rip up the fake boarding pass, and use the real boarding pass that has the name from the stolen credit card. Then you board the plane, because they’re not checking your name against your ID at boarding.”

Each year millions of Americans are subjected to intrusive security policies that not only waste time but also cost them $7 billion per year.  It might make everyone feel a little safer, but in reality the programs will do little to protect us from a smart terrorist.  If security programs have such big gaps, I think we might as well eliminate them or spend more money to close those gaps.  Putting on a security show doesn't make us much safer, costs a lot of money, and is really inconvenient.  If the risks are high as we've been told, isn't this worth investing in?


Creative Facebook security feature

Kudos to Facebook for using some of the insane amounts of data they have stored about its users for a good purpose.  I tried logging in from India a few weeks ago and was prompted to identify Facebook "friends" shown in randomly tagged photos using a multiple choice list of names.  It was easy, fast, and virtually impossible for a bot or some random hacker to crack effectively.
