The Wrong Approach to Security

Posted on Saturday 28 October 2006

Wired.com has an interesting article on the controversy created by Christopher Soghoian, a security researcher, who had created a website application that allowed one to generate authentic looking, but completely bogus, Northwest Airline Boarding Passes. He created the application in hopes of getting Congress to take a real look at the security vulnerabilities of the aviation system.

Rep. Edward Markey, a Massachusetts Democrat on the House Homeland Security committee, is calling for the arrest of Soghoian. Unfortunately, Markey’s response is both short-sighted and shows his great ignorance of true security. The fake boarding pass document security loophole has been around for a long time. Security guru Bruce Schneier wrote about it as far back as 2003.

Schneier has often pointed out that security through obscurity is not a genuine solution, yet that seems to be what Markey would like to do. Except, in this case, it is far too late to do anything of the sort. Slate.com had an article about it in 2005, and Markey’s colleague, Sen. Chuck Schumer, a New York Democrat, mentioned the same security hole earlier this year.

Soghoian also points out that his application isn’t even necessary for faking boarding passes, as that can be done in any web browser. It could also be done after the fact using a scanner and any decent desktop publishing program. Any incongruities between the name, the bar code and flight numbers is very unlikely to be noticed, as there is no authentication of the boarding pass at the TSA security check points, where they are presented to allow a person access to the airport gate areas.

The TSA and the Department of Homeland Security seem to be incapable of addressing even well-known security issues in a timely manner. The fact that members on the House Homeland Security Committee have no basic understand of what true security is makes it far more likely that ineffective measures will continue to take place, leaving a the public with a very false sense of security.

What is truly laughable about the article is the statement from TSA spokesman Christopher White.

“Submitting fraudulent documents to airline security is illegal. But the site will not aid anyone in circumventing security, since a boarding pass offers entry into a TSA security checkpoint and TSA ensures that every person and their property is fully screened.”

There have been many articles, over the past several years, showing the TSA to be almost completely ineffective at detecting and stopping bombs and other dangerous items from making it through airline security. Their ban on “moisture” is another prime example of how ineffective their policies are. Another good example is their ban on lighters—if the TSA could truly prevent terrorists from getting onto the plane with explosive materials, the ban on lighters would be wholly unnecessary.

Like many bureaucrats, there is no real motivation for the Department of Homeland Security to address the real issues of security, as that would lead to a reduction in their political power and most likely a corresponding reduction in their budget. There is far too little motivation for any of them to take actual effective measures to truly ensure the security of the American people, especially since most of the politically appointed positions, high up in the DHS, have strong reasons to keep the American populace in a constant state of near-panic and fear, as this helps keep the politicians who appointed them in power.

2006 11 03 Update:  Wired.com has an article from Bruce Schneier regarding the fake boarding pass security problem.


No comments have been added to this post yet.

Leave a comment

(required)

(required)


Information for comment users
Line and paragraph breaks are implemented automatically. Your e-mail address is never displayed. Please consider what you're posting.

All comments are subject to review and approval
before being posted on this site.

Use the buttons below to customise your comment.


RSS feed for comments on this post | TrackBack URI