ummm GG.....if I were you I'd take a look over your shoulder and outside the window....those guys with the black suits and black sunglasses ......they are not trying out for MIBIII!

Great vid GG!!

woodsmoke

A few comments, if I may. (*)

* TSA talks the talk about "security layers" and "risk-based mitigations," but in reality their procedures reveal otherwise.
* Implementing compensating controls (3.4 oz. liquids, removing shoes) that react to previous threats have zero bearing on preparing for future threats.
* John Pistole has never been regarded by anyone who matters in the security industry as a clueful person.
* The psychology of security often trumps the science: Americans place more value in visible measures that feel secure than in invisible measures that actually are secure.

(*) Having spent most of my career in information security, I have a certain degree of confidence in my claims. For it matters very little whether you're protecting a computer from an attacker, an airplane from a terrorist, or a nation from its enemies -- the science and practice of protection is applicable across all disciplines.

Good points, Steve.

I've often wondered why it is that we don't adopt the Israeli security procedures. Not Invented Here?

A couple reasons. One is that we don't face the same risks they do. Another is that their process wouldn't scale up to the number of airports and daily flights in this country.

So, using their methods in, say, Kansas City, might work but not in Atlanta?

I would hazard that if the money that was spent or R & D and actual production of the machines and cutting the present TSA workforce in half, since they wouldn't be needed for the machines might get us to a ballpark of even with what we would spend on doing what the Isralies do.

Espcially since a lot of the smaller airports could use the "express pass" system almost completely for outgoing flights since most of the outgoing passengers would be easily verifiieable for the express pass.

Then the money could be concentrated in the larger hubs.

Just a ballpark and probably way off.

woodsmoke

Interesting comments, and worthy of further examination.

In the abstract, such an assertion might seem reasonable. But we must remember that adversaries become skilled at detecting patterns. So in one respect, introducing a measure of randomness into mitigation procedures is a good thing. The challenge here is that humans are essentially highly evolved pattern seeking machines. We don't like randomness. So the tendency will be to implement a procedure like this:
Procedures, by definition, cannot be random. Atlanta will immediately fall into the until loop because at any given time it's the busiest airport in the US. Kansas City will alternate between the while and until loops with a predictable pattern. Boise will always stay in the while loop. Both Atlanta and Kansas City run the risk of falling out of both loops and into the least secure default, and the times at which these occur are observable. Patterns become vulnerabilities, and vulnerabilities become methods of exploit.

The only way to defend against this is to continually introduce new forms of randomness. Such introduction must always exceed the rate of pattern recognition evolution. To do this right is a task that most people underestimate and are, frankly, not capable of fathoming.

Aviation security in most of the world is fundamentally broken because it concentrates too much on attempting to detect bad things, when in fact the real dangers are bad people. Mitigating bad people is largely an invisible exercise, requiring thorough, time-consuming, and boring investigation. Such activity is, in fact, what really stopped the London liquid bombers in 2006. British police work intervened and intercepted the planned attack; the attackers hadn't even bought tickets yet. Ideally, then, the problem should have been considered to be solved.

But no: J. Ordinary Passenger would resolutely refuse to believe the police have such capability. Instead, he demands that the world "do something!," the result of which is a hugely expensive industrial-security complex that focuses almost entirely on detecting bad things while downplaying the threats of bad people. Massive amounts of money changes hands, politicians who know how to exploit fear remain in office, the traveling public endures completely stupid and wholly ineffective privacy invasions, and America projects a "go-the-f**k-away" attitude to the rest of the world.

I suspect you have in mind the TSA's Registered Traveler experiment. This program has been discontinued and the private firms managing it have, for the most part, shuttered their businesses. Registered Traveler was broken from the moment of its inception, because it required a ridiculous trade-off: members paid a (not insignificant) fee to essentially be granted permission to cut in front of everyone else in line at the checkpoints. Members were not exempt from any security procedures, because they were not required to submit to any form of trust verification.

The overarching secret -- and it's a very dirty one, one that few people are prepared to consider rationally -- is that not every passenger boarding an airplane is an equal threat. Therefore, applying equal detection and mitigation techniques is essentially a waste of resources. Too many resources will be spent evaluating passenger types that aren't threats (i.e., trustworthy passengers), while too little resources will be spent evaluating passenger types that really are threats. Fundamentally, the only way to get this right is to re-balance the distribution of (necessarily scarce) detection and mitigation resources. TSA's Pre Check program, currently in pilot mode at certain airports, actually recognizes this basic tenet of security science.

you are so smart!

woodsmoke

Nice pseudo code! Copyright it, patent it, and then sue the TSA for IP violations!

Policies driven and controlled by Political Correctness are only a recipe for disaster. However, it's good to hear that the TSA is trying to focus its resources with a program like "Pre Check".

The disconcerting thing is that the TSA is no longer satisfied with preflight checks of airplane passengers. They are branching out onto the Interstate, bus stops, and now random highway stops anywhere they want. This effectively moves many Constitutional Rights off of the Endangered List and onto the Extinct List.

BTW, that was one of the best posts on the general concepts of security that I have ever read.

I'm not that evil

Thanks very much. I do enjoy thinking and writing about this stuff. It's important that America, and the world, start to think more critically about security, risks, and tradeoffs.