Bad Security 301: TSA   5 comments

Picking on the TSA is almost too easy, but this story made my jaw drop. From the article:

At San Diego International Airport, tests are run by passengers whom local TSA managers ask to carry a fake bomb, said screener Cris Soulia, an official in a screeners union. “It’s nobody we would ever expect,” Soulia said.

“That seems perfectly reasonable, Pat, what’s your problem with *that*???” someone may say. Read these stories and posts and you may get some idea. Imagine you’re a normal citizen, and a pair of official looking types come up to you and flash badges. Then they say, “We’re with the Transportation Security Administration, and we’re testing our screeners today. You’ve been chosen because you don’t look suspicious, we’ve had trouble with some screeners at some airports not adequately screening people with children. We’d like you to carry this fake bomb through the screening station, to see if they catch it. Can you assist us?”

Except you’re a normal citizen, you have no idea what a real TSA badge looks like, and you have no idea what a real bomb looks like. Guess what? You may have just volunteered to carry a real explosive through a security checkpoint! The best part about this from the terrorist point of view is that with a remote detonator, they can even remove the risk that you can identify them – if the screeners actually appear like they’re going to catch the bomb, they can detonate it from afar, blowing up their involuntary suicide bomber and causing a messy affair of minor terrorism to boot.

— edited to add —

More on this story over at Bruce’s blog.  Beat him to the punch for a change 🙂

Advertisements

Posted October 18, 2007 by padraic2112 in news, security

5 responses to “Bad Security 301: TSA

Subscribe to comments with RSS.

  1. Uh, don’t you think TSA staff can authenticate themselves more effectively than you have assumed here? E.g. please follow me to this area secured by a guard and an access controlled door…

  2. Yes, I think they probably can.

    However, that’s not the point… the TSA can probably do a good job of identifying itself, but that doesn’t mean that someone else can’t do a credible job of faking authentication as a TSA agent.

    For years now the principle in air travel is “don’t accept anything from anyone to carry on the plane” and “keep your luggage under your control from when you pack it until it gets on the plane.” Those are pretty reasonable defaults. Now they’re violating their own principle: “don’t accept anything from anyone to carry on the plane… unless it’s someone that says their from the TSA, that’s okay.”

    The problem isn’t that the TSA can’t identify itself credibly, it’s that the public can’t differentiate between a credible identification and a merely plausible one.

  3. padraic2112> However, that’s not the point… the TSA can probably do a good job of identifying itself, but that doesn’t mean that someone else can’t do a credible job of faking authentication as a TSA agent.

    Non sequitur. That risk already existed, is ever present, and is not influenced by what the TSA does in some particular testing program. The same is true for cops, security guards, locksmiths, anyone dealing in physical security.

    padraic2112> Those are pretty reasonable defaults. Now they’re violating their own principle: “don’t accept anything from anyone to carry on the plane… unless it’s someone that says their from the TSA, that’s okay.”

    If it is in fact someone from the TSA, I would say yes, that is okay. It’s simple and natural. What would you have them do? Who better to test the system than actual passengers, who already look legitimate in every way and are already passing through the airport and willing to help out at no additional charge? I think it’s an excellent idea.

    You’re assuming that because the authentication method is unstated, it must be weak, and that therefore the TSA must be undermining their own efforts. This assumption is unsubstantiated by the report. Yes, the TSA does some stupid crap, but that’s no reason to assume that *everything* they do is stupid.

    In addition, TSA may be testing passenger behavior at the same time.

  4. > That risk is already present

    True.

    > Is not influenced by what the TSA does in some particular testing program.

    I disagree. If the TSA is going to suggest to some class of citizen that they should violate the long standing policy “Don’t accept packages for your luggage” then that should be changed and publicized, “If you are selected to test TSA screening, here is what to expect.”

    > Who better to test the system than actual passengers, who already look legitimate in every way

    Do they still look legitimate after they’ve been told they’re part of a secret screening process? I would imagine that the average traveler would act somewhat different than they normally would if they thought they were part of a testing procedure.

    > help out at no additional charge?

    Point taken; it’s certainly cheaper than paying TSA testers.

    > In addition, TSA may be testing passenger behavior at the same time

    Intentionally or not, they are testing passenger behavior, I just think that what they ought to be learning here is, “What does it take to convince an otherwise normal passenger to carry an object through security?” Now *there* is a useful test…

  5. padraic2112> I disagree. If the TSA is going to suggest to some class of citizen that they should violate the long standing policy “Don’t accept packages for your luggage” then that should be changed and publicized, “If you are selected to test TSA screening, here is what to expect.”

    As for the selected class, no doubt they are informed when they are inducted.

    As for the rest of us, note that the TSA didn’t announce this. It was leaked, and the other commentary came from a screeners’ union official. Give them a few days; maybe they will announce something, but also bear in mind that only San Diego was identified, so this may be a simple pilot project.

    padraic2112> I would imagine that the average traveler would act somewhat different

    Agreed, but so would a “legitimate” terrorist, so the test remains a good simulation. And the TSA folks have the opportunity to vet the passengers before sending them through so they can cull out the nervous nellies. Also, the passenger is a much more innocuous mule than a trained TSA operative whom the screeners may well recognize, especially if you can afford to send through a few every day.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: