"Let's play 'airport security'," says Foreign Policy. It's like playing Doctor, only with latex gloves and inappropriate touching.
In an effort to help children understand and be comfortable and confident in the need and process of higher security protocols we've developed a new play and learning toy and resource web site to promote and educate security procedures.

It's not really clear who "we" refers to here. The operationcheckpoint.com site also refers to "SampleRewards.com." That sounds like the sort of pliable marketing channel that'll sell anything for a buck, so maybe it's not them who's really behind this thing. OperationCheckpoint has four different names on a single landing page (OperationCheckpoint, SampleRewards.com, Wizard Industries and Product Exposure Services). If only we had ID for the forces of evil. Maybe these guys could carry sample National ID cards, and kids' tattoo guns, too.
Previously, "From the mouths of toymakers:"
Cat Le-Huy is a friend of friends who has been "detained" entering Dubai. I put detained in quotes, because he's been thrown into prison, where he's now spent a few weeks.
He claims he was carrying melatonin, which is legal in Dubai, and the authorities have charged that there was .001 gram (1 milligram) of hashish, which is basically some specks of dust. The law firm representing him wants a £25,000 retainer.
It used to be that the United States, the United Kingdom (where Cat lives), and Germany had a certain moral high ground with regards to the arbitrary detention of their citizens. Unfortunately, the executives of our countries have tossed away that high ground with our own arbitrary detentions. In the US, we detain not only foreigners, but our own citizens.
So, what does this mean to you?
First, please donate to Cat's legal defense fund.
Second, don't go to Dubai. They're competing to be the next "Disneyland with the Death Penalty," and that should hurt their businesses and that should hurt their bizarre attempts to bring in tourists.
It might mean other things, but we'll leave that for future blog posts.
[Updated: fixed donation link.]
First exposed nearly a year ago, by DIY boarding pass mastermind Chris Soghoian, a TSA web site intended to help travelers improperly recorded on watch lists has been slammed by a House Oversight and Government Reform Committee report:
TSA awarded the website contract without competition. TSA gave a small, Virginia-based contractor called Desyne Web Services a no-bid contract to design and operate the redress website. According to an internal TSA investigation, the “Statement of Work” for the contract was “written such that Desyne Web was the only vendor that could meet program requirements.”

The TSA official in charge of the project was a former employee of the contractor. The TSA official who was the “Technical Lead” on the website project and acted as the point of contact with the contractor had an apparent conflict of interest. He was a former employee of Desyne Web Services and regularly socialized with Desyne’s owner.
TSA did not detect the website's security weaknesses for months. The redress website was launched on October 6, 2006, and was not taken down until after February 13, 2007, when an internet blogger exposed the security vulnerabilities. During this period, TSA Administrator Hawley testified before Congress that the agency had assured “the privacy of users and the security of the system” before its launch. Thousands of individuals used the insecure website, including at least 247 travelers who submitted large amounts of personal information through an insecure webpage.
TSA did not provide sufficient oversight of the website and the contractor. The internal TSA investigation found that there were problems with the “planning, development, and operation” of the website and that the program managers were “overly reliant on contractors for information technology expertise” and had failed to properly oversee the contractor, which as a result, “made TSA vulnerable to non-performance and poor quality work by the contractor.”
As for accountability,
Neither Desyne nor the Technical Lead on the traveler redress website has been sanctioned by TSA for their roles in the deployment of an insecure website. TSA continues to pay Desyne to host and maintain two major web-based information systems: TSA’s claims management system and a governmentwide traveler redress program. TSA has taken no steps to discipline the Technical Lead, who still holds a senior program management position at TSA.
If you are someone who suspects that what is billed as “aviation security” is often more show than substance, you are not alone. In fact, you are part of what Nixon aides used to call the “silent majority.” The security bureaucracy seems to think that as long as it is seen as doing something, and so long as another terror attack does not occur, the public will at least feel secure enough not to insist that it do whatever needs to be done actually to make us secure.

It's a bit more unusual when that someone is the former inspector general of the Department of Homeland Security. Go read what Ervin has to say in "Screening Dreams."
If you travel a lot, you're used to dealing with many network difficulties. For a while now, I've been traveling with an Airport Express, which has made life a lot easier. I set it up to use DHCP, plug it into the hotel Ethernet, and go. At the very least, it means I can work from the bed, rather than from a desk that is inevitably at the wrong height.
Even more so, I now travel with at least three devices that have WiFi -- my laptop, my phone, and my iPod. I travel about half the time with my SO, who also has a laptop and an iPod with a network. I said "at least" because I also have a Nokia slate, which is a specialized device (I lug it along when I don't want to lug a laptop, for example).
Also, for some reason the better the hotel you stay in, the more they charge you for Internet access. Sleep in a cheap hotel, and the network is free. Stay in an expensive one, and they charge you $10 to $15 a night. Stay in the UK, and you can face £18 a day for your net.
This is changing. Ramada and Radisson, are doing a lot of free Internet. Fairmont gives free Internet to their President's Club members (no better reason to join, for me). However, this still means that you have to figure out how to share your one obscenely expensive net connection with the coalition of devices in your room.
However, another way that this is changing is that there's more and more wireless going into hotel rooms, and less wired. For us, wired is good, because you just plug a basestation into the net and you go. But with wireless, you need a basestation that listens on a wireless connection while re-broadcasting another.
For quite some time, I've been complaining that the appropriate router doesn't exist. A few weeks ago, however, a friend told me about the D-Link DWL-G730AP, which purports to do what I want. I also found on my own research the Linksys WTR54-GS. They appear on the surface to be mostly equivalent. The Linksys comes in a compact package that has an AC plug bundled into the unit. The D-Link has a separate transformer, but can also be powered from USB.

I ended up getting the Linksys. The deciding factor was that both units have manuals on the web, and the D-Link manual is a high-level installation guide that describes several possible configurations, but the one I want is missing. The Linksys has a detailed manual that tells how to set it up from its internal web server, do MAC address spoofing, port mapping and redirection, and so on. A manual that told how to set up what I want was the clincher. I bought it right before a trip to the UK, and wanted to avoid buying wireless access.

There are a couple of annoying things about the Linksys. It cannot be a client onto a secured network, which meant that I didn't set it up before I left. I would have had to take time I didn't have to pull the "security" off of my G network to experiment. (It's just WEP, hence the quotes around "security." I consider it a no-trespassing sign.) Once in a hotel, I have not yet figured out how to put a password on the network it broadcasts. Each of my attempts resulted in having to hard-reset the device. It has a nice, convenient hard-reset button. On the other hand, I've been busy and in various stages of sleep-deprived brain damage, so I don't know that it's their fault that I haven't figured it out. I settled for hiding the SSID. I don't actually care if someone mooches on my hotel wireless, if they leave enough bandwidth for me.

If the D-Link will work as a wireless-to-wireless router, it has an advantage over the Linksys in being USB-powered. That means you can easily plug it in to your laptop while using paid wireless, and rebroadcast for your phone or iPod or SO. I just don't know that you can. If someone has a definitive answer, place a comment below. If you're from D-Link and reading this, make a note that you lost a sale solely because your manual confused me.
There's a story in USA Today, "Most fake bombs missed by screeners." It describes how screeners at LAX find only 25% of bombs, at ORD, they find 40%, and at SFO, 80%:
At Chicago O'Hare International Airport, screeners missed about 60% of hidden bomb materials that were packed in everyday carry-ons — including toiletry kits, briefcases and CD players. San Francisco International Airport screeners, who work for a private company instead of the TSA, missed about 20% of the bombs, the report shows. The TSA ran about 70 tests at Los Angeles, 75 at Chicago and 145 at San Francisco.

I could go on at length about how bad air travel has gotten, and how security theatre is crushing the travel and tourism industries in the US. Rather I'd like to focus on the emergent chaos aspects of this story: the reality that even TSA bureaucracy can't impose standards on airports, and why that would be a good thing, if they could accept it.
Before I do, I want to comment that missing 75% of the bombs is probably ok. There are very few airliners bombed in the US. I think it's less than 10 in history. So the issue is not really false negatives, where the screener misses a real fake bomb, but false positives, where the screener shuts down either someone's day or the airport. Given that every single bomb smuggled past security last year at US airports was fake, they are far more likely than real bombs.
Now, there's an opportunity for dramatic improvement in the way we run airport security. "Just run them all like they run SFO!" Orin Kerr makes this point, "I would think the real story is the dramatic gap between the performance of TSA employees and private sector employees."
More importantly, what comes out of this study for me is the emergent chaos of running a large mission like airport security, and the value of that variation for learning.
If all airports were run exactly the same, we'd have missed this opportunity for learning.
So ask yourself, what do I standardize on too much? Where is there too much structure, inhibiting learning? How can we harness chaos, and what emerges? (I talk in more detail about a very similar point in the latest post in my threat modeling series on the SDL blog, "Making Threat Modeling Work Better.")
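The point above about false negatives versus false positives is a base-rate argument, and it is easier to see with the arithmetic carried through. The following is an added example, not code from the original post. The only figures taken from the page are the three detection rates (LAX 25%, ORD 40%, SFO 80%); the false-alarm rate, the passenger volume and the number of real bombs are assumed inputs, chosen to make the comparison legible, not measured values.

```python
"""Base-rate arithmetic for checkpoint screening (added example).

Detection rates come from the USA Today figures quoted above. The
false-alarm rate, passenger count and real-bomb count are ASSUMPTIONS
used only to illustrate how the numbers combine.
"""

from dataclasses import dataclass

# Detection rates reported for the three airports (fraction of test bombs found).
DETECTION_RATES = {"LAX": 0.25, "ORD": 0.40, "SFO": 0.80}


@dataclass(frozen=True)
class ScreeningOutcome:
    detection_rate: float
    true_alarms: float   # real bombs that were caught
    false_alarms: float  # innocent bags flagged
    missed: float        # real bombs that got through

    @property
    def precision(self) -> float:
        """Fraction of alarms that are real: TP / (TP + FP)."""
        total = self.true_alarms + self.false_alarms
        return self.true_alarms / total if total else 0.0

    @property
    def false_alarms_per_catch(self) -> float:
        """How many innocent bags get flagged for each real bomb caught."""
        return self.false_alarms / self.true_alarms if self.true_alarms else float("inf")


def screening_outcome(detection_rate: float, false_alarm_rate: float,
                      passengers: int, real_bombs: int) -> ScreeningOutcome:
    """Expected alarms over `passengers` screenings.

    detection_rate   P(alarm | bomb present)
    false_alarm_rate P(alarm | no bomb)     -- ASSUMED, not on the page
    """
    for name, rate in (("detection_rate", detection_rate),
                       ("false_alarm_rate", false_alarm_rate)):
        if not 0.0 <= rate <= 1.0:
            raise ValueError(f"{name} must be a probability, got {rate}")
    if real_bombs < 0 or real_bombs > passengers:
        raise ValueError("real_bombs must be between 0 and passengers")

    true_alarms = detection_rate * real_bombs
    missed = real_bombs - true_alarms
    false_alarms = false_alarm_rate * (passengers - real_bombs)
    return ScreeningOutcome(detection_rate, true_alarms, false_alarms, missed)


def compare_airports(false_alarm_rate: float, passengers: int, real_bombs: int,
                     rates: dict[str, float] = DETECTION_RATES) -> dict[str, ScreeningOutcome]:
    """Run the same assumed inputs through each airport's detection rate."""
    return {name: screening_outcome(rate, false_alarm_rate, passengers, real_bombs)
            for name, rate in rates.items()}


if __name__ == "__main__":
    # Assumed inputs: one real bomb among a million bags, 0.1% false-alarm rate.
    results = compare_airports(false_alarm_rate=0.001, passengers=1_000_001, real_bombs=1)
    for airport, out in results.items():
        print(f"{airport}: caught {out.true_alarms:.2f}, missed {out.missed:.2f}, "
              f"false alarms {out.false_alarms:,.0f}, "
              f"precision {out.precision:.2e}, "
              f"{out.false_alarms_per_catch:,.0f} innocent bags per real catch")
```

With these assumptions the false-alarm column is the same thousand-odd bags at every airport; tripling the detection rate from LAX's to SFO's changes the expected catch from a quarter of a bomb to four fifths of one, which is why the screener's real cost is measured in disrupted passengers rather than in missed test bombs.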
Photo: Frisk, by Tim Whyers. (Machine by Tim Hunkin, we've mentioned it previously.)

"We are committed to testing technologies that improve security while protecting passenger privacy," said TSA administrator Kip Hawley in a statement. "Privacy is ensured through the anonymity of the image: It will never be stored, transmitted, or printed, and it will be deleted immediately once viewed." (Emphasis added)

Hey Kip, precisely how do images go to a remote location to be viewed without being transmitted?

Ensuring privacy, as the TSA describes it, involves having security officers view images from remote locations. Thus, the security officer cannot identify the passenger, visually or by some other means, but can send word to fellow officers if a threat is detected.
Call Congress and ask why TSA is allowed to outright lie to people.
There's other good analysis of the proposal in the Information Week article. I simply wanted to comment on the obvious inconsistency in what TSA is claiming.
Good commentary and context at Threat Level, "Howto: Check Your Homeland Security Travel File."
I wrote this post sitting on a plane to Montreal. There were all sorts of announcements about how you had to be on international flights thirty minutes before takeoff, to make Congress happy:
Congress mandated that DHS’ Customs and Border Protection (CBP) establish a requirement to receive advance information on international passengers traveling by air prior to their departure, as part of the 2004 Intelligence Reform and Terrorism Prevention Act (IRTPA)... The final APIS predeparture regulation will require air carriers to transmit manifests 30 minutes prior to departure of the aircraft or provide manifest information on passengers as each passenger checks in for the flight, up to the time when aircraft doors are secured. ("DHS Announces Predeparture Screening of International Passengers and First Step Toward Secure Flight")

I couldn't help but ask what this costs. It's 30 minutes per person flying to or from the US. According to the US Department of Transportation "US International Air Passenger and Freight Statistics," there were 154 million international air passengers in 2006. That's 154 million people with at least half an hour wasted. That's 77 million hours, or 3.2 million days: about 8,800 years. At minimum wage ($5.85) that's 450 million bucks in wasted time. I don't think minimum wage is really the right number to use. Most international flyers are probably at least of average income. Wikipedia claims ("Personal income in the United States") that's just under $40,000 per person who's employed full time. That's $20 an hour, and at that rate, this policy costs the public $1.5 billion a year.
For that kind of money, maybe TSA could buy faster computers?
With all that time wasted, no wonder Congress is worried about how people behave in airport bathrooms.
First aside: The minimum wage is $5.85. Wow. It's set to rise to $7.25 in July 2009. Before taxes, that's $234 a week, or slightly more than two weeks' income for the ticket I'm on right now. I had to stop and remember how lucky I am to be in a high-demand industry.
Second aside: all of this ignores that the US is a wealthy country, and some fraction of travelers come from poorer places, where some people live on as little as a dollar or two per day. I think it's reasonable to assume that the average person traveling by air internationally has enough money to do so.
Photo: Aereoporti: bambini in coda by andrea.lagala.
The Beeb reports, "Goats sacrificed to fix Nepal jet," in which we learn that two goats were slaughtered in sacrifice to the Hindu god of sky protection, Akash Bhairab, in front of a Boeing 757. Airline official Raju KC said to Reuters, "The snag in the plane has now been fixed and the aircraft has resumed its flights." Local media have blamed an electrical fault, which actually makes sense if you know anything about goats. American Airlines has not responded to inquiries about whether they will be trying this at DFW.
The Consumerist reports, "Southwest Airlines Thinks Your Outfit Is Inappropriate," in which a 23-year-old Hooters waitress was asked to leave the plane for wearing the outfit shown in the photo here. She had been in Tucson, where the temperature was 106 degrees, so perhaps wearing a sweater got their goat.
Riffing on Adam's last post, it has been amusing to watch the whole problem with Senator Craig. However, as I've chomped my popcorn, there's been one thing I keep thinking: what if the guy's telling the truth?
What if he was stupidly caught for not doing much of anything, and then stupidly pleaded guilty in the naïve hope it would go away?
Yes, I know that some gay activists have said that it's been an "open secret" that he's gay. Many people believe that if someone is rabidly anti-gay, then it's likely that there's something fueling that rabidity. They think that the rabid person's Kinsey Scale Rating might be a positive number. I am one of those many people. But rumors that amount to, "oh, I bet he's closeted" about someone who is anti-gay contain no information. That sort of latent hypocrisy is now cliché.
I also realize that when they arrested Ted Kaczynski I thought, "Hey, what if they found the other lone wacko in Montana who hates the modern world and likes blowing things up?" My track record on my own doubt-spirals is bad enough that I have to make baseball metaphors to defend it. Batting .250 is good! Really!
Nonetheless, what if the Senator is telling the truth?
I am suspicious of a policeman who is sent in to investigate lewd behavior and finds it in a non-obvious form. Not because I think he's got ill intent of his own, but because of selection bias. I believe he's a guy just doing an icky job -- cleaning out the restrooms. He's there to find lewd behavior and from that lens, he found it, and it even pleaded. And yet I hear Tom Lehrer singing in my head:
...filth (I'm glad to say) is in
The mind of the beholder
When correctly viewed
Everything is lewd.
I could tell you things about Peter Pan
And the Wizard of Oz, there's a dirty old man
Or Batman and Robin, for Pete's sake.
I will also admit that being the contrarian that I am, watching the Republican leadership scattering from gay-cooties like roaches from the kitchen light also makes me ask if the guy was caught for foot-tapping in a public place. If he were a bearded, swarthy young man who was nabbed for terrorist-lite behavior and stupidly plead guilty to a lesser crime and yet denied doing anything, we'd have eyebrows up, so why not this?
In The Daily Kos, kharma brings up the same issue by telling an old joke. It is important enough that you read it that I will reprint it here and not merely link to it:
Two weeks ago, the kids and I went on a trip to visit friends in San Antonio, Texas. On the way we stopped at a rest area just off the interstate. What happened next made me very uneasy...
I was drinking coffee heavily so that I would stay awake and needed to relieve myself pretty badly. I pulled into a rest area, locked the car doors, left the kids sleeping in the car, and went into the restroom. When I entered I noticed it was unoccupied except for a pair of sneakers visible under the second stall.
As I unzipped at one of the urinals and began to relieve my burning bladder I heard a voice say "Hey, what's up?". I looked around and there was no one else in the restroom. After a moment's hesitation, I answered "Not much".
A little time went by and he says, "What ya doing?".
I didn't feel very comfortable talking to someone in a stall but I didn't want to be rude and answered, "Uh...we are heading to San Antonio to visit friends."
"Want to come over?", he says.
At this point I am really uncomfortable and I finish up and scoot over to the sink to wash up. "No I don't think so.", I replied. Wow, was this something else. I had never even had someone next to me with a wide stance before and now I've got someone in the stall asking me over!
As I reached for the paper towels to dry my hands I hear, "Hey man, can I call you back? There's some asshole in the bathroom answering every thing I say."
So I ask again: what if the guy's telling the truth?

This is a new twist on an old trick. SFGate reports in "'I didn't eat and I didn't sleep' -- Coin dealer flies dime worth $1.9 million to NYC" that coin dealer John Feigenbaum transported a $1.9M rare coin (an 1894-S dime) from its previous owner, Daniel Rosenthal, who lives in the Bay Area, to its new, unidentified owner in New York, by hand-carrying it.
Feigenbaum dressed in a T-shirt, "grubby" jeans, and flip-flops and flew on the red eye from San Jose to Newark, carrying it himself with little fanfare.
There was an unexpected problem, however:
Feigenbaum had purchased a coach ticket, to avoid suspicion, but found himself upgraded to first class. That was a worry, because people in flip-flops, T-shirts and grubby jeans do not regularly ride in first class. But it would have been more suspicious to decline a free upgrade. So Feigenbaum forced himself to sit in first class, where he found himself to be the only passenger in flip-flops.
He shouldn't have worried too much, actually. Scruffy people often do fly first class, trust me. They're the ones who travel too much, so they want to be comfy. Read the whole article, it's amusing.
I am reminded of another occasion when a similar trick was used, although for a diamond.
Photo courtesy of Tiffibunny.

The New York Times reports, "U.S. Will Allow Most Types of Lighters on Planes"
Three cheers for them learning! I can only hope that the stupid liquids ban will fall next. We know that we've trained people to be efficient at finding water bottles over finding bombs, even when they're in the same bag.

Federal aviation authorities have decided to stop enforcing a two-year-old rule against taking cigarette lighters on airplanes, concluding that it was a waste of time to search for them before passengers boarded.
The ban was imposed at the insistence of Congress after a passenger, Richard Reid, tried to ignite a bomb in his shoe in 2001 on a flight from Paris to Miami.
Lawmakers said that if Mr. Reid had used a lighter, instead of matches, he might have been able to ignite the bomb, but Kip Hawley, assistant secretary for the Transportation Security Administration, said in an interview on Thursday that the ban had done little to improve aviation security because small batteries could be used to set off a bomb.
Matches have never been prohibited on flights.
“Taking lighters away is security theater,” Mr. Hawley said. “It trivializes the security process.”
The policy change, which is to go into effect on Aug. 4, applies to disposable butane lighters, like Bics, and refillable lighters, like Zippos. Torch lighters, which have thin, hotter flames, will continue to be banned.
Security officers have been collecting some 22,000 lighters a day nationwide, slowing down lines at check points. Even so, many smokers had found ways to sneak lighters through checkpoints, often by placing more than one in a carry-on bag. Disposing of the seized lighters has cost about $4 million a year.
By lifting the ban, Mr. Hawley said, security officers could spend more time looking for bombs or bomb parts. “The No. 1 threat for us is someone trying to bring bomb components through the security check point,” he said. “We don’t want anything that distracts concentration from searching for that.”

Director Mike Figgis flew into LAX airport and was detained for five hours because he oopsed. He said, "I'm here to shoot a pilot."
On the one hand, yes indeed, on the list of things you shouldn't say while in Immigration, "I'm here to shoot a pilot" is right up there with being careful how you greet your friend John.
But on the other hand, is the US government really so full of beady-eyed mouth-breathers with brains the size of cashews that it takes five hours to clear this up? And in Los Angeles, of all places? Dear God, click on the link above. It's a Google search for "Mike Figgis." All ten links on the first page point to the director, celebrity, and film maker Mike Figgis. Link #1 (IMDB), link #3 (filmbug.com), and link #5 (mooviees.com) all have pictures of him.
Admittedly, IMDB says he was born in Cumbria, England, and hollywood.com (link #4) says he was "Kenyan-born." Hmmm. Highly suspicious. But filmbug says,
Born in Carlisle, England, Figgis moved to Nairobi, Kenya as a baby. He lived there until his family relocated to Newcastle in the north of England when he was eight.
And that seems to clear it up a bit. Mooviees tells us: Born: Saturday, February 28, 1948 (Carlisle, Cumbria, England, UK), and that seems to let us know that Carlisle is in Cumbria, and hey, there's a date that might be on his passport! Wikipedia (link #2) agrees with that date, but says, "Cumberland" instead of "Cumbria" and unless you've taken Latin, that might look suspicious as well.
So what happened? Did the dates not match properly? Did he cut the curls and go all Bruce Willis? Surely there must be some reasonable explanation. Maybe they really hated Leaving Las Vegas. Or perhaps it was that Sopranos episode. Maybe he called the Immigration agent "Sugartits."
Tip of the hat to 27 B Stroke 6. Original article from The Guardian. Photo of the perp along with Saffron Burrows shamelessly stolen from IMDB, whom I would have linked to if they'd made it easy.
Update on 31 May 2007: This story is apparently too good to be true. Boing Boing got told by people in the know that it's not true.

Woo hoo! I feel so much safer! The TSA reports, "Transportation Security Officers SPOT Passenger in Fake Military Uniform at Florida Airport." Picture at right is my foofification of the picture on the TSA site.
Our brave protectors write:
A TSA behavior detection team at a Florida airport helped catch a passenger allegedly impersonating a member of the military on May 10 as he went through the security checkpoint.

The passenger, who was en route to New York's John F. Kennedy International Airport, exhibited suspicious behavior that caught the attention of officers. In addition, he was in a military uniform but had long hair, which is not consistent with military regulations, and had conflicting rank insignias on the uniform.
When officers asked for his military identification, the passenger said he had none. He was then questioned about the irregularities of his uniform. The passenger first claimed that the uniform was his brother's, and later, that it was his nephew's.
TSA contacted law enforcement partners at the airport who interviewed the passenger. The passenger was arrested on a state charge of impersonating a U.S. soldier.
Behavior detection officers are trained to focus on behavior and not physical characteristics as part of TSA's Screening of Passengers by Observation Techniques (SPOT) program.
I have questions:
Based solely on the information above, it does not appear that he actually impersonated a soldier. It appears that he was walking around with irregular bits of regalia, and someone called him on it, and he got nervous. Many people get nervous when confronted with authorities like police or TSA, and actually, the better a person you are, the more likely it is that you'll say "brother" when you meant "brother's kid."
I got this courtesy of Bruce, who advocates procedures like "SPOT" which look for "hinky" behavior.
I agree with Bruce, that it's better to look for hinky than rip apart every laptop bag, but the TSA needs to look at this as a failure, even if this guy was actually guilty of a crime worthy of punishment stronger than an afternoon with Carson Kressley. This ain't what we're paying you for.
Let me finish with an anecdote. Like many people in this industry, I have clothing with NSA logos on it, or embroidery that says, "National Security Agency." The NSA sells them in the gift shop of the National Cryptologic Museum as part of their widows-and-orphans fund.
A few Defcons ago, I was wearing such a shirt as I checked out of my hotel. The doorman pointed at the logo as he was getting me a cab and asked, "Do you work for them?"
I met his gaze, smiled and replied, "If I did, I wouldn't be able to answer that question, would I?"
I locked my eyes to his as he went compute-bound for a good three seconds, which is a long time when someone's not flinching. He finally nodded sharply, said, "Right," and pulled my cab over.
Here are some essay questions: