Emergent Chaos

In the eight months that I was the head of security under the Andolino administration, the commissioner of the busiest airport of the world, depending on who’s taking the survey, the busiest airport in the world, never once had a meeting with the head of security for the busiest airport in the world. Never once.

Mayor Richard Daley, who appointed the former security boss, says the man is just “disgruntled.”

Daley’s comment is a fascinating confirmation. Maurer, the head of security, ought to be disgruntled if he was completely blocked from getting anything done.

And good for him for speaking out.

Audio at WBEZ and comments (quoted) from Consumerist.

In related news, “TSA told airport to issue badge to convicted robber.”

• Ed Hasbrouck on “Lessons from the case of the man who set his underpants on fire”
• A Canadian woman who’s been through the new process is too scared to fly. “Woman, 85, ‘terrified’ after airport search.” Peter Arnett reported
  

  “‘It became necessary to destroy the town to save it,’ a TSA major said today. He was talking about the decision by allied commanders to shock and awe the public regardless of civilian casualties, to rout al Qaeda.”

• Ethan Ackerman on risks of ionizing radiation, via Froomkin, but also see Technology Review, “How Terahertz Waves Tear Apart DNA.”
• TSA has been telling us that the machines “can’t” record you naked, while ordering machines that can. See EPIC Posts TSA Documents on Body Scanners. TSA responded, and Ed Hasbrouck responds TSA lies again.
• The EU is objecting to new US rules, and the Pirate Party of Berlin is protesting them.
• If you want to see why they’re protesting, watch this not safe for work video, “Body scanner, with detailed genitalia reporting”
• There’s a well worth reading article by Paul Campos in the Wall St. Journal, “Undressing the Terror Threat:”
  

  I’m not much of a basketball player. Middle-age, with a shaky set shot and a bad knee, I can’t hold my own in a YMCA pickup game, let alone against more organized competition. But I could definitely beat LeBron James in a game of one-on-one. The game just needs to feature two special rules: It lasts until I score, and when I score, I win.

  We might have to play for a few days, and Mr. James’s point total could well be creeping toward five figures before the contest ended, but eventually the gritty gutty competitor with a lunch-bucket work ethic (me) would subject the world’s greatest basketball player to a humiliating defeat.

  The world’s greatest nation seems bent on subjecting itself to a similarly humiliating defeat, by playing a game that could be called Terrorball. The first two rules of Terrorball are:

  1. The game lasts as long as there are terrorists who want to harm Americans; and
  2. If terrorists should manage to kill or injure or seriously frighten any of us, they win.

As I simmer with anger over how TSA is subpoening bloggers, it occurs to me that the state of airline security is very similar to that of information security in some important ways:

• Failures are rare
• Partial failures are generally secret
• Actual failures are analyzed in secret
• Procedures are secret
• Procedures seem bizarre and arbitrary
• External analysis seems to show that the procedures are fundamentally flawed
• Those charged with doing the work appear to develop a bunker mentality

In this situation, anyone can offer up their opinions, and most of us do.

It’s hard to figure out which analysis are better than others, because the data about partial failures is harder to get than opinions. And so most opinions are created and appear equal. Recommendations in airline security are all ‘best practices’ which are hard to evaluate.

Now, as Peter Swire has pointed out, the disclosure debate pivots on if an attacker needs to expose themselves in order to test a hypothesis. If the attacker needs to show up and risk arrest or being shot to understand if a device will make it through a magnometer, that’s very different than if an attacker needs to send packets over the internet.

I believe much of this swivels on the fact that most of the security layers have been innocently exposed in many ways. The outline of how the intelligence agencies and their databases work is public. The identity checking is similarly public. It’s easy to discover at home or at the airport that you’re on a list. The primary and secondary physical screening layers are well and publicly described. The limits of tertiary screening are easily discovered, as an unlucky friend discovered when he threw a nazi salute at a particularly nosy screener in Amsterdam’s Schiphol airport. And then some of it comes out when government agencies accidentally expose it. All of this boils down to partial and unstructured disclosure in three ways:

1. Laws or public inquiries require it
2. The public is exposed to it or can “innocently” test it
3. Accidents

In light of all of this, the job of a terrorist mastermind is straightforward: figure out a plan that bypasses the known defenses, then find someone to carry it out. Defending the confidentiality of approaches is hard. Randomization is an effort to change attacker’s risk profiles.

But here’s the thing: between appropriate and important legal controls and that the public goes through the system, there are large parts of it which cannot be kept secret for any length of time. We need to acknowledge that and design for it.

So here’s my simple proposal:

1. Publish as much of the process as can be published, in accordance with the intent of Executive Order on Classified National Security Information:
   

   “Agency heads shall complete on a periodic basis a comprehensive review of the agency’s classification guidance, particularly classification guides, to ensure the guidance reflects current circumstances and to identify classified information that no longer requires protection and can be declassified,”

   That order lays out a new balance between openness and national security, including terrorism. TSA’s current approach does not meet that new balance.

2. Publish information about failed attempts and the costs of the system
3. Stop harassing and intimidating those like Chris Soghoian, Steven Frischling or Christopher Elliott who discuss details of the system.
4. Encourage and engage in a fuller debate with facts, rather than speculation.

There you have it. We will get better security through a broad set of approaches being brought to the problems. We will get easier travel because we will understand what we’re being asked to do and why. Everyone understand we need some level of security for air travel. Without an acrimonious, ill-informed firestorm, we’ll get more security with less pain and distraction.

• Air Canada is canceling US flights because of security. (Thanks, @nselby!)
• The New York Times reports that “Britain Rejected Visa Renewal for Suspect.” NPR reported that the State Department may have raised some sort of flag, but I don’t have a link.
• ABC is reporting that two of the “al Qaeda Leaders Behind Northwest Flight 253 Terror Plot Were Released by U.S..”
• Spencer Acerkman talks about “al-Qaeda’s Desperate Bid For Relevance, The Failed Plane Attack & Afghanistan:” “First, al-Qaeda’s signatures are redundance and simultaneity. Think 9/11, Madrid, London: all used multiple operatives focused on multiple targets, acting in unison. That’s to ensure something blows up if and when something goes wrong.” (Hmmm, also think US Cole, but the article is worth reading.) Thanks to Jim Harper, who also mentions that-
• On January 13th, CATO will be holding a forum on “The Obama Administration’s Counterterrorism Policy at One Year.”

And for the prurient interest, the underwear, apparently still containing the explosives. It looks like they were cut off with scissors, implying that he was wearing them at the time. I wonder how much explosive energy a human thigh absorbs?

In conversation, a friend mentioned that the media whirlwind overwhelms the right response, which is to go on with our lives. Which is what I shall now do. Look! A burning goat!

Since there’s been so much discussion about the Chrismas Bomber, I want to avoid going over the same ground everyone else is. So as much as I can, I’m going to try to stick to lightly-treaded ground.

This is a failure for the terrorists. A big one. Think about it; put yourself on the other side of the chessboard and read this movie-plot description. Yemeni Al Qaeda has a newly-radicalized, rich engineering student who wants to strike a blow against the evilness of George Clooney and Vera Farmiga. Despite being ratted out by his father, the student gets a visa, likely because he’s “wealthy, quiet, unassuming.” Using the very clever tactic of getting on a plane in Africa and transferring onto an American flight, he has one of the most powerful high explosives known sewn into his pants. Before landing in MoTown, he — fails to detonate it. Think about that again. An engineering student from one of the best universities in the world fails to set off a bomb in his lap. Worse, he ended up with a fire in his pants, leading to many humiliating jokes.

Fail, fail, fail. Epic fail. Face-palm-worthy epic fail. Worse, the US is sending counter-terrorism folks to Yemen to help find the people who planned this epic failure. For them, this is just bad, and about as bad as it gets. Supposedly, recruit these guys with promises of a half-gross of virgins, not with burning their nuts off. Ridicule is one of the most powerful forces there is, and this is deserved.

On top of this, now that the would-be bomber has been captured, he is singing like the proverbial canary. So that means that the planners really should be looking for new places to stay, because even their allies will want to purge losers from their ranks, or at least not take the fall for them.

Yet, all is not lost for the forces of terrorism. The world’s security services have panicked and instituted to security procedures that will actually make it easier for the next person by setting up rules that everyone’s supposed to stay in their seats in the last hour of flight. But that’s pretty slim pickings for them. It’s not even as good as the one-last-shocker in the traditional horror film.

Defense-in-Depth Works. The major problem in fighting terrorism is that the fraction of figure to ground is between six and nine orders of magnitude. If you look at it as a signal processing issue, that’s -60 to -90 decibels of signal in noise.

Any detection system has to deal with false positives and false negatives. In the counter-terrorism biz, that means you have to deal with the inevitability that for every terrorist, you’ll be stopping tens if not hundreds of thousands of innocents. And remember as well, the times that the terrorist is not actually on a terror mission, they’re innocents.

So yeah, the guy was on a watch list. So are a million other people. (And yes, this is a reason why we need to trim the watch list, but that’s a different issue and has a different set of problems.) (And yes, yes, those million other people are only the US citizens on the list.) This still leaves the problem of what they’re supposed to do when some rich guy complains that his son has fallen in with the wrong crowd.

Here are some hard questions: Do we search every kid who pissed off a relative? Do we search everyone who ever went to Yemen? Damascus? How about people who change planes? Travel in carry-on? Have funny underwear?

The answer is that we can’t do that, and even if we do, we merely teach the bad guys how to adapt. The point of defense-in-depth is that you stack a series of defenses, each of which is only a partial solution and the constellation of them works, not any given one. Airport screening worked some — he didn’t get in a good detonator. Passenger resistance worked some — once there was a firecracker-like explosion and a fire, they saved the plane. Defense-in-depth in toto worked.

This is not the reason to disband DHS. This is not the reason to sack Napolitano. Note that I did not say that DHS shouldn’t be disbanded. Nor did I say that Napolitano shouldn’t be sacked, merely that if you’re looking for a reason, this isn’t it.

If we look at what happened and think about what we could do better, DHS isn’t involved. The visa issue is the one to examine and DHS doesn’t give out visas, State does.

My criticism of DHS is that they flinched. They’ve put up these brain-dead stupid policies that are going to annoy travelers and are as likely to make us less safe, not more safe. They should have said that the system worked and there will be no changes so have a happy new year and stay calm.

I am willing to cut them a bit of slack, but if they don’t change their tune to “Keep Calm and Carry On,” then there will be a reason to start demanding heads. Sending people to Yemen was the right response. No headphones on the plane is the wrong one.

If DHS and TSA want to give people reason to call for firings and disbandings, they should keep doing what they’re doing now, not then.

Life is Risk. Keep calm and carry on is good advice for the rest of us, too. The vast majority of us are more likely to be struck by lightning while being eaten by a shark than we are to be a victim of a terrorist. Nonetheless, there are bad, crazy people out there. Sooner or later, no matter what we do, somethings’s going to happen. A plane will go down, a ship will have a bomb on it, a train will be attacked, or something will happen.

The actual risk of terrorism is so low that most adaptations are worse than the threat. More people died in traffic accidents as a result of shunning airplanes after 9/11 than in the actual attacks. After those attacks, the best terrorist second punch would have been a simple suicide bomber in the airport security lines.

When we wring our hands because we think that risk should be zero, we’re part of the problem, too. Schneier is right: we need more investigation and counter-terrorism and less security. Kudos to CNN and Maddow for airing a bit of reason.

So we should all thank our lucky stars that PETN isn’t as easy to detonate as we’re told. We should thank the same stars for passenger resistance. And we should breathe a sigh of relief for an incident that was botched so badly it’ll make others think twice or three times or more. And while you’re at it, don’t play with sharks in a thunderstorm.

• The Economist “The latest on Northwest flight 253:” “the people who run America’s airport security apparatus appear to have gone insane” and “This is the absolute worst sort of security theatre: inconvenient, absurd, and, crucially, ineffective.”
• Business Travel Coalition, via Dave Farber and Esther Dyson, “Aviation Security After Detroit:” “It is welcome news that President Obama has ordered an airline industry security review so long as it is strategic in nature.”
• Stuart Baker, “Six Uncomfortable Answers” which seems to boil down to “identity-based security has failed, let’s not address the good reasons why, and build more of it.” Usually Stewart has been more insightful than this. But then he writes “I asked several questions about how good the screening was in Nigeria and at Schiphol. I now think that it barely matters how good a job those screeners did. Without a reason to treat Abdulmutallab differently from other passengers, the current level of screening wasn’t likely to find the explosives.” Actually, as he points out, no acceptable level of screening is likely to find the explosives.
• The New York Times points out that “Questions Arise on Why Terror Suspect Was Not Stopped :” “That meant no flags were raised when he used cash to buy a ticket to the United States and boarded a plane, checking no bags.” It used to be that that got you extra screening. Why did we stop?
• Gawker, “The Shady Mainstream Media Payday of Flight 253 Hero Jasper Schuringa”
• I lost the link, but someone else pointed out that the new, alleged TSA rules would have made it a crime to get up and stop Abdulmutallab when he tried to set off his bomb.
• This comment on the Flyertalk thread raises the interesting question: are terrorists planning to fail, expecting over-reaction by governments? Provocation would not be a new page in terror playbooks.
• Alleged text of SD 1544-09-06
• Every international traveller to the US is being asked to spend an extra hour on these measures. Cormac Herley’s “So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users” is absolutely irrelevant, unless travel to the US falls. Again. Which, of course, makes the odds of each remaining traveller being a terrorist materially higher.

Apparently, in the wake of thousands of deaths from idiots paying more attention to GPS, cell phones, GameBoys, iPods and other such electronic devices, TSA has announced a ban on all use of such devices for the last hour of your commute.

No, just kidding. Apparently, they may be imposing new secret restrictions on use of electronics during the last hour of flight.

How can we break the cycle of terrorist does something irksome, we all pay forever? Our current oversight isn’t restraining DHS or TSA.

Via Gary Leff, we learn that “The TSA Puts Their Sensitive Security Screening Procedures Online For All To See (oops).”

It’s another “we blacked out the doc without blacking out the data” story. The doc is 93 pages, and I don’t have time to more than skim it right now. I think that the redactions are generally reasonable, covering things like the gauge of wire which needs to be detectable for an xray machine to be considered operational. That’s not something we need to know about to debate the right of free travel. We can assume that there’s some level that the machines are set to, and that’s ok. There are a few redactions where I disagree, like ones about who’s exempted from special security treatment. In a democratic society, we should be able to ask “should members of Congress be subject to the same treatment as the rest of us?”

Generally, what’s in the document is not likely to surprise anyone who flies often and pays attention. What’s most interesting to me are actually some of the non-redacted bits:

2.7. PHOTOGRAPHING, VIDEOTAPING, AND FILMING SCREENING LOCATIONS
A. TSA does not prohibit the public, passengers, or press from photographing, videotaping, or filming screening locations unless the activity interferes with a TSO’s ability to perform his or her duties or
prevents the orderly flow of individuals through the screening location. Requests by commercial entities to photograph an airport screening location must be forwarded to TSA’s Office of Strategic Communications and Public Affairs. Photographing EDS (Explosive Detection Systems) or ETD (Explosive Trace Detection) monitor screens or emitted images is
not permitted.
B. TSA must not confiscate or destroy the photographic equipment or film of any person photographing the
screening location.

That’s very interesting, and not in accordance with signs I’ve seen.

2.11. INDIVIDUALS WHO REFUSE SCREENING OF THEIR PERSON
The screening process of an individual begins when he or she walks through a WTMD (or an ETP if it is placed ahead of the WTMD at ETP-equipped checkpoints), or a TSO grants an individual’s request for specialized screening. Once screening has begun, an individual may not withdraw from the screening process. [...]
B. If an individual refuses to complete screening after screening has begun, the TSO must notify the STSO. The STSO must advise the individual that the screening process must be completed. The STSO must then offer the individual a final opportunity to complete the screening process. If the individual continues to
refuse screening, the STSO must:
1) Notify an LEO and request that the LEO assist in completing screening of the individual
2) Ensure that screening of the individual’s accessible property is completed
3) Inform TSA management if the LEO permits the individual to return to the public area without completing screening
C. If the individual, who has refused to complete screening, returns to the public area prior to clearance or the arrival of an LEO:
1) Screening personnel must attempt to keep the individual under constant observation until an LEO arrives.
2) Screening personnel must not physically detain or hinder the movement of the individual.

This is also a very interesting section. The individual “may not withdraw” but TSA may not detain or hinder someone who tries to leave. I believe that there have been questions raised about this, and now that this is public, I expect more.

Finally, I found 3.9.2.B, “TIP User ID requirements” interesting

The user ID number must contain at least four alphanumeric characters, usually comprised of the last four digits of the employee’s Social Security number, and it must be no greater than the number of characters
permitted by the x-ray manufacturer. Each user must choose a unique password containing at least four, but no greater than six, alphanumeric characters.

At first, I boggled at this. A 6 character password? Really? Then, as I thought about it, I realized that this isn’t that unreasonable. The machines are in physically secured areas. The data on them isn’t that valuable. It’s probably reasonable.

As an aside, are there fewer than 10,000 TIP operators? If not, there are certainly collisions in the user ID space. Otherwise, it’s a birthday problem.

[Update: Jon Stewart has assembled up some of the news reports, and Ed Hasbrouck covers the FOIA and legal aspects. ]

According to the Wall St Journal, “Iranian Crackdown Goes Global ,” Iran is monitoring Facebook, and in a move reminiscent of the Soviets, arresting people whose relatives criticize the regime online.

That trend is part of a disturbing tendency to criminalize thoughts, intents, and violations of social norms, those things which are bad because they are prohibited, not bad in themselves. It’s important if we want to export freedom of speech and freedom from self-incrimination, to push for an international norm of limiting the powers of governments, not of people. Of course, since the main way that the international reach of governments is limited is through treaties negotiated by, umm, governments, I don’t expect a lot of that soon.

Not to mention the creation of fake Facebook accounts by Iranian intelligence.

But most interesting is this:

Five interviewees who traveled to Iran in recent months said they were forced by police at Tehran’s airport to log in to their Facebook accounts. Several reported having their passports confiscated because of harsh criticism they had posted online about the way the Iranian government had handled its controversial elections earlier this year.

and

One 28-year-old physician who lives in Dubai said that in July he was asked to log on to his Facebook account by a security guard upon arrival in Tehran’s airport. At first, he says, he lied and said he didn’t have one. So the guard took him to a small room with a laptop and did a Google search for his name. His Facebook account turned up, he says, and his passport was confiscated.

Click for the original.