This is from one of the IT security guys in the USA about Airport scanners


               by Bruce Schneier from his CRYPTO-GRAM, December 15, 201
       Chief Security Technology Officer, BT
              [log in to unmask]
             http://www.schneier.com


      Airline Security: A Waste of Money and Time

A short history of airport security: We screen for guns and bombs, so 
the terrorists use box cutters. We confiscate box cutters and 
corkscrews, so they put explosives in their sneakers. We screen 
footwear, so they try to use liquids. We confiscate liquids, so they put 
PETN bombs in their underwear. We roll out full-body scanners, even 
though they wouldn't  have caught the Underwear Bomber, so they put a 
bomb in a printer cartridge. We ban printer cartridges over 16 ounces -- 
the level of magical thinking here is amazing -- and they're going to do 
something else.

This is a stupid game, and we should stop playing it.

It's not even a fair game. It's not that the terrorist picks an attack 
and we pick a defense, and we see who wins. It's that we pick a defense, 
and then the terrorists look at our defense and pick an attack designed 
to get around it. Our security measures only work if we happen to guess 
the plot correctly. If we get it wrong, we've wasted our money. This 
isn't security; it's security theater.

There are two basic kinds of terrorists. The are the sloppy planners, 
like the guy who crashed his plane into the Internal Revenue Service 
building in Austin. He's going to be sloppy and stupid, and even 
pre-9/11 airplane security is going to catch him. The second is the 
well-planned, well-financed, and much rarer sort of plot. Do you really 
expect the T.S.A. screeners, who are busy confiscating water bottles and 
making people take off their belts -- and now doing uncomfortable 
pat-downs -- to stop them?

Of course not. Airport security is the last line of defense, and it's 
not a very good one. What works is investigation and intelligence: 
security that works regardless of the terrorist tactic or target. Yes, 
the target matters too; all this airport security is only effective if 
the terrorists target airports. If they decide to bomb crowded shopping 
malls instead, we've wasted our money.

That being said, airplanes require a special level of security for 
several reasons: they're a favored terrorist target; their failure 
characteristics mean more deaths than a comparable bomb on a bus or 
train; they tend to be national symbols; and they often fly to foreign 
countries where terrorists can operate with more impunity.

But all that can be handled with pre-9/11 security. Exactly two things 
have made airplane travel safer since 9/11: reinforcing the cockpit 
door, and convincing passengers they need to fight back. Everything else 
has been a waste of money. Add screening of checked bags and airport 
workers and we're done. Take all the rest of the money and spend it on 
investigation and intelligence.

Immediately after the Christmas Day Underwear Bomber's plot failed, 
Homeland Security Secretary Janet Napolitano called airplane security a 
success. She was pilloried in the press and quickly backpedaled, but I 
think it was one of the most sensible things said on the subject. Plane 
lands safely, terrorist in custody, nobody injured except the terrorist: 
what more do people want out of a security success?

Look at what succeeded. Because even pre-9/11 security screened for 
obvious bombs, Abdulmutallab had to construct a far less reliable bomb 
than he would have otherwise. Instead of using a timer or a plunger or a 
reliable detonation mechanism, as would any commercial user of PETN, 
Abdulmutallab had to resort to an ad hoc and much more inefficient 
detonation mechanism involving a syringe, 20 minutes in the lavatory, 
and setting his pants on fire. As a result, his actions came to the 
notice of the other passengers, who subdued him.

Neither the full-body scanners or the enhanced pat-downs are making 
anyone safer. They're more a result of politicians and government 
appointees capitulating to a public that demands that "something must be 
done," even when nothing should be done; and a government bureaucracy 
that is more concerned about the security of their careers if they fail 
to secure against the last attack than what happens if they fail 
anticipate the next one.


Copyright Bruce Schneier.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^