This is from one of the IT security guys in the USA about Airport scanners
by Bruce Schneier from his CRYPTO-GRAM, December 15, 201
Chief Security Technology Officer, BT
[log in to unmask]
http://www.schneier.com
Airline Security: A Waste of Money and Time
A short history of airport security: We screen for guns and bombs, so
the terrorists use box cutters. We confiscate box cutters and
corkscrews, so they put explosives in their sneakers. We screen
footwear, so they try to use liquids. We confiscate liquids, so they put
PETN bombs in their underwear. We roll out full-body scanners, even
though they wouldn't have caught the Underwear Bomber, so they put a
bomb in a printer cartridge. We ban printer cartridges over 16 ounces --
the level of magical thinking here is amazing -- and they're going to do
something else.
This is a stupid game, and we should stop playing it.
It's not even a fair game. It's not that the terrorist picks an attack
and we pick a defense, and we see who wins. It's that we pick a defense,
and then the terrorists look at our defense and pick an attack designed
to get around it. Our security measures only work if we happen to guess
the plot correctly. If we get it wrong, we've wasted our money. This
isn't security; it's security theater.
There are two basic kinds of terrorists. The are the sloppy planners,
like the guy who crashed his plane into the Internal Revenue Service
building in Austin. He's going to be sloppy and stupid, and even
pre-9/11 airplane security is going to catch him. The second is the
well-planned, well-financed, and much rarer sort of plot. Do you really
expect the T.S.A. screeners, who are busy confiscating water bottles and
making people take off their belts -- and now doing uncomfortable
pat-downs -- to stop them?
Of course not. Airport security is the last line of defense, and it's
not a very good one. What works is investigation and intelligence:
security that works regardless of the terrorist tactic or target. Yes,
the target matters too; all this airport security is only effective if
the terrorists target airports. If they decide to bomb crowded shopping
malls instead, we've wasted our money.
That being said, airplanes require a special level of security for
several reasons: they're a favored terrorist target; their failure
characteristics mean more deaths than a comparable bomb on a bus or
train; they tend to be national symbols; and they often fly to foreign
countries where terrorists can operate with more impunity.
But all that can be handled with pre-9/11 security. Exactly two things
have made airplane travel safer since 9/11: reinforcing the cockpit
door, and convincing passengers they need to fight back. Everything else
has been a waste of money. Add screening of checked bags and airport
workers and we're done. Take all the rest of the money and spend it on
investigation and intelligence.
Immediately after the Christmas Day Underwear Bomber's plot failed,
Homeland Security Secretary Janet Napolitano called airplane security a
success. She was pilloried in the press and quickly backpedaled, but I
think it was one of the most sensible things said on the subject. Plane
lands safely, terrorist in custody, nobody injured except the terrorist:
what more do people want out of a security success?
Look at what succeeded. Because even pre-9/11 security screened for
obvious bombs, Abdulmutallab had to construct a far less reliable bomb
than he would have otherwise. Instead of using a timer or a plunger or a
reliable detonation mechanism, as would any commercial user of PETN,
Abdulmutallab had to resort to an ad hoc and much more inefficient
detonation mechanism involving a syringe, 20 minutes in the lavatory,
and setting his pants on fire. As a result, his actions came to the
notice of the other passengers, who subdued him.
Neither the full-body scanners or the enhanced pat-downs are making
anyone safer. They're more a result of politicians and government
appointees capitulating to a public that demands that "something must be
done," even when nothing should be done; and a government bureaucracy
that is more concerned about the security of their careers if they fail
to secure against the last attack than what happens if they fail
anticipate the next one.
Copyright Bruce Schneier.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|