Chris,
Great article. Yep, all true, just put in nuclear weapons and we have described the arms race.

The point though is that each iteration makes the attack that much harder and reduces the chances.  Take crude technology of early phones and compare it to the latest iphone. I could hack a old phone very easily.  By contrast, I would have no clue as to how to begin to hack the physical elements of the iphone because the technology is more complex.

I can hack it a different way, such as with a computer programme, but already I have to have access to a computer and the know-how to carry it out. I cannot achieve it by tinkering.  I have to have intent, motive, technology and time.

The screening creates that need for an attacker.  Thus they need an organisation to support them and herein lies the residual weakness.  Individuals may commit suicide, but organisations want to live and do not commit suicide.  Thus, the focus has to be on both, screening (obviously can be done a lot better) and intelligence (going after the organisation and making it harder for it to recruit, finance and operate) for security to work.
The only way to make the organisation vulnerable is to make it show itself and its intent by raising the bar to entry in the market.  The thought experiments run this way.  Try to imagine two plots to assassinate a world leader of note.  In one try to survive and in the other you accept that you will either die in the attempt or be caught but still succeed.  Now imagine the organisation you need to create the opportunity as well as supply the method for either. Then consider that any approach is already being actively counter measured.  As a result few attempts are made and even fewer are successful.  Is it fun being a world leader or even trying to meet them, (no) but that is the cost of doing business.

Ultimately we will reach a stage of less overtly intrusive methods that are actually more invasive to the person both physically and in terms of information.  We see this already in terms of the sharing of passenger lists for travel to the usa.

Best

Lawrence



Lawrence W. Serewicz
Principal Information Management Officer
Room 4/140
Durham County Council
DH1 5UF
0191-372-8371


----- Original Message -----
From: This list is for those interested in Data Protection issues <[log in to unmask]>
To: [log in to unmask] <[log in to unmask]>
Sent: Wed Dec 15 22:13:20 2010
Subject: [data-protection] Airport full body scanners - interesting views

This is from one of the IT security guys in the USA about Airport scanners


               by Bruce Schneier from his CRYPTO-GRAM, December 15, 201
       Chief Security Technology Officer, BT
              [log in to unmask]
             http://www.schneier.com


      Airline Security: A Waste of Money and Time

A short history of airport security: We screen for guns and bombs, so
the terrorists use box cutters. We confiscate box cutters and
corkscrews, so they put explosives in their sneakers. We screen
footwear, so they try to use liquids. We confiscate liquids, so they put
PETN bombs in their underwear. We roll out full-body scanners, even
though they wouldn't  have caught the Underwear Bomber, so they put a
bomb in a printer cartridge. We ban printer cartridges over 16 ounces --
the level of magical thinking here is amazing -- and they're going to do
something else.

This is a stupid game, and we should stop playing it.

It's not even a fair game. It's not that the terrorist picks an attack
and we pick a defense, and we see who wins. It's that we pick a defense,
and then the terrorists look at our defense and pick an attack designed
to get around it. Our security measures only work if we happen to guess
the plot correctly. If we get it wrong, we've wasted our money. This
isn't security; it's security theater.

There are two basic kinds of terrorists. The are the sloppy planners,
like the guy who crashed his plane into the Internal Revenue Service
building in Austin. He's going to be sloppy and stupid, and even
pre-9/11 airplane security is going to catch him. The second is the
well-planned, well-financed, and much rarer sort of plot. Do you really
expect the T.S.A. screeners, who are busy confiscating water bottles and
making people take off their belts -- and now doing uncomfortable
pat-downs -- to stop them?

Of course not. Airport security is the last line of defense, and it's
not a very good one. What works is investigation and intelligence:
security that works regardless of the terrorist tactic or target. Yes,
the target matters too; all this airport security is only effective if
the terrorists target airports. If they decide to bomb crowded shopping
malls instead, we've wasted our money.

That being said, airplanes require a special level of security for
several reasons: they're a favored terrorist target; their failure
characteristics mean more deaths than a comparable bomb on a bus or
train; they tend to be national symbols; and they often fly to foreign
countries where terrorists can operate with more impunity.

But all that can be handled with pre-9/11 security. Exactly two things
have made airplane travel safer since 9/11: reinforcing the cockpit
door, and convincing passengers they need to fight back. Everything else
has been a waste of money. Add screening of checked bags and airport
workers and we're done. Take all the rest of the money and spend it on
investigation and intelligence.

Immediately after the Christmas Day Underwear Bomber's plot failed,
Homeland Security Secretary Janet Napolitano called airplane security a
success. She was pilloried in the press and quickly backpedaled, but I
think it was one of the most sensible things said on the subject. Plane
lands safely, terrorist in custody, nobody injured except the terrorist:
what more do people want out of a security success?

Look at what succeeded. Because even pre-9/11 security screened for
obvious bombs, Abdulmutallab had to construct a far less reliable bomb
than he would have otherwise. Instead of using a timer or a plunger or a
reliable detonation mechanism, as would any commercial user of PETN,
Abdulmutallab had to resort to an ad hoc and much more inefficient
detonation mechanism involving a syringe, 20 minutes in the lavatory,
and setting his pants on fire. As a result, his actions came to the
notice of the other passengers, who subdued him.

Neither the full-body scanners or the enhanced pat-downs are making
anyone safer. They're more a result of politicians and government
appointees capitulating to a public that demands that "something must be
done," even when nothing should be done; and a government bureaucracy
that is more concerned about the security of their careers if they fail
to secure against the last attack than what happens if they fail
anticipate the next one.


Copyright Bruce Schneier.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^