[wordup] Airline Security Regulations

[Adam Shand]

this is one part of the most recent crypt-o-gram which is written by a
fairly well known computer security expert (bruce schneier).  there are
lots of interesting reference urls at the stories url.

From: http://www.counterpane.com/crypto-gram-0109a.html

Computer security experts have a lot of expertise that can be applied to
the real world. First and foremost, we have well-developed senses of what
security looks like. We can tell the difference between real security and
snake oil. And the new airport security rules, put in place after
September 11, look and smell a whole lot like snake oil.

All the warning signs are there: new and unproven security measures, no
real threat analysis, unsubstantiated security claims. The ban on cutting
instruments is a perfect example. It's a knee-jerk reaction: the
terrorists used small knives and box cutters, so we must ban them. And
nail clippers, nail files, cigarette lighters, scissors (even small ones),
tweezers, etc. But why isn't anyone asking the real questions: what is the
threat, and how does turning an airplane into a kindergarten classroom
reduce the threat? If the threat is hijacking, then the countermeasure
doesn't protect against all the myriad of ways people can subdue the pilot
and crew. Hasn't anyone heard of karate? Or broken bottles? Think about
hiding small blades inside luggage. Or composite knives that don't show up
on metal detectors.

Parked cars now must be 300 feet from airport gates. Why? What security
problem does this solve? Why doesn't the same problem imply that passenger
drop-off and pick-up should also be that far away? Curbside check-in has
been eliminated. What's the threat that this security measure has solved?
Why, if the new threat is hijacking, are we suddenly worried about bombs?

The rule limiting concourse access to ticketed passengers is another one
that confuses me. What exactly is the threat here? Hijackers have to be on
the planes they're trying to hijack to carry out their attack, so they
have to have tickets. And anyone can call Priceline.com and "name their
own price" for concourse access.

Increased inspections -- of luggage, airplanes, airports -- seem like a
good idea, although it's far from perfect. The biggest problem here is
that the inspectors are poorly paid and, for the most part, poorly
educated and trained. Other problems include the myriad ways to bypass the
checkpoints -- numerous studies have found all sorts of violations -- and
the impossibility of effectively inspecting everybody while maintaining
the required throughput. Unidentified armed guards on select flights is
another mildly effective idea: it's a small deterrent, because you never
know if one is on the flight you want to hijack.

Positive bag matching -- ensuring that a piece of luggage does not get
loaded on the plane unless its owner boards the plane -- is actually a
good security measure, but assumes that bombers have self-preservation as
a guiding force. It is completely useless against suicide bombers.

The worst security measure of them all is the photo ID requirement. This
solves no security problem I can think of. It doesn't even identify
people; any high school student can tell you how to get a fake ID. The
requirement for this invasive and ineffective security measure is secret;
the FAA won't send you the written regulations if you ask. Airlines are
actually more stringent about this than the FAA requires, because the
"security" measure solves a business problem for them.

The real point of photo ID requirements is to prevent people from
reselling tickets. Nonrefundable tickets used to be regularly advertised
in the newspaper classifieds. Ads would read something like "Round trip,
Boston to Chicago, 11/22 - 11/30, female, $50." Since the airlines didn't
check ID but could notice gender, any female could buy the ticket and fly
the route. Now this doesn't work. The airlines love this; they solved a
problem of theirs, and got to blame the solution on FAA security
requirements.

Airline security measures are primarily designed to give the appearance of
good security rather than the actuality. This makes sense, once you
realize that the airlines' goal isn't so much to make the planes hard to
hijack, as to make the passengers willing to fly. Of course airlines would
prefer it if all their flights were perfectly safe, but actual hijackings
and bombings are rare events and they know it.

This is not to say that all airport security is useless, and that we'd be
better off doing nothing. All security measures have benefits, and all
have costs: money, inconvenience, etc. I would like to see some rational
analysis of the costs and benefits, so we can get the most security for
the resources we have.

One basic snake-oil warning sign is the use of self-invented security
measures, instead of expert-analyzed and time-tested ones. The closest the
airlines have to experienced and expert analysis is El Al. Since 1948 they
have been operating in and out of the most heavily terroristic areas of
the planet, with phenomenal success. They implement some pretty heavy
security measures. One thing they do is have reinforced, locked doors
between their airplanes' cockpit and the passenger section. (Notice that
this security measure is 1) expensive, and 2) not immediately perceptible
to the passenger.) Another thing they do is place all cargo in
decompression chambers before takeoff, to trigger bombs set to sense
altitude. (Again, this is 1) expensive, and 2) imperceptible, so
unattractive to American airlines.) Some of the things El Al does are so
intrusive as to be unconstitutional in the U.S., but they let you take
your pocketknife on board with you.