April 15, 2012
by Bruce Schneier
Chief Security Technology Officer, BT
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at <http://www.schneier.com/crypto-gram-1204.html>. These same essays and news items appear in the “Schneier on Security” blog at <http://www.schneier.com/blog>, along with a lively comment section. An RSS feed is available.
In this issue:
- Harms of Post-9/11 Airline Security
- Congressional Testimony on the TSA
- Bomb Threats As a Denial-of-Service Attack
- Can the NSA Break AES?
- Rare Spanish Enigma Machine
- Schneier News
- Buying Exploits on the Grey Market
- Hacking Critical Infrastructure
I debated former TSA Administrator Kip Hawley on the “Economist” website. I didn’t bother reposting my opening statement and rebuttal, because — even though I thought I did a really good job with them — they were largely things I’ve said before. In my closing statement, I talked about specific harms post-9/11 airport security has caused. This is mostly new, so here it is, British spelling and punctuation and all.
In my previous two statements, I made two basic arguments about post-9/11 airport security. One, we are not doing the right things: the focus on airports at the expense of the broader threat is not making us safer. And two, the things we are doing are wrong: the specific security measures put in place since 9/11 do not work. Kip Hawley doesn’t argue with the specifics of my criticisms, but instead provides anecdotes and asks us to trust that airport security — and the Transportation Security Administration (TSA) in particular — knows what it’s doing.
He wants us to trust that a 400-ml bottle of liquid is dangerous, but transferring it to four 100-ml bottles magically makes it safe. He wants us to trust that the butter knives given to first-class passengers are nevertheless too dangerous to be taken through a security checkpoint. He wants us to trust the no-fly list: 21,000 people so dangerous they’re not allowed to fly, yet so innocent they can’t be arrested. He wants us to trust that the deployment of expensive full-body scanners has nothing to do with the fact that the former secretary of homeland security, Michael Chertoff, lobbies for one of the companies that makes them. He wants us to trust that there’s a reason to confiscate a cupcake (Las Vegas), a 3-inch plastic toy gun (London Gatwick), a purse with an embroidered gun on it (Norfolk, VA), a T-shirt with a picture of a gun on it (London Heathrow) and a plastic lightsaber that’s really a flashlight with a long cone on top (Dallas/Fort Worth).
The Fourth Amendment reads:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
The fact that searches are both random and broadly applied makes it clear that there is no probable cause. “Enhanced pat-downs” are especially egregious: What would otherwise be considered sexual assault and a gross violation of our rights is legitimized and mandated in the name of security. Being unconstitutional, these searches are, in my opinion, illegal and criminal.
The Norton vs. Shelby County decision (1886) found that “an unconstitutional act is not law; it … (is) inoperative as though it had never been passed.”
Legal status aside, this is not security, it is security theater. Any terrorist would simply have to get a job as an airport employee, or send a bomb via the rarely-screened air mail, or find any of the innumerable other weak links to exploit. Responsibility and liability for security should fall on the airports and airlines themselves.
In 1775, Benjamin Franklin wrote, “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.”
When crossing a TSA checkpoint, you may have nothing to hide, but you do have something to protect — your innate and constitutionally-guaranteed right to your life and liberty.