Security in Tech and Life

So much has been written lately about security and privacy, particularly because of the Apple vs. FBI feud. It scares me that so many people with the potential to influence the final outcome don't seem to understand the technical issues, nor the long term implications. The same technology that protects my family and me also protects the US President and any Americans overseas in scary countries without many civil liberty protections. 

Blake Ross' excellent wise-guy summary gives some great real world examples of security that everyone can understand, but also does a great job of giving a cliff notes overview of why building secure software is so difficult. Also, I had somehow never known the details of how they secure airplanes now:

 "For as much money and time as we’ve wasted on printer-powered air security, only one innovation has prevented another 9/11: Locked, reinforced cockpit doors. These doors can withstand gunfire and even small grenades.

But sometimes, 6 hours into a Cancun flight, 3 helpings into Delta’s Cargo-Class Seafood, a pilot needs to deposit a few small grenades of his own. So there’s a handshake protocol:

  1. When the pooping pilot wants to reenter the cockpit, he calls the flying pilot on the intercom to buzz him in.
  2. If there’s no answer, the outside pilot enters an emergency keycode. If the flying pilot doesn’t deny the request within 30 seconds, the door unlocks.
  3. The flying pilot can flip a switch to disable the emergency keypad for 5 to 20 minutes (repeatedly)."



Security theater at the airport

I traveled recently to Belize for a wonderful vacation on Glover's Reef Atoll.  It was paradise.  On the way down there, I had left a Chobani yogurt in my carry-on bag and was flagged by TSA airport security.  Apparently yogurt is considered a liquid and it isn't allowed.  Slightly annoyed but with plenty of time to spare, I went to eat my yogurt outside security and while doing so did a search on Twitter for #securitytheater (try for yourself here).  For those that have never heard the term, "security theater" is used to describe security measures put in place to give the appearance of safety, even if they have obvious gaps or are minimizing an extremely small risk.

I've always been a little jaded about security since 9/11.  To be clear, 9/11 was a horrific event for this country and especially for those directly impacted by it, and I'm a FULL supporter of programs that will prevent something like that from happening again.  However, the programs put in place need to protect the rights of US citizens and be reasonably effective and efficient.  In other words, we could go out and hire another 5 million police officers, but I don't think that would be an efficient program.  We could also allow any citizen to be searched at any time for any reason, but I don't think I'd want to live in a country like that.

So what's bothered me personally over the years?  For starters, there was the time I accidentally carried a pocket knife in my carry-on coming back from Alaska and didn't get caught.  There have been a few times when I've had to exit the airport security line to empty my Nalgene bottle.  Then there is my personal favorite:  the random bag checks at the MBTA stops in Boston, which usually involve about 8 people (6 of which do nothing but stand there) and are completely pointless because if you get asked to be searched you can refuse and simply not get on the subway at that stop (I'm not making this up, see the MBTA policy here).  Logically, these random searches will only catch people that have bombs on them and don't know it or are REALLY STUPID, and I'm sure they come at a pretty steep expense to the MBTA.

With that said, what really disturbed me as I read more at the airport was this article from The Atlantic (read here) which interviewed the well known TSA critic Bruce Schnei­er.  The first thing that really disturbed me, particularly since I've had to empty water bottles on multiple occasions was this:

Later, Schnei­er would carry two bottles labeled saline solution—24 ounces in total—through security. An officer asked him why he needed two bottles. “Two eyes,” he said. He was allowed to keep the bottles.

But if you are a terrorist, you probably have your name in some database and so you'd never even be allowed to carry on 24 ounces of liquid, right?  That's why the "ID triangle" (a term I'd never heard before) was setup: the fact that you need to buy a ticket with a credit card, show a boarding pass and valid photo ID at security, and show a boarding pass again before getting on the plane.  This seems pretty secure at first glance, but if you really think it through it does little to protect us from smart terrorists, even if they are on every single government watch list. As the article explains:

“The goal is to make sure that this ID triangle represents one person,” he explained. “Here’s how you get around it. Let’s assume you’re a terrorist and you believe your name is on the watch list.” It’s easy for a terrorist to check whether the government has cottoned on to his existence, Schnei­er said; he simply has to submit his name online to the new, privately run CLEAR program, which is meant to fast-pass approved travelers through security. If the terrorist is rejected, then he knows he’s on the watch list.

To slip through the only check against the no-fly list, the terrorist uses a stolen credit card to buy a ticket under a fake name. “Then you print a fake boarding pass with your real name on it and go to the airport. You give your real ID, and the fake boarding pass with your real name on it, to security. They’re checking the documents against each other. They’re not checking your name against the no-fly list—that was done on the airline’s computers. Once you’re through security, you rip up the fake boarding pass, and use the real boarding pass that has the name from the stolen credit card. Then you board the plane, because they’re not checking your name against your ID at boarding.”

Each year millions of Americans are subjected to intrusive security policies that not only waste time but also cost them $7 billion per year.  It might make everyone feel a little safer, but in reality the programs will do little to protect us from a smart terrorist.  If security programs have such big gaps, I think we might as well eliminate them or spend more money to close those gaps.  Putting on a security show doesn't make us much safer, costs a lot of money, and is really inconvenient.  If the risks are high as we've been told, isn't this worth investing in?