Security Through Obscurity TSA/GSM Edition

It’s impossible to write code these days without having to study security to some extent. The byproduct of this is that since digital security concepts are based largely on real life, you see the obvious gaps in real life “security”. The quotes are intentional because many/most attempts only provide the feeling of security as opposed to real security.

“Security through obscurity” is perhaps one of the most insane of ideas. The principle being that if the implementation is kept secret the entire application is secure (emphasis on if). If it’s compromised, then you’re in trouble.

TSA “Security”

Books have been written about how poor the TSA is at security. Bruce Schneier is likely one of the best when it comes to pointing out the silly practices and how little it actually does for actual security.

The latest security directive was sent to thousands of individuals at airlines around the world. Needless to say it was leaked (imagine that). Of course the TSA wasn’t thrilled about that. What this does show is that the TSA is simply hoping any potential terrorist is too dumb to do something original. See Bruce Schneier’s piece linked above which draws the same conclusion.

The fake boarding pass scheme is another great example.

Millimeter wave scanner’s (those fully body scanners) haven’t even been 100% implemented yet and have been defeated. Al Qaeda has already figured out that they could mimic drug smugglers and place bombs in certain body cavities. A CT scan would detect that but a full body CT scan is too much radiation and too slow for routine use. No sane person would use a CT scan for security. You would certainly kill more than you would save. That means a complementary prostate exam or “bend and spread” (limited success in prison) is pretty much the only solution. Of course surgical implantation would defeat that as well.

Edit 1/1/2010 @ 3:00 PM EST: The TSA has apparently realized how pointless their legal efforts were and have withdrawn its subpoena.

GSMA “Security”

GSMA (GSM Association) are the folks behind GSM A5/1 encryption used in the majority of phones worldwide which is supposed to keep your calls secure and safe from prying ears. Karsten Nohl figured out how it can be broken. It’s noteworthy that this is an 18-year-old standard from days when computing power was much more limited. It’s also noteworthy that most governments and criminals have likely figured this stuff out already (they just aren’t sharing). The GSMA response:

“What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.”

Mike Masnick at TechDirt decoded the PR speak decoded:

… First, claiming it’s “theoretically possible, but practically unlikely” means that it’s very, very possible and quite likely. To then say that no one else had broken the code since its adoption fifteen years ago is almost certainly false. What she means is that no one else who’s broken the code has gone public with it — probably because it’s much more lucrative keeping that info to themselves…

Wikipedia has a rundown of the security of A5/1.

Leave a Reply

Your email address will not be published. Required fields are marked *

Connect with Facebook

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>