Security Through Obscurity TSA/GSM Edition

It’s impossible to write code these days without having to study security to some extent. The byproduct of this is that since digital security concepts are based largely on real life, you see the obvious gaps in real life “security”. The quotes are intentional because many/most attempts only provide the feeling of security as opposed to real security.

“Security through obscurity” is perhaps one of the most insane of ideas. The premise is that as long as the implementation is kept secret, the entire application is secure (emphasis on as long as). Once the secret is compromised, you’re in trouble.

TSA “Security”

Books have been written about how poor the TSA is at security. Bruce Schneier is likely one of the best when it comes to pointing out the silly practices and how little it actually does for actual security.

The latest security directive was sent to thousands of individuals at airlines around the world. Needless to say it was leaked (imagine that). Of course the TSA wasn’t thrilled about that. What this does show is that the TSA is simply hoping any potential terrorist is too dumb to do something original. See Bruce Schneier’s piece linked above which draws the same conclusion.

The fake boarding pass scheme is another great example.

Millimeter wave scanners (those full body scanners) haven’t even been 100% implemented yet and have already been defeated. Al Qaeda has already figured out that they could mimic drug smugglers and place bombs in certain body cavities. A CT scan would detect that, but a full body CT scan is too much radiation and too slow for routine use. No sane person would use a CT scan for security; you would certainly kill more than you would save. That means a complementary prostate exam or “bend and spread” (limited success in prison) is pretty much the only solution. Of course surgical implantation would defeat that as well.

Edit 1/1/2010 @ 3:00 PM EST: The TSA has apparently realized how pointless its legal efforts were and has withdrawn its subpoena.

GSMA “Security”

GSMA (GSM Association) are the folks behind GSM A5/1 encryption, used in the majority of phones worldwide, which is supposed to keep your calls secure and safe from prying ears. Karsten Nohl figured out how it can be broken. It’s noteworthy that this is an 18-year-old standard from days when computing power was much more limited. It’s also noteworthy that most governments and criminals have likely figured this stuff out already (they just aren’t sharing). The GSMA response:

“What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.”

Mike Masnick at TechDirt decoded the PR speak:

… First, claiming it’s “theoretically possible, but practically unlikely” means that it’s very, very possible and quite likely. To then say that no one else had broken the code since its adoption fifteen years ago is almost certainly false. What she means is that no one else who’s broken the code has gone public with it — probably because it’s much more lucrative keeping that info to themselves…

Wikipedia has a rundown of the security of A5/1.

Hacking The TSA

Everyone’s favorite security guru has a great blog post on how to prevent loss of an expensive camera that must be checked rather than carried on. To summarize, you can pack it with a starter pistol so that the TSA takes extra precautions to prevent its loss (they don’t want to lose a gun, but don’t mind losing your expensive possessions).

This is really quite brilliant. Here’s some info on requirements. According to this you could also just carry a replica, or even a bullet, or a piece of a gun.

That’s got to be the most clever solution to the problem. Finally we can all carry our laptops and expensive equipment around without fear of loss. You know the TSA won’t lose a gun, since that would spark a major controversy.

I must admit this solution is beyond clever, it’s outright brilliant.

Monkeys On A Plane

Oh boy would “Monkeys On A Plane” be a blockbuster. Just a blank tape with that title would make millions. Film a real movie, and it’s [pinky in mouth] billions.

Well, apparently enough monkeys travel on commercial airlines every year to warrant their own section on the TSA website. I’d love to have a monkey sitting near me, rather than a small crying child. Why do I get stuck with kids near me, instead of a chimp?

Excerpt copied below to ensure this gem is never lost:

Monkey Helpers

  • When a monkey is being transported in a carrier, the monkey must be removed from the carrier by the handler prior to screening.
  • The monkey must be controlled by the handler throughout the screening process.
  • The monkey handler should carry the monkey through the WTMD while the monkey remains on a leash.
  • When the handler and monkey go through the WTMD and the WTMD alarms, both the handler and the monkey must undergo additional screening.
  • Since monkeys may likely draw attention, the handler will be escorted to the physical inspection area where a table is available for the monkey to sit on. Only the handler will touch or interact with the monkey.
  • TSOs have been trained to not touch the monkey during the screening process.
  • TSOs will conduct a visual inspection on the monkey and will coach the handler on how to hold the monkey during the visual inspection.
  • The inspection process may require that the handler take off the monkey’s diaper as part of the visual inspection.

Source: TSA.gov

Hat Tip to JWZ.

Vacation

I’m back from vacation. Like two years ago, I spent some time in Holland visiting family, and then some vacation time in Spain (Mallorca to be exact), then back to Holland for a day and a half. Just starting to catch up on things, so be patient if you’re expecting a reply from me. I’m tired after a long day with a flight at 9:30 (GMT +1) that landed at 12:00 (GMT -5). So here are some random thoughts in bullet form:

  • Security wasn’t too bad considering all that has been happening. The only thing encountered was no liquids or gels in hand luggage… Interestingly, every hour or less, a flight attendant came around with cups of water. I guess they are afraid someone could become dehydrated and sue. An obvious change from prior procedures (on the way over that happened no more than 2x as I recall).
  • Constantly check that your flight isn’t delayed, so you don’t spend 11hrs in Schiphol Shithole (after 11hrs that’s an appropriate name for any airport). Definitely not a great way to spend a day. Teletext, Phone, Internet, Smoke signals. Whatever it takes. Check and check again.
  • Just because a hotel advertises that it has air conditioning doesn’t mean that it works, works well, or works constantly. Hotels that only let it run when you’re in the room (usually activated by room key) can only work if it’s very powerful and can cool off a room quickly. Yet another thing to be aware of.
  • When traveling trans-Atlantic, wide body aircraft, such as a Boeing 767, 777, 747, are preferable to a Boeing 757. Because it’s seated 3 and 3 with 1 aisle, and bathrooms in front and back of coach, that’s a lot of traffic in 1 aisle. Wide body aircraft such as the 767 seem much more capable of handling a long haul without feeling so tiny. Just a personal preference.
  • I had this notion that most old stone structures remained semi-cool in hot weather, but the Cathedral in Palma completely ruined that.
  • There should be First Class, Business Class, Kid-Free Class, and Family Class. For those who want to sleep on the plane, you have options.
  • I ate way too much… and enjoyed it all.
  • Beautiful beaches
  • Did I mention the food?

TSA locks up terrorist #1

Via Aebrahim’s blog, John Barlow’s story of the TSA “protecting America”. I’d say it’s a must read, though pretty depressing.

A really brilliant example of how America is becoming “safer”. Sadly, it’s pretty safe to say the government to date has spent thousands (plural) of dollars “protecting” us from John.

Good luck to him. Good luck to all Americans who attempt to live normal lives. I’m still waiting for some nun or priest to be arrested for carrying a crucifix, which could technically be used as a weapon (often sharp point towards the bottom). When that happens, it’s time to move to Iraq, since we’ve spent some time restoring liberty there.