Monday, May 2, 2011

The futility of the TSA during the War on Terror

One advantage of having been involved in Internet Security for a considerable time is that you see what doesn't (and can't) work.  This very often applies to the Real World.

Consider antivirus.  "Everybody knows" that they need to have one.  "Everybody knows" that they need to keep it updated.  The antivirus program works hard - you can see your computer slow down when it fires up to do a scan.  The antivirus companies work hard - you get a daily update that contains hundreds or thousands of new signatures, each day, every day.

And it doesn't work:

Signature-based antimalware detection is increasingly ineffective against an explosion in the number of malware variants as well as an increase in the number of financially motivated targeted attacks.

Does this mean we get rid of antivirus technology altogether? Not at all.

What it means is that we can no longer protect endpoints using signature-based mechanisms alone. Endpoints must be protected using a combination of mechanisms – whitelisting, blacklisting and behavioral-based approaches — working together as a system.

What we see is that the Bad Guys have adapted to the prevalence of antivirus by writing so much new malware - and testing it against commercial antivirus, tweaking it until it gets missed - that your antivirus may only have a 25% chance of catching something new, because a whole Black Hat industry has grown up to make avoiding antivirus detection easy:

For the last six months there has been an explosion in malware scanning portals that cater specifically to the demands of professional malware authors and botnet masters. These portals provide guarantees on privacy of submitted samples and include specialized services designed to suit their criminal clientele – for example, the ability to bulk-upload caches of new samples for testing, CSV formatted reports, automatic tweaking of samples to avoid certain antivirus engines, continuous testing of samples (i.e. alerting of when an antivirus update appears that is capable of detecting a submitted sample) and multiple alerting features (e.g. email, SMS text messaging, IRC/Jabber alerts, etc.).

The Internet Security industry is adapting, by adding different techniques (whitelisting, behavioral-based stuff, etc.) because it needs to remain viable to the market.  If it doesn't adapt, the companies will become irrelevant and go out of business.  Basically, the industry has to provide results or die.
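
An added example, not part of the original post: a small sketch of the "working together as a system" idea quoted above, comparing signature-only matching with a layered check (blacklist, then behavior, then whitelist with default deny). The file contents, event names, weights and threshold are all constructed assumptions, and the code says blocklist/allowlist for blacklist/whitelist.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for file contents; none of these are real samples.
KNOWN_BAD = b"constructed: malware build already in the vendor signature feed"
NEW_BUILD = b"constructed: malware build no vendor has seen yet"
APPROVED_APP = b"constructed: line-of-business application approved by IT"

BLOCKLIST = {sha256(KNOWN_BAD)}      # the signature layer
ALLOWLIST = {sha256(APPROVED_APP)}   # software the organisation approved

# Assumed weights for runtime events an endpoint agent might report.
BEHAVIOR_WEIGHTS = {"modifies_autorun": 3, "injects_into_process": 4,
                    "reads_own_config": 0}
BEHAVIOR_THRESHOLD = 5

def signature_only(image: bytes) -> str:
    """Classic antivirus: block only what is already known to be bad."""
    return "block" if sha256(image) in BLOCKLIST else "allow"

def layered(image: bytes, observed: list) -> tuple:
    """Blocklist, then behavior, then default deny for anything unapproved."""
    digest = sha256(image)
    if digest in BLOCKLIST:
        return ("block", "signature")
    score = sum(BEHAVIOR_WEIGHTS.get(event, 0) for event in observed)
    if score >= BEHAVIOR_THRESHOLD:
        return ("block", "behavior")
    if digest not in ALLOWLIST:
        return ("block", "not-allowlisted")
    return ("allow", "allowlisted")

def run_demo() -> dict:
    """Return (signature-only verdict, layered verdict) for each constructed case."""
    cases = {
        "known bad": (KNOWN_BAD, []),
        "new build": (NEW_BUILD, []),
        "approved app, normal": (APPROVED_APP, ["reads_own_config"]),
        "approved app, hijacked": (APPROVED_APP,
                                   ["modifies_autorun", "injects_into_process"]),
    }
    return {name: (signature_only(img), layered(img, events))
            for name, (img, events) in cases.items()}

if __name__ == "__main__":
    for name, (sig, lay) in run_demo().items():
        print(f"{name:24} signature-only={sig:6} layered={lay}")
```

Signature-only matching stops just the first case; the unseen build falls to default deny and the hijacked approved application to the behavior layer.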

The TSA doesn't.  The TSA is interesting, because it takes what is basically the same approach as antivirus: looking for known bad things.  It is extremely intrusive when it does this (just like antivirus), and makes a great show of how busy it is (lots of uniformed TSA folks manning lots of checkpoints).

From a results point of view, it doesn't work.  The TSA has caught precisely zero terrorists (although they have caught some run-of-the-mill criminals during their inspections).  It's because they're always looking for the old attack that the terrorists don't try anymore.  Like with antivirus, it's "security in the rear view mirror", focused on the process, not the end result.

Unlike the Internet Security industry, the TSA is not correcting by adding new techniques that might make it more effective.  The reason is captured in a nutshell in this short video by Internet Security guru Bruce Schneier:



Shielded from market forces, the TSA doesn't have to stop new attacks.  To keep its budget, all it has to do is stop old attacks.  And so it implements increasingly expensive, draconian, and futile searches, chasing after the last attack.  It's spent millions of dollars installing expensive X-Ray machines that generate ten times the radiation that we were told:

The results of tests on the radiation levels at x-ray body scanners that have been put in airports across America are flawed, the Transportation Security Administration admits.

The tests came back showing ten times more radiation than was expected.

But don't opt out of the scan, or you will be sexually assaulted, like a former Miss USA:

The latest report of molestation at the hands of TSA agents comes from former Miss USA Susie Castillo, whose tearful account of her experience at the Dallas Fort Worth Intl. Airport already has more than 200,000 views on YouTube.

"I'm crying because, as an American, I have to go through this," she says in the video.

...

Castillo said that an older woman who worked for the airport attempted to comfort her as she sat crying, saying, "Well honey, you know what, I'd rather go through the scanner or get a pat-down than, you know, be blown up." In the video Castillo recalls thinking, "Okay, I guess I'm supposed to find comfort in that, but I didn't."

TSA has since reviewed the incident and a representative reportedly told TMZ, "We have reviewed this passenger's screening experience and found that the officer followed proper procedures."

And it's all futile, just like today's antivirus signatures.  Tomorrow's malware is already tested against these signatures before it is unleashed, just like the terrorists don't do the old attacks.  They make up new attacks.

As Schneier says, "It's a stupid game, and we shouldn't play."

The only one that wins this game is the TSA, whose budget and headcount continually increase while they sexually assault citizens and entirely fail to catch any terrorists.  This is broken, because they aren't responsive to the market.

There is a solution, that I modestly offer here.  A bold (read: media whoring) Governor should federalize airport security in his state.  He should send in the State Police and arrest any TSA agent that engages in sexual assault.  He can have the security outsourced to a company that will actually be responsive to the market.

The TSA, of course, will have a cow.  They will threaten legal action.  Andrew Jackson's dictum will prove popular: The Supreme Court has made its ruling.  Now let it enforce it.  It's unlikely that this visible battle royal will make the Governor less popular; on the contrary, the TSA is at best ignored and at worst despised by most of the country.  Our Governor will be seen as a hero by many registered voters.

The TSA will threaten to close down air traffic to that State.  And here's where we see where the battle will have to be fought.  If you shut down flights to, say, Providence, people will simply fly to Boston.  Can't fight on those terms.  But what about Texas?

You shut down DFW, and you bring America's air travel to a grinding halt.  Matter of fact, if you shut down Atlanta Hartsfield, you bring air travel to a halt.  Same with Chicago O'Hare, and (maybe) Denver.

I wouldn't expect that the Illinois Governor will want to play this game.  But Rick Perry might.  And here's the fun part: during what looks like the slide into a double dip recession just as the 2012 election cycle kicks off, the Obama Administration will fold like a house of cards in a tornado.

And so my plea: Help us Obi-Wan Perry, you're our only hope.

UPDATE 3 May 2011 09:38: Welcome visitors from View From The Porch, and as always thanks, Tam. I left out something important, which I'll add here.

Schneier is absolutely correct that the general public doesn't really understand just how little security they're getting, and will look at the TSA as "people protecting me".  That assessment is wrong, but is the starting point - we have to get past a knee-jerk "but who will protect me" reaction to keep this popular.

That's why it's so very important to bring in some sort of screening company as a replacement.  The Security Kabuki will have to go on, in a less intrusive (and less costly) manner.  Pure Libertarian types won't like it (heck, I don't like it), but there will be no traction with Polly Public without this.

And the messaging has to be 100% "sexual assault is a crime, and will not be tolerated".  Polly Public is almost certain to line up behind this, by large margins.

As Tam said, this is a Hail Mary sort of plan.  As such, it contains all sorts of things I'd really rather not have to put up with.  But the best is enemy of a good dang start.

Next target can be the EPA ...

19 comments:

  1. You're absolutely right about Illinois' governor not having the cojones to do this. We don't call him Governor Jell-o for nothing. But what a great idea.

  2. You have too much faith in Governor Good Hair. He's a spineless weasel and I can't stand him. Unfortunately, there's never anyone running that is a better choice. Sad.

  3. I attended a presentation last week by Barry Greene where he said that malware authors are using obfuscation techniques stolen from the computer gaming industry's DRM schemes to hide their "product" from scanners. Fascinating stuff.

  4. Excellent post, BP. The TSA is forever condemned to "fight the last war", and always be reactionary. They focus on signatures - things - not people. As long as they focus on things, they will never find the next thing.

    Should the tangos pull off a mall attack or an attack on something like a Grand Central Station, and the response - not the attack - could shut down this country.

  5. TSA has since reviewed the incident and a representative reportedly told TMZ, "We have reviewed this passenger's screening experience and found that the officer followed proper procedures."

    If that doesn't send a chill all the way down your spine, you should be very, very worried.

    Jim

  6. "screening experience"? I just love the turn of that phrase, like it's an event intended to elicit pleasure that for whatever inexplicable reason, just went wrong.

  7. If only from your lips to all the Governors' ears!

  8. I would e-mail/call governor offices but I'm not a US resident.

    Well, did you e-mail/call governor Rick Perry?

    Did anyone?

  9. Methinks you mean the governor should state-tize the security system, as what we have now is the result of airport security being federalized.

    Any governor doing this is going to have some definite federal preemption issues with replacing the TSA with a state agency for airport security enforcement (for an example see Immigration, Arizona, brouhaha).

    Good idea, but I believe the execution will be limited and ultimately overturned. Not to mention if any terrorist gets through that governor will never hear the end of it due to his cops not following TSA "proper procedures"

    wv: colatic - the next proposed TSA procedure if you refuse the body scan.

  10. Aaron, I just added an update about why I think this will work.

    Arresting TSA agents for sexual assault (and prosecuting them, and convicting some) - with the cameras rolling - will fit into the "Sexual assault will not be tolerated in this state". Whether the TSA stops the pat downs, or shuts down the screening (in which case the Governor can claim that he's keeping things open) is a bit immaterial. There's no way the TSA wins this.

    Either the Administration has to back down in the face of a public humiliation, or they have to take the chance of shutting down the Airline industry. I simply don't think that if the Governor replaces the TSA after they shut down air travel that the public won't line up behind the Governor. Especially when the public's daughters are being strip searched.

  11. Dead on, BP. The purpose of government, as currently structured, is to perpetuate and expand government. If the citizenry get actual service in the process, that's just a happy coincidence. This is true whether it's city, county, state or federal government.

    To change the paradigm government would have to be very substantially reduced in size (and cost/expenditure) so that it has no choice but narrow its scope of operation, and, hopefully, placed in competition with free market entrepreneurs for many of the remaining tasks it is called on to perform.

    Short of a cataclysmic occurrence I don't see that happening. But, we may have something of a cataclysm in the foreseeable future if we can't get government spending under control, so we may get to try that approach at some point.

    It would be interesting to see a state like Texas or Georgia follow your approach, but using the extremely effective Israeli airline security model, and see if that doesn't provoke the collapse of the entire house of cards, beginning with TSA.

  12. Lovely idea.

    Dropping fantasy for reality for a moment if I may.

    I'm an actual State prosecutor. There is an actual airport in a nearby State. It is staffed with actual TSA screeners. They actually screen. I've seen a hundred or so pat downs here and maybe 400 elsewhere while going through it myself.

    There's a link to the actual State criminal code of sexual offenses in that State on my post about this.

    In the actual world, which crime can I convince a jury of twelve, unanimously and beyond a reasonable doubt, that an actual screener commits when screening/patting down?

    This is a serious question, I'd like to know what commenters here see as the crime GIVEN THE ACTUAL LAW, not fantasy law.

    And if you please, copy them over at my blog, follow this link or the one above.

  13. I have to agree with staghounds. I just looked it up for Texas. Assault or aggravated assault are the only charges I can see. The TSA drones would have to be armed for agg assault to stick.

    I don't Perry ever doing that, though.

  14. 'Patch - If TX needs a poster child, I will (as a resident) volunteer. I opted out of the porn-o-scan, and received the "enhanced" pat-down. I didn't sleep for three days. I would give all that I own to take that decision back.



    tweaker

  15. Staghounds, thanks for leaving the comment. IANL, and so I actually don't want to answer your specific question, as I have no idea how this would turn out in a courtroom.

    However, because IANL, I can speak for many potential jurors in that if a TSA Agent were brought up essentially for fondling a young girl, I know how I would want to vote.

    And that's kind of my point. This is a political issue, a potential opportunity for a grandstanding politician to make some hay. How the legal issues ultimately work out three years later is sort of irrelevant.

    If there is to be any pushback at all by the States against this Administration's (and in all honesty, the last few Administrations') power grab, you can't find a better place to start than Big Bad Government people strip searching young girls.

    Your mileage may vary, void where prohibited, do not remove tag under penalty of law.

    Cross-posting this comment over at Staghounds' place.

  16. Staghounds, to repeat BP, IANL, however, if the need is to have a charge to levy against offenders for this to work, (whether or not that actually sees a trial may be irrelevant) wouldn't "39-13-527. Sexual battery by an authority figure" fit the bill. The argument can be made that working for the TSA in the capacity of a screener is not forced. And that knowing that you would have to perform duties such as inappropriately touching the genital areas of minors and adults, one can easily conclude that some level of satisfaction or 'gratification' is obtained by terrorizing free people!

    If the bad guys can twist the wording of statutes to get them off, the reverse must be allowed too!

  17. Staghounds,

    IANAL, so take this for what it's worth:

    Everyone has heard of examples of juries refusing to convict a person who, beyond a shadow of a doubt, committed a crime (ala A Time to Kill). Essentially the facts of the case are not in doubt, but the jury chooses to ignore the law. I believe the term is "jury nullification" when this happens.

    There may be no legal precedent for it, at least none that I know of, but couldn't a jury similarly ignore a judge's instructions about the black letter of the law to force a conviction where it was questionable that the law applied? (I used to be a cop in TN, and I know that charges might not make it past arraignment or a Grand Jury...been there done that...but supposing it made it to jury trial...)

    Isn't the whole point of jury trial that the citizenry ultimately decides what the law means and whether it applies to their fellow citizen, not some dude in black robes? What's the point if we can say "Nope, that law doesn't apply here" if we can't turn around and say "We want that law to apply here!"

  18. I am not a lawyer either. Still, I remind you what you already know:
    1. The prosecutor has discretion on what charges he files.
    2. The judge has significant say on what charges he permits.
    3. From those charges, the Jury can select which ones on which they return a guilty verdict.
    4. Jury selection is also cropped. California uses federal procedure, and the Judge can remove any number of jurors from the panel for cause, and a fixed number can be removed by prosecution or defense without public statement of cause.
    5. Then a unanimous jury is required to convict.

    That tends to limit the chances of libertarians on the Jury convicting a government agent in the performance of his duty.

  19. Heh... "Everybody Knows" they need anti-malware.. except this guy:

    "Why do I refuse to use these massively popular widely-used products? Simple. I am convinced that in my case, they may cause more harm than good, and that they foster a false sense of security - leading some users to engage in riskier behavior. Further, antivirus software is almost always behind the curve - by definition, the antivirus people are playing catch-up with the malware writers. It's a good living for them, but I choose not to contribute to it."

    "Think about it: antivirus software has to intercept many system functions, monitor, detect and deter malicious activity - even if the software is flawless, which it isn't, it will slow your computer, and consume memory and other system resources. And let's not forget that you must now pay a recurring fee in order to feel safe"

    -- Living without antivirus software

    Some of us do just fine without buying in to the illusion of security.
