3 "Only Ones" arrested for theft

TSA agents stole money from passengers at screening points in Miami:

Three Transportation Security Administration agents who work at Miami International Airport were arrested on fraud charges.

According to investigators, Elizabeth Fuster, Josue Gonzalez and Labarrius Williams worked together to steal cash from passengers’ purses and bags while they were being screened at the airport, June 29.

The agents were removed after a TSA employee followed up on a complaint, watched surveillance video and shared findings with the police, who took immediate action and placed them under arrest on Thursday.

But remember, only government agents can be trusted with firearms.

Security guru Bruce Schneier has been saying for years that TSA is a total waste of money (c.f. the 90+% failure to detect phony bombs during testing), and that if he were put in charge of it he would give all the budget back to the treasury.

 

The inability of government security programs to work

A reporter once asked security guru Bruce Schneier what he would do to make the TSA more effective. Schneier replied that if he had the agency's budget, he'd give it back.  He added that only two things have improved airline safety after 9/11: strong cockpit doors and the passenger's realization that they have to fight to live.  And yet airport security is worse now than it was then.

This post from ten years ago still rings true.

The world's cutest terror suspect

Todd Brown is the proud dad of an adorable little girl. A little girl that he found out, is on the TSA's list of potential terrorists.

It seems that if you're willing to do a fair amount of leg work, this sort of silliness actually gets cleared up. So well done to Mr. Brown, and I guess to the TSA for making the skies safe for cuteness.

Mr. Brown makes a good point, that there's nothing to tell you that you're on the list, and need to grovel your way through the TSA's unhelpful web site to find the required form. You could plausibly claim that this is a security feature - if the special someone on the list actually were a terrorist, you wouldn't want to let them know.

Which ignores the issue that it's idiotic to have someone so dangerous that they shouldn't be allowed to fly, but not dangerous enough to arrest. That's a discussion for another day. Today, the issue is false positives, the erroneous report that someone or something matches a particular categorization, when they actually don't.

This is why you get a second opinion when your doctor tells you that you have a serious disease. Any diagnosis will be less than 100% accurate, and you don't want to go on an expensive and invasive regime if you're one of the 2% that don't actually have the disease.

An anonymous commenter left this, over in Brown's comments:

They efficiently shifted the cost of false positives to you.

Bingo.

A long time ago, I posted about false positives and why the TSA doesn't go after everyone on one of its lists:

If we really thought these folks were actually terrorists, we'd investigate them. A reasonable investigation involves a lot of effort - wire taps (first, get a warrant), stakeouts, careful collection of a case by Law Enforcement, prosecution. Probably a million dollars between police, lawyers, courts, etc - probably a lot more, if there's a trial. For each of the 700 [people in our thought experiment]. We're looking at a billion dollars, and this assumes a ridiculously low false positive rate.

There are on the order of a hundred thousand people in TSA's no-fly or watch databases. Not 700. If you investigated them all, you're talking a hundred billionbucks. So they turn the system off.

And that's actually the right answer. The data's lousy, joining lousy data with more lousy data makes the results lousier, and it's too expensive to make it work. How lousy is the data? Sky Marshals are on the No-Fly list. No, really.  5 year olds, too.

Actually, they haven't turned the system off. Rather, they've shifted the cost of the investigation to Mr. Brown and people like him.

From the TSA's perspective, this makes sense. From our perspective, it's annoying. It's double-plus annoying when there's nothing that tells you that you're likely a false positive in their system. There is, of course, a sure-fire way to reduce your chance of triggering a false positive in the TSA's system to zero. Guaranteed to work every time.

Drive.

So what product does the TSA produce?

Travel delays.  I posted this ten years ago and precisely nothing has changed.

The TSA's Maginot Line

Philip Greenspun discussed the Fed.Gov in general, and the TSA in particular, marveling at the sheer cost of all the uselessness:

In “TSA: Taxes Spent Absurdly”, Becky Akers asks “How do you turn an industry that costs $700 million annually into one that eats $6 billion?” The answer turns out to be “Nationalize it, as Congress did airport screening after Sept. 11, 2001.” She goes on to note that “The TSA’s nearly 50,000 screeners have delayed, frustrated and harassed passengers at airport checkpoints from Maine to Hawaii. What they haven’t done after eight years and $48 billion is catch a single terrorist.” 

Akers is certainly understating the cost of aviation security imposed after 9/11. At our little airport there is a state trooper employed to fingerprint student pilots. An average Massachusetts State Trooper, including pension, is paid over $200,000 per year. A couple of airport employees help with background checks, security education, and issuing badges. Until a student or renter gets a badge, which takes at least four weeks, the customer must be escorted by a flight school employee at a cost of perhaps $25 per hour. The customer who does a thorough pre-flight inspection of an airplane may take all of the profit out of the rental.

It all reminds me of this:

After World War I, the French were understandably nervous about a rematch. They built a hideously expensive set of fortifications from the Swiss border all the way to Belgium. Called the "Maginot Line", it was state-of-the-art for Trench Warfare. Unfortunately, les Boscheweren't interested in Trench Warfare, and France fell in 6 weeks as the Blitzkreig bypassed it.

The TSA spends truckloads of cash at every airport in the land - including, as Professor Greenspun points out, small, commercial ones. This is what they do. Their product is slowing passengers down. High-visibility security kabuki. Of course they haven't caught any terrorists. The terrorists are targeting other targets.

There are two things that have improved air safety since 9/11: real locks on the cockpit doors, and passengers who know they have to fight back. Nothing else has made any difference (with the possible exception of Air Marshalls, but they haven't stopped anyone so far). You may not have noticed, but baggage screening still isn't what it should be, and that problem would be solved if the TSA weren't allocating all their resources elsewhere.

Sort of like the French building forts instead of armored divisions.

None of this poor prioritization should come as a surprise. In other news, we hear that the California government is introducing new TV energy standards:

Energy regulators on Friday moved forward with a plan that could ban the sale of the most power-hungry televisions from California retail stores.The California Energy Commission released what it hopes will be the nation's first energy-efficiency requirements for the flat-screen TVs. A final vote on the regulation is expected in November.

What's wrong with this picture? California is broke. But they still have enough money to issue new regulations that will make things more expensive. And this isn't the first time.

My budget at work periodically gets cut, as business gets better or worse. These cuts force me to prioritize. If you're clever, you can do anything - you just can't do everything. Cut government 10% across the board, and you'd make a good down payment on health care, you know? Plus you'd do 10% less damage to the economy, with higher employment and tax levels that result.

Ten years ago on this blog

Yup

Actually, this explains a lot.

Postscript: It seems that on this day ten years ago, I posted six times.  Crazy kid ...

Totally Stupid Agency screws up your locks

Facepalm:

Air travelers who don’t have firearms in their checked luggage probably use a special Transportation Security Administration (TSA) approved lock. What is a TSA approved lock? I’ll let the TSA’s very own Blogger Bob explain:

TSA has worked with several companies to develop locks that can be opened by security officers using universal “master” keys so that the locks may not have to be cut. These locks are available at most airports and many travel stores nationwide. The packaging on the locks indicates whether they can be opened by TSA.

In other words TSA approved locks are locks with an included backdoor that can be used by TSA officers to access your luggage. I will take a moment to note that the use of TSA approved locks is not lawful when firearms are in your checked luggage so those of us who do fly with them do not, and legally can not, use TSA approved locks.

Guess what happened with the TSA's backdoor key?

Golly gosh, let's all remember to thank the Republicans for this smoking crater of a failed Agency.  And let's make sure to vote for some more Republicans so we can get even more!

Now you can play TSA in the comfort and privacy of your own home!

PervScan™ (Rapiscan) scanner for sale on eBay.  Amaze and impress your friends!  See under their clothes!  Tons of fun for parties ...

Image vie the Wik

Only $8000.  Two available.  What's the over/under on whether the image files were erased before the systems went up on eBay?

(via)

Just how bad is the security of the TSA's PervScan® machines?

They run on Windows 98.  I'm not making this up:

KASPERSKY SECURITY ANALYST SUMMIT 2014 -- Punta Cana, Dominican Republic -- A widely deployed carry-on baggage X-ray scanner used in most airports could easily be manipulated by a malicious TSA insider or an outside attacker to sneak weapons or other banned items past airline security checkpoints.

Billy Rios, director of threat intelligence at Qualys, here today said he and colleague Terry McCorkle purchased a secondhand Rapiscan 522 B X-ray system via eBay and found several blatant security weaknesses that leave the equipment vulnerable to abuse: It runs on the outdated Windows 98 operating system, stores user credentials in plain text, and includes a feature called Threat Image Projection used to train screeners by injecting .bmp images of contraband, such as a gun or knife, into a passenger carry-on in order to test the screener's reaction during training sessions. The weak logins could allow a bad guy to project phony images on the X-ray display.

But fear not, Citizen.  The TSA is staffed by professionals.  And Government processes will ensure that the outcome is over determined:

"This reminded me a lot of voting machines. When you design these government systems under procurement rules, you end up using old stuff. No one is paying attention to updating it, so security is crap because no one is analyzing it," says Bruce Schneier, CTO of Co3 Systems. "Stuff done in secret gets really shoddy security ... We know what gives us security is the constant interplay between the research community and vendors."

Yeah, good luck with that here.

"These bugs are actually embarrassing. It was embarrassing to report them to DHS -- the ability to bypass the login screen. These are really lame bugs," Rios says.

Wonder if they're going to put him on the No-Fly list now.

Security Smorgasboard

The NSA has weaponized the Internet:

According to revelations about the QUANTUM program, the NSA can “shoot” (their words) an exploit at any target it desires as his or her traffic passes across the backbone. It appears that the NSA and GCHQ were the first to turn the internet backbone into a weapon; absent Snowdens of their own, other countries may do the same and then say, “It wasn’t us. And even if it was, you started it.”

If the NSA can hack Petrobras, the Russians can justify attacking Exxon/Mobil. If GCHQ can hack Belgacom to enable covert wiretaps, France can do the same to AT&T.

Securely deleting cache, cookies, and sensitive data:

BleachBit quickly frees disk space and tirelessly guards your privacy. Free cache, delete cookies, clear Internet history, shred temporary files, delete logs, and discard junk you didn't know was there. Designed for Linux and Windows systems, it wipes clean a thousand applications including Firefox, Internet Explorer, Adobe Flash, Google Chrome, Opera, Safari,and more. Beyond simply deleting files, BleachBit includes advanced features such as shredding files to prevent recovery, wiping free disk space to hide traces of files deleted by other applications, and vacuuming Firefox to make it faster. Better than free, BleachBit is open source.

Seems like quite a good idea, even if you don't lean towards the tin foil hat side of the spectrum.

A live OS from USB that lets you browse anonymously via TOR:

Tails is a live operating system, that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:

• use the Internet anonymously and circumvent censorship;
  all connections to the Internet are forced to go through the Tor network;
• leave no trace on the computer you are using unless you ask it explicitly;
• use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.

This also seems like an interesting idea.

Private Instant Messaging:

Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing:

Encryption

No one else can read your instant messages.

Authentication

You are assured the correspondent is who you think it is.

Deniability

The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.

Perfect forward secrecy

If you lose control of your private keys, no previous conversation is compromised.

Boy, the NSA sure has inspired the security guru community.  Way to go, NSA!

Oh, and the TSA is completely useless:

Back in 2006, I -- and others -- explained how to print your own boarding pass and evade the photo-ID check, a trick that still seems to work. In 2008, I demonstrated carrying two large bottles of liquid through airport security. Here's a paper about stabbing people with stuff you can take through airport security. And here's a German video of someone building a bomb out of components he snuck through a full-body scanner. There's lots more if you start poking around the Internet.

So, what's the moral here? It's not like the terrorists don't know about these tricks. They're no surprise to the TSA, either. If airport security is so porous, why aren't there more terrorist attacks? Why aren't the terrorists using these, and other, techniques to attack planes every month?

I think the answer is simple: airplane terrorism isn't a big risk. There are very few actual terrorists, and plots are much more difficult to execute than the tactics of the attack itself.

But hey, those citizens won't grope themselves.  Mission Accomplished, G-Man!

Of course the airport shooting was at the security checkpoint

This is the obvious place.

Why the TSA is the Totally Stupid Agency, part XCIII

They tried to swipeseize Chewbacca's Light Saber cane.  They were obstinate until he live-tweeted it, then folded like a house of cards:

North Texas resident and "Star Wars" Chewbacca actor Peter Mayhew had a dust-up with Transportation Security Administration agents in Denver when they attempted to confiscate his light saber-shaped cane.

Mayhew was returning to Dallas-Fort Worth International Airport from an appearance at Denver ComicCon when TSA agents refused to let Chewie board his plane with his one-of-a-kind cane.

Idiots. Just wait until they're running your health care. They're already reading your email.

Just how stupid is the IRS?

It's pretty stupid to target the enemies of the current Administration, to be sure, but that's not what I'm getting at.  It's stupider - so, so stupider - to get caught:

You'll remember that Californians who donated to help pass Proposition 8 were boycotted.

The IRS gave NOM's chief political rival its donor list. I believe so that a similar boycott could be had.

This was, of course, illegal. And making it worse is proof of consciousness of guilt -- whoever leaked the document took pains to redact the internal stamps and markings that would show it was leaked from the IRS.

But NOM was able to go to an expert to "see under" the black bars of redaction.

What do we know from this? We know that the IRS doesn't have anyone who knows the first thing about computer security, because there's a long, long history of people recovering "redacted" information from PDF documents.  The reason is that people who don't know what they're doing simply put black boxes over the text to be redacted.  If you have two brain cells to rub together, you simply remove the black boxes and voila! - there's the incriminating text in all its glory.

Everyone who's been to a computer security rodeo or two knows this.  The Justice Department knows this.  El Wik goes rather on and on about it.  Heck, Adobe (the creators of PDF, hello) blogs about it.

I guess that the IRS is too busy grilling non-profit organizations about what's in the prayers at their meetings or something.  But don't feel bad, IRS - the TSA doesn't get it, either.  That should make you feel better, that you're as smart as the Totally Stupid Agency.

Maroons.

"Libertarian" statist pricks

You don't normally expect to run across drool-worthy, jaw droopingly idiotic blog posts over at the Volokh Conspiracy, particularly not ones going full frontal in their advocacy of the most useless, wasteful, freedom-infringing, Statist Prick delighting Federal Agency ever devised.

Stewart Baker just did that.  Boy, howdy: The Sex secrets of the TSA?

It’s Thanksgiving weekend, when most of us get to spend at least some time thinking about TSA. I’ve spent mine puzzling over the roots of TSA-hatred.

There’s no doubt that it’s virulent. As a privacy skeptic and national security conservative, I’m used to hostile comments.  But it’s only when I defend TSA that the comments go beyond hostile to visceral and occasionally even spittle-flecked.

Why is that? Notwithstanding the venom of the TSA-haters, polls show that most Americans support TSA, including the decision to use whole body scanners. But for a very vocal minority opposing the agency isn’t political. It’s personal.

I can’t explain the women who hate TSA with a passion, though I’m not sure how many there are.

Wow.  The comments to that post are interesting, as are the comments to Jonathan Adler's Wow, didn't Stewart really open a can of worms one.  The first comment to that post is interesting:

Baker's post "touched a nerve" because it is insulting and beyond idiotic. The idea that women are going to be turned on by the involuntary guy on guy action in the security line, combined with the idea that men object to the screenings because of some kind of anxiety over their performance while being groped, is terribly offensive and litteraly the stupidest thing anybody has ever written on this blog. The fact that Baker would make this comments as one of the authors of the TSA policy shows him to be just a sick individual. It is not at all surprising that this is the TSA mindset.

[emphasis mine]  Note that the blog allows readers to rate a comment as positive or negative.  As I write this the score is 110 like vs. 2 dislike.

This shows that even a "libertarian" blog can be infested with statist pricks.  I had not known that Baker had been the #2 (or #3) man at the Department of Homeland Security.  But his view into the American Psyche is telling - the commenter to Adler's post has it precisely correct.  Baker wrote TSA policy.  The TSA is his baby.

Own it, Baker.

This was quite an insight for me as to the Volokh Conspiracy site.  Branding is a simple thing, but people forget that it's a two way street - people you work with can help your brand, but they can also hurt it.  I'll never run across that blog without the words "statist pricks" whispering in the back of my head.

And oh yeah, you should read Ken at Popehat on this, where our very own TJIC shows up in the comments with his patented form of snark.

Musing

Has a Federal Agency every been mocked more brutally than the TSA on South Park?  The "Toilet Security Administration"?  "Sir, I need to check your asshole."

I wonder what Blogger Bob has to say about this.  Me, I think this is unspinnable, but I'm dying to get his take on it.  I expect his explanation will be dazzling.