By Peter Cochrane, 12 November 2007 14:53
COMMENT
Written in an Edinburgh hotel and dispatched via a free wi-fi service
Recently I've been flying in and out of the UK on a variety of international carriers including some of the so-called low-cost airlines. Airport procedures have been more or less the same - except at London Stansted which excels in exacerbating all forms of traveller misery.
Standing in the security snake I marvel at the calmness and patience of passengers. In particular, I watch the reaction of those passing through the UK who suddenly discover that, unlike elsewhere on the planet, passengers are limited to one bag of hand luggage each. Their fortitude amazes me.
Weary and disoriented, having already passed through all the US security checks eight hours earlier, they have to deal with the irrationality of flying into the UK with two bags only to be told that even on a flight transfer across the airport, they can only carry one.
Worse, the dimensions of the one permitted bag are smaller than anything a self-respecting American would carry. At this point the fun starts - and very often it isn't a pretty sight.
There is only one question to ask: does the UK, one-bag limit improve security? I think not. Since 9/11 many independent tests have shown the size or number of bags makes no difference. The determined can still get through if they are sufficiently cunning.
I have been testing security systems for decades and in my view airport systems are no better or worse than any other that employ humans as the primary agents. And the basic reason is that being vigilant is very hard work.
Since 9/11, only two airports have discovered one of the dozen or so illegitimate test items I deliberately carry. In Austin Texas they confiscated an item with plenty of ballyhoo, while in Paris the French decided I didn't look like a terrorist and gave me back the same item.
At London Stansted security staff became completely diverted by a bottle of shampoo and a few other items because they weren't in the regulation plastic bag and totally missed all my test items.
The really farcical nature of all this is after passing through security at most airports I find it so easy to buy as many bags as I like, many of which bust the UK regulation size, and bottles of whisky and other potential weapons.
Browsing the shelves of the pharmacies on the concourse of airports I often find an assortment of really useful items that would be handy for anyone suddenly deciding to cross over to the dark side.
The fortunate truth is the vast majority of people on this planet are good and well intentioned and airport security systems are not 100 per cent overt.
Of course, the security snake is just one aspect and the reality is security starts much earlier in the day and observation and testing is continual. But it would be good to think we were heading towards a system that was far more reliable, less fallible and less people-based.
My most recent security revelation has been garnered from travelling on the same low-cost airline several times with a clear view of the cockpit door. Each time a hostess or member of the flight crew entered the flight deck I could see the key code used and could therefore have gained entry with ease.
Who designed the system with a keypad in passenger gaze and who briefed the crew to stand back so fingers and keys are visible? Don't these people ever use an ATM?
Some decades ago I formulated the following security laws, which still seem to hold true today:
- Resources are deployed in inverse proportion to actual risk.
- Perceived risk never equals actual risk.
- Security people are never their own customer.
- Cracking systems is 100 times more fun than defending them.
- Security standards are an oxymoron.
- There is always a threat.
- The biggest threat is always in a direction you're not looking.
- You need two security departments - one to defend and one to attack.
- People expect 100 per cent electronic security.
- Nothing is 100 per cent secure.
- Security and operational requirements are mutually exclusive.
- Hackers are smarter than you - they are younger.
- Legislation is always more than X years behind.
- As life becomes faster and more chaotic, it automatically becomes less secure but the good news is that half-lives are getting shorter too.
- People are always the number one risk factor. Machines are perverse but they are not devious or vindictive - yet.
Comments
There are 18 comments. Join the discussion
1. jon
I'm curious - what exactly are these test items?
2. Jack Hughes
I recently flew from East Midlands Airport to Limoges airport, in France. I still remember the look on the face of the X-Ray machine operator as my bag went through. Shortly afterwards I got a glimpse of the screen as she showed it to her colleague whose job it was to search my bag.
Basically, the machine just showed my bag as one large lump of metal, so the security attendant didn't spend too much time going through my bag after realising that it was just full of the assortment of chargers and gadgets I was taking for my fortnight stay.
I could have quite easily had a small knife or other contraband in there, not even hidden and it would not have been found.
Let's be honest though, the only way an aircraft hijacking becomes serious is when the aircraft is flown into a densely populated area, which, after the WTC disaster simply would not be allowed to happen. I see any threats not coming from aircraft but other situations such as the Underground. Even then, any risk is currently negligible, surely.
Perhaps we just like something to worry about.
3. John H Woods
Proportionality of response would be the best defence against terrorism: in fact an argument can be made that the most effective part of terrorism is inducing a response from governments and the general public out of all proportion to the actual risk.
The worst thing that can happen when a plane comes under the control of terrorists is that the plane itself is used as a weapon, as in 9/11. 7/7 was shocking for the UK and a terrible event, but had a 100 times lower death toll (less than 1/4 of the annual London transport fatality total).
Let's concentrate on mitigating the risks of major events and accept that low level terrorism, whilst an awful thing, claims relatively few lives.
4. Haydn Rees
The problem is defensive security. How do you sharpen it up to the necessary level? To borrow from biology, evolution occurs fastest when the environment is hostile.
You can't afford to have the only game in town as Defensive Security vs. Blackhat penetration. Now if only there was a way of setting them against non-malevolent opposition; tame but aggressive predators - ideally more aggressive than the wild ones.
This is a workmanlike set of axioms, that need hard money invested in them to identify and quantify risk, and align resources accordingly. I think the only people competent to identify such priorities are the pen-testers, but that's a hard sell.
Forget Polo; White-hat security penetration testing sounds like the sport of Kings - it must become one of the most interesting career paths available to attract talent.
The amount of infrastructure now controlled over the web expands the definition of critical infrastructure, because it explodes the number of points of vulnerability.
The only way to get the resources would be a regulatory environment which sees prisons littered with company directors whose physical and technical systems weren't pen-tested regularly enough.
We will need an industry almost exactly like this during the Olympics, which means we will need a run up.
Professionalised whitehat penetration testing? Where do I sign up?
5. Don Tregartha
Immigration is no better. On a trip back from Italy with the family, we were subjected to an endless queue whilst an immigration official scanned each of the passports of every single inbound traveller. At a time when we just want to go home, some unpleasant, officious, and judging from recent news reports possibly less qualified as a citizen of the UK, officer scowled at each of us in turn. Okay, I'm not expecting the "did you have a great holdiay?" routine, but the general approach infuriated me to the point of declaring to said stone faced individual - "it's my country too!"
Let's not get so scared of the bogeyman that we become prepared to put with any sort of cr*p from the authorities.
6. Simon Jones
It has always bemused me that you can still buy glass bottles in duty free, surely one of the easiest things to make a deadly weapon out of.
Also what is the point of having tight security one side and not the other? Coming back from Crete recently I witnessed to baggage scanner guy completely ignoring the screen, as a stream of unchecked bags passed by. His attention was diverted as he was busy texting on his mobile
7. Paul M
I discovered the one carry-on bag recently at Gatwick... I had a modest camera bag and a just-right-size carry-on - the check-in staff didn't comment on my having two bags.
When I got to security I realised my mistake and had to go away and repack very carefully to get everything into the carry-on; nothing in it was particularly well protected but it was only like that for the five minutes passing thru security. Once through, I repacked and had two hand luggage items again.
8. Jeremy Wickins
It is insane - the whole idea of proportionality has gone. Bruce Schnieier has said that there is only one piece of security that has reduced the risk of a 9/11 happening again, and that is the fitting of locks to the pilots cabin. All the other stuff is just security theatre. Nonetheless, it does seem weird what attracts the attention of the security bods. Recently at Doncaster Robin Hood I had a key ring ornament taken away from me, because it was "a tool" (A Claas tractors promo that looked like a spanner with an allen key head attached). This had gone on dozens of flights with me previously, going through security in many airports (including Doncaster only a week before!!), usually in plain view, but suddenly I can use it to dismantle a plane, or something! The bag with the electronics - including the laptop (one of my tests for airport security - never been asked to take it out of the bag), external hard drive, transformers, chargers, MP3, radio, etc. never got a second look! Coming back from Prague a few weeks later, same electronics, no questions, but the bottle of water - guess what sort of a look I got!
9. Mark Hosey
“Hackers are smarter than you - they are younger.”? You do me (I’m over 50) and many other older and experienced engineers and technical workers a disservice. I’m still as smart as I ever was. OK, so I’m more cynical and less inclined to comply with corporate demands. I’m more inclined to spend time with my family rather than work unpaid overtime in the vain hope of a promotion. My perceived lack of professional recognition and the demands of family life have tempered my ambitions. But I can still hold my own in any technical discussion, I still have ideas that would knock your socks off and I am still capable of learning new skills. In addition, I have 30 years experience and have developed a fairly open mind to my subject that graduates and new starts often lack
Perhaps hackers do what they do, not because they are smart and have some skill or knowledge I or my older colleagues lack. Perhaps they do it because they are rebellious, mischievous, ignorant of the true consequences of their actions and lack respect for the technology and social structures we have all contributed to and developed.
Perhaps you would advocate us old guys developing a few viruses and hack into a few big data bases. But we won’t, not because we can’t but because we are not that irresponsible any more.
10. A. Non
At Stansted passengers in front of me with laptops in laptop bags were asked to remove them & send them through the scanner separately. I didn't lie, but as the guy never asked if my rucksack had a laptop in it I didn't volunteer the information, and nor was I 'pulled up' as it went throught the machine. At the same time a young girl was admonished for not having a small tube of prescription medication in a clear plastic bag - its nonsese!
11. Peter Cochrane
Jon = My test items include a set of srewdrivers, file, knife, scissors, nail file, tweezers, bottles of oversize fluids and gells. Peter
12. Peter Cochrane
Jack = Yes indeed it is all in the packing! Peter
13. Peter Cochrane
John = Good observation in line with my "Laws of Security"! Peter
14. Peter Cochrane
Haydn = Society/the authorities/media, politicians no longer have the whit to assess what the actual risk is in any given situation. We now have a 'jobs worth culture' with 'jobs worths' calling the shots. Over reaction by >10 fold is now the norm to any risk or threat. Peter
15. Peter Cochrane
Paul = I do that with my computer bag all the time too! Peter
16. Peter Cochrane
Mark = My body is 61, but my mind about 19. I have an iPhone purchased in the USA on sale exclusively for ATT network use, hacked and operating in the UK, but not on O2. Why? Because I can!! Peter
17. Peter Cochrane
A Non = Nice one - and I have pulled that one too - it always seems to work. But I find putting my laptop on the belt along with my phone, pen. money and trouser belt and shoes etc a really good distracting technique. Magicians are really good at this stuff too! Peter
18. Peter Summersgill
You're very lucky, Peter. While travelling with my family this year we have had nailfiles, a penknife, deodorant, tweezers, a multitool and a precision screwdriver keyring confiscated :)