53 comments

[ 2.9 ms ] story [ 110 ms ] thread
WikiLeaks which provides anonymous leaking services for things just like this has recently stopped due to lack of funding (and this document would likely have been leaked there if it hadn't been stopped).

Please consider donating to them (they need both money and technical services/expertise) at http://wikileaks.org/ to help them carry on if you'd like to support the freedom to whistleblow.

Any info as to if donating to wikileaks could put you at risk?
It's time for the TSA to go.
And be replaced with what? I'm as irritated with all the stupid TSA crap as anyone else and now go out of my way to avoid flying because of it---but the post-9/11 pre-TSA period was even worse as far as fickleness and inconsistency of security.

TSA needs a lot of fixing. But on the whole I think nationalised airline security is probably the right way to go.

Two things:

1) Reinforced cockpit doors and armed pilots so terrorists can't get control over the plane.

2) Better intelligence and policing on the ground; remember, in the last attempted attack the guys father had raised concerns about him beforehand.

Airport screening is basically security theater.

Some airport screening is necessary otherwise you can easily bring significant weaponry on board which makes the reinforced doors and armed pilots fairly useless. However, reinforced doors let you ignore knives etc, which drastically reduce the amount of screening you need to do.
Alternatively, use the screening expenses to subsidize ticket discounts for (qualified) citizens willing to bring their personal carry piece on board with safety rounds supplied. :)
Arming someone isn't necessarily a benefit. If you can hold a deadly weapon, you can also lose that weapon in a fight, at which point the weapon may be used against you. Especially if you're sitting down in a tiny cockpit when someone bursts in.

If you'd arm anyone at all, you'd want to be sure they are very well trained (e.g. a police officer, infantryman or equivalent) and in a better position to help.

>>you'd want to be sure they are very well trained

I doubt they would just issue a firearm along with the uniforms. Many airline pilots are ex-military and quite capable of using a sidearm. Training/restrictions would certainly be available for those that aren't.

That's the point of reinforcing the doors. Attackers can't just burst in. The firearms are just a last line of defense if someone manages to get through them somehow.
Could we have planes be rigged to release ether into the cabin to put everyone except the pilots to sleep in the event of a hijacking? It could be controlled by the ground, or by silent alarms that the pilots or flight attendants could hit.
Any form of sleep/anaesthesia has a nonzero chance of killing somebody. I don't even want to think what the insurance and liability issues would look like for this.

You can say, "well, only if there's a hijacking" and I'll say, "but how could they be 100% sure, and what would insurance companies make them do to be sure before allowing them to potentially kill innocent passengers, with that insurance company liable?"

It's time for there to be a clear law protecting these journalists from malicious government agencies like the TSA. Apparently, "Congress shall make no law abridging the ... freedom of the press" is not clear enough.
Flagged. This one seems straight from the submission guidelines:

Off-Topic: Most stories about politics, or crime, or sports, unless they're evidence of some interesting new phenomenon. Videos of pratfalls or disasters, or cute animal pictures. If they'd cover it on TV news, it's probably off-topic.

I find it very relative hacker news and this isn't a story that will be covered on TV news. This is behind the scenes and is about how the internet is completely disrupting the control of information by governments.
Hmmm, maybe. However, I could definitely see TSA harassment as something be covered on TV news. I mostly saw this from the political/legal angle which is rather trite and has been covered many times before.

This is behind the scenes and is about how the internet is completely disrupting the control of information by governments.

I didn't think of this at first but you may be right. Although, I would have preferred an analysis from that perspective in this case, rather than a reporting of the legal circumstances.

I think a question of whether bloggers enjoy journalistic privileges or not is a leading indicator of how things will go for new media where journalists aren't necessarily under the wing of a large publisher with an experienced legal department. To me this is the same sort of issue as an exploit advisory.
While we're being sticklers for the guidelines...

If you flag something, please don't also comment that you did.

I'm wondering if there are any of us who would suggest that right after a terrorist attack, it might be a good idea _not_ to share with the bad guys how we're going to stop them? I mean, maybe hold off for a week or so while we figure out if:

A) There are more attacks coming.

B) How we are going to stop them.

You are assuming that what TSA was doing, is doing and is planning to do stopped/is stopping/will stop terrorist attacks.

Their track record is so horrible that they should be fired on the spot, be asked to apologize to everyone they harassed over the years and be forced to return tax payer's money they wasted for expensive x-ray vision and air puffing machines.

To bring back an analogy I made in a previous post, they are like the witch doctor that is trying to cure cancer with a rattle or a voodoo doll. The patients keep dying so as far as they can see, the rattle is not advanced enough. Now they've enhanced the rattle with more bells and added more rules that patients have to follow to get cured.

Of course, those who see through the farce and write about it, get some personal attention and home visits...

Wow, that's a lot of vitriol and indignation, considering their record is actually perfect. Did they get lucky a few times to keep that perfect record? Sure they did. But you can't know what would have happened if they hadn't been there.

The air puffing machines were a pretty ambitious project, carried out in the haste that comes from knowing that every day you delay may be the day that a preventable tragedy occurs. It's easy to make bad decisions in such a situation. To be able to do chemical analysis, in the field, sampling completely uncontrolled inputs, all completely automated with no chemical analysis expert on-hand to vet the results, and the expectation of no false positives to inconvenience anybody. Seems like you could cut them a little slack.

As for the "x-ray vision", as you call it. That seems to work great. It's hampered by public body modesty taboos because it works too well.

Anyway, I'm surprised at your level of angst over this.

Given TSA screeners have failed to detect most fake bombs I think you can put their success rate down to terrorism being incredibly rare rather than competence on their part:

"Screeners at Los Angeles International Airport missed about 75% of simulated explosives and bomb parts that Transportation Security Administration testers hid under their clothes or in carry-on bags at checkpoints, the TSA report shows."

(source:http://www.usatoday.com/news/nation/2007-10-17-airport-secur...)

That's why the air puffer would have been really cool, had it worked. Again, we're to the body modesty. Short of clothing penetrating scanners, either visual or chemical, you're left with somebody caressing you thoroughly to detect these bombs.

Caressing you very, very thoroughly. This last guy's underwear bomb was actually molded into the shape of his butt, as near as I could tell from the photo they showed.

At this point, the public isn't willing to allow that sort of intimacy between them and their security personnel, and, frankly, the TSA operators are probably also not willing to do it. At some point, as it usually does, I suspect technology will solve this.

If you think technology will solve terrorism I think you're entirely on the wrong path.

As security in the computer world shows it takes only a relatively small number of miscreants before you have the ability to hinder the lives of a very large number of people.

You need a near 100% success rate in order to control the problem through technology, something you are unlikely to achieve.

A real solution, therefore, must be sought outside the technological arena and at a much earlier stage in the lives of the would-be-terrorists than several hours before they are about to detonate a bomb.

Countering radicalization is probably a much better way to spend all that money than by spending it on technology.

Okay, I'm interested in some more detail regarding your concerns. In particular, why do you consider their track record to be horrible, and what actions should they have been taking to prevent liquid detonated PETN bombs?

Off the top of my head, I can fault the TSA for only two things:

1. They don't have Full Body Scanners in place. The technology has been around for 3+ years, and would have caught the PETN sewn into the underwear.

2. They still allow liquids onto planes, which can be used to detonate and/or do significant damage to the inside of an airplane.

You clearly have your own list of steps the TSA could have taken - I'm wondering what they are?

1. There have been numerous "breaches" conducted by journalists, etc. over the years.

2. I think the greater point isn't that the TSA is ineffective but rather that they are inefficient. Making millions of travelers each year jump through more and more hoops isn't making any of us safer. A smart, determined, terrorist will easily smuggle something aboard. I've personally walked through security a half dozen times with a lighter in my bag (forgot it was even there) when flying both domestic and international, including going from AMS to IAD. Plus how many TSA screeners have you seen just aimlessly do their job? You think these guys have real incentive to catch smart/determined terrorists?

The fact is the TSA has burned through billions of dollars (your money) that may have been better spent on intelligence and more robust "threat list" monitoring systems. Not to mention on a bevy of other issues they could have tackled with that money.

The TSA going after a few bloggers is inane. Do you feel safer knowing that a bunch of knucklehead TSA agents wasted tax payer money to intimidate a bunch of bloggers? Will the confidentiality of a stupid list of hoops travelers must jump through make you safer?

Is the end-result even a net positive for society? Is it even CLOSE?

I forgot that I had a multitool attached to my keys when I went through security about a year ago. I actually took my keys out, put them in the basket, and walked through. No agent said anything until the return trip, where I was asked to either check my bag or throw it away.
I used to have a mini-Leatherman attached to my key ring, which had a small knife on it. I'd often forget to take it off when traveling, and it made it through airport security on at least 4 trips (so at least 8 times through the x-ray machine), probably more. Ironically, it wasn't the TSA who eventually took it from me, but security outside a club in San Francisco.
1) A more exhaustive list of faults can be found at wikipedia (http://en.wikipedia.org/wiki/Transportation_Security_Adminis...)

2) The liquids threat has been overblown; there are doubts that they pose a significant threat and in the 2006 transatlantic aircraft plot (which was going to be supposedly carried out with liquids) the plotters were arrested on the ground days before any attack was to occur. To reiterate, they were arrested by old fashioned police work, not airport screening procedures.

>> You clearly have your own list of steps the TSA could have taken - I'm wondering what they are?

The best thing to do would be to scale back the focus on the TSA and spend the money on better policing and intelligence work.

Well as I said their track record is very bad. They have not stopped red-handed a single terrorist or a single real bomb. It is usually an air marshal, other intelligence or just near-by passengers that did the work for them.

Yet they have sucked billions of dollars of our money. If we "the people" are the employers and TSA is working for us to keep us safe, it would be reasonable for us to fire them immediatly.

As for your concerns:

> 1. They don't have Full Body Scanners in place. The technology has been around for 3+ years, and would have caught the PETN sewn into the underwear.

There are also body cavities. Would you suggest probing everyone's cavities then?

> 2. They still allow liquids onto planes, which can be used to detonate and/or do significant damage to the inside of an airplane.

Refer to my answer to point 1. Body cavities can hide liquids, powder gels, anything non-metalic.

Even with their existing control they have let liquids and weapons through on numerous time.

So my list of steps that TSA could have taken is:

  1. Quit
It was a document sent to thousands of people at airports and airlines internationally, it wasn't classified, and it describes what millions of passengers are going to experience firsthand going through security lines. In other words: not exactly a secret, and certainly not worth going brownshirt on bloggers for.
No.

1) The TSA is a farce. They've done more damage to the US economy than the terrorists themselves.

2) The changes themselves aren't intended to stop terrorism. They're intended to satisfy the public that "something is being done".

3) Terrorism is extremely rare anyway. If people spent more time worrying about not smoking (for example) and less time worrying about terrorists we'd save thousands of lives every year.

The best thing we could do to fight the bad guys is ignore them and get on with our lives.

I'm sort of a staunch law & order kind of guy, but this is why you never talk to the police. If they want to talk to you, they can have ample opportunity to do so in your lawyer's offices, in a comfortable plush chair, right into the tape recorder, after giving you blanket immunity for anything resulting from what you are about to tell them.

I will also happily let the authorities image my hard drive if they can convince a judge to issue a search warrant for the entire thing. It isn't that I don't trust you, officer, it is just that I desire to renew our traditional understanding that my papers and effects are mine and not to be trifled with lightly.

But if the TSA turn up at your door, claiming they'll put you on the no-fly list if you don't co-operate? Once on the no-fly list, it's close to impossible to get off the list.

It's a government agency with far too much power and no transparency.

Once on the no-fly list, it's close to impossible to get off the list.

Sure, if you don't want to change your name. Go to your local courthouse, change the spelling of your name, get a new ID, you're off the list. That's why the no-fly list is such a joke.

Also, you can bet that they would not make this threat in the company of your lawyer. This is just a scare tactic.

From personal experience, your position, in many U.S. locales, would most likely be poorly received by a police officer. For example, if you are in your car, they can simply arrest you (no charges, but can hold you for 72 hours) and then fully search your person and vehicle and use whatever they find, probable cause be damned.

There are many not well understood and not well court tested Federal rules that can be used against you in much the same way.

I highly recommend when dealing with law enforcement to not use a phrase like "my papers and effects are mine and not to be trifled with lightly". You may get away with this with a senior government official but less likely with a run of the mill police officer.

if you are in your car, they can simply arrest you (no charges, but can hold you for 72 hours)

Are you sure that you can be arrested and held without charges, generally speaking, in the U.S.?

100% sure, everywhere in the U.S., as of at least the early '90s. Practices vary; some places will charge you with something meaningless and drop it when they release you.

According to wikipedia http://en.wikipedia.org/wiki/Detention_of_suspects you can be held without charge for 2 days. I have been told by criminal lawyers the time is 72 hours (maybe that is with charge, regardless of if its dropped or manginess).

> It isn't that I don't trust you, officer, it is just that I desire to renew our traditional understanding that my papers and effects are mine and not to be trifled with lightly.

That's a very nice (and very quotable) way of putting it.

My favorite quote: "Frischling said [the TSA agents] had to go to WalMart to buy a hard drive, but when they returned were unable to get it to work."
An unexpected fringe benefit of owning 2TB drives: the cops can't buy them at WalMart.
This is why all of my disks are encrypted. Power turns off, data is gone. If someone shows up at your door threatening you to provide them with a disk image, you can happily comply. When they realize the data is useless without the Constitutionally-protected secret key that only exists in your mind, they will have to file charges, and get a judge to order you to testify against yourself. And right about then, the investigation stops, because you committed no crime, and the order to testify against yourself is illegal. (If anything, it means you have plenty of time to talk to your attorney. They are not getting the data any other way, so you have the power to say, "wait, let me get my lawyer first", even if they physically seize your hardware.)

I also have a few drives in my house that look like LUKS encrypted disks, but are actually a LUKS header with random data following it. There is no way I could ever decrypt these disks, as there is no data on them; just random bits.

Anyway, you can tell that this was never a real criminal investigation, because a real investigator would get Gmail records from Google, not from some random guy with a laptop. This was purely to scare the blogger into not publishing information about the TSA anymore. "Chilling effect."

What would you suggest for disk encryption? I was looking into PGP and Truecrypt for Mac OS X, but not sure if there are better alternatives?
Your fake encrypted disks are so that you can't be forced to decrypt every disk, even under thermorectal cryptanalysis? Did you do that after reading about pre-commitment in game theory, and do you have a plan to avoid the flaw in pre-commitment strategies under asymmetric information exposed in Dr. Strangelove?
My main enemy is some random person in the airport stealing my laptop bag. My theoretical enemy is the government.

Neither of these adversaries can afford a technical attack. The guy at the airport will say "oh well", format the disk, and eBay it. The government will try to convince me that I do know the key, will fail, and will have to support its (theoretical, of course) case against me with actual evidence instead.

There is one thing I just thought of, though; the SMART log shows how much activity the disk has experienced. It should be easy to check this log to see which disk I use the most. I will come up with some way to plug this leak :)

But anyway, I am not sure this would "prove beyond a reasonable doubt" that I know the key. If any case against me ever depended on me decrypting my disk, I would first refuse. Then, theoretically, a charge of obstruction of justice would be filed against me, and the government would have to prove that before they could even consider their original case. (And that's no cakewalk, as there is case law saying I don't have to give up the password, and I don't think SMART data has ever been used in court.)

So anyway, I think my system is good enough. I don't have any friends in the government feeding me classified information, anyway :( So, it's likely that I will never get to test my system. But I hope the "Real Criminals" read this and perhaps use this information to help themselves stay safe from their oppressive regime.

Be sure that you are aware of the laws on where you travel to. In the United Kingdom, the police can seek a warrant that requires you to either decrypt a specific piece of data or to surrender any encryption private key or password under Part III of the Regulation of Investigatory Powers Act 2000. Refusing to do so under this act is a criminal offence with a sentence of two years in prison (longer if they allege that the encrypted data is either related to terrorist activity or child pornography).

The crazy thing about the TSA: I flew back from SFO to London last month. I had three laptops in my carry-on bag. I also had a can of Red Bull. Apparently, the can of Red Bull is highly suspicious, but the three laptops are not. I had a perfect excuse though: one was running OS X, another was running Linux and the last was running XP.

The TSA is not supposed to care if you are doing something illegal, they are only supposed to prevent you from bringing certain things into the secure area of the airport. Liquids (or cans that contained them) are what they are supposed to watch for. Laptops are fine.

Customs is another story; they would probably ask about your laptops.

There's the difference between Joe-blogger and someone who's an actual journalist. Granted, I don't know that "writes a column for the Washington Post" is exactly hard-hitting journalism, but I find it interesting that he did not turn over any information on his source whereas the guy who was just a blogger complied.
Presumably, the Washington Post has lawyers that deal with this sort of thing, and they have a newspaper that can publish all the details to a wide readership. The Post journalist presumably took some journalism courses, where they probably teach you to not talk to the police in these circumstances.

The blogger probably had none of those, and just wanted to take care of his kids that night.

Wait, the TSA has their own subpoena-serving law enforcement agents?

I wonder if they instead used the FBI, if those agents might have been able to get an external hard drive to work?