About Me

My photo
Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics. I'm also on Twitter @bond_alexander All opinions are my own unless explicitly stated.

Monday, November 29, 2010

What computer security and airport security have in common

Like many others out there, my wife and I took a plane to visit family for Thanksgiving.  In fact, due to a work travel obligation I had to take four flights in the past two weeks, which is about what I usually fly in a year.  That means four trips through airport security, although I managed to avoid the x-ray naked body scanners each time.  My wife had to opt-out on our return from Thanksgiving (luckily, the screeners we encountered were professional), although others have not been so fortunate.  You can request a private room to prevent that sort of abuse.

There are potential health risks.  In particular, I want to know what safeguards there are for misconfigured backscatter machines.  TSA claims that when the machines function normally there is minimal risk, but sometimes machines malfunction or are misconfigured due to poor training and TSA is already known to have poor training standards.  There are the obvious privacy losses associated with naked pictures being taken of travellers.  TSA assures us that the images will never be saved or made public, but that promise has been broken once already by the US Marshalls.  I for one don't trust that it won't happen again.

 However, these issues are specific to airport security and the naked scanners in particular.  The bigger problem in my mind is that this continues to provide a static defense against a particular type of problem.  Like the French Maginot line, TSA checkpoints have become an elaborate but static defense designed to prevent the types of invasions that have come in the recent past.  Like the Maginot line, the attackers see that we're currently obsessed with one particular avenue of approach and are starting to switch tactics to bypass them.  Bruce Schneier recently wrote a consice summary of the airport problem: 

A short history of airport security: We screen for guns and bombs, so the terrorists use box cutters. We confiscate box cutters and corkscrews, so they put explosives in their sneakers. We screen footwear, so they try to use liquids. We confiscate liquids, so they put PETN bombs in their underwear. We roll out full-body scanners, even though they wouldn’t have caught the Underwear Bomber, so they put a bomb in a printer cartridge. We ban printer cartridges over 16 ounces — the level of magical thinking here is amazing — and they’re going to do something else.


This is a stupid game, and we should stop playing it.
The same problem exists in modern computer security.  So much attention both on the corporate and personal level is focused on the firewall, trying to block people from entering the network.  It's the same situation as on an airplane, just replace luggage searches with packet inspection and no-fly lists with port blocking.  As long as airport and computer security is entirely focused on preventing intrusions at the border, it will fail.  When we realize we need to also have measures in place to respond to intrusions, we can begin to detect attackers early and prevent damage from being done.  This is how both Richard Reid and Umar Farouk Abdulmutallab were stopped after TSA failed.  Note, no Air Marshalls were on their flights, these attackers were stopped by the random passengers that were nearby.

That's stopping people at the last minute, though.  Like any crime, there's a process of deciding to attack, identifying a target, reconnaissance, positioning, attacking, and response.  That link refers mostly to violent crime, but with some modifications it applies to burglary or hacking as well.  Having an adaptable security procedures and a responsive law enforcement presence that is able to take proactive measures to disrupt criminal or terrorist gangs will massively improve safety, far more than naked body scanners ever could hope to.

But that brings me to the final common element between computer and airport security.  Safety is not something you HAVE.  It's something you WORK TOWARDS.  There's no way to be perfectly safe/secure.  There's no way to stop every attack.  Hacker-proof, burglar-proof or terrorist-proof only exists for politicians and salespeople, in the real world there is always risk.  All we can do is prevent what we can and minimize the damage from what we can't.

Agree with my post?  Disagree completely?  Share your thoughts, post a comment.