I’m finally back in town after spending a lot of time in airports the past couple of weeks, and I have to concur with those who assess that the current state of airport security as totally unacceptable.

According to the article:

Posing as passengers, the decoys try to take dummy bombs, unloaded guns and other contraband through the airport’s security checkpoints. But the lawsuit said Covenant tracked the decoys via closed-circuit television cameras and tipped off workers at security gates to expect a test.

As a result, Covenant’s personnel intercepted as many as 90 percent of the federal decoys in the tests, according to the complaint.

First off, let me steal Schneier’s commentary:

All security systems require trusted people: people that must be trusted in order for the security to work. If the trusted people turn out not to be trustworthy, security fails.

Next, let’s consider what else this tells us–that even under perfect conditions (screeners alerted to the fact a test was coming), they still missed 10% of the threats!. This means that even when the target was identified, they were unable to find the hidden Bad Thing. In reality, people get things through that they shouldn’t have all the time. I watched an Air Marshall walk through the metal detector with his weapon plainly visible and it didn’t go off. So much for the Technology Factor.

I’ve got a couple more personal observations from my time spent in airports in the past few days. Nothing new or interesting, really, but distressing/irritating nonetheless.

First off, the TSA is a porkbarrel jobs program. What is the benefit of checking the name on my ID against the name on my Web Check-In boarding pass three times in a row, but never validating it against a computer? All I can come up with is that it allowed the TSA to employ two more people than it would have otherwise. This gaping hole in security process has been thoroughly documented, but is not getting any better from what I can see.

Second, Random Security Checks are easy to bypass. (Note: This may or may not be entirely correct unless processes are identical between multiple airports.) In two of the airports I was in, one of the people who checked my ID against my boarding pass would mark some boarding passes with an orange hi-liter. This, he told the person behind me, singled him out for a “special security check.” A few days later, I got my boarding pass marked up, though I was not specifically told I’d been singled out. I did note that no one else around me got marked up. When I got to the metal detector, I simply took the receipt copy of the boarding pass (un-hi-lite’d) and stuck it in my shirt pocket. The guard looked at that receipt (rather than the actual boarding pass) and didn’t wave me over to the “special” line.

While the ability to avoid Special Treatment isn’t foolproof, the fact that the “token” (my marked up boarding pass) is given back to me and I’m mixed back into the herd until the screener at the gate pulls me out again makes this pretty easy to bypass. I could have simply brought a second copy of my boarding pass with me and presented the “clean” one to the security screener, if I really wanted to avoid a patdown or wanding.

Heck, I actually had two “real” boarding passes with me–I’d used Web check-in, then changed my flight at the airport, which brings me to my third point. There is no guarantee that only travellers have made it past security. It’s easy to dummy up a boarding pass which will get you through security. Most people have focused on the ability to alter the name. But what if I just wanted to get inside the gate area? All I need is a reasonable facsimile of a boarding pass and I’m good-to-go. I’m not quite sure what I’d do with that ability off the top of my head, but cruising for unattended laptop cases, snooping on the various wi-fi offerings most airports now provide, sneaking parts of a weapon through one-at-a-time, or producing low-cost reconnaissance on airport security procedures jump immediately to mind.

Regardless of what I chose to do with that access, unless it’s to pay too much for tacky souvineers in the gift shop, it’s probably not for the best.

The wheat and chaff approach to breaking security is one that I think would always work well, it certainly does when talking about electronic security. The system is not designed to look for long time-base issues - only extremely short time-base, or single instance issues. As Schneier has said, it’s not anything more than the appearance of security for the unwashed masses. If anything, airports and airplanes are *less* secure today than they were 4 years ago.