I once made the mistake of calling these devices “alarm systems” while in front of the manufacturing plant manager. He corrected me.
“Mark,” he said. “These are not ‘alarm systems’. We don’t call these products ‘alarm systems’ because they don’t alarm anyone – certainly not crooks and bad guys.” I thought he was joking at first, but he was watching me very seriously. “Instead, we call them ‘security systems’ because having one of these systems installed makes our customers feel more secure!”
I was recently reminded of this while reading an article about airport security that was recently published in The Atlantic by Jeffrey Goldberg. Mr. Goldberg writes that all of the extra “security” measures that were installed after 9/11 have been essentially useless “security theater” used to make the customer feel safe. I think my old bosses would have agreed with the term “security theater”.
From the article, security expert Bruce Schneier explained to Goldberg how to avoid the dreaded “No Fly” list maintained by the government.
As we stood at an airport Starbucks, Schneier spread before me a batch of fabricated boarding passes for Northwest Airlines flight 1714, scheduled to depart at 2:20 p.m. and arrive at Reagan National at 5:47 p.m. He had taken the liberty of upgrading us to first class, and had even granted me “Platinum/Elite Plus” status, which was gracious of him. This status would allow us to skip the ranks of hoi-polloi flyers and join the expedited line, which is my preference, because those knotty, teeming security lines are the most dangerous places in airports: terrorists could paralyze U.S. aviation merely by detonating a bomb at any security checkpoint, all of which are, of course, entirely unsecured.
“We proved that the ID triangle is hopeless,” Schneier said.
The ID triangle: before a passenger boards a commercial flight, he interacts with his airline or the government three times—when he purchases his ticket; when he passes through airport security; and finally at the gate, when he presents his boarding pass to an airline agent. It is at the first point of contact, when the ticket is purchased, that a passenger’s name is checked against the government’s no-fly list. It is not checked again, and for this reason, Schneier argued, the process is merely another form of security theater.
To slip through the only check against the no-fly list, the terrorist uses a stolen credit card to buy a ticket under a fake name. “Then you print a fake boarding pass with your real name on it and go to the airport. You give your real ID, and the fake boarding pass with your real name on it, to security. They’re checking the documents against each other. They’re not checking your name against the no-fly list—that was done on the airline’s computers. Once you’re through security, you rip up the fake boarding pass, and use the real boarding pass that has the name from the stolen credit card. Then you board the plane, because they’re not checking your name against your ID at boarding.”
What if you don’t know how to steal a credit card?
“Then you’re a stupid terrorist and the government will catch you,” he said.
What if you don’t know how to download a PDF of an actual boarding pass and alter it on a home computer?
“Then you’re a stupid terrorist and the government will catch you.”
This is why I don’t trust downloadable documents from an unreliable source. It is too easy to alter them using simple software. Without encryption verification of ownership documents carry little validity. People too often believe what is written.
Update – The TSA Responds! Their response is pretty weak. They get ripped apart in the comments.