Security-by-credential or security-by-inspection

Petro petro at bounty.org
Tue Nov 13 03:56:51 PST 2001 

On Thursday, November 8, 2001, at 04:10 PM, Nomen Nescio wrote:

> There are so many misconceptions floating around here it's hard to know
> where to begin.  But let's start with two points of agreement.
>
> First, airport screening is far from perfect.  There is no way to detect
> all possible threats coming on the airplane.  And given the technology
> and time available, it will always be possible to smuggle aboard knives,
> explosives and other dangerous devices more than sufficient to risk the
> lives of everyone on that airplane.
>
> Second, no ID based system is perfect, either.  People can falsify their
> ID with varying degrees of expense and difficulty.  Moving to biometrics
> can help but these can be spoofed as well.
>
> But to conclude from these points that we should just let everyone
> walk onto a plane with no more than the cursory inspection that has
> been used in the past is pure bullshit.  Absence of perfection is no

	No, it isn't.

	Since the rise of terrorism as a common practice among the worlds 
political underclass, what percentage of passengers died or were injured 
in such incidents?

	I'd bet (I don't have the relevant numbers at hand) that it 
approaches (but of course does not reach) 0.0 percent.

	And even further, I'd be that if *no* checks were done, that the 
number would drop even further, airline costs would drop (no need for 
expensive x-ray machines and expensive security guard payrolls (yes, I 
know they aren't paid that well, but to maintain the numbers of security 
personnel, support personnel for the security personnel etc. is 
expensive).

	The vast majority of people are not terrorists, are not willing to 
die for a cause, and are generally too afraid of the Law to commit 
dangerous levels of violence on an aircraft.

> argument against a system.  Someone once said that "all cryptography
> is economics."  Well, all security is economics as well.  Any argument
> which is based on the fact that loopholes and failures will exist is
> irrelevant.  The point of security is to raise the cost of breaching it.
> That's all.  Understanding and accepting this would raise the level of
> the dialog considerably.

	While the above is relatively true, there are not, and would not be 
"Airline Hackers" as you have "Computer Hackers" today. The marginal 
cost of compromising a computer system is fairly small for the gains 
received, you don't have to leave home, you rarely get caught, you can 
get scripts which all you to try thousands of systems an hour etc.

	None of this applies to the Airline sphere. The costs are massively 
greater, as are the risks. You cannot "anonymously" hijack a plane 
(although planting a bomb could still be done) (side note, how hard 
would it be to bomb a US Postal service plane using several small 
packages all mailed to the same town, all set with a pressure sensitive 
switch what would cause the explosion at a certain air pressure?) you 
have to be there in person to wave the weapon around, and you expose 
yourself directly to a bunch of people who really don't want you to 
succeed. If even one of them is armed, you are going to fail miserably.

> Given this fact, it makes no sense to intentionally blind screeners
> to relevant data when performing their security analysis.  Those guards
> should have every scrap of information possible available to them.  
> People
> who have a history of violence, who make threats, who are associates

	How many people who have a "history of violence" (i.e. beat the 
shit out of a drunk pawing their date) fly routinely and never cause a 
problem?

> with known terrorists, all represent correspondingly greater risks.
> An efficient screening system will use this information to determine
> how carefully each passenger is examined.

	An efficient police system would have 92% if the population behind 
bars.


> Resources are finite, and it is highly inefficient to apply exactly the

	Resources are sufficient to give each passenger a .41 derringer 
loaded with 2 .410 shot shells.

	No more planes will be hijacked. Guaranteed.

> same procedure to each individual.  You'll have far more security for 
> the
> same cost by allocating greater security resources to those individuals
> who pose the greatest risk based on the data available.  They are the 
> ones
> who need their bags hand-searched.  They need the metal detector wand 
> run
> over their entire bodies.  They can empty their pockets and have their
> shoes removed and inspected.  It is not practical to apply this level of
> scrutiny to every passenger.  But by making use of public information,
> high risk individuals can be subjected to high levels of inspection.

	They are also the most likely to have the resources and connections 
to spoof the system.

> Some have claimed to object only because the government is involved in
> the search.  That's a red herring in this case.  Yes, the government is
> setting security policies, but they are only responding to public 
> demand.

	They are generating the public demand.

> Any fully private security system would see the same kinds of checks in
> order to get the flying public back into the air.  No one wants to fly
> with someone who has a history of calling for the violent overthrow of
> the U.S. government at a time when planes are being turned into guided
> missiles.

	I don't want to fly on an airline who treats any passenger as a 
fucking criminal, who insists on a background check before boarding.

	And I'm putting my money where my mouth is. In december I plan on 
riding to the midwest to see my daughter, 2000-2500 miles each way in 
winter on a rather small bike *just* so I don't have to deal with the 
airlines and give them even more of my money.

> What about Chaum credentials?  Well, how would they help?  Are you
> going to show a not-a-terrorist credential?  No one is in a position
> to issue such a thing.  And even if you had one, how would you prove

	If no one is in a position to issue such a thing, then no one is in 
a position to institute the kind of data-gathering you would need for 
your scheme.

> When confronted with an unpleasant reality, cypherpunks retreat into
> their imaginary world of abstractions.  That doesn't help when planes
> are falling from the skies.  Try to stick with reality for a few minutes

	Really? how many have "fallen" in the last 30 years?

	And how many of those were mechanical failures as opposed to 
terrorist acts?

	"Planes are falling from the skies" is rhetorical fecees. Our 
government, and our country got the military equivelent of a black eye. 
Yes, it hurts, yes it's embarassing as all hell, but it's being used as 
an excuse for all the police state bullshit that the fascists under 
Reagan, Bush, Clinton, and Bush wanted.

	And you're at the trough lapping it up.

--
"Remember, half-measures can be very effective if all you deal with are
half-wits."--Chris Klein

More information about the cypherpunks-legacy mailing list