Also, just going to throw this out there, but it is fairly possible that the email is totally fake.
Even hinting that any media not cover this or ANY story is so, so far beyond the purview of TSA that it is shocking (or should be shocking—it has become rather hard to be shocked by TSA) that they would even consider pulling this.
The Supreme Court should slap them so hard that their acronym gets mixed up. This is an outrage.
(edited to add snark) I thought of the perfect new acronym! STA: Security Theater Administration.
The Supreme Court can't "slap them" for anything; someone with standing would have to bring a case, and for that case to have merit, some journalistic outlet would have had to have its discretion actually impinged by the TSA.
If you want to stick to the theatrical vocabulary while being pedantic, you could talk about security phantasmagoria
I'm one of those folks that when I see a redacted email like that with most of the identity cookie in it I wonder if one could track down the original. I mean mail.fourtentech.com actually has a web server sitting on it and all.
Anyway, it could be a viralish stunt, but sadly it's pretty credible that the TSA might say this.
[1] http://tsaoutofourpants.files.wordpress.com/2012/03/caution_...
This does not make me a cheerleader for the TSA.
Problem solved.
For an organization whose sole purpose is the security of the American people, they're awfully bad at doing things that ensure the security of the American people.
This is an all-too-common mistake. I am sure we have all seen it in the IT industry. I am surprised we don't just recognize it and call it out as such when we see the federal government doing the same.
In the 1970s, when it was found that people could hijack planes by delivering a threatening note or bomb and using a parachute to jump out with money, what do you think the airlines did?
They took the statistically significant thing and changed how planes were designed to prevent people being able to jump out of airliners through the back escape doors.
It did not cost billions of dollars and no extra X-ray scanning machines were used either.
First act of de-toothing TSA is putting those qualified on security of airlines... the airlines themselves back in charge of security!
Their sole purpose is to make money. They obviously don't give a damn about security.
Great - now the time to get through security just went up!
I mean, the TSA idiots STILL require us to remove our shoes because of some joker with a lighter attempting to burn his foot.
I'm not saying the TSA flak won't be vindictive if a reporter covers the story. I'm just saying, there's not an immediate reason to jump to this conclusion. You don't get to be TSA flak by writing thinly-veiled threats that are easily retrieved through public records requests.
You have to remember that journalists rely on sources, and some of those sources come from government agencies. A strong caution contains an implied threat of non-cooperation, i.e. if you cover that story, we will be feeding other journalists more info than we feed you.
We've already been seeing this a lot with the current administration, regarding trying to ban Fox News from the press pool (ok, I am no fan of Fox News, and I was a fan of Obama in 2008, but COME ON). In context, this is a meaningful threat.
However, I wonder if the issue has to do more with the "get rid of the TSA" rhetoric in the post than it does with the security hole.
I've covered TSA and edit a blog that just covered this very story. http://www.wired.com/threatlevel/2012/03/bodyscanner-video/
Sometimes a flak can save you embarrassment and other times you disregard them because you know it's a story.
"And then we will send you to Gitmo for spreading misinformation."
http://boingboing.net/2012/03/07/howto-get-metal-through-a-t...
I can't imagine any BoingBoing writers sitting still if the TSA forced something like this to be removed from the site.
Some countries hold referendums to vote on controversial topics. It would be a great solution to hold one in the U.S. at the federal level asking a very simple question: "Should the TSA be shut down? Yes/No". Direct democracy at its best. Unfortunately the U.S. constitution does not provide for referendums at the federal level... http://en.wikipedia.org/wiki/Referendum#United_States
Left to "democracy in the United States", a referendum that requested the elimination of the "opt-out" process in favor of 0.5s of wait time at the security lines would probably pass in a landslide. Thankfully, we're governed not just by a legislature but by a Constitution interpreted by a panel of judges with lifetime tenure.
[1] http://www.projectposner.org/
[2] http://www.uscourts.gov/JudgesAndJudgeships/JudicialCompensa...
[3] http://www.supremecourt.gov/publicinfo/year-end/2010year-end...
The choice people have is between these scanners and a highly intrusive "pat down" which typically includes some TSA agent's hands on your junk. That's not much of a choice.
Don't the politicians and bureaucrats -- the ones we're trusting to look out for our interests -- bear some responsibility?
It would be interesting, since travel distances are not really the issue, if each state was represented in the Senate not by 2 Senators but by that state's Governor. Seems like you would get a much better response.
There's a difference between "telling/informing" and mandating. The latter is bad; the former is...well, part of a government's job is to disseminate information.
The question then, is it in the public interest not to cover this story. I'd say it would probably not matter so much from a security standpoint, but more so for the amount of mayhem that could ensue at airport security if this was public knowledge.
The biggest oddity to me is that it's been over 10 years and this debate hasn't actually happened in the mainstream media.
I think one aspect of most orgs that have entrenched power is that they are always very deferent toward government. NPR is a great example... there is lots of coverage of various wall street schemes, mention of greed as a problem in the private sector, etc., but the underlying message in most of the stories is that government is beyond reproach.
Republicans largely support the things that we're objecting to here, along with Obama.
All the TSA are saying is "exercise caution with reporting on bloggers that make random statements because you can end up looking stupid". They're wrong in this case, of course, and most likely know they're wrong, but that doesn't make their statement be intimidation (nor should it be read as such). Let's stay reasoned and calm, people.
It doesn't have to be "we will put you on a no-fly list" so much as "well, that's our right but we don't have to let you in to any press conferences anymore...."
Is the above sentence a threat? Of course it is. Not literally (I did not directly say that I would send thugs to loot your shop if you refused to pay me protection money) but a reasonable person would, more likely than not, interpret it as a threat.
If I did not mean it that way but was so dumb as not to anticipate that you would read it that way, I would deserve to go to jail for extortion anyway.
And the TSA, by virtue of having the power to add people to the No Fly List without public scrutiny and knowing of all the rumours of them having added people for political reasons, they should expect any "request" they make to be interpreted that way, and they should take extra care to ensure that it isn't.
Since this observation isn't so much "insightful" as it is "completely obvious on its face", to me, Occam's Razor suggests that what the TSA was implying was that the guy was wrong, and that his story was going to make the media look dumb.
Since I have never once seen anyone from the TSA land on the right side of an argument, from airport security to spelling and grammar, we don't have to argue about which one of us is more vehemently contemptuous of it, or, in this case, its argument.
I have no especial objection to the original story, but it's little more than a marketing exercise: a hyperbolic headline attached to a banal observation, which shoots at a large target and unsurprisingly, hits it. When you think about it, government procurement on this scale is almost always slow and suffers from stable-door syndrome. As I've said before, nothing is going to happen with the TSA until after the election, because the minute Obama proposes loosening security at airports he'll be accused of inviting terrorists onto planes. Have you not noticed how none of the congresspeople who say they are outraged - outraged! - over the TSA's intrusive security methods have made any attempt to cut the agency's funding?
Edit: Seriously, what does that prove? Someone faking an email can Google for TSA spokeswomen just as easily as someone trying to verify it.
2. There is absolutely nothing wrong with having an agenda.
Of course, if some TSA or government representatives show me proof that he was wrong, and in addition prove to me that this is not security theater for the personal profit of government cronies by dismantling some of Bruce Schneier's premises, I'll be 100% behind them too. It's just not likely that'll happen because this guy and Schneier show their work.
If he makes a bundle of money in the course of defending our freedoms, then my hat is off to him. Bravo!
From an economics perspective, the fact that someone has turned a profit (in a free market) is prima facie evidence that he has delivered something of value.
Doesn't work on the Internet. Doesn't work in real-life.
Passwords are far from perfect at that of course, but it's not correct to call them 'obscurity' either.
The distinction between security and obscurity derives from Kerckhoffs's principle. https://en.wikipedia.org/wiki/Kerckhoffs%27s_Principle
However, the whole controversy also seems to lack common sense. An easy "solution" to this whole problem is to ask people to go into the machine and do a 360 degree rotation before emerging on the other side. I'll call this the "Airport Dance" :-)
What? It's not like we aren't made to dance already!
Besides, I've got no idea if the machines in place have microwave units that can withstand a high duty cycle like that. I wouldn't be surprised if they can't.
The only situation that would make this "obvious" is if the technology is inadequate. Basically by saying that, they're admitting to a large amount of security through obscurity.
Imagine a bank's website saying "For obvious security reasons, we can’t discuss how our passwords are stored in detail". Wait, why not? If the technology is adequate to the task you should be able to explain exactly how it works without compromising anything!
Bruce Schneier must be getting a kick out of this.
Some thoughts about this.
The main defense that the TSA offers over the body scanners in this regard is that it is somehow better/harder to circumvent than the metal detectors, and that it's only one part of a larger program using layers of security.
We can argue about the specifics but the idea of layers of security is one thing the TSA is doing right. One of my complaints about the body scanners is that they are not implemented in a way that makes full use of this (tandem to a metal detector, as separate layers, ideally in conjunction with behavioral indicators). But that's neither here nor there. I want to talk about testing.
As a software engineer, I know there is testing, and there is testing. Extensive pre-deployment testing is important. There can't be any doubt of that. However, it is also by definition incomplete. Stuff will always get missed. Real testing in a security environment involves the sorts of things that this video involves--- many people looking for ways to circumvent a given technology and doing so. A few professional testers will miss stuff because everyone has blind spots. This has to be an ongoing thing, and it has to rely on independent individuals not beholden to the organization ordering the testing.
In the computer software field, while the stakes are lower, we deal with a level of constant attack unmatched in any physical security field. A firewall in the rural US is under more constant attack than any US troops on any battlefield and I have logs to prove this, so in my industry we have had to find better ways of dealing with these problems than we see with the Department of Homeland Security today. While my life may not depend on my firewall holding up, my livelihood very well might, as does all of your credit card data depend on firewalls of places like Amazon.
The video I linked to yesterday, while I don't agree with all of the political remedies proposed, is a solid example of penetration testing, and the sort that makes us more secure. We should no more trust the TSA with securing our airports than we should trust Microsoft with securing our data. Microsoft can't get there without armies of white-hat hackers reporting vulnerabilities before the bad guys find and exploit them. The TSA shouldn't attempt this either.
Just this week we saw a massive security hole discovered at GitHub, which many open source projects use. This hole allowed anyone who had an account (and anyone can sign up!) the ability to commit software changes to any project on the system. The severity of this problem was just unbelievable. In all likelihood this would have gone at least partially unfixed (given past attempts to get the software fixed) had it not been for one daring individual breaking into the system in a reasonably responsible (as far as we know, but if you use GitHub, audit your code!) way.
But imagine if a bad guy did this? What critical systems would be vulnerable for years because of malware planted? The fact that it was reported in a public way after a previous fix was attempted and fell flat was a good thing.
I have been on the receiving end of accusations of fearmongering for exposing security holes (in software). The fact though is that this is usually the first step to getting the problem fixed. Whatever else is discussed, we need to keep that in mind.
The correct response should have been, "We are evaluating this report and, once we are finished doing so, will institute whatever corrective steps appear to be necessary to solve the problem." This is not it.
Amusingly their portfolio includes a major project for the NYPD building an automated surveillance network designed for (amongst other functions) "detecting unauthorized individuals in secure areas of the financial district" -- http://www.fourtentech.com/mcs-nypd.html
What gets me is that the person who pointed out this flaw actually demonstrated it. I shudder to think what would have happened to this information had he only provided anecdotal hypothesis.
http://tsaoutofourpants.wordpress.com/2012/03/06/1b-of-nude-...
I don't wish to be specifically judgmental of CNN, and I don't wish to over-analyze my mock-scenario. Instead I'm using the thought experiment of a news report on this topic to express frustrations with journalistic practices I have already seen elsewhere. It seems to me there isn't as much motivation on behalf of larger news organizations to put together a verified report, when you can replay something from YouTube and people will believe it much the same.
But maybe there are positive aspects? Crowdsourcing the genesis of news topics allows for a better breadth of topics, clearly. And I recognize there is a need for it in situations such as the Syrian unrest, Tibet, or any place that foreign journalists can't easily access. I get the feeling though, when I go to 'old' media, that I expect old media standards and practices. When I go to 'old' media and get a replay of internet videos followed by an equally-long segment of internet comments, I wonder why I'm not just browsing the internet for myself.
Its job is not to prop up the establishment, but rather to keep it responsible.
http://www.popehat.com/2012/03/08/in-which-i-strongly-cautio...