from the don't-you-feel-safer-now? dept
Schneier, of course, has been making this point for years, so it was interesting to see what sort of response Goldberg was then able to get out of the TSA's boss, Kip Hawley. His responses seem to fall into one of two categories. First, he suggests that the TSA is well aware of the potential vulnerability described, but he can't really explain how it's been fixed. Second, he insists that any odd behavior will be spotted by trained employees and stopped. Except that Goldberg tested that theory too, attempting to behave quite strangely -- including ripping up a bunch of fake boarding passes in plain view of people... who all ignored him.
Hawley's responses at times border on incomprehensible:
"What do you do about vulnerabilities?" he asked, rhetorically. "All the time you hear reports and people saying, 'There's a vulnerability.' Well, duh. There are vulnerabilities everywhere, in everything. The question is not 'Is there a vulnerability?' It's 'What are you doing about it?'"
Well, what are you doing about it?
"There are vulnerabilities where you have limited ways to address it directly. So you have to put other layers around it, other things that will catch them when that vulnerability is breached. This is a universal problem. Somebody will identify a very small thing and drill down and say, 'I found a vulnerability.'"
Either there's some totally secret system that the TSA is using to actually stop these vulnerabilities, or there isn't a system and Hawley is just being confusing in order to create some doubt. I'm not sure either one makes me feel any safer about flying. While some may claim that we should feel safer because there might be a more secretive plan in place that Hawley won't talk about, consider me a skeptic. Security through obscurity has rarely proven to be as effective as a real and open security plan. I'm not saying that the TSA should reveal everything it does, but given Goldberg's experiences in "probing" the system, it's not clear that any "secret plan," whether real or implied, is working particularly well.