TSA subpoenas bloggers

On Tuesday, December 29, 2009, Federal agents from the TSA visited the homes of two people who had blogged copies of TSA Security Directive 1544-09-06 dated December 25, 2009. Armed with subpoenas, the agents wanted to know the source of the document.

The Directive, issued after the failed Christmas 2009 terrorist bombing attempt on a Northwest/Delta flight, was sent to airlines and airports world-wide and specifies new security measures: pat-downs, seated for the last hour of flight, no in-flight indications of aircraft location, and many others. It's not a secret or classified document, and it was not distributed publicly. But of course, air travelers quickly learn what the new measures are - because they experience them directly.

The reports by blogger Steven Frischling and travel writer Christopher Elliott (the Washington Post, MSNBC, others) indicate that the TSA was somewhat aggressive in demanding their source, and Frischling's computer was taken for a period of time.

Rob Mark, over at JetWhine.com, posted an audio interview with Mary Kirby from FlightGlobal on this. Listen to that at TSA and Bloggers Tied 1-1.

The TSA has a bit of a problem here. Actually a couple of problems.

First, going after journalists/bloggers/writers like this accomplishes nothing good and only damages the public image of the TSA. There isn't any real harm reading in advance that you won't be able to get up to go to the bathroom in the last hour of your flight, so what's the big deal?

Second, maybe the TSA has an internal leak that they need to address. Frischling says he doesn't know for sure the identity of the person who emailed him the document, but in the past this person has said he was a TSA employee.

It was bad enough that the security measures initially enacted by the TSA were bordering on nonsensical, but now we see them making a huge fuss about nothing. I think we have a leadership issue here.

Sources:

New York Times, TSA Subpoenas Bloggers, Demands Names of Sources

Wired, TSA Threatens Blogger Who Posted New Screening Directive

Elliott.org, Full text of SD 1544-09-06 authorizing pat-downs, physical inspections

Elliott.org, Full text of my subpoena from the Department of Homeland Security

Flying With Fish, The Fallout From SD-1544-09-06 : The Feds At My Door

Should we fire the TSA?

Reader Larry from Texas sent in a note expressing his frustration with the "rules" the TSA implemented immediately after the Christmas bombing attempt on Northwest Flight 253. Recall that these rules included restrictions on what passengers were allowed to do in the final hour of a flight. Since these were reportedly the same actions taken by the terrorist (a visit to the bathroom, covering up with a blanket, etc.), we assume the subsequent restrictions were enacted to prevent another bombing attempt.

Here's Larry:

"This most recent attack attempt is an Islamic issue, is it not? Even our President Obama will not call it what it is. Will you?"

Well, I think it is an extremist Islamic issue. We shouldn't conclude that all of Islam is a problem, but we should understand mainstream Islam in order to help understand the extremist minority.

"Only in the United States of America can restricting your urinary needs fight terrorism!"

I agree that it is a comical reaction. On the face of it, getting up from your seat in the final hour of flight is not a terrorist act, nor is it required to perform a terrorist act. Saying you can't pee then doesn't seem to make sense.

Now, I did hear something from Dr. Todd Curtis at AirSafe.com that started to make a little sense. He said a temporary restriction like this might deter copycat terrorists - people who just try to recreate the same bomb attempt without really thinking it through. I guess, but it's a little hard to imagine someone out there doing that.

"Here is the deal as I see it. An educated fool from a piss pot place like Nigeria is allowed to board an airliner with so many red flags flown for so many of the so called overseers of aviation security. Nigeria is a given that security is nil. How the idiot passed through the Dutch system even as an international passenger is a shocker. The Dutch don’t play games with security. How the idiot did not end up on the “No Fly” list after his own father denounced him to the Americans is a disgrace! The failure was an American failure in the final result. The idiot was allowed on an American carrier! Only his stupidity and the quick action of passengers and crew prevented a disaster on Christmas."

This is a problem. The U.S. Government is not as connected across all it's agencies as it could be. Little bits of intelligence can exist here and there, but there is not always a process that connects all the related bits. We need to change that, but carefully so as not to create a "central repository" of all your personal information that can be abused. I don't necessarily mean "abused" in an evil way. It wouldn't be too hard to abuse the information in well intended ways.

"Someone in the American government quickly dictated that there would be no toilet use in the last hour of flight to fight terrorism! A NO PEE rule will prevent terrorist attacks! We have not been told who is the originator of that ruling but we should know. We should also know that that person has been fired from government service. Rather than find out how this string of human and system failures happened this government employee focused on the NO PEE regulation!

"How many passengers have medical conditions that cause sudden and frequent need for urination? If you notice the radio and television commercials most must have something going on in the PEE-PEE department. How many would chance arrest by defying the NO PEE rule over wetting his/her pants in flight? I would! What in the name of enlarged prostates is this government doing? I will not wet my pants on any flight!"

As a member of the enlarged prostate club, I can easily identify with Larry on this. There are times when I just gotta go! I could probably write a book on "interesting places I have pee'd" and there are plenty of people out there who have other issues that cause them to need a bathroom on very short notice. I know some of them who don't fly for just this reason. Those of us in the commercial aviation industry want to see more flyers, not fewer!

Now, on the issue of how these rules came into effect, I'd be very interested to know the process the TSA goes through to arrive at actions immediately following a terrorist act. Sure, we want them to react quickly, but not without thought and some process of vetting the proposed rules.

"A stupid religious nut from the third world has outfoxed the American Government again. How bloody sad! Only Americans can allow this kind of politically correct bowing to the Muslim community to continue or to be abruptly halted and reversed. If you knew you were in the sights of the next Islamic attack would you be politically correct or in prevent it? Profile and neutralize the enemy!

"I do not care if Muslims are offended. I AM OFFENDED that Muslims think I should walk on eggs for fear that they might be insulted if I protect my safety in the air! I am offended when my government, media, and even our universities are bowing to the Muslim community not wanting to offend them.

"This most recent attack attempt is an Islamic issue, is it not? Even our President Obama will not call it what it is. Will you?"

Here I differ a little from Larry, although I do respect his viewpoint. Again, I think it is an Islamic extremist issue - one that we need to understand and effectively deal with. I'd like to hope that we could do so without "collateral" damage to non-extremist Muslims who are innocents, but I recognize this might be hard. Especially if the frequency or scope of terrorist acts increases.

My views probably won't satisfy reader Larry, but I'd be interested in your thoughts. Write a comment to this post and tell us what you think. The comments are moderated so please don't be offensive or hateful and keep it PG-rated. Thanks.

Obama on Airline Security

At a press conference December 29, 2009, President Barack Obama made some statements about airline security in the wake of the attempted bombing of Northwest Flight 253 on Christmas 2009.

"...I announced two reviews, a review of our terrorist watch list system and a review of our air travel screening so we can find out what went wrong, fix it, and prevent future attacks. Those reviews began on Sunday and are now underway."

Obama means to move quickly and he "directed the preliminary findings be provided to the White House by this Thursday." He admitted to several deficiencies in the system:

"It's been widely reported that the father of the suspect in the Christmas incident warned U.S. officials in Africa about his son's extremist views. It now appears that weeks ago this information was passed to a component of our intelligence community but was not effectively distributed so as to get the suspect's name on a no-fly list."

You take this fact, and combine it with other "clues" (a ticket to the U.S. purchased with cash, no luggage) and it makes you wonder how the security establishment failed to flag the accused terrorist. No doubt a conclusion from the reviews ordered by Obama will be the need for greater communication between government agencies around the world. That, of course, means connecting databases and there are a whole series of issues there - including privacy concerns.

"Had this critical information been shared, it could have been compiled with other intelligence, and a fuller, clearer picture of the suspect would have emerged. The warning signs would have triggered red flags, and the suspect would have never been allowed to board that plane for America."

In his remarks, Obama hinted at something we all wonder about - other terrorist attempts that have been thwarted but not made public:

"Now, the professionalism of the men and women in our intelligence, counterterrorism, and law enforcement, and homeland security communities is extraordinary... They have targeted and taken out violent extremists. They have disrupted plots and saved countless American lives."

It would be interesting to learn the "inside story" about that some day.

For all of President Obama's comments, see The Washington Post Transcript of Obama remarks on Detroit case and airline security.

How we could have prevented the Christmas bomber

There's a lot of Monday quarterbacking going on since Umar Farouk Abdulmutallab attempted to ignite some sort of exposive or incendiary device on Northwest flight 253 Christmas Day 2009. The press and others seem to think this was preventable and the fact that it was not shows the system is deficient.

That all may be true, but we should not automatically assume it is.

An example: I'm seeing news articles (repeated on Twitter) that a backscatter X-ray machine would have prevented this bombing attempt. Well, maybe, if Abdulmutallab (or whoever orchestrated this) is not very smart.

You see, you can use a technology to eliminate a few terrorist methods, but that doesn't mean you've eliminated the threat - only that you've (hopefully) eliminated those methods. If you are a terrorist and you know that backscatter will pick up the bomb materials, what do you do? Well, if you have a brain you pick a different method. If that new method gets thwarted by some counter measure, then you move on again.

It's obvious, no?

So yes, we might have prevented this specific incident, but that by no means assures us that doing so would have prevented SOME incident.

As I mentioned in the podcast, we're still taking our shoes off to thwart one method. All that does is prevent shoe bombs. This latest incident employed the same bomb materials, just implemented with a new method. We can thwart that method too, but doesn't it seem silly to employ a strategy that chases from one terrorist method to another, after the fact?

So, I don't want to hear any more statements about "this could have been prevented!" If those people are so smart, tell me NOW how the NEXT terrorist act could be prevented.

Michael O'Leary vs. Italy

Business Week reports in Ryanair threatens to stop local flights in Italy that Ryanair is upset about new rules in Italy for valid ID documents. Air passengers will soon find they can pass through airport gates with such documents as driving licenses, government badges, and fishing and hunting licenses. Ryanair's always vocal Michael O'Leary believes this to be a weakening of airport security and just can't stand it, so he won't be flying to Italy under these conditions. Or so he says now.

Frankly, I'm siding with O'Leary on this one, at least as far as the security angle goes. Unless it's as hard to get a fishing license in Italy as it is to get a passport!

Cloning passport card RFIDs

This YouTube video by Chris Paget demonstrates how a low-cost mobile device can surreptitiously read RFID tags embedded in United States passport cards and enhanced drivers' licenses.



The Wi-Fi Planet article, RFID Passport Tags Save Time, Risk Privacy provides more information on this topic:

It’s important to note that there’s a key difference between e-passports (passport books) and passport cards. While passport cards use vicinity RFID (EPC Gen 2) technology, which can be read at distances of up to 30 feet, e-passports use ISO 14443 contactless smart card tech with a read range of a few inches. To compensate for their readibility (and therefore hackability) at a distance, passport cards only transmit an ID number that relates back to information stored in a secure central database, while e-passports store and transmit much more detailed information about the passport holder.

RFID vulnerability

The annual DefCon conference is always entertaining, even if you are not a hacker - and by "hacker" I mean either the white hat or black hat type. This gathering of the technically proficient and those who watch them (typically agencies that go by 3-letter acronyms) has produced insights into the vulnerabilities of RFID-enabled identity cards and documents like passports.

This year was no exception. Wired describes in Feds at DefCon Alarmed After RFIDs Scanned that there was yet another demonstration of a reader that can capture your travel document information without your knowledge.

The reader, connected to a web camera, sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks as they passed a table where the equipment was stationed in full view.

It seems this was set up by a some security researchers and consultants who wanted to make a point:

When the reader caught an RFID chip in its sights — embedded in a company or government agency access card, for example — it grabbed data from the card, and the camera snapped the card holder’s picture.

So just be aware: things are not always as they seem when it comes to your private information.

The Blog @ Homeland Security

A press release from the Department of Homeland Security:

The U.S. Department of Homeland Security (DHS)... launched The Blog @ Homeland Security, a new addition to the Department’s web presence designed to increase transparency and facilitate the dialogue between DHS and the American public.

“The Blog reflects our ongoing commitment to communicate directly with the American people about the Department’s efforts across the country and around the world,” said DHS Secretary Napolitano.

The Blog will include frequent updates on the Department’s activities, including breaking news, public events and new initiatives.

The inaugural post, found at http://www.dhs.gov/theblog, features a video message from Secretary Napolitano outlining the Department’s five overarching responsibilities and an invitation for visitors to comment on and provide suggestions for The Blog.