I suppose I could make this a really short blog and simply say “Do it like the TSA does”. It would be accurate, but perhaps doesn’t explain enough. In case you don’t know, TSA is said to stand for “Transportation Security Administration”, but I tend to think it means Terrorist Support Agency, as they do more to make terrorism work than actually make transportation safer. The point of terrorism is disruption and only the airport security people at Heathrow do disruption better than the TSA. The recent “failed” terrorist attack was pretty successful. Even though the terrorist couldn’t blow up the airplane he did succeed at causing disruption and probably terrorizing some people who will be afraid to fly. Primarily, the TSA enabled the success of the operation. The main thrust of TSA processes is to make people believe they are safer, rather than to actually make people safer. It’s called security theatre because it is for show. You can read more about that at http://www.cnn.com/2009/OPINION/12/29/schneier.air.travel.security.theater/index.html.
Here is an example of how truly for show some of these practices are. I can’t bring 4 ounces of water through security UNLESS I put it in a bottle marked “Saline Solution”. Then I can bring lots of the liquid. Yes, it is right to allow people to bring saline solution for their contacts, but prohibiting a 12 ounce bottle of water when a 12 ounce bottle of saline solution is allowed is not security at all.

Just a month ago the TSA published a classified document because some of their employees were not properly trained on how to remove the classified portions of the document before they tried to publish the unclassified portions. As a result, the whole document was published and the method used to black out the classified portion was easily removed, exposing the entire document. Now it is on the internet and there is no way to take it back. Average computer users often do things, like using hotel business center computers, that lead to the loss of confidential data.

The latest TSA debacle is that they sent out 10,000 copies of a security process and were surprised when it got published. You can read about it at http://www.wired.com/threatlevel/2009/12/dhs-threatens-blogger/

In reality, this is quite similar to what many people do with social networking sites. People put a lot of personal information on the web and fail to realize that this information can be used to gain their trust. You can’t send something to 10,000 or more people and not expect it to become public information.

There are many security practices the TSA gets wrong, but you can’t really pass it off as “the government” as there are many corollaries in private computer use.

For the record, the Department of Homeland Security has some really great security programs, but TSA is not one of them.

Perhaps I had better add that in particular this blog is my opinion and may not reflect the views and opinions of anyone else at ESET.

Randy Abrams
Director of Technical Education