“Airport Security” Is Impossible

“Airport Security” Is Impossible
Ohio Scientific C8P-DF

Ohio Scientific Model C8P-DF

As a boy, when my friends and I played Star Trek in the back yard, I was always Spock.  The character held an “A7 computer expert” rating.  When questioned about his qualifications during Kirk‘s court-martial, he testified simply:  “I know all about them.”  He was an expert with a Tricorder, able to extend its functionality using primitive technology.

In 1979 (I was 14 years old), my father purchased his first business computer.  It was a state-of-the-art Ohio Scientific C8P-DF, notable for its dual 8″ floppy drives capable of storing a massive 275K.

I was hooked.

The first computer I owned was the venerable Commodore 64.  Even today, it remains the best-selling personal computer of all time.  It sold over 17 million units and boasted over 10,000 software titles.

Motorola Droid Tricorder App

Android Tricorder App

My current computer of choice is the Motorola Droid.  Aside from scanning for life forms, it embodies all the functions of the Tricorder — and considerably more.

I eventually made my career in computing.  I have touched IBM mainframes, AS/400s, servers, PCs, Macs, laptops, netbooks, blades, virtual machines, iPod/Phone/Pads, Androids, routers, switches, load-balancers, mass storage devices, and firewalls.

With a career in computing comes degrees (I hold both an Associate and Bachelor of Science in Computer Science) and certifications.

One of these is the CISSP or “Certified Information Systems Security Professional.”  I obtained this in the year 2000 — before the tragic events of 9/11.  I might also add that it is the single most difficult exam I’ve ever taken.  No college exam in any subject, nor any other certification, comes close to the difficulty of the CISSP exam.

A typical data center

A typical data center.

While the CISSP is devoted to security as it relates to information systems, a major part deals with physical security as it relates to data centers.  This is important, as today’s data center can hold exabytes of data.

An exabyte is a million terabytes: roughly one million times the amount of data found on modern commercial hard drives.  Indeed, it’s estimated that Google alone processes about 24 petabytes of data every day (only a thousand times the size of commercial hard drives).

Information stored in modern data centers can include everything from your financial and medical history to the blog you’re reading now.  Obviously, one of the jobs of a qualified CISSP is to make sure that no one can simply walk into a data center and access the data storage hardware.

It was while studying the physical security section of the CISSP that I realized that what’s called “airport security” is nothing of the kind.  In fact, “airport security” is simply impossible.

The concept of “airport security” is actually Access Control.  “Access Control” is a catch-all concept that basically boils down to the idea of controlling who can get into a particular area and who can’t.

The reason that access control is impossible in an airport is very, very simple.  The underpinning of all access control is this concept:

Deny access to everyone but a few individuals.

“Airport security” attempts the reverse:

Allow access to everyone but a few individuals.

This is flatly impossible.

No individual, company, military, or government has ever devised a method to allow everyone in but keep a few out.  Every single individual, company, military, or government in existence implements access control by denying access to everyone but a select few.

Imagine, for a moment, that the Secret Service were to emulate “airport security” as regards access control to the President of the United States.  Starting tomorrow, anyone who wanted access to the President could have it and the Secret Service would concentrate on screening out those individuals bent on doing him harm.

The President could count his life expectancy in hours — perhaps only minutes.

The Secret Service handles access control the only way possible:  by establishing a perimeter around the President.  This perimeter denies access to everyone and only allows through a select few that were screened.

Maintaining this perimeter when the President is in public is what causes Secret Service agents to have nightmares.  It’s why entire freeways close when his motorcade passes.  It’s why Air Force One exists instead of the President flying via commercial jet.

Access control in a public place (such as an airport) is by definition impossible.

I’m rather naturally prone to a certain level of paranoia.  It’s part of what makes me good at information security:  I’m willing to imagine that which the average individual will not.  It’s why I’ve engaged in a now 15-year-long series of mental exercises regarding “airport security.”

TSA Porn

This is not “security”.

Since the Oklahoma City Bombing, every time I’ve been in line at “airport security,” I have amused myself imagining ways to subvert it.  Nothing — I repeat, nothing — the Transportation Security Agency has ever put in place would deter me from causing death and destruction if I so desired.  This includes their most recent institution of invasive X-Ray machines and “pat-downs” that would qualify as sexual assault were it to occur anywhere other than airports.

Indeed, I’m absolutely certain that I could smuggle a small-frame revolver onto any aircraft I liked.  I’ll not go into details unless asked, but there is absolutely no barrier to a determined individual doing so if they wish.

Were airports to institute true access control, their makeup would change radically — and in the process violate every one of the Bill of Rights.

The precepts of physical access control rest on three pillars:

  1. Something you have
  2. Something you are
  3. Something you know

Something you have is usually a magnetic key card issued solely to you.  If lost or stolen, it is immediately reported so that it will invalidated and a new one issued.  Magnetic key cards are swiped or held against a scanner that then checks with a computer database to ensure that this key has access to the area being controlled.

Something you are is biometric data, usually hand or fingerprints (though retinal and other biometric information is becoming more common).  The user places their hand on a scanner which then checks it against a computer database to ensure that this hand/fingerprint has access to the area being controlled.  It’s cross-referenced against the key card to ensure that the individual associated with the key card is also the individual associated with the hand/fingerprint.

Something you know is usually a password or PIN that the user changes at regular intervals.  Password rules are typically enforced as well, so as to prevent the user from choosing one that is easily deduced.  This password is also checked against a database and cross-referenced with both the key card and hand/fingerprint to assure that all three are assigned to the same individual.

Let’s imagine an airport where true access control is implemented:

Firstly, freedom of movement would be restricted.  Anyone who wished to travel by air would be required to undergo an extensive background investigation of the kind usually associated with government security clearances.  This is at best a multi-month process involving reams of paperwork in which the passenger would be required to report everything from their blood type to their credit history.

A handprint.

If the individual passed the background investigation, they would then be issued a permanent air access pass.  Their fingerprints, hand prints, and other biometric information would be collected by the TSA and held permanently.  They would be establish a secure password, which they would be required to change every few weeks, regardless of whether they’ve traveled by air or not.

A "secure" airport

A truly secure airport.

Physically, airports would resemble prisons.  At the least they would be surrounded with high fences (optimally concrete) topped with barbed wire.  Optimally, they would be entirely enclosed, save for jetways, aircraft parking slots, and runways.

Passengers would not have access via car, limousine, or public transportation.  Commercial vehicles of any kind would be restricted to parking areas well outside the airport.

A passenger wishing to enter would swipe their permanently issued pass key, place their palm on a hand-reader, and enter their password.  This would allow them physical access to the airport facility, but not allow access to any boarding area or flight.

Diagram of a Man-Trap

Diagram of a man-trap.

The passenger would then enter a man-trap.  This is a hallway containing two doors.  Only one door will open at a time: the entry door are closed before the exit door open.  The interior consists of concrete walls, floor, and ceiling.

At this point, the passenger would be required to surrender their baggage by leaving it in the man-trap.  There would be no carry-on baggage.  It would be placed on a stand resting in front of the only other exit from the man-trap:  a suitcase-sized 6″-thick steel sliding door operated remotely.

Utilizing the pass-key/handprint/password again, the passenger would leave the man-trap.

Baggage Search

Mandatory baggage search.

An operator would then open the baggage door and baggage would be transported via conveyor to inspectors.  The inspectors would then subject it to a rigorous manual search prior to tagging it with a radio sensor for tracking and appropriate routing.

Meanwhile, the passenger would proceed to the boarding area for their flight, again utilizing the key card, hand/fingerprint, and password to enter the boarding area.  The system would allow entry only to the boarding area of the flight for which the passenger is booked.

When boarding the flight, the passenger would enter the jetway via the same method.  The jetway, however, would be another man-trap, allowing only a single passenger at a time.  Entry to the aircraft would be accomplished using the key card, hand/fingerprint and password.

The same methods would then be used at the passenger’s destination, in reverse.

That would be airport security.

Understand that anyone with training in access control knows that it is impossible to secure a public place.  Every officer in every military in every country knows it.  Every Secret Service agent knows it.  Every FBI or CIA agent knows it.

Every TSA agent knows it.

What is occurring now, with naked x-rays and pat-down-rapes provides absolutely no barrier to terrorists.  Every single individual who has ever had experience with true access control knows this, and that includes every President, Vice-President, Speaker of the House, Congressman, and Senator.

What, then, is the purpose of “airport security” if not to provide a barrier to terrorists?

It’s two-fold:

Firstly, the overwhelming majority of individuals in the United States has no experience with true access control.  Their experience is limited to their workplace, which may issue a magnetic key card.  By itself, a key card offers very limited security, but in the workplace, it’s typically adequate.

After 9/11, passengers realized that airports could be accessed by terrorists and demanded the Federal Government “do something.”  Since there is no way to implement access control at a public place, those in power chose to use the event to establish procedures that offer no barrier to terrorists — but that are mistaken as such by the general public.

Over the next decade, these procedures became increasingly draconian, to the point where we are today:  airports that afford easy access to terrorists while only violating the rights of all passengers in the process.

The second (perhaps unintentional) purpose of “airport security” is far more dangerous and sinister than simply making passengers feel safer:

It has conditioned almost an entire generation of Americans that their rights are taken from them any time government claims it’s for the “common good.”

In short:  it has conditioned us to be sheep.

Is there a solution to the problem of terrorists having access to aircraft?  Indeed there is, and it can be implemented without resorting to the means described above.  It costs nothing, and in fact will allow the TSA to be disbanded and all “airport security” to be torn down.

The Bill of Rights

The Bill of Rights

The solution is simple:  enforce the Bill of Rights on aircraft.

That is, instead of making sure that every passenger is disarmed, degraded, and treated like criminals, simply allow the Second Amendment to be exercised by anyone who cares to do so.

There is, after all, no wording in the Second Amendment that says “unless the Federal Government says otherwise.”

I’m sure there are readers who will find this an alarming solution, but consider:

Until 1978, any passenger could board any aircraft in America with any form of firearm.

You read that right:  from 1903 until 1978 — a period of 74 years — any American could board any aircraft carrying any weapon of his/her choice.  Knives, handguns, and rifles were permitted; either concealed, carried openly, or packed in a briefcase.

For almost a three-quarters of a century, not a single individual was shot, nor a single cabin depressurized by a stray bullet, nor a single aircraft flown into a building.

It’s true that aircraft were occasionally hijacked.  It should be noted that their success depended on the Federal Aviation Administration’s policy of complying with a hijacker’s demands.

In a post-9/11 world, no would-be terrorist would successfully hijack a plane filled with armed passengers.  They would simply overwhelm the terrorist, even if it meant injury or death to some passengers in the process.

The alternative — another 9/11 or worse — would be unthinkable to armed passengers.

Indeed, there is ample evidence that were aircraft filled with individuals capable of defending themselves with lethal force, a would-be terrorist wouldn’t even make the attempt.

Since a picture is worth a thousand words, I’ll leave you with the immortal contribution to this subject by the fantastic Scott Beiser.  Even if you place guns in the hands of the would-be terrorists, it makes no difference.

Scott Bieser September 11 Cartoon

What might have happened on 9/11 if this were truly the “Land of the Free”