Security theater: Difference between revisions

From Wikipedia, the free encyclopedia
Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
No edit summary
No edit summary
Line 47: Line 47:
* With the aim of preventing individuals on a [[No Fly List]] from flying in commercial airliners, U.S. airports require all passengers to show valid picture ID (e.g. a passport or driver's license) along with their boarding pass before entering the boarding terminal. At this checkpoint, the name on the ID is matched to that on the boarding pass, but is not recorded. In order to be effective, this practice must assume that 1) the ticket was bought under the passenger's real name (at which point the name was recorded and checked against the [[No Fly List]]), 2) the boarding pass shown is real, and 3) the ID shown is real. However, the rise of print-at-home boarding passes, which can be easily forged, allows a potential attacker to buy a ticket under someone else's name, to go into the boarding terminal using a real ID and a fake boarding pass, and then to fly on the ticket that has someone else's name on it.<ref>[http://www.boingboing.net/2005/02/07/slates_andy_bowers_o.html Slate's Andy Bowers on Airport Security loopholes - Boing Boing<!-- Bot generated title -->]</ref><ref>[http://www.schneier.com/crypto-gram-0308.html#6 Crypto-Gram: August 15, 2003<!-- Bot generated title -->]</ref><ref>[http://slate.msn.com/id/2113157/fr/rss/ A dangerous loophole in airport security. - By Andy Bowers - Slate Magazine<!-- Bot generated title -->]</ref><ref>[http://www.boingboing.net/2006/11/01/fake_boarding_pass_g.html Fake Boarding Pass Generator mirror site - Boing Boing<!-- Bot generated title -->]</ref> Additionally, recent investigations show that obviously false IDs can be used when claiming a boarding pass and entering the departures terminal, so a person on the No Fly List can simply travel under a different name.<ref>http://www.kctv5.com/Global/story.asp?S=6511234</ref><ref>[http://www.boingboing.net/2007/05/15/flying_without_id_wo.html Flying without ID won't work? Try making your own ID. - Boing Boing<!-- Bot generated title -->]</ref>
* With the aim of preventing individuals on a [[No Fly List]] from flying in commercial airliners, U.S. airports require all passengers to show valid picture ID (e.g. a passport or driver's license) along with their boarding pass before entering the boarding terminal. At this checkpoint, the name on the ID is matched to that on the boarding pass, but is not recorded. In order to be effective, this practice must assume that 1) the ticket was bought under the passenger's real name (at which point the name was recorded and checked against the [[No Fly List]]), 2) the boarding pass shown is real, and 3) the ID shown is real. However, the rise of print-at-home boarding passes, which can be easily forged, allows a potential attacker to buy a ticket under someone else's name, to go into the boarding terminal using a real ID and a fake boarding pass, and then to fly on the ticket that has someone else's name on it.<ref>[http://www.boingboing.net/2005/02/07/slates_andy_bowers_o.html Slate's Andy Bowers on Airport Security loopholes - Boing Boing<!-- Bot generated title -->]</ref><ref>[http://www.schneier.com/crypto-gram-0308.html#6 Crypto-Gram: August 15, 2003<!-- Bot generated title -->]</ref><ref>[http://slate.msn.com/id/2113157/fr/rss/ A dangerous loophole in airport security. - By Andy Bowers - Slate Magazine<!-- Bot generated title -->]</ref><ref>[http://www.boingboing.net/2006/11/01/fake_boarding_pass_g.html Fake Boarding Pass Generator mirror site - Boing Boing<!-- Bot generated title -->]</ref> Additionally, recent investigations show that obviously false IDs can be used when claiming a boarding pass and entering the departures terminal, so a person on the No Fly List can simply travel under a different name.<ref>http://www.kctv5.com/Global/story.asp?S=6511234</ref><ref>[http://www.boingboing.net/2007/05/15/flying_without_id_wo.html Flying without ID won't work? Try making your own ID. - Boing Boing<!-- Bot generated title -->]</ref>
* Random searches on [[subway system]]s, such as those taking place on the [[New York City Subway]] system, have been criticized by the [[American Civil Liberties Union]] and others as security theater. They allege that since such searches are only at some stations and that people may decline such a search and simply leave that station, a terrorist could simply find a station where no searches were occurring and board there.{{Citation needed|date=February 2007}}
* Random searches on [[subway system]]s, such as those taking place on the [[New York City Subway]] system, have been criticized by the [[American Civil Liberties Union]] and others as security theater. They allege that since such searches are only at some stations and that people may decline such a search and simply leave that station, a terrorist could simply find a station where no searches were occurring and board there.{{Citation needed|date=February 2007}}
* The 1950s "[[duck and cover]]" drills in U.S. public schools – which suggested that ducking under a desk is a reasonable way to protect oneself from the detonation of an [[atomic bomb]] – have been cited as an example of security theater.
* The 1950s "[[duck and cover]]" drills in U.S. public schools – which suggested that ducking under a desk is a reasonable way to protect oneself from the detonation of an [[atomic bomb]].
* [[Facial recognition system|Facial recognition]] technology was introduced at [[Manchester Airport]] in August 2008. A journalist for ''[[The Register]]'' claimed that "the gates in Manchester were throwing up so many false results that staff effectively turned them off.<ref>[http://www.theregister.co.uk/2009/11/17/cardiff_biometric/ Cardiff Airport gets more security theatre]</ref> Previously matches had to be 80% the same – this was quickly changed to 30%. Author John Oates wrote that the machines were unable to distinguish between the faces of [[Winona Ryder]] and [[Osama bin Laden]].{{Citation needed|date=August 2011}}
* [[Facial recognition system|Facial recognition]] technology was introduced at [[Manchester Airport]] in August 2008. A journalist for ''[[The Register]]'' claimed that "the gates in Manchester were throwing up so many false results that staff effectively turned them off.<ref>[http://www.theregister.co.uk/2009/11/17/cardiff_biometric/ Cardiff Airport gets more security theatre]</ref> Previously matches had to be 80% the same – this was quickly changed to 30%. Author John Oates wrote that the machines were unable to distinguish between the faces of [[Winona Ryder]] and [[Osama bin Laden]].{{Citation needed|date=August 2011}}
* Australian airline authorities now prohibit any liquids, aerosols, and gels in a container larger than 100&nbsp;ml in luggage hand carried onto international flights. They would prohibit a tube of toothpaste labelled able to contain more than 100&nbsp;ml, even if it were squeezed empty. They would, however, allow the carrying on of 2 or 3 tubes of paste provided each is labelled to carry less than 100&nbsp;ml.<ref>http://travelsecure.infrastructure.gov.au/international/lags/index.aspx</ref>
* Australian airline authorities now prohibit any liquids, aerosols, and gels in a container larger than 100&nbsp;ml in luggage hand carried onto international flights. They would prohibit a tube of toothpaste labelled able to contain more than 100&nbsp;ml, even if it were squeezed empty. They would, however, allow the carrying on of 2 or 3 tubes of paste provided each is labelled to carry less than 100&nbsp;ml.<ref>http://travelsecure.infrastructure.gov.au/international/lags/index.aspx</ref>
Line 95: Line 95:


==See also==
==See also==
* [[Christopher Soghoian]]
* [[Christopher Soghoian]], creator of a website that generated fake airline boarding passes


==References==
==References==

Revision as of 17:42, 13 September 2011

Security theater is a term that describes security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security.[1] The term was coined by computer security specialist and writer Bruce Schneier for his book Beyond Fear,[2] but has gained currency in security circles, particularly for describing airport security measures. It is also used by some experts such as Edward Felten[3] to describe the airport security repercussions due to the September 11 attacks. Security theater gains importance both by satisfying and exploiting the gap between perceived risk and actual risk.[citation needed]

Disadvantages

Security theater has real monetary costs but does not necessarily provide tangible security benefits. Security theater typically involves restricting certain aspects of people's behaviour in very visible ways, that could involve potential restrictions of personal liberty and privacy, ranging from negligible (where bottled water can be purchased) to significant (prolonged screening of individuals to the point of harassment).

The direct costs of security theater may be lower than that of more elaborate security measures. However, it may divert portions of the budget for effective security measures without resulting in an adequate, measurable gain in security.[4] In many cases, intrusive security theater measures also create secondary negative effects whose real cost is hard to quantify and likely to dwarf the direct expenses.[citation needed]

Such ripple effects are often connected to fear; visible measures such as armed guards and highly intrusive security measures may lead people to believe that there must be a real risk associated with their activity. Other reasons for ripple effects may be that people are simply unwilling to undergo such intrusions as would be required for some activity by the security measures imposed on it.

An example for both issues is that after a recent increase in restrictions in air travel, many frequent air travellers have expressed that they will try to avoid flying in the future. Incongruously, car travel, which is often considered as the alternative, is in fact riskier than air travel.[5]

Security theater encourages people to make uninformed, counterproductive political decisions.[citation needed] The feeling of (and wished for) safety can actually increase the real risk.

The disruption, cost, and fear caused by security theater acts as positive feedback for those who wish to exploit it: even if they fail to take lives, they can cause large economic costs.

Critics such as the American Civil Liberties Union have argued that the benefits of security theater are temporary and illusory since after such security measures inevitably fail, not only is the feeling of insecurity increased, but there is also loss of belief in the competence of those responsible for security.

Benefits

While it may seem that security theater must always cause loss, it may actually be beneficial, at least in a localised situation. This is because perception of security is sometimes more important than security itself.[6] If the potential victims of an attack feel more protected and safer as a result of the measures, then they may carry on activities they would have otherwise avoided. In addition, if the security measures in place appear effective, potential attackers may be dissuaded from proceeding or may direct their attention to a target perceived as less secure. Unsophisticated adversaries in particular may be frightened by superficial impressions of security (such as seeing multiple people in uniform or observing cameras) and not even attempt to find weaknesses or determine effect.

Security theater may also be useful where a threat is perceived to be more likely than it really is; in these cases, it can bring the risk's perception in line with its reality. For example, a gated community might have weak enough security that the gates don't really reduce the risk of crime, but if it is in a low-crime area anyway the gates can help ensure that people feel as safe as they ought to.

Security theater has also proven itself effective in reducing shoplifting, particularly for businesses too small or otherwise unwilling to spend money on actual security measures. Examples of this include the use of mock surveillance cameras and empty camera housings; attachment of devices with blinking indicator lamps (and no other function) to high theft goods; and placing periodic make-believe security-related announcements on the store's public address system such as, "Inventory control...Please zoom cameras, focus and record zones 5, 8, and 9."[citation needed]

Examples

It is inherently difficult to give examples of security theater that are clear and uncontroversial, because once it is agreed by all that a measure is ineffective, the measure seldom has any noticeable influence on perceived risk. As such the following are examples of alleged security theater.

  • National Guardsmen carrying automatic weapons in airport lobbies in the months following the September 11 attacks.[7] Reports varied on whether the weapons were loaded or unloaded; loaded weapons would apparently pose an extreme danger to the dense crowds found at an airport in the case of an actual incident.
  • The announcement after the September 11th suicide attacks that airports would be discontinuing curbside check-in, which had no relationship to the tactics Al Qaeda employed in hijacking the aircraft and would pose no barrier to a suicide bomber who fully intended to board the aircraft with a bomb bag anyway.
  • The air travel industry uses a screening system called Computer Assisted Passenger Prescreening System. This system relies on static screening of passenger profiles to choose which people should be searched. Systems of this nature have been demonstrated to reduce the effectiveness of searching below that of random searches since terrorists can test the system and use those who are searched least often for their operations.[8]
  • With the aim of preventing individuals on a No Fly List from flying in commercial airliners, U.S. airports require all passengers to show valid picture ID (e.g. a passport or driver's license) along with their boarding pass before entering the boarding terminal. At this checkpoint, the name on the ID is matched to that on the boarding pass, but is not recorded. In order to be effective, this practice must assume that 1) the ticket was bought under the passenger's real name (at which point the name was recorded and checked against the No Fly List), 2) the boarding pass shown is real, and 3) the ID shown is real. However, the rise of print-at-home boarding passes, which can be easily forged, allows a potential attacker to buy a ticket under someone else's name, to go into the boarding terminal using a real ID and a fake boarding pass, and then to fly on the ticket that has someone else's name on it.[9][10][11][12] Additionally, recent investigations show that obviously false IDs can be used when claiming a boarding pass and entering the departures terminal, so a person on the No Fly List can simply travel under a different name.[13][14]
  • Random searches on subway systems, such as those taking place on the New York City Subway system, have been criticized by the American Civil Liberties Union and others as security theater. They allege that since such searches are only at some stations and that people may decline such a search and simply leave that station, a terrorist could simply find a station where no searches were occurring and board there.[citation needed]
  • The 1950s "duck and cover" drills in U.S. public schools – which suggested that ducking under a desk is a reasonable way to protect oneself from the detonation of an atomic bomb.
  • Facial recognition technology was introduced at Manchester Airport in August 2008. A journalist for The Register claimed that "the gates in Manchester were throwing up so many false results that staff effectively turned them off.[15] Previously matches had to be 80% the same – this was quickly changed to 30%. Author John Oates wrote that the machines were unable to distinguish between the faces of Winona Ryder and Osama bin Laden.[citation needed]
  • Australian airline authorities now prohibit any liquids, aerosols, and gels in a container larger than 100 ml in luggage hand carried onto international flights. They would prohibit a tube of toothpaste labelled able to contain more than 100 ml, even if it were squeezed empty. They would, however, allow the carrying on of 2 or 3 tubes of paste provided each is labelled to carry less than 100 ml.[16]
  • As demonstrated on the Discovery Channel show It Takes a Thief, most low-end locks and security systems provide very minimal actual protection against an experienced burglar. Commercially constructed doors without deadbolts can be simply overpowered by human kicks, and police response times to security alarms are frequently far too slow to catch a thief before he is finished ransacking the house and in flight.
  • The use of virus scanners to detect malware on computer systems. In order to be "scanned", a piece of malware (be it a virus, trojan horse, spyware, rootkit, etc.) needs to be identified and recognized by the company developing the software to create a "signature" for it and deploy this to machines running its software. This reveals some considerable doubts about the approach in general in that:
    • First, if a virus or piece of malware is not identified, it will not be detected in time to prevent it from delivering its payload. In the case of a rootkit it is usually insufficient to simply "scan and remove" it, requiring a restore or reinstall to guarantee a clean system.[17][18]
    • Second, if the antivirus company refuses to identify a virus or other piece of malware or acknowledge it, the malware gets a free pass, regardless of damage caused or data compromised. This was the case in the Sony rootkit fiasco.[19]
    • Third, a computer system which can be compromised via an automated method such as viruses or malware has inherent security flaws which could just as easily be exploited by an individual looking to exploit the flaw.[20]

Usage

Theater of the Absurd at the T.S.A. For theater on a grand scale, you can't do better than the audience-participation dramas performed at airports, under the direction of the Transportation Security Administration. ... The T.S.A.'s profession of outrage is nothing but 'security theater,' Mr. Schneier said, using the phrase he coined in 2003 to describe some of the agency's procedures.

— The New York Times; December 17, 2006[21]

Report: Plane Lighter Ban to Be Lifted. Airline passengers will be able to bring many types of cigarette lighters on board again starting next month after authorities found that a ban on the devices did little to make flying safer, a newspaper reported Friday. 'Taking lighters away is security theater,' Transportation Security Administration chief Kip Hawley told The (New York) Times in an interview.

— Associated Press; July 20, 2007[22]

See also

References

  1. ^ Schneier, Bruce (2003). Beyond Fear: Thinking Sensibly about Security in an Uncertain World. Copernicus Books. p. 38. ISBN 0-387-02620-7.
  2. ^ 60 Minutes (2008-12-21). "Expert: TSA Screening is Security Theater". CBS News. Retrieved 2009-07-22.{{cite web}}: CS1 maint: numeric names: authors list (link)
  3. ^ Edward Felten (2004-07-09). "Security Theater". Retrieved 2009-07-22.
  4. ^ Zack Phillips (2007-08-01). "FEATURES Security Theater". Government Executive. Retrieved 2009-07-22.
  5. ^ "Executive Protection - Alternate travel issues" (PDF). ÆGIS e-journal. 6 (12): 5–6. 2003. {{cite journal}}: Unknown parameter |month= ignored (help)
  6. ^ Peter N. Glaskowsky (2008-04-09). "Bruce Schneier's new view on Security Theater". Retrieved 2009-07-22.
  7. ^ http://www.pbs.org/newshour/bb/terrorism/july-dec01/airline_10-2.html
  8. ^ Chakrabarti, Samidh and Strauss, Aaron (2002-05-16). "Carnival Booth: An Algorithm for Defeating the Computer-Assisted Passenger Screening System". Massachusetts Institute of Technology. Retrieved 2006-09-06. {{cite journal}}: Cite journal requires |journal= (help)CS1 maint: multiple names: authors list (link)
  9. ^ Slate's Andy Bowers on Airport Security loopholes - Boing Boing
  10. ^ Crypto-Gram: August 15, 2003
  11. ^ A dangerous loophole in airport security. - By Andy Bowers - Slate Magazine
  12. ^ Fake Boarding Pass Generator mirror site - Boing Boing
  13. ^ http://www.kctv5.com/Global/story.asp?S=6511234
  14. ^ Flying without ID won't work? Try making your own ID. - Boing Boing
  15. ^ Cardiff Airport gets more security theatre
  16. ^ http://travelsecure.infrastructure.gov.au/international/lags/index.aspx
  17. ^ "McAfee Customers Complain of Ineffective Scanning". McAfee Communities. 2010-04-17. Retrieved 2011-01-25.
  18. ^ Danseglio, Mike (2005-10-06). "Rootkits: The Obscure Hacker Attack". Microsoft Technet. Retrieved 2011-01-25.
  19. ^ Schneier, Bruce (2005-11-17). "Real Story of the Rogue Rootkit". Wired.com. Retrieved 2011-01-25.
  20. ^ Moen, Rick (2010-09-29). "Should I Get Antivirus Software for My Linux Box?". LinuxMafia. Retrieved 2011-01-25.
  21. ^ Theater of the Absurd at the T.S.A.
  22. ^ http://www.cbsnews.com/stories/2007/07/20/national/main3080127.shtml TSA To Lift Ban On Most Lighters On Planes/Security Chief Says Taking Lighters Away From Passengers Was "Security Theater"

External links

Retrieved from "https://en.wikipedia.org/w/index.php?title=Security_theater&oldid=450327875"