Tuesday, September 26, 2006

TSA = arbitrary rules

When you're pulled over by a Police Officer for speeding, things are fairly cut and dry. He tells you you're speeding, and if you have any questions as to why this is a problem, he can cite the specific local/state laws which prohibit the type of behavior/speeds that you were engaged in.

When you're ordered to do something by TSA, or worse, told that you're breaking the rules, you're in rough shape. Mainly because most of their rules are secret. As amusing as it was to test the TSA screening rules against a bottle of sex lube, I was at least lucky enough to be testing a rule which they post on their website.

Their rules for who must or need not show ID, or who can decline to go through puffer machines (and if so, what they must submit to in exchange for this) are all covered by secret rules that the TSA keep to themselves. TSA deems these "Secret Security Directives" and as such, is not required to share these with the public. Even though you are forced to submit yourself to these rules, and in spite of the fact that the TSA employees cite the rules when telling you what to do, you have no way of keeping them in check.

Checks and balances are extremely important. Without them, we become victims of those who abuse their powers. One day, they enforce the rules, the next day, they don't. They can pick and choose who to enforce them against (i.e. males with darker skin, those who don't shave, or anyone with a foreign sounding name).

I've sent an email to Rene Harris of the Indianapolis TSA office to seek clarification for their seemingly arbitrary rules regarding who can and cannot opt out of the puffer machines. Esp. after successfully avoiding them at DCA, it'll be very interesting to see what he says.

Washington National TSA experience

I assumed that security would be even tighter at Washington National (DCA), what with it being in the Nation's Capital, home to half of the 9/11 attacks, etc...

Having learned from my mistakes last week, I walked up to the Northwest desk with the boarding pass issued to me by the easy-checkin machine, and asked them to print me up a new one marked "SSSS" as I did not have ID. After verbally confirming that I was without ID, the agent printed me out a new pass.

Next stop: The TSA Checkpoint.

The contractor manning the pre-checkpoint security station received the news rather well (Note: "I don't have ID" works far better than "I am invoking my court-recognized right not to show ID", esp. for 8 dollar an hour security folks who don't want their jobs made more difficult). She wrote the words "NO ID" in very large red letters on my boarding pass, and shooed me into the checkpoint line.

Alas, at DCA, selectees/terrorists to be must stand in the same lines as everyone else, and so I didn't get rushed to the front as at Indianapolis.

DCA, at least at the domestic Northwest checkpoint, has 2 lines. One line with just an x-ray/metal detector, and another with a High Tech "Smiths" creepy puffer machine.
As opposed to other airports where you are randomly selected for the puffer machine, at this airport, everyone going through the sole-xray line is spared the puffer treatment, and everyone unfortunate enough to think that the puffer line is shorter is subjected to a few blasts of air.

I approached the guy manning the Smiths machine - handed him my boarding pass (clearly marked "SSSS" and "NO ID"), and explained that I did not want to go through the puffer machine, and that I was happy to undergo additional screening.

2 supervisors later, after carefully explaining to me that by not going through the Smiths machine, that they would be looking at every individual item in my carry on bag, they let me skip it.

Success. Thus, while Indianapolis airport's TSA folks insisted that I go through the puffer machine, the folks at DCA let me skip it after speaking to a supervisor.

The rest of the story is the same as Wednesday for the most part. Again, they tried to take away my sex lube, and yet again, I had to pull over a supervisor and remind her of what the TSA website states.

Other than that, I yet again made it onto an airplane without showing a single piece of ID, and the entire search/TSA experience didn't take more than 15 minutes.

Friday, September 22, 2006

TSA Love

I flew from Indianapolis to Washington DC yesterday. Given that my flight was pretty early in the afternoon, and with a fairly free schedule, I figured I'd take John Gilmore up on the public challenge he issued earlier in the summer, and try to fly without my ID.

I arrived at Indy airport at 4:30ish, walked straight to the computer-easy-checkin machine that Northwest had at the curbside, inserted my credit card, selected my seats, and then promptly received my boarding pass. A friendly Northwest employee assisted me with the touch-screen which needed to be pressed rather firmly, but didn't ask for any ID.

Score. With my boarding pass in hand, I walked to the security checkpoint for the Northwest terminal.

However, before I could get to TSA, I had to pass the 3rd party contractors who check ID/boarding passes. I walked up to a friendly 70 year old woman with a uniform on, gave her my boarding pass, and told her that I was declining to show ID. I didn't want to make her life too difficult, and asked her if I could speak to one of the TSA officers.

It seems that these guys are paid by the airlines, and not TSA - and as such, their responsibility is to the airline paying them. She had been told not to let people past without an ID, or a boarding pass stating that they didn't have an ID, and so she walked me to the Northwest checkin counter.

There, I spoke to their head supervisor. I explained what I was doing, that I was exercising my right to not show ID, and that I would be happy to undergo secondary screening. She was really nice, and told me that in the future, I should just tell them I had forgotten my ID (as there are standard procedures to deal with this). She had one of her employees print me up a new boarding pass which clearly listed me as "SSSS" - which is their lingo for Secondary Screening Selectee.

Armed with this new boarding pass, I was ushered into a special line at the TSA checkpoint, allowing me to bypass all the other people in line. Not bad! As I approached the x-ray machine, the words "We have a number 2 coming" were echoed down the line of TSA employees. It seems that SSSS = Number two.

In general, I tend to refuse to be screened by the fancy GE entryscan machines - the high tech gadgets that shoot air at you, and then analyze the particles which it dislodges. They freak me out, and I consider them an intrusion into my private space. After all, you never know what they're checking for, in addition to bomb making chemicals.

I declined to go through the easyscan machine as normal, and was mid-way through being hand-searched by a TSA guy with a hand-held metal detector when a supervisor came over, and informed me that as an SSSS selectee, I didn't have the right to decline the GE air-shooting machine. I could either submit to a search by the machine, or I could not fly. If I had any objection to this choice, he would be happy to summon a police officer who could explain it to me.

I could easily see that this could turn nasty, so I took down his name, got the business card of the TSA customer service person assigned to Indy airport, and consented to the creepy air-blast search.

Once that was done, they moved on to searching my bags...

The only thing worth mentioning, is that I had brought a bottle of personal lubricant (i.e. KY Jelly) - after seeing it on the TSA website as one of the medical necessity liquid items that you're allowed to bring.

During the rather extensive search of my bag, they of course found this.

The exchange went something like this:

TSA screener: You can't have this sir.
Me: I checked the TSA website, it says I can have 4.0oz of KY. That's 3.8. It's allowed.
TSA screener: I'm sorry sir, no liquids.
Me: Please get your supervisor.

The supervisor arrives..

Me: I checked your website, and this is on the list of approved items.
TSA Supervisor 1: No. You are not allowed to take it onboard.
Me: But the website....
TSA Supervisor 1: The sign over there says no liquids. That means no liquids.
Me: Can I speak to your supervisor?

Finally, a 2nd supervisor arrives:

Me: I checked your website. It clearly states I can have this. Why am I being forbidden from taking it on?
TSA Supervisor 2: That is for items of medical necessity like Preparation H.
TSA Supervisor 2: What medical necessity do you have that you need KY on board?
Me: Are you a doctor? Are you qualified to decide what is and isn't a medical necessity. It's on the website as approved.
TSA Supervisor 2 grumbles and then instructs the junior officer to test the KY for bomb-materials and then let it through.

Success!

In the end, the screening process took about 10 minutes - it was quite interesting to see them all at work. I successfully boarded an airplane without showing a single piece of ID to anyone at the airport, and managed to get a bottle of sex lube onto the plane without TSA taking it away.

I've emailed the TSA customer service rep to get a clarification on the SSSS/mandatory air-blast test issue, and to also find out why all of the TSA staff members are not aware of the list of approved liquids. I'll update the blog once I hear back.

Wednesday, September 06, 2006

Facebook fun

Now that I'm a student again, it's time to join the masses and start playing with facebook.

I'll leave it to plenty of other people out there to point out how insane it is that people post rather important information on themselves. For fun, do a quick search for people between the age of 18-20 who list beer as a hobby/interest.

It's a shame that federal student loan data is private (and probably a federal crime to dig through if it's not private) - as it'd be a rather fun query to see the intersection of students who list marijuana as an interest and those who receive student aid - given that you lose your right to get student aid forever if you ever get caught smoking pot.

So instead, let's focus on another fun feature of Facebook... privacy.

A user can specify that their profile is private, and thus only their friends can view it. Someone browsing through profiles will just see their name, a photo, and their school/year.

However, if you search for specific terms, Facebook will return all positive matches - including those people who have marked their profile as private.

Case in point. Which IU students moonlight at strip clubs in Bloomington:

http://indiana.facebook.com/s.php?adv&k=10010&n=-1&cy=Night%20Moves&o=4
http://indiana.facebook.com/s.php?adv&k=10010&n=-1&cy=Legends&o=4

From this, we learn that [redacted] ('06) works at Night Moves, but her profile is public, so this is not such a revelation.

However, far more interesting is that [redacted] ('07) also works there, and has marked her profile as private.

And what the hell. Since we're looking, it's also worth noting that [redacted] lists marijuana as one of her interests: [redacted facebook query]
Now, what about Legends.

Well, this is somewhat tougher.

[redacted] ('10), [redacted] ('09) and [redacted] ('06) all return a positive match.

[redacted]'s profile is public, and reveals the fact that she works at the Legends Title company. Drat, it seems there are false positives due to common names.

However, a quick search for Legends Title only returns Shelley's name (http://indiana.facebook.com/s.php?adv&k=10010&n=-1&cy=Legends%20Title&o=4), thus leading me to believe that either [redacted] and [redacted] work at the Legends strip club in Bloomington, or some other company whose name has legends in it.

Clearly, this is not foolproof.

I'm willing to bet that in the case of Night Moves, we won't have any false positives due to the uniqueness of that company's name.

And the moral of this story is:

Just because you mark something private on facebook, doesn't necessarily mean it is private....
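
The search behaviour described in this post, reduced to a small model as an added example (not Facebook's code and not part of the original post): a search that matches on hidden fields and returns only the public stub still discloses the hidden value through result membership, so the visibility check has to be part of the match itself. All names, fields and functions below are hypothetical and the data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    name: str       # shown in the public stub
    school: str     # shown in the public stub
    employer: str   # part of the full profile only
    private: bool = False
    friends: set = field(default_factory=set)

    def stub(self):
        return (self.name, self.school)

# Constructed sample data; no real people or employers.
PROFILES = [
    Profile("alice", "State U", "Acme Diner"),
    Profile("bob", "State U", "Acme Diner", private=True, friends={"carol"}),
    Profile("dave", "State U", "Library", private=True),
]

def can_view_full(viewer, p):
    """Who may read the full profile: anyone if public, else owner or friends."""
    return (not p.private) or viewer == p.name or viewer in p.friends

def search_leaky(viewer, employer):
    # Matches on every profile's fields and filters only what is *displayed*.
    # The stub is public, but appearing in the results reveals the hidden field.
    return [p.stub() for p in PROFILES if p.employer == employer]

def search_enforced(viewer, employer):
    # The visibility check is part of the match predicate, so a field the
    # viewer cannot read can never influence the result set.
    return [p.stub() for p in PROFILES
            if can_view_full(viewer, p) and p.employer == employer]

def leaked_by_search(viewer, employer):
    """Names whose hidden employer the viewer learns only from result membership.

    Usable as a regression check: it must be empty for every viewer and term.
    """
    hits = {name for name, _ in search_leaky(viewer, employer)}
    allowed = {name for name, _ in search_enforced(viewer, employer)}
    return sorted(hits - allowed)

if __name__ == "__main__":
    print(leaked_by_search("mallory", "Acme Diner"))
    print(search_enforced("mallory", "Acme Diner"))
```
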

Tuesday, September 05, 2006

First (sorta) Day of Classes

Due to Burning Man last week, I missed the real first week of classes. Thus, this week was the first for me.

Jean's class was a blast - and covered such fun topics as:
rightwing nutjobs posting the names of abortion doctors,
the right to privacy of john/jane doe in lawsuits,
the right of consenting adults to engage in non-typical sexual behavior,
and more craziness on the part of republicans.

It's really really cool to be taking a security related class with someone who is actually willing to talk about the societal + legal related issues that come along for the ride.

It's also awesome to be able to bring up Lawrence v. Texas and data protection in the same discussion.

Major high hopes for this class.

---

Markus's class proved to be exceedingly cool - mainly due to the fact that Roger Dingledine and Paul Syverson are in town for the next 2 weeks doing a guest lecture/visiting researcher thing.

They spent the class giving an intro to Tor, which wasn't too informative - due to the fact that I'm an avid Tor user, and implemented the v1 onion routing protocol as a class project back at Hopkins.

Markus's class is going to involve significant amounts of groupwork - which I'm always wary of. You never know who you're going to end up with, and how lazy/incompetent they'll be.

I've been assigned to a group doing something Phishing related.

The other half of the class is working on Click-Fraud - which is easily much much sexier and hot. However, it's probably a good idea for me to keep away from click-fraud related stuff for the near future, just to keep on the good side of my Google NDA.

---

My 3rd and final class is a security seminar. 4 students, one professor, we each present 2 papers - which we are assigned from a shortlist of 5 papers we give to the prof.

It doesn't look too bad. I'm just hoping my peers don't choose insanely boring papers.

---

The evening was wrapped up with a 3 hour dinner with Paul and Roger over turkish food.

Quite a few things were discussed - including open problems facing the Tor project.

Roger and I still don't see eye to eye on the future of Tor - but that's ok, because it's his project ;)

To be able to sell my case, I need a sexy story.

The problem here, is that Chinese pro-democracy dissidents don't currently need to be able to use Bit Torrent anonymously. In fact, they really don't need to exchange multiple gigabytes of data on a regular basis...

Thus, I need to find a new and improved story - one that is better than Chinese Dissidents, and involves vast amounts of anonymous data.

Sunday, September 03, 2006

Terrorist Hummous

En route back from Burning Man, I stopped in Reno for the night.

Reno has a Trader Joe's - and after a week of mostly Clif bars, this was too good to be true.

Alas, the Transportation Safety Administration doesn't see things my way.

In their view, factory sealed stuffed-grape leaves, Hummous, and yoghurt are all liquids - and thus components of a bomb.

My conversation with the TSA goons went something like this:

Them: You can't take these on board. They're liquids.
Me: No. They're solid foods. The hummous is more of a paste than a liquid.
Them: You can't take it through.
Me: I realize that hummous and Al Qaeda come from the same part of the world - but well, so does Algebra.
Me: Israel also produces lots and lots of hummous, and our government loves them.
Him: Sir, you're going to have to make up your mind. There are other people waiting.


Needless to say, when I eventually went back through the security checkpoint after having a rushed breakfast, I was "randomly" selected to be thoroughly screened....

Saturday, September 02, 2006

Back to Blogging

Now that I'm no longer a full time Google employee, it seems like a good idea to start blogging again.

Given that I'm also no longer travelling full time, this blog will be moving away from the documenting-my-backpacking-craziness subject matter, and well, will become more an outlet for my daily life and PhD student geekiness.