[mdip]

The argument that will be made against something like this is "We can't use a product that would let the bad guys see how it works!" I know it sounds ridiculous, but in my limited experience, "Security through Obscurity" is a key feature required by everything related to the (ineffective) methods used to secure the airports in the US. I believe this fact was even alluded to in the original article related to the justification for why a PRNG hooked up to a boolean cost USD$1.4M or USD$47,000 or whatever price over an hour's wage of a government intern it actually cost.

[grecy]

Big business thinks the same way.

Someone took the time to explain FOSS to a Director at the telco I worked at, and he went on a month-long campaign to eliminate it from the entire company, ranting about security, etc. He didn't want me using Firefox on my desktop, because security.

Most of us tried as hard as we could not to laugh in his face, given the entire data center with 500+ VM's is sitting on Linux, and almost all the hundreds of millions of dollars of network elements run some flavor of linux.

[hellking4u]

Security through Obscurity is just not a great way of going about it. NIST notes "System security should not depend on the secrecy of the implementation or its components."[1]

Kerckhoffs's principle is also a relevant read.

As professor Bellovin notes :

"It helps, I think, to go back to Kerckhoffs' second principle, translated as "The system must not require secrecy and can be stolen by the enemy without causing trouble," per http://petitcolas.net/fabien/kerckhoffs/). Kerckhoffs said neither "publish everything" nor "keep everything secret"; rather, he said that the system should still be secure even if the enemy has a copy."

[1] http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123...

[geofft]

Kerckhoffs' principle applies to ciphers with keys. For the threat model the TSA is up against, security by obscurity is actually very close to reasonable.

Specifically, if you're talking about ciphers (as Kerckhoffs does), or system software (as NIST does), or anything else, you know in advance who's authorized and who's not. You've solved the hard problem; the rest is simply math, and we're fortunate to live in a time where the math is well-studied. You can give the secret key to the people who are authorized, and not to those who aren't, and your security rests on that key -- and your competence at figuring out who should have been given the key.

The TSA has no such luxury. They have no good way to distinguish me, a random person walking through the airport with a valid boarding pass and too many electronics, from a terrorist, also with a valid boarding pass and many electronics. If they could give me a key in advance, and not the terrorist, they would. (In fact, this is basically what Pre-Check is, and that works okay, although it only reduces the screening because they know Pre-Check can't be perfect.) But there's nothing that reliably distinguishes me and you and hundreds of millions of other non-terrorists from the small number of terrorists, and there's certainly no practical way to publish a key to us hundreds of millions, while keeping it away from terrorists.

So they rely on heuristics, because there is no better option. You cannot build a system that satisfies Kerckhoff's principle, because there is no key separate from the system itself. And any public, keyless system can be gamed trivially. (Think of, say, unkeyed SHA-256 checksums attesting to software integrity. Without a signature, i.e., without a key, anyone can tamper with both the software and the checksum, regardless of how good SHA-256 is.) So the system must be kept private in order for it to work at all... or we give up, and decide that the only people who can fly are those that we can conduct foolproof background checks on. That seems like a worse world.

It is rather like anti-spam and anti-virus. If you could just give a key to all legitimate email or legitimate software, you would. And in fact there are things that attempt to do that. But they can't be complete, and the remainder of the screening works on security-by-obscurity because there is no better option. Either we give up entirely on the ability to receive unsigned mail or run unsigned software (and even that won't be 100% reliable), or we go with the secret heuristics. It's not great, but it's the best we can do.