I have been cleaning up my flat in preparation for the move when I ran across a few small TSA locks. Sure I have used them when traveling to and from the United States but it certainly seemed to be a pretty sketchy to keep your things safe.
Oh, sure it must have seemed like a good idea when it first came up in that meeting.
Why don’t we require all the passengers use locks that we have keys to. It would make it a lot easier if we need to search a suitcase that looks questionable.
I suspect it might indeed make things faster if there is a key-chain on the wall with the master keys for all of the locks. I couldn’t find any statistics on how many suitcases are opened every year but I suspect that despite the number opened the percentage is pretty small compared to the 432 million scanned.
It does actually make a lot of sense having these master keys as some traveler might be trying to smuggle money, drugs or art artifacts in their suitcase. These activities are all illegal and most law abiding people would agree that the law should be obeyed the criminals should be caught and punished. Right?
The only problem with that is that scenario is that people are only human and some of the species are drawn to taking short cuts in order to achieve their goals. Some people might even be using their position to get copy of such a key. The security on these keys is (hopefully) very tight but it is not necessary enough to prevent someone from stealing a key.
People can be greedy or unscrupulous but they also have another attribute – sometimes they are sloppy. Just like accidentally saying to much to a boss or a friend, during an article on TSA travel security, a picture was published of these master keys.
I am not a locksmith but it apparently just a hop skip and a jump from a photograph of a key to creating a physical key of your own.
So while it might seem like a good idea at first to have a number of different TSA padlocks and have the authorities control the keys it really isn’t. Humans find it is pretty much impossible to keep a secret and have a very hard time with good operational security.
Despite having a limit number of locations where these locks will be used there is a market for making bootleg keys available – even years after the key leaks. Possible to purchase keys for these master locks on ebay.
I am not really interested in the TSA locks. I am giving serious consideration to simply purchasing any old lock and using it. There will be two outcomes. The first is that my suitcase will not be selected and thus the lock doesn’t make a difference. The second is that my suitcase is selected and they discover that I am using a non-TSA lock. They will just cut it off and go about their business.
Both of these options would make me more secure than having a lock that virtually anyone could open (pilfer things from my suitcase) and then lock it up like nothing ever happened.
Not physical locks but Encryption
The record with physical security isn’t so rosy but it seems considerably more secure than in the electronic world. It seems like not a month goes by without some sort of huge data breach being published.
This isn’t talking about using “responsible encryption“, this is simply talking about how poor the current state of electronic security is.
- Equifax breach 143 million
- Yahoo breach 3 billion
- Experian data breach 15 million
- Health Insurer Anthem 80 million
- Ebay 130 million
These breaches of occurred just because the “bad” guys go where the data is. This level of data protection is not acceptable but unfortunately this seems to be the norm.
This is the track record of companies whose livelihood depends on staying in business based on their appropriate control of customer data.
With this track record, does it seem like a good idea to hand over the keys for everyone’s electronic key to the government? Well, it is the government, perhaps they are better at keeping control of their data.
It is possible to attempt to change the behavior of people or countries by changing the laws. Right?
It has been suggested, yet again, that there is some possible way to both have safe encryption and yet allow the government easy access to it whenever they want.
The other problem is that humans are a really tricky lot and can come up with a number of clever solutions other than normal encryption.
It is not clear if the US president does intend to pressure companies to use breakable encryption or encryption with backdoors but it would probably have unexpected consequences.
The harder naughty people are chased, the further from the common methods of communication they will stray. If phone encryption is no longer safe, they will brew their own. If that is not possible some of these other historic encryption methods may be used in the dark corners of the internet.
Responsible encryption is strong encryption. In my opinion, it is criminal to weaken encryption that will inevitably end up not only in a social app, banking app or perhaps password keeper. Securing peoples personal information in this age of no privacy is being safe and responsible.
Finally I did see a response to this article that pretty much sums up the hypocrisy of a Republican president wanting more control.
Beyond all the absurdity of this all is the fact that the party that’s been yelling about “limited government” for decades is now suggesting a central government entity collect the passcodes to everyone’s data “just in case”.
In the United States it is not uncommon to see a bumper sticker.
When guns are outlawed only outlaws will have guns
This may be true for something physical like weapons but it is even more true for encryption. The genie has been let out of the bottle decades ago and it is not possible to put the genie back into the bottle. This is because strong encryption is no longer only in the realm of governments. It is possible to download open source solutions that are just as tough to crack as something the NSA uses.
This is the problem that law enforcement faces. Your dirty little secrets on your smart phone are probably as secure as the data stored at Langley.