Wednesday, August 16, 2006

The safety of air travel

As y'all know, I'm a security consultant. These days I mostly do information security, but not so long ago I was also involved in physical security.

One of the things I did was audit the security of arports; especially the access control and screening side of thing.

I won't get into details, but let me just say that for years I've been saying, you just can't make air travel even 50% safe and secure. It isn't possible. The best you can do is mitigate reasonable risks, in a reasonable way. The first step in this is to post two visibly armed men, trained and ordered to shoot any reasonable threat, at every checkpoint, and in every passenger cabin.

Obviously we as Americans wouldn't accept this, but that is the only reasonable security measure that has any real effect; and that STILL wont have any impact on either a passive threat (pre-positioned explosives), a suicidal deadman threat (a bomber rigged so that he doesnt have to actively detonate the bomb, and so that the bomb goes off automatically if he dies), or various chemical and biological threats.

Now, this whole binary liquid explosives terrorist thing... The explosive the bombers were supposedly going to make on board was TATP, or one of the other Acetone Peroxide compounds. Although there ARE currently extant detectors for the stuff, they aren't deployed anywhere in the U.S. that I know of, nor is the appropriate screening protocol for them in place. They're cheap and trivial to make (though dangerous as all hell), and you can't really control the precursor chemicals (why it is so beloved by terrorists). Hell, you can make it ACCIDENTALLY when you're laying up fiberglass.

I've not want to write about it until the hysteria cooled down; but today I read something that obviated the need for me to write anything, because it's pretty much exactly what I was going to write (though I'm a lot more evil minded, and evilly trained than the author is I s'pose. I came up with a LOT more, nastier, and harder to stop ways to take down an airliner than he did).

I present it in it's entirety here, cross posted from the "interesting people" list:
From: "Perry E. Metzger" 
Date: August 11, 2006 12:25:19 AM EDT
To: David Farber
Subject: On the implausibility of the explosives plot.


[For IP.]

First, a note of introduction. Until recently, I was a computer
security guy, and as with many in my profession, the application of
computer security analysis to non-computer security problems was
increasingly interesting to me. Now, for reasons that don't need
exploring at this juncture, I'm back at school, studying chemistry,
and I'm spending this summer in a lab doing organic synthesis
work. Strangely, today I find my interests colliding.

So, I'm doing a bunch of reading, and I find the claimed method the
"highly sophisticated" attackers came up with for bringing down
airliners kind of implausible. I wonder if it could ever work in
reality.

A disclaimer, I'm working entirely off of news reported by people who
don't know the difference between soft drinks and nail polish remover,
but the information I've seen has the taste of being real. As near as
I can tell, it is claimed that the terrorists planned to make organic
peroxides in situ on board an airplane and use them to destroy the
plane.

This seems, at least given my initial examination of the idea,
implausible.

Based on the claims in the media, it sounds like the idea was to mix
H2O2 (hydrogen peroxide, but not the low test kind you get at the
pharmacy), H2SO4 (sulfuric acid, of necessity very concentrated for it
to work at all), and acetone (known to people worldwide as nail polish
remover), to make acetone peroxides. You first have to mix the H2O2
and H2SO4 to get a powerful oxidizer, and then you use it on acetone
to get the peroxides, which are indeed explosive.

A mix of H2O2 and H2SO4, commonly called "piranha bath", is used in
orgo labs around the world for cleaning the last traces out of organic
material out of glassware when you need it *really* clean -- thus,
many people who work around organic labs are familiar with it. When
you mix it, it heats like mad, which is a common thing when you mix
concentrated sulfuric acid with anything. It is very easy to end up
with a spattering mess. You don't want to be around the stuff in
general. Here, have a look at a typical warning list from a lab about
the stuff:

http://www.mne.umd.edu/LAMP/Sop/Piranha_SOP.htm

Now you may protest "but terrorists who are willing to commit suicide
aren't going to be deterred by being injured while mixing their
precursor chemicals!" -- but of course, determination isn't the issue
here, getting the thing done well enough to make the plane go boom is
the issue. There is also the small matter of explaining to the guy
next to you what you're doing, or doing it in a tiny airplane bathroom
while the plane jitters about.

Now, they could of course mix up their oxidizer in advance, but then
finding a container to keep the stuff in that isn't going to melt is a
bit of an issue. The stuff reacts violently with *everything*. You're
not going to keep piranha bath in a shampoo bottle -- not unless the
shampoo bottle was engineered by James Bond's Q. Glass would be most
appropriate, assuming that you could find a way to seal it that
wouldn't be eaten.

So, lets say you have your oxidizer mixture and now you are going to
mix it with acetone. In a proper lab environment, that's not going to
be *too* awful -- your risk of dying horribly is significant but you
could probably keep the whole thing reasonably under control -- you
can use dry ice to cool a bath to -78C, say, and do the reaction
really slowly by adding the last reactant dropwise with an addition
funnel. If you're mixing the stuff up in someone's bathtub, like the
guys who bombed the London subways a year ago did, you can take some
reasonable precautions to make sure that your reaction doesn't go
wildly out of control, like using a lot of normal ice and being very,
very, very careful and slow. You need to keep the stuff cool, and you
need to be insanely meticulous, or you're going to be in a world of
hurt.

So, we've covered in the lab and in the bathtub. On an airplane? On an
airplane, the whole thing is ridiculous. You have nothing to cool the
mixture with. You have nothing to control your mixing with. You can't
take a day doing the work, either. You are probably locked in the
tiny, shaking bathroom with very limited ventilation, and that isn't
going to bode well for you living long enough to get your explosives
manufactured. In short, it sounds, well, not like a very good idea.

If you choke from fumes, or if your explosives go off before you've
got enough made to take out the airplane -- say if you only have
enough to shatter the mirror in the bathroom and spray yourself with
one of the most evil oxidizers around -- you aren't going to be famous
as the martyr who killed hundreds of westerners. Your determination
and willingness to die doesn't matter -- you still need to get the job
done.

You also need quite a bit of organic peroxides made by this route in
order to be sure of taking down a plane. I doubt that just a few grams
is going to do it -- though of course the first couple of grams you
are likely to go off before you make any more. The possibility of
doing all this in an airplane lav or by some miracle at your seat
seems really unlikely. Perhaps I'm just ignorant here -- it is
possible that a clever person could do it. I can't see an easy way
though.

So far as I can tell, for the pragmatic terrorist, the whole thing
sounds really impractical. Why not just smuggle pre-made explosives on
board? What advantage is this "binary system" idea in the first place?
There are also all sorts of ideas a smart person could come up with in
a few minutes of thinking -- see below.

The news this morning was full of stuff about "ordinary looking
devices being used as detonators". Well, if you're using nasty
unstable peroxides as your explosive material, you don't really need
any -- the stuff goes off if you give it a dirty look. I suspect a
good hard rap with a hard heavy object would be more than
sufficient. No need to worry about those cell phones secretly being
high tech "detonators" if you're going this route.

Anyway, from all of this, I conclude that either

1) The terrorists had a brilliant idea for how to combine oxidizer and
a ketone or ether to make some sort of nasty organic peroxide
explosive in situ that has escaped me so far. Perhaps that's true
-- I'm not omniscient and I have to confess that I've never tried
making the stuff at all, let alone in an airplane bathroom.
2) The terrorists were smuggling on board pre-made organic peroxide
explosives. Clearly, this is not a new threat at all -- organic
peroxide explosives have been used by terrorists for decades
now. Smuggling them in a bottle is not an interesting new threat
either -- clearly if you can smuggle cocaine in a bottle you can
smuggle acetone peroxide. I would hope we had means of looking for
that already, though, see below for a comment on that.
3) The terrorists were phenomenally ill informed, or hadn't actually
tried any of this out yet -- perhaps what we are told was a
"sophisticated plot" was a bunch of not very sophisticated people
who had not gotten very far in testing their ideas out, or perhaps
they were really really dumb and hadn't tried even a small scale
experiment before going forward.

There are other open questions I have here as well. Assuming this is
really what was planned, why are the airport security making people
throw away their shampoo? If you open a shampoo bottle and give it a
sniff, I assure you that you'll notice concentrated sulfuric acid very
fast, not that you would want to have your nose near it for long. No
high tech means needed for detection there. Acetone is also pretty
distinctive -- the average airport security person will recognize the
smell of nail polish remover if told that is what they're sniffing
for. Oh, and even if they used a cousin of acetone, say methyl ethyl
ketone (aka MEK, aka 2-butanone), you'll still pick up on the smell.


And now, on to the fun part of this note. First they came for the nail
clippers, but I did not complain for I do not cut my finger nails. Now
they've come for the shampoo bottles, but I did not complain for I do
not wash my hair. What's next? What will finally stop people in their
tracks and make them realize this is all theater and utterly
ridiculous? Lets cut the morons off at the pass, and discuss all the
other common things you can destroy your favorite aircraft with. Bruce
Schneier makes fun of such exercises as "movie plots", and with good
reason. Hollywood, here I come!

We're stopping people from bringing on board wet things. What about
dry things? Is baby powder safe? Well, perhaps it is if you check
carefully that it is, in fact, baby powder. What if, though, it is
mostly a container of potassium cyanide and a molar equivalent of a
dry carboxylic acid? Just add water in the first class bathroom, and
LOTS of hydrogen cyanide gas will evolve. If you're particularly
crazy, you could do things like impregnating material in your luggage
with the needed components. Clearly, we can't let anyone carry on
containers of talc, and we have to keep them away from all aqueous
liquids.

See the elderly gentleman with the cane? Perhaps it is not really an
ordinary cane. The metal parts could be filled with (possibly
sintered) aluminum and iron oxide. Thermit! Worse still, nothing in a
detector will notice thermit, and trying to make a detector to find
thermit is impractical. Maybe it is in the hollowed portions of your
luggage handles! Maybe it is cleverly mixed into the metal in
someone's wheelchair! Who knows?

Also, we can never allow people to bring on laptop computers. It is
far too easy to fill the interstices of the things with explosives --
there is a lot of space inside them -- or to rig the lithium ion
batteries to start a very hot fire (that's pretty trivial), or if
you're really clever, you can make a new case for the laptop that's
made of 100% explosive material instead of ordinary plastic. Fun!

No liquor on board any more, of course. You can open lots of little
liquor bottles and set the booze on fire, and besides, see the dangers
of letting people have fluids. Even if you let them have fluids, no
cans of coke -- you can make a can of coke into a shiv in a few
minutes. No full sized bottles of course, since you can break 'em and
use them as a sharp weapon, so no more champagne in first class
either, let alone whiskey.

Then, lets consider books and magazines. Sure, they look innocent, but
are they? For 150 years, chemists have known that if you take
something with high cellulose content -- cotton, or paper, or lots of
other things -- and you nitrate it (usually with a mixture of nitric
and sulfuric acids), you get nitrocellulose, which looks vaguely like
the original material you nitrated but which goes BOOM
nicely. Nitrocellulose is the base of lots of explosives and
propellants, including, I believe, modern "smokeless" gunpowder. It
is dangerous stuff to work with, but you're a terrorist, so why
not. Make a bunch of nitrocellulose paper, print books on it, and take
'em on board. The irony of taking out an airplane with a Tom Clancy
novel should make the effort worthwhile.

So, naturally, we have to get rid of books and magazines on
board. That's probably for the best, as people who read are
dangerous.

And now for a small side note. It is, of course, commonly claimed that
we have nitro explosive detectors at airports, but so far as I can
tell they don't work -- students from labs I work in who make nitro
and diazo compounds for perfectly legitimate reasons and have trace
residues on their clothes have told me the machines never pick up a
thing even though this is just what they're supposed to find, possibly
because they're tuned all the way down not to scare all the people who
take nitroglycerine pills for their angina.

Now, books aren't the only things you could nitrate. Pants and shirts?
Sure. It might take a lot of effort to get things just so or they will
look wrong to the eye, but I bet you can do it. Clearly, we can't
allow people on planes wearing clothes. Nudity in the air will
doubtless be welcomed by many as an icebreaker, having been deprived
of their computers and all reading material for entertainment.

Then of course there is the question of people smuggling explosives on
board in their body cavities, so in addition to nudity, you need body
cavity searches. That will, I'm sure, provide additional airport
entertainment. By the way, if you really don't think a terrorist could
smuggle enough explosives on board in their rectum to make a
difference, you haven't been following how people in prison store
their shivs and heroin.

However, it isn't entirely clear that even body cavity searches are
enough. If we're looking for a movie plot, why not just get a
sympathetic surgeon to implant explosives into your abdomen! A small
device that looks just like a pace maker could be the detonator, and
with modern methods, you could do something like setting it off by
rapping "shave and a haircut" on your own chest. You could really do
this -- and I'd like to see them catch that one.

So can someone tell me where the madness is going to end?  My back of
the envelope says about as many people die in the US every month in
highway accidents than have died in all our domestic terrorist
incidents in the last 50 years. Untold numbers of people in the US are
eating themselves to death and dying of heart disease, diabetes,
etc. -- I think that number is something like 750,000 people a year?
Even with all the terrorist bombings of planes over the years, it is
still safer to travel by plane than it is to drive to the airport, and
it is even safer to fly than to walk!

At some point, we're going to have to accept that there is a
difference between real security and Potemkin security (or Security
Theater as Bruce Schneier likes to call it), and a difference between
realistic threats and uninteresting threats. I'm happy that the police
caught these folks even if their plot seems very sketchy, but could we
please have some sense of proportion?

Perry


Want a couple hundred more? We can't screen for all of them, and they'll all be jsut as effective.