The premier authority on intrusion detection theory, Martin Roesch, has posted some excellent insights, as well as humorous anecdotes, on his newly minted blog:
If the set of things that need to be detected (signatures) is constrained to guns, knives and bomb materials, I’d say grudgingly that a motivated screener could maintain alertness through their entire period manning the machine to have a reasonable probability of detection of the things in the set of threats. Once you extend that signature set to, well, pretty much everything that’s not paper or cloth you’re going to have an analyst’s nightmare because you just did the equivalent of “alert ip any any -> any any (msg: "Something bad may have happened!!";)” in Snort.
True, but that is probably not an accurate depiction of current events. There is a period of re-tuning the sensor, rather than de-tuning, and in this case the current detection technology is unable to detect the threat regardless of the rules you give it. In other words, you can tell it “find liquids” but the scanners aren’t capable (since they are x-ray instead of ultrasound), so you have little choice but to take extra precautions and re-tune until you get something that can process the new rules and speed up again.
As an aside, “security sauce” and “meatspace”, found in Roesch’s blog, keep making me think of spaghetti. I wonder if he’s a Pastafarian, or maybe I am just hungry. Here’s my suggestion for an official Security Sauce site poem:
On top of spaghetti,
All covered with cheese,
I lost my poor meatball,
When somebody sneezed.

It rolled off the table,
And on to the floor,
And then my poor meatball,
Rolled out of the door.

It rolled in the garden,
And under a bush,
And then my poor meatball,
Was nothing but mush.

The mush was as tasty
As tasty could be,
And then the next summer,
It grew into a tree.

The tree was all covered,
All covered with moss,
And on it grew meatballs,
And tomato sauce.

So if you eat spaghetti,
All covered with cheese,
Hold on to your meatball,
Whenever you sneeze.
Security Sauce: Hold on to your meatspace.
Maybe if I have time I’ll try to do a full parody.
There must be a sub-set smaller than ‘liquids’ that includes everything from which you can improvise an explosive. Don’t airports already use gas chromatography to look for this stuff?
Yes, they do, but only randomly and manually. Based on my brief experience working in radiology I suppose ultrasound scanners could be used to pick up more of the liquid data, in an automated fashion like x-rays implemented today.