Pants on Fire

By now, I’m sure everyone has seen the news stories about the attempted bombing of a Northwest Airlines flight from Amsterdam to Detroit.  The alleged terrorist, Umar Farouk Abdulmutallab, a Nigerian, was apparently listed in a database of terrorism suspects, but not on any list used to screen air passengers, despite warnings from his own father to the US Embassy in Nigeria.

Bruce Schneier has been saying for years that there were only two important security lessons to be learned from the September 11, 2001 hijackings:

• That cockpit doors needed to be reinforced and kept locked while the aircraft was in flight.
• That if a hijacking was attempted, the passengers needed to fight back.

At least in this case, the second lesson seems to have been learned.  When the suspect attempted to set off his device, a number of passengers overpowered him, allowing the resulting fire to be put out.

News reports have indicated that the device used contained the explosive PETN (pentaerythritol tetranitrate), which it appears is the same substance used by the unsuccessful “shoe bomber”, Richard Reid,  in December, 2001.  It is a fairly unstable compound, compared to TNT, and an ingredient of Semtex plastic explosive.  Standard references give its explosive power per gram as about 1.6 times that of TNT.  One news report, on ABC network news, said that the quantity of PETN in the device was about 80 grams.  Of course, the report may have it wrong, but that is slightly less than 3 ounces.  I am not at all knowledgable about explosives, but it seems unlikely that that would be enough to destroy a commercial airliner (absent the opportunity to put it in a particularly sensitive place).   I would think, for example, that a hand grenade probably contains at least as much explosive.

As we have learned to expect, a flurry of new security measures was put into place after this incident.  Apparently passengers must now remain  in their seats without anything on their laps during the last hour of flight, and more thorough pre-flight searches will be carried out.  There will be some additional restrictions on carry-on luggage.  Why potential terrorists will be unable to detonate their bombs 61 minutes before landing has not been explained.  Once again, like the generals who are always re-fighting the last war, we have a response directed at the most recent tactic the Bad Guys have tried to use.

I think Bruce Schneier has the best observation on this:

I wish that, just once, some terrorist would try something that you can only foil by upgrading the passengers to first class and giving them free drinks.

We really do need to try to keep a sense of perspective on this: your risk of dying in a car accident is  enormously larger than your risk of being a victim of a terrorist attack.

Update Monday, December 28, 21:25

Joel Esler over at the SANS Internet StormCenter has an interesting diary entry relating this incident to IT security.  He focuses on three main points:

• Doing more of what didn’t work in the first place
• Playing the blame game
• Nonsensical allowances (e.g., you can carry on matches, but not a lighter)

It’s a quick read, and worth a look, especailly if you’re involved with IT security.