Heathrow Terminal 4 security policies

Doing business in the UK, coming from another country, usually requires air travel to/from London Heathrow (LHR) or London City (LCY) airport. LHR is the big London airport dealing with most international flights. LCY is a small airport near Canary Wharf (banking area) which is used mostly by business/banking travelers.

Naturally, on all airports you will have luggage checks (X-ray) and metal detector or nude-scanner body checks when you fly back. For some reason the security policies differ from airport to airport even between LHR and LCY (both in London). The person and hand luggage security area of LHR Terminal 4 consists of a luggage belt with an X-Ray machine and a metal scanner. When the metal scanners gives an alarm you are body searched/padded down by a security officer. This is pretty similar on all airports.

You have to take your laptop and fluids and sometimes other equipment like an e-reader but there is no fixed policy what electronic equipment needs to scanned separately. Also this is pretty common for most airports. So, your hand luggage is scanned by the X-Ray machine but after the X-Ray machine is where story starts.

I always carry around large bag with one or more laptops, cables, external hard disks, tablet, network equipment, headset, bluetooth devices and so on. Usually over 100 items. I have packed these items in handsome smaller bags more or less sorted per function. When I go through airport security I am used that the security officer takes my bag or smaller bags for a re-scan. At this particular time my bag was the 8th bag on the re-check belt so I had to wait a considerable time before my luggage was re-checked.

The recheck usually consists of unpacking all your luggage (so take care what items you pack in your hand luggage, it can be very embarrassing!) and some or more items are placed in a bin and are rechecked by the X-Ray machine. Other items are touched with a cloth which is used for chemical analyses were they can detect if your luggage has been in contact with explosives, that you have smoked marihuana or that you have voted Labour at the last elections.

This picture is an overview of the LHR T4 security area:

Being very early for my flight I waited patiently and started to talk with a supervising security officer where he told me that it was the policy to have at least 3 bags waiting on the re-check belt.

This information astonished me for several reasons:
  • This means that you always have at least 3 persons waiting for the recheck
  • There is a some randomness if you luggage will be rechecked. The more bags you carry, the higher the chance
  • This policy is not about efficient use of security staff, e.g. only place a bag on the recheck belt with suspicious items or when an security officer is free, so it must be only to annoy the travelers
  • The UK security staff is not in a hurry. They take their time for every step of the process and it is your problem if your miss your plane (it took me 23 and 36 minutes to go through security the last two times)
  • Security staff are usually not higher educated persons but they have full control over you during security scanning. This is where fascist behavior is popping up:
    •  You have to watch the security officer unpacking your bag to "prevent claims of theft of breaking stuff" (Security Officers Manager). However, the luggage that is going to be rechecked is out of sight anyway during carrying to X-Ray machine. The ideal spot to steal or break things. If you do not watch the Security Officers stops and calls his manager.
    • If you complain about the long waiting time, the security takes out every item at a very slow speed. In my case, over 100, took more than 10 minutes.
    • If you want to communicate with security officer, to point him at a forgotten item, he responds with:"I was not talking to you".

Avoid traveling through Heathrow T4. It will take you at least 15 minutes which is providing no additional security. Funny example: the four potential lethal items I carried were not part of the rescan. The security officer checked them (in his hands) but put them aside. The "3 bags" policy is only there to annoy the travelers and to put on a lot of stress. Another detail: one female security officer was crying full during while doing her work. I assume that she could not stand the frustrated travelers' remarks.Only after 10 minutes was taken apart with her manager who start a discussion with her in full sight of the passengers, the bastard.

Airport security policies are good but here they have no added value (security) and provides no good experience by travelers (and security staff). Imagine that your husband, wife or friend is working for LHR security and is coming home after a working day like this. I hope you have a dog...


Solid State Drives and Full Disk Encryption: it is getting worse

As you can read from a previous post, SSDs and SW FDE are not particularly a good combination and it is getting worse. Read on...

The "package" (form factor) of traditional laptop hard disks and Solid State Drives is the same. This means you can swap your old, slow hard disk with an ultra-fast SSD. The drivers do not change (both have a SATA interface) and you do not even have to leave 10-20% space for defragmenting. Defragmentation is not necessary on an SSD.

Self Encrypting Drives: Hard Disk and Solid State Drive

Although both drives work the same, they have a completely different internal structure. Since each flash memory location on an SSD can only be written a finite amount of time, the drive manufactures put more memory chips on the drive than that you "see" as user. E.g. a 256GB SSD has actually 1TB on chips. The reason for this is to distribute the writes over all of the chips that the drive can have a normal lifetime of 3 years without losing capacity.

When you write data to disk the driver (Operating System) uses a write method that comes from the traditional hard disk. That same write scheme is "translated" to the SSD storage by the controller on the SSD. The controller selects the right chips to store the data. And this is where new problems arise.

The problem

The OS sees a 256GB drive. The controller on the SSD sees 1TB of storage capacity. The OS does not control which chips are used to store the data. This means that if you are using software based full disk encryption (SW FDE), like Bitlocker or McAfee Endpoint Encryption, and the drive (256GB) is fully encrypted, that there is still unencrypted data in the chips on the drive! That data can be (partially) recovered. This means that you cannot proof that all data on the disk is encrypted when you have deployed SW FDE. So, when a laptop is stolen or lost and you have to report that to the authorities (like the Information Commissioner’s Office) you are responsible for the lost data and you could be fined.You might take a look at ICO's website and look at the fines.

The same problem exists when you think that you can wipe a drive (e.g. you are selling old laptops with SSDs). When using one of the wipe protocols, there is still data in the chips that can be recovered.

There is a special lab at the University of San Diego where they investigate this. In the next graph you can see how much data was recovered from the chips after wiping the drives (even with governmental approved wipe schemes):

The solution: Self Encrypting Drives


There is a solution that solves this problem. Also here Self Encrypting Drives (SED) that are Opal compliant can prevent all of this. The data on SSD SEDs is always encrypted by the controller on the disk. There is never unencrypted data on an SSD and no one is able to remove that encryption: full compliance! When your laptop is stolen or lost, you still might to have to report that to the authorities but since you are able to proof that the drive was encrypted you will not be fined nor do you have to contact all the persons of which data was stored on that laptop.

SEDs are produced by Seagate, Micron, Samsung and other drive manufacturers. The SED (aka Opal) standard is defined by the Trusted Computing Group. SED management is done with Wave EMBASSY Remote Administration Server (ERAS).

Real Time Web Analytics