TSA Bad At Security; Leaves Security Status Data On Boarding Passes Unencrypted

from the these-people-are-supposed-to-make-us-feel-safe dept

You would think, given that "Security" is literally the organization's middle name, that the Transportation Security Administration (TSA) would actually have some sort of clue about the basics of security. Apparently not. This week, someone noticed a ridiculous security flaw in the TSA's pre-screening process for "expedited" lines. This is the program where frequent travelers can pay extra to get them in special faster security lines, and where they can skip some of the worst aspects of airport screening: they don't have to take their laptop out, or take off their shoes or belt, and they can bring more liquid than mere peons.

Of course, security experts long ago pointed out that any such system now becomes a target for terrorists, who can focus on getting into that special line and use that lesser security to cause trouble. One response to this is that, even for passengers who qualify for such a program, they're still subject to "random" conventional screenings. However, aviation blogger John Butler realized that the bar code printing on your boarding pass reveals whether or not you'll be "selected" for further scrutiny, and that it's not difficult to check ahead of time to see if you'll have to go through stricter security because the TSA has apparently never heard of encryption.

As Chris Soghoian pointed out, knowing this info ahead of time could allow plotters to plan accordingly:
“If you have a team of four people [planning an attack], the day before the operation when you print the boarding passes, whichever guy is going to have the least screening is going to be the one who’ll take potentially problematic items through security,” said Soghoian, now a senior policy analyst at the American Civil Liberties Union. “If you know who’s getting screened before you walk into the airport, you can make sure the right guy is carrying the right bags.

“The entire security system depends on the randomness,” he said. “If people can do these dry runs, the system is vulnerable."
I guess, when you've always been in the business of "security theater" rather than actual security, it shouldn't come as a surprise that you don't know the first thing about basic security.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: airport security, boarding passes, encryption, expedited security, security, tsa


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    OMG fucking enough already, 25 Oct 2012 @ 1:31pm

    If you have a team of four people [planning an attack]

    Boo!!! Terrirists. Bend over.

    link to this | view in chronology ]

  • icon
    Josh in CharlotteNC (profile), 25 Oct 2012 @ 1:36pm

    Crypto

    Guess the TSA really believes that encryption is only for criminals and terrorists hiding things.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Oct 2012 @ 1:39pm

    Wow.

    They put it right there on the boarding pass bar code, unencrypted? I guess they figured people can't read bar codes and would never be able to figure out their foolproof code of "0 = let through, 1 = screen"?

    But seriously, why bother putting it on the boarding pass in the first place, even encrypted? It seems like it would be just as easy to decide who gets screened at the point of screening rather than the point of sale. All you need is a random number generator.

    link to this | view in chronology ]

    • identicon
      Mr. Applegate, 25 Oct 2012 @ 3:51pm

      Re:

      Random? Do you honestly think there is anything remotely random about the current TSA system? Do you think they want a random system?

      Then they might have to securely screen someone 'important'. And heaven forbid they have to do the extra screening on the ugly fat bitch.

      I once was travelling and we had to transfer planes twice. I was not screened (beyond normal) at all. However, one of the people on the flight got selected for pat down before the first flight, and both time we transferred planes. When I got to my destination he had to transfer to another plane and had to pass through security again, and for a third time in less than 7 hours he was patted down. There is NO way there was anything random about it.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Oct 2012 @ 1:44pm

    Their Budget Depends On Failure

    After all, if somebody gets through, they can always claim they need more money, more people, more whatever to do the same zero-quality job.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Oct 2012 @ 1:50pm

    And if they did encrypt it

    The key would be "1...2...3...4...5"

    link to this | view in chronology ]

    • icon
      Dark Helmet (profile), 25 Oct 2012 @ 1:53pm

      Re: And if they did encrypt it

      You've got to be kidding me. That's the kind of combination an idiot puts on his luggage!

      link to this | view in chronology ]

      • identicon
        idiot, 25 Oct 2012 @ 1:59pm

        Re: Re: And if they did encrypt it

        Note to self:
        Change luggage password.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 25 Oct 2012 @ 2:37pm

          Re: Re: Re: And if they did encrypt it

          You guys did that bit backwards. Rewind and try again.

          link to this | view in chronology ]

          • icon
            egghead (profile), 25 Oct 2012 @ 3:05pm

            Re: Re: Re: Re: And if they did encrypt it

            Dark Helmet: What the hell am I looking at?! When does this happen in the movie?!
            Colonel Sandurz: "Now". You're looking at "now", sir. Everything that happens now is happening "now".
            DH: What happened to "then"?
            CS: We passed "then".
            DH: When!?
            CS: Just now. Were at "now," now.
            DH: Go back to "then"!
            CS: When?
            DH: Now!
            CS: "Now?"
            DH: Now!
            CS: I can't.
            DH: Why!?
            CS: We missed it.
            DH: When!?
            CS: Just now.
            DH: ... When will "then" be "now"?
            CS: Soon.

            link to this | view in chronology ]

            • identicon
              Anonymous Coward, 26 Oct 2012 @ 4:26am

              Re: Re: Re: Re: Re: And if they did encrypt it

              **Reminded to actually watch spaceballs on netflix instead of ignoring it and choosing something different.**

              link to this | view in chronology ]

    • identicon
      Jim, 25 Oct 2012 @ 2:14pm

      Re: And if they did encrypt it

      Actually yes. There is a special scanner my prosthetic has Been Examined with twice at MCO. The password 12345678. And the second time through (with over a year between trips), I thought the TSA agent was going to send me to Gitmo for pointing out their weak password was unchanged.

      link to this | view in chronology ]

      • identicon
        Michael, 25 Oct 2012 @ 2:36pm

        Re: Re: And if they did encrypt it

        That really is pathetic security. There are even methods that could produce a changing, but predicable, password based on some simple math (it's at least better than a static password; but really they may as well just build in a timed wait and rely oh physical security for this context).

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Oct 2012 @ 2:54pm

      Re: And if they did encrypt it

      No, it's "password"

      link to this | view in chronology ]

  • identicon
    Michael, 25 Oct 2012 @ 2:21pm

    Gov SOP Name means exact opposite of reality

    Once again agreeing an observation I made long ago:

    The names governments give things mean the exact opposite of their reality.

    link to this | view in chronology ]

    • icon
      FormerAC (profile), 25 Oct 2012 @ 2:53pm

      Re: Gov SOP Name means exact opposite of reality

      Like the Ministry of Peace or Ministry of Truth?

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 Oct 2012 @ 3:22pm

        Re: Re: Gov SOP Name means exact opposite of reality

        Those are (I think) UK terms; but applying my above rule, I think I get a good general idea of what they do. Would James Bond work for a division of MoP?

        link to this | view in chronology ]

        • icon
          Niall (profile), 26 Oct 2012 @ 5:11am

          Re: Re: Re: Gov SOP Name means exact opposite of reality

          He's making a reference to Orwell's "1984", but yes, those are British-style names. Just change Ministry to Department and they'll fit right into your alphabet soup.

          link to this | view in chronology ]

    • icon
      Not an Electronic Rodent (profile), 26 Oct 2012 @ 12:02pm

      Re: Gov SOP Name means exact opposite of reality

      The names governments give things mean the exact opposite of their reality.
      Of course:
      "Always get rid of the difficult bit in the title – it does less harm there than in the text" - Sir Humphrey Appleby (Yes Minister - finest political documentary..uh, comedy.. ever)

      link to this | view in chronology ]

  • identicon
    The Real Michael, 25 Oct 2012 @ 3:27pm

    "This week, someone noticed a ridiculous security flaw in the TSA's pre-screening process for 'expedited' lines. This is the program where frequent travelers can pay extra to get them in special faster security lines, and where they can skip some of the worst aspects of airport screening: they don't have to take their laptop out, or take off their shoes or belt, and they can bring more liquid than mere peons."

    Giving preferential treatment to frequent fliers who pay extra is essentially another form of class warfare. If you can 'bribe' the TSA into faster processing, that immediately exposes them for the greed-driven theater they really are. It's saying, "Hey, pay us extra for additional convenience."

    link to this | view in chronology ]

  • identicon
    Dark Lonestar, 25 Oct 2012 @ 3:34pm

    The entire security system depends on the randomness

    Fuck! Even in the future nothing works!

    link to this | view in chronology ]

  • identicon
    Beech, 25 Oct 2012 @ 3:44pm

    Watchlists

    I am sure that the fellow who noticed this, as well as everyone who has read about it is now comfortably placed on a terrorist watchlist. Phew. terrorists almost won there for a second.

    link to this | view in chronology ]

  • icon
    Jay (profile), 25 Oct 2012 @ 4:43pm

    That proves it...

    So Holder allows sharing of information in law enforcement, the NSA compiles the data and the TSA figures out where you are going and who is is in your circle of influence. Not only do these people want to know all sorts of information about you, they want to suppress those that would change the system.

    The media doesn't tell the story and we're left with a government that ignores the 4th Amendment.

    Meanwhile, if you have enough money, you can bypass security, but even then, we are moving closer to a police state. Now I know what the Robber Baron Era feels like...

    link to this | view in chronology ]

  • icon
    jimb (profile), 25 Oct 2012 @ 5:03pm

    Security theater is just like the movies - there's no reason why these gaping holes in logic should interfere with the illusion created by the movie. Just because this is 'reality' is no reason to be smart about anything.

    link to this | view in chronology ]

    • icon
      Jay (profile), 25 Oct 2012 @ 6:29pm

      Re:

      That's just it... This is about gathering information on everyone in the guise of security.

      I just recently heard about Canada having an issue in regards to sharing information through the airport stops. This started with America and has not stopped. The info is given to law enforcement to collect a profile of everyone.

      The naked scanners are used to see how you look. They can then link up aol of the information about you through Stellar wind and the NSA. Meanwhile, we know nothing of their plans save to lock up everyone with the Espionage Act and the NDAA who speak out of turn.

      It's stunning to see so many dots that connect in such a manner...

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Oct 2012 @ 11:40pm

    The terrorists!!!

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.