TSA Bad At Security; Leaves Security Status Data On Boarding Passes Unencrypted
from the these-people-are-supposed-to-make-us-feel-safe dept
You would think, given that "Security" is literally the organization's middle name, that the Transportation Security Administration (TSA) would actually have some sort of clue about the basics of security. Apparently not. This week, someone noticed a ridiculous security flaw in the TSA's pre-screening process for "expedited" lines. This is the program where frequent travelers can pay extra to get into special, faster security lines, and where they can skip some of the worst aspects of airport screening: they don't have to take their laptop out, or take off their shoes or belt, and they can bring more liquid than mere peons.
Of course, security experts long ago pointed out that any such system now becomes a target for terrorists, who can focus on getting into that special line and use that lesser security to cause trouble. One response to this is that even passengers who qualify for such a program are still subject to "random" conventional screenings. However, aviation blogger John Butler realized that the bar code printed on your boarding pass reveals whether or not you'll be "selected" for further scrutiny, and that it's not difficult to check ahead of time to see if you'll have to go through stricter security because the TSA has apparently never heard of encryption.
As Chris Soghoian pointed out, knowing this info ahead of time could allow plotters to plan accordingly:
“If you have a team of four people [planning an attack], the day before the operation when you print the boarding passes, whichever guy is going to have the least screening is going to be the one who’ll take potentially problematic items through security,” said Soghoian, now a senior policy analyst at the American Civil Liberties Union. “If you know who’s getting screened before you walk into the airport, you can make sure the right guy is carrying the right bags.”
“The entire security system depends on the randomness,” he said. “If people can do these dry runs, the system is vulnerable.”
I guess, when you've always been in the business of "security theater" rather than actual security, it shouldn't come as a surprise that you don't know the first thing about basic security.
Filed Under: airport security, boarding passes, encryption, expedited security, security, tsa
Reader Comments
If you have a team of four people [planning an attack]
[ link to this | view in thread ]
Crypto
[ link to this | view in thread ]
They put it right there on the boarding pass bar code, unencrypted? I guess they figured people can't read bar codes and would never be able to figure out their foolproof code of "0 = let through, 1 = screen"?
But seriously, why bother putting it on the boarding pass in the first place, even encrypted? It seems like it would be just as easy to decide who gets screened at the point of screening rather than the point of sale. All you need is a random number generator.
[ link to this | view in thread ]
Their Budget Depends On Failure
[ link to this | view in thread ]
And if they did encrypt it
[ link to this | view in thread ]
Re: And if they did encrypt it
[ link to this | view in thread ]
Re: Re: And if they did encrypt it
Change luggage password.
[ link to this | view in thread ]
Re: And if they did encrypt it
[ link to this | view in thread ]
Gov SOP Name means exact opposite of reality
The names governments give things mean the exact opposite of their reality.
[ link to this | view in thread ]
Re: Re: And if they did encrypt it
[ link to this | view in thread ]
Re: Re: Re: And if they did encrypt it
[ link to this | view in thread ]
Re: Gov SOP Name means exact opposite of reality
[ link to this | view in thread ]
Re: And if they did encrypt it
[ link to this | view in thread ]
Re: Re: Re: Re: And if they did encrypt it
Colonel Sandurz: "Now". You're looking at "now", sir. Everything that happens now is happening "now".
DH: What happened to "then"?
CS: We passed "then".
DH: When!?
CS: Just now. We're at "now," now.
DH: Go back to "then"!
CS: When?
DH: Now!
CS: "Now?"
DH: Now!
CS: I can't.
DH: Why!?
CS: We missed it.
DH: When!?
CS: Just now.
DH: ... When will "then" be "now"?
CS: Soon.
[ link to this | view in thread ]
Re: Re: Gov SOP Name means exact opposite of reality
[ link to this | view in thread ]
Giving preferential treatment to frequent fliers who pay extra is essentially another form of class warfare. If you can 'bribe' the TSA into faster processing, that immediately exposes them for the greed-driven theater they really are. It's saying, "Hey, pay us extra for additional convenience."
[ link to this | view in thread ]
Fuck! Even in the future nothing works!
[ link to this | view in thread ]
Watchlists
[ link to this | view in thread ]
Re:
Then they might have to securely screen someone 'important'. And heaven forbid they have to do the extra screening on the ugly fat bitch.
I once was travelling and we had to transfer planes twice. I was not screened (beyond normal) at all. However, one of the people on the flight got selected for pat down before the first flight, and both times we transferred planes. When I got to my destination he had to transfer to another plane and had to pass through security again, and for a third time in less than 7 hours he was patted down. There is NO way there was anything random about it.
[ link to this | view in thread ]
That proves it...
The media doesn't tell the story and we're left with a government that ignores the 4th Amendment.
Meanwhile, if you have enough money, you can bypass security, but even then, we are moving closer to a police state. Now I know what the Robber Baron Era feels like...
[ link to this | view in thread ]
Re:
I just recently heard about Canada having an issue in regards to sharing information through the airport stops. This started with America and has not stopped. The info is given to law enforcement to collect a profile of everyone.
The naked scanners are used to see how you look. They can then link up all of the information about you through Stellar wind and the NSA. Meanwhile, we know nothing of their plans save to lock up everyone with the Espionage Act and the NDAA who speak out of turn.
It's stunning to see so many dots that connect in such a manner...
[ link to this | view in thread ]
Re: Re: Re: Re: Re: And if they did encrypt it
[ link to this | view in thread ]
Re: Re: Re: Gov SOP Name means exact opposite of reality
[ link to this | view in thread ]
Re: Gov SOP Name means exact opposite of reality
"Always get rid of the difficult bit in the title – it does less harm there than in the text" - Sir Humphrey Appleby (Yes Minister - finest political documentary..uh, comedy.. ever)
[ link to this | view in thread ]