TSA Bad At Security; Leaves Security Status Data On Boarding Passes Unencrypted
from the these-people-are-supposed-to-make-us-feel-safe dept
You would think, given that “Security” is literally the organization’s middle name, that the Transportation Security Administration (TSA) would actually have some sort of clue about the basics of security. Apparently not. This week, someone noticed a ridiculous security flaw in the TSA’s pre-screening process for “expedited” lines. This is the program where frequent travelers can pay extra to get them in special faster security lines, and where they can skip some of the worst aspects of airport screening: they don’t have to take their laptop out, or take off their shoes or belt, and they can bring more liquid than mere peons.
Of course, security experts long ago pointed out that any such system now becomes a target for terrorists, who can focus on getting into that special line and use that lesser security to cause trouble. One response to this is that, even for passengers who qualify for such a program, they’re still subject to “random” conventional screenings. However, aviation blogger John Butler realized that the bar code printing on your boarding pass reveals whether or not you’ll be “selected” for further scrutiny, and that it’s not difficult to check ahead of time to see if you’ll have to go through stricter security because the TSA has apparently never heard of encryption.
As Chris Soghoian pointed out, knowing this info ahead of time could allow plotters to plan accordingly:
“If you have a team of four people [planning an attack], the day before the operation when you print the boarding passes, whichever guy is going to have the least screening is going to be the one who’ll take potentially problematic items through security,” said Soghoian, now a senior policy analyst at the American Civil Liberties Union. “If you know who’s getting screened before you walk into the airport, you can make sure the right guy is carrying the right bags.
“The entire security system depends on the randomness,” he said. “If people can do these dry runs, the system is vulnerable.”
I guess, when you’ve always been in the business of “security theater” rather than actual security, it shouldn’t come as a surprise that you don’t know the first thing about basic security.
Filed Under: airport security, boarding passes, encryption, expedited security, security, tsa
Comments on “TSA Bad At Security; Leaves Security Status Data On Boarding Passes Unencrypted”
If you have a team of four people [planning an attack]
Boo!!! Terrirists. Bend over.
Crypto
Guess the TSA really believes that encryption is only for criminals and terrorists hiding things.
Wow.
They put it right there on the boarding pass bar code, unencrypted? I guess they figured people can’t read bar codes and would never be able to figure out their foolproof code of “0 = let through, 1 = screen”?
But seriously, why bother putting it on the boarding pass in the first place, even encrypted? It seems like it would be just as easy to decide who gets screened at the point of screening rather than the point of sale. All you need is a random number generator.
Re: Re:
Random? Do you honestly think there is anything remotely random about the current TSA system? Do you think they want a random system?
Then they might have to securely screen someone ‘important’. And heaven forbid they have to do the extra screening on the ugly fat bitch.
I once was travelling and we had to transfer planes twice. I was not screened (beyond normal) at all. However, one of the people on the flight got selected for pat down before the first flight, and both time we transferred planes. When I got to my destination he had to transfer to another plane and had to pass through security again, and for a third time in less than 7 hours he was patted down. There is NO way there was anything random about it.
Their Budget Depends On Failure
After all, if somebody gets through, they can always claim they need more money, more people, more whatever to do the same zero-quality job.
And if they did encrypt it
The key would be “1…2…3…4…5”
Re: And if they did encrypt it
You’ve got to be kidding me. That’s the kind of combination an idiot puts on his luggage!
Re: Re: And if they did encrypt it
Note to self:
Change luggage password.
Re: Re: Re: And if they did encrypt it
You guys did that bit backwards. Rewind and try again.
Re: Re: Re:2 And if they did encrypt it
Dark Helmet: What the hell am I looking at?! When does this happen in the movie?!
Colonel Sandurz: “Now”. You’re looking at “now”, sir. Everything that happens now is happening “now”.
DH: What happened to “then”?
CS: We passed “then”.
DH: When!?
CS: Just now. Were at “now,” now.
DH: Go back to “then”!
CS: When?
DH: Now!
CS: “Now?”
DH: Now!
CS: I can’t.
DH: Why!?
CS: We missed it.
DH: When!?
CS: Just now.
DH: … When will “then” be “now”?
CS: Soon.
Re: Re: Re:3 And if they did encrypt it
**Reminded to actually watch spaceballs on netflix instead of ignoring it and choosing something different.**
Re: And if they did encrypt it
Actually yes. There is a special scanner my prosthetic has Been Examined with twice at MCO. The password 12345678. And the second time through (with over a year between trips), I thought the TSA agent was going to send me to Gitmo for pointing out their weak password was unchanged.
Re: Re: And if they did encrypt it
That really is pathetic security. There are even methods that could produce a changing, but predicable, password based on some simple math (it’s at least better than a static password; but really they may as well just build in a timed wait and rely oh physical security for this context).
Re: And if they did encrypt it
No, it’s “password”
Gov SOP Name means exact opposite of reality
Once again agreeing an observation I made long ago:
The names governments give things mean the exact opposite of their reality.
Re: Gov SOP Name means exact opposite of reality
Like the Ministry of Peace or Ministry of Truth?
Re: Re: Gov SOP Name means exact opposite of reality
Those are (I think) UK terms; but applying my above rule, I think I get a good general idea of what they do. Would James Bond work for a division of MoP?
Re: Re: Re: Gov SOP Name means exact opposite of reality
He’s making a reference to Orwell’s “1984”, but yes, those are British-style names. Just change Ministry to Department and they’ll fit right into your alphabet soup.
Re: Gov SOP Name means exact opposite of reality
Of course:
“Always get rid of the difficult bit in the title ? it does less harm there than in the text” – Sir Humphrey Appleby (Yes Minister – finest political documentary..uh, comedy.. ever)
“This week, someone noticed a ridiculous security flaw in the TSA’s pre-screening process for ‘expedited’ lines. This is the program where frequent travelers can pay extra to get them in special faster security lines, and where they can skip some of the worst aspects of airport screening: they don’t have to take their laptop out, or take off their shoes or belt, and they can bring more liquid than mere peons.”
Giving preferential treatment to frequent fliers who pay extra is essentially another form of class warfare. If you can ‘bribe’ the TSA into faster processing, that immediately exposes them for the greed-driven theater they really are. It’s saying, “Hey, pay us extra for additional convenience.”
The entire security system depends on the randomness
Fuck! Even in the future nothing works!
Watchlists
I am sure that the fellow who noticed this, as well as everyone who has read about it is now comfortably placed on a terrorist watchlist. Phew. terrorists almost won there for a second.
That proves it...
So Holder allows sharing of information in law enforcement, the NSA compiles the data and the TSA figures out where you are going and who is is in your circle of influence. Not only do these people want to know all sorts of information about you, they want to suppress those that would change the system.
The media doesn’t tell the story and we’re left with a government that ignores the 4th Amendment.
Meanwhile, if you have enough money, you can bypass security, but even then, we are moving closer to a police state. Now I know what the Robber Baron Era feels like…
Security theater is just like the movies – there’s no reason why these gaping holes in logic should interfere with the illusion created by the movie. Just because this is ‘reality’ is no reason to be smart about anything.
Re: Re:
That’s just it… This is about gathering information on everyone in the guise of security.
I just recently heard about Canada having an issue in regards to sharing information through the airport stops. This started with America and has not stopped. The info is given to law enforcement to collect a profile of everyone.
The naked scanners are used to see how you look. They can then link up aol of the information about you through Stellar wind and the NSA. Meanwhile, we know nothing of their plans save to lock up everyone with the Espionage Act and the NDAA who speak out of turn.
It’s stunning to see so many dots that connect in such a manner…
The terrorists!!!