TSA Bad At Security; Leaves Security Status Data On Boarding Passes Unencrypted

from the these-people-are-supposed-to-make-us-feel-safe dept

You would think, given that "Security" is literally the organization's middle name, that the Transportation Security Administration (TSA) would actually have some sort of clue about the basics of security. Apparently not. This week, someone noticed a ridiculous security flaw in the TSA's pre-screening process for "expedited" lines. This is the program where frequent travelers can pay extra to get into special, faster security lines, and where they can skip some of the worst aspects of airport screening: they don't have to take their laptop out, or take off their shoes or belt, and they can bring more liquid than mere peons.

Of course, security experts long ago pointed out that any such system now becomes a target for terrorists, who can focus on getting into that special line and use that lesser security to cause trouble. One response to this is that even passengers who qualify for such a program are still subject to "random" conventional screenings. However, aviation blogger John Butler realized that the bar code printed on your boarding pass reveals whether or not you'll be "selected" for further scrutiny, and that it's not difficult to check ahead of time to see if you'll have to go through stricter security because the TSA has apparently never heard of encryption.

As Chris Soghoian pointed out, knowing this info ahead of time could allow plotters to plan accordingly:

“If you have a team of four people [planning an attack], the day before the operation when you print the boarding passes, whichever guy is going to have the least screening is going to be the one who’ll take potentially problematic items through security,” said Soghoian, now a senior policy analyst at the American Civil Liberties Union. “If you know who’s getting screened before you walk into the airport, you can make sure the right guy is carrying the right bags.

“The entire security system depends on the randomness,” he said. “If people can do these dry runs, the system is vulnerable.”

I guess, when you've always been in the business of "security theater" rather than actual security, it shouldn't come as a surprise that you don't know the first thing about basic security.
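
One way to keep the selection unpredictable to the traveler, as an added example (not from the original post, and not TSA's or any airline's actual system): print no outcome on the pass at all and derive it at the checkpoint from a secret the passenger never sees. The key handling, the identifiers and the 10% rate are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret held only by the checkpoint back end and rotated daily.
DAILY_KEY = secrets.token_bytes(32)

# Assumption: fraction of expedited passengers sent to conventional screening.
SELECTION_RATE = 0.10


def needs_full_screening(key: bytes, pass_id: str, travel_date: str,
                         rate: float = SELECTION_RATE) -> bool:
    """Decide at scan time. The boarding pass carries only pass_id.

    The outcome is a keyed pseudorandom function of (date, pass id):
    - without the key it cannot be computed from anything printed on the pass,
    - it is stable for one pass, so re-printing or re-queueing does not re-roll it,
    - a new daily key makes a dry run on an earlier day uninformative.
    """
    # travel_date is fixed-width (YYYY-MM-DD) and comes first, so the
    # concatenation with pass_id is unambiguous.
    msg = f"{travel_date}|{pass_id}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Compare as integers to avoid floating-point rounding at the edges.
    draw = int.from_bytes(digest[:8], "big")   # uniform in [0, 2**64)
    threshold = int(rate * 2**64)
    return draw < threshold


def observed_rate(key: bytes, n: int, travel_date: str = "2012-10-25") -> float:
    """Fraction of n constructed pass ids that get selected under this key."""
    hits = sum(needs_full_screening(key, f"PASS{i:06d}", travel_date)
               for i in range(n))
    return hits / n


if __name__ == "__main__":
    # Constructed sample id; the same scan always gives the same answer.
    print(needs_full_screening(DAILY_KEY, "PASS000042", "2012-10-25"))
    print(round(observed_rate(DAILY_KEY, 10_000), 3))
```
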


Reader Comments

  1.  
    OMG fucking enough already, Oct 25th, 2012 @ 1:31pm

    If you have a team of four people [planning an attack]

    Boo!!! Terrirists. Bend over.

     

  2.  
    Josh in CharlotteNC (profile), Oct 25th, 2012 @ 1:36pm

    Crypto

    Guess the TSA really believes that encryption is only for criminals and terrorists hiding things.

     

  3.  
    Anonymous Coward, Oct 25th, 2012 @ 1:39pm

    Wow.

    They put it right there on the boarding pass bar code, unencrypted? I guess they figured people can't read bar codes and would never be able to figure out their foolproof code of "0 = let through, 1 = screen"?

    But seriously, why bother putting it on the boarding pass in the first place, even encrypted? It seems like it would be just as easy to decide who gets screened at the point of screening rather than the point of sale. All you need is a random number generator.

     

  4.  
    Anonymous Coward, Oct 25th, 2012 @ 1:44pm

    Their Budget Depends On Failure

    After all, if somebody gets through, they can always claim they need more money, more people, more whatever to do the same zero-quality job.

     

  5.  
    Anonymous Coward, Oct 25th, 2012 @ 1:50pm

    And if they did encrypt it

    The key would be "1...2...3...4...5"

     

  6.  
    Dark Helmet (profile), Oct 25th, 2012 @ 1:53pm

    Re: And if they did encrypt it

    You've got to be kidding me. That's the kind of combination an idiot puts on his luggage!

     

  7.  
    idiot, Oct 25th, 2012 @ 1:59pm

    Re: Re: And if they did encrypt it

    Note to self:
    Change luggage password.

     

  8.  
    Jim, Oct 25th, 2012 @ 2:14pm

    Re: And if they did encrypt it

    Actually yes. There is a special scanner my prosthetic has been examined with twice at MCO. The password: 12345678. And the second time through (with over a year between trips), I thought the TSA agent was going to send me to Gitmo for pointing out their weak password was unchanged.

     

  9.  
    Michael, Oct 25th, 2012 @ 2:21pm

    Gov SOP Name means exact opposite of reality

    Once again agreeing with an observation I made long ago:

    The names governments give things mean the exact opposite of their reality.

     

  10.  
    Michael, Oct 25th, 2012 @ 2:36pm

    Re: Re: And if they did encrypt it

    That really is pathetic security. There are even methods that could produce a changing, but predictable, password based on some simple math (it's at least better than a static password; but really they may as well just build in a timed wait and rely on physical security for this context).

     

  11.  
    Anonymous Coward, Oct 25th, 2012 @ 2:37pm

    Re: Re: Re: And if they did encrypt it

    You guys did that bit backwards. Rewind and try again.

     

  12.  
    FormerAC (profile), Oct 25th, 2012 @ 2:53pm

    Re: Gov SOP Name means exact opposite of reality

    Like the Ministry of Peace or Ministry of Truth?

     

  13.  
    Anonymous Coward, Oct 25th, 2012 @ 2:54pm

    Re: And if they did encrypt it

    No, it's "password"

     

  14.  
    egghead (profile), Oct 25th, 2012 @ 3:05pm

    Re: Re: Re: Re: And if they did encrypt it

    Dark Helmet: What the hell am I looking at?! When does this happen in the movie?!
    Colonel Sandurz: "Now". You're looking at "now", sir. Everything that happens now is happening "now".
    DH: What happened to "then"?
    CS: We passed "then".
    DH: When!?
    CS: Just now. We're at "now," now.
    DH: Go back to "then"!
    CS: When?
    DH: Now!
    CS: "Now?"
    DH: Now!
    CS: I can't.
    DH: Why!?
    CS: We missed it.
    DH: When!?
    CS: Just now.
    DH: ... When will "then" be "now"?
    CS: Soon.

     

  15.  
    Anonymous Coward, Oct 25th, 2012 @ 3:22pm

    Re: Re: Gov SOP Name means exact opposite of reality

    Those are (I think) UK terms; but applying my above rule, I think I get a good general idea of what they do. Would James Bond work for a division of MoP?

     

  16.  
    The Real Michael, Oct 25th, 2012 @ 3:27pm

    "This week, someone noticed a ridiculous security flaw in the TSA's pre-screening process for 'expedited' lines. This is the program where frequent travelers can pay extra to get them in special faster security lines, and where they can skip some of the worst aspects of airport screening: they don't have to take their laptop out, or take off their shoes or belt, and they can bring more liquid than mere peons."

    Giving preferential treatment to frequent fliers who pay extra is essentially another form of class warfare. If you can 'bribe' the TSA into faster processing, that immediately exposes them for the greed-driven theater they really are. It's saying, "Hey, pay us extra for additional convenience."

     

  17.  
    Dark Lonestar, Oct 25th, 2012 @ 3:34pm

    The entire security system depends on the randomness

    Fuck! Even in the future nothing works!

     

  18.  
    Beech, Oct 25th, 2012 @ 3:44pm

    Watchlists

    I am sure that the fellow who noticed this, as well as everyone who has read about it, is now comfortably placed on a terrorist watchlist. Phew. Terrorists almost won there for a second.

     

  19.  
    Mr. Applegate, Oct 25th, 2012 @ 3:51pm

    Re:

    Random? Do you honestly think there is anything remotely random about the current TSA system? Do you think they want a random system?

    Then they might have to securely screen someone 'important'. And heaven forbid they have to do the extra screening on the ugly fat bitch.

    I once was travelling and we had to transfer planes twice. I was not screened (beyond normal) at all. However, one of the people on the flight got selected for pat down before the first flight, and both times we transferred planes. When I got to my destination he had to transfer to another plane and had to pass through security again, and for a third time in less than 7 hours he was patted down. There is NO way there was anything random about it.

     

  20.  
    Jay (profile), Oct 25th, 2012 @ 4:43pm

    That proves it...

    So Holder allows sharing of information in law enforcement, the NSA compiles the data and the TSA figures out where you are going and who is in your circle of influence. Not only do these people want to know all sorts of information about you, they want to suppress those that would change the system.

    The media doesn't tell the story and we're left with a government that ignores the 4th Amendment.

    Meanwhile, if you have enough money, you can bypass security, but even then, we are moving closer to a police state. Now I know what the Robber Baron Era feels like...

     

  21.  
    jimb (profile), Oct 25th, 2012 @ 5:03pm

    Security theater is just like the movies - there's no reason why these gaping holes in logic should interfere with the illusion created by the movie. Just because this is 'reality' is no reason to be smart about anything.

     

  22.  
    Jay (profile), Oct 25th, 2012 @ 6:29pm

    Re:

    That's just it... This is about gathering information on everyone in the guise of security.

    I just recently heard about Canada having an issue in regards to sharing information through the airport stops. This started with America and has not stopped. The info is given to law enforcement to collect a profile of everyone.

    The naked scanners are used to see how you look. They can then link up all of the information about you through Stellar wind and the NSA. Meanwhile, we know nothing of their plans save to lock up everyone with the Espionage Act and the NDAA who speak out of turn.

    It's stunning to see so many dots that connect in such a manner...

     

  23.  
    Anonymous Coward, Oct 25th, 2012 @ 11:40pm

    The terrorists!!!

     

  24.  
    Anonymous Coward, Oct 26th, 2012 @ 4:26am

    Re: Re: Re: Re: Re: And if they did encrypt it

    **Reminded to actually watch spaceballs on netflix instead of ignoring it and choosing something different.**

     

  25.  
    Niall (profile), Oct 26th, 2012 @ 5:11am

    Re: Re: Re: Gov SOP Name means exact opposite of reality

    He's making a reference to Orwell's "1984", but yes, those are British-style names. Just change Ministry to Department and they'll fit right into your alphabet soup.

     

  26.  
    Not an Electronic Rodent (profile), Oct 26th, 2012 @ 12:02pm

    Re: Gov SOP Name means exact opposite of reality

    The names governments give things mean the exact opposite of their reality.
    Of course:
    "Always get rid of the difficult bit in the title it does less harm there than in the text" - Sir Humphrey Appleby (Yes Minister - finest political documentary..uh, comedy.. ever)

     
