Interesting People mailing list archives
more on who cares re web
From: David Farber <dave () farber net>
Date: Mon, 30 Oct 2006 13:32:52 -0500
Begin forwarded message:

From: Brad Templeton <btm () templetons com>
Date: October 30, 2006 1:09:39 PM EST
To: David Farber <dave () farber net>
Cc: ip () v2 listbox com
Subject: Re: [IP] who cares re web

On Sun, Oct 29, 2006 at 06:38:35PM -0500, David Farber wrote:

"I am no expert here so I don't want to be commenting on this publicly, but what is the big deal here? The major security problem relates to keeping baddies and their weapons off the planes. The authorities have decided to AUGMENT that crucial protection by limiting the folks who can get access to the boarding areas of the airport to those who are actually flying (unless of course you are an adult meeting a minor child, or an employee of a restaurant or store in there, etc). So, everybody goes through the screening to make sure they are not carrying stuff into the boarding areas that could cause a problem when/if those materials get onto planes, and the showing here is not that THAT screening is ineffective, but only that there is a way around the means of limiting WHO can come into the boarding areas. But that is the lesser of the problems, no?"
No, the flaw in question is a flaw in the entire "no-fly-list" concept, because it allows you to get on a plane almost no matter what your name is.

You can cross the TSA checkpoint with a boarding pass that matches your authentic ID. The name on your authentic ID is checked only to see if it matches the boarding pass, which is just a piece of paper you printed which says anything. Then you board the aircraft with the real boarding pass issued by the airline, which is in the name of somebody else -- somebody not on the no-fly list.

This also bypasses the "selectee" system since you can do all the behaviours that make you a selectee, and then use a fake boarding pass through security without the SSSS on it.

Finally, this bypasses the airline's "don't transfer your ticket" restriction that they use to make money. You can buy a ticket, and then if you wanted to give it to somebody with a different name, they just print up a boarding pass with their name for the TSA, and use your boarding pass to fly. Since this apparently is a violation of the law, it may be a risky thing to save some bucks. (You also earn the flyer miles which some people care about.)

Frankly, if I were a "David Nelson" or one of the other innocents stuck on the no-fly-list, I would have considered using this approach.

Many people, myself included, saw this hole immediately. Some talked about it. I figured after a while they would take away the convenience of print at home boarding passes, but the truth is that boarding passes issued at the airport are not particularly hard to forge with modern colour printers. They are just slightly thicker pieces of paper.

Some airports do have a counter-measure against this attack. The TSA ID-checker will place a stamp or small initial on the pass after checking it. The gate agents in theory are checking for this stamp. However, unless the stamp changes regularly it also should be easy to forge. Just have an accomplice go through security and immediately exit, then scan the token.

To bypass this attack they would need either unforgeable boarding passes, an unforgeable stamp or printout at the TSA station, or return to ID checks at the gate. ID checks at the gate slow boarding but are simplest. This is done at some airports.

While, as noted, this problem is NOT inherent to print-at-home boarding passes in any way, another solution would be for the TSA agents to get a scanner which can scan all valid forms of boarding pass, including airline issued and print-at-home. They would then read the barcode to see the name on the boarding pass, not the printed name which is insecure. The barcode would of course have to be secure, I have no idea if it is.

And one last note. There is a reason to keep non-pax out of the gate area, sadly. There are lines for security, and the more people that go through security, the slower it goes. It's nice to meet people at the gate, but I don't want to miss my flight because I was in line behind 20 people going to meet people at the gate. In the old days security was faster and we had the spare capacity for this.
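The scanner check proposed near the end of the message, sketched as an added example that is not part of the original post and describes no real airline or TSA system. It assumes a hypothetical barcode layout (name|flight|date|MAC) and a hypothetical key shared by the issuing airline and the checkpoint; the names and flight below are constructed.

```python
import hashlib
import hmac

# Hypothetical shared key (assumption); a real deployment would more likely use signatures.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

def _tag(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def _norm(name: str) -> str:
    # Compare names case-insensitively and ignore repeated whitespace.
    return " ".join(name.upper().split())

def issue_barcode(name: str, flight: str, date: str, key: bytes = DEMO_KEY) -> str:
    """Airline side: encode the fields and append a MAC computed over them."""
    fields = [name, flight, date]
    if any("|" in f for f in fields):
        raise ValueError("field contains the separator")
    payload = "|".join(fields)
    return payload + "|" + _tag(payload, key)

def check_at_checkpoint(barcode: str, id_name: str, today: str,
                        key: bytes = DEMO_KEY) -> tuple[bool, str]:
    """Checkpoint side: trust only the authenticated barcode, never the printed text."""
    payload, sep, tag = barcode.rpartition("|")
    if not sep or not hmac.compare_digest(tag.encode(), _tag(payload, key).encode()):
        return False, "barcode altered or not issued by the airline"
    parts = payload.split("|")
    if len(parts) != 3:
        return False, "malformed barcode"
    name, _flight, date = parts
    if date != today:
        return False, "pass is for a different date"
    if _norm(name) != _norm(id_name):
        return False, "name on ID differs from name in barcode"
    return True, "ok"

if __name__ == "__main__":
    genuine = issue_barcode("Jane Example", "XX123", "2006-10-30")  # constructed sample
    edited = genuine.replace("Jane Example", "John Sample")         # name changed, MAC stale
    for label, code, id_name in [("genuine pass, matching ID", genuine, "Jane Example"),
                                 ("edited pass", edited, "John Sample"),
                                 ("genuine pass, other ID", genuine, "John Sample")]:
        print(label, "->", check_at_checkpoint(code, id_name, "2006-10-30"))
```

This covers only the checkpoint comparison; whether the person later presents the same pass at the gate is what the stamp and gate ID checks in the message address.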