Interesting People mailing list archives
WORTH READING Boarding pass scanners now at TSA checkpoints
From: David Farber <dave () farber net>
Date: Sat, 19 Sep 2009 13:22:52 -0400
Begin forwarded message:

From: Stewart Baker <stewart.baker () gmail com>
Date: September 19, 2009 11:59:10 AM EDT
To: dave () farber net
Subject: Re: [IP] Boarding pass scanners now at TSA checkpoints

Dave,

My response to Matt, posted at www.skatingonstilts.com.

TSA has taken another couple of steps to improve air security. For starters, airline ID checkers are actually checking IDs -- with black lights and magnifying glasses. And now they're getting ready to scan boarding passes in order to make it harder to use a fake boarding pass.

You'd think the agency would get a bit of praise for trying to improve security without slowing travelers. Instead, among privacy advocates, there is only one possible response to TSA security measures: condescension. They have to sneer, even if they make themselves look a lot dumber than the agency in the process.

To take one example, Matt Blaze, a well-known privacy advocate and security buff, is criticizing TSA's new boarding-pass scanners as "ineffective" and "ill-conceived" with "little actual gain in security". Matt's a pretty smart guy, but his criticism is inexplicable. TSA has fixed a real security hole and deserves credit for the new security. Instead, in an effort to sneer at TSA, Matt has invented a fake security hole and then criticized the agency for not fixing the fake hole too.

Let's remember the security concern that got this started. A student named Chris Soghoian demonstrated that a terrorist could avoid the no-fly list with a five-step process: (1) he buys his tickets in a fake name (2) he gets a boarding pass in that name and stuffs it in his pocket (3) he then pulls out a fake boarding pass in his real name that he prepared on a home printer (4) he shows his real ID plus the fake boarding pass at the TSA checkpoint, and (5) he uses the real boarding pass with the fake name to board the plane.
Or, as put more succinctly by the Washington Post, "the loophole is that boarding passes are compared to a person's ID only at initial security checkpoints, not at the gates where passengers board planes. Also, the passes are scanned and verified only at departure gates, not security checkpoints."

(Long double-pointed aside: to be fair, the hole had been pointed out before, by Bruce Schneier. Soghoian's contribution was irresponsible but attention-getting. He created a website where anyone, including terrorists who needed a little technical help, could generate fake boarding passes. Soghoian was investigated for criminal violations by the FBI and for civil violations by TSA. Rep. Edward J. Markey (D-Mass.) first called for Soghoian's arrest but later called the stunt a public service. "He picked a lousy way of doing it, but he should not go to jail for his bad judgment," Markey said. In the end, no charges were pressed.)

Okay, back to the thread: If the security hole is that "the passes are scanned and verified only at departure gates, not security checkpoints," doesn't TSA's new approach actually close that hole -- by, you know, scanning and verifying the passes at the security checkpoint? Seems like this really will keep people from using a fake boarding pass to get past security.

So how can Matt Blaze call TSA's new measure "ineffective" and "ill-conceived" with "little actual gain in security"? Only by changing the subject. Blaze recasts the security problem from avoiding the no-fly list to "anonymous flying." Blaze says "it's still as easy for a bad guy to get on a plane without the government knowing his or her true name." But he means that in a very special way apparently comprehensible only to privacy advocates. When he says that the government won't know the bad guy's true name, he means that the government actually will know the bad guy's true name, but that it might not know which plane the bad guy got on.
Here's how Blaze says you can avoid the new security measure. First buy two real tickets, one in a fake name and one in your real name. You then use your real-name boarding pass and ID to get past the security check, at which point you can board the other flight using your fake-name boarding pass.

Well, that might be a devastating hole -- if TSA's job were to prevent "anonymous flying." But it's not. TSA's new measure is meant to keep people on the no-fly list from, well, from flying. If the only way for bad guys to beat the system is to buy tickets in their own names, then they'll be caught by the no-fly list. The whole point of the Soghoian caper and the Schneier critique was that you never needed to give your real name to the airlines, so your real name wouldn't be checked against the no-fly list. Now you do, and now it will be.

Matt can only describe the new measures as "ineffective" by ignoring the security hole that Soghoian was trying to dramatize and that TSA is trying to fix.

Moral: Sneering at TSA may seem like shooting fish in a barrel, but first make sure your foot isn't under the barrel.

On 9/19/09, David Farber <dave () farber net> wrote:
Begin forwarded message:

From: Matt Blaze <mab () crypto com>
Date: September 18, 2009 11:20:45 PM EDT
To: David Farber <dave () farber net>
Subject: Boarding pass scanners now at TSA checkpoints

For IP if you'd like.

Yesterday at the Philadelphia airport, I noticed something new at the security checkpoint: the TSA ID checker had a boarding pass scanner along with the usual UV flashlight and magnifying glass. The scanner didn't seem to be in use yet, but others have told me that they have had their boarding passes scanned by the TSA at security checkpoints at various airports this week. The scanners verify that the boarding pass is valid (presumably with a database lookup into the airline reservation record) and display the passenger name as reflected in the record.

The devices are apparently a countermeasure against the "anonymous flyer" technique first described by Bruce Schneier in 2003 in which a traveler creates a fake boarding pass with her true name for use at the security checkpoint, but uses a real boarding pass with a fake name to actually board his or her flight. You may recall the furor a couple years ago when Chris Soghoian made available a do-it-yourself counterfeit boarding pass generator to demonstrate the exploit. But aside from hassling Mr. Soghoian, the TSA never actually fixed their procedures to prevent the attack, however "dangerous" anonymous flying might actually be.

So the new scanners are intended, years later, to close this loophole. But the problem is, they don't actually prevent anonymous flying. The exploit requires a slight adjustment, but the bottom line is that it's still as easy as ever for a bad guy to get on a plane without the government knowing his or her true name.
But now the TSA has a bunch of fancy new scanners at their checkpoints, paid for by you and me, with little actual gain in security.

It feels almost unsporting to criticize the TSA these days, an agency whose popularity seems to lie somewhere between that of the IRS and Al Qaeda. But this ineffective patch of a security vulnerability is symptomatic of larger problems with our approach to aviation security. Depending on strong ID checks of airline passengers is an ill-conceived response to an ill-defined threat in the first place, but what more can we expect given the pressure on officials to do *something*, where progress is measured only by perception.

Anyway, I blog a bit more about the new scanners and the obvious way to defeat them at http://www.crypto.com/blog/patching_the_TSA/

-matt

-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
-- Stewart Baker o: 202-429-6402 c: 202-641-8670