Interesting People mailing list archives
WORTH READING Boarding pass scanners now at TSA checkpoints
From: Dave Farber <dave () farber net>
Date: Sun, 20 Sep 2009 17:53:49 -0400
Begin forwarded message:
From: Matt Blaze <mab () crypto com> Date: September 20, 2009 17:34:09 EDT To: dave () farber net Cc: ip <ip () v2 listbox com>Subject: Re: [IP] WORTH READING Boarding pass scanners now at TSA checkpoints
Dave, for IP if you wish: Stewart Baker, who served as director of policy at the Department of Homeland Security, the parent agency of the TSA, takes me to task for my recent posting about the new TSA boarding pass scanners being installed at security checkpoints. My observation was that the ID/boarding pass check is insufficient and in the wrong place; fixing the Schneier/Soghoian attack requires that a strong ID check be performed at the boarding gate, which the new system still doesn't do. Stewart says that the TSA security process doesn't care what flight someone is on as long as they are screened properly and compared against the "no fly" list. Maybe it doesn't; the precise security goals to be achieved by identifying travelers have never been clearly articulated, which is an underlying cause of this and other problems with our aviation security system. But the TSA has repeatedly asserted that passenger flight routing is very much a component of their name screening process. For example, the regulations governing the Secure Flight program published last October in the Federal Register [pdf] say that "... TSA may learn that flights on a particular route may be subject to increased security risk" and so might do different screening for passengers on those routes. I don't know whether that's true or not, but those are the TSA's words, not mine. Anyway, Stewart's confusion about the security properties of the protocol, and about my reasons for discussing them notwithstanding, the larger point is that aviation security is a complex (and interesting) problem in the discipline I've come to understand as "human-scale security protocols". I first wrote about human scale security as a computer science problem back in 2004 in my paper "Toward a Broader View Of Security Protocols" ( http://www.crypto.com/papers/humancambridge.pdf ). Such protocols share much in common with the cryptographic authentication and identification schemes used in computing: they're hard to design well and they can fail in subtle and surprising ways. Perhaps cryptographers and security protocol designers have something to contribute toward analyzing and designing better systems here. We can certainly learn something from studying them. -matt On Sep 19, 2009, at 13:22, David Farber wrote:Begin forwarded message: From: Stewart Baker <stewart.baker () gmail com> Date: September 19, 2009 11:59:10 AM EDT To: dave () farber net Subject: Re: [IP] Boarding pass scanners now at TSA checkpoints Dave, My response to Matt, posted at www.skatingonstilts.com. TSA has taken another couple of steps to improve air security. For starters, airline ID checkers are actually checking IDs -- with black lights and magnifying glasses. And now they're getting ready to scan boarding passes in order to make it harder to use a fake boarding pass.You'd think the agency would get a bit of praise for trying to improve security without slowing travelers. Instead, among privacy advocates,there is only one possible response to TSA security measures: condescension. They have to sneer, even if they make themselves look a lot dumber than the agency in the process. To take one example, Matt Blaze, a well-known privacy advocate and security buff, is criticizing TSA's new boarding-pass scanners as "ineffective" and "ill-conceived" with "little actual gain in security". Matt's a pretty smart guy, but his criticism is inexplicable. TSA has fixed a real security hole and deserves creditfor the new security. Instead, in an effort to sneer at TSA, Matt hasinvented a fake security hole and then criticized the agency for not fixing the fake hole too. Let's remember the security concern that got this started. A student named Chris Soghoian demonstrated that a terrorist could avoid the no-fly list with a five-step process: (1) he buys his tickets in a fake name (2) he gets a boarding pass in that name and stuffs it inhis pocket (3) he then pulls out a fake boarding pass in his real namethat he prepared on a home printer (4) he shows his real ID plus the fake boarding pass at the TSA checkpoint, and (5) he uses the real boarding pass with the fake name to board the plane. Or, as put more succinctly by the Washington Post,"the loophole is that boarding passes are compared to a person's ID only at initial security checkpoints, not at the gates where passengers board planes.Also, the passes are scanned and verified only at departure gates, notsecurity checkpoints."(Long double-pointed aside: to be fair, the hole had been pointed outbefore, by Bruce Schneier. Soghoian's contribution was irresponsible but attention-getting. He created a website where anyone, including terrorists who needed a little technical help, could generate fakeboarding passes. Soghoian was investigated for criminal violations bythe FBI and for civil violations by TSA. Rep. Edward J. Markey (D-Mass.) first called for Soghoian's arrest but later called the stunt a public service. "He picked a lousy way of doing it, but heshould not go to jail for his bad judgment," Markey said. In the end,no charges were pressed.) Okay, back to the thread: If the security hole is that "the passes are scanned and verified only at departure gates, not security checkpoints," doesn't TSA's new approach actually close that hole -- by, you know, scanning and verifying the passes at the securitycheckpoint? Seems like this really will keep people from using a fakeboarding pass to get past security. So how can Matt Blaze call TSA's new measure "ineffective" and "ill-conceived" with "little actual gain in security"? Only by changing the subject. Blaze recasts the security problem from avoiding the no-fly list to "anonymous flying." Blaze says "it's still as easy for a bad guy to get on a plane without the government knowing his or her true name."But he means that in a very special way apparently comprehensible only to privacy advocates. When he says that the government won't know thebad guy's true name, he means that the government actually will know the bad guy's true name, but that it might not know which plane the bad guy got on. Here's how Blaze says you can avoid the new security measure. First buy two real tickets, one in a fake name and one in your real name. You then use your real-name boarding pass and ID to get past the security check, at which point you can board the other flight using your fake-name boarding pass.Well, that might be a devastating hole -- if TSA's job were to prevent "anonymous flying." But it's not. TSA's new measure is meant to keeppeople on the no-fly list from, well, from flying. If the only way for bad guys to beat the system is to buy tickets in their own names, then they'll be caught by the no-fly list. The whole point of the Soghoian caper and the Schneier critique was that you never needed to give your real name to the airlines, so your real name wouldn't be checked against the no-fly list. Now you do, and now it will will be. Matt can only describe the new measures as "ineffective" by ignoring the security hole that Soghoian was trying to dramatize and that TSA is trying to fix. Moral: Sneering at TSA may seem like shooting fish in a barrel, but first make sure your foot isn't under the barrel. On 9/19/09, David Farber <dave () farber net> wrote:Begin forwarded message: From: Matt Blaze <mab () crypto com> Date: September 18, 2009 11:20:45 PM EDT To: David Farber <dave () farber net> Subject: Boarding pass scanners now at TSA checkpoints For IP if you'd like.Yesterday at the Philadelphia airport, I noticed something new at thesecurity checkpoint: the TSA ID checker had a boarding pass scanneralong with the usual UV flashlight and magnifying glass. The scannerdidn't seem to be in use yet, but others have told me that they have had their boarding passes scanned by the TSA at security checkpoints at various airports this week.The scanners verify that the boarding pass is valid (presumably with adatabase lookup into the airline reservation record) and display thepassenger name as reflected in the record. The devices are apparentlya countermeasure against the "anonymous flyer" technique firstdescribed by Bruce Schneier in 2003 in which a traveler creates a fake boarding pass with her true name for use at the security checkpoint, butuses a real boarding pass with a fake name to actually board his or her flight. You may recall the furor a couple years ago when Chris Soghoian made available a do-it-yourself counterfeit boarding pass generator to demonstrate the exploit. But aside from hassling Mr.Soghoian, the TSA never actually fixed their procedures to prevent theattack, however "dangerous" anonymous flying might actually be. So the new scanners are intended to, years later, to close this loophole. But the problem is, they don't actually prevent anonymousflying. The exploit requires a slight adjustment, but the bottom lineis that it's still as easy as ever for a bad guy to get on a planewithout the government knowing his or her true name. But now the TSAhas a bunch of fancy new scanners at their checkpoints, paid for by you and me, with little actual gain in securityIt feels almost unsporting to criticize the TSA these days, an agency whose popularity seems to lie somewhere between that of the IRS and AlQueda. But this ineffective patch of a security vulnerability is symptomatic of larger problems with our approach to aviationsecurity. Depending on strong ID checks of airline passengers is anill-conceived response to an ill-defined threat in the first place, but what more can we expect given the pressure on officials to do *something*, where progress is measured only by perception. Anyway, I blog a bit more about the new scanners and the obvious way to defeat them at http://www.crypto.com/blog/patching_the_TSA/ -matt ------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com-- Stewart Baker o: 202-429-6402 c: 202-641-8670 ------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com
------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com
Current thread:
- WORTH READING Boarding pass scanners now at TSA checkpoints David Farber (Sep 19)
- <Possible follow-ups>
- WORTH READING Boarding pass scanners now at TSA checkpoints Dave Farber (Sep 20)