WORTH READING Boarding pass scanners now at TSA checkpoints

[Dave Farber <dave () farber net>]

Begin forwarded message:

> From: Matt Blaze <mab () crypto com>
> Date: September 20, 2009 17:34:09 EDT
> To: dave () farber net
> Cc: ip <ip () v2 listbox com>
> Subject: Re: [IP] WORTH READING   Boarding pass scanners now at TSA  
> checkpoints

> Dave, for IP if you wish:
>
> Stewart Baker, who served as director of policy at the Department
> of Homeland Security, the parent agency of the TSA, takes me
> to task for my recent posting about the new TSA boarding pass
> scanners being installed at security checkpoints.
>
> My observation was that the ID/boarding pass check is insufficient
> and in the wrong place; fixing the Schneier/Soghoian attack requires
> that a strong ID check be performed at the boarding gate, which the
> new system still doesn't do. Stewart says that the TSA security
> process doesn't care what flight someone is on as long as they are
> screened properly and compared against the "no fly" list.
>
> Maybe it doesn't; the precise security goals to be achieved by
> identifying travelers have never been clearly articulated, which
> is an underlying cause of this and other problems with our aviation
> security system. But the TSA has repeatedly asserted that passenger
> flight routing is very much a component of their name screening
> process. For example, the regulations governing the Secure Flight
> program published last October in the Federal Register [pdf] say
> that "... TSA may learn that flights on a particular route may be
> subject to increased security risk" and so might do different
> screening for passengers on those routes. I don't know whether
> that's true or not, but those are the TSA's words, not mine.
>
> Anyway, Stewart's confusion about the security properties of the
> protocol, and about my reasons for discussing them notwithstanding,
> the larger point is that aviation security is a complex (and
> interesting) problem in the discipline I've come to understand as
> "human-scale security protocols".
>
> I first wrote about human scale security as a computer science
> problem back in 2004 in my paper "Toward a Broader View Of Security
> Protocols" ( http://www.crypto.com/papers/humancambridge.pdf ).
> Such protocols share much in common with the cryptographic
> authentication and identification schemes used in computing: they're
> hard to design well and they can fail in subtle and surprising ways.
> Perhaps cryptographers and security protocol designers have something
> to contribute toward analyzing and designing better systems here.
> We can certainly learn something from studying them.
>
> -matt
>
>
> On Sep 19, 2009, at 13:22, David Farber wrote:
>
> > Begin forwarded message:
> >
> > From: Stewart Baker <stewart.baker () gmail com>
> > Date: September 19, 2009 11:59:10 AM EDT
> > To: dave () farber net
> > Subject: Re: [IP] Boarding pass scanners now at TSA checkpoints
> >
> > Dave,
> >
> > My response to Matt, posted at www.skatingonstilts.com.
> >
> > TSA has taken another couple of steps to improve air security.  For
> > starters, airline ID checkers are actually checking IDs -- with black
> > lights and magnifying glasses.  And now they're getting ready to scan
> > boarding passes in order to make it harder to use a fake boarding
> > pass.
> >
> > You'd think the agency would get a bit of praise for trying to  
> > improve
> > security without slowing travelers.  Instead, among privacy  
> > advocates,
> > there is only one possible response to TSA security measures:
> > condescension.  They have to sneer, even if they make themselves look
> > a lot dumber than the agency in the process.
> >
> > To take one example, Matt Blaze, a well-known privacy advocate and
> > security buff, is criticizing TSA's new boarding-pass scanners as
> > "ineffective" and "ill-conceived"  with "little actual gain in
> > security".  Matt's a pretty smart guy, but his criticism is
> > inexplicable.  TSA has fixed a real security hole and deserves credit
> > for the new security.  Instead, in an effort to sneer at TSA, Matt  
> > has
> > invented a fake security hole and then criticized the agency for not
> > fixing the fake hole too.
> >
> > Let's remember the security concern that got this started.  A student
> > named Chris Soghoian demonstrated that a terrorist could avoid the
> > no-fly list with a five-step process:  (1) he buys his tickets in a
> > fake name (2) he gets a boarding pass in that name and stuffs it in
> > his pocket (3) he then pulls out a fake boarding pass in his real  
> > name
> > that he prepared on a home printer (4) he shows his real ID plus the
> > fake boarding pass at the TSA checkpoint, and (5) he uses the real
> > boarding pass with the fake name to board the plane.
> >
> > Or, as put more succinctly by the Washington Post,"the loophole is
> > that boarding passes are compared to a person's ID only at initial
> > security checkpoints, not at the gates where passengers board planes.
> > Also, the passes are scanned and verified only at departure gates,  
> > not
> > security checkpoints."
> >
> > (Long double-pointed aside:  to be fair, the hole had been pointed  
> > out
> > before, by Bruce Schneier.  Soghoian's contribution was irresponsible
> > but attention-getting.  He created a website where anyone, including
> > terrorists who needed a little technical help, could generate fake
> > boarding passes.  Soghoian was investigated for criminal violations  
> > by
> > the FBI and for civil violations by TSA.  Rep. Edward J. Markey
> > (D-Mass.) first called for Soghoian's arrest but later called the
> > stunt a public service.  "He picked a lousy way of doing it, but he
> > should not go to jail for his bad judgment," Markey said.  In the  
> > end,
> > no charges were pressed.)
> >
> > Okay, back to the thread:  If the security hole is that "the passes
> > are scanned and verified only at departure gates, not security
> > checkpoints," doesn't TSA's new approach actually close that hole --
> > by, you know, scanning and verifying the passes at the security
> > checkpoint?  Seems like this really will keep people from using a  
> > fake
> > boarding pass to get past security.
> >
> > So how can Matt Blaze call TSA's new measure "ineffective" and
> > "ill-conceived"  with "little actual gain in security"?
> >
> > Only by changing the subject.
> >
> > Blaze recasts the security problem from avoiding the no-fly list to
> > "anonymous flying."  Blaze says "it's still as easy for a bad guy to
> > get on a plane without the government knowing his or her true name."
> > But he means that in a very special way apparently comprehensible  
> > only
> > to privacy advocates.  When he says that the government won't know  
> > the
> > bad guy's true name, he means that the government actually will know
> > the bad guy's true name, but that it might not know which plane the
> > bad guy got on.
> >
> > Here's how Blaze says you can avoid the new security measure.  First
> > buy two real tickets, one in a fake name and one in your real name.
> > You then use your real-name boarding pass and ID to get past the
> > security check, at which point you can board the other flight using
> > your fake-name boarding pass.
> >
> > Well, that might be a devastating hole -- if TSA's job were to  
> > prevent
> > "anonymous flying."  But it's not.  TSA's new measure is meant to  
> > keep
> > people on the no-fly list from, well, from flying.  If the only way
> > for bad guys to beat the system is to buy tickets in their own names,
> > then they'll be caught by the no-fly list.
> >
> > The whole point of the Soghoian caper and the Schneier critique was
> > that you never needed to give your real name to the airlines, so your
> > real name wouldn't be checked against the no-fly list.  Now you do,
> > and now it will will be.
> >
> > Matt can only describe the new measures as "ineffective" by ignoring
> > the security hole that Soghoian was trying to dramatize and that TSA
> > is trying to fix.
> >
> > Moral:  Sneering at TSA may seem like shooting fish in a barrel, but
> > first make sure your foot isn't under the barrel.
> >
> > On 9/19/09, David Farber <dave () farber net> wrote:
> > > Begin forwarded message:
> > >
> > > From: Matt Blaze <mab () crypto com>
> > > Date: September 18, 2009 11:20:45 PM EDT
> > > To: David Farber <dave () farber net>
> > > Subject: Boarding pass scanners now at TSA checkpoints
> > >
> > > For IP if you'd like.
> > >
> > > Yesterday at the Philadelphia airport, I noticed something new at  
> > > the
> > > security checkpoint: the TSA ID checker had a boarding pass scanner
> > > along with the usual UV flashlight and magnifying glass.  The  
> > > scanner
> > > didn't seem to be in use yet, but others have told me that they have
> > > had their boarding passes scanned by the TSA at security checkpoints
> > > at various airports this week.
> > >
> > > The scanners verify that the boarding pass is valid (presumably  
> > > with a
> > > database lookup into the airline reservation record) and display the
> > > passenger name as reflected in the record.  The devices are  
> > > apparently
> > > a countermeasure against the "anonymous flyer" technique first
> > > described by Bruce Schneier in 2003 in which a traveler creates a  
> > > fake
> > > boarding pass with her true name for use at the security  
> > > checkpoint, but
> > > uses a real boarding pass with a fake name to actually board his or
> > > her flight.  You may recall the furor a couple years ago when Chris
> > > Soghoian made available a do-it-yourself counterfeit boarding pass
> > > generator to demonstrate the exploit.  But aside from hassling Mr.
> > > Soghoian, the TSA never actually fixed their procedures to prevent  
> > > the
> > > attack, however "dangerous" anonymous flying might actually be.
> > >
> > > So the new scanners are intended to, years later, to close this
> > > loophole.  But the problem is, they don't actually prevent anonymous
> > > flying.  The exploit requires a slight adjustment, but the bottom  
> > > line
> > > is that it's still as easy as ever for a bad guy to get on a plane
> > > without the government knowing his or her true name.  But now the  
> > > TSA
> > > has a bunch of fancy new scanners at their checkpoints, paid for by
> > > you and me, with little actual gain in security
> > >
> > > It feels almost unsporting to criticize the TSA these days, an  
> > > agency
> > > whose popularity seems to lie somewhere between that of the IRS  
> > > and Al
> > > Queda.  But this ineffective patch of a security vulnerability is
> > > symptomatic of larger problems with our approach to aviation
> > > security.   Depending on strong ID checks of airline passengers is  
> > > an
> > > ill-conceived response to an ill-defined threat in the first place,
> > > but what more can we expect given the pressure on officials to do
> > > *something*, where progress is measured only by perception.
> > >
> > > Anyway, I blog a bit more about the new scanners and the obvious way
> > > to defeat them at
> > > http://www.crypto.com/blog/patching_the_TSA/
> > >
> > > -matt
> > >
> > >
> > >
> > >
> > >
> > > -------------------------------------------
> > > Archives: https://www.listbox.com/member/archive/247/=now
> > > RSS Feed: https://www.listbox.com/member/archive/rss/247/
> > > Powered by Listbox: http://www.listbox.com
> >
> >
> > --
> > Stewart Baker
> > o: 202-429-6402
> > c: 202-641-8670
> >
> >
> >
> >
> > -------------------------------------------
> > Archives: https://www.listbox.com/member/archive/247/=now
> > RSS Feed: https://www.listbox.com/member/archive/rss/247/
> > Powered by Listbox: http://www.listbox.com



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com