Ask Slashdot: Is TSA's PreCheck System Easy To Game?

OverTheGeicoE writes "TSA has had a preferred traveler program, PreCheck, for a while now. Frequent fliers and other individuals with prior approval from DHS can avoid some minor annoyances of airport security, like removing shoes and light jackets, but not all of the time. TSA likes to be random and unpredictable, so PreCheck participants don't always get the full benefits of PreCheck. Apparently the decision about PreCheck is made when the boarding pass is printed, and a traveler's PreCheck authorization is encoded, unencrypted, on the boarding pass barcode. In theory, one could use a barcode-reading Web site (like this one, perhaps) to translate a barcode into text to determine your screening level before a flight. One might even be able to modify the boarding pass using PhotoShop or the GIMP to, for example, get the screening level of your choice. I haven't been able to verify this information, but I bet Slashdot can. Is TSA's PreCheck system really that easy to game? If you have an old boarding pass lying around, can you read the barcode and verify that the information in TFA is correct?"

Yes

[Jeremiah+Cornelius]

Yes it is.

Re:Yes

Agreed. Thread over.

Re:Yes

[Spiridios]

Way to get every /. member on the no fly list.

Re:Yes

You have broken the law of headlines. The answer is obviously NO.

Re:Yes

[Mitreya]

Yes it is.

Wrong question is being asked

A better question is -- Would it matter if TSA PreCheck System were easy to game?

Seeing how TSA has no record of ever catching or thwarting a terrorist, I would say "no"

Re:Yes

Yes it is.

Yup done it a few times already basic HTML skills and PDF417 barcode reader and generator are all that is needed.

Re:Yes

Seeing how TSA has no record of ever catching or thwarting a terrorist, I would say "no"

Well, they're semi-effective at catching TSA employees who steal iPads, laptops and expensive camera gear.

I mean, the thought of some low-level thug making off with a $1k piece of glass terrifies the hell out of me.

Re:Yes

Wrong question is being asked

A better question is -- Would it matter if TSA PreCheck System were easy to game?

Seeing how TSA has no record of ever catching or thwarting a terrorist, I would say "no"

No, neither question is really relevant. It doesn't matter if the system is easy to game for someone with technical aptitude because this whole system isn't really about making travel more secure, but conditioning people to be more complacent about government intrusion and restriction on their daily lives.

Re:Yes

[gmanterry]

Way to get every /. member on the no fly list.

It's probably dangerous to even comment on this article. It's probably a Homeland SecurityTSA sting.

Re:Yes

[Joe+Decker]

Well, they're semi-effective at catching TSA employees who steal iPads, laptops and expensive camera gear.

No, they're not. There are occasional busts, but most go unreported or unaddressed.

Fun fact: The TSA refuses to report such thefts to local authorities, as a matter of policy.

Re:Yes

[Jeremiah+Cornelius]

You can submit barcodes to an online reader as a scanned PNG now.

Don't even need specialised hardware.

Re:Yes

[Jeremiah+Cornelius]

" this whole system isn't really about making travel more secure, but conditioning people to be more complacent about government intrusion and restriction on their daily lives."

DING DING DING DING DING!

Ladies and gentlemen, please lower your bids. We have a winner.

Re:Yes

this whole system isn't really about making travel more secure, but conditioning people to be more complacent about government intrusion and restriction on their daily lives.

Parallel to that, army and police have been having Zombie Apocalypse training lately. Training them to fight crowds of unarmed human-shaped figures. Considering the lack of real zombies, I wonder what that's supposed to condition the army and police for...

Re:Yes

[Jeremiah+Cornelius]

Did you notice, how I was able to get in "at the front of the line" on this discussion thread?

Re:Yes

[lcampagn]

I am not a fan of the TSA, but let's be fair here: the purpose of doing security checks is not to catch terrorists with bombs in their shoes, but rather to eliminate shoe-bombing as a viable form of attack. The expectation is that anyone going to the effort to hijack a plane will have good knowledge of security procedures, so it is not really possible to say whether the TSA has prevented any terrorist attacks.

Re:Yes

I am not a fan of the TSA, but let's be fair here: the purpose of doing security checks is not to catch terrorists with bombs in their shoes, but rather to eliminate shoe-bombing as a viable form of attack.

The problem is, there are a large (but not technically infinite) number of such attacks. With the TSA only re-acting to the threat as it is used, that means there are (largeNum -1) attacks remaining. So, with such a large number of attacks to choose from, any terrorist would have no problem with the TSA.

In other words, the TSA only started checking shoes after someone tried to hide a bomb in one. The TSA only started their asinine 3-1-1 liquid rules after a liquid bomb plot was uncovered. And no doubt, the TSA will start rectal exams after a terrorist shoves a bomb up their ass.

Responding to the PREVIOUS threat is not security.

Re:Yes

Not entirely correct. The TSA checks at airports are only one part of the security system. There are other activities within the security system that are looking for new potential threats - the airport checks are not where that battle is being fought.

What would be your response if a liquid bomb threat was discovered and then the TSA did nothing to screen for it? Everyone would be screaming their heads off that the TSA should be checking for known threats. It is absurd to try to claim that the TSA airport checks are not security.

Do I think that the TSA has gone too far in terms of infringing on the rights of people who are not terrorists? Yes. I think they are too concerned with being accused of missing something and have therefore trampled on everyone's toes.
Do I think that the TSA is not helping in terms of deterring terrorist attacks on airplanes? No. You have to have airport checks, and those checks have to respond to threats that are detected by other parts of the security network.

Re:Yes

[Dasuraga]

While they are more reactive than proactive on that front unluckily(or luckily, depending on your standpoint), it's not as if the reaction treats exactly one case.

body scanners can stop more than just shoe bombers in principal. It's very much a unit-test philosophy: When you get a problem, make a test , and with some luck the test will have more coverage than just one specific thing.

Obviously doing nothing is not really a solution either. While locked cockpits stop a lot of things, it doesn't stop explosions from causing problems.

Re:Yes

[Teancum]

If the guys at the TSA haven't even bothered to get other government security experts like the guys at the NSA to review their strategy and how these tickets are encoded, it seems like these guys need a few basic lessons in computer science and should go back to college as freshmen.

As a sting, this is pretty hopeless.

Re:Yes

[Teancum]

What would be your response if a liquid bomb threat was discovered and then the TSA did nothing to screen for it? Everyone would be screaming their heads off that the TSA should be checking for known threats. It is absurd to try to claim that the TSA airport checks are not security.

Not everybody is screaming for increased authority being given to the TSA to declare martial law in airports. Too far? I think it was too far on September 10th, 2001, as the security procedures in pace prior to the 9/11 attacks should have stopped those terrorists from getting on board those planes in the first place as well as stopping even the shoe bomber.

These guys are simply being lousy rent-a-cops that really don't know the first thing about how to act as a law enforcement agency in a once free representative democracy. It is sad that they can't simply act like almost every other police agency acting outside of those airports and *gasp* actually investigate crimes when they happen, to do gum shoe detective work, and root out would be criminals who might be causing problems. I also think this "zero tolerance" for terrorist actions is maddening as well.

The real issue here is that stupid people do stupid things. We can't afford to have TSA level security in malls, public schools, banks, or elsewhere. Certainly not in bus stations or on freeways. In reality we can't afford to have this in airports either, but some stupid congressmen had a knee jerk reaction to a non-problem and didn't really address the issues involved either... trading one form of corruption for another.

What the TSA should be doing is real security and police work in airports. There may even be a need to keep it a federal agency, so far as threats to airport security typically do cross state borders and even become international problems. There are even national security issues involved so far as there are foreign governments who are using "terrorist groups" as surrogates to cause chaos and disorder deliberately in an attempt to further their own national goals. Yes, I'm saying that Al-Queida and other similar groups are not merely spontaneous but rather are supported, financed by, and encouraged by many countries (almost all of whom have seats at the United Nations along with national capitals and recognizable leaders) and this is a real war going on.

If these doughnut loving idiots would get off their behinds, turn off their scanning machines, and actually do some real police work to find those people who are causing problems... then I might be encouraged by the work that the TSA is doing. For now, I consider them to be lazy asses that are wasting billions of tax dollars on a futile exercise that won't stop a real terrorist attack in America by somebody determined to cause problems. This security theater is utter bullshit and needs to stop. If there is a real threat that soliders or mercenaries from foreign governments are coming into America... they should also be stopped. But it should be painfully obvious who they are as well and stopping those foreign soldiers from committing acts of war inside of America can be done without infringing on the rights of ordinary citizens or molesting toddlers.

Re:Yes

I'm not a fan of TSA either, but this seems like an unfair standard. How many criminals has the lock on your home door stopped?

Re:Yes

[UncleTogie]

As a sting, this is pretty hopeless.

Naah, just needs the right media spin.

"A renegade group considered to be 'The Apostles of Bruce Schneier' were caught plotting to manipulate airline tickets for domestic flights.. TSA cavity search and film at 11...."

Re:Yes

... the purpose of doing security checks ...

The US DHS defines their purpose as 'to scare terrorists away'. This creates the problem that no 'terrorists' are at the airport. Hence those terrorists must using your car and the DHS needs to interfere with your lawful travel so said terrorists are scared out of your car.

... to eliminate shoe-bombing as a viable form of attack.

And eliminating condoms also eliminates unwanted pregnancies. (Since it prevents women having safe sex.)

A 'viable form of attack' does not require shoes, so eliminating shoes does not stop any attacks. If you want real safety, give your airport some tiger-repelling rocks.

Re:Yes

[Kwyj1b0]

... and should go back to college as freshmen.

What makes you think they went to college before being hired at the TSA?

Re:Yes

[ericloewe]

The TSA is still doing it completely wrong. You don't try to find weapons or dangerous items, you try to find dangerous people.

Re:Yes

And that's because the whole PreCheck circus was never intended to make flights more secure. It's intended to build acceptance for a system where we discriminate against certain groups of people. Forcing them to sew a symbol onto their coats would not be acceptable today, but apparently, a flag in a barcode is.

If people accept this, then there will soon be PreCheck to get into the subway too, and before you know it, you'll never go anywhere without your PreCheck passport.

Re:Yes

[houghi]

Well, they can't, because what the TSA is actually doing is keeping the terrorists from the planes by employing them. Oh, you were taking about thieves? Well, potato, tomato. Thieves, terrorists, republicans, democrats. Who knows the difference anymore.

Re:Yes

[Sqr(twg)]

Unless you want to give all your flight details to some random web server operator, you're better off installing something like http://sourceforge.net/projects/zbar/ and decoding yourself.

Re:Yes

[xenobyte]

What would be your response if a liquid bomb threat was discovered and then the TSA did nothing to screen for it? Everyone would be screaming their heads off that the TSA should be checking for known threats. It is absurd to try to claim that the TSA airport checks are not security.

The checks are security... security theater that is. They don't work. They don't catch terrorists. They don't prevent terrorists from trying something else.

You mention the liquid bomb incident. First of all, the liquids were not even meant to be taken aboard an airplane. They could have been though and that started the scare. Now, the sensible rules would be such, that it would be impossible to bring enough liquid aboard to create a bomb that could do any worthwhile damage. But no. The rules allow for one liter of liquid to be brought aboard and any half-decent explosives expert could tell you that it takes less than 200 ml of some liquid explosives to create a bomb that could bring down the aircraft. So we've ended up with a worthless rule that doesn't work, but which cause lots of inconvenience and hassle for the traveler. That's security theater - if it's REALLY annoying it must be REALLY effective...

Sure, you can't bring enough liquid explosive to blow a hole in the universe but you can still drop the plane on a major city, and that's usually enough for most terrorists.

Re:Yes

[markyd123]

[...] conditioning people to be more complacent about government intrusion and restriction on their daily lives.

Is that *really* what you think is happening? I'm a Brit and haven't been to the US for a while now so may well be talking out of my 'bum' ... but for that to be the case it suggests that someone, somewhere in the upper echelons of your government has taken an explicit decision that that is what they are trying to do.

I accept that the results make it feel more and more like a police state when you fly, but don't think the cause can be attributed to anything more than incompetence and laziness. As in: 'Hey, we need to make people feel more secure after a few hijackings. Screw it, we'll just hire a bunch of drop-outs in uniform to grope them every time they fly.'

The difference is important, because the way that you deal with an incompetent politician will probably be very different to the way that you deal with an 'evil' one, the latter being what I suspect you are alluding to. We may well be sleepwalking into a police state (the UK certainly has been over the past two decades) but my argument would be that the problem is the political apathy that allows it.

TL;DR: don't portray government as an evil genius when what's much more likely is a lazy idiot.

Re:Yes

[Teancum]

... and should go back to college as freshmen.

What makes you think they went to college before being hired at the TSA?

I'm talking about the guys who designed this system... but you might be right about the "software experts' who designed this system. I question if they even bothered taking lessons at Khan Academy or Code Academy.

Re:Yes

[JohnnyComeLately]

Duh, Black Ops II...

Regards, Capt Me

Re:Yes

[Teancum]

I'm not a fan of TSA either, but this seems like an unfair standard. How many criminals has the lock on your home door stopped?

The role of a lock on a front door or for that matter an automobile is to keep "the honest people honest". In other words, it is there to stop a 70 year old partially senile old woman from driving off with your car or walking into your house at odd hours because they got lost or confused. It reminds an otherwise honest person that they have gone too far and should likely turn back.

A uniformed officer walking around an airport with a radio and a gun works just fine to do that kind of security to protect passengers, staff, and crew from ordinary civil disorder, where they may have to call in some backup if some guys are getting a bit too rowdy at a restaurant bar or some group of people being too pushy trying to board an airplane. "Ordinary" crimes like assault, murder, and perhaps pickpockets and purse snatchers are legitimate things for a security force to try and keep under control.

Trying to keep some group of idiots who are determined to go postal and start killing random people in some manner is much harder to stop... assuming they can even be identified. Soldiers or mercenaries (however you define those terms) who are acting in the interest of a foreign government and trying to disguise as civilians in an attempt to perform acts of war (this is my own definition of terrorism) seems to be a larger problem... but there are ways to deal with such nations as well. Curtailing civil liberties and molesting grandmothers or toddlers is not a way to get that to happen.

Re:Yes

[awrowe]

You must be the least observant person in the country then, if you haven't noticed the relentless line of celebrity based scandals which are blown out of all proportion by every mainstream and traditional media outlet in the country.

As soon as something is past (or looks like becoming uncomfortable), hey look, there's another scandal, who are we going to play the blame game with this week?

Even this Jimmy Saville thing is ridiculous. Fair enough the guy seemed to be a monster, but why has it taken until he's a year or so dead before one of the more than 400 victims spoke loudly enough to be taken seriously? Perhaps it wasn't the right time to open that particular circus.

Bread and circuses. Bludgeon the population into bovine acceptance of government intrusion by constantly providing salacious distraction. It's a tragedy.

Re:Yes

If you read the full article, it's not called gaming. it's to avoid the traveling grope by the TSA, of american citizans. The last time this was done to anyof the public that were traveling somewhere, was in the aftican republics during the aparthide years. Used to read of it then, it was declaired illegal then by the world court. But the US supreme court don't travel by air, or, not by public air, so they don't get touched. But I'm sure scalia or thomas would love it.
Remember this far in it's not a proof of concept, but a done deed. So should the code scanner be used, to tell when the grope be used. or should you be clear about the intention, and call it the "rape" off the public.

Re:Yes

[Cid+Highwind]

DING!

Some people see a monster and need to believe that someone (even someone hostile to them) is holding its leash.

The truth is somewhat scarier: that the continual growth of oppressive-yet-useless security apparatus like the TSA is an emergent property of power, fear, and greed.

Re:Yes

If they are trying to condition us, this seems like a pretty bad method. Everyone hates the TSA. Maybe it is though. It could be that the government is an Evil Lazy Idiot.

Personally I'm fine with strict security, on the plane, as long as the methods are efficient, fair, conducted in a professional manner and they still treat people like human beings. A flight could turn into a dangerous situation for a lot of people. It should have good security; emphasis on good. The problem is, the TSA doesn't seem to be any of those things.

Re:Yes

[dcw3]

And this has what to do with the government? Answer: Nothing.

Media is all about blowing things out of proportion in order to deliver more viewers, in order to sell more advertising, in order to make more $$$$$

Grandparent was spot on.

Re:Yes

[CohibaVancouver]

It's intended to build acceptance for a system where we discriminate against certain groups of people

I'm sorry, but unless America want to keep wasting BILLIONS of dollars on security theatre, then sooner or later this is what is going to need to happen. You need to treat people differently. You need to treat a granny flying economy class with a return ticket to Oklahoma at Christmastime differently from a 22-year-old-male with a first-class one-way ticket on a transatlantic flight paid for in cash. In matters of security you simply should not treat everyone equally - It's just a waste of money. I've flown 57 flight segments so far in 2012, which means I've been through security something like three-dozen times. It make sense that eventually the system should say "We've screened this guy enough, let's worry about someone else." Again - Screening me again and again is a waste of tax dollars.

Re:Yes

[dcw3]

What would be your response if a liquid bomb threat was discovered and then the TSA did nothing to screen for it? Everyone would be screaming their heads off that the TSA should be checking for known threats. It is absurd to try to claim that the TSA airport checks are not security.

Wasn't the whole liquid bomb threat debunked anyway? I recall seeing a chemist on TV claiming it wasn't even feasible.

Re:Yes

I'm not a fan of TSA either, but this seems like an unfair standard. How many criminals has the lock on your home door stopped?

None. But my (locked) house has been broken into several times. By myself. Without doing any damage or making much noise.

A door lock is not going to stop anyone that really wants into your house. It's simply a deterrent, just like alarm systems, cameras, gates, dogs, and personnel. A sane person realizes he can't PREVENT crime, he can only deter it and proactively prepare for the worst with insurance and backups of important documents.

Re:Yes

I have extra security. Slashdot refuses to let me post as anything other than AC, even when I'm logged in.

Re:Yes

"...as the security procedures in pace prior to the 9/11 attacks should have stopped those terrorists from getting on board those planes in the first place..."

Umm... How? The folks responsible for the 9/11 attacks used legal IDs, with proper boarding passes, and got on the planes carrying absolutely nothing that was prohibited.

9/11 happened the way it happened, not because flight security was lax, but because the world had been conditioned by *decades* of "We're going to hijack the plane, fly it somewhere, make demands, and let everyone go when it's all over". Because that was the 'normal' mode of hijacking planes, everyone played along when the 9/11 planes were hijacked.

These days, when someone freaks out on board a plane, or even just acts 'suspicious', they get dog-piled by near-by passengers, restrained (if not knocked unconscious), and turned over to the authorities when the plane lands.

Re:Yes

[GodInHell]

Let's check that thesis:

SAN DIEGO -- Move over vampires, goblins and haunted houses, this kind of Halloween terror aims to shake up even the toughest warriors: An untold number of so-called zombies are coming to a counterterrorism summit attended by hundreds of Marines, Navy special ops, soldiers, police, firefighters and others to prepare them for their worst nightmares. "This is a very real exercise, this is not some type of big costume party," said Brad Barker, president of Halo Corp, a security firm hosting the Oct. 31 training demonstration during the summit at a 44-acre Paradise Point Resort island on a San Diego bay. "Everything that will be simulated at this event has already happened, it just hasn't happened all at once on the same night. But the training is very real, it just happens to be the bad guys we're having a little fun with."

Hundreds of military, law enforcement and medical personnel will observe the Hollywood-style production of a zombie attack as part of their emergency response training.

In the scenario, a VIP and his personal detail are trapped in a village, surrounded by zombies when a bomb explodes. The VIP is wounded and his team must move through the town while dodging bullets and shooting back at the invading zombies. At one point, some members of the team are bit by zombies and must be taken to a field medical facility for decontamination and treatment.

Source.Bombs... bullets, hmm, looks like those aren't unnarmed human shapes. It's just a "standard" tactical simulation with the "fun" twist that the bad guys are dressed up to look like zombies. So ... looks like you might be having a bit of a paranoid fantasy there sir.

If that's not the event you're talking about, perhaps you should add a citation to support your extreme claim.

Re:Yes

[n7ytd]

What would be your response if a liquid bomb threat was discovered and then the TSA did nothing to screen for it? Everyone would be screaming their heads off that the TSA should be checking for known threats. It is absurd to try to claim that the TSA airport checks are not security.

The checks are security... security theater that is. They don't work. They don't catch terrorists. They don't prevent terrorists from trying something else.

You mention the liquid bomb incident. First of all, the liquids were not even meant to be taken aboard an airplane. They could have been though and that started the scare. Now, the sensible rules would be such, that it would be impossible to bring enough liquid aboard to create a bomb that could do any worthwhile damage. But no. [...]

Especially when it takes about 30 seconds worth of thought to get around such a ban. Contact lens solution? Ok. Baby formula? Ok. 1 Liter of bottled water not purchased from a blessed vendor inside the security fence? Nice try, terrerrist, you just leave that right here.

In February 2002, I was in Boston for work and finished up a day early. At the airline counter I was told that for security reasons, I was not allowed to fly standby on a day other than the day for which my ticket was issued. Without missing a beat, the agent then informed me that for a $100 change fee I could get a new ticket issued for the current day.

Crap like this is not security. Does the TSA believe there terrorists in the world ready to sacrifice their own lives, but also carefully observe the 14-day advance purchase requirement to get a cheap ticket? Jihadists are traveling the world without $100 in their pockets?

Every time I show up at the security checkpoint, the security guard carefully inspects my photo ID, being sure that the name on my driver's license matches the name on a piece of paper that looks like a boarding pass, which I also provide. What kind of nonsense is this? "Here's a piece of paper with my name, and to prove I'm supposed to be here, I've also brought with me a second piece of paper with the same name." Let's pretend I can't fake the boarding pass, so securely presented by the airline's website in a .PDF file. I still can purchase an airplane ticket in any name I choose, print a legitimate boarding pass, and then cancel the ticket, even the day of the flight.

Since the TSA screening has foiled exactly zero plots, there are only three options:

1. The TSA is doing such a bang-up job as a deterrent, that no hijacker has dared to attempt it.
2. The TSA has stopped at least one hijacker, but has chosen to not publicize it for some reason. Maybe to avoid revealing their methods.
3. The TSA has done exactly nothing in the way of making airline travel actually safer. But, change fees abound, bottled water sales are up, and people needing bottled medical oxygen on board the plane cannot bring it from home, but now pay the airline $100 per flight to provide it for them.

Which of the three are more likely?

Re:Yes

And no doubt, the TSA will start rectal exams after a terrorist shoves a bomb up their ass.

On the bright side, early detection will improve the survival rates for prostate and colon cancer.

Re:Yes

[Tuoqui]

No it's a cash grab... we need a trillion dollars to encrypt the barcodes.

Probably, but watch out for the Audit.

From what I've read, it would be fairly easy to re-encode your boarding pass to have pre-clearence approval on it. It is just changing a bit on the barcode. Remember, this is matched against your ID and logged. Sure you might get waved on the flight, but I would be shocked to find out anyone that tries this gets in serious trouble. Still doesn't stop the terrorist passenger but might catch people fast enough to honeypot dry runs.

Re:Probably, but watch out for the Audit.

[NIK282000]

There is a very good DefCon talk on youtube about barcodes and how easy they are to scam. It's so trivial to encrypt the data in a barcode but of course TSA has spared every expense in the defence of america.
 
  Here's the DefCon talk: http://www.youtube.com/watch?v=qT_gwl1drhc

Re:Probably, but watch out for the Audit.

[JWSmythe]

    Actually, if they have any common sense, they'd verify the barcode read from the ticket to the barcode stored in the airline DB when the ticket was printed. Modifying it would be a huge red flag.

    But as we all know, the TSA has no common sense. I've considered it mind numbingly stupid that every time I've gone through an airport since 9/11, the super-duper-secure TSA checkpoint (ha!) doesn't check that my boarding pass actually corresponds to a real ticket issued. We're not talking about anything amazingly high tech, except a barcode reader, and network connection to verify against the airline(s) systems.

    The only place that it's cross referenced is boarding, and even that is only most of the airlines I fly. I've been on a few that still just tear the paper boarding pass, and let you on. No verification or anything. At least not before the plane departs. I've been early (just like they ask you to), so I've watched them scanning used boarding passes minutes to hours after the flight leaves. I'm sure we're not suppose to observe procedure, even though it's done right in front of us.

Re:Probably, but watch out for the Audit.

[Ksevio]

There's also nothing forcing you to show the same ticket to the TSA as to the people at the gate. Could have a fake one for the TSA and a real one for the plane to ensure it checks out with the airline.

Re:Probably, but watch out for the Audit.

Yyyyyeah, but then you'd need a real boarding pass anyway. Why wouldn't you just... use the real one all the way through?

The whole point of this is to not NEED a real one.

Re:Probably, but watch out for the Audit.

[jkflying]

No, it's so you can skip the TSA stripsearch once you have a legitimate ticket.

Re:Probably, but watch out for the Audit.

Here in Canada, at least at major airports like Pearson [Toronto] for the past couple of years security has been scanning boarding passes and matching that with photo ID.

Re:Probably, but watch out for the Audit.

    Actually, if they have any common sense,

I'm sorry, you lost me right there when you leaped off into some alternative fantasy universe. Can you explain what this common sense that you speak of is and how it relates to the TSA?

Re:Probably, but watch out for the Audit.

[archmcd]

Let's be realistic. Fake boarding passes aren't a threat to the TSA. The only purpose to the TSA of checking your boarding pass before entering the security checkpoint is to keep from unnecessarily screening people who aren't flying. It keeps your mother from cluttering up the naked-scanner for everyone else who's flying if she just wants to kiss you before you fly away. If someone prints a fake boarding pass to get past the TSA, they still won't be able to get on the flight. They're going to be able to buy a Maxim at Hudson News and an 8 hour old sandwich and nothing more. And even if they are able to board the flight, they won't have a seat assigned so they run the risk of being caught by a flight attendant before takeoff and getting arrested. No, someone who poses a real terror threat won't present a fake boarding pass to the TSA because that could blow their whole plot if they get caught with it before takeoff. I find it hilarious when suddenly everyone on Slashdot becomes a security expert.

Re:Probably, but watch out for the Audit.

[CohibaVancouver]

Here in Canada, at least at major airports like Pearson [Toronto] for the past couple of years security has been scanning boarding passes and matching that with photo ID.

Incorrect. CATSA scans your boarding pass at security to make sure you're in the right place, but they don't ask for ID - The ID check happens when you board. In the US, they don't ask for ID when you board a domestic flight, as the TSA has already checked your ID when you passed through security.

Re:Probably, but watch out for the Audit.

[n7ytd]

I've always thought this would be an easy way to fly on a ticket issued in another name. But in the past two years, I've seen one instance of TSA agents randomly asking people in line at the gate for their boarding passes. I wondered if that flight was flagged for some reason or just a slow day at security.

Re:Probably, but watch out for the Audit.

[SomePoorSchmuck]

There's also nothing forcing you to show the same ticket to the TSA as to the people at the gate. Could have a fake one for the TSA and a real one for the plane to ensure it checks out with the airline.

I wonder if any top-level tracking system would notice if you booked a ticket on two separate airlines leaving from the same terminal around the same time. I don't know that doing so would be exploitable in any way, but now I'm curious toward just how broad the software-based aggregation/collation/analytics are.

Re:Probably, but watch out for the Audit.

...someone proposed getting the airlines out of the business of sending reservations records to DHS/TSA for vetting and classification in the first place. His idea was for TSA to take control of the checkpoint queuing process such that passengers were required to swipe their state-issued driver's license or passport at the beginning of the checkpoint queue so by the time they get to the head of the screening line, DHS/TSA would screen in accordance to what the government has learned from their watchlists, or whatever elements they choose to incorporate into their screening and evaluation process. That way they get the process away from the carriers, and the whole encoding discussion is moot. BTW, this would also allow anyone to travel through security, down to the concessions, to the gate -- whether they're traveling or not.

Re:Probably, but watch out for the Audit.

[JWSmythe]

    I'd be willing to bet that you *could*. Now why you'd drop a bunch of money on a ticket that you can't possibly use, that's the question. :)

Maybe if you're a nefarious criminal with every three letter agency trying to find you, you could slip them up by leaving from gate C4 instead of C12, because ... umm ... they don't have enough agents to watch two gates..

    Nah.. Booking a couple flights, train ticket, bus ticket, and rent a car... At least that would keep them on their toes, while you're camped out in the NoTell-Model with a toothless hooker and half a bag of meth.. Don't worry, I not one to judge you.. That's up to the rest of the Slashdot audience. :)

Re:Probably, but watch out for the Audit.

[JWSmythe]

    Nah, that was the end of any reason... Actually, it may have ended before that, when I implied that the possibility was there.

Re:Probably, but watch out for the Audit.

[JWSmythe]

    What airport have you been flying through, where the sandwiches are only 8 hours old?

    Nah, we all know it's security theater.. Oh my gorsh, bad guys could get into the "secure" area.. As we found with the El Al incident a few years ago, people do bad things anywhere they want, even in a major US airport.

Could be a honeypot

[mepperpint]

If I were designing a security system for TSA, I would definitely consider printing a (possibly fake) screening status in the barcode in plain text. If you keep a database of what status you assigned to which boarding ticket, then you can more thoroughly screen (or arrest and jail indefinitely) anyone who changes the easily hackable obvious screening status on their boarding pass. This is much like a honeypot that folks sometimes use in network security. (For those who don't know, a honeypot is an easily hackable machine that serves no purpose except to be hacked so that an observer can find folks who are trying to break in.)

Re:Could be a honeypot

They're not that smart. They still haven't been able to stop common theft from checked baggage.

Re:Could be a honeypot

[p0p0]

Is this would accomplish what? The terrorists can use Photoshop?

Re:Could be a honeypot

[NIK282000]

I think its more the "why" rather then the "how" that TSA would be interested in.

Re:Could be a honeypot

[nzac]

This is way to simple not to have been done before, someone will have actually used it and unless they have rushed off to gitmo i would guess its undetectable.

I could understand why they might want local authentication but they should at least be able hand out keys to airlines for each airport and encrypt it using the key for the airport you are departing from.

Re:Could be a honeypot

Yes but think of the headlines that it'd generate - "TSA and FBI catch terrorist attempting to breach security". We have theater security, now we have theater arrests.

Re:Could be a honeypot

[iiii]

Yeah, and the "who".

Their thought: "hey, well catch the bad guys who are trying to get around security!"
Reality: they catch the nerds who know how to hack barcodes and want to save 10 minutes of waiting in a security line.

But this is giving them too much credit. They are not thinking that far ahead. They are still stuck on shoe bombs (22 Dec 2001).

Re:Could be a honeypot

[Mitreya]

If I were designing a security system for TSA, I would definitely consider printing a (possibly fake) screening status in the barcode in plain text. If you keep a database of what status you assigned to which boarding ticket, then you can more thoroughly screen (or arrest and jail indefinitely) anyone who changes the easily hackable obvious screening status on their boarding pass.

This is an interesting point, but what does any of this have to do with catching terrorists? Now TSA will detain people who mess with barcodes and claim them to be terrorists?

To extend your line of thought -- If _I_ were designing a security system for TSA (an organization that has never caught a terrorist on its own accord), I too would make up an easily game-able system so that TSA can actually arrest some people and then trump such arrests as success and therefore request more funding.

It would be a lot cheaper and just as efficient to go back to pre-9-11 security and invest in an "anti-terrorism rock" for contractors (if contractors must be funded by this).

Re:Could be a honeypot

[girlintraining]

It's not a honeypot if the information provided is accurate. If the TSA is encoding the screening level on the barcode, then adversaries can use that information to enhance the success rate of smuggling something past security.

Re:Could be a honeypot

[JWSmythe]

    Actually, nothing.

    If it's a bad guy doing it, they'll have a number trying to go through. The ones with flagged boarding passes will turn around and go home. The ones with clean boarding passes will continue through, smile, and say "thank you" to the TSA people (s)he encounters.

    Anyone with any remotely planned mission will have such things in place, and already be ready for them. Send 5 guys in with tickets. A few will get caught. Some won't. Remember the recent tests where only 25% of the weapons passed through x-ray were caught. 5 people means 1 or 2 will get caught. Those odds can be improved if they synchronize someone who *will* get caught. It will draw attention away from the others who they want to make it.

    I've observed that happening more than once. Someone gets stopped for having something "nefarious", like a bottle of water, or knitting needles. They make noise, more TSA employees go to guard, and now the rest of the lines are understaffed, and more will be waved through unmolested.

Re:Could be a honeypot

[JWSmythe]

    They're stuck on the shoe bombing, because that's the only somewhat viable event that's happened in years.

Re:Could be a honeypot

[Joe+Decker]

Stop it? Don't be silly.

They've added to it.

Re:Could be a honeypot

[Yvanhoe]

Don't overestimate the TSA. Bruce Schneier has the habit of meeting journalists who want to interview him inside the "secure" part of the airport and sending them fake boarding pass to print themselves. He thinks it helps him make his point about how this is all a "security theater".

Re:Could be a honeypot

then you can more thoroughly screen (or arrest and jail indefinitely) anyone who changes the easily hackable obvious screening status on their boarding pass

Are you suggesting it should be life in prison, for some stupid kid trying to bypass a hassle and get conveniently on their flight?

Re:Could be a honeypot

[CohibaVancouver]

Bruce Schneier has the habit of meeting journalists who want to interview him inside the "secure" part of the airport and sending them fake boarding pass to print themselves

While I agree much of TSA is security threatre, I suspect this trick is coming to an end. Most checkpoints now have bar code scanners which confirm the validity of the boarding pass.

Re:Could be a honeypot

[Anachragnome]

"(For those who don't know, a honeypot is an easily hackable machine that serves no purpose except to be hacked so that an observer can find folks who are trying to break in.)"

Kind of like this thread.

Re:Could be a honeypot

[blandcramration]

Please don't give them any ideas to increase their budget

Re:Could be a honeypot

[houghi]

Good that you mention the shoe bomber, because the TSA did a great job on that one.

Oh and if you can hijack a plane with just a nail-clipper, you can do it without.

One last thing: Do you know how they smuggle drugs via airplanes? Would it be possible to exchange the drugs with C4?

Re:Could be a honeypot

[Yvanhoe]

The boarding pass he sends comprises a valid QR code. It is a theatre all the way. I agree that the system could be secure, but it is not.

Re:Could be a honeypot

[cdrudge]

One last thing: Do you know how they smuggle drugs via airplanes?

I just came back from a trip this last weekend. I had a 8 or 10 oz bottle of foot powder in my carry on. It flagged them for a double check. The TSA agent removed the bottle, sent the bag back through, it passed, and stuck the foot powder back in the bag.

I'm no chemist, physicist, or XRay machine technician/operator, so I don't know if a bottle of white foot powder shows up differently than a bottle of cocaine. But I have a feeling it doesn't.

Re:Could be a honeypot

[CohibaVancouver]

I agree that the system could be secure, but it is not

In the case of boarding passes I don't think it ever can be. If you want to access the gates, but not fly, just buy a fully-refundable ticket and don't board the flight. This trick is used from time to time by frequent flyers who want to access an airline lounge for an airline they're not flying on a given day.

Re:Could be a honeypot

[j-beda]

I agree that the system could be secure, but it is not

In the case of boarding passes I don't think it ever can be. If you want to access the gates, but not fly, just buy a fully-refundable ticket and don't board the flight. This trick is used from time to time by frequent flyers who want to access an airline lounge for an airline they're not flying on a given day.

You can also get a "gate pass" to accompany people to the gate - often done with young family members or people with mobility or other health issues. It is probably not difficult to use some "social engineering" skills to get one of those printed up for you by the airline in situations where it is not actually warranted.

Re:Could be a honeypot

[iiii]

Forget swallowing or stuffing the c4. The new fear is surgical insertion of explosives. Body bombs. Check out these links:

http://www.thedailybeast.com/newsweek/2012/05/13/al-qaeda-s-body-bombs-al-asiri-s-next-threat.html

http://abcnews.go.com/Blotter/officials-fear-terrorists-body-bombs-us-bound-planes/story?id=16245827

http://www.bbc.co.uk/news/magazine-18161870

Re:Could be a honeypot

[Yvanhoe]

But can you do so easily with a black-listed ID ? That's the whole point.

Re:Could be a honeypot

[CohibaVancouver]

Sure - An SSSS just means you get additional screening. If you don't have prohibited items you're on your way.

Re:This was in the news last week.

[Aardpig]

It was also on Slashdot last week. Good to see that the editorial standards are as high as ever; although Timothy is sadly departed (good night, sweet prince), his fine legacy continues...

dupe

[iiii]

If this sounds a little familiar, well, it is... http://it.slashdot.org/story/12/10/24/2222225/ But I like the tie in with the /. logo today. Will that logo get me a faster screening?

Re:dupe

[pswPhD]

If this sounds a little familiar, well, it is...
http://it.slashdot.org/story/12/10/24/2222225/

There is a difference between this article and the previous one. the question is: do they compare their database with the boarding card to see if it has been altered? The only way to check this would be to check the boarding card, Photoshop/gimp the barcode, go through the TSA theatre with the altered card and see what happens.

I would not want to try this myself. I think most people here have a fairly dim view of the TSA, so I wouldn't put it past them not to compare the card with the database, but there may be one person who thought about this.

looked into it

I looked into it, but it turns out that modifying a boarding pass is a felony.

Re:looked into it

[pswPhD]

I looked into it, but it turns out that modifying a boarding pass is a felony.

And since when has that stopped people modifying/copying hardware, software, music, or legal documents?

Re:looked into it

[Imrik]

Copying and/or modifying is fairly safe, trying to pass it off as the original is when it gets dangerous.

Re:looked into it

[CohibaVancouver]

And since when has that stopped people modifying/copying hardware, software, music, or legal documents?

When there has been a good chance of getting caught and prosecuted.

Re:looked into it

[PPH]

So is strapping on an exploding vest.

Re:looked into it

[serviscope_minor]

So is strapping on an exploding vest.

This happens a lot. In response governments like to make more things illegal.

The thing is criminals doing really bad things generally don't mind a little extra dishonesty or a crime that's way less bad than whatever they're trying to do.

All it ever does is make life harder for normal people.

No brainer

[Meltir]

Store a list of generated barcodes. Sure its big. Its also a very trivial lookup.
If yours doesn't match what's in the DB, prepare for the anal probes.

Or am I crediting the TSA with too many competent technicians ?

Re:No brainer

Store a list of generated barcodes. ... If yours doesn't match what's in the DB, prepare for the anal probes.

Or they could just randomly select people for anal probes. Even less work - for the same result!

The public relations announcement practically writes itself.

No terrorist in the world is safe from our anal probing experts!

Re:No brainer

[tibit]

Technicians? You don't know how it's done in government. Namely, they can don't do anything themselves -- savings and personnel cuts, you understand, of course. Technology is contracted out. Thus they'd need to award some contractor company a project worth a couple million USD to do this. Perhaps even a couple dozen million. TSA, just as any govt. agency, has occasional competent people on board, but they can't do squat, most of the time.

Always been "hackable"

Boarding passes have always been this way, it just wasn't always a bar code.

Why the hell would you even want to try?

These people are lazy. They're annoying, and they're a blight to society. However, for the time being we're all stuck with them until the rest of the general population rises up and says "We've had enough, out you go!".

So I ask you this- even if the system is "easy to game", why the hell would you want to risk it? Maybe you get past their security once, twice, a dozen times, etc. Maybe it is easy to game. That's nice and all.

The question you should be asking yourself is: "What are the consequences of being caught?". These people will happily label you as a terrorist and put you on a no-fly list FOR THE REST OF YOUR LIFE. You think you have legal rights, that they can't do that? They have and they will. Have fun spending the next 5 years of your life debating the finer details of the law in court so you can continue to fly down to Hawaii with the family on occasion for vacation.

It doesn't matter that their system is broken, or that the whole thing is a security theatre and a complete and utter farce. It matters what they're going to do to you when they find out you've been tampering with the system. If you make them look like idiots, their reaction will be to label you as a nefarious terrorist or hacker who was out to get the TSA and thank god they eventually stopped you because who knows what you would have done if they hadn't.

So are you **really** willing to live with the consequences of tampering with the system? Or are you just talking big because someone said the TSA was hackable and now it's all cool and hip to point that out to other people and pretend like you're actually gonna go ahead and do it?

Re:Why the hell would you even want to try?

[dgatwood]

So I ask you this- even if the system is "easy to game", why the hell would you want to risk it? Maybe you get past their security once, twice, a dozen times, etc. Maybe it is easy to game. That's nice and all.

The question you should be asking yourself is: "What are the consequences of being caught?". These people will happily label you as a terrorist and put you on a no-fly list FOR THE REST OF YOUR LIFE.

Which is probably about half an hour for most of the people who would likely be trying to game the system. And that is why it is the responsibility of security researchers and other folks to point out the flaws in the system and to make the TSA look like idiots at every possible opportunity. It is their civic duty, as they represent the only remaining hope that the TSA will either go away or become useful.

Re:Why the hell would you even want to try?

Have fun spending the next 5 years of your life debating the finer details of the law in court so you can continue to fly down to Hawaii with the family on occasion for vacation.

They will happily let you fly down to Hawaii with your family on vacation, then add you to the no-fly list, so you can't fly back.

I know of a person this happened to for no apparent reason; they've been stuck in Hawaii for many months, without any means of available of returning home.

Re:Why the hell would you even want to try?

Try a boat.

Re:Why the hell would you even want to try?

[Jake+Dodgie]

Umm boat?

Re:Why the hell would you even want to try?

Umm boat?

Boat/cruise passengers are also checked against the same list, and denied entry.

Re:Why the hell would you even want to try?

These people are lazy. They're annoying, and they're a blight to society.

And their doing with your tax dollar for your 'benefit'. Why would the general population say "We've had enough, out you go!". It can also be argued, if you're not a part of the solution, you're a part of the problem.

... It doesn't matter that their system is broken

Change your name to "Ahmed Al-Shaqqaf", then tell me what doesn't matter. Your opinion will have more credibility if you then travel outside the USA.

This is like the mayor of L.A.saying those black people must protest racial discrimination without upsetting the white folk.

Re:Why the hell would you even want to try?

[chrismcb]

It is their civic duty, as they represent the only remaining hope that the TSA will either go away or become useful.

They can only become useful by going away.

Re:Why the hell would you even want to try?

[dgatwood]

Nonsense. You're only saying that because none of them ever have. :-D

• Adding hardware to detect bomb residue in the air would potentially be useful (if it works).
• Adding thermal imaging to detect concealed weapons or seriously sick people would potentially be useful.
• X-ray checks of baggage are at least moderately useful even if they miss things once in a while.
• The background checks they run against lists of known or suspected terrorists to help inform the screening process is potentially of at least slight utility, though probably only slight in light of the way the system was designed....

The problem with the TSA is that they seem to have a goal of being usefulness-neutral—for every one thing that they do to improve security, they have to come up with one additional useless hoop for people to jump through for no good reason, so that on average, their actions will never get more useful than they currently are....

I'll take some of that!

[Frosty+Piss]

one could use a barcode-reading Web site (like this one, perhaps) to translate a barcode into text to determine your screening level before a flight. One might even be able to modify the boarding pass using PhotoShop or the GIMP to, for example, get the screening level of your choice.

Yes, I'd like to board an airline flight with a forged boarding pass , and all the privileges that come with it!

Barcode reading website?

[MikeBabcock]

What century is this? Presumably the poster is the only person on Slashdot who doesn't have a smartphone with a barcode reader built in.

Re:Barcode reading website?

[jibjibjib]

> What century is this?

It's the 21st century. You know, that century where not every Slashdot reader has a smartphone, and the majority of smartphones don't come with a built-in barcode reader, and reading barcodes is mostly pointless enough that the majority of users haven't installed a barcode reader.

Re:Barcode reading website?

[issicus]

why would I want a smart phone, it's like a small shitty computer.

Re:Barcode reading website?

[flimflammer]

I might similarly presume that you're really the only person on Slashdot who bothered to install a barcode reader into their smartphone.

Re:Barcode reading website?

[benjamindees]

Big shitty computers, I can handle. They at least have keyboards.

Re:Barcode reading website?

[MikeBabcock]

All right, I'll bite.

The open source zxing barcode reader for Android alone has 50-100 million installs from the Play market. RedLaser has 1-5 million, and ShopSavvy has 10-50 million. That's just on Android, and doesn't include side-loads direct from the websites in question.

Now sure, Angry Birds has 100-500 million installs, so barcode reading software may not be quite as popular, but to assume that any bored geek with a smart phone who wanted to check their boarding pass barcode would go to their nearest PC or laptop and try to scan it with their webcam instead of using a mobile device that fits in one hand and can scan the code quick and easy is just silly.

Now, you feel free to be silly if you want, I'm not one to stop people from being silly, but the first time I wanted to scan a barcode I installed the zxing scanner, and what with how it integrates into the share options on Android, I've installed it on every device since.

Re:Barcode reading website?

[jkflying]

Google Goggles also does a nice job with barcodes.

Re:Barcode reading website?

[dywolf]

the phones/plans cost too much, are too restrictive, and frankly, my needs arent so pressing that i cant wait to use the net access at my house or work.

Easy to Read, not sure easy to change

Look the code to determine pre-check is in the clear and easy to read. What's not obvious is if it's also easy to change. There is a base-64 message below all the normal data that seems to decode to a hash. I would expect that this hash is protecting the integrity of the data above. No one I have seen has modified their barcode and presented it to the TSA. So while there is speculation that it is easy to change, there is no proof and some mild evidence that says this may not be so.

Re:Easy to Read, not sure easy to change

[adamofgreyskull]

Reading that information might be all they need to do. If you have a bunch of co-conspirators on the same plane, you only need one to go through the lighter-screening channel smuggling the box-cutters/drugs/microfilm or whatever; whoever has the magic barcode gets to wear the shoes with the false heels. Alternately, if you know you're not going to be waved through the less-intensive security channel you could cancel your flight or take the flight and just postpone your nefarious deeds for another day.

Re:Easy to Read, not sure easy to change

Or you could just get a job as a TSA agent and wheel a huge suitcase sized bomb right past security and onto the plane.

Re:Easy to Read, not sure easy to change

[j-turkey]

Right, but those who receive more basic screening have already been vetted. In order to qualify for PreCheck, one must agree to (and pay for) a federal background check. This perceived flaw in the system lets a traveller (who has presumably already been qualified for the PreCheck program) know when they are flagged for random additional screening. However, they have already been identified as a lower security priority. Also, given that many analysts believe that additional post 9/11/2001 security screening measures are no more than what they call security theater, and the PreCheck screening measures are nearly identical to pre 9/11/2001; is there really an additional threat? Magnetometers in the TSA PreCheck lines will find box-cutters, or any other items prohibited for travel. Finally, screening for drugs and microfilm is outside the scope of the TSA's enforcement. They are in place for safety, not to enforce state, federal, or customs laws. The article and much of the commentary is misleading, and the AC GPP is one of the few to add real information to the discussion. There is little or no vulnerability, and nothing to see here. Move along please.

Barcode-reading Web site?

[Relayman]

In theory, one could use a barcode-reading Web site ...

That is so 1990s. I use NeoReader on my iPhone. It's available for Android as well.

Boarding Passes with PDF417 barcodes

[Tancred]

My boarding passes seem to have PDF417 barcodes on them. I've tried several but haven't found an Android app that'll read them yet. The Android app from the airline displays a QR code boarding pass, but then I can't scan it with my phone. Anyone know an Android app that'll scan it? Or a program for Mac that'll scan a QR code from the camera? No, I'm not looking to change it, but finding out if I got the PreCheck lane would be nice in advance.

Re:Boarding Passes with PDF417 barcodes

I downloaded Accusoft Barcode Scanner and it correctly read my PDF417 barcoded boarding pass.

It did have a 3 as the last number. I have gone through the Pre-Check line at airports with Pre-Check almost every time since it started. I could not find a boarding pass from an airport without Pre-Check to see what the code looks like.

Re:Boarding Passes with PDF417 barcodes

[El+Micko]

"finding out if I got the PreCheck lane would be nice in advance"

I am sure the terrorists would love to know this as well.

Obvious Terrorist Scenario: Fly around the US enough and get PreCheck status.
Use the barcode and the decoded information to determine which flight to strap on the suicide vest.
If you don't get PreCheck, then don't wear the vest.

I sincerely hope that the the TSA is not stupid enough to leave the decoding of the PreCheck status as something as trivial as an unecoded/plain text 'bit flip' from a barcode.

Surely the barcode decodes to a string that requires a strong private key to actually decipher?

Anything less would be negligent.

Re:Boarding Passes with PDF417 barcodes

[Tancred]

You'll note I didn't say it was a good system.

The obvious answer for the problem is to scan the barcode at security, which could just be a unique identifier, and look it up in a database of who's cleared for PreCheck that day.

Re:Boarding Passes with PDF417 barcodes

I'd argue that nobody should ever know who is cleared for PreCheck, ever.

I think that is the salient point.

Re:Boarding Passes with PDF417 barcodes

[Tancred]

I think that'd be a better system, too, as I described. I happen to know I'm not a threat, so me looking at my own boarding pass harms no one. And as others have stated, this little bit of notoriety is likely to get the system changed.

Re:This was in the news last week.

It was also on Slashdot last week. Good to see that the editorial standards are as high as ever;

Occasional dupes are not the most terrible thing.
Personally, I have missed it last week, so I am glad to participate in the discussion now.

Proper editing is far more important (so that the summary and the title are _factually correct_)

Counterfeiting

[Beardydog]

I think the GIMP is a long-term government anti-counterfeiting scheme.

Re:Counterfeiting

I have confirmed that GIMP will insert some stenographic marking when scanning US currency.

Simple answer.

The first reason you don't want to do this is because you don't want someone's finger in your butt. (Not in this way, anyway)

When they scan your ticket with the and it doesn't match the database, they'll probably scan it a few more times, then have you step into the extended screening anyway while they check out your ticket. This will be followed by a thorough search of your luggage and belongings. Once they find that you've actually modified your ticket, they then perform a thorough search of you.

There are bigger reasons further down the line, but this is the first one that will really stand out.

Naoimi Wolf, had SSS on her card

It use to be that the card would get stamped SSS and that was how you tell you were on the super secret Bush list:
http://www.youtube.com/watch?v=RjALf12PAWc

So all they do now is encode it better, but not well.

For your own good(s)

[lucm]

Forget preCheck or not preCheck, the real question is to know if there is a code or keyword that can be printed on the ticket to prevent TSA agents from stealing iPads and money from the luggage or from the scanner basket.

Thinking of that, maybe the TSA is actually doing a good job: I'm not afraid of hijackers anymore, I'm afraid of getting robbed by the TSA Fingermen.

Schneier

[Penurious+Penguin]

As usual, a good thread on the topic from Schneier-ville: https://www.schneier.com/blog/archives/2012/10/hacking_tsa_pre.html

Begin at the beginning...

An excellent point is made above - with the TSA's wholehearted embodiment of the everything-looks-like-a-nail-if-all-you've-got-is-a-hammer ethos, defrauding the system (e.g. modifying your boarding card) is probably not something you want to get in to. Being sent home instead of to Hawaii once is worth a lifetime of taking off your shoes at the airport if you ask me.

I suppose the first question would really be... can you cause the system to change your TSA barcode through "normal" behaviour? Is the TSA code to check you tied to the traveler or the boarding pass? Given the TSA's track record, I'd say it's equally likely that a reprinted boarding pass would have a different barcode. If that happens to be the case, then you've basically got a free pass to print - scan - assess - reprint until you find a TSA code you like - and all without obviously defrauding the system.
If that doesn't work, I'd be totally shocked if asking to have your seat changed and getting a new pass didn't generate a new code.

Re:Begin at the beginning...

[tibit]

You can always get a legit boarding pass with no extra screening, change it to extra screening, and see what happens. They can't say you tried to bypass any security measures that way :)

Could be white hats 'crowdsourcing'

[globaljustin]

This could be someone in the Federal Government's bright idea...I'm thinking some guy doing a powerpoint talking about 'utilizing the open-source security community'

They might have even used the word 'crowdsourcing' or 'hacktivist'...

If true, I hope their plan works...the fed's geeks are the bottom third of the talent pool using arcane intelligence systems

I say this in light of this article: "Want a security pro? For starters, get politically incorrect and understand geek culture"

RFC 3514

[benjamindees]

TSA has implemented the Evil Bit for terrorists.

The TSA does NOT print the BP

[aepervius]

The airline are printing the baording pass, and they always did it unencrypted, for cost reason, and because some of the CKI system are old legacy system which would not support any modern encryption. So. Yeah. It is a non story.

Random and unpredictable?

[boundary]

They are always assholes.

It's not the gaming, it's the program as such

[Kirth]

You don not want to institute a program which effectively creates a "low security bypass" in a security system, Whether that bypass itself is flawed is completely irrelevant, since the fact that it exists is already a security risk.

What is really scary?

No that this stuff exists on a boarding pass, plain or otherwise, not that the TSA is a scam/sham but that people on this site and elsewhere will be thinking of ways to improve the system. These STASI wannabe's are evil.

Re:Boarding passes are not easy to modify.

[Overzeetop]

Do you mean "signed" as in "digitally certified" as part of the acrobat format? If so, you've got to be joking. Aside from the trivially easy task of saving the file as a TIFF at a sufficiently high resolution, if your program won't do that just take a (series of) screen capture at max resolution and bring it into Photoshop or your editor of choice. The weak link is that this is getting printed on regular paper for you to take through the gate - so whatever the digital encoding is on your downloaded ticket is lost when it is printed.

I know this because I produce digitally certified documents on a daily basis, and have to keep my digital public certificate available at all times. I have also come across people who have difficulty printing hard copies, and have sent them cert-PDF->TIFF->PDF versions so they can make local hard copies. I also get digitally certified files which I have to mark up and return. Again PDF-TIFF-PDF is the way to go.

This whole thing sounds

[Sqreater]

very time-in-jail-ish to me. "Researching" doesn't protect you.

Easy to game?

[mr100percent]

Yes. Once you add a weak point into the system, the entire system becomes just as weak. If you allow anyone with a pilot license to walk through with a reduced check, any real criminal/terrorist will just get a license or steal one to walk through.

Re:Yes !! The Butt Bomb

If heroin smugglers can fit a kilo of white up their bung hole, why not a block of C4? If the Butt Bomb becomes too popular, they can always switch to the Gut Bomb and swallow a couple balloons filled with explosive. Think that millimeter wave scan is intrusive? Wait for the full CT!

(captcha: slopes. As in the slippery one we are walking down.)

Measuring risks

[phorm]

Hmmm....

Possibility of skipping the lineup VS possibility of a body cavity search+no-fly-list+incarceration.

Yeaaahhh. I don't think playing with your boarding pass is a very good idea in this case.

Is it used?

In a different discussion, several people pointed out that the TSA does not scan boarding passes. It's been a while since I flew, but I only had to show my boarding pass to TSA and they didn't scan it. Are there scanners at the TSA security points now?

Re:Boarding passes are not easy to modify.

Wow, you're a fucking idiot. Excellent troll, sir.

Three phases to game the system

Phase 1: Have sacrificial-lamb post on Slashdot about gaming the TSA system.
Phase 2: TSA raids sacrificial-lamb's house, while the payload gets through, since they 'got their man' from Slashdot
Phase 3: Payload causes TSA to review current system, as to how their own flawed system was used against them.

Phase 4 of course is profit, for the contractors employed to design a "foolproof" system for detecting intentional profiling decoys.

bonus captcha: befuddle