October 24, 2012
Why I published the post on the Pre-Check system.
I had not gotten any real feedback on my blog post from last Friday until today. What feedback I have been getting has been negative. Aviation blogging has been taking off recently. Several blogs such as “The Wandering Aramean” and “One Mile at a Time” have become rather well known in the aviation community. With the latter, the writer has gone on to monetize his blog through referral links. Aviation bloggers are seen as attention seekers, and that in some cases is a fair description. While I do not deny enjoying the attention I’ve been getting (I had an interview with AP and was quoted in a Washington Post piece), it is not why I write this blog. I write because I find the topic interesting and I want to improve my writing.
Through my conversation with AP, the TSA has declined to comment on the story. That’s in line with government policy on security matters. I would like to know why the TSA in collaboration with the airlines couldn’t come up with an encoding system for the bar codes on airline boarding passes. The effect of such a system would be that when anyone puts their boarding pass into one of the online barcode readers, the output is just a string of characters. The airline and TSA scanners would have a chip that contains the decryption key, which would turn the data into the information we see currently.
I don’t know, maybe the TSA will come out with something like this.
Happy Flying!
Colpuck.
TSA PreCheck Program Security Hole Exposes Screening Status said:
[...] a text file, change the 1 to a 3, then use another website to re-encode it into a barcode,” aviation blogger John Butler writes last week. “Finally, using a commercial photo-editing program or any program that can [...]
James said:
The real problem is the problem of security theatre vice real security and intelligence. Technology can never replace real physical security (as a former Navy physical security manager this was one of the first things we were taught).
No amount of technology is ever enough when that is what you rely on; even encrypted barcodes or other such nonsense can eventually be hacked, and the more secure you -think- your system is, the more likely you will trust it always.
The only real solution is unfortunately labour and time intensive: actual security checks, not this Pre-Pass nonsense and technological wizardry that can be subverted by a bored fourteen year old teen.
But try to convince TSA of that. The systems they use have so many holes you can drive a Zeppelin through them.
Mark S said:
This has come up in the discussion of your article over at boingboing.net, but I thought I’d put it here too – a likely reason the first of the two schemes you suggested (an encryption key shared by every barcode generating program and every barcode scanner in use) wouldn’t be feasible – it’s an extremely brittle system.
The secret key material has to be very widely distributed, and put in hardware that will inevitably be lost, stolen, tossed in the trash when it doesn’t work, disposed of at surplus sales, etc. The TSA / airline complex has no way of knowing when one of those devices has fallen into the hands of someone who wants to extract the key material. If they do find out (probably because someone writes a blog post containing the details) they are faced with either the massive expense, effort, and inevitable hassle of missed devices of rekeying all the devices, or the embarrassment of admitting that the system never did offer enough security to make it worth maintaining.
The other suggestion you make – having the barcodes consist of a key into a database that contains the actual passenger, flight, and beep-count information – would probably work better. Assuming you think the pre-check system offers any meaningful security in the first place.
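The two designs compared in the comment above, as an added Python example that is not part of the original post or comments. The record fields, `SHARED_KEY` and `PassDatabase` are hypothetical, and an HMAC tag stands in for the shared-key encoding (any scheme with one symmetric secret in every scanner fails the same way).

```python
import hashlib
import hmac
import json
import secrets

# Scheme 1: status travels in the barcode, protected by one key in every scanner.
SHARED_KEY = secrets.token_bytes(32)  # constructed sample key

def issue_mac_pass(record: dict, key: bytes) -> str:
    body = json.dumps(record, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

def scan_mac_pass(barcode: str, key: bytes):
    body, _, tag = barcode.rpartition("|")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # edited or forged barcode
    return json.loads(body)

# Scheme 2: the barcode is only a random lookup key; the record stays server-side.
class PassDatabase:
    def __init__(self):
        self._records = {}
    def issue(self, record: dict) -> str:
        token = secrets.token_urlsafe(16)  # 128 random bits, no meaning to edit
        self._records[token] = dict(record)
        return token
    def scan(self, token: str):
        rec = self._records.get(token)
        return dict(rec) if rec else None
    def revoke(self, token: str) -> None:
        self._records.pop(token, None)  # one record, no fleet-wide rekey

def demo() -> dict:
    record = {"name": "DOE/JANE", "flight": "XX123", "lane": "standard"}  # constructed
    mac_pass = issue_mac_pass(record, SHARED_KEY)
    edited = mac_pass.replace("standard", "expedited")
    # The brittleness: whoever holds the one shared key can issue passes that verify.
    minted = issue_mac_pass({**record, "lane": "expedited"}, SHARED_KEY)
    db = PassDatabase()
    token = db.issue(record)
    return {
        "mac_genuine": scan_mac_pass(mac_pass, SHARED_KEY),
        "mac_edited": scan_mac_pass(edited, SHARED_KEY),
        "mac_minted_with_leaked_key": scan_mac_pass(minted, SHARED_KEY),
        "db_genuine": db.scan(token),
        "db_guessed": db.scan(secrets.token_urlsafe(16)),
    }
```

The lookup design moves the trust to the database and the scanner's connection to it, so those are what must be authenticated and kept available.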
jwbutler2005 said:
This is true. But something, even a brittle system, I would think is better than nothing.
Karl (@supersat) said:
I’m really curious if the printed boarding passes have digital signatures. If the data at the end of your barcode has a slash, equals sign, or random gibberish, it probably has a digital signature.
My mobile boarding pass from American Airlines seems to have a different (and shorter) signature type than those from Alaska.
I’m curious if anyone with a “3” boarding pass has ever been directed to the normal security line…
Finally, page 139/140 of http://www.cbp.gov/linkhandler/cgov/travel/inspections_carriers_facilities/apis/un_edifact_guide.ctt/un_edifact_guide.pdf seems to have a list of the Secure Flight codes encoded on the boarding pass.