The first time someone pointed this out, the FBI raided his house[1] and sparked a Senate investigation. This was four years ago. I did this to one of my Southwest tickets recently, though didn't use the forged copy. Honestly, it's like they think HTML is unreadable, or, more likely, that it's security theatre designed to make everyone feel safe. I would be okay with that if it wasn't taken so seriously.
Due to being able to use your mobile phone as a boarding pass, most security checkpoints are acquiring the ability to read the 2d barcode on the boarding pass and display the corresponding name. I've seen security start to use this randomly on paper boarding passes as well.
[Update: iNate2000 says cell phone ones are signed. That would make modifying it much more difficult. It also implies printed ones are not signed, which makes that form the the attack vector.]
IATA (the International Air Transport Association) requires airlines to digitally sign the data in the 2D barcode, but only when used on the screen of a mobile device.
That won't make a difference until they add the requirement to paper boarding passes (or phase out the paper boarding passes).
And this all begs the question of whether checking IDs does anything for security.
Nope! The machines at TSA checkpoints aren't connected to a database of any sort. All of the info is encoded in the boarding pass in a PDF417 2D barcode.
If you can read PDF417 (Zebra Crossing, the barcode reader for Android, can do it somewhat unreliably if you make your own build and have a good phone camera - otherwise, there are online services that can extract PDF417 from an image) you can see the info for yourself.
And, more importantly, if you can read PDF417, you can make your own!
To connect those machines to a database would both involve a lot of infrastructure build-out (imagine the chaos if that system went down nationwide!) and a lot of information sharing and standardization between airlines and the government. Signing the barcodes is smart, and is how "mobile boarding passes" work, but because paper passes were standardized so long ago, there's no security in place.
I also suspect the current TSA checkpoint barcode readers aren't smart enough to actually check the signature in a mobile boarding pass, but I don't want to find out myself.
My initial reaction was "wow, good point; there's no way that the government would ever make the airlines buy completely new barcode scanners everywhere, for the simple purpose of improving security checkpoint effectiveness".
But then again, they threw down millions per unit for those back-scatter machines, so all bets are off.....
I'm actually rather surprised the TSA haven't pursued such a project yet - it seems like a perfect opportunity for a politician to give their friend's consulting firm a lot of money.
I'm hoping that the airline industry implementing the smart way to do this (signed information in barcodes) for mobile barcodes means that the eventual rework of paper boarding passes will be intelligent as well, but as you say, all bets really are off...
Scanning the barcode and then doing a lookup of your flight reservation against your ID is far superior than just checking the printed name against your ID.
My opinion of all this security theater is that it is not actually designed to make people feel safe. It is instead that the people at the top know another effort by dedicated attackers willing to die can not be stopped. And I bet that they consider such an attack happening again pretty likely. When it does, the federal government wants a conspicuous example of what they were doing to keep us safe so that the population doesn't riot. From this perspective, the more annoying and egregious the security hassles, the better they are.
I think there are two purposes to the TSA. One is to make people feel safe, as you mentioned. The other is to get people into the habit of having their rights routinely violated by "government agents". It is a form of conditioning, and its pretty effective.
10 year olds at this point have never known a world that was otherwise.
In another 15 years, almost all adults will be completely used to it, and the idea that we don't need the TSA will sound as absurd to them, as to most of us it seems "absurd" that in fact in the past you could fly in the USA while carrying a rifle or shotgun aboard, with ammo. The flight attendants would offer to stow it for you in a coat locker, but otherwise wouldn't bat an eye.
Even today you can fly with firearms (in checked baggage) but a lot of people think that this idea is completely absurd because they've never seen it... and they've been conditioned to being disarmed and the idea that you can't have a gun in an airport. (you walk in and check it at the counter, before going thru security.)
I think there are two purposes to the TSA. One is to make people feel safe, as you mentioned. The other is to get people into the habit of having their rights routinely violated by "government agents".
There's another purpose, politicians must be able to stand up (on the TV, press releases etc.) and say they are doing something. Other people/newspapers/tv shows will ask "Why aren't you doing anything about $TOPIC?" ($TOPIC in this case is 'terrorists', and '$NAME doesn't care about terrorists' is not soemthing politicos want to see)
If it was theater only for those who want to feel more secure, I'd be less aggravated with it. But my forced participation into such theatrics, such as removing shoes, no water bottles, seems that it will only lead to more annoying machinations in the future. Furthermore, this theater only makes the people we are trying to protect against, more creative.
> "10 year olds at this point have never known a world that was otherwise."
It takes 2 generations to completely change the nature of a society. As long as those born before 2000 are still around all hope is not lost. Do not give up.
In the 1920's my Granny was arrested in Germany when she was a teenager because her father sent her to Berlin from Glasgow without a passport because 'he didn't believe in this modern nonsense'. Even passports are pretty new.
The real concern for the 'no-fly list' or 'terrorist watch list' is that it can, and probably is or will be, used as a general shitlist for dissenters (i.e., anyone who voices a problem with their government). That can transition into generalized free-speech quashing and worse faster than people think.
I am actually a little bit afraid to fly now because of numerous comments I have made about the US involvement in forcing the Afghani people to produce heroin etc. I expect I may actually be on this "terrorist watch list" just based on my comments online.
kind of like people can never imagine caring for their elders without having Social Security, or having to pay for doctor's care for their elders without Medicare/Medicaid. We just become more and more dependent on the government to supply what used to be the responsibility of each and every individual. And as that happens, our individual freedoms are slowly diminished and extinguished.
I'm a very tall man (6'4") and always have trouble with a lack of legroom on flights (even JetBlue).
A few years ago I was adventurous, and frustrated -- there were no seats left on the flight that it would let me reserve online. Yet for this particular airline, it showed that the exit row seats were available, but clicking on them lead to an alert that you could not book them online: You had to do so at the airport.
I decided to look at the code making the seat selection calls, submitted my seat selection for that seat anyway -- and wallah! I was granted a ticket with that exit row seat. Had no problem going through security or boarding.
Haven't tried it since - as most airlines now charge extra for those seats, and its not such an easy hack.
wallah does indeed mean 'By God!' in arabic but it's used as an assertion of veracity. In this context the poster obviously meant to say voila and like you I've also seen this wallah variation of it creeping in recently.
Retro-validation appeals to me, so it could be interpreted as:
and - truly, I swear by God I am not making this up - I was granted a ticket with that exit row seat
In English, it's an old-fashioned idiom that a Robert Louis Stevenson character might have used. But English-speakers tend not to swear by God much these days - indeed, "swearing" usually means profanity.
The French pronunciation of voila is akin to "fwalla", with the f/v sound being relatively subtle. At any rate it's not as amusing as misspelling it as viola.
Exit row seats are special in that the ground crew need to see that you are physically capable of operating the door. If you were handicapped in anyway, and I've seen people request so they have more space for their oxygen bottle, the cabin crew would have to move you to a different seat. On a full flight it can be tough to play musical chairs.
Wow - didn't realize this thread would turn into a dissection of my use of 'Wallah' -- which I didn't even consciously realize I use (nor what it really meant to the degree analyzed here). You learn something new every day. Thanks HN!
This doesn't surprise me in the least. I've been in India for the last month, and I've been shocked by two new things since my last visit (several years ago).
First, security here is everywhere.
Second, security here is pointless.
I have had to walk through security to get to supermarkets, discount stores (think Walmart), high-end shopping malls, temples, mosques, movie theaters, national monuments, airports, hotels, you name it. You can't walk into a large building and not walk through a metal detector. The ACLU would probably go ballistic if the US had even 1% of the number of pat-downs that I have had to go through daily here.
Unfortunately, it's entirely pointless. Generally, I don't take my belt/jewelry/phone off when going through the metal detector, and most of the time, it doesn't even detect that. Whether or not I set off the detector, the process is the same: they (occasionally) wave a wand over, and then send me to a second person who briefly pats me down (<5 seconds in all). Keep in mind, the exact same process is applied to those who do and do not set off the metal detector. A few times, I've set it off and they just wave me through without even checking me further. It's mind-boggling.
I can't say I'm a fan of ubiquitous security, but the only thing that's worse than ubiquitous ineffective security. Anybody who really wants to cause trouble can bypass it in their sleep - all you manage to do is disrupt the lives of everybody else, all the while accomplishing literally nothing.
Similar thing happened to me when visiting a museum in the Vatican. Long queues, metal detectors, etc. After passing through the whole thing with no problem, I realized I had my pocket knife in my pocket throughout the day. I noticed then that the metal detector was beeping all the time, but they were not paying attention, as they probably didn't want to get people to take off belts, etc.
It is possible to deduce that from their track record as well. In 10 years TSA has caught exactly 0 terrorists. Not saying there weren't attempts, but those were caught by FBI, other agencies, and most importantly, regular citizens.
While I agree that the "security theatre" that the TSA provides is largely useless, I don't think this is really an accurate statement. It's entirely possible that TSA screening prevented someone getting on a plane with a weapon of some sort, but that the person in question was never identified as a terrorist, since they had to abandon whatever plans they had.
> It's entirely possible that TSA screening prevented someone getting on a plane with a weapon of some sort
I disagree with that statement. "It could" is hard to measure. We spend 100s of billions of $ on something based on this unproven hypothesis.
Keep in mind, TSA was created to catch terrorists red-handed as they are just about to board a plane. As in "Hey look a bomb in the x-ray machine, arrest this guy!". That is their purpose. They have not yet done that, once, in 10 years!
Govt. intelligence work and regular citizens have prevented and stopped attempts. There is some track record there. TSA doesn't have one.
By your metric one could have just as well re-defined TSA's mission as "Protect the citizens of the United States of America against Evil Pink Elephants from Neptune". Chances are very high that TSA's track record with that task would have been exactly what it is with their current mission. AND you could have still made your argument "See no Pink Elephants from Neptune have attacked us, so they must be doing their job."
Or think about it another way: How many airliners were blown up in US airspace before 9/11? Was it a monthly occurrence? Yearly? Now if was a yearly thing, and then TSA came along and it suddenly stopped, you could have made a correlation based argument saying, that it is probably because of fear of TSA that we didn't have any more attacks.
Yet another way to look at it. As a terrorist you are trying to instill terror and kill as many people as possible. A large gathering of people would maximize your impact. I wonder what places and events consistently create large queues of people waiting in line? What about also a place that would cripple and disrupt the economy and travel? I'll leave that as a rhetorical question.
I agree with you completely that it's entirely unproven whether or not the TSA has been effective for catching terrorists. I also agree that it's a wasteful system that should be seriously reformed into something that is actually effective.
It's precisely because it's unproven that we cannot say that the TSA has never caught a terrorist. That's all I was saying. The TSA may or may not have caught a potential terrorist at some point, it's pretty much impossible to say. You can't have it both ways. Either the TSA's effectiveness is unknown (meaning they may or may not have caught terrorists), or it's known to be 100% useless (meaning 0 terrorists were caught).
In regards to occurrences of terrorists prior to 9/11, you're correct that there weren't many (any?) incidences of using a plane for a terrorist attack, but hijackings were certainly not uncommon prior to 9/11. In fact, come to think of it, incidences of hijackings are almost certainly down since 9/11. I don't think this can be entirely attributed to increased security, but I wouldn't be surprised to see it as a contributing factor.
> we cannot say that the TSA has never caught a terrorist.
But why? I am sure any such catch would have been paraded in front of media for months. Are you saying they caught a terrorist with a bomb red-handed but hid it and instead shipped the guy secretly to a prison in another country? If not, that then I think we can say most definitely that they have not caught a single terrorist. Would you agree?
> but hijackings were certainly not uncommon prior to 9/11
Obviously hijackings were not that bad. That is the reason the first two planes ended up being used as projectiles, because people thought it was a regular hijacking. Within hours everyone in the country including passengers of the plane that went down in PA learned to not think about hijackings anymore in the same way. So the problems basically "fixed" itself immediately.
You are right the # of hijackings is now lower. TSA presence might have a part to play, that's plausible. But because of the previous paragraph it also becomes irrelevant. So the reasons for having the TSA evaporate away again.
The main reasons for the TSA are:
1) politicians seen to be doing something
2) making the public feel safe flying again
3) because someone, somewhere is making a pile of cash from it
4) it's a good way to employ unskilled people
Catching terrorists is likely to be one of the lower priorities.
Personally I think that random thorough screening and randomly distributed flight marshals is a better deterrent than poorly screening everyone. It's always harder to evade a security threat when you don't know what it is or looks like.
Another thing that annoys me is that people push for more railways on the basis that it is safe than flying. Railway in the last 10 years has had more crashes and more terrorist incidents than flying, and a determined terrorist can create massive havoc, fear and deaths from targeting trains, as was tragically displayed several times.
But for some reason, you can still hop on a train with no screening. Go figure.
I accidentally left a pocket knife in my carry on as well, and made it through the first leg. On the second leg, I had to go through security again and they spotted it. I explained that it made it through the first security check, so it must be safe. They allowed me to keep it. I wonder if that would have worked with a gun...
I went through eleventy-dozen checkpoints on the Mall, and elsewhere. All the guards searched my backpack at every check point.
On the way home I found I had left a charged magazine (8 .45 rounds) in the bottom of my backpack. Not especially well-hidden, just snugged under my spare socks.
D.C. seems to have the highest per-capita police presences in the US. And it's all useless and dumb and ineffective.
It does. Near the Capitol, you have the Capitol Police. And since the area is designated a national park, you have US Park Police. In addition to DC police. Finally, you have the Diplomatic Security and Secret Service that will randomly be in the area, and each building's own security force.
I remember the security nightmare at IGI: The entire airport was surrounded in soldiers who wouldn't let you in without a ticket. The whole concept of electronic reservations seemed to go right over their head, until I managed to convince a very kind BA stewardess to go in a print an e-ticket confirmation and then bring it outside to me (I'm sure even Al Qaeda could fake one of those). What a bunch of muppets
I doubt it. The supermarkets in West Bengal, for example, have security because there were riots when they first came to the state (which is not that hard to believe if you compare them to Wal-Mart in the US). Ditto for the hotels (2008 terrorist attacks) and the temples and mosques (decades of Partition-related violence). India's focused on developing its economy, but not in the way that private institutions (or a budget-aware government) would actively spend money on security theater just for that purpose - especially not when there actually are real security threats afoot.
It's just like the US - the problem isn't that people don't care about security, or that they don't recognize it's a concern. The problem is that the existing measures (like the TSA) don't seem to be paying proper attention to the problem.
Poorly implemented solutions are security theatre at its best. Well, almost. They're second best to "The wrong solution for the problem" approaches. Take the school in Texas this week where one kid shot another [1]. The school's solution is to make everyone use completely transparent backpacks, nevermind that:
1. You could fit a gun inside a zippered/covered binder or expanding file folder and the backpack does nothing.
2. The school already has metal detectors, so the backpacks aren't actually adding any detection.
3. They don't even know if the edge case where their current security failed even involved backpacks.
The point of security theater is often to placate the public. Public demands (or is perceived to demand) action. Doesn't matter what. In this case "something" was done. The school gets to :
1) boast about how they were proactive and did something quick (so it looks good on their resumes).
2) protect themselves against the expected criticisms that they didn't do anything.
3) it was an easy policy to implement (they just wrote down a new rule). no need for new equipment, training or anything so it doesn't affect the budget.
Not saying that it isn't stupid. It is very stupid. But in their position they seem to act rationally. Now if another incident occurs they will get a backlash about how transparent backpacks didn't work, to which the response would be we need to outlaw binders. _But_ if they hadn't done anything and another incident occurred the backlash would have been a lot worse -- they would have been blamed and possibly sued because they took no action to prevent it after a history of past incidents.
I know a girl who changed her name when she got married and whose ID still has her maiden name. She buys her plane tickets under her married name, and carries her marriage license with her when she flies in case the TSA asks about the discrepancy. But no one has ever noticed.
At least in the UK it costs a decent chunk of money to get the name on your passport changed after marriage. Not a huge amount, but enough that it's easier to just book tickets under your maiden name.
This doesn't always work. You might end up arrested. You are better off with a fake ID.
When you board the plane they check the codes to see if you have been through special screening, they check the markings to the boarding pass codes.
I've made it to the flight a few times only to be turned around and accompanied back to security for the full security theater experience. At this point they will check the list and you will be arrested if they find a problem in the paperwork.
Your best bet is to change your name slightly William --> Bill etc. and play around with a middle/first initial. Computers are dumb. TSA agents are friendly when you are friendly to them and have tendency to not pay attention to their work. Social engineering is a lot more effective than computer hacking.
And what codes are these? the pen-squiggle? the highlighter-check-mark?
Is it your hobby to try to sneak past TSA checkpoints? Are you successful often enough that you have been turned away at the gate for not having the proper 'codes'?
There are codes that indicate the level of screening you should get along with codes that have "Special screening" indicated on them. And then the TSA is supposed to squiggle in response. Buying a one way ticket usually means you get special screening, I hope the terrorists don't figure this one out.
>Is it your hobby to try to sneak past TSA checkpoints?
In a way yes. It is my hobby to get through these things as quickly as possible. Sometimes I go through the staff/express line, you get a long way by being friendly to TSA agents.
>Are you successful often enough that you have been turned away at the gate for not having the proper 'codes'?
Yes. TSA agents make mistakes and don't always check the passes properly. I swear with half the agents I could give them an ID for someone completely different, all they do is check that it "looks" real.
One time I almost missed a flight. One of the gate agents was nice enough to run back to security with me and hurry them along. Someone else watched my bag rather than wait and get it searched properly.
Security theater at its finest.
The SSSS mark is also handed out when you purchase your ticket shortly before the flight or when you pay in cash, or at the discretion of the airline. I've endured it more times than I care to recall because I frequently change my travel plans.
Looking at those criteria, it wouldn't flag terrorists who were well-funded, forward-planning, and punctual. Which sounds like prerequisites for a successful attack.
Forgive my ongoing skepticism, but where are these codes? on the boarding pass? Who is at the gate to turn you away? Does the TSA chase you down when they discover you have outwitted them?
That's not the point... John Doe buys a plane ticket and gets an electronic boarding pass — John uses Chrome Developer Tools or Firebug to change John Doe to Jane Terrorist. John Doe's name is checked against terrorism watch lists, but Jane Terrorist's name isn't. Jane Terrorist then presents a boarding pass with her actual name and she has an ID showing her name is Jane Terrorist. The TSA agents don't check terrorism watch lists at the checkpoint.
tl;dr: You can alter a boarding pass and circumvent the entire watch list process.
In Canada (and Europe), the gate agents check your BP against their list (in fact they just scan the 2DBC and it boards you in the DCS system) and your ID. So you would get stopped at the gate.
If I turn down the lights, squint, and pretend I'm a U.S. senator from Texas I read that as "John uses <illegal hacking tools that should be outlawed> to change..."
You're missing the point - the TSA watch list is checked with the name you bought the flight under. You can then change that name to the name that matches your ID. The TSA does not check your name against the watch list when you go up to their booth; they only verify that the two documents match (where one of the documents is essentially fabricated).
Yes, but the point is you have to buy a ticket with your real name. You can't board the plane unless the ticket is in your name. If it is in your name, you get stopped at check-in.
Second that -- my gf and I were actually shocked, when on a recent trip to the States (took about 7 flights in total) where the person at the gate only checked the boarding passes and not photo ID! We have added security up here because of the States, it seems like a lapse to not do this themselves. For example, when you board a flight to/from Canada, you have to show the boarding pass and photo ID, the person at the gate scans the ticket to see if everything checks out.
I have heard that if someone flies into a country on Your Airline Inc., and is denied entry, it's the financial responsibility of Your Airline Inc. to take them back to where they come from.
I've not only had my passport, but visas, checked at check-in, flying into Canada from the US.
This was certainly the case for Etihad when I flew from Dublin => Sydney last year. Of course, the airline managed to not notice the problem with my passport/visa until I was Abu Dhabi and Sydney said "Do not let him on the plane". The airline security representative told me if I had managed to get to Australia, the Sydney visa office would have forced the airline to return me to Ireland on the next flight.
This triggered 3 days of dealing with the US embassy in Abu Dhabi, but that's another story. :)
Last time I flew to Australia I paid $45 and got one of their electronic visas; it was a 15 minute process. My departure was from Singapore and I assumed, wrongly, that Australia was a member of the VFW program.
Why would the US embassy be involved? This seemed like a matter between you, the airline and Australia.
Sorry for the late reply, but yes it was a problem with my passport (it was wrongly reported as being stolen). When checking in in Dublin, the airline employee checking me in mentioned something about my passport but we were allowed on the plane anyway.
FYI, I was traveling on a 457 visa as part of my new job.
>I have heard that if someone flies into a country on Your Airline Inc., and is denied entry, it's the financial responsibility of Your Airline Inc. to take them back to where they come from.
It's been this way for over 100 years. If someone was denied entry at say Ellis Island, it would be the steamship co.'s responsibility to get them back at no cost to the passenger.
Not just Canadian. Amsterdam airport has extra security theatre where they ask you a bunch of really dumb questions because the United States mandated such questions be asked, and then verify your boarding pass and ID against the flight manifest (good thing!)
> when you board a flight to/from Canada, you have
> to show the boarding pass and photo ID
They are looking to make sure that you have your passport more than looking for 'photo ID.' I flew into Canada over Xmas and they were specifically looking for your passport. Probably to make sure that there won't be any obvious gaffs once you land.
That said, on the domestic flight I took the TSA was at the boarding gate 'randomly' checking people as they were getting on the flight. So not everyone got checked for photo ID, but some people did.
Makes sense about checking the passport flying international ;) I guess I should have said that flying domestic you also are required to show photo ID. I'm not saying it never happens down there, but on the flights we boarded, we never had ours checked and it just seemed out of the norm for what we're used to.
No, it is not just that, it is a cultural thing. I recently did a long trip through South America, and only had one-way ticket to Ecuador. Canadian check-in agent refused to give us boarding pass citing an _Ecuadorian_ rule that you have to have a ticket out of Ecuador to be admitted. I had to buy two fully-refundable tickets from Ecuador to Mexico (based on cheapest price and the fact that Mexico does not ask such things).
And of course, neither Ecuador nor any of the other South American countries with the same formal rule ever asked us for the return ticket. Why would they?! Most people travel on buses between countries anyway. But Canada does not care, it sticks to the rule.
Legally you are correct, but I've tried this, and been unable to manage it. Despite asking politely in a couple different ways, the TSA agent would say no words to me except "You need ID".
I'm told by people who know that it possibly would have worked to lie and say I didn't have ID on me, but I didn't have the guts to try lying to federal agents.
My aunt lost her drivers license but was able to fly (roundtrip AZ to VA) by being polite, patient and by having a wallet full of other cards with her name on it.
Surprisingly, the key card that let her board was her Costco card as it had her photo on it and that was an acceptable form of ID.
I had my wallet stolen once, and the TSA agent asked if I had a text message on my phone that included my name. Apparently, that was enough ID for him...
I had a similar experience. I was taking a flight home from Arizona, and the TSA agent stopped me because my drivers license was expired. He let me board because my Sam's Club card (which I don't believe has an expiration date) had my photo on it (a TINY Black and white picture).
Not sure how I would have renewed my license from out of state, if they didn't let me on the plane. I'm pretty sure I couldn't rent a car and drive home!
That's interesting but not very surprising. I would say that's traveling with alternate ID (or unofficial ID), not flying with no ID. It sounds like she would not have been allowed to fly without ID.
I was late for a United flight several months ago; when I boarded the plane, they did not scan my boarding pass. They still found a seat for me, but without scanning my boarding pass, United assumed I didn't make the flight. My flight from LAX back to Chicago was cancelled and I had to fight for two hours on the phone with United customer care to convince them that, yes, I indeed did fly their equipment to LAX and still should permitted to fly my return ticket home.
Air Canada's requirements specify that they require gov't issued ID, but they don't specify which gov't. Would a gate agent be able to identify and verify the authenticity of an arbitrary ID card from a distant country?
I experimented with this, and have flown within Canada with a foreign (non-US, non-European) driving license. There was no verification other than checking the name matched the boarding pass, if I remember correctly.
In the days not long after 9/11, they used to check the ID both at the screening checkpoint and the gate, but in the last several (5+), they don't check at the gate. I'd assume it's a time-saving measure, but it does totally defeat the point of checking.
In my experience, the TSA agent you have to show ID and boarding pass to at the security checkpoint also scribbles something with a marker or highlighter on your boarding pass.
But even aside from the fact that this is obviously and trivially forgeable, I don't think the person who scans your boarding pass at the gate even looks for the scribble, as I've used a different boarding pass to get on the plane than I did at the security checkpoint before (because I had printed one out at home and also printed another copy at the self-service check-in machine, and just happened to use different copies each time I needed to show it).
They definitely don't look. Several itineraries have multiple legs, and the TSA only ever looks at - much less scribbles on - your first leg. Even that aside, you can easily get a boarding pass from an agent inside the terminal, without it ever having been checked by the TSA.
I've actually gone through TSA with one boarding pass on one flight, and boarded a completely different flight before (not just a separate piece of paper) - back when I could book flights for free on JetBlue and had already booked another flight that night. I merely decided once I was in the terminal that I'd hop on a different flight I had also checked in to.
I do a lot of flying and have long though about this. It's total theatre. They could fix it by implementing some cryptographic code that's scanned at TSA entry points, verifying the actual document (boarding passes are a far cry from a verifyable document).
> They could fix it by implementing some cryptographic code that's scanned at TSA entry points, verifying the actual document (boarding passes are a far cry from a verifyable document).
Yeah, I tend to believe that they really aren't serious about it. It seems trivial to include a data matrix barcode that encodes the traveller's name and flight data.
Wait, what? Are you saying barcodes aren't used in the US? Here in Norway at least all major handling agents issue boarding passes with barcodes, so you can board a (domestic or intra-Scandinavian) flight without interacting with anybody human except the security agents just by scanning the barcode at the gate. No idea if it's also used for security purposes, though.
The ticket has a barcode, but it's usually scanned by the airline before you board the plane. The TSA checker just looks at your ticket and your id, no computers involved.
And presumably the passenger's name is encoded in the barcode, which I guess is why the OP suggests printing the original ticket with the name of the friend that bought it instead of just using the "forged" ticket at the gate. Though I'd also guess that the airline employees who scan the ticket at the gate almost never check that the name on the ticket matches the one displayed on their screen when they scan the barcode, so you'd probably be fine using the forged one.
This is probably like when the security guard at the exit of a shop checks your receipt and scribbles on it. I'm sure it's more to hold the guard accountable - so they don't wave people through without some semblance of checking.
If terrorists still want to "get us", why don't they detonate some truck bombs in major urban areas? If the bridges or subway tunnels in the SF Bay Area or NYC had big holes punched in them, the economic impact would be huge.
A suitcase bomb in a large TSA security screening lineup would have a similar effect and would be a tragic way of pointing out how ridiculous the so-called security is.
You're right, but this is a terribly inappropriate example.
The 'terrorists' in this case were holding Beslan School to ransom. No one expected that the Russians (fascists in every sense of the word) would put all their effort into securing a Pyrrhic victory.
Sorry this is so off-topic, but someone had to stand up for Chechnya - one of the most damaged, brutalized, traumatized, forgotten countries on Earth, a blight on the 'ideals' of every 'civilized' nation.
Whatever your view on the political situation in Russia and at this tragedy, it's not the point.
The point is that this accident demonstrates that terrorists have low-tech and high-casualty methods available at their disposal which they choose not to employ for whatever reasons.
Not only is my ID almost never checked at the gate, the agent hardly even compares the name on the paper to their flight information. So really, you could just print out the forged copy with your name on it and use it the whole way through.
Include a QR code on the printed boarding pass that holds the details of the passenger and flight along with a hash of the data, the hash being salted with a secret known only to TSA. The TSA agent then scans the QR code, computer verifies the hash and displays the data on screen for the agent to check against the printed boarding pass and ID. No database look up is needed, just a PC and webcam.
Danger is someone works out or leaks the hash secret.
The real danger is someone figures out how to spoof a legitimate request to the TSA-QR service and have them create authentic codes with bogus data.
Never mind that the solution itself is far from 'easy'. Somehow linking every ticket printer to a central TSA-QR service in a reliable and secure way sounds like, uh, fun...
> Give the ticket with your friend’s name to the gate agent who lets you board. It will match the flight information and you’ll be allowed to board.
I fly 4 times a month and each time I have to present a piece of photo ID at the gate to the flight attendant that has to match the name on the ticket, ticketing computer and ofcourse me.
The boarding pass should never be shown at the gate, instead you should show your ID. The agent would then check it to make sure its real and then scan it to see if your in the database to fly that day. It is a simple solution, Someone needs to build a device that can read 90% of IDs.
Could you use the same trick to use your friend's ticket in general?
I've often had the situation of having an "extra" flight ticket for some reason. I've always thought that there is no way I can give the ticket away to a friend, but it seems like this could be a way to do it.
I've not run into that in any of my recent flights. I've seen it happen for international travellers but not for any of the domestic ones. It may also have to do with the fact that my flights were completely full and took nearly an hour to finish boarding.
It would suck to be someone whose name appears on a no-fly list. It would REALLY suck to be that same person who forges a ticket and gets caught. #oops
It would if they checked your name against a database. But all TSA does is verify your ID is valid and matches the name on the boarding pass, nothing more.
When your flight is booked, the airlines are required to check it against the copy of the no fly list they're given. So typically you do this online, well before you visit the airport.
(Former employee of ITA Software - does airline flight stuff - not sure how much more I can say, so I'll stop there)
DHS is a giant convoluted bureaucracy and it was designed to be such from the beginning. They don't actually have to, or really desire to make anybody safer at all. That's not the point of DHS at all. It's all just a series of checklists, and forms, and initiatives... and reports... all the way down. All anybody needs to do is go down the new checklist that somebody higher up gave them to fill out.
Thanks for the article. Now tsa will install another check point on each gate where you will have to show id, remove shoes, do the chicken dance ...for security
[1] http://arstechnica.com/security/news/2008/06/tsa-defiant-pas...
Edit: The Soghoian blog post about the raid: http://paranoia.dubfire.net/2006/10/fbi-visit-2.html