Shostack + Friends Blog Archive


What Did TSA Know, and When Did They Know It?

Recently, Slate had an article on how to alter your boarding passes and bypass the silly watch lists. It was picked up by BoingBoing, and it turns out that Bruce Schneier talked about it 18 months ago.

Recently, I was talking to a friend who started telling me about…how to alter your boarding passes. What makes this interesting is that my friend is in a role where he was able to make some phone calls, and draw this attack to the attention of very senior officials of TSA. He named names, and showed me a presentation that he and his colleagues gave to senior TSA managers last February. The presentation was in depth and detailed. So regardless of whether they’re reading Bruce’s blog, Slate, or BoingBoing, this was brought to them.

5 comments on "What Did TSA Know, and When Did They Know It?"

  • POSIWID says:

    No Fly On Us

    These so-called security measures have been widely ridiculed, and it is hard to believe that anyone in authority seriously believes they would actually stop an attack. According to the POSIWID principle, if we want to understand the true purpose of the…

  • Iang says:

    I was about to say that if one followed institutional economics and systems thinking, it would all make sense … and then I followed the trackback! So I’ll say no more about that 🙂
    However, one shouldn’t take too harsh a stance at the TSA for having a loophole. There will always be loopholes. It’s security, that’s how it is. The question to ask is a) what is the overall effectiveness improvement that has been gained, and b) what’s the cost-benefit result of all that.
    That’s a seriously difficult question to answer, and I don’t know how I’d go about doing that. The main problem is going to be that the organisation itself will resist any external measurement that is independent. I don’t know how to overcome that in this case; perhaps the Bruce Schneier experience will provide some leads (I’m referring here to him being on a committee and facing similar conflicts of interest independence).

  • adam says:

    Part of the reason that people are angry at the TSA is that they’re pushing for national ID cards, while they’ve known for at least a year that the current system of ID checking is irrelevant to airline security. Why not fix what’s broken before spending billions on national ID cards, which have their own problems?

  • Chris Walsh says:

    As one further data point, Eric Rescorla blogged about this in Oct. 2003. Bruce probably flies more, so he got to it first ;^).
    It’s easy to believe that this attack was independently discovered by a large number of people, since it is pretty straightforward.

  • John Gilmore: A User’s Manual has posted an email from Brad Barnhill describing how to avoid having to show identification at the airport. As many of you know, John Gilmore is currently suing the government to reveal whether the identification requirement exists an…
