Forgot your password?
typodupeerror
Encryption Security United States News

Ask Slashdot: Is TSA's PreCheck System Easy To Game? 157

Posted by Unknown Lamer
from the it's-probably-a-crime dept.
OverTheGeicoE writes "TSA has had a preferred traveler program, PreCheck, for a while now. Frequent fliers and other individuals with prior approval from DHS can avoid some minor annoyances of airport security, like removing shoes and light jackets, but not all of the time. TSA likes to be random and unpredictable, so PreCheck participants don't always get the full benefits of PreCheck. Apparently the decision about PreCheck is made when the boarding pass is printed, and a traveler's PreCheck authorization is encoded, unencrypted, on the boarding pass barcode. In theory, one could use a barcode-reading Web site (like this one, perhaps) to translate a barcode into text to determine your screening level before a flight. One might even be able to modify the boarding pass using PhotoShop or the GIMP to, for example, get the screening level of your choice. I haven't been able to verify this information, but I bet Slashdot can. Is TSA's PreCheck system really that easy to game? If you have an old boarding pass lying around, can you read the barcode and verify that the information in TFA is correct?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Is TSA's PreCheck System Easy To Game?

Comments Filter:
  • Yes (Score:4, Funny)

    by Jeremiah Cornelius (137) on Tuesday October 30, 2012 @07:58PM (#41825489) Homepage Journal

    Yes it is.

    • Re:Yes (Score:5, Funny)

      by Spiridios (2406474) on Tuesday October 30, 2012 @08:15PM (#41825645) Journal
      Way to get every /. member on the no fly list.
      • Re:Yes (Score:5, Interesting)

        by gmanterry (1141623) on Tuesday October 30, 2012 @09:09PM (#41826071) Journal

        Way to get every /. member on the no fly list.

        It's probably dangerous to even comment on this article. It's probably a Homeland SecurityTSA sting.

        • by Teancum (67324)

          If the guys at the TSA haven't even bothered to get other government security experts like the guys at the NSA to review their strategy and how these tickets are encoded, it seems like these guys need a few basic lessons in computer science and should go back to college as freshmen.

          As a sting, this is pretty hopeless.

          • As a sting, this is pretty hopeless.

            Naah, just needs the right media spin.

            "A renegade group considered to be 'The Apostles of Bruce Schneier' were caught plotting to manipulate airline tickets for domestic flights.. TSA cavity search and film at 11...."

          • by Tuoqui (1091447)

            No it's a cash grab... we need a trillion dollars to encrypt the barcodes.

      • Re:Yes (Score:5, Funny)

        by Jeremiah Cornelius (137) on Tuesday October 30, 2012 @10:24PM (#41826527) Homepage Journal

        Did you notice, how I was able to get in "at the front of the line" on this discussion thread?

    • Re:Yes (Score:5, Insightful)

      by Mitreya (579078) <<moc.liamg> <ta> <ayertim>> on Tuesday October 30, 2012 @08:23PM (#41825727)

      Yes it is.

      Wrong question is being asked

      A better question is -- Would it matter if TSA PreCheck System were easy to game?

      Seeing how TSA has no record of ever catching or thwarting a terrorist, I would say "no"

      • Re: (Score:2, Funny)

        by Anonymous Coward

        Seeing how TSA has no record of ever catching or thwarting a terrorist, I would say "no"

        Well, they're semi-effective at catching TSA employees who steal iPads, laptops and expensive camera gear.

        I mean, the thought of some low-level thug making off with a $1k piece of glass terrifies the hell out of me.

        • Re:Yes (Score:5, Interesting)

          by Joe Decker (3806) on Tuesday October 30, 2012 @10:07PM (#41826425) Homepage

          Well, they're semi-effective at catching TSA employees who steal iPads, laptops and expensive camera gear.

          No, they're not. There are occasional busts, but most go unreported or unaddressed.

          Fun fact: The TSA refuses to report such thefts to local authorities, as a matter of policy.

          • Re:Yes (Score:5, Funny)

            by houghi (78078) on Wednesday October 31, 2012 @03:50AM (#41827747)

            Well, they can't, because what the TSA is actually doing is keeping the terrorists from the planes by employing them. Oh, you were taking about thieves? Well, potato, tomato. Thieves, terrorists, republicans, democrats. Who knows the difference anymore.

      • Re:Yes (Score:5, Insightful)

        by Anonymous Coward on Tuesday October 30, 2012 @09:09PM (#41826063)

        Wrong question is being asked

        A better question is -- Would it matter if TSA PreCheck System were easy to game?

        Seeing how TSA has no record of ever catching or thwarting a terrorist, I would say "no"

        No, neither question is really relevant. It doesn't matter if the system is easy to game for someone with technical aptitude because this whole system isn't really about making travel more secure, but conditioning people to be more complacent about government intrusion and restriction on their daily lives.

        • Re:Yes (Score:5, Informative)

          by Jeremiah Cornelius (137) on Tuesday October 30, 2012 @10:22PM (#41826505) Homepage Journal

          " this whole system isn't really about making travel more secure, but conditioning people to be more complacent about government intrusion and restriction on their daily lives."

          DING DING DING DING DING!

          Ladies and gentlemen, please lower your bids. We have a winner.

        • Re:Yes (Score:4, Insightful)

          by Anonymous Coward on Tuesday October 30, 2012 @10:24PM (#41826515)

          this whole system isn't really about making travel more secure, but conditioning people to be more complacent about government intrusion and restriction on their daily lives.

          Parallel to that, army and police have been having Zombie Apocalypse training lately. Training them to fight crowds of unarmed human-shaped figures. Considering the lack of real zombies, I wonder what that's supposed to condition the army and police for...

          • Duh, Black Ops II...

            Regards, Capt Me

          • by GodInHell (258915)
            Let's check that thesis:

            SAN DIEGO -- Move over vampires, goblins and haunted houses, this kind of Halloween terror aims to shake up even the toughest warriors: An untold number of so-called zombies are coming to a counterterrorism summit attended by hundreds of Marines, Navy special ops, soldiers, police, firefighters and others to prepare them for their worst nightmares. "This is a very real exercise, this is not some type of big costume party," said Brad Barker, president of Halo Corp, a security firm hosting the Oct. 31 training demonstration during the summit at a 44-acre Paradise Point Resort island on a San Diego bay. "Everything that will be simulated at this event has already happened, it just hasn't happened all at once on the same night. But the training is very real, it just happens to be the bad guys we're having a little fun with."

            Hundreds of military, law enforcement and medical personnel will observe the Hollywood-style production of a zombie attack as part of their emergency response training.

            In the scenario, a VIP and his personal detail are trapped in a village, surrounded by zombies when a bomb explodes. The VIP is wounded and his team must move through the town while dodging bullets and shooting back at the invading zombies. At one point, some members of the team are bit by zombies and must be taken to a field medical facility for decontamination and treatment.

            Source. [huffingtonpost.com]Bombs... bullets, hmm, looks like those aren't unnarmed human shapes. It's just a "standard" tactical simulation with the "fun" twist that the bad guys are dressed up to look like zombies. So ... looks like you might be having a bit of a paranoid fantasy there sir.

            If that's not the event you're talking about, perhaps you should add a citation to support your extreme claim.

        • Re: (Score:2, Insightful)

          by markyd123 (1070260)

          [...] conditioning people to be more complacent about government intrusion and restriction on their daily lives.

          Is that *really* what you think is happening? I'm a Brit and haven't been to the US for a while now so may well be talking out of my 'bum' ... but for that to be the case it suggests that someone, somewhere in the upper echelons of your government has taken an explicit decision that that is what they are trying to do.

          I accept that the results make it feel more and more like a police state when you fly, but don't think the cause can be attributed to anything more than incompetence and laziness. As in: 'He

          • Re:Yes (Score:4, Interesting)

            by Cid Highwind (9258) on Wednesday October 31, 2012 @09:15AM (#41829285) Homepage

            DING!

            Some people see a monster and need to believe that someone (even someone hostile to them) is holding its leash.

            The truth is somewhat scarier: that the continual growth of oppressive-yet-useless security apparatus like the TSA is an emergent property of power, fear, and greed.

  • by Anonymous Coward

    From what I've read, it would be fairly easy to re-encode your boarding pass to have pre-clearence approval on it. It is just changing a bit on the barcode. Remember, this is matched against your ID and logged. Sure you might get waved on the flight, but I would be shocked to find out anyone that tries this gets in serious trouble. Still doesn't stop the terrorist passenger but might catch people fast enough to honeypot dry runs.

    • by NIK282000 (737852) on Tuesday October 30, 2012 @08:12PM (#41825617) Homepage Journal

      There is a very good DefCon talk on youtube about barcodes and how easy they are to scam. It's so trivial to encrypt the data in a barcode but of course TSA has spared every expense in the defence of america.
       
        Here's the DefCon talk: http://www.youtube.com/watch?v=qT_gwl1drhc [youtube.com]

      • The airline are printing the baording pass, and they always did it unencrypted, for cost reason, and because some of the CKI system are old legacy system which would not support any modern encryption. So. Yeah. It is a non story.
    •     Actually, if they have any common sense, they'd verify the barcode read from the ticket to the barcode stored in the airline DB when the ticket was printed. Modifying it would be a huge red flag.

          But as we all know, the TSA has no common sense. I've considered it mind numbingly stupid that every time I've gone through an airport since 9/11, the super-duper-secure TSA checkpoint (ha!) doesn't check that my boarding pass actually corresponds to a real ticket issued. We're not talking about anything amazingly high tech, except a barcode reader, and network connection to verify against the airline(s) systems.

          The only place that it's cross referenced is boarding, and even that is only most of the airlines I fly. I've been on a few that still just tear the paper boarding pass, and let you on. No verification or anything. At least not before the plane departs. I've been early (just like they ask you to), so I've watched them scanning used boarding passes minutes to hours after the flight leaves. I'm sure we're not suppose to observe procedure, even though it's done right in front of us.

      • by Ksevio (865461)
        There's also nothing forcing you to show the same ticket to the TSA as to the people at the gate. Could have a fake one for the TSA and a real one for the plane to ensure it checks out with the airline.
        • by n7ytd (230708)

          I've always thought this would be an easy way to fly on a ticket issued in another name. But in the past two years, I've seen one instance of TSA agents randomly asking people in line at the gate for their boarding passes. I wondered if that flight was flagged for some reason or just a slow day at security.

      • by archmcd (1789532)
        Let's be realistic. Fake boarding passes aren't a threat to the TSA. The only purpose to the TSA of checking your boarding pass before entering the security checkpoint is to keep from unnecessarily screening people who aren't flying. It keeps your mother from cluttering up the naked-scanner for everyone else who's flying if she just wants to kiss you before you fly away. If someone prints a fake boarding pass to get past the TSA, they still won't be able to get on the flight. They're going to be able to buy
  • Could be a honeypot (Score:5, Interesting)

    by mepperpint (790350) on Tuesday October 30, 2012 @08:06PM (#41825571)
    If I were designing a security system for TSA, I would definitely consider printing a (possibly fake) screening status in the barcode in plain text. If you keep a database of what status you assigned to which boarding ticket, then you can more thoroughly screen (or arrest and jail indefinitely) anyone who changes the easily hackable obvious screening status on their boarding pass. This is much like a honeypot that folks sometimes use in network security. (For those who don't know, a honeypot is an easily hackable machine that serves no purpose except to be hacked so that an observer can find folks who are trying to break in.)
    • by p0p0 (1841106)
      Is this would accomplish what? The terrorists can use Photoshop?
      • by NIK282000 (737852)

        I think its more the "why" rather then the "how" that TSA would be interested in.

      • by JWSmythe (446288) <jwsmythe@@@jwsmythe...com> on Tuesday October 30, 2012 @10:02PM (#41826383) Homepage Journal

            Actually, nothing.

            If it's a bad guy doing it, they'll have a number trying to go through. The ones with flagged boarding passes will turn around and go home. The ones with clean boarding passes will continue through, smile, and say "thank you" to the TSA people (s)he encounters.

            Anyone with any remotely planned mission will have such things in place, and already be ready for them. Send 5 guys in with tickets. A few will get caught. Some won't. Remember the recent tests where only 25% of the weapons passed through x-ray were caught. 5 people means 1 or 2 will get caught. Those odds can be improved if they synchronize someone who *will* get caught. It will draw attention away from the others who they want to make it.

            I've observed that happening more than once. Someone gets stopped for having something "nefarious", like a bottle of water, or knitting needles. They make noise, more TSA employees go to guard, and now the rest of the lines are understaffed, and more will be waved through unmolested.

    • by nzac (1822298)

      This is way to simple not to have been done before, someone will have actually used it and unless they have rushed off to gitmo i would guess its undetectable.

      I could understand why they might want local authentication but they should at least be able hand out keys to airlines for each airport and encrypt it using the key for the airport you are departing from.

    • by Mitreya (579078) <<moc.liamg> <ta> <ayertim>> on Tuesday October 30, 2012 @08:29PM (#41825797)

      If I were designing a security system for TSA, I would definitely consider printing a (possibly fake) screening status in the barcode in plain text. If you keep a database of what status you assigned to which boarding ticket, then you can more thoroughly screen (or arrest and jail indefinitely) anyone who changes the easily hackable obvious screening status on their boarding pass.

      This is an interesting point, but what does any of this have to do with catching terrorists? Now TSA will detain people who mess with barcodes and claim them to be terrorists?

      To extend your line of thought -- If _I_ were designing a security system for TSA (an organization that has never caught a terrorist on its own accord), I too would make up an easily game-able system so that TSA can actually arrest some people and then trump such arrests as success and therefore request more funding.

      It would be a lot cheaper and just as efficient to go back to pre-9-11 security and invest in an "anti-terrorism rock" for contractors (if contractors must be funded by this).

    • by girlintraining (1395911) on Tuesday October 30, 2012 @08:33PM (#41825835)
      It's not a honeypot if the information provided is accurate. If the TSA is encoding the screening level on the barcode, then adversaries can use that information to enhance the success rate of smuggling something past security.
    • by Yvanhoe (564877) on Tuesday October 30, 2012 @10:30PM (#41826561) Journal
      Don't overestimate the TSA. Bruce Schneier has the habit of meeting journalists who want to interview him inside the "secure" part of the airport and sending them fake boarding pass to print themselves. He thinks it helps him make his point about how this is all a "security theater".
      • Bruce Schneier has the habit of meeting journalists who want to interview him inside the "secure" part of the airport and sending them fake boarding pass to print themselves

        While I agree much of TSA is security threatre, I suspect this trick is coming to an end. Most checkpoints now have bar code scanners which confirm the validity of the boarding pass.

        • by Yvanhoe (564877)
          The boarding pass he sends comprises a valid QR code. It is a theatre all the way. I agree that the system could be secure, but it is not.
          • I agree that the system could be secure, but it is not

            In the case of boarding passes I don't think it ever can be. If you want to access the gates, but not fly, just buy a fully-refundable ticket and don't board the flight. This trick is used from time to time by frequent flyers who want to access an airline lounge for an airline they're not flying on a given day.

            • by j-beda (85386)

              I agree that the system could be secure, but it is not

              In the case of boarding passes I don't think it ever can be. If you want to access the gates, but not fly, just buy a fully-refundable ticket and don't board the flight. This trick is used from time to time by frequent flyers who want to access an airline lounge for an airline they're not flying on a given day.

              You can also get a "gate pass" to accompany people to the gate - often done with young family members or people with mobility or other health issues. It is probably not difficult to use some "social engineering" skills to get one of those printed up for you by the airline in situations where it is not actually warranted.

            • by Yvanhoe (564877)
              But can you do so easily with a black-listed ID ? That's the whole point.
    • "(For those who don't know, a honeypot is an easily hackable machine that serves no purpose except to be hacked so that an observer can find folks who are trying to break in.)"

      Kind of like this thread.

    • This could be someone in the Federal Government's bright idea...I'm thinking some guy doing a powerpoint talking about 'utilizing the open-source security community'

      They might have even used the word 'crowdsourcing' or 'hacktivist'...

      If true, I hope their plan works...the fed's geeks are the bottom third of the talent pool using arcane intelligence systems

      I say this in light of this article: "Want a security pro? For starters, get politically incorrect and understand geek culture" [networkworld.com]

  • dupe (Score:3, Insightful)

    by iiii (541004) on Tuesday October 30, 2012 @08:19PM (#41825695) Homepage
    If this sounds a little familiar, well, it is... http://it.slashdot.org/story/12/10/24/2222225/ [slashdot.org] But I like the tie in with the /. logo today. Will that logo get me a faster screening?
    • by pswPhD (1528411)

      If this sounds a little familiar, well, it is...
      http://it.slashdot.org/story/12/10/24/2222225/ [slashdot.org]

      There is a difference between this article and the previous one. the question is: do they compare their database with the boarding card to see if it has been altered? The only way to check this would be to check the boarding card, Photoshop/gimp the barcode, go through the TSA theatre with the altered card and see what happens.

      I would not want to try this myself. I think most people here have a fairly dim view of the TSA, so I wouldn't put it past them not to compare the card with the database, but there ma

  • looked into it (Score:2, Interesting)

    by Anonymous Coward

    I looked into it, but it turns out that modifying a boarding pass is a felony.

    • by PPH (736903)
      So is strapping on an exploding vest.
      • So is strapping on an exploding vest.

        This happens a lot. In response governments like to make more things illegal.

        The thing is criminals doing really bad things generally don't mind a little extra dishonesty or a crime that's way less bad than whatever they're trying to do.

        All it ever does is make life harder for normal people.

  • by Meltir (891449) on Tuesday October 30, 2012 @08:25PM (#41825745) Homepage

    Store a list of generated barcodes. Sure its big. Its also a very trivial lookup.
    If yours doesn't match what's in the DB, prepare for the anal probes.

    Or am I crediting the TSA with too many competent technicians ?

    • by tibit (1762298)

      Technicians? You don't know how it's done in government. Namely, they can don't do anything themselves -- savings and personnel cuts, you understand, of course. Technology is contracted out. Thus they'd need to award some contractor company a project worth a couple million USD to do this. Perhaps even a couple dozen million. TSA, just as any govt. agency, has occasional competent people on board, but they can't do squat, most of the time.

  • by Anonymous Coward on Tuesday October 30, 2012 @08:26PM (#41825755)

    These people are lazy. They're annoying, and they're a blight to society. However, for the time being we're all stuck with them until the rest of the general population rises up and says "We've had enough, out you go!".

    So I ask you this- even if the system is "easy to game", why the hell would you want to risk it? Maybe you get past their security once, twice, a dozen times, etc. Maybe it is easy to game. That's nice and all.

    The question you should be asking yourself is: "What are the consequences of being caught?". These people will happily label you as a terrorist and put you on a no-fly list FOR THE REST OF YOUR LIFE. You think you have legal rights, that they can't do that? They have and they will. Have fun spending the next 5 years of your life debating the finer details of the law in court so you can continue to fly down to Hawaii with the family on occasion for vacation.

    It doesn't matter that their system is broken, or that the whole thing is a security theatre and a complete and utter farce. It matters what they're going to do to you when they find out you've been tampering with the system. If you make them look like idiots, their reaction will be to label you as a nefarious terrorist or hacker who was out to get the TSA and thank god they eventually stopped you because who knows what you would have done if they hadn't.

    So are you **really** willing to live with the consequences of tampering with the system? Or are you just talking big because someone said the TSA was hackable and now it's all cool and hip to point that out to other people and pretend like you're actually gonna go ahead and do it?

    • by dgatwood (11270) on Tuesday October 30, 2012 @08:35PM (#41825851) Journal

      So I ask you this- even if the system is "easy to game", why the hell would you want to risk it? Maybe you get past their security once, twice, a dozen times, etc. Maybe it is easy to game. That's nice and all.

      The question you should be asking yourself is: "What are the consequences of being caught?". These people will happily label you as a terrorist and put you on a no-fly list FOR THE REST OF YOUR LIFE.

      Which is probably about half an hour for most of the people who would likely be trying to game the system. And that is why it is the responsibility of security researchers and other folks to point out the flaws in the system and to make the TSA look like idiots at every possible opportunity. It is their civic duty, as they represent the only remaining hope that the TSA will either go away or become useful.

      • by chrismcb (983081)

        It is their civic duty, as they represent the only remaining hope that the TSA will either go away or become useful.

        They can only become useful by going away.

        • by dgatwood (11270)

          Nonsense. You're only saying that because none of them ever have. :-D

          • Adding hardware to detect bomb residue in the air would potentially be useful (if it works).
          • Adding thermal imaging to detect concealed weapons or seriously sick people would potentially be useful.
          • X-ray checks of baggage are at least moderately useful even if they miss things once in a while.
          • The background checks they run against lists of known or suspected terrorists to help inform the screening process is potentially of at least sligh
  • by Frosty Piss (770223) * on Tuesday October 30, 2012 @08:27PM (#41825775)

    one could use a barcode-reading Web site (like this one, perhaps) to translate a barcode into text to determine your screening level before a flight. One might even be able to modify the boarding pass using PhotoShop or the GIMP to, for example, get the screening level of your choice.

    Yes, I'd like to board an airline flight with a forged boarding pass , and all the privileges that come with it!

  • What century is this? Presumably the poster is the only person on Slashdot who doesn't have a smartphone with a barcode reader built in.

    • by jibjibjib (889679) on Tuesday October 30, 2012 @08:53PM (#41825979) Journal

      > What century is this?

      It's the 21st century. You know, that century where not every Slashdot reader has a smartphone, and the majority of smartphones don't come with a built-in barcode reader, and reading barcodes is mostly pointless enough that the majority of users haven't installed a barcode reader.

    • I might similarly presume that you're really the only person on Slashdot who bothered to install a barcode reader into their smartphone.

      • All right, I'll bite.

        The open source zxing barcode reader for Android alone has 50-100 million installs from the Play market. RedLaser has 1-5 million, and ShopSavvy has 10-50 million. That's just on Android, and doesn't include side-loads direct from the websites in question.

        Now sure, Angry Birds has 100-500 million installs, so barcode reading software may not be quite as popular, but to assume that any bored geek with a smart phone who wanted to check their boarding pass barcode would go to their neare

    • by dywolf (2673597)

      the phones/plans cost too much, are too restrictive, and frankly, my needs arent so pressing that i cant wait to use the net access at my house or work.

  • by Anonymous Coward on Tuesday October 30, 2012 @08:32PM (#41825829)

    Look the code to determine pre-check is in the clear and easy to read. What's not obvious is if it's also easy to change. There is a base-64 message below all the normal data that seems to decode to a hash. I would expect that this hash is protecting the integrity of the data above. No one I have seen has modified their barcode and presented it to the TSA. So while there is speculation that it is easy to change, there is no proof and some mild evidence that says this may not be so.

    • by adamofgreyskull (640712) on Tuesday October 30, 2012 @09:30PM (#41826201)
      Reading that information might be all they need to do. If you have a bunch of co-conspirators on the same plane, you only need one to go through the lighter-screening channel smuggling the box-cutters/drugs/microfilm or whatever; whoever has the magic barcode gets to wear the shoes with the false heels. Alternately, if you know you're not going to be waved through the less-intensive security channel you could cancel your flight or take the flight and just postpone your nefarious deeds for another day.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Or you could just get a job as a TSA agent and wheel a huge suitcase sized bomb right past security and onto the plane.

      • by j-turkey (187775)
        Right, but those who receive more basic screening have already been vetted. In order to qualify for PreCheck, one must agree to (and pay for) a federal background check. This perceived flaw in the system lets a traveller (who has presumably already been qualified for the PreCheck program) know when they are flagged for random additional screening. However, they have already been identified as a lower security priority. Also, given that many analysts believe that additional post 9/11/2001 security screen
  • by Relayman (1068986) on Tuesday October 30, 2012 @08:45PM (#41825927)

    In theory, one could use a barcode-reading Web site ...

    That is so 1990s. I use NeoReader [neoreader.com] on my iPhone. It's available for Android as well.

  • by Tancred (3904) on Tuesday October 30, 2012 @08:47PM (#41825943)

    My boarding passes seem to have PDF417 barcodes on them. I've tried several but haven't found an Android app that'll read them yet. The Android app from the airline displays a QR code boarding pass, but then I can't scan it with my phone. Anyone know an Android app that'll scan it? Or a program for Mac that'll scan a QR code from the camera? No, I'm not looking to change it, but finding out if I got the PreCheck lane would be nice in advance.

    • by El Micko (118401) *

      "finding out if I got the PreCheck lane would be nice in advance"

      I am sure the terrorists would love to know this as well.

      Obvious Terrorist Scenario: Fly around the US enough and get PreCheck status.
      Use the barcode and the decoded information to determine which flight to strap on the suicide vest.
      If you don't get PreCheck, then don't wear the vest.

      I sincerely hope that the the TSA is not stupid enough to leave the decoding of the PreCheck status as something as trivial as an unecoded/plain text 'bit flip' f

      • by Tancred (3904)

        You'll note I didn't say it was a good system.

        The obvious answer for the problem is to scan the barcode at security, which could just be a unique identifier, and look it up in a database of who's cleared for PreCheck that day.

  • by Beardydog (716221) on Tuesday October 30, 2012 @08:54PM (#41825983)
    I think the GIMP is a long-term government anti-counterfeiting scheme.
  • by lucm (889690) on Tuesday October 30, 2012 @09:18PM (#41826129)

    Forget preCheck or not preCheck, the real question is to know if there is a code or keyword that can be printed on the ticket to prevent TSA agents from stealing iPads and money from the luggage or from the scanner basket.

    Thinking of that, maybe the TSA is actually doing a good job: I'm not afraid of hijackers anymore, I'm afraid of getting robbed by the TSA Fingermen.

  • Schneier (Score:5, Informative)

    by Penurious Penguin (2687307) on Tuesday October 30, 2012 @09:18PM (#41826135) Homepage Journal
    As usual, a good thread on the topic from Schneier-ville: https://www.schneier.com/blog/archives/2012/10/hacking_tsa_pre.html [schneier.com]
  • by Anonymous Coward

    An excellent point is made above - with the TSA's wholehearted embodiment of the everything-looks-like-a-nail-if-all-you've-got-is-a-hammer ethos, defrauding the system (e.g. modifying your boarding card) is probably not something you want to get in to. Being sent home instead of to Hawaii once is worth a lifetime of taking off your shoes at the airport if you ask me.

    I suppose the first question would really be... can you cause the system to change your TSA barcode through "normal" behaviour? Is the TSA cod

  • RFC 3514 (Score:2, Funny)

    by benjamindees (441808)

    TSA has implemented the Evil Bit for terrorists.

  • You don not want to institute a program which effectively creates a "low security bypass" in a security system, Whether that bypass itself is flawed is completely irrelevant, since the fact that it exists is already a security risk.

  • Yes. Once you add a weak point into the system, the entire system becomes just as weak. If you allow anyone with a pilot license to walk through with a reduced check, any real criminal/terrorist will just get a license or steal one to walk through.

Porsche: there simply is no substitute. -- Risky Business

Working...