Me Helping Evade Airport Security

Great article from The Atlantic:

As we stood at an airport Starbucks, Schneier spread before me a batch of fabricated boarding passes for Northwest Airlines flight 1714, scheduled to depart at 2:20 p.m. and arrive at Reagan National at 5:47 p.m. He had taken the liberty of upgrading us to first class, and had even granted me "Platinum/Elite Plus" status, which was gracious of him. This status would allow us to skip the ranks of hoi-polloi flyers and join the expedited line, which is my preference, because those knotty, teeming security lines are the most dangerous places in airports: terrorists could paralyze U.S. aviation merely by detonating a bomb at any security checkpoint, all of which are, of course, entirely unsecured. (I once asked Michael Chertoff, the secretary of Homeland Security, about this. "We actually ultimately do have a vision of trying to move the security checkpoint away from the gate, deeper into the airport itself, but there's always going to be some place that people congregate. So if you're asking me, is there any way to protect against a person taking a bomb into a crowded location and blowing it up, the answer is no.")

Schneier and I walked to the security checkpoint. "Counterterrorism in the airport is a show designed to make people feel better," he said. "Only two things have made flying safer: the reinforcement of cockpit doors, and the fact that passengers know now to resist hijackers." This assumes, of course, that al-Qaeda will target airplanes for hijacking, or target aviation at all. "We defend against what the terrorists did last week," Schneier said. He believes that the country would be just as safe as it is today if airport security were rolled back to pre-9/11 levels. "Spend the rest of your money on intelligence, investigations, and emergency response."

Schneier and I joined the line with our ersatz boarding passes. "Technically we could get arrested for this," he said, but we judged the risk to be acceptable. We handed our boarding passes and IDs to the security officer, who inspected our driver's licenses through a loupe, one of those magnifying-glass devices jewelers use for minute examinations of fine detail. This was the moment of maximum peril, not because the boarding passes were flawed, but because the TSA now trains its officers in the science of behavior detection. The SPOT program -- Screening of Passengers by Observation Techniques -- was based in part on the work of a psychologist who believes that involuntary facial-muscle movements, including the most fleeting "micro-expressions," can betray lying or criminality. The training program for behavior-detection officers is one week long. Our facial muscles did not cooperate with the SPOT program, apparently, because the officer chicken-scratched onto our boarding passes what might have been his signature, or the number 4, or the letter y. We took our shoes off and placed our laptops in bins. Schneier took from his bag a 12-ounce container labeled "saline solution."

"It's allowed," he said. Medical supplies, such as saline solution for contact-lens cleaning, don't fall under the TSA's three-ounce rule.

"What's allowed?" I asked. "Saline solution, or bottles labeled saline solution?"

"Bottles labeled saline solution. They won't check what's in it, trust me."

They did not check. As we gathered our belongings, Schneier held up the bottle and said to the nearest security officer, "This is okay, right?" "Yep," the officer said. "Just have to put it in the tray."

"Maybe if you lit it on fire, he'd pay attention," I said, risking arrest for making a joke at airport security. (Later, Schneier would carry two bottles labeled saline solution -- 24 ounces in total -- through security. An officer asked him why he needed two bottles. "Two eyes," he said. He was allowed to keep the bottles.)

Posted on October 16, 2008 at 4:32 PM • 56 Comments

Comments

EricOctober 16, 2008 5:13 PM

Fun read! I laughed quite a bit, not the funny ``ha ha'' but more of the funny ``uht oh''.

This really doesn't surprise me that much. Nothing the TSA does really makes me any safer when I fly.

Paul RenaultOctober 16, 2008 5:14 PM

"An officer asked him why he needed two bottles. "Two eyes," he said. He was allowed to keep the bottles."

How did you manage to not burst out laughing (Like I did, when I read that line)?

Or to not kill yourself out of despair when faced with stupidity on such a massive scale?

Gawd! How do these people, the officers and their bosses, manage automatic breathing?

Smee JenkinsOctober 16, 2008 6:27 PM

Some people get their boarding passes from the airlines.

Other people print their own boarding passes.

Bruce Schneier prints an epic boarding passpoem, detailing the life and works of seven mythical Norse heroes.

MysterymanOctober 16, 2008 6:32 PM

Bying ticets whit stolen credit card are a comon way for thives and husler to move from air port ari port i EU. I don't know the details but faking bording passes my be a part of it.

KmrOctober 16, 2008 7:25 PM

Chris soghoian, a grad student got a visit from the FBI and his arrest was called by a congressman for posting a trivial program which creates a fake boarding pass. He didn't even try using it. I dont know how TSA/FBI wants to respond for this one

addOctober 16, 2008 7:26 PM

1. I've met Bruce, and "frenetic" is hyperbole. Not laconic, but not frenetic, either.

2. I can totally believe him saying "Two eyes" with a straight face.

3. On page 3, Goldberg talks to Kip Hawley, and seems to take the latter's responses at face value. Kip doesn't necessarily know something about the ID-triangle vulnerability, but he can certainly make confident statements about it. Goldberg is reading the wrong game plan: it's poker, not chess.

ThomasOctober 16, 2008 7:46 PM

Any chance of releasing a line Schneier-brand saline solution?

Sell them in packs of two, helpfully labelled "left" and "right".

mooOctober 16, 2008 10:26 PM

I bet money that Bruce somehow ends up on the no-fly list.

He will soon have to print his boarding passes with variations of his canonical name in order to avoid a lengthy interview and SSSS treatment on every trip.

:P

An entertaining read, though!

Paul ReinheimerOctober 16, 2008 10:56 PM

The TSA agent alludes to something secretive being encoded in that chicken scratch on your bording pass. I don't buy it.

Either it's a lie, or, it's meaningless. Gate agents are more than happy to re-print your bording pass if you've lost it. Hand them ID, and presto, new pass. A pass with no markings on it I can see.

When you actually board the plane and they take that pass from you, either they're not looking for the secret confirmation code from the TSA, or the re-print has some special by-pass code on it, in which case we were planning on bording with our real names anyways so it doesn't matter.

Nomen PublicusOctober 17, 2008 12:38 AM

Concidering the pointless farce that goes on at major airports I wonder what happens at the thousands of minor airports and private landing fields. If your objective is to fly a plane into a full sports stadium, a cargo plane flown from a private airfield is just as good as a passenger aircraft flown from Dullus International.

Clive RobinsonOctober 17, 2008 5:46 AM

@ Bruce,

As a double act with jeff you have a standby carear should you ever need it 8)

More seriously though making people laugh at the TSA is the best way to get rid of them.

After all we don't mind being entertained and it makes us smile and remember it. Then "bahm" we find out it's cost and then the laughter turns to anger.

Most people like a laugh but at that price it can only be a sick joke...

vwmOctober 17, 2008 6:44 AM

In Frankfurt, Germany (FRA), for some month now the boarding passes get scanned before you are allowed to enter the screening queue.

The guards have monitors that will tell them whether the boarding pass is valid and display all details (Passenger name, destination, etc.). They even notify passengers about gate changes.

I do not remember, if they actually compared the readings with the passports, but if in doubt, they could.

ACOctober 17, 2008 7:31 AM

In the US attempting to photograph airport security will get you cuffed and hauled away.

sooth sayerOctober 17, 2008 8:00 AM

It's Bruce's blog and his name in an article is mentionable without question -- however to call it funny is beyond sane.

It's dumb read -- not funny and devoid of wit.

RyanOctober 17, 2008 8:19 AM

I am not really all that concerned about the fake boarding passes. If someone is examined properly, does it matter who is flying on the plane?

The real issue is that the TSA does not have the funding or the know-how to fully examine passengers. Whether this be by inept rules or other means.

Ryan

QuercusOctober 17, 2008 8:23 AM

I was disappointed that the author asked Kip Hawley the wrong follow-up question. The right question is not "There are vulnerabilities, what are you doing about them?' The question is "There are vulnerabilities : is it worth the money and time (and loss of liberty) we're spending on this if it doesn't work?"

Moshe YudkowskyOctober 17, 2008 8:31 AM

This was perhaps the most intellectually dishonest article I've read in months.

The reporter deliberately set a trap that would allow him to lambast the TSA regardless of the TSA's actions:

If the TSA had treated him suspiciously because of his Hezbollah flag, the reporter would have complained that the TSA agents should have realized that no "real terrorist" would bring a Hezbollah flag, and then gone on a rant about the TSA, potential racial profiling, censorship, and ignoring "real threats."

Instead, the TSA rightfully ignored the fluff about flags and T-shirts and focused on objects, identity, and actions, completely ignoring political opinions and other distractions -- so instead the reporter complains that the TSA ignored his political opinions and other deliberate distractions.

This hit piece is a masterpiece of its genre, and ought to be enshrined in journalism schools as an example to both honest and dishonest reporters (albeit for different reasons).

Michael AshOctober 17, 2008 9:00 AM

@Moshe Yudkowsky

Maybe the reason this journalist put the TSA in a no-win situation is not because the journalist is dishonest but because the TSA is dishonest. They have put themselves in this position, and you can hardly blame a journalist for taking advantage.

o.s.October 17, 2008 9:26 AM

"I could have ripped up these counterfeit boarding passes in the privacy of a toilet stall, but I chose not to, partly because this was the renowned Senator Larry Craig Memorial Wide-Stance Bathroom, and since the commencement of the Global War on Terror this particular bathroom has been patrolled by security officials trying to protect it from gay sex, and partly because I wanted to see whether my fellow passengers would report me to the TSA for acting suspiciously in a public bathroom."

The unbelievable stupidity displayed in this article was just HILARIOUS! That clown Larry Craig is still serving in the senate as well. There just aren't any consequences for stupidity and waste in government bureaucracies.

Frank Ch. EiglerOctober 17, 2008 9:52 AM

A problem with this sort of argumentation is that when tested against reality of the number of recent successful terrorists attacks (zero), the TSA has in fact been objectively successful. This is true, whether you think it's all just "theater" or not.

Consider also whether you are necessarily qualified to pass judgment like that. Surely you wouldn't assert that you know of *every* element of the TSA security system.

bobOctober 17, 2008 10:03 AM

TWO EYES COMMENT: Funny on the surface; however it is possible in the event of an eye "issue" (infection, surgery) to be required by the doctor to have a separate bottle (contact lens solutions, eyedrops, w/e) for each eye, in order to not transfer bacteria or fungi between your bad eye and good eye.

BobOctober 17, 2008 10:58 AM

@Frank Ch. Eigler

When I fly I always carry my tiger-repelling magic rock. I have not once been attacked by a tiger at an airport.

DaedalaOctober 17, 2008 11:09 AM

@Moshe

While you're right that the flags, etc. were distractors that the TSA rightfully ignored, you are ignoring the fact that the author repeatedly carried in things that he wasn't supposed to be able to carry in and that he got in on faked boarding passes with no ID.

No, the TSA shouldn't have stopped him for his t-shirts. But according to their own rules, they should have caught the Beerbelly and the fake boarding pass and so on. They were focused on "objects, identity, and actions" -- AND THEY MISSED.

MikeOctober 17, 2008 11:20 AM

I'm disappointed that you didn't try these items mentioned in prior blog posts (which I can't seem to locate at the moment):

Shopping bag with a picture of a gun
http://granitegrok.com/pix/bag_gun.jpg

Bag with simulated X-ray of gun
http://ecx.images-amazon.com/images/I/...

Bags with raised impression of gun, knife
http://s2.thisnext.com/media/400x400/...
http://s2.thisnext.com/media/400x400/...

And one the TSA recently warned was Not Funny ( http://www.tsa.gov/blog/2008/10/... ):

Laser-cut metal messages to the TSA
http://evan-roth.com/rhizome2008/

Pat CahalanOctober 17, 2008 11:37 AM

> “Then you’re a stupid terrorist and the government will catch you,”

This is another point that is often overlooked when discussing security countermeasures.

Layered defense is important to protect against sophisticated attackers, but it only matters when the layers have different exceptions. If one layer of defense is, "This catches the stupid terrorist", each additional layer that is designed to "catch the stupid terrorist" is adding an increasingly marginal amount of security. Sure, "stupid terrorist" may get lucky getting past one layer, but are three or four additional layers really necessary?

@ Moshe

> This was perhaps the most intellectually dishonest
> article I've read in months.

Wow, you're claiming this on the basis of a single logic bomb? You must not read political commentary.

Moshe YudkowskyOctober 17, 2008 11:56 AM

@ Daedala

While it's true that the TSA missed, that wasn't my point -- that the journalist displayed truly remarkable dishonesty.

As for the TSA misses, the TSA does not offer nor does it pretend to offer perfect security. The TSA tests its processes and publicizes its results -- failures are scarcely news.

JasonOctober 17, 2008 12:51 PM

Re: Frank Ch. Eigler
"A problem with this sort of argumentation is that when tested against reality of the number of recent successful terrorists attacks (zero), the TSA has in fact been objectively successful. This is true, whether you think it's all just "theater" or not."

Because we know the exact number of terrorist attacks that would have been successful if the TSA had never been created, right?

ErinOctober 17, 2008 2:42 PM

Bruce, it seems to me that this ID triangulation problem only exists because of the ease of printing boarding passes at home -- a procedure that only began to be allowed post-9/11, if I recall correctly. If a person still had to stand in line at the ticket counter to get a pass, I don't see how he'd pull this off without an inside man. Could you comment on this? Any idea why airlines made this choice, and/or the feds didn't object?

GregOctober 17, 2008 4:28 PM


If either of the Presidential Nominees would promise to disband the TSA the day after he takes the oath, he would win in a landslide.

AnnestaOctober 17, 2008 4:56 PM

I have one observation to make about the airport employees thing, though.

Before I got my ID badge that gives me access to the secure area of the airport I work at, I was fingerprinted and subjected to an FBI background check.

The ID contains biometric information that prevents someone else from using it.

And I absolutely have to go through through the magnetometer and put my belongings through the X-ray machine in order to access the "sterile area" just like everyone else.

Michael AshOctober 17, 2008 5:15 PM

@Erin

It's true that this specific attack would not work if official airline boarding passes were required to get through security, not home-printer jobs.

However this wouldn't eliminate the hole. Even requiring people to pick up boarding passes with the airline, all you've done is change the problem from forging an ID card (which the system assumes is hard, even though it really isn't) to forging an airline boarding pass. Airline boarding passes are not designed against forgery so this really can't be difficult.

For the no-fly list to even make sense, a person's presence on the list needs to be verified by security, or boarding passes need to be made difficult to forge. You can't trust an adversary with an insecure token, because they can simply change it. (Of course given the level of scrutiny that our IDs face when going through security, it seems clear that the entire concept is doomed. I don't know how much a high-quality fake ID costs, but I would wager that it is far less than the resources available to terrorist groups. And then there's the minor problem even a properly implemented no-fly list makes no sense.)

Call me somethingOctober 17, 2008 8:37 PM

left eye; right eye; fluids....

sounds like a catalytic moment waiting to happen.

PoOctober 19, 2008 8:22 PM

The reason they didn't take any time for real security is because they are busy on Ebay selling your stolen items...

"After years of people complaining about their luggage locks being broken in the name of the Transportation Security Administration, and after countless properly-stowed utilities and tools had been scrutinized from a paranoid point of view, an employee of the TSA (which is part of the Department of Homeland Security) has been captured with evidence of over $200,000 worth of stolen property he was selling on eBay. With the help of local police and the USPS, a search of his house found a great deal of property pilfered from the un-witnessed searches that occurred after luggage had been checked, where the rightful owner was not allowed. 'Among the items seized were 66 cameras, 31 laptop computers, 20 cell phones, 17 sets of electronic games, 13 pieces of jewelry, 12 GPS devices, 11 MP3 players, eight camera lenses, six video cameras and two DVD players, the affidavit said.'"

alethiophileOctober 20, 2008 8:26 PM

@Po:
Just what we needed, questionably honest people having the authority to go through our bags and confiscate items that they judge to be dangerous. "Oh, wow, I guess you could hit someone on the head with that laptop, guess I'd better confiscate it."

VOctober 23, 2008 11:52 AM

@Erin - no, print-at-home boarding passes weren't post-9/11.

I was flying for business before that, and printing passes at the office.

Mr PaulOctober 23, 2008 1:21 PM

The TSA done good. He was not a threat and thus was allowed to get on the plane.

I'm not saying that the TSA's policies are good (I don't believe they are), but since their intent is to catch terrorists (ostensibly, anyway) and he was not one, they behaved correctly. Messing with the system some is not the same as having a genuine history and fear of getting caught. His article, in a fashion, actually tells us that the TSA is tolerate of non-threats who step outside of norm.

KiashuOctober 26, 2008 6:31 AM

Frank Eigler says,

"A problem with this sort of argumentation is that when tested against reality of the number of recent successful terrorists attacks (zero), the TSA has in fact been objectively successful."

I wear a tinfoil hat to protect me from alien mind control laser beams.

My mind has not been taken over by alien mind control laser beams, therefore the tinfoil hat must work.

Alternately, there simply are no aliens trying to take over my mind, and no terrorists trying to hijack US aircraft from US airports.

TSOctober 28, 2008 6:48 PM

What was actually in the bottles labeled saline solution? I’m willing to bet that if it was a well-known liquid explosive (like, say, butane) labeled as saline, it wouldn’t have gone through security so easily. There’s a reason that stuff goes through the scanners.

Carl HageNovember 16, 2008 2:40 PM

[Bruce commenting on the number of entries in the no-fly list] It is just plain impossible that the TSA identifies "dozens" of these people every week. The math just doesn't make sense.

The math makes sense-- the dozens are people with a false-positive match on the name, e.g. Ted Kennedy.

Nicholas ParimoreNovember 19, 2008 7:44 PM

@Moshe Yudkowsky: Moshe, I believe your missing the point. The pair were conducting a form of penetration test against TSA's security measures. They acted "dishonestly" because such tests must simulate what a malicious attacker will do, such as exploit weaknesses in an organization's security posture. That's what they did, and they succeeded.

The U.S. Government has spent billions of dollars and put people through hell via their security plans. Kids have even been arrested over this stuff. By Schneier and others, these plans have shown to be ineffective in practice. Can you tell me how the tremendous cost that TSA's security imposes on us is in anyway justified? Security that provides no real safety shouldn't be implemented. If the TSA isn't really protecting us, they shouldn't exist. Instead, good investigative and intelligence work should be where our money goes.

That laundromat operation in Ireland is a good example of this, where the bomb makers were caught *before* they tried to blow something up, thanks to clever intelligence efforts. ;) Had the effort gone into TSA-style static defenses instead, the terrorists would have blown up some innocent people and Britain would have lost much $$$. TSA will not counter terrorism. They should be dissolved, and their budget allocated in a more useful manner.

Keith AppleyardJanuary 12, 2009 10:10 AM

On Fri 9 Jan 2009 I was flying with American Airlines from NY JFK to London. When we boarded the plane, all they did was check the Boarding Passes. They actually announced beforehand they would NOT be checking Passports or Photo ID - so that means anyone in the mixed (Domestic/International) terminal could have exchanged Boarding Passes and got on that plane.

Engagement RingsApril 2, 2011 1:14 PM

I am pleased that I found this weblog , just the right info that I was looking for! .

Rob DMarch 23, 2012 11:26 AM

I don't think there is much danger of ending up on the no-fly list...but maybe the full body cavity search list!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..