Entries Tagged "DHS"

Page 4 of 38

Hacking TSA PreCheck

I have a hard time getting worked up about this story:

I have X’d out any information that you could use to change my reservation. But it’s all there, PNR, seat assignment, flight number, name, ect. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way.

What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode. Finally, using a commercial photo-editing program or any program that can edit graphics replace the barcode in their boarding pass with the new one they created. Even more scary is that people can do this to change names. So if they have a fake ID they can use this method to make a valid boarding pass that matches their fake ID. The really scary part is this will get past both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don’t check against the real time information. So the TSA document checker will not pick up on the alterations. This means, as long as they sub in 3 they can always use the Pre-Check line.

What a dumb way to design the system. It would be easier—and far more secure—if the boarding pass checker just randomly chose 10%, or whatever percentage they want, of PreCheck passengers to send through regular screening. Why go through the trouble of encoding it in the barcode and then reading it?

And—of course—this means that you can still print your own boarding pass.

On the other hand, I think the PreCheck level of airport screening is what everyone should get, and that the no-fly list and the photo ID check add nothing to security. So I don’t feel any less safe because of this vulnerability.

Still, I am surprised. Is this the same in other countries? Lots of countries scan my boarding pass before allowing me through security: France, the Netherlands, the UK, Japan, even Uruguay at Montevideo Airport when I flew out of there yesterday. I always assumed that those systems were connected to the airlines’ reservation databases. Does anyone know?

Posted on October 26, 2012 at 6:46 AMView Comments

2013 U.S. Homeland Security Budget

Among other findings in this CBO report:

Funding for homeland security has dropped somewhat from its 2009 peak of $76 billion, in inflation-adjusted terms; funding for 2012 totaled $68 billion. Nevertheless, the nation is now spending substantially more than what it spent on homeland security in 2001.

Note that this is just direct spending on homeland security. This does not include DoD spending—which would include the costs of the wars in Iraq and Afghanistan—and Department of Justice spending. John Mueller estimates that we have spent $1.1 trillion over the ten years between 2002 and 2011.

Posted on October 2, 2012 at 9:41 AMView Comments

Poll: Americans Like the TSA

Gallup has the results:

Despite recent negative press, a majority of Americans, 54%, think the U.S. Transportation Security Administration is doing either an excellent or a good job of handling security screening at airports. At the same time, 41% think TSA screening procedures are extremely or very effective at preventing acts of terrorism on U.S. airplanes, with most of the rest saying they are somewhat effective.

My first reaction was that people who don’t fly—and don’t interact with the TSA—are more likely to believe it is doing a good job. That’s not true.

Just over half of Americans report having flown at least once in the past year. These fliers have a slightly better opinion of the job TSA is doing than those who haven’t flown. Fifty-seven percent of those who have flown at least once and 57% of the smaller group who have flown at least three times have an excellent or good opinion of the TSA’s job performance. That compares with 52% of those who have not flown in the past year.

There is little difference in opinions about the effectiveness of TSA’s screening procedures by flying status; between 40% and 42% of non-fliers, as well as of those who have flown at least once and those who have flown at least three times, believe the procedures are at least very effective.


Younger Americans have significantly more positive opinions of the TSA than those who are older. These differences may partly reflect substantial differences in flying frequency, with 60% of 18- to 29-year-olds reporting having flown within the last year, compared with 33% of those 65 years and older.

Anyone want to try to explain these numbers?

Posted on August 22, 2012 at 6:09 AMView Comments

Court Orders TSA to Answer EPIC

A year ago, EPIC sued the TSA over full body scanners (I was one of the plaintiffs), demanding that they follow their own rules and ask for public comment. The court agreed, and ordered the TSA to do that. In response, the TSA has done nothing. Now, a year later, the court has again ordered the TSA to answer EPIC’s position.

This is an excellent time to add your name to the petition the TSA to do what they’re supposed to do, and what the court ordered them to do: take public comments on full body scanners. The petition has almost 17,000 signatures. If we get 25,000 by August 9th, the government will respond. I doubt they’ll capitulate, but it will be a press event that will put even more pressure on the TSA. So please sign the petition. (Here is my first post about it.)

Posted on August 2, 2012 at 2:19 PMView Comments

Remote Scanning Technology

I don’t know if this is real or fantasy:

Within the next year or two, the U.S. Department of Homeland Security will instantly know everything about your body, clothes, and luggage with a new laser-based molecular scanner fired from 164 feet (50 meters) away. From traces of drugs or gun powder on your clothes to what you had for breakfast to the adrenaline level in your body—agents will be able to get any information they want without even touching you.

The meta-point is less about this particular technology, and more about the arc of technological advancements in general. All sorts of remote surveillance technologies—facial recognition, remote fingerprint recognition, RFID/Bluetooth/cell phone tracking, license plate tracking—are becoming possible, cheaper, smaller, more reliable, etc. It’s wholesale surveillance, something I wrote about back in 2004.

We’re at a unique time in the history of surveillance: the cameras are everywhere, and we can still see them. Fifteen years ago, they weren’t everywhere. Fifteen years from now, they’ll be so small we won’t be able to see them. Similarly, all the debates we’ve had about national ID cards will become moot as soon as these surveillance technologies are able to recognize us without us even knowing it.

EDITED TO ADD (8/13): Related papers, and a video.

Posted on July 16, 2012 at 1:59 PMView Comments

Petition the U.S. Government to Force the TSA to Follow the Law

This is important:

In July 2011, a federal appeals court ruled that the Transportation Security Administration had to conduct a notice-and-comment rulemaking on its policy of using “Advanced Imaging Technology” for primary screening at airports. TSA was supposed to publish the policy in the Federal Register, take comments from the public, and justify its policy based on public input. The court told TSA to do all this “promptly.” A year later, TSA has not even started that public process. Defying the court, the TSA has not satisfied public concerns about privacy, about costs and delays, security weaknesses, and the potential health effects of these machines. If the government is going to “body-scan” Americans at U.S. airports, President Obama should force the TSA to begin the public process the court ordered.

The petition needed 150 signatures to go “public” on Whitehouse.gov (currently at 296), and needs 25,000 to require a response from the administration. You have to register before you can sign, but it’s a painless procedure. Basically, they’re checking that you have a valid e-mail address.

Everyone should sign it.

Posted on July 11, 2012 at 12:39 PMView Comments

Rand Paul Takes on the TSA

Rand Paul has introduced legislation to rein in the TSA. There are two bills:

One bill would require that the mostly federalized program be turned over to private screeners and allow airports ­ with Department of Homeland Security approval ­ to select companies to handle the work.

This seems to be a result of a fundamental misunderstanding of the economic incentives involved here, combined with magical thinking that a market solution solves all. In airport screening, the passenger isn’t the customer. (Technically he is, but only indirectly.) The airline isn’t even the customer. The customer is the U.S. government, which is in the grip of an irrational fear of terrorism.

It doesn’t matter if an airport screener receives a paycheck signed by the Department of the Treasury or Private Airport Screening Services, Inc. As long as a terrorized government—one that needs to be seen by voters as “tough on terror” and wants to stop every terrorist attack, regardless of the cost, and is willing to sacrifice all for the illusion of security—gets to set the security standards, we’re going to get TSA-style security.

We can put the airlines, either directly or via airport fees, in charge of security, but that has problems in the other direction. Airlines don’t really care about terrorism; it’s rare, the costs to the airline are relatively small (remember that the government bailed the industry out after 9/11), and the rest of the costs are externalities and are borne by other people. So if airlines are in charge, we’re likely to get less security than makes sense.

It makes sense for a government to be in charge of airport security—either directly or by setting standards for contractors to follow, I don’t care—but we’ll only get sensible security when the government starts behaving sensibly.

The second bill would permit travelers to opt out of pat-downs and be rescreened, allow them to call a lawyer when detained, increase the role of dogs in explosive detection, let passengers “appropriately object to mistreatment,” allow children 12 years old and younger to avoid “unnecessary pat-downs” and require the distribution of the new rights at airports.

That legislation also would let airports decide to privatize if wanted and expand TSA’s PreCheck program for trusted travelers.

This is a mixed bag. Airports can already privatize security—SFO has done so already—and TSA’s PreCheck is being expanded. Opting out of pat downs and being rescreened only makes sense if the pat down request was the result of an anomaly in the screening process; my guess is that rescreening will just produce the same anomaly and still require a pat down. The right to call a lawyer when detained is a good one, although in reality we passengers just want to make our flights; that’s why we let ourselves be subjected to this sort of treatment at airports. And the phrase “unnecessary pat-downs” all comes down to what is considered necessary. If a 12-year-old goes through a full-body scanner and a gun-shaped image shows up on the screen, is the subsequent pat down necessary? What if it’s a long and thin image? What if he goes through a metal detector and it beeps? And who gets to decide what’s necessary? If it’s the TSA, nothing will change.

And dogs: a great idea, but a logistical nightmare. Dogs require space to eat, sleep, run, poop, and so on. They just don’t fit into your typical airport setup.

The problem isn’t government-run airport security, full-body scanners, the screening of children and the elderly, or even a paucity of dogs. The problem is that we were so terrorized that we demanded our government keep us safe at all costs. The problem is that our government was so terrorized after 9/11 that it gave an enormous amount of power to our security organizations. The problem is that the security-industrial complex has gotten large and powerful—and good at advancing its agenda—and that we’ve scared our public officials into being so scared that they don’t notice when security goes too far.

I too want to rein in the TSA, but the only way to do that is to change the TSA’s mission. And the only way to do that is to change the government that gives the TSA its mission. We need to refuse to be terrorized, and we need to elect non-terrorized legislators.

But that’s a long way off. In the near term, I’d like to see legislation that forces the TSA, the DHS, and anyone working in counterterrorism, to justify their systems, procedures, and expenditures with cost-benefit analyses.

This is me on that issue:

An even more meaningful response to any of these issues would be to perform a cost-benefit analysis. These sorts of analyses are standard, even with regard to rare risks, but the TSA (and, in fact, the whole Department of Homeland Security) has never conducted them on any of its programmes or technologies. It’s incredible but true: he TSA does not analyse whether the security measures it deploys are worth deploying. In 2010, the National Academies of Science wrote a pretty damning report on this topic.

Filling in where the TSA and the DHS have left a void, academics have performed some cost-benefit analyses on specific airline-security measures. The results are pretty much what you would expect: the security benefits of most post-9/11 security changes do not justify the costs.

More on security cost-benefit analyses here and here. It’s not going to magically dismantle the security-industrial complex, eliminate the culture of fear, or imbue our elected officials with common sense—but it’s a start.

EDITED TO ADD (7/13): A rebuttal to my essay. It’s too insulting to respond directly to, but there are points worth debating.

Posted on June 20, 2012 at 1:19 PMView Comments

The Explosive from the Latest Foiled Al Qaeda Underwear Bomb Plot


Although the plot was disrupted before a particular airline was targeted and tickets were purchased, al Qaeda’s continued attempts to attack the U.S. speak to the organization’s persistence and willingness to refine specific approaches to killing. Unlike Abdulmutallab’s bomb, the new device contained lead azide, an explosive often used as a detonator. If the new underwear bomb had been used, the bomber would have ignited the lead azide, which would have triggered a more powerful explosive, possibly military-grade explosive pentaerythritol tetranitrate (PETN).

Lead azide and PETN were key components in a 2010 plan to detonate two bombs sent from Yemen and bound for Chicago—one in a cargo aircraft and the other in the cargo hold of a passenger aircraft. In that plot, al-Qaeda hid bombs in printer cartridges, allowing them to slip past cargo handlers and airport screeners. Both bombs contained far more explosive material than the 80 grams of PETN that Abdulmutallab smuggled onto his Northwest Airlines flight.

With the latest device, al Asiri appears to have been able to improve on the underwear bomb supplied to Abdulmutallab, says Joan Neuhaus Schaan, a fellow in homeland security and terrorism for Rice University’s James A. Baker III Institute for Public Policy.

The interview is also interesting, and I am especially pleased to see this last answer:

What has been the most effective means of disrupting terrorism attacks?
As with bombs that were being sent from Yemen to Chicago as cargo, this latest plot was discovered using human intelligence rather than screening procedures and technologies. These plans were disrupted because of proactive mechanisms put in place to stop terrorism rather than defensive approaches such as screening.

Posted on May 25, 2012 at 6:43 AMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.