The first time someone pointed this out, the FBI raided his house[1] and sparked a Senate investigation. This was four years ago. I did this to one of my Southwest tickets recently, though didn't use the forged copy. Honestly, it's like they think HTML is unreadable, or, more likely, that it's security theatre designed to make everyone feel safe. I would be okay with that if it wasn't taken so seriously.
Due to being able to use your mobile phone as a boarding pass, most security checkpoints are acquiring the ability to read the 2d barcode on the boarding pass and display the corresponding name. I've seen security start to use this randomly on paper boarding passes as well.
My opinion of all this security theater is that it is not actually designed to make people feel safe. It is instead that the people at the top know another effort by dedicated attackers willing to die can not be stopped. And I bet that they consider such an attack happening again pretty likely. When it does, the federal government wants a conspicuous example of what they were doing to keep us safe so that the population doesn't riot. From this perspective, the more annoying and egregious the security hassles, the better they are.
I think there are two purposes to the TSA. One is to make people feel safe, as you mentioned. The other is to get people into the habit of having their rights routinely violated by "government agents". It is a form of conditioning, and it's pretty effective.
10 year olds at this point have never known a world that was otherwise.
In another 15 years, almost all adults will be completely used to it, and the idea that we don't need the TSA will sound as absurd to them, as to most of us it seems "absurd" that in fact in the past you could fly in the USA while carrying a rifle or shotgun aboard, with ammo. The flight attendants would offer to stow it for you in a coat locker, but otherwise wouldn't bat an eye.
Even today you can fly with firearms (in checked baggage) but a lot of people think that this idea is completely absurd because they've never seen it... and they've been conditioned to being disarmed and the idea that you can't have a gun in an airport. (you walk in and check it at the counter, before going thru security.)
I'm a very tall man (6'4") and always have trouble with a lack of legroom on flights (even JetBlue).
A few years ago I was adventurous, and frustrated -- there were no seats left on the flight that it would let me reserve online. Yet for this particular airline, it showed that the exit row seats were available, but clicking on them led to an alert that you could not book them online: You had to do so at the airport.
I decided to look at the code making the seat selection calls, submitted my seat selection for that seat anyway -- and wallah! I was granted a ticket with that exit row seat. Had no problem going through security or boarding.
Haven't tried it since - as most airlines now charge extra for those seats, and it's not such an easy hack.
Exit row seats are special in that the ground crew need to see that you are physically capable of operating the door. If you were handicapped in any way, and I've seen people request so they have more space for their oxygen bottle, the cabin crew would have to move you to a different seat. On a full flight it can be tough to play musical chairs.
Wow - didn't realize this thread would turn into a dissection of my use of 'Wallah' -- which I didn't even consciously realize I use (nor what it really meant to the degree analyzed here). You learn something new every day. Thanks HN!
This doesn't surprise me in the least. I've been in India for the last month, and I've been shocked by two new things since my last visit (several years ago).
First, security here is everywhere.
Second, security here is pointless.
I have had to walk through security to get to supermarkets, discount stores (think Walmart), high-end shopping malls, temples, mosques, movie theaters, national monuments, airports, hotels, you name it. You can't walk into a large building and not walk through a metal detector. The ACLU would probably go ballistic if the US had even 1% of the number of pat-downs that I have had to go through daily here.
Unfortunately, it's entirely pointless. Generally, I don't take my belt/jewelry/phone off when going through the metal detector, and most of the time, it doesn't even detect that. Whether or not I set off the detector, the process is the same: they (occasionally) wave a wand over, and then send me to a second person who briefly pats me down (<5 seconds in all). Keep in mind, the exact same process is applied to those who do and do not set off the metal detector. A few times, I've set it off and they just wave me through without even checking me further. It's mind-boggling.
I can't say I'm a fan of ubiquitous security, but the only thing that's worse is ubiquitous ineffective security. Anybody who really wants to cause trouble can bypass it in their sleep - all you manage to do is disrupt the lives of everybody else, all the while accomplishing literally nothing.
Similar thing happened to me when visiting a museum in the Vatican. Long queues, metal detectors, etc. After passing through the whole thing with no problem, I realized I had my pocket knife in my pocket throughout the day. I noticed then that the metal detector was beeping all the time, but they were not paying attention, as they probably didn't want to get people to take off belts, etc.
I remember the security nightmare at IGI: The entire airport was surrounded in soldiers who wouldn't let you in without a ticket. The whole concept of electronic reservations seemed to go right over their head, until I managed to convince a very kind BA stewardess to go in and print an e-ticket confirmation and then bring it outside to me (I'm sure even Al Qaeda could fake one of those). What a bunch of muppets.
Poorly implemented solutions are security theatre at its best. Well, almost. They're second best to "The wrong solution for the problem" approaches. Take the school in Texas this week where one kid shot another [1]. The school's solution is to make everyone use completely transparent backpacks, never mind that:
1. You could fit a gun inside a zippered/covered binder or expanding file folder and the backpack does nothing.
2. The school already has metal detectors, so the backpacks aren't actually adding any detection.
3. They don't even know if the edge case where their current security failed even involved backpacks.
I know a girl who changed her name when she got married and whose ID still has her maiden name. She buys her plane tickets under her married name, and carries her marriage license with her when she flies in case the TSA asks about the discrepancy. But no one has ever noticed.
This doesn't always work. You might end up arrested. You are better off with a fake ID.
When you board the plane they check the codes to see if you have been through special screening, they check the markings to the boarding pass codes.
I've made it to the flight a few times only to be turned around and accompanied back to security for the full security theater experience. At this point they will check the list and you will be arrested if they find a problem in the paperwork.
Your best bet is to change your name slightly William --> Bill etc. and play around with a middle/first initial. Computers are dumb. TSA agents are friendly when you are friendly to them and have a tendency to not pay attention to their work. Social engineering is a lot more effective than computer hacking.
And what codes are these? the pen-squiggle? the highlighter-check-mark?
Is it your hobby to try to sneak past TSA checkpoints? Are you successful often enough that you have been turned away at the gate for not having the proper 'codes'?
That's not the point... John Doe buys a plane ticket and gets an electronic boarding pass — John uses Chrome Developer Tools or Firebug to change John Doe to Jane Terrorist. John Doe's name is checked against terrorism watch lists, but Jane Terrorist's name isn't. Jane Terrorist then presents a boarding pass with her actual name and she has an ID showing her name is Jane Terrorist. The TSA agents don't check terrorism watch lists at the checkpoint.
tl;dr: You can alter a boarding pass and circumvent the entire watch list process.
Second that -- my gf and I were actually shocked, when on a recent trip to the States (took about 7 flights in total) where the person at the gate only checked the boarding passes and not photo ID! We have added security up here because of the States, it seems like a lapse to not do this themselves. For example, when you board a flight to/from Canada, you have to show the boarding pass and photo ID, the person at the gate scans the ticket to see if everything checks out.
Air Canada's requirements specify that they require gov't issued ID, but they don't specify which gov't. Would a gate agent be able to identify and verify the authenticity of an arbitrary ID card from a distant country?
In the days not long after 9/11, they used to check the ID both at the screening checkpoint and the gate, but in the last several (5+), they don't check at the gate. I'd assume it's a time-saving measure, but it does totally defeat the point of checking.
In my experience, the TSA agent you have to show ID and boarding pass to at the security checkpoint also scribbles something with a marker or highlighter on your boarding pass.
But even aside from the fact that this is obviously and trivially forgeable, I don't think the person who scans your boarding pass at the gate even looks for the scribble, as I've used a different boarding pass to get on the plane than I did at the security checkpoint before (because I had printed one out at home and also printed another copy at the self-service check-in machine, and just happened to use different copies each time I needed to show it).
They definitely don't look. Several itineraries have multiple legs, and the TSA only ever looks at - much less scribbles on - your first leg. Even that aside, you can easily get a boarding pass from an agent inside the terminal, without it ever having been checked by the TSA.
I've actually gone through TSA with one boarding pass on one flight, and boarded a completely different flight before (not just a separate piece of paper) - back when I could book flights for free on JetBlue and had already booked another flight that night. I merely decided once I was in the terminal that I'd hop on a different flight I had also checked in to.
I do a lot of flying and have long thought about this. It's total theatre. They could fix it by implementing some cryptographic code that's scanned at TSA entry points, verifying the actual document (boarding passes are a far cry from a verifiable document).
This is probably like when the security guard at the exit of a shop checks your receipt and scribbles on it. I'm sure it's more to hold the guard accountable - so they don't wave people through without some semblance of checking.
If terrorists still want to "get us", why don't they detonate some truck bombs in major urban areas? If the bridges or subway tunnels in the SF Bay Area or NYC had big holes punched in them, the economic impact would be huge.
A suitcase bomb in a large TSA security screening lineup would have a similar effect and would be a tragic way of pointing out how ridiculous the so-called security is.
Not only is my ID almost never checked at the gate, the agent hardly even compares the name on the paper to their flight information. So really, you could just print out the forged copy with your name on it and use it the whole way through.
Include a QR code on the printed boarding pass that holds the details of the passenger and flight along with a hash of the data, the hash being salted with a secret known only to TSA. The TSA agent then scans the QR code, computer verifies the hash and displays the data on screen for the agent to check against the printed boarding pass and ID. No database look up is needed, just a PC and webcam.
Danger is someone works out or leaks the hash secret.
The real danger is someone figures out how to spoof a legitimate request to the TSA-QR service and have them create authentic codes with bogus data.
Never mind that the solution itself is far from 'easy'. Somehow linking every ticket printer to a central TSA-QR service in a reliable and secure way sounds like, uh, fun...
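A sketch of the signed-barcode check proposed in the comments above, added here as an example and not code from the thread. It uses HMAC-SHA256, the standard keyed-hash construction, in place of the "salted hash"; the key, field names and sample pass are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: the key, field names and sample pass are illustrative.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
SAMPLE_PASS = {"name": "DOE/JOHN", "flight": "XX123",
               "date": "2012-01-15", "seat": "14C"}
TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


def encode_pass(fields, key):
    """Issuer side: return the text that would be rendered as the QR code."""
    # Canonical JSON so issuer and verifier authenticate identical bytes.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + body).decode()


def verify_pass(token, key):
    """Checkpoint side: return the authenticated fields, or None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # includes binascii.Error for bad base64
        return None
    if len(raw) <= TAG_LEN:
        return None
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(body)  # parsed only after the tag has been verified


def checkpoint_decision(token, printed_name, id_name, key):
    """Compare the authenticated barcode with the paper pass and the ID."""
    fields = verify_pass(token, key)
    if fields is None:
        return "reject: barcode not authentic"
    if fields["name"] != printed_name:
        return "reject: printed pass does not match barcode"
    if fields["name"] != id_name:
        return "reject: ID does not match barcode"
    return "accept"


if __name__ == "__main__":
    token = encode_pass(SAMPLE_PASS, DEMO_KEY)
    print(checkpoint_decision(token, "DOE/JOHN", "DOE/JOHN", DEMO_KEY))
    # Printed text edited, barcode left as issued: caught by the comparison.
    print(checkpoint_decision(token, "ROE/JANE", "ROE/JANE", DEMO_KEY))
    # Barcode body rewritten without the key: the old tag no longer verifies.
    raw = base64.urlsafe_b64decode(token)
    forged = base64.urlsafe_b64encode(
        raw[:TAG_LEN] + raw[TAG_LEN:].replace(b"DOE/JOHN", b"ROE/JANE")).decode()
    print(checkpoint_decision(forged, "ROE/JANE", "ROE/JANE", DEMO_KEY))
```

A valid tag only shows that whoever produced the barcode held the key, so the two risks raised in the thread, a leaked secret and an issuing service that can be made to sign bogus data, remain outside what this check covers.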
The boarding pass should never be shown at the gate, instead you should show your ID. The agent would then check it to make sure it's real and then scan it to see if you're in the database to fly that day. It is a simple solution. Someone needs to build a device that can read 90% of IDs.
Could you use the same trick to use your friend's ticket in general?
I've often had the situation of having an "extra" flight ticket for some reason. I've always thought that there is no way I can give the ticket away to a friend, but it seems like this could be a way to do it.
I've not run into that in any of my recent flights. I've seen it happen for international travellers but not for any of the domestic ones. It may also have to do with the fact that my flights were completely full and took nearly an hour to finish boarding.
[+] [-] kevinalexbrown|14 years ago|reply
[1] http://arstechnica.com/security/news/2008/06/tsa-defiant-pas...
Edit: The Soghoian blog post about the raid: http://paranoia.dubfire.net/2006/10/fbi-visit-2.html
[+] [-] jedbrown|14 years ago|reply
The bug has been closed as WONTFIX by the director of the TSA.
[+] [-] cstejerean|14 years ago|reply
[+] [-] sopooneo|14 years ago|reply
[+] [-] nirvana|14 years ago|reply
[+] [-] LogicX|14 years ago|reply
[+] [-] 6ren|14 years ago|reply
[+] [-] yardie|14 years ago|reply
[+] [-] LogicX|14 years ago|reply
[+] [-] chimeracoder|14 years ago|reply
[+] [-] lkozma|14 years ago|reply
[+] [-] bdunbar|14 years ago|reply
It's much the same in the states.
I went through eleventy-dozen checkpoints on the Mall, and elsewhere. All the guards searched my backpack at every check point.
On the way home I found I had left a charged magazine (8 .45 rounds) in the bottom of my backpack. Not especially well-hidden, just snugged under my spare socks.
D.C. seems to have the highest per-capita police presences in the US. And it's all useless and dumb and ineffective.
[+] [-] namdnay|14 years ago|reply
[+] [-] bconway|14 years ago|reply
[+] [-] chao-|14 years ago|reply
[1] http://www.chron.com/news/houston-texas/article/Teen-shot-at...
[+] [-] mhartl|14 years ago|reply
[+] [-] tnuc|14 years ago|reply
[+] [-] fr0sty|14 years ago|reply
[+] [-] narkee|14 years ago|reply
The gate agents definitely always check ID with the boarding pass.
[+] [-] tonywebster|14 years ago|reply
[+] [-] WestCoastJustin|14 years ago|reply
[+] [-] dantheman|14 years ago|reply
I hope it'd be illegal in the US to require it, not sure though.
[+] [-] notatoad|14 years ago|reply
[+] [-] Splines|14 years ago|reply
Probably not - I wouldn't expect them to, anyway.
[+] [-] rflrob|14 years ago|reply
[+] [-] nebkor|14 years ago|reply
It's too bad, though, about how impossible it is to make a fake ID.
[+] [-] ehthere|14 years ago|reply
[+] [-] quinndupont|14 years ago|reply
[+] [-] smhinsey|14 years ago|reply
[+] [-] hohead|14 years ago|reply
[+] [-] zalew|14 years ago|reply
[+] [-] FaceKicker|14 years ago|reply
[+] [-] rubiety|14 years ago|reply
[+] [-] _morgs_|14 years ago|reply
[+] [-] cpeterso|14 years ago|reply
[+] [-] biot|14 years ago|reply
[+] [-] vl|14 years ago|reply
(But then they know that response would be really asymmetrical).
[+] [-] jessriedel|14 years ago|reply
[+] [-] samwillis|14 years ago|reply
[+] [-] fr0sty|14 years ago|reply
[+] [-] namdnay|14 years ago|reply
[+] [-] chollida1|14 years ago|reply
> Give the ticket with your friend’s name to the gate agent who lets you board. It will match the flight information and you’ll be allowed to board.
I fly 4 times a month and each time I have to present a piece of photo ID at the gate to the flight attendant that has to match the name on the ticket, ticketing computer and of course me.
The above advice would seem to fail this test.
[+] [-] jzd131|14 years ago|reply
[+] [-] snowmaker|14 years ago|reply
[+] [-] nchuhoai|14 years ago|reply
[+] [-] Shenglong|14 years ago|reply
[+] [-] simcop2387|14 years ago|reply
[+] [-] Mordor|14 years ago|reply