Markey wants to outlaw testing airport security

Topics: Transportation
27 Oct 2006

From: Ervan Darnell

Oct. 27, 2006 — A computer security student working on his doctorate at
Indiana University Bloomington has created a Web site that allows anyone
with an Internet connection and a printer to create and print fake
boarding passes for Northwest Airlines flights.

"The Bush administration must immediately act to investigate,
those responsible, shut down the website, and warn airlines and
aviation security officials to be on the look-out for fraudsters or
terrorists trying to use fake boarding passes in an attempt to cheat
their way through security and onto a plane," wrote Rep. Edward Markey,
D-Mass., a senior member of the Committee on Homeland Security, in a
statement. [1]

Just when I think Congress cannot get any dumber, I'm proven wrong. As
if shutting down the website would keep a real terrorist from printing
a fake boarding pass. The kid did exactly the right thing by exposing
this weakness. It's the same problem as electronic voting, arguing
that secrecy can protect bad algorithms better than open source. As I
wrote sometime back, even outlawing hacking makes us less secure
because it catches the tester, and then leaves open the big security
hole for the real attacker. Markey and friends are responsible for
our security?

That the boarding pass, with the 2-D bar code and several bits of
information, is not cryptographically (public key) signed is
pathetic[2]. One wonders if the TSA actually consulted anyone that
knew something about security or if they just passed some bureaucratic
nonsense and assumed everyone was just going to follow it.

But, TSA officials also believe that it would do little to aid anyone
looking to do harm to airline passengers.

Then why do we annoy everyone with a process that doesn't do any good?

I have to wonder if the boarding pass can be so easily faked how easy
it would be to get on the plane? One hopes that the (private) airplane
security mechanism actually verifies that the boarding pass is in the
database of people who are supposed to be on the plane, rather than
just doing a checksum and then letting you grab an empty seat. Such
verification wouldn't necessarily make forgery difficult, but
presumably you'd conflict with a legit ticket and upon seeing two
of the same thing, questions would be asked.

[2] For the non-CS people reading this, it is possible to digitally
sign documents such that anyone can verify the contents and signature,
but without making it easy to create the document, and even
compromising the scanner at the airport wouldn't allow one to create it
(easily). None of the local TSA people would even know (or indirectly
handle) the private-key half of the password.

Ragnar mailing list
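
The signing scheme from footnote [2], combined with the duplicate check the post hopes the airline performs, as an added example that is not part of the original post. Ed25519 from Go's standard library stands in for whatever signature scheme an airline would pick; the pass layout, names and flight data are constructed.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Pass is a constructed record; the payload layout is an assumption.
type Pass struct {
	Payload []byte // bar-code contents, e.g. "NAME|FLIGHT|DATE|SEAT"
	Sig     []byte // airline's Ed25519 signature over Payload
}

// Issue runs only at the airline, the sole holder of the private key.
func Issue(priv ed25519.PrivateKey, payload string) Pass {
	return Pass{Payload: []byte(payload), Sig: ed25519.Sign(priv, []byte(payload))}
}

// Checkpoint is a scanner: it holds only the public key, which cannot sign.
type Checkpoint struct {
	pub  ed25519.PublicKey
	seen map[string]bool // payloads already admitted
}

func NewCheckpoint(pub ed25519.PublicKey) *Checkpoint {
	return &Checkpoint{pub: pub, seen: map[string]bool{}}
}

// Scan returns "ok", "bad signature" or "duplicate".
func (c *Checkpoint) Scan(p Pass) string {
	if !ed25519.Verify(c.pub, p.Payload, p.Sig) {
		return "bad signature"
	}
	if c.seen[string(p.Payload)] { // a copied pass verifies, so track reuse
		return "duplicate"
	}
	c.seen[string(p.Payload)] = true
	return "ok"
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	cp := NewCheckpoint(pub)
	genuine := Issue(priv, "DOE/JANE|NW123|2006-10-27|14C") // constructed data
	altered := Pass{Payload: []byte("ROE/RICHARD|NW123|2006-10-27|14C"), Sig: genuine.Sig}
	fmt.Println(cp.Scan(genuine), cp.Scan(altered), cp.Scan(genuine))
}
```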