Tuesday, September 16, 2008

Bar-Coded Boarding Passes – Secure, Mobile, and On The Way

As we’ve talked about earlier on the blog, TSA has taken a lot of steps to confirm ID: TSA Travel Document Checkers with magnifying loupes and black lights, the revised ID rules that affect people with no ID and developing Secure Flight. All that considered, we’re not naïve enough to say the system is foolproof. We’ve seen the “boarding pass generator” websites and know how to use Photoshop. In fairness, between the marking of boarding passes by TSOs at the checkpoint and the use of barcode scanners at the gate for most flights, it’s neither easy nor predictable to board a flight with a fake boarding pass. But the broader point is accurate – we could be better on this issue.

Some months ago, a team of people at TSA went to work on it. They’re working very closely with our airline partners to incorporate a strong digital signature into the barcode on every boarding pass. The technique we’ve selected allows existing 2D barcode scanners to read the basic flight information, but scanners equipped with the appropriate security keys can authenticate the information and determine if the name, date, flight number or any other information has been changed. It’s simple but very effective. The net result will be a boarding pass that is extremely resistant to tampering or forgery.

We’re already testing this concept in the field. Thanks to terrific cooperation from our airline partners, we’ve launched eight test sites where passengers can receive boarding passes on their mobile phones or PDAs (wait until you try it – it’s pretty slick). Click here to learn more about participating airports and airlines.

These mobile boarding passes have digital signatures embedded in the barcodes. Officers who do the document checking are equipped with handheld barcode scanners (generously on loan from our partners) and can confirm the authenticity of the boarding pass instantly. This isn’t rocket science – the (2010 NL East Champion) Nationals use the same process at their new ballpark – and it’s working really well for both TSA and passengers.

Next up, we’ll work on expanding from mobile boarding passes at a few sites to all formats of boarding passes across our system. Looking back on the progress that we’ve made over the past several weeks, we greatly appreciate the cooperation and commitment of our partners on this effort. In the meantime, you can check back here or at www.tsa.gov for specifics on where you can try the new mobile boarding passes.

99 comments:

Jim Huggins said...

Lynn,

First of all, I'm glad to see this moving forward. This closes one of the big loopholes (in my opinion) in the current screening process.

But I do have to nitpick a little bit (gee, what a surprise) ...

We’ve seen the “boarding pass generator” websites and know how to use Photoshop. In fairness, between the marking of boarding passes by TSOs at the checkpoint and the use of barcode scanners at the gate for most flights, it’s neither easy nor predictable to board a flight with a fake boarding pass.

I think you're missing the most obvious security hole, though. Currently, I can use two boarding passes to bypass security: one fake, one real.

Assume I'm a known terrorist. I buy a plane ticket under an assumed name (presumably, one not on the various selectee lists). I print my boarding pass at home for that flight. Also, at home, I print a forged boarding pass with my real name (which should be on a selectee list).

When I approach the checkpoint, I offer the TSA my fake boarding pass and real ID. The ID card matches the boarding pass, and the ID card looks genuine, so I get through security. I then throw the fake boarding pass away and use my real boarding pass (under my fake name) to board the aircraft.

Of course, this scenario becomes much more unlikely with the barcode scanner system ... you are now verifying that the boarding pass is legitimate, and that the boarding pass matches the presented ID. (Nothing is perfect, of course, but this will make the system much better.)

Miller said...

We’re already testing this concept in the field. Thanks to terrific cooperation from our airline partners, we’ve launched eight test sites where passengers can receive boarding passes on their mobile phones or PDAs (wait until you try it – it’s pretty slick).

I can't wait to hand over my cell phone to someone who is clueless and wants a chunk of paper. No thanks.

Click here to learn more about participating airports and airlines. These mobile boarding passes have digital signatures embedded in the barcodes. Officers who do the document checking are equipped with handheld barcode scanners (generously on loan from our partners) and can confirm the authenticity of the boarding pass instantly.

TSA still has problems with the basic requirements of security such as keeping weapons, incendiary devices, and explosives off of the aircraft. Get that down and then branch out into different areas. You're losing focus of your primary mission.

This isn’t rocket science – the (2010 NL East Champion) Nationals use the same process at their new ballpark – and it’s working really well for both TSA and passengers.

So how much did it cost them per seat? Again FOCUS. Gate to gate and airport to airport inconsistencies within TSA make this one of those 'what were they thinking when they came up with this scheme' moments.

Dave said...

What a waste. Just because some college kid subverted your pointless watch list, you find the need to come up with this. It too will be subverted and destroyed. I really don't care who is on a flight with me as long as they have gone through screening. Typical government waste.

Anonymous said...

I applaud your efforts in this area; maybe you have listened to some feedback from this blog after all on how easy it is to fake a boarding pass. However, I submit to you that the challenge the security community still faces goes well beyond the scope of the TSA into state DMVs and other agencies who issue identification media. While the "Real ID" measure does attempt to address bogus ID cards; until certain loopholes are closed in those agencies, you still have no way of knowing whether the individual presenting the ID is in fact who they claim to be. This is because, obviously, it's still too easy to apply for a valid ID on the basis of fraudulent source documents that any well-planned and well-financed terrorist operation can acquire. Once that's done, the authenticity of the boarding pass is really immaterial.

yangj08 said...

Japan's had this for at least a few years now. They've taken it even further and allow you to scan your frequent flyer card too.

Here's how the Japanese version works.

Trollkiller said...

The repeated "thunk" you keep hearing is the sound of my head striking my desk as I try to dumb myself down to the point that the illegal forced ID verification and 10 year old bar code technology will seem like a good use of resources in thwarting terrorism involving aircraft.

Can we please stop hassling passengers and spend some effort on securing commercial cargo, luggage, and screening airport and airline workers?

The other day a poll was released by Ipsos/McClatchy. That poll stated that 50% felt enough has been done in regards to screening requirements for passengers and luggage, 15% felt too much has been done already and 35% felt not enough has been done.

Here is my interpretation of the numbers, 50% are saying "please DON'T do anything else, enough is enough", 15% are saying "STOP overstepping your authority with statutorily illegal or unconstitutional acts", and 35% are saying "if my luggage is protected from terrorist by the TSA, how come my stuff keeps getting STOLEN?"

P.S. When a vendor is "generous" and loans you equipment it is so you take "ownership" of the new toy and buy it. It is a very old sales technique and by the sounds of it, the technique worked.

Anyone want to take bets on how long it takes before the 2D bar code is cracked and placed on the internet? I say by October 21st.

Anonymous said...

First of all, if you think that the combination of TSOs scribbling on the boarding pass and airline-owned barcode readers at the gate does anything for security, you are sorely mistaken. I would estimate that in only 1 flight out of 3 do I actually use the TSO-marked boarding pass to board the flight. Have you ever heard of seat changes, upgrades, flying standby, or irregular operations? Not to mention that I have a habit of misplacing boarding passes, so I tend to print 2 or 3 at home or at the kiosk. TSOs scribbling on BPs is just another visible form of security theater to make it seem like they are doing something.

Second, where's the Privacy Impact Statement for all the data the TSOs are going to be collecting from these boarding passes? Your little plan conveniently lets TSA keep a log of everyone's travel, indexed by name. Don't think we don't realize that.

Or are you going to make an outright lie, like with the virtual strip search machines, that it is "impossible" to store the data? (Re: the virtual strip search machines; if it truly were impossible to store the images, then TSA could never use the images for issuing civil fines or prosecutions, which I doubt TSA would find a tolerable arrangement.)

Anonymous said...

I have to disagree with the statement:

In fairness, between the marking of boarding passes by TSOs at the checkpoint and the use of barcode scanners at the gate for most flights, it’s neither easy nor predictable to board a flight with a fake boarding pass.


AFAIK, the bar-code check at the gate is done to compare the id code in the bar-code against that in a ticket database maintained by the airline. Unless the hand held bar code scanner shows the passengers name, and the attendant checks the name against the ticket and the passenger is required to show ID, it will not prevent someone from using someone else's ticket or a forged ticket with a valid bar-code, but different name. I don't recall seeing any attendants do the latter two things in the past several times I've flown.

As far as the markings applied, are you referring to the check marks the TSA personnel put on the boarding pass? I don't see how you could consider that secure, considering a bad actor could simply copy the mark over to this new boarding pass.



Also, for the "secure digital signature" what hashing / encryption algorithms are being used? Please tell me that TSA didn't roll their own encryption. That is usually the first mistake in designing an insecure system.

Anonymous said...

Miller, Get a life. Even when they try to close loopholes you (and I'm sure many others) complain. Instead of constantly complaining why don't you try this for a change: Great idea, making improvements that your customers called for is another small step forward to making air travel more secure for us Thanks. There that wasn't hard. If you want to make suggestions for further improvements, great, if not please do us all a favor and take your whining elsewhere. Great job TSA and Thanks for making me and my family more secure.

Phil said...

We need more details before this can be considered at all useful.

For instance, Lynn used the term digital signature rather loosely. If information is actually digitally signed, then who holds the signing key? Every airline? Does each have its own key? How are they protected?

Lynn, please provide some information for those of us who understand a bit about cryptography.

Anonymous said...

So, in order to make it more secure, are only people who have cell phones or PDAs going to be allowed to fly?

yangj08 said...

Oh, and after you approve my earlier post, I also wanted to add (which I should have earlier) that the plus side of the Japanese system is that it's automated- that is, you don't need to dedicate a TSO's time to scanning, only to the actual screening itself, which means more efficiency, which shows in faster and maybe shorter lines at security.

Adrian McCarthy said...

I read recently that 20 million Americans do not have government-issued photo ID. Are they forbidden from flying?

Adrian McCarthy said...

If the encryption key in these hand scanners is ever leaked, then the website boarding pass generators will be able to produce authentic barcodes.

When this is rolled out to all airports, there will be thousands of scanners out there. If just one of them ever goes missing, then all are compromised.

Perhaps they can be reprogrammed with a new encryption key if the original leaks. But that will take time, and there will be a transition period in which some boarding passes were coded with the original key and some with the new key. All-in-all, a logistical nightmare.

The only real way to solve this is to make the security checkpoint be the ticket counter.

Anonymous said...

TSA needs to stop wasting their time and my money on nonsense like this that does nothing to make anyone safer. Come to think of it, NOTHING TSA does makes anyone safer as long as all of the cargo that goes on planes isn't being screened. Deal with that and then maybe we can talk about your asinine fantasies.

Adrian McCarthy said...

If the TSA does manage to make it too difficult to tamper with the boarding pass, then it becomes a simple matter of changing your name to avoid matching the watch list.

http://www.cbc.ca/canada/montreal/story/2008/09/11/nofly-name.html

Of course, you might not need to go to the extreme of legally changing your name if you can just purchase your tickets with a variation of your name (or bribe^H^H^H^H^H tip your skycap).

But although the list is clearly bloated with misidentifications by every official's account, CNN has learned that it may also be ineffective. Numerous people, including all three Robinsons, have figured out that there are ways not to get flagged by the watch list.

Denise Robinson says she tells the skycaps her son is on the list, tips heavily and is given boarding passes. And booking her son as "J. Pierce Robinson" also has let the family bypass the watch list hassle.

Capt. James Robinson said he has learned that "Jim Robinson" and "J.K. Robinson" are not on the list.

And Griffin has tested its effectiveness. When he runs his first and middle name together when making a reservation online, he has no problem checking in at the airport.


http://www.cnn.com/2008/US/08/19/tsa.watch.list/index.html?imw=Y&iref=mpstoryemail

Identity has nothing to do with security. It's time to give up this charade. It's a waste of time and money. It's not feasible, and it's discriminatory.

Ayn R. Key said...

What is the legal basis for searching people who aren't trying to access the sterile areas of the airport with the new passive MMW machine?

Why won't you allow my comment on the lessons of 9/12 into the blog entry on the lessons of 9/11?

Where is the single authoritative list of rules that PASSENGERS, not TSOs, but PASSENGERS, must follow so that we can make sure we are within the rules and we can challenge lawbreaking TSOs at the checkpoints without losing our ability to fly?

How do on the spot fines for secret rules and for those who dare try to challenge the fines the doubling of the fine square with the Administrative Procedures Act?

Ayn R. Key said...

It is only a matter of time until this code is cracked. The DVD encryption was also cracked, and that was real security.

Anonymous said...

and this adds to security how???? It adds just like checking ids and other violations of the 4th amendment that TSA performs on a daily basis that add nothing to security or then more and more economic damage that has amounted to way more than 9/11 ever did.

Dave Nelson said...

Anybody who voluntarily consents to a screener reading their PDAs with a barcode reader of unknown capability is putting another nail in the coffin of our precious Constitution.

Anonymous said...

And what of those of us who don't have cell phones or PDA's or whatever?

Or those who refuse to use their cell phone or whatever for the boarding pass?

m simons said...

TSA should have been in with the airlines from the start with boarding pass standardization. But now that each has its own version, work with them to add another barcode in a uniform location and a set format.
And most importantly, GET ACCESS to their database (read only).
Then cross check the pass to the database.
Should even be able to make it a turnstile operation using the mag stripe on a drivers license (or passport) in conjunction with the bar code.

Stephen said...

looks...um.... expensive.

I am still waiting to hear what was so bad about the old system. I seem to remember printing out my own ticket information from orbitz years ago.

Frankly I am still waiting on hearing any justification for more spending on this stuff. I mean boarding passes, trains and planes have been doing them for so many years now.

They were adequate in the 90s, adequate in the 80s. Frankly, I just don't see why this is needed, much less how it justifies its own cost, esp when you figure the R&D and testing that must be going into it.

Seems like really low ROI to me, if not negative.

Though, that's generally the case with the war on boogeymen. It's always expensive to fight enemies that aren't out there and aren't planning anything.

I mean, sure maybe you can somehow come up with some magical case of screening, and identity verification that makes it nearly impossible for the boogeymen to get an "agent" on a plane.

Well, if they existed, they would just attack the line in front of the checkpoint to similar effect.

I have pointed this out before. Real security experts like Bruce Schneier have pointed it out.

Whoever controls the money doesn't seem to listen.

-Steve

Anonymous said...

When you buy tickets online you still need a credit card in your name or the fake name. Whatever ticket you use there is still a trace to you.
- Threats are always evolving and so security also has to evolve. Rules are everywhere not just at airports, i.e. speed limits, seat belts, no cell phones while driving and the list goes on. I myself like the old fashioned way of a paper ticket. We get herded around and searched at amusement parks, major sporting events and even schools. Is there a forum to comment on that? NO

Anonymous said...

> Should even be able to make it a turnstile operation using the mag stripe on a drivers license (or passport) in conjunction with the bar code.

I'm not sure I understand the "turnstile operation". Is that like what you do when you get on a subway? If all someone has to do is swipe a boarding pass, credit card and/or ID, who checks to make sure the person who uses the ID and boarding pass is in fact the person named thereon?

> When you buy tickets online you still need a credit card in your name or the fake name. Whatever ticket you use there is still a trace to you.

What about those "gift card" VISA cards you can buy in the grocery store with cash and has no name on it?

Tomas said...

Yet Another Anonymous wrote...
When you buy tickets online you still need a credit card in your name or the fake name. Whatever ticket you use there is still a trace to you.

Time before last I bought my ticket using a "refillable" prepaid VISA I'd got as a gift - no name at all, just an anonymous number on a card, bought by someone else for cash in another state from a kiosk at a mall with tens of thousands of customers.

I'm not at all certain those tickets were really all that trackable to me, and no one seemed the least concerned that I was buying tickets with my Christmas gift.

This move to better security on the boarding pass document is good so long as there is also a standard printed version available, as not everyone has a cellphone or cellphone service capable of handling the receipt, storage, and subsequent display of your 2D barcode.

In fact, even those who have cellphones with the capabilities may not have the personal capability to do that - for example my 83 year old mother... Please don't expect her to be able to do more with her cellphone than make or answer a simple telephone call.

Tom (1 of 5-6)

Miller said...

Miller, Get a life. Even when they try to close loopholes you (and I'm sure many others) complain.

Loopholes? Try doing what they were originally tasked to do in the first place and do that better than a 50% success rate.


Instead of constantly complaining why don't you try this for a change: Great idea, making improvements that your customers called for is another small step forward to making air travel more secure for us Thanks.

I've been in high tech for the past 30 years. Just because you have high tech that doesn't mean that the high tech is actually any better than doing things the old fashioned way. A good example of this is robots. A robot must be trained to do any function. Once trained it will do that function till the equipment wears out. Training that robot though might take several weeks to make it do a new job, whereas a person gets told to do a new job, assesses the job and does it within a few minutes/hours.

There that wasn't hard. If you want to make suggestions for further improvements, great, if not please do us all a favor and take your whining elsewhere.

Good, you are now thinking and I've got you angry. Here's a few suggestions:

Clear up all of the inconsistencies on TSA's main web page. In other words make all of your documents consistent. Update the web pages as well to reflect current policies, not something flopped out there months and even years ago.

Answer Trollkiller's and other's valid questions - straight up with no obfuscation.

Stop the war on liquids.

Stop the shoe war.

Treat both passengers and their belongings with common courtesy. Would you like to be screamed at and have your belongings trashed by a total stranger?

Obey the Constitution you (DHS) have sworn to uphold. That isn't being done.

Answer some of the posters with more than a new smoke screen, a song and dance routine. We aren't stupid and it angers us when you dance around an issue.

Great job TSA and Thanks for making me and my family more secure.

More secure? The airlines' SOP was responsible for the way 9/11 occurred. The airlines cleaned up its act by armoring the cockpit doors and by not complying with hijackers. Two very simple, but effective actions. Tell me how TSA measurably made ACTUAL security better. If you drag out the Potemkin measures I will answer each and every measure and show you how that doesn't provide any measure of security improvement.

Easy to hide behind anonymous.

Anonymous said...

Anonymous Anonymous said...

Miller, Get a life. Even when they try to close loopholes you (and I'm sure many others) complain. Instead of constantly complaining why don't you try this for a change: Great idea, making improvements that your customers called for is another small step forward to making air travel more secure for us Thanks. There that wasn't hard. If you want to make suggestions for further improvements, great, if not please do us all a favor and take your whining elsewhere. Great job TSA and Thanks for making me and my family more secure.
------------
Did you ever notice that the whining and complaining on this blog is due to the fact that we can never get a question answered.

Also the whining and complaining has made the TSA aware of what they need to change. Such as; complaint forms can be filed online, computer friendly bags, retractions of over zealous press statements, improved lines (i.e. the ski marked lanes). If we could actually affect change and felt there was a real dialogue with the TSA maybe some of the whining would stop and positive solutions could be presented.

Stephen said...

Anonymous said:

> I'm not sure I understand the
> "turnstile operation". Is that like
> what you do when you get on a subway?
> If all someone has to do is swipe a
> boarding pass, credit card and/or ID,
> who checks to make sure the person who
> uses the ID and boarding pass is in
> fact the person named thereon?

I have yet to hear a single credible reason as to why you need to do that except to create a job for someone to stand there and work the checkpoint and screen for boogeymen.

What I don't see is why I can't walk into an airport, walk up to the gate, pay in cash for a seat, and walk on the plane. No ID, no security checkpoint.

I have yet to see ANY indication that there is ANY difference in REAL SAFETY of air travel between today and the 1970s that's not SOLELY the result of aeronautics technology and improvements to the aircraft, aircrew, and air traffic management.

To restate, I firmly believe that airport security hit the point of diminishing returns probably BEFORE they outlawed people carrying their own firearms on the plane. Never mind the liquids ban.

-Steve
(A true fiscal conservative)

Stephen said...

To be fair:

It does look like cool technology. I always like seeing more use of digital signatures. I don't mean to come out as against research or tech. I am all in favor of security.

It looks like a pretty fair attempt at a good secure boarding pass. I still do question the need, as I was unaware that there had been any complaints of problems from the current system.

-Steve

yangj08 said...

"When this is rolled out to all airports, there will be thousands of scanners out there. If just one of them ever goes missing, then all are compromised."

Again, if they'd do like what Japan has and keep the readers fixed to the checkpoint (in Japan the reader is on a table next to the gate, I'm guessing to avoid the possibility of this scenario occurring) this wouldn't be a problem.

Jim Huggins said...

Is there some way to keep link-spam (like the one from Anonymous at September 18, 2008, 9:51 PM) out of this blog?

GSOLTSO said...

Miller said - "Good, you are now thinking and I've got you angry. Here's a few suggestions:

Clear up all of the inconsistencies on TSA's main web page. In other words make all of your documents consistent. Update the web pages as well to reflect current policies, not something flopped out there months and even years ago.

Answer Trollkiller's and other's valid questions - straight up with no obfuscation.

Stop the war on liquids.

Stop the shoe war.

Treat both passengers and their belongings with common courtesy. Would you like to be screamed at and have your belongings trashed by a total stranger?

Obey the Constitution you (DHS) have sworn to uphold. That isn't being done.

Answer some of the posters with more than a new smoke screen, a song and dance routine. We aren't stupid and it angers us when you dance around an issue."

First off, I agree with you 100% on the clear up the postings on the website, it is a fairly easy fix and it could be 5,000 times more user friendly so you guys would have a working knowledge of the rules and prohibited items.

The slayer of large (usually green, hairy and downright nasty looking) regenerating lummoxes asks some serious questions that can not be answered outright. He asks a lot of questions that fall under SSI and I would be really ticked off if the website started dispensing SSI to the masses.

As for stopping the "war" on shoes and liquids.... No. There are too many valid concerns associated with both of these and the technology has not caught up with the screening process at this time. You can raise Cain all you want, you can say (wrongly) that there is no threat for shoes or water. The capability for these items to pose a risk is simply too high to allow the procedure to change. IF the tech sector catches up, I will be the first one to hand you your shoes back and allow water to be taken through. Until the capability to screen improves in the tech sector, things are not likely to change.

Sandra said...

Nothing like indoctrinating them early:

http://www.dcexaminer.com/opinion/blogs/YeasandNays/Homeland_Security_Sesame_Style.html

"When it comes to securing the homeland, who better to help you sleep at night than various characters from the popular children’s show, “Sesame Street" ... ?!?

Seriously.

In a move that will make Bush administration detractors bring back those duct tape jokes again, the Department of Homeland Security has partnered up with the famous children’s show.

“We all want our children to feel safe in this world,” said Meryl Chertoff, wife of Homeland Security Secretary Michael Chertoff, at a ceremony held at the John Tyler Elementary School to announce the partnership. "And who better to do that than our Sesame Street friends, Grover and Rosita!”

Anonymous said...

LINK

So screeners at DIA can now carry into and out of the secured area anything that they want to? Must be good to be the king.

Stephen said...

Actually, even as one of the big detractors of spending the money, I don't see why losing a scanner is such a big deal.

If you assume that this is being done properly (which is not clear: I have yet to hear about an independent 3rd party review).

Done properly all you need is the information to be signed by a private key. The scanner then only needs the public key to check the signature.

Lose a scanner? no problem, all a person can then do is verify the signatures.

All well and good. Verified boarding passes. Though, the need is hardly obvious. I mean, I am unaware of any problems with the current system.

It's not like you can get someone's info, print your own boarding pass, and get on the plane...because the legitimate user is going to show up for his flight and you have a problem... so the "insecure" boarding passes aren't really even useful

The ONLY use is to have one person buy a ticket, to allow someone else to fly. So... how much of a problem is that really? I mean... seriously.

How much money is being thrown at such a limited non-problem? There is no issue here. This smells like another barrel of pork to me.

-Steve
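The scheme the post describes (flight fields that any scanner can read, with a signature only keyed scanners check) and the point in the comment above that a scanner needs nothing but the public key, sketched in Go as an added example; this is not TSA or airline code. The `^`-separated layout, the choice of Ed25519, the key ids `k1`/`k2` (two ids trusted at once, as during a key change) and the sample pass are assumptions, since the page does not say which format or algorithm is used.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed barcode layout for this example (not the airlines' real format):
//   <flight fields>^<key id>^<base64url Ed25519 signature>
// A scanner without keys reads everything before the first '^'.
const sep = "^"

// KeyStore is what a checkpoint scanner holds: public keys only, by key id.
type KeyStore map[string]ed25519.PublicKey

var (
	ErrFormat     = errors.New("malformed or unsigned barcode")
	ErrUnknownKey = errors.New("unknown signing key id")
	ErrBadSig     = errors.New("signature does not match the fields")
)

// SignPass runs on the issuer side, the only place the private key lives.
// The key id is signed together with the fields so it cannot be swapped.
func SignPass(fields, keyID string, priv ed25519.PrivateKey) (string, error) {
	if strings.Contains(fields, sep) || strings.Contains(keyID, sep) {
		return "", ErrFormat // the separator must stay unambiguous
	}
	sig := ed25519.Sign(priv, []byte(keyID+sep+fields))
	return fields + sep + keyID + sep + base64.RawURLEncoding.EncodeToString(sig), nil
}

// LegacyRead is what an existing 2D scanner without keys sees.
func LegacyRead(barcode string) string {
	return strings.SplitN(barcode, sep, 2)[0]
}

// VerifyPass runs on the checkpoint scanner. Several key ids can be trusted
// at once, so passes signed before and after a key change both verify.
func VerifyPass(barcode string, trusted KeyStore) (string, error) {
	parts := strings.Split(barcode, sep)
	if len(parts) != 3 {
		return "", ErrFormat
	}
	fields, keyID := parts[0], parts[1]
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", ErrFormat
	}
	pub, ok := trusted[keyID]
	if !ok {
		return "", ErrUnknownKey
	}
	if !ed25519.Verify(pub, []byte(keyID+sep+fields), sig) {
		return "", ErrBadSig
	}
	return fields, nil
}

// DemoKey derives a fixed key pair from a constructed seed byte so the demo
// is repeatable. A real issuer would generate its keys randomly.
func DemoKey(seedByte byte) (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seedByte}, ed25519.SeedSize))
	return priv, priv.Public().(ed25519.PublicKey)
}

func main() {
	oldPriv, oldPub := DemoKey(1)
	newPriv, newPub := DemoKey(2)
	scanner := KeyStore{"k1": oldPub, "k2": newPub} // public halves only

	fields := "DOE/JANE|2008-09-16|XX123|12A" // constructed sample pass
	pass, _ := SignPass(fields, "k1", oldPriv)
	fmt.Println("legacy scanner reads:", LegacyRead(pass))

	_, err := VerifyPass(pass, scanner)
	fmt.Println("genuine pass:", err)

	tampered := strings.Replace(pass, "DOE/JANE", "ROE/JOHN", 1)
	_, err = VerifyPass(tampered, scanner)
	fmt.Println("name changed:", err)

	newer, _ := SignPass(fields, "k2", newPriv)
	_, err = VerifyPass(newer, scanner)
	fmt.Println("pass under second key:", err)

	// Holding the scanner's contents yields no private key; a signature made
	// with any other key fails against the trusted public key.
	otherPriv, _ := DemoKey(9)
	forged, _ := SignPass("ROE/JOHN|2008-09-16|XX123|12A", "k1", otherPriv)
	_, err = VerifyPass(forged, scanner)
	fmt.Println("signed with another key:", err)
}
```

If the scanners instead shared a symmetric secret with the issuer, the same store would be enough to sign, which is the case the earlier comments about a lost scanner are worried about.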

Anonymous said...

My prediction:

A TSO on the midnight 'dead stretch' shift at an airport somewhere (probably LAX domestic..) will be listening to their personal music player at high volume while the other two TSO's on duty are reading entertainment magazines, and they won't notice that someone has walked off with their super-duper-secret barcode scanner.

Fifteen minutes later, after cloning the contents of the various memories contained in the scanner to a laptop, someone will cause it to reappear where it was. The distracted TSOs will not notice the scanner's return.

Thirty minutes later, after decompiling the ROM image and analyzing the results, a ROT-13/PL (Rotate-13/Pig Latin) encoder is written to create arbitrary barcodes for home-printed boarding passes.

The resultant perl script will be mentioned on Slashdot, BoingBoing and Hackaday, with direct bittorrent links, ensuring distribution around the world in minutes

The easiest solution would be to return to the more expensive 'punch card' style boarding passes of yester-decade, and eliminate the 'print your own boarding pass' loophole entirely? The TSA keeps telling us that security is by its very nature an inconvenience, so maybe they should take their own advice?

Sound far-fetched? I don't think so.

Lynn said...

To Miller and GSOLTSO - re:

Clear up all of the inconsistencies on TSA's main web page. In other words make all of your documents consistent. Update the web pages as well to reflect current policies, not something flopped out there months and even years ago.


That is in the works right now. Our IT and web team are working on redoing the content and creating some tools to make the information easier to use. I've sent these comments to them, and if you have other suggestions to make the info more helpful, please post it and we'll use it.

Lynn
EoS Blog team

Anonymous said...

Another intrusion into our daily lives in a feeble attempt at security at any cost.

Anonymous said...

"Is there some way to keep link-spam (like the one from Anonymous at September 18, 2008, 9:51 PM) out of this blog?"

I would have thought the moderation process would catch those.

I loved the way someone snuck a link for their laptop product into the laptop thread.

Every link improves their rating in Google.

Surprised your post got through. They deleted my others that kept pointing out how the site keeps getting gamed.

Miller said...

You can raise Cain all you want, you can say (wrongly) that there is no threat for shoes or water. The capability for these items to pose a risk is simply too high to allow the procedure to change. IF the tech sector catches up, I will be the first one to hand you your shoes back and allow water to be taken through. Until the capability to screen improves in the tech sector, things are not likely to change.

So do Schiphol and Helsinki airports have better technology than we do? Do the airports in Japan have better technology than we do? They canceled the war on both shoes and liquids. Why do we insist on waging a very expensive war on fluff? Is it due to being embarrassed when you are forced to admit that you are wrong?

Anonymous said...

GSOLTSO said...
As for stopping the "war" on shoes and liquids.... No. There are too many valid concerns associated with both of these and the technology has not caught up with the screening process at this time. You can raise Cain all you want, you can say (wrongly) that there is no threat for shoes or water. The capability for these items to pose a risk is simply too high to allow the procedure to change. IF the tech sector catches up, I will be the first one to hand you your shoes back and allow water to be taken through. Until the capability to screen improves in the tech sector, things are not likely to change.
-------
It's this sort of thinking that makes me ask the same question, in Europe and Israel they have been dealing with real terrorist incidents since the early 1970's. Yet when you board a flight in those countries your shoes stay on and there are no liquids restrictions. So why only in America? Richard Reid's flight originated from London and yet you don't have to take your shoes off. The liquid explosive plot was in London and yet there is no war on fluids in English airports.

I'd like an answer that does not involve "because we said so" or "this is not Europe". To one poster they will claim I am whining, I say that the flying public is entitled to a valid reason why this only happens in America.

Anonymous said...

"I've sent these comments to them, and if you have other suggestions to make the info more helpful, please post it and we'll use it."

Drop the mandatory shoe removal, dump the pointless and indefensible 3.4-1-1 policy, and stop wasting time with interminable ID checks. None of these things make anyone's lives a lick safer and getting rid of them will make your jobs easier, travel safer (since screeners will be free to focus on real threats), and the citizens you serve happier.

Also, as long as you're taking suggestions, might I suggest that you clarify just what the policy for a citizen seeking to travel by air who declines to show ID but is willing to undergo an invasive interrogation about his or her political affiliations and personal finances is? According to your blog, such a person is too dangerous to fly. According to screeners posting in comments, this person will be screened and permitted to fly. Which is correct, and why have you not used your blog to announce the change as loudly as you did the initial policy?

Anonymous said...

That is in the works right now. Our IT and web team are working on redoing the content and creating some tools to make the information easier to use. I've sent these comments to them, and if you have other suggestions to make the info more helpful, please post it and we'll use it.

Glad to hear. I wish you guys would do more posts like this. Seems like you guys were working on the boarding pass loophole for a while... Why did you not just say "we are working on it"? We don't need a blow by blow account... just a heads up would be nice. :)

Lynn said...

@ Anonymous:

Second, where's the Privacy Impact Statement for all the data the TSOs are going to be collecting from these boarding passes? Your little plan conveniently lets TSA keep a log of everyone's travel, indexed by name. Don't think we don't realize that.

We're not collecting any information. It is true that any time you use any kind of scanner, you could set it up to do so. We have not. And we have done a Privacy Impact Assessment for this - I'll hunt for the link and post it.

Lynn
EoS Blog Team

Lynn said...

Anonymous said...
So, in order to make it more secure, are only people who have cell phones or PDAs going to be allowed to fly?

Not at all - this is currently an option for those who have the cell phones and PDAs. Eventually we'd like to use a similar approach to secure all boarding passes.

Lynn
EoS Blog Team

Tomas said...

Lynn wrote...
That is in the works right now. Our IT and web team are working on redoing the content and creating some tools to make the information easier to use. I've sent these comments to them, and if you have other suggestions to make the info more helpful, please post it and we'll use it.

I have one strong suggestion, Lynn, assign someone the specific job of updating and keeping consistent the information on the TSA's web site as changes occur.

Give them a time frame such as "one week" for those updates to be made.

Make accomplishing this a "condition of employment" so they are more concerned with keeping the information current and correct than they are with coming up with excuses as to why the information is over two years out-of-date in some places.

Institute tracking of changes so the difference between a change being made and the update of public information is easily visible.

And lastly, the person given this responsibility should be a manager so they have the ability to create large amounts of heat under those slow or reluctant to provide them timely information.

Keeping those "two million flyers a day" who are your employers informed is, or at least should be, an important part of the TSA's job.

Make it so. Keep it so.

You pledged an oath to us, follow through.

Thanks,
Tom (1 of 5-6)

Anonymous said...

Anonymous said...
So, in order to make it more secure, are only people who have cell phones or PDAs going to be allowed to fly?

And then Lynn said: Not at all - this is currently an option for those who have the cell phones and PDAs. Eventually we'd like to use a similar approach to secure all boarding passes.

******
That's my point. Not everyone has a cellphone or PDA, and not everyone will necessarily have a cellphone or PDA in the future. Some people simply don't want/need them. I guess those people won't fly when it becomes mandatory, right?

Sandra said...

So where's my post about Sesame Street and DHS? Doesn't suit your parameters?

Lynn said...

"That's my point. Not everyone has a cellphone or PDA, and not everyone will necessarily have a cellphone or PDA in the future. Some people simply don't want/need them. I guess those people won't fly when it becomes mandatory, right?"

Not sure if you're serious or not - the answer is absolutely not. As I said earlier, we're looking at additional ways to secure boarding passes.

Lynn
EoS Blog team

Lynn said...

Here's the link to the Privacy Impact Assessment related to the bar coded boarding passes:

http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_bpss.pdf

Lynn
EoS Blog team

GSOLTSO said...

1st off YAY LYNN!!!! I hope that this comes out soon for the public, it will help cut down on a lot of the stuff I see posted here from infrequent travellers that have a bad day.

2nd Miller said - "So do Schiphol and Helsinki airports have better technology than we do? Do the airports in Japan have better technology than we do? They canceled the war on both shoes and liquids. Why do we insist on waging a very expensive war on fluff? Is it due to being embarrassed when you are forced to admit that you are wrong?"

Uhhhhh..... I dunno, I am pretty sure that Japan has top of the line equipment. Helsinki... I haven't ever been there and amazingly enough, I couldn't really dig up a lot on their equipment. Schiphol... (where is Schiphol, you have me at a loss on that one) I can tell you that there is equipment out there available that offers a TON more in the detection spectrum. The problem is the funding issues it is all quite costly and most of the really good equipment is costly to maintain (especially in a checkpoint environment have you LOOKED at the stuff that flies around in the air at those places?). I am a big champion for the new tech available, but I am also leery of paying $1.7 million for an X-ray machine. Sorry, guess that was a long winded way of saying I am not sure of what tech they all have available.

GSOLTSO said...

Sorry, I missed this earlier, Troll PLEASE stop beating your head on the desk, you are off beat with my headphones! I think that this is actually an ok step forward as it will allow a bit more speed at the document checker. As long as it is merely a closed circuit verification of authorization, not a data based operation (by that I mean it should be a verification procedure only, sort of a matching up system that says "passenger A has an e-ticket for flt 3221" and no other data.... no database assigned, etc). I agree that the encryption systems will need to be access controlled due to the digital signature generated. If we can establish proper protection protocols for the encryption systems (such as making the scanning terminals either "dumb" terminals or ensuring that the information in the digital signature is not personal info in nature) it will provide a quicker experience at the document checker. Maybe this will even get its own dedicated lane in the future once the system is up to speed.... wouldn't that be cool? Walk up say "hi", hold out your PDA beep "Thanks Sir/Ma'am have a nice day", screen and go... This would be a huge hit with the everyday travellers.

Anonymous said...

About the removing of shoes and limits on liquid; considering that those attempts were unsuccessful, do you seriously think someone would try them again? Since they didn't work, a different method would be employed.

There's no need to x-ray shoes and limit liquids. Security theater at its finest.

Anonymous said...

Anonymous said...


"It's this sort of thinking that makes me ask the same question, in Europe and Israel they have been dealing with real terrorist incidents since the early 1970's. Yet when you board a flight in those countries your shoes stay on and there are no liquids restrictions. So why only in America? Richard Reid's flight originated from London and yet you don't have to take your shoes off. The liquid explosive plot was in London and yet there is no war on fluids in English airports.

I'd like an answer that does not involve "because we said so" or "this is not Europe". To one poster they will claim I am whining, I say that the flying public is entitled to a valid reason why this only happens in America."


Because our government has decided that these pose a valid threat to the flying public. Evidently their government has decided otherwise.

Don't ask me, I still don't see the reason for this.

Dave said...

Are you guys ashamed about the process that a college student created to bypass your meaningless ID checks and worthless watch-list? In typical TSA fashion, your reaction is:

1. Decide to throw more $$$'s recklessly at a non-issue.
2. Forget to realize that whatever you do on the technology front will be cracked - after you wasted all of our money on #1.
3. Secretly begin collecting and storing data on those devices, before getting outed and issuing an apology "for the children".

You all should be ashamed of yourselves. Give it up.

Anonymous said...

What good does this rule do when the TSA can't even follow its own?

Denver TSA personnel bypassing security.

Anonymous said...

"As I said earlier, we're looking at additional ways to secure boarding passes."

Why? Describe the precise benefits to security that "secure boarding passes" would provide. I doubt you can -- ever since you instituted the draconian new ID policies that may or may not still be in place, we have been asking you to explain what security benefit your attempts to verify ID provide, and you have completely and utterly failed to do so. Could it possibly be because there's NO benefit to doing so?

Anonymous said...

@ ayn r. key

What is the legal basis for searching people who aren't trying to access the sterile areas of the airport with the new passive MMW machine?

Why would we search people who are not going to the sterile side of an airport? They are not going through the security checkpoint then.

Where is the single authoritative list of rules that PASSENGERS, not TSOs, but PASSENGERS, must follow so that we can make sure we are within the rules and we can challenge lawbreaking TSOs at the checkpoints without losing our ability to fly?

There is no such list with everything there for you to see in one section. This is a burden but as the bloggers have said, they are trying to fix how information is available to the public. The best thing for now is the website with information every which way. Most of the information is good information.

How do on the spot fines for secret rules and for those who dare try to challenge the fines the doubling of the fine square with the Administrative Procedures Act?

I don't know about this but from the sound of it, if you are fined you obviously are not cooperating or doing something right.

Ryan said...

First the claim that "only in America" is there a "war" on liquids simply isn't true. (I will reserve all the "egg on face" comments people like to make at TSA's expense for later.) The Brits have a similar ban, they are discussing ending it however it remains to be seen.

http://news.bbc.co.uk/2/hi/uk_news/7607043.stm

Further the theory that "they do it this way in some airport in another country" isn't a valid argument. Every country operates based on its own laws, its own threats. The Israelis don't screen liquids ergo... we shouldn't either. However the Israelis also profile people like it's going out of style. So do we pick and choose what techniques we borrow from the Israelis? Or do we allow liquids and profile to follow the Israeli model?

MarkVII said...

Lynn --

I'm glad to hear that someone is consolidating the various rules, and I second Tomas' response on making someone seriously accountable for the completeness, accuracy and timeliness of updates.

A few suggestions on document control

As a general framework, look into the document control procedures found in ISO 9000/9001. The auto industry has its own flavor called QS9000 which is similar. The basic concept here is having a master set of documents where updates are controlled.

Have a "single source of truth" document that is updated first. All updates are derived from the source of truth. This document will probably end up being very large, as it will need to be comprehensive. However, this will help with the problem of having to assemble bits of information from a number of sources to assemble the picture, which is a current source of frustration for flyers.

Maintain a list of the current documents, their revision numbers and dates. Send this list to all concerned (local offices, FSM's, etc.) and require periodic reviews to ensure that local document copies are kept up to date and that superseded documents are taken out of circulation. We did this quarterly in the military, and this approach served us well.

A few suggestions on content

Use layman's terms, define the terms you use, and provide examples. For example, checkpoint personnel are fond of the catchphrase "liquids, gels and aerosols", but try to find a definition of exactly what is covered by this phrase. To my way of thinking, lipstick is not a "liquid, gel, or aerosol", but some checkpoints say it is. If some items commonly present a problem in interpreting the rules, point these out.

Put some constraints around local embellishments of requirements, so that they don’t turn into “every airport has its own rules.” Examples – 3oz bottles having to be “labeled”, bottles have to be translucent, the 1 quart bag has to be certain dimensions, the 1 quart bag has to be “zip top” but cannot have an actual zipper.


Thoughts on validating the outputs

Have some people that are unfamiliar with your documents read them and give comments. Ask them to look for gaps in content and vague or ambiguous passages. Give them some sample items to decide what to put in the ziploc and what can go in the carryon. See if you get the results you expect. Document content needs to be reviewed by outsiders to the process, who don't have the "tribal knowledge" to fill in the gaps, make interpretations, etc.

Give some inexperienced users some subjects to research and have them try to find the answers in the printed materials and on your website. We have a saying in my line of work, "if the user can't find it, it's not there."

WDavidStephenson said...

Very cool: I wrote an op-ed in the Boston Globe in October 2001 about a variety of web-based measures the government could take to improve security and the economy, and the title the Globe put on it says it all about this step: "Fight Terrorism with PalmPilots."
W. David Stephenson
Stephenson Strategies

Anonymous said...

Anonymous said: "That's my point. Not everyone has a cellphone or PDA, and not everyone will necessarily have a cellphone or PDA in the future. Some people simply don't want/need them. I guess those people won't fly when it becomes mandatory, right?"

Then Lynn said: "Not sure if you're serious or not - the answer is absolutely not. As I said earlier, we're looking at additional ways to secure boarding passes."

***

Yes, I am serious. What I fear is the logical progression of events, based on TSA history: 1) boarding passes via cellphone or PDA become possible, 2) boarding passes via cellphone or PDA become preferred, 3) boarding passes via cellphone or PDA become mandatory.

Anonymous said...

I don't understand how this helps me. I can stick a paper pass and my ID in my pocket as I struggle to take my shoes off, pull out laptops and liquids. I can also walk through the metal detector with the paper pass and ID with me. I cannot do that with a phone or PDA. How about actually helping us ending with stupid policies that help no one?

Anonymous said...

Any word on when you're training your agents not to be complete and utter idiots?

This time last year:
http://boingboing.net/2007/09/21/mit-student-arrested.html

The student in question (arrested for having a shirt with batteries and LEDs attached) has since left MIT.

You don't need sophisticated training to discern the difference between a bomb and some lights with a battery. You need the knowledge provided by the basic circuitry lab you did in high school.

Great quote from the AP news item:
"She's extremely lucky she followed the instructions or deadly force would have been used," Pare told The Associated Press. "And she's lucky to be in a cell as opposed to the morgue."

Yet another example of the effects of our fear of terrorism and our massively overblown responses to it. TSA does nothing to help assuage these fears, it makes them worse and it's only a matter of time before someone innocent dies.

Blog team, I'd appreciate your comments on this case, and what might be done to prevent such incidents in the future. And DON'T say proper procedures were followed and no one is at fault. Someone panicked and an innocent girl came close to death as a result.

TSA Levi said...

Anonymous said...
My prediction:

A TSO on the midnight 'dead stretch' shift at an airport somewhere (probably LAX domestic..) will be listening to their personal music player at high volume while the other two TSO's on duty are reading entertainment magazines, and they won't notice that someone has walked off with their super-duper-secret barcode scanner.

Fifteen minutes later, after cloning the contents of the various memories contained in the scanner to a laptop, someone will cause it to reappear where it was. The distracted TSOs will not notice the scanner's return.

Thirty minutes later, after decompiling the ROM image and analyzing the results, a ROT-13/PL (Rotate-13/Pig Latin) encoder is written to create arbitrary barcodes for home-printed boarding passes.

The resultant perl script will be mentioned on Slashdot, BoingBoing and Hackaday, with direct bittorrent links, ensuring distribution around the world in minutes.

The easiest solution would be to return to the more expensive 'punch card' style boarding passes of yester-decade, and eliminate the 'print your own boarding pass' loophole entirely? The TSA keeps telling us that security is by its very nature an inconvenience, so maybe they should take their own advice?

Sound far-fetched? I don't think so.

September 19, 2008 11:16 AM


Actually, the system that we're testing would not be compromised by the theft of a scanner. Public key infrastructure would allow scanners to be loaded with only the public keys to read digital signatures, not with the private keys that are needed to create them.

TSA Levi said...

Lynn said...
"That's my point. Not everyone has a cellphone or PDA, and not everyone will necessarily have a cellphone or PDA in the future. Some people simply don't want/need them. I guess those people won't fly when it becomes mandatory, right?"

Not sure if you're serious or not - the answer is absolutely not. As I said earlier, we're looking at additional ways to secure boarding passes.

Lynn
EoS Blog team

September 19, 2008 5:13 PM

Just to expand further on Lynn's explanation: the digital signature referenced in our post can be inserted into any 2D barcode, whether it's displayed on a screen or printed on paper. We tested the signature with electronic boarding passes first since it was easiest to implement there, but the intent is to place that same signature in all formats of boarding passes.

Mr. Gel-pack said...

GSOLTSO @"As for stopping the "war" on shoes and liquids.... No. There are too many valid concerns associated with both of these and the technology has not caught up with the screening process at this time. You can raise Cain all you want, you can say (wrongly) that there is no threat for shoes or water. The capability for these items to pose a risk is simply too high to allow the procedure to change. IF the tech sector catches up, I will be the first one to hand you your shoes back and allow water to be taken through. Until the capability to screen improves in the tech sector, things are not likely to change."

Hey, your leaky screening procedures already allow water to be taken through. As long as you rely on an essentially visual inspection process you will always miss things. Your system is ineffective at keeping "the moist" off the plane. Things need to change.

TSA itself is the most clear example of how the terrorists have already won, and how they will continue winning. Until things change, 2,000,000 people per day are paying the TSA fear tax.

Phil said...

Lynn, did you actually mean "digital signature"?

Assuming that the information on these bar-coded boarding passes is actually digitally signed, who holds the signing key? Every airline? Does each have its own key? How are they protected? If a key is revoked due to security compromise, what will happen to passengers who hold boarding passes signed with the revoked key?

Lynn said...

In response to Anonymous:

The student in question (arrested for having a shirt with batteries and LEDs attached) has since left MIT.

Blog team, I'd appreciate your comments on this case, and what might be done to prevent such incidents in the future. And DON'T say proper procedures were followed and no one is at fault. Someone panicked and an innocent girl came close to death as a result.


Happy to respond to this. TSA officers had no involvement in this incident. This is another case of someone assuming that because it happened in an airport, it must have been TSA. Not so. The person who spotted the woman was an airport employee (at an Information Desk, I believe). This actually happened on the Baggage Claim level of the airport. The airport employee called the police, not TSA.

Just saw a video interview with the MIT student, and in the video, she says: "I didn't meet any TSA people that day."

Click here to see the video.

In the text that accompanies the video, the blogger says the woman was "tackled by security" so many would assume it was TSA. It's not the first time it's happened and it's not the last, I'm sure.

So in this case, you owe our officers an apology. :-)

Lynn
EoS Blog Team

Lynn said...

@ markvii:

Thanks for the comments and suggestions. We're actually doing some of the things you've suggested. You've provided other good insights, and they're much appreciated.

Lynn
EoS Blog team

Bob Eucher said...

I have a question about the bar-coded PDA/cellphone boarding pass.

When the TSA is yelling to everyone to keep your boarding pass out for verification at the WTMD, what do the people that used their PDA/cellphone do?

Also how does the TDC mark or initial that he or she verified it, as is done with a paper boarding pass?

I think that throws your entire TDC marking a paper boarding pass out the window.

Al Ames said...

"So in this case, you owe our officers an apology. :-)" - Lynn

I'm still waiting for an apology from TSA for all the wasted money, trampling of rights, and high failure rate from security.

Anonymous said...

This is why the 311 rule still exists.

http://news.bbc.co.uk/2/hi/uk_news/7607043.stm

Anonymous said...

When will everyone be required to be a 'trusted traveller' to fly? That is to submit biometrics such as fingerprints, iris scans, blood samples, etc. Because as we've already established, a picture ID doesn't prove much.

yangj08 said...

@GSOLTSO-"Uhhhhh..... I dunno, I am pretty sure that Japan has top of the line equipment. "

Exactly- liquid-screening technology that the US should be obligated to implement as well. Now the only liquid banning they have to do is on international flights (I wonder which country complained and threatened to deny landing rights...).

Japan has also had the technology we're talking about here since 2006, and like I said, they extend theirs to e-tickets (boarding pass is printed by the reader at screening- no more verification issues for TSA to handle if the US does the same) and frequent flyer cards (RFID technology- not as insecure as people claim).

Top-of-the-line. And if the TSA actually cared about security they'd implement it.

Anonymous said...

Anonymous said...
Any word on when you're training your agents not to be complete and utter idiots?

This time last year:
http://boingboing.net/2007/09/21/mit-student-arrested.html

The student in question (arrested for having a shirt with batteries and LEDs attached) has since left MIT.

You don't need sophisticated training to discern the difference between a bomb and some lights with a battery. You need the knowledge provided by the basic circuitry lab you did in high school.

Great quote from the AP news item:
"She's extremely lucky she followed the instructions or deadly force would have been used," Pare told The Associated Press. "And she's lucky to be in a cell as opposed to the morgue."

Yet another example of the effects of our fear of terrorism and our massively overblown responses to it. TSA does nothing to help assuage these fears, it makes them worse and it's only a matter of time before someone innocent dies.

Blog team, I'd appreciate your comments on this case, and what might be done to prevent such incidents in the future. And DON'T say proper procedures were followed and no one is at fault. Someone panicked and an innocent girl came close to death as a result.

September 22, 2008 10:42 AM

You lose all credibility when you start your comment with an insult.

As Lynn pointed out your argument lies with the Mass State Police and with the Airport Authority -Massport, not with the TSA. You sound slightly intelligent so I'll make a suggestion for your future postings; do your research first and make sure it is complete and unbiased then post your comments and finally do not start off insulting others if you care to be taken seriously.

Anonymous said...

"I don't know about this but from the sound of it, if you are fined you obviously are not cooperating or doing something right.

September 21, 2008 12:01 PM"

How about a list of rules a traveler must comply with at a TSA checkpoint so we may all avoid the chance of a fine!

Only seems fair and right that I know exactly what is expected of me when moving through a government checkpoint.

Can the TSA legal department give a compelling reason for not providing the public a list of rules I must comply with?

Miller said...

yangj08 said...

@GSOLTSO-"Uhhhhh..... I dunno, I am pretty sure that Japan has top of the line equipment. "

Exactly- liquid-screening technology that the US should be obligated to implement as well. Now the only liquid banning they have to do is on international flights (I wonder which country complained and threatened to deny landing rights...).

Japan has also had the technology we're talking about here since 2006, and like I said, they extend theirs to e-tickets (boarding pass is printed by the reader at screening- no more verification issues for TSA to handle if the US does the same) and frequent flyer cards (RFID technology- not as insecure as people claim).


Japan has top of the line equipment. That statement says much about TSA and the way they've squandered the $6,000,000,000 a year in tax payer and travelers funds on a Potemkin-esque security system. Why is that so? Could it be that Japan values true security and does what is needed before purchasing a pig in the poke? Could it be that Japanese security measures are proven effective before being purchased?

I've been involved in the procurement process before and witnessed the effects of a poorly written specifications document upon the cost of a contract. If the specifications documents for new equipment were as poorly written as some of the other DHS documentation dumped onto the American public then I understand why we have marginally functioning equipment at our airports. A situation like this reflects poorly on both DHS and the politicians who turned DHS loose on Americans without having any checks and balances built into the DHS. We've got the 'security at any cost' and quite frankly it costs too much.

We hemorrhage money like there is no tomorrow all the while, terrorists sit back and bide their time. How many terrorists has all of DHS caught? 1000? 100? 10? Even one? Let's say that 10 terrorists were caught by DHS over the past three years. That works out to roughly 1.8 billion dollars to capture each of the terrorists. I don't know about you, but 1.8 billion dollars per terrorist is a whole lot of money that could have been spent on the CIA, NSA, FBI, etc to gain real information on actual terrorist threats. How about some oversight on how the money at DHS gets spent?

FYI Schiphol is the airport at Amsterdam. Security there is top notch without the pointless war on both shoes and liquids.

Ayn R. Key said...

Anonymous, September 21
Why would we search people who are not going to the sterile side of an airport? They are not going through the security checkpoint then.

See blog entries:
New Security Technologies Make Airport Debut
More on Passive Millimeter Wave Technology

Both of which are MMW scanning taking place at areas other than the entrance to the sterile area.

There is no such list with everything there for you to see in one section.

That should be rectified immediately.

I don't know about this but from the sound of it, if you are fined you obviously are not cooperating or doing something right.

You can be fined for 'non-physical interference with a TSO' which means if you talk back by saying, oh for example, "the TSA's rules allow me to keep this", you can be fined for interfering with their job. That is TSA policy, but it is in violation of the Administrative Procedures Act. Challenging the fine doubles the fine, also in violation of the Administrative Procedures Act.

TSA Levi said...

Phil said...
Lynn, did you actually mean "digital signature"?

Assuming that the information on these bar-coded boarding passes is actually digitally signed, who holds the signing key? Every airline? Does each have its own key? How are they protected? If a key is revoked due to security compromise, what will happen to passengers who hold boarding passes signed with the revoked key?

September 22, 2008 3:10 PM

Excellent questions. Yes, we're talking about digitally signing the information in the boarding passes. The benefit is that this allows TSA to confirm validity of a boarding pass without a connection to a database (something which would be more challenging and expensive to implement at hundreds of airports). This project is still in the pilot test phase, so there's not a great deal we can say about our plans for maintaining keys or dealing with a compromise. We're working very closely with airlines to sort these questions out and feel that the current pilot tests will help to establish what works best.
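An added illustration, not part of the comment above and not TSA or airline code, of how a scanner holding only public keys can check a signed pass offline, and what revoking a key does to passes already issued. The pipe-delimited barcode layout, the per-airline key ids and the use of Ed25519 are assumptions, since the page does not describe the pilot's format.

```javascript
// Added example. The pipe-delimited layout, key ids and choice of Ed25519 are
// assumptions for illustration; the page does not describe the real format.
const nodeCrypto = require('node:crypto');

// Airline side: one signing key pair per key id (hypothetical scheme).
function makeIssuer(keyId) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return { keyId, publicKey, privateKey };
}

// Sign name|flight|date|keyId and append the base64 signature as a fifth field.
function issuePass(issuer, { name, flight, date }) {
  const fields = [name, flight, date, issuer.keyId];
  if (fields.some((f) => typeof f !== 'string' || f.includes('|'))) {
    throw new Error('field missing or contains the delimiter');
  }
  const payload = Buffer.from(fields.join('|'), 'utf8');
  const sig = nodeCrypto.sign(null, payload, issuer.privateKey);
  return `${fields.join('|')}|${sig.toString('base64')}`;
}

// Checkpoint side: only public keys and a revocation set, both loaded onto the
// scanner ahead of time, so no database connection is needed per scan.
function verifyPass(barcode, trustedKeys, revokedKeyIds) {
  const parts = barcode.split('|');
  if (parts.length !== 5) return { ok: false, reason: 'malformed' };
  const [name, flight, date, keyId, sigB64] = parts;
  // In this sketch a revoked key invalidates every pass it signed, including
  // honest ones already issued; those need a reissued pass or a manual check.
  if (revokedKeyIds.has(keyId)) return { ok: false, reason: 'key-revoked' };
  const publicKey = trustedKeys.get(keyId);
  if (!publicKey) return { ok: false, reason: 'unknown-key' };
  const payload = Buffer.from([name, flight, date, keyId].join('|'), 'utf8');
  const sig = Buffer.from(sigB64, 'base64');
  if (!nodeCrypto.verify(null, payload, publicKey, sig)) {
    return { ok: false, reason: 'bad-signature' };
  }
  return { ok: true, name, flight, date, keyId };
}
```

Because the key id is inside the signed payload, a pass cannot be re-labelled as coming from a different, unrevoked key without breaking the signature.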

TSA Levi said...

Bob Eucher said...
I have a question about the bar-coded PDA/cellphone boarding pass.

When the TSA is yelling to everyone to keep your boarding pass out for verification at the WTMD, what do the people that used their PDA/cellphone do?

Also how does the TDC mark or initial that he or she verified it, as is done with a paper boarding pass?

I think that throws your entire TDC marking a paper boarding pass out the window.

September 22, 2008 6:37 PM


We're working on these exact questions at the eight e-boarding pass pilot sites and have tested some different approaches.

Fundamentally, the point of marking a boarding pass and checking it a second time is to ensure that selectee passengers are identified, routed, and screened appropriately. We're looking at other ways to achieve this goal that would be compatible with the e-boarding pass. For example, selectee passengers could be directed from the travel document check station to a designated lane.

Anonymous said...

Will you put a SSSS sticker on the PDA of those of us who qualify for haraSSSSment?

Am I supposed to walk through the metal detector with my PDA, or do I put it through the X-ray? If I put it through, will I be allowed to get it back to hand to the officer who wants to see my pass after the detector?

I can already see people being screamed at for that!

Phil said...

Lynn, assuming that the information on these bar-coded boarding passes is actually digitally signed, who holds the signing key? Every airline? Does each have its own key? How are they protected? If a key is revoked due to security compromise, what will happen to passengers who hold boarding passes signed with the revoked key?

Ayn R. Key said...

Anonymous on September 21st wrote:
Why would we search people that is not going to the sterile side of an airport? They are not going through the security checkpoint then.

That was my question, but that's what the TSA is doing with not one but two blog entries on passive MMW machines set up in locations around the airport.

There is no such list with everything there for you to see in one section.

That's the problem. As long as there is no list, there is no way for a criminal^H^H peaceful traveler to say to a TSO "this item is allowed". It doesn't matter if it is allowed, a TSO said it isn't, the TSO's supervisor will say the TSO is right whether he is or not, and if you protest it enough you get detained until your flight has taken off and you get a fine in violation of the Administrative Procedures Act.

I don't know about this but from the sound of it, if you are fined you obviously are not cooperating or doing something right.

That is what we're supposed to think. But the fines can be levied for "non-physical interference with a TSO in performance of his duties." That means talking back when they try to forbid a legal item. And interestingly enough it also means contesting the fine because that doubles the fine - also in violation of the Administrative Procedures Act.

Anonymous said...

"Can the TSA legal department give a compelling reason for not providing the public a list of rules I must comply with?"

Easy. They won't because then you can prove they acted wrong, immorally, illegally or unconstitutionally. TSA doesn't believe in the law or accountability, so that is two strikes against something like this.

Anonymous said...

Ayn R. Key, first time I read that I thought it was in reference to Ayn Rand.

That is what we're supposed to think. But the fines can be levied for "non-physical interference with a TSO in performance of his duties." That means talking back when they try to forbid a legal item. And interestingly enough it also means contesting the fine because that doubles the fine - also in violation of the Administrative Procedures Act.

I'm waiting for DHS to take offense at the posts on this blog as "non-physical interference with a TSO in the performance of his duties." That's pretty much the next step for a thought crime. Always thought that was a bit extreme for any government agency to act in that fashion. Even dealing with the FBI you have more rights than you do when dealing with the DHS and something about that doesn't quite agree with our form of government.

Anonymous said...

Anonymous said...
"Can the TSA legal department give a compelling reason for not providing the public a list of rules I must comply with?"

Easy. They won't because then you can prove they acted wrong, immorally, illegally or unconstitutionally. TSA doesn't believe in the law or accountability, so that is two strikes against something like this.

September 24, 2008 1:23 PM
.........................
It's a sad statement but I have to agree with your point.

TSA placing itself above the law brings into focus why no better reason exists when demanding the disestablishment of this rogue organization.

TSA is a threat to the United States!

Ayn R. Key said...

Ayn R. Key, first time I read that I thought it was in reference to Ayn Rand.

It is. It's also a pun. Read as one word it is similar to "anarchy", but read in pieces "Ayn R." refers to Ayn Rand.

Miller said...

You know, in the past eight years of frequent travel I've never had a situation where someone attempted to board a flight with a counterfeit boarding pass. The gate agent would have stopped them before boarding. How again does this relate to security since everyone (except TSA and airport vendors) goes through screening?

Jim Huggins said...

How again does this relate to security since everyone (except TSA and airport vendors) goes through screening?

I don't work for TSA, so I can't give an official answer. But here's the answer as I understand it.

To TSA, there are issues both of identity and of opportunity which they are trying to screen against.

Some individuals, in TSA's opinion, are too much of a security risk to fly. Some other individuals are less risky, but still risky enough to require mandatory secondary screening. The names of such people appear on various lists. Ideally, when you enter screening, your name (or the name on your ID) would be compared against those lists. At this point, it's the boarding passes that are compared against the lists (by the airlines), not your ID, so it's important to know that the boarding passes aren't forged when presented at the checkpoint.

This is independent of the issue of banned items ... which are viewed by TSA as potentially usable as a weapon (or a means for concealing a weapon).

TSA's reasoning is (probably) as follows. Bad people want to get on-board planes with bad items in order to commit crimes. We should try to keep the bad people off, but we don't know everyone who will want to be bad. So we can keep the bad items off as well, but there's no way we can keep everything off without creating threats to health and well-being, either. So TSA tries to do both, in the hopes that if one filter fails, the other filter will succeed.

Now I've tried to render this objectively. Whether it makes sense to keep a list of bad people, or a list of bad items, or which one is the better one to focus on, is a matter of debate, which this blog captures quite nicely ...

Anonymous said...

:) said: I'm very glad to see this moving forward as well.

Really? Or are you just happy to get your xbox link onto this site?

Bob said...

Anonymous said...:) I'm very glad to see this moving forward as well. September 18, 2008 9:51 PM

The above post has been deleted due to spam content.

Thanks,

Bob

EoS Blog Team

Anonymous said...

Anonymous said...
"Can the TSA legal department give a compelling reason for not providing the public a list of rules I must comply with?"

From: A concerned flyer who would like to comply

Lynn has been kind enough to reply to other posts, how about this one?

Thanks in advance

Anonymous said...

I have yet to find a TSA list that states that you can take solid lipstick and solid deodorant (anti-perspirant) in carry-on. And, in what amounts/size/weight are allowed, if any.
The only subject is hearsay, from other travelers, but nothing from TSA, except for the old 2006 or so statement: "Clarification: solid lipstick and solid deodorants are now allowed in carry-on."

What gives, stop being arrogant, for lack of a better word, and publish a note stating what amount/weight/size of solid lipstick and solid deodorants are allowed, so that WE, TAX-PAYING travelers don't get hassled, or our stuff thrown in the bin by minimum wage "security officers" at the airport.

Manoj Jain said...

MarkVII has rightly pointed out the document control procedures required by ISO 9000 / 9001 and its auto industry counterpart QS 9000 (now ISO/TS 16949).

To his comments I would like to add a reference to AS 9000 (Aerospace basic quality management system standard), which is based on ISO 9000. ISO 9001 was recently updated in 2008, but the requirements relating to document control are the same and unchanged.

The standard requires documents to be legible. People do not fully understand the meaning of legible; it does not simply mean readable, relating to the ability to read, but legible means the ability to understand.

You need to ensure that users of your documents are able to understand what it is trying to convey.

Just to point out the security lapse, today a few passengers with a deadly virus, H1N1, reached Hyderabad, India via a British Airways plane.

The bar code system you are trying to introduce may keep such things in control.

Edu Mass said...

"Can the TSA legal department give a compelling reason for not providing the public a list of rules I must comply with?"

Easy. They won't because then you can prove they acted wrong, immorally, illegally or unconstitutionally. TSA doesn't believe in the law or accountability, so that is two strikes against something like this.

Anonymous said...

I am sorry to hear that the TSA thinks we are mindless sheep and will sing praise for any silly idea that comes along. (In some cases they're right, based on the comments here.)

This does not improve security. It is theatre, and a waste of taxpayer money. Shame on you, TSA, for further eroding this country.

Anonymous said...

Has this new information collection been approved by OMB pursuant to the Paperwork Reduction Act? Is there an OMB control number certifying this displayed at the point of information collection?