Re: Delta CAPPS-2 watch: decrypt boarding passes!
At most airports, they've moved most of the screening to the security checkpoint, where they do the dump search of the people with the on the boarding pass and the lucky random selectees. For flights with people on them, they also have TSA people to screen them at the gate. I've not noticed the specific mechanism they've used to select the additional random selectees. It's possible that it's wrapped in to the program that decides who gets the printed on the boarding pass in the first place. If so, that seems like a weakness, since you would be able to predict whether you'll get the additional scrutiny before you reach the checkpoint. I'm not sure one way or the other about what the actual practice is: has anyone here (who's gone through the airports following the new procedure) been informed at the checkpoint they they've been randomly selected for additional screening but not had the printed on the boarding pass? The main way to tell if you're at one of these airports is that you DON'T have to show your ID when boarding. For checked baggage screening, however, I have seen how they do the randomness: it involves a pre-printed randomness table consulted for each bag. (Some airports do the baggage screening in front of the passenger before it is turned over to the airline.). Every bag gets a basic scan through the sniffer, and bags that test positive or that the randomness table selects are opened and searched by hand. By the way, at these airports, you can no longer get past the checkpoint with just a pre-printed receipt; you need either a boarding pass, a "gate pass" printed by the airline (like a boarding pass, but for people without a specific flight), or an airport ID. -matt Russ Nelson writes: > John Ioannidis writes: > > (they [TSA] still picked up "random" people without the search > > string on their boarding passess). > > HHH! If this list was to have a subtitle it would be > "Practical uses of randomness". Surely they're rolling dice, or > cutting a well-shuffled deck, or consulting a book of random numbers, > or using some other secure source of randomness. Somebody please tell > me that they're not just picking people "at random". I am reminded of > a six-year-old's idea of randomness: eenie, meenie, miney, moe. > > -- > -russ nelson http://russnelson.com | "What Problem Are You Trying > Crynwr sells support for free software | PGPok | To Solve?" is a service mark > 521 Pleasant Valley Rd. | +1 315 268 1925 voice | of Crynwr Software. > Potsdam, NY 13676-3213 | +1 315 268 9201 FAX | > > - > The Cryptography Mailing List > Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Re: Delta CAPPS-2 watch: decrypt boarding passes!
John Ioannidis writes: > (they [TSA] still picked up "random" people without the search > string on their boarding passess). HHH! If this list was to have a subtitle it would be "Practical uses of randomness". Surely they're rolling dice, or cutting a well-shuffled deck, or consulting a book of random numbers, or using some other secure source of randomness. Somebody please tell me that they're not just picking people "at random". I am reminded of a six-year-old's idea of randomness: eenie, meenie, miney, moe. -- -russ nelson http://russnelson.com | "What Problem Are You Trying Crynwr sells support for free software | PGPok | To Solve?" is a service mark 521 Pleasant Valley Rd. | +1 315 268 1925 voice | of Crynwr Software. Potsdam, NY 13676-3213 | +1 315 268 9201 FAX | - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Delta CAPPS-2 watch: decrypt boarding passes!
John Gilmore writes: > And, besides identifying what cities they're doing this in, we should > also start examining a collection of these boarding passes, looking > for the encrypted "let me through without searching me" information. > Or the "Don't let me fly" information. Then we can evaluate how easy > it would be to turn one into another. (Don't mistake a system that > claims to provide security for one that actually does.) May I suggest as a non-violent civil disobedience measure, that if anyone gains the ability to change the insecurity level, that they should be careful to change it from green to yellow, or yellow to red. In that manner, you cannot be accused to trying to escape scrutiny. You make your point[1] more effectively by demonstrating that you are willing to suffer for your cause. Like the guy who wouldn't take off the T-shirt that he *bought* in the mall. [1] that the only thing worse than taking away our freedom is by doing it using insecure cryptography. -- -russ nelson http://russnelson.com | "What Problem Are You Trying Crynwr sells support for free software | PGPok | To Solve?" is a service mark 521 Pleasant Valley Rd. | +1 315 268 1925 voice | of Crynwr Software. Potsdam, NY 13676-3213 | +1 315 268 9201 FAX | - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Delta CAPPS-2 watch: decrypt boarding passes!
"Roy M. Silvernail" <[EMAIL PROTECTED]> writes: > On Thursday 06 March 2003 02:34 pm, John Ioannidis wrote: > > > Both JFK and SFO have stopped gate searches. Searches at security are > > still decided by the TSA personnel there (they don't get to see your > > boarding pass). > > FWIW, MSP initial security screening wants to see your boarding pass. I > didn't see anyone try to avoid showing it. I've not seen ANY airport that didn't have this initial check, although generally it is "boarding pass, printed ticket, or printed itinerary". This is actually one of the "written rules" (as opposed to some of those lovely unwritten rules that TSA seems to like imposing). -derek -- Derek Atkins Computer and Internet Security Consultant [EMAIL PROTECTED] www.ihtfp.com - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Re: Delta CAPPS-2 watch: decrypt boarding passes!
On Thursday 06 March 2003 02:34 pm, John Ioannidis wrote: > Both JFK and SFO have stopped gate searches. Searches at security are > still decided by the TSA personnel there (they don't get to see your > boarding pass). FWIW, MSP initial security screening wants to see your boarding pass. I didn't see anyone try to avoid showing it. The last time I was through SFO, this new jihad hadn't started, but I got yet another lesson in the lack of sense of humor among the staff. Asked to take my creaky old ThinkPad 760XL out of its case to be x-rayed, I said "Be nice to it; it's old." Whereupon I was invited out of line so the explosives residue screener could give it a wipedown. Even so, it was better than the beginning of that trip, when I'd forgotten to take my Victorinox Signature off of my keychain. (that's a 1.6" Swiss Army Knife with a pen, an LED flashlight and a 1.25" blade) At least I was given the opportunity to FedEx it back to the office. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Delta CAPPS-2 watch: decrypt boarding passes!
John Ioannidis <[EMAIL PROTECTED]> writes: > Are you referring to the "" string on the boarding pass? That > indicated that you were going to be searched by the boarding gate TSA > people whether they were going to decide to search you or not (they > still picked up "random" people without the search string on their > boarding passess). Yes, that's what I was referring to. I didn't recall exactly what the mark was, but "" sounds right. I was just annoyed because they flagged about 30% of the flight. Even though I was seated in like row 15/22 (in the second group to get boarded), by the time I actually made it through the line they had already finished normal boarding and closed the gate doors. > Both JFK and SFO have stopped gate searches. Searches at security are > still decided by the TSA personnel there (they don't get to see your > boarding pass). Hmm. Well, I'll let you know about BOS. And I'll find out about ORD on my return flight. I consider gate checks rather rude, but then again I consider commercial travel in general rather annoying. If it weren't going to take me 3 days (rather than 6 hours) I would have just flown myself out to SF -derek -- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory Member, MIT Student Information Processing Board (SIPB) URL: http://web.mit.edu/warlord/PP-ASEL-IA N1NWH [EMAIL PROTECTED]PGP key available - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Re: Delta CAPPS-2 watch: decrypt boarding passes!
On Thu, Mar 06, 2003 at 01:50:44PM -0500, Derek Atkins wrote: > [...] > > When I flew on US-Airways out of BAL last year, they had a marking on > the boarding pass that signified "search this person". If your > boarding pass had the mark, you were searched as you tried to board. > If it did not, then you were not searched. > > [...] > > -derek Are you referring to the "" string on the boarding pass? That indicated that you were going to be searched by the boarding gate TSA people whether they were going to decide to search you or not (they still picked up "random" people without the search string on their boarding passess). Both JFK and SFO have stopped gate searches. Searches at security are still decided by the TSA personnel there (they don't get to see your boarding pass). LHR still has gate searches, and the mix of people they were searching looked fairly random. I don't know if any of them had been flagged by the computers, or if the gate security personnel had picked them out. I wasn't searched, either going through security or at the gate, but when I tried going from the gate area back into the duty-free area they were pretty thorough (but exceedingly polite). /ji - KC2IER -- /\ ASCII ribbon | John "JI" Ioannidis * Secure Systems Research Department \/campaign| AT&T Labs - Research * Florham Park, NJ 07932 * USA /\against | "Intellectuals trying to out-intellectual / \ HTML email. | other intellectuals" (Fritz the Cat) - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Delta CAPPS-2 watch: decrypt boarding passes!
John, John Gilmore <[EMAIL PROTECTED]> writes: > And, besides identifying what cities they're doing this in, we should > also start examining a collection of these boarding passes, looking > for the encrypted "let me through without searching me" information. > Or the "Don't let me fly" information. Then we can evaluate how easy > it would be to turn one into another. (Don't mistake a system that > claims to provide security for one that actually does.) When I flew on US-Airways out of BAL last year, they had a marking on the boarding pass that signified "search this person". If your boarding pass had the mark, you were searched as you tried to board. If it did not, then you were not searched. I'm flying United out to the IETF next week, so I'll gladly report my findings. -derek -- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory Member, MIT Student Information Processing Board (SIPB) URL: http://web.mit.edu/warlord/PP-ASEL-IA N1NWH [EMAIL PROTECTED]PGP key available - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Delta CAPPS-2 watch: decrypt boarding passes!
Delta Air Lines is the guinea pig for the CAPPS-2 intrusive database search on every passenger. They'll be doing this in three cities, starting THIS MONTH. First, if you were thinking of flying, be sure not to fly on Delta. See http://boycottdelta.org. Second, if you're stuck on Delta, or want to watch their system, then please report back (to me, [EMAIL PROTECTED], or to the cryptography list) about how the airport checkin and screening process has changed. We should be able to rapidly figure out which cities they are doing this in, based on the airline's behavior changes. For example, some stories say that the system will require more info from you, like your home address and date of birth. Other stories say that no new info is collected. One has pointed out that Delta's frequent flyer program has collected birthdate info for years. I suggest flying WITHOUT tying your flight into the frequent flyer database. Also, most news stories claim that your boarding pass will have "encrypted" on it a "red/yellow/green" flag that tells the security screeners whether to: * Block you from getting on the flight * Search the hell out of you * Let you walk through with minimal hassle The stories report that the security screeners at the checkpoint might have new machines to run your boarding pass through (to "decrypt" this info). This could all be disinformation. If true, it should be easy to spot, particularly if you've flown through these airports before. And, besides identifying what cities they're doing this in, we should also start examining a collection of these boarding passes, looking for the encrypted "let me through without searching me" information. Or the "Don't let me fly" information. Then we can evaluate how easy it would be to turn one into another. (Don't mistake a system that claims to provide security for one that actually does.) I'll restate just for the record that I oppose this entire program, as well as the unconstitutional demand for ID before traveling in the US. I'm suing Ashcroft, TSA, and Homeland Security over it. We're currently awaiting Judge Illston's decision on the government's motion to dismiss the case as frivolous. (How many of you who thought it was frivolous eight months ago, still think it is?) http://cryptome.org/freetotravel.htm John - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
