TSA security loophole exploited

As this blog has reported on multiple prior occasions (in 2006, 2008, and 2009, at the very least), U.S. airport security separates the TSA's check of the boarding pass from the use of a boarding pass to board the flight, which makes it easy to get through security with a boarding pass that matches your ID while flying under a boarding pass on a ticket purchased in a different name. Now, as The Economist (July 2, 2011) reports, Olajide Oluwaseun Noibi, a 24-year-old Nigerian American, has been arrested after successfully doing something along these lines to fly around the country, apparently on multiple occasions. Only Noibi wasn’t even using boarding passes valid for the flights he was on–he was caught with a boarding pass in another person’s name for a flight from a day prior. And he wasn’t caught because the boarding pass was detected at check-in–he had already successfully boarded the flight and was seated. He was caught only because a fellow passenger complained about his extreme body odor, which led to his boarding pass being checked and found to be invalid. ...

July 3, 2011 · 1 min

Criminal activity by air marshals

Looks like the air marshals have a problem similar to the TSA and the Border Patrol:

Shawn Nguyen bragged that he could sneak anything past airport security using his top-secret clearance as a federal air marshal. And for months, he smuggled cocaine and drug money onto flights across the country, boasting to an FBI informant that he was "the man with the golden badge." Michael McGowan used his position as an air marshal to lure a young boy to his hotel room, where he showed him child porn, took pictures of him naked and sexually abused him. And when Brian "Cooter" Phelps wanted his ex-wife to disappear, he called a fellow air marshal and tried to hire a hit man nicknamed "the Crucifixer." Since 9/11, more than three dozen federal air marshals have been charged with crimes, and hundreds more have been accused of misconduct, an investigation by ProPublica, a non-profit journalism organization, has found. Cases range from drunken driving and domestic violence to aiding a human-trafficking ring and trying to smuggle explosives from Afghanistan.

More details at USA Today.

UPDATE (8 March 2015): Another air marshals scandal:

What began as an internal investigation into allegations of harassment and threats stemming from a spat between ex-lovers has expanded into a criminal inquiry focused on the Federal Air Marshal Service’s dispatch hub in Herndon, Virginia. More than 60 federal employees are under scrutiny as investigators look into whether flights considered at risk of hijacking or a terrorist attack were left without marshals on board, sources with knowledge of the investigation told Reveal.

Historical Comments

Sheldon (2008-11-18): Wow! That's 36 Federal law enforcement officials who had passed the background checks to fill those positions, and then went bad, some very bad. Pretty scary when you think about it. Thanks. ...

November 14, 2008 · 2 min

TSA airport security is a waste of time and money

Jeffrey Goldberg explains why in The Atlantic. The check for whether you’re on the no-fly list is at the time of ticket purchase and check-in; there is no validation of your actual ticket against your ID at the TSA checkpoint (you can easily print and use a fake boarding pass at the TSA checkpoint); there is no check of ID when you board the plane. The checks for substances and items at the TSA checkpoint are easily subverted, with the restrictions on liquids probably the most absurd and pointless. We’re throwing away billions of taxpayer dollars per year on security theater. (Hat tip to John Lynch.) (Previously, previously, previously, previously, previously, previously.)

October 18, 2008 · 1 min

Terrorist watch list grows past 700,000 names

The ACLU reports that the Terrorist Screening Center’s watch list reached 700,000 names in September 2007, and is adding 20,000 new names per month. “At that rate, our list will have a million names on it by July. If there were really that many terrorists running around, we’d all be dead.”

Names on the list include: Robert Johnson; Alexandra Hay; Evo Morales (president of Bolivia); Saddam Hussein (dead former dictator of Iraq); the 9/11 hijackers (all still dead); Gary Smith; John Williams; Edward Kennedy (Massachusetts Senator); John Lewis (U.S. Rep. from Georgia); Daniel Brown (U.S. soldier detained on way home from Iraq); James Moore (author of book critical of Bush administration); Catherine (“Cat”) Stevens (wife of Sen. Ted Stevens); Yusuf Islam (formerly known as Cat Stevens); Vernon Lewis (retired Major General, U.S. Army); Robert Campbell (U.S. Navy, retired); David Nelson; John William Anderson; Don Young (U.S. Rep. from Alaska).

The whole idea of checking names for flight screening is nearly pointless, since terrorists are capable of getting fake ID. It’s absolutely idiotic to have extremely common names on the list and subject everyone who happens to have a common name to extra screening every time they fly. The right way to do screening is to use mechanisms like randomly subjecting people to extra screening and to have people undercover trained to identify suspicious behavior in the terminal–and to use multiple mechanisms that are randomly changed from day to day, so that security measures tested on one day will not be the exact measures in place on a later day.

UPDATE (March 18, 2008): Note that the no-fly list is a subset of the terrorist watch list. The former is what I criticize in the last paragraph. An FBI audit has stated that the information the FBI supplies for the terrorist watch list is “outdated and inaccurate.” ...

March 15, 2008 · 3 min

Are you on the TSA no-fly list?

Check it out here. I’m not on the list, but my 13-year-old nephew is, due to his common last name. (Via Bruce Schneier’s Blog.)

March 14, 2007 · 1 min

Inside the TSA

Barbara Peterson took a job as a TSA screener and has written an interesting description of her experience for Conde Nast Traveler. She blames TSA’s incompetence not on the individual screeners (who are generally doing as well as they could be hoped to under the demands of the job) but on Congress.

March 5, 2007 · 1 min

TSA continues to demonstrate incompetence

A web page on the TSA’s website for travelers “who were told you are on a Federal Government Watch List” displays evidence of being a phishing site–it’s probably not, it’s just so badly done that it looks like a hacked web site that’s submitting its details to an unrelated third party. TSA responded that “We are aware there was an issue and replaced the site. The issue has been fully addressed. We take IT responsibilities seriously. There was never a vulnerability; just a small glitch.” The full story may be found at Wired Blogs, which points out fifteen features that make the TSA form submission site look dangerous.

Also check out this comment at Christopher Soghoian’s blog:

This may be surprising to hear: I am an employee at a major airline and I just received an e-mail that said we now have access to the TSA no-fly list, selectee list, and cleared list. I just accessed it and found it to contain thousands of names, DOB, SSN#s, driver's license #’s, military ID #’s, addresses, and even home phone #’s. The TSA just made this list and all of this information readily available to thousands of employees at my airline (and probably others). I think that previously this list was only available to ticket agents, but now it is available to every employee. I find it quite disturbing that any airline employee has access to this information, and that many of the ppl on the cleared list have to give up their SSN# and other information.

Nice. (Hat tip to Bruce Schneier’s blog.)

February 20, 2007 · 2 min

NY Times: Theater of the Absurd at the TSA

The December 17 New York Times has a great article on airport security, with quotes from Bruce Schneier and Matt Blaze. A few key paragraphs:

The root problem, as some experts see it, is the T.S.A.’s reliance on IDs that are so easily obtained under false pretenses. “It would be wonderful if Osama bin Laden carried a photo ID that listed his occupation of ‘Evildoer,’ ” permitting the authorities to pluck him from a line, Mr. Schneier said. “The problem is, we try to pretend that identity maps to intentionality. But it doesn’t.”

…

WHEN I asked Mr. Schneier of BT Counterpane what he would do if he were appointed leader of the T.S.A., he said he would return to the basic procedures for passenger screening used before the 2001 terrorist attacks, which was designed to do nothing more ambitious than “catch the sloppy and the stupid.” ...

December 20, 2006 · 2 min

TSA Fails Screening Tests, Looks for Who Leaked the Results

The TSA badly failed a recent set of tests at Newark’s Liberty Airport. TSA screeners missed 90% of the guns and explosives that testers put through the system. TSA’s response? Immediate action to try to find out who leaked the results. (Via Bruce Schneier’s blog.)

October 31, 2006 · 1 min

Point out the obvious, get raided by the FBI

Security researcher Chris Soghoian, a graduate student at Indiana University’s School for Informatics and an intern at Google, set up a website that functions as a boarding pass generator for Northwest Airlines. The site contained a form that allowed you to fill in name, flight number, destination, and all of the other information on a boarding pass, and would display a boarding pass that would be indistinguishable from the real thing at the TSA security checkpoints. He pointed out that the identity check at the TSA checkpoint amounts to nothing more than a comparison between the name on a picture ID and the name on a boarding pass, and that this provides no security whatsoever.

I’m not sure what threat this check is even supposed to be trying to mitigate. At best, it is an attempt to piggy-back on the check against the no-fly list (which is itself a complete joke) that is performed by the airlines when you purchase a ticket, but clearly that fails as his boarding pass generator is one of several ways to create a boarding pass in a name other than your own–including modifying the displayed text generated by any airline’s online site or even purchasing a ticket in any name you choose. The latter was displayed vividly by a couple of guys who purchased tickets in the names of “Al Kyder” and “Terry Wrist” (link includes video).

In my opinion, the only actual purpose served by checking for a valid boarding pass at the TSA checkpoint is to reduce the number of people passing through the checkpoint in order to most efficiently make use of security resources. It does not otherwise have any effect on security; it provides no deterrent to an attacker. It is not effective in screening out those with malicious intent, and it is not even effective in verifying identity.

Congressman Ed Markey (D-MA) has called for Chris Soghoian to be arrested. He was visited and interrogated by the FBI, then went to stay at his parents’ house. Friday night, the FBI broke their way into his apartment, seized his computers, and generally trashed his place.

Lesson: Point out U.S. security weaknesses, and you will be punished. Those responsible for the weaknesses and idiocy of U.S. “security theater,” however, will not be held accountable. This is one of the rare times when Michelle Malkin actually says something correct.

Other coverage: Jim Harper, author of the excellent book Identity Crisis, at the Technology Liberation Front and at Cato@Liberty (this post does a good job of pointing out the problems with the TSA identity check). Bruce Schneier, at his blog. And there’s some rather good coverage in multiple posts at BoingBoing.

The problem that Soghoian pointed out was previously described in February 2005 on Slate.com by Andy Bowers, and in 2003 by Bruce Schneier in his Crypto-Gram newsletter. So yes, Kip Hawley is still an idiot.

UPDATE (November 2, 2006): Bruce Schneier has written a detailed description of the flaw in the security design of the TSA identity check, and makes the same point that even if the flaw is corrected it doesn’t add any real security because it’s just a check of the no-fly list.

October 29, 2006 · 3 min