Delta CAPPS-2 watch: decrypt boarding passes!

Matt Blaze mab at research.att.com
Fri Mar 7 20:11:14 EST 2003


At most airports, they've moved most of the screening to the security
checkpoint, where they do the dump search of the people with the SSSS
on the boarding pass and the lucky random selectees.  For flights
with SSSS people on them, they also have TSA people to screen them
at the gate.  I've not noticed the specific mechanism they've used to
select the additional random selectees.  It's possible that it's
wrapped into the program that decides who gets the SSSS printed on
the boarding pass in the first place.  If so, that seems like a weakness,
since you would be able to predict whether you'll get the additional
scrutiny before you reach the checkpoint.  I'm not sure one way
or the other about what the actual practice is: has anyone here (who's
gone through the airports following the new procedure) been informed at
the checkpoint that they've been randomly selected for additional screening
but not had the SSSS printed on the boarding pass?  The main way to tell
if you're at one of these airports is that you DON'T have to show
your ID when boarding.

For checked baggage screening, however, I have seen how they do the
randomness: it involves a pre-printed randomness table consulted
for each bag.  (Some airports do the baggage screening in front
of the passenger before it is turned over to the airline.)  Every bag
gets a basic scan through the sniffer, and bags that test positive
or that the randomness table selects are opened and searched by hand.

By the way, at these airports, you can no longer get past the checkpoint
with just a pre-printed receipt; you need either a boarding pass, a
"gate pass" printed by the airline (like a boarding pass, but for people
without a specific flight), or an airport ID. 

-matt

Russ Nelson writes:
> John Ioannidis writes:
>  > (they [TSA] still picked up "random" people without the search
>  > string on their boarding passes).
> 
> AAAARRRRGGGGHHHHHHH!  If this list was to have a subtitle it would be
> "Practical uses of randomness".  Surely they're rolling dice, or
> cutting a well-shuffled deck, or consulting a book of random numbers,
> or using some other secure source of randomness.  Somebody please tell
> me that they're not just picking people "at random".  I am reminded of
> a six-year-old's idea of randomness: eenie, meenie, miney, moe.
> 
> -- 
> -russ nelson              http://russnelson.com | "What Problem Are You Trying
> Crynwr sells support for free software  | PGPok | To Solve?" is a service mark
> 521 Pleasant Valley Rd. | +1 315 268 1925 voice | of Crynwr Software.
> Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | 
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com




