FlyerTalk Forums - View Single Post - PreCheck "Hack" reached press
Oct 25, 2012 | 1:00 pm | #16
Ari
FlyerTalk Evangelist
Join Date: Aug 2005
Location: Chicago
Posts: 11,667
Originally Posted by gobluetwo:
"Actually, I believe he said he wasn't sure if there was a boarding pass signature and whether or not his reverse-engineered boarding pass would, um, pass..."

That's not what I read. The holier-than-thou post begins "I’m publishing this because I am seriously concerned with boarding pass security in the United States." Obviously, if someone is 'seriously' concerned about a security flaw, the proper course of action is to reach out to TSA and/or UA in private to bring it to their attention, not to alert the public with a bigger microphone than this blog so that it might be exploited. That's why I question his motives-- seems to me, he wanted to be a big shot and be the first to expose a security flaw in public (albeit a flaw which doesn't exist).

https://puckinflight.wordpress.com/2...-check-system/

The post continues:

What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode. Finally, using a commercial photo-editing program or any program that can edit graphics replace the barcode in their boarding pass with the new one they created. Even more scary is that people can do this to change names. So if they have a fake ID they can use this method to make a valid boarding pass that matches their fake ID. The really scary part is this will get past both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don’t check against the real time information. So the TSA document checker will not pick up on the alterations. This means, as long as they sub in 3 they can always use the Pre-Check line.
. . .
So, there are two problems here. First, is that the data on the barcode is not encrypted. This allows people to alter information on the front of the boarding pass. Second, is the more serious issue of the Pre-Check information not only out there but where it is also possible to edit the Pre-Check status and place it back on the boarding pass.
(emphasis added)

I didn't see any hedging there at all. I believe he might also be wrong that 1 is no PreCheck-- 0 is no PreCheck. I don't know (I try to hedge when I don't know something for sure), but I think 1 means SSSS. I think 0 = CLR, 1 = SSSS, and 3 = LLL.

And then, when he figures out he is wrong:

https://puckinflight.wordpress.com/2...security-flaw/

Notice that the title is "Update on the TSA Security Flaw," not "Oops, I didn't know what I was talking about". It is hardly an 'update' when the information is only new to the author.

* * *

Whether knowing one has a '3' in advance of arriving at the security checkpoint constitutes a security risk is a topic open for debate; what Colpuck did was post fiction as fact to sound an alarm that didn't need sounding. There was no need to attract attention to a 'secret' frequent fliers find very convenient; the only thing that could come of it is that it changes, and that would be a bad thing for us.

What people also fail to recognize is that at airports like ORD, contract employees scan boarding passes before the line to security. Anyone wanting to probe the system can just turn around and go home if he doesn't get 3 beeps from the contract employee-- it isn't like one is already in the TSA area past some 'point of no return' when one finds out about PreCheck for a given flight. This 'flaw' (if it is one at all) was evident to me when AA first split the line in ORD T3 during PreCheck's first month. (Somehow, I resisted the temptation to post it, perhaps because I knew nothing good could come of running my mouth-- they could have reacted by shoving PreCheck back into the elite line). So one could probe the system long before people knew how to decode the barcode.

I take no pleasure in attacking my fellow FT'ers, but this poster's conduct is beyond irksome and requires calling out.

Last edited by Ari; Oct 25, 2012 at 4:42 pm