The first time someone pointed this out, the FBI raided his house[1] and sparked a Senate investigation. This was <i>four</i> years ago. I did this to one of my Southwest tickets recently, though didn't use the forged copy. Honestly, it's like they think HTML is unreadable, or, more likely, that it's security theatre designed to make everyone feel safe. I would be okay with that if it wasn't taken so seriously.<p>[1] <a href="http://arstechnica.com/security/news/2008/06/tsa-defiant-passengers-wont-get-to-fly-without-id.ars" rel="nofollow">http://arstechnica.com/security/news/2008/06/tsa-defiant-pas...</a><p>Edit: The Soghoian blog post about the raid:
<a href="http://paranoia.dubfire.net/2006/10/fbi-visit-2.html" rel="nofollow">http://paranoia.dubfire.net/2006/10/fbi-visit-2.html</a>
I'm a very tall man (6'4") and always have trouble with a lack of legroom on flights (even JetBlue).<p>A few years ago I was adventurous, and frustrated -- there were no seats left on the flight that it would let me reserve online. Yet for this particular airline, it showed that the exit row seats were available, but clicking on them lead to an alert that you could not book them online: You had to do so at the airport.<p>I decided to look at the code making the seat selection calls, submitted my seat selection for that seat anyway -- and wallah! I was granted a ticket with that exit row seat. Had no problem going through security or boarding.
Haven't tried it since - as most airlines now charge extra for those seats, and its not such an easy hack.
This doesn't surprise me in the least. I've been in India for the last month, and I've been <i>shocked</i> by two new things since my last visit (several years ago).<p>First, security here is <i>everywhere</i>.<p>Second, security here is <i>pointless</i>.<p>I have had to walk through security to get to supermarkets, discount stores (think Walmart), high-end shopping malls, temples, mosques, movie theaters, national monuments, airports, hotels, you name it. You can't walk into a large building and not walk through a metal detector. The ACLU would probably go ballistic if the US had even 1% of the number of pat-downs that I have had to go through daily here.<p>Unfortunately, it's entirely pointless. Generally, I don't take my belt/jewelry/phone off when going through the metal detector, and most of the time, it doesn't even detect that. Whether or not I set off the detector, the process is the same: they (occasionally) wave a wand over, and then send me to a second person who briefly pats me down (<5 seconds in all). Keep in mind, the <i>exact same process</i> is applied to those who do and do not set off the metal detector. A few times, I've set it off and they just wave me through without even checking me further. It's mind-boggling.<p>I can't say I'm a fan of ubiquitous security, but the only thing that's worse than ubiquitous <i>ineffective</i> security. Anybody who really wants to cause trouble can bypass it in their sleep - all you manage to do is disrupt the lives of everybody else, all the while accomplishing literally nothing.
Poorly implemented solutions are security theatre at its best. Well, almost. They're second best to "The wrong solution for the problem" approaches. Take the school in Texas this week where one kid shot another [1]. The school's solution is to make everyone use completely transparent backpacks, nevermind that:<p>1. You could fit a gun inside a zippered/covered binder or expanding file folder and the backpack does nothing.<p>2. The school already has metal detectors, so the backpacks aren't actually adding any detection.<p>3. They don't even know if the edge case where their current security failed even involved backpacks.<p>[1] <a href="http://www.chron.com/news/houston-texas/article/Teen-shot-at-North-Forest-High-School-2457718.php" rel="nofollow">http://www.chron.com/news/houston-texas/article/Teen-shot-at...</a>
I know a girl who changed her name when she got married and whose ID still has her maiden name. She buys her plane tickets under her married name, and carries her marriage license with her when she flies in case the TSA asks about the discrepancy. <i>But no one has ever noticed.</i>
This doesn't always work. You might end up arrested. You are better off with a fake ID.<p>When you board the plane they check the codes to see if you have been through special screening, they check the markings to the boarding pass codes.<p>I've made it to the flight a few times only to be turned around and accompanied back to security for the full security theater experience. At this point they will check the list and you will be arrested if they find a problem in the paperwork.<p>Your best bet is to change your name slightly William --> Bill etc. and play around with a middle/first initial. Computers are dumb. TSA agents are friendly when you are friendly to them and have tendency to not pay attention to their work. Social engineering is a lot more effective than computer hacking.
In my experience, the TSA agent you have to show ID and boarding pass to at the security checkpoint also scribbles something with a marker or highlighter on your boarding pass.<p>But even aside from the fact that this is obviously and trivially forgeable, I don't think the person who scans your boarding pass at the gate even looks for the scribble, as I've used a different boarding pass to get on the plane than I did at the security checkpoint before (because I had printed one out at home and also printed another copy at the self-service check-in machine, and just happened to use different copies each time I needed to show it).
If terrorists still want to "get us", why don't they detonate some truck bombs in major urban areas? If the bridges or subway tunnels in the SF Bay Area or NYC had big holes punched in them, the economic impact would be huge.
Not only is my ID almost never checked at the gate, the agent hardly even compares the name on the paper to their flight information. So really, you could just print out the forged copy with your name on it and use it the whole way through.
Possible easy way to fix this:<p>Include a QR code on the printed boarding pass that holds the details of the passenger and flight along with a hash of the data, the hash being salted with a secret known only to TSA. The TSA agent then scans the QR code, computer verifies the hash and displays the data on screen for the agent to check against the printed boarding pass and ID. No database look up is needed, just a PC and webcam.<p>Danger is someone works out or leaks the hash secret.
Does this work?<p>> Give the ticket with your friend’s name to the gate agent who lets you board. It will match the flight information and you’ll be allowed to board.<p>I fly 4 times a month and each time I have to present a piece of photo ID at the gate to the flight attendant that has to match the name on the ticket, ticketing computer and ofcourse me.<p>The above advice would seem to fail this test.
The boarding pass should never be shown at the gate, instead you should show your ID. The agent would then check it to make sure its real and then scan it to see if your in the database to fly that day. It is a simple solution, Someone needs to build a device that can read 90% of IDs.
Could you use the same trick to use your friend's ticket in general?<p>I've often had the situation of having an "extra" flight ticket for some reason. I've always thought that there is no way I can give the ticket away to a friend, but it seems like this could be a way to do it.
Glad we all give up our civil liberties for this awesome "security". I'm sure zero terrorists know of this method.<p>Those who sacrifice liberty for security deserve neither.
It would suck to be someone whose name appears on a no-fly list. It would REALLY suck to be that same person who forges a ticket and gets caught. #oops
DHS is a giant convoluted bureaucracy and it was designed to be such from the beginning. They don't actually have to, or really desire to make anybody safer at all. That's not the point of DHS at all. It's all just a series of checklists, and forms, and initiatives... and reports... all the way down. All anybody needs to do is go down the new checklist that somebody higher up gave them to fill out.
Thanks for the article. Now tsa will install another check point on each gate where you will have to show id, remove shoes, do the chicken dance ...for security