[IP] more on Get a boarding pass, steal someone's identity

To: ip@xxxxxxxxxxxxxx
Subject: [IP] more on Get a boarding pass, steal someone's identity
From: David Farber <dave@xxxxxxxxxx>
Date: Mon, 8 May 2006 12:07:00 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <20060508100113.50c8b3cf.smb@xxxxxxxxxxxxxxx>
Reply-to: dave@xxxxxxxxxx

Begin forwarded message:

From: "Steven M. Bellovin" <smb@xxxxxxxxxxxxxxx>
Date: May 8, 2006 10:01:13 AM EDT
To: "Perry E. Metzger" <perry@xxxxxxxxxxxx>
Cc: cryptography@xxxxxxxxxxxx
Subject: Re: Get a boarding pass, steal someone's identity

On Sun, 07 May 2006 12:53:41 -0400, "Perry E. Metzger"
<perry@xxxxxxxxxxxx> wrote:


I got this pointer off of Paul Hoffman's blog. Basically, a reporter
uses information on a discarded boarding pass to find out far too much
about the person who threw it away....

  http://www.guardian.co.uk/idcards/story/0,,1766266,00.html

The story may be exaggerated but it feels quite real. Certainly I've
found similar issues in the past.

These days, I shred practically anything with my name on it before
throwing it out. Perhaps I'm paranoid, but then again...


I read the article.  What bothers me is the focus on CAPS II, Secure
Flight, and all the other US government-mandated initiatives.  I saw
nothing in it that seemed in any way related to security.  Every one of

those database entries could have been there -- and probably werethere --

for the convenience of airline passengers.  In particular, I'm referring
to the ability to check in online and print your own boarding pass.  For
business travelers who use only carry-on baggage, it's a *major*
timesaver.  I've been on flights where I had to wait 45-60 minutes (or

more) just to get my boarding pass, independent of any securityscreening.Passport numbers? I've always had to present my passport whenchecking in

for an international flight; the difference now is that I see what's
happening.  (Yes, US immigration is fussier about passport and customs
inspections than most other countries I've visited -- but in my personal
experience, that dates back to 1971.  It's also less fussy about
emigration -- I remember having to listen to fundamentalist religious
preaching from an Australian emigration officer some years ago.)

The real point here is carelessness with access controls.  *That's* what
we have to fight.  It's certainly better if databases don't exist; as I

said, I think that these exist because of customer demand, notgovernment

mandates.

                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List

Unsubscribe by sending "unsubscribe cryptography" tomajordomo@xxxxxxxxxxxx



-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] more on A foreign knowledge desert requires cultural irrigation.... in both direcitons....
Next by Date: [IP] more on Inaccurate reporting in "Gone in 60 seconds"
Previous by thread: [IP] more on A foreign knowledge desert requires cultural irrigation.... in both direcitons....
Next by thread: [IP] more on Inaccurate reporting in "Gone in 60 seconds"
Index(es):
- Date
- Thread