
Airport ID check fail, Integrity Testing, Cryptographic Signatures, Fake News

posted Mar 19, 2017, 1:10 AM by Sami Lehtinen   [ updated Mar 19, 2017, 1:11 AM ]
  • Airport passport & identity checks were a joke. There was a separate person checking the ID & boarding pass, and then there was the computerized boarding system check. This should allow me to show a different boarding pass to the ID checker than the one I use while actually boarding the plane. Basically the ID check was totally useless. Another funny thing was that I had a mobile boarding pass, so the image they saw was a screenshot. Naturally I could have presented whatever information to them. - This is just the problem with people and rules. When they apply the rules, they often make stupid decisions about how the measures should be implemented, and the original cause gets totally lost. So, they never checked that the name on the ID and the ticket was the same. They did check "some document" and ID, and then they checked me in using the QR code on the real boarding card, but at that stage the previous verification step was already meaningless. Ha ha ha. I thought that people at airports got even basic security training, but nope. It was a perfect example of how they follow rules and at the same time make the rules utterly meaningless by using a stupid implementation. - Greetings for this individual case go to Lufthansa (LH) & Frankfurt (FRA).
  • One of my friends (who's on pension now) used to do all kinds of 'integrity testing' of personnel in different businesses. It was great and he had awesome stories. His job was usually to be an outsider who does something stupid, opening an opportunity for staff to do the wrong thing, and then burn them for that. So if the opportunity seems to be really good and worth taking, it might be a trap set up just to burn you. Sometimes I also do this on purpose: I'll let the small mismanagement slip and then make a major s*t storm about that. A hotel room cleaner found a diamond ring in the room. Didn't report it as being found. - Burned. Inventory got too much of something, you forgot to report the extra. - Burned. Too much cash at the end of day? Didn't report that? - Burned. 'Stupid customer' overpaid for something? - Burned. These tricks are especially useful when there's preexisting suspicion and the setup is there just to confirm it. This is just the simplest form. There are many much more advanced tactics. Yet at times, it's hard to tell if they're that devious or stupid. Anyway, in either case, the thing they did wasn't the right thing to do.
  • It's just like the many signature verification issues we've seen. The programmer DOES verify that the cryptographic signature is valid, but they don't verify that the signature belongs to the request maker or an authorized user, etc. It's just stupid. That classic XKCD: to verify that an email is authentic, check that it begins with -----BEGIN PGP SIGNED MESSAGE-----; if so, it's all good. It would also be very interesting to test the security checks above. What kind of documents would they allow to pass? Would it matter if the passport / ID card were expired, and so on? I'm pretty sure the checks suck on multiple levels. Unfortunately I don't think it would be a good idea to test these checks with forged documents, even if I had valid documents on hand. - But it would still be interesting. Oh, you didn't like my fake passport (this time), here's the real one.

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Is it really so hard to check a signature?
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2

    iF4EARYIAAYFAlgxcwkACgkQ/NTQawK41Cox+wEA025HgvdwFpk1XP0h1ytAj7aO
    V0VkBEJMDEAHcFrCmkQBAPWOZsP1ylxxozWYp0nNrGjwAODdy8A/LZmEZWGGupsI
    =d0vt
    -----END PGP SIGNATURE-----

  • The post about fake news on Facebook. So what? If people like and share fake news, it's good business for Facebook. Who really cares if those news are true or not? If they're a tech company and not a media company, why would they care about that? It's a bit like drugs: people claim that drugs are bad and dangerous. Well? If that's true, why do people then go and get more? I'm pretty sure it's not because the drugs are bad and dangerous. If those would be so bad, they wouldn't do such stuff ever again. - This is just my "tech company" view of the "drug problem" and information. People love fake news, and that's how businesses make money, and isn't it as simple as that?
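
The signature-verification mistake from the bullet above (the signature is valid, but nobody checks whose it is or what it covers), shown as an added example that is not code from the original post. The key ids, the `AUTHORIZED` policy and the request format are assumptions, and HMAC-SHA256 stands in for a public-key signature so the block runs on the Python standard library alone.

```python
import hashlib
import hmac

# Constructed demo keys. HMAC-SHA256 stands in for a public-key signature;
# the checks around it are the same for a real signature scheme.
KEYRING = {"alice": b"demo-key-alice", "mallory": b"demo-key-mallory"}
# Hypothetical policy: which key ids may authorise which action.
AUTHORIZED = {"transfer": {"alice"}}

def canonical(request):
    # Bytes that a signature must cover for this request.
    return f"{request['user']}|{request['action']}".encode()

def sign(key_id, data):
    return hmac.new(KEYRING[key_id], data, hashlib.sha256).digest()

def signature_is_valid(key_id, data, sig):
    if key_id not in KEYRING:
        return False
    return hmac.compare_digest(sign(key_id, data), sig)

def accept_flawed(request, signed_data, key_id, sig):
    # The mistake: any known key signing any data counts as approval.
    return signature_is_valid(key_id, signed_data, sig)

def accept_checked(request, key_id, sig):
    # 1. The signature covers the request actually being processed.
    # 2. The signer is the user named in that request.
    # 3. That user is allowed to perform the action.
    return (
        signature_is_valid(key_id, canonical(request), sig)
        and key_id == request["user"]
        and key_id in AUTHORIZED.get(request["action"], set())
    )

def demo():
    req = {"user": "alice", "action": "transfer"}
    other_sig = sign("mallory", canonical(req))  # valid signature, wrong signer
    own_sig = sign("alice", canonical(req))
    return {
        "flawed_accepts_wrong_signer": accept_flawed(req, canonical(req), "mallory", other_sig),
        "checked_accepts_wrong_signer": accept_checked(req, "mallory", other_sig),
        "checked_accepts_genuine": accept_checked(req, "alice", own_sig),
    }
```

The flawed check is the airport ID desk: it confirms that some document is genuine, while the checked version ties the verified identity to the request that is actually processed.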