On Sun, 07 May 2006 12:53:41 -0400, "Perry E. Metzger" <[EMAIL PROTECTED]> wrote:
> I got this pointer off of Paul Hoffman's blog. Basically, a reporter
> uses information on a discarded boarding pass to find out far too much
> about the person who threw it away....
>
> http://www.guardian.co.uk/idcards/story/0,,1766266,00.html
>
> The story may be exaggerated but it feels quite real. Certainly I've
> found similar issues in the past.
>
> These days, I shred practically anything with my name on it before
> throwing it out. Perhaps I'm paranoid, but then again...

I read the article. What bothers me is the focus on CAPS II, Secure Flight, and all the other US government-mandated initiatives. I saw nothing in it that seemed in any way related to security. Every one of those database entries could have been there -- and probably were there -- for the convenience of airline passengers. In particular, I'm referring to the ability to check in online and print your own boarding pass. For business travelers who use only carry-on baggage, it's a *major* timesaver. I've been on flights where I had to wait 45-60 minutes (or more) just to get my boarding pass, independent of any security screening.

Passport numbers? I've always had to present my passport when checking in for an international flight; the difference now is that I see what's happening. (Yes, US immigration is fussier about passport and customs inspections than most other countries I've visited -- but in my personal experience, that dates back to 1971. It's also less fussy about emigration -- I remember having to listen to fundamentalist religious preaching from an Australian emigration officer some years ago.)

The real point here is carelessness with access controls. *That's* what we have to fight. It's certainly better if databases don't exist; as I said, I think that these exist because of customer demand, not government mandates.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb