I'm at the Saint Louis International airport (STL), waiting to board on my flight back to Dallas. I have just experienced another stupidity of the airport (in)security procedures. This post is not about software, but software security and "physical" security depend on each other.
It's an American Airlines flight. You can usually do the check-in procedure online, and print the boarding-pass yourself before heading to airport. This is a welcomed service, but this time it gave me an error, something like: "Sorry, you cannot check-in online, please see an agent at the airport".
No big deal. At the airport I used one of the automated kiosks to print my boarding pass. And it worked, without the need of an agent.
I proceeded to security screening. The TSA officer highlighted a "SSSS" imprint on the lower-right corner of my boarding-pass and said: "you've been randomly selected for additional screening, please come this way...".
I couldn't believe it!. They randomly selected me for screening, but they warned me about it in advance!... I mean, now I (and you) know that if a passenger gets a quadruple-"S" code it means he/she will get additional screening!
I asked the TSA guy how could the process be so flawed. He replied that he understood my concern, but he was not responsible for defining the process and couldn't give me his opinion. Later, I asked one of the American Airlines agents:
agent: "Well, yeah... but most people don't know that the SSSS code means they'll be screened." me: "Sure, but most people are not terrorist either. And I bet ALL terrorist DO know about this SSSS-joke" agent: "yeah, I know... the whole process is so stupid...".
I'm all for random security screenings and checks, but please, don't tell the passenger in advance! The random selection should be done right there, at screening time, and not before.
What's more, you don't need to go to the airport to know you have high changes of being picked for additional screening: if the online check-in refuses to let you in, you will probably get the infamous quad-S code.
More stupidity: This actually happened first on my Dallas-to-Saint Louis segment of a round-trip. Now I'm returning to Dallas, and I got the exact same thing: no online check-in allowed, got the boarding-pass with the SSSS code at the kiosk, and was "picked" for additional screening. Talk about "surprise factor" :-).
Later, I googled for "SSSS" and found it stands for Selected for Secondary Security Screening, and it's nothing new. It's been there for years, and even the Department of the Interior warns about it!.
For those interested in security topics in general (and computer security in particular) you should subscribe to Bruce Schneier's newsletter and/or blog. A simple search for TSA on his blog finds more than 80 articles about the questionable effectiveness of the TSA, and the millions of dollars they are burning.