
TSA Doesn’t Care That Its Luggage Locks Have Been Hacked - frostmatthew
https://theintercept.com/2015/09/17/tsa-doesnt-really-care-luggage-locks-hacked/
======
spilk
The most secure way to transport goods in checked bags is to fly with a
checked firearm. You are required to lock a firearm in a hard-sided case with
locks that only you have the keys to -- TSA approved locks are not allowed.
You are allowed to lock whatever else you want in these cases too. They are
screened more closely and if they can't determine contents with an x-ray they
will ask you to open the locks in their presence. It's a tradeoff for
convenience, for sure, but it's the only way to travel with securely locked
baggage.

~~~
fiatmoney
You don't even really need a firearm; a starter pistol, or probably even a
flare launcher, would suffice.

~~~
jeff_marshall
Be careful with this advice - If the TSA considers an item a firearm, local
law enforcement may as well. If you are traveling to a place where firearms
are restricted, you could end up facing penalties for possesion that don't
discrimenate between "starter pistol" and "real pistol"

~~~
vvanders
Yeah, I seem to recall a few stories of people getting in trouble traveling
_through_ states where this is an issue(I think the state in question was New
York) via a connecting flight.

~~~
OopsCriticality
It happens in New Jersey too. What typically happens is there is an unexpected
layover (say, due to weather), so the victims take possession of their luggage
(with firearm) without malicious intent when they go to a hotel, and get
arrested the following morning when checking in. In that situation, the proper
(only?) course of action is to refuse to take possession of your checked
luggage.

While traveling through a state, one is supposed to be protected by FOPA [0].
An uncharitable (technically correct but against the spirit) reading of the
law is used by New Jersey and New York to harass gun owners, as in this case
and in other more egregious cases.

[0]
[https://en.wikipedia.org/wiki/Firearm_Owners_Protection_Act](https://en.wikipedia.org/wiki/Firearm_Owners_Protection_Act)

~~~
danieltillett
Is a gun that has been permanently made inoperatible considered a firearm in
NJ and NY? Could you travel with something that looked like a gun by X-ray,
but in fact was harmless?

~~~
OopsCriticality
I can't speak to the ultimate legality of your idea, but I would guess that
one would be arrested and it would be up to your lawyer to demonstrate that
you were acting within the bounds of the law (if you were).

To your first question, I think it's fair to say that both NJ and NYC (and
because of NYC, NY to a lesser extent) are generally perceived as being
hostile towards firearms and general weapons ownership. If I were to predict
states that restricted possession of an inoperable or antique firearm, NJ and
NY would be at the top of my list, in that order.

To your second question, the appearance of the object has no bearing on it's
legal status as a firearm (laws prohibiting look-alike objects
notwithstanding). A pistol frame or lower receiver, incapable of being
anything but a paperweight without all the other parts, is a firearm for legal
purposes and would get one busted in the same manner as if it were a
completely operational firearm.

Weapons laws are nuanced, pedantic, and frustrating. Frequently, they make no
rational sense.

------
eli
Look, I get how it's an amusing and poignant metaphor for what a bad idea key
escrow is, but we all know that (unlike strong encryption) dinky luggage locks
never provided any meaningful security in the first place. I pulled one apart
with my hands once when I lost the key. You definitely don't need bolt
cutters.

The outrage at this "spectacular failure" feels a little insincere. You want
to convince me the government can't keep sensitive data secure, the OPM hack
is closer to the mark.

~~~
yifanlu
The outrage isn't that your luggage can be stolen now. The outrage is that a)
the government felt that it needed to invade the privacy of our luggage for
security; so they made these master keys (yes, you can pull them apart with
your hands, but provided the TSA doesn't regularly go through luggages, a
broken lock is a quick way of telling someone's been through your stuff and
you can take action appropriately) and b) it's been revealed that these keys
can easily be obtained and the government does not care--showing the broader
problem of what happens when you compromise privacy for "security".

~~~
kabdib
We could have locks with seals. So the TSA could open them, but you could
always tell that _someone_ had opened them. Bonus points for re-sealing with a
verifiable tag of some kind.

Ultimately it's pretty pointless, since your luggage can simply be stolen, or
hacked open with a knife.

I've always treated the locks as part of the security theatre. Utter nonsense
that probably got someone promoted because it sounded good. If someone at TSA
said, "Hey we need to do something, _anything_ , just so we look like we're
doing something," then pointless toy locks are not all that damaging compared
to other possible "somethings" they could have stuck us with.

The TSA truly needs to go.

------
ck2
Because everyone knows it is security theater.

Plus stealing from luggage is a major source of income for TSA employees, they
are caught every few months but they keep doing it - so for every one caught
you know there are hundreds not caught and management knows this.

[https://google.com/search?q=tsa+stealing](https://google.com/search?q=tsa+stealing)

Remember how corrupt TSA employees are the next time you see a story on the
news about how corrupt officials in another country are...

~~~
bproctor
I agree with you that the TSA is a joke, but as someone who worked as a TSA
agent before, I never stole anything, nor to the best of my knowledge did
anyone I worked with steal anything. Stealing, in fact, would be kind of
difficult, even in the baggage rooms. I think "a major source of income for
TSA employees" is a pretty gross exaggeration of the truth. For the most part,
TSA employees are just a bunch of regular people trying to make a living, just
like everyone else.

------
JshWright
Why does anyone bother with locks on luggage secured with zippers?

[https://www.youtube.com/watch?v=tbpKhHwwtiY](https://www.youtube.com/watch?v=tbpKhHwwtiY)

~~~
miahi
There are zippers that cannot be closed like that - the zipper keys lock is
fixed on the bag[1]; you can open it with a pen, but you cannot close it again
- so you can see that it was tampered with.

[1]
[https://www.youtube.com/watch?v=7t5MPTpy3xU](https://www.youtube.com/watch?v=7t5MPTpy3xU)

------
2bluesc
One thing I always wondered: why inclined people couldn't buy the four locks
and mechanically reverse engineer them? Could someone not disassemble the lock
and see where all the tumblers fit and iterate on a solution until they get
it?

I feel that the people that would exploit the 3D key files now floating around
the Internet could achieve almost the same thing anyways.

I don't think any sufficiently logical person ever thought that a TSA lock was
secure.

~~~
sergers
yea you could just go shopping and buy the range the locks which you can see
the lock key ID through the packaging. just purchase all variations... likely
people did this in past.

i never use luggage locks, i also keep my most valuable items in my carryon
rather than my checked bags.

the locks are useless. easily cut, easily opened using tools, TSA still had
access, now other people have access by copying the TSA keys.

if someone wanted to break into your luggage, they would have with or without
the key.

i have had hard shell luggage cracked open by just terrible handling, i once
had a lock/zipper got ripped off when it snagged somewhere.

i pack my luggage in a certain way and utilize tape in certain areas to know
if someone was rummaging through it at the airport.

there is no security/privacy for your luggage at the airport

------
cgriswald
The security theater of the TSA is indefensible.

However, I found the article dubious. The only source for Mike England's
alleged response is an email to _The Intercept_. While I am not calling the
author a liar, I am skeptical that the response was placed in context.

> Clarification: An earlier version of this story incorrectly reported that
> hackers had broken into Travel Sentry’s internal website.

This is a particularly egregious error in reporting and suggests, to me, very
sloppy reporting. So, without seeing the actual content and context of the
email, including perhaps, the email which prompted the response, I am
reserving judgment as to whether or not what has been reported is true to what
the TSA actually meant.

It certainly wouldn't surprise me to hear the TSA responded in that way, but
that doesn't mean that's what's actually happened.

------
tene
I used to have a bit of an interest in recreational lock picking. I had a few
TSA-approved locks that I liked to use as demonstrations to friends, because
they were so trivially easy to open. They would pop open after just a few
seconds of jiggling anything at all around in there, so they were great at
building people's confidence that they could learn to pick locks, and that
locks are just puzzles, not magic.

This is the only time that I've ever considered the TSA locks to be useful for
anything at all.

------
cryoshon
There are a few unfortunate truths here:

1\. The TSA is invasive security theater operated on the principle that the
most effective placebos are those with tangible side effects, namely body
scanners and palpable tension at ultra-vulnerable (targets in and of
themselves) security checkpoints.

2\. The TSA is a country-scale jobs program for poor, unskilled, and
unemployable people who might otherwise join disruptive political groups that
promise more resource redistribution.

I think the first two points are reasonable if not explicitly provable, but my
third point goes off the reservation a bit:

3\. The TSA-friendly luggage locks are one of many overt acts of submission
that the members of the public undertake in order to travel with speed; there
is no incentive for the locks to actually work or be secure, as their primary
purpose is to symbolize obeisance. I imagine this may be the case because the
TSA-friendly luggage locks are jokes to begin with, as anyone with a common
file, rudimentary lockpicking skill, or bolt cutter could pop them open in
mere moments... not to mention the misbegotten troglodytes who actually have
the master keys and help themselves whenever it suits them.

~~~
2bluesc
> 2\. The TSA is a country-scale jobs program for poor, unskilled, and
> unemployable people who might otherwise join disruptive political groups
> that promise more resource redistribution.

This is a pretty mind blowing perspective.

~~~
cgriswald
From a historical perspective, it's not that mind-blowing. Most of FDR's work
programs were designed not just to get people working, but to prevent open
revolt.

What is mind-blowing, to me, is that the program provides no service. FDR's
programs did, and we still benefit from those programs today (exhibit A:
national parks).

~~~
Turing_Machine
I've often wondered if the rural location of many of these programs (the CCC,
many of the WPA projects) was chosen specifically to get men out of the cities
so they would be unable to participate in riots.

------
russdill
The article seems to me an admission that the locks were never intended to
secure anything and just there to make people feel better. At least the TSA
understands that not only are the locks unsecure now, they never were.

------
TheSpiceIsLife
> _In a spectacular failure of a “back door” designed to give law enforcement
> exclusive access to private places, hackers have made the “master keys” for
> Transportation Security Administration-recognized luggage locks available to
> anyone with a 3D printer._

Surely this doesn't require a 3D printer. The right key blank and a set of
needle files should do the trick, or should be able modify an off the shelf
key.

I suppose saying it can be done with a 3D printer makes it all seem more
dramatic.

------
limaoscarjuliet
Most bags can be opened and closed with a ball point pen _WITHOUT A TRACE_
completely bypassing any locks.

[https://www.youtube.com/watch?v=wpIJVWXsBBI](https://www.youtube.com/watch?v=wpIJVWXsBBI)

------
noonespecial
I think its fantastic. Now when people bring up the fact that the government
needs backdoor access to encryption to fight "terrorism" I can just point to
how well they manage these things in practice.

------
DanWaterworth
The best advice I've seen is to secure your bag with a cable tie, then you
tell whether anyone's been through it.

~~~
qb45
These can be quickly opened with a narrow flat screwdriver. But they probably
wouldn't bother with it in practice.

~~~
toomuchtodo
The goal is not to secure the luggage; its used as tamper evidence.

~~~
colanderman
The point being, once opened non-destructively (with a screwdriver), cable
ties are easily re-closed, leaving no trace of tampering.

------
hexscrews
If you REALLY, REEEALLLY need the things with you, you could always do
something like UPS with signature and insurance. Make the insurance level
something like 3x the value of our items and you should be good.

------
loopdoend
Who cares? These locks could be cut with tweezers. Manual baggage inspection
notices could be faked regardless. Pure noise.

------
awqrre
I thought that the key's images were posted online by a TSA employee that
didn't know any better...

