Update: Version 1.1.0 can be found via PDF here. This is Version 1.0.0 on this page currently.
Here are my intended contents of how I’ll set up and arrange the next few posts, hyperlinked once they’re done since it’ll take me a while. Things may change or get re-arranged later. Over time I’ll go back to add in more sources and links for folks and to also avoid legal issues. After all I’m working off of my CFP which was detailed but it wasn’t everything. Feedback, comments, suggestions, and more can go to my Twitter.
This is much more in-depth than I’d have gone most likely in a talk so I’m kind of glad things happened the way they did. Do feel free to skip to the bottom of this post to begin the actual content.
While I state this at the bottom too I’m stating up here too that everything here on this page was done either in research, observance, Google-ing, and no SSI.
If folks actually enjoy this series I’ll do it for other areas of the airlines. Thanks all.
- Why I’m writing this now
- Who I am
- Key airline lingo, various agencies and departments, issues that prohibit or make it really difficult to talk about security issues or mess around in the airlines, some info on legacy systems
- Things to know about airlines
- Airline Culture and Common Issues
- Inner Airline Employee Views and Issues
- Fun things observed
- Passenger walk through
Why I’m writing this now
Back in March I intended to submit a CFP to DEF CON on airline security. Why? I absolutely love airlines and air travel, want to help fix it, and I wanted to see if I was capable of writing something that could be presented on a stage. Especially with it being my fifth year of DEF CON this year. It was a challenge to myself.
At first it was a solid two dozen or so pages scattered pretty much in every direction possible because I really want to help with every area I saw issues in. Then I did a Twitter poll asking what folks would be more interested in. From there I narrowed it down to twelve or so pages then began asking folks to review it.
Thank you to all the folks in my life from the airlines who’ve been amazingly supportive of me from the very first day I joined the airlines, laughing about airline things with me while I wrote the CFP, giving me pointers and tips, and overall for being in my life. I love my airline family dearly.
To all those who read and reviewed my CFP thank you, thank you so much. I appreciated all of you folks being honest with me. Of course there were mixed reviews and debate on the length of how long my proposal was but otherwise it was a good first exposure to working on one.
It was after I got the following final review from a wonderful peep in the DEF CON CFP review board (who would have to of course omit voting on mine had I submitted it) that I decided, with all other potential issues legally with it, to not submit.
So why now?
Today has been a hard day to cope with. A former best and close friend of mine died by suicide just over a month ago right at the beginning of Pride Month which also happens to be the day I came out as a trans individual three years prior. She would have been 20 years of age today.
I need to do something today for myself to feel productive. This is something I am deeply in love with, something I’m motivated to do and happy to talk about nonstop even when I’m feeling really sad. So that’s it.
Actually, not completely. I can’t do this alone to fix the problems. They won’t listen to just one voice.
So hopefully you’ll speak up too.
Happy birthday, Eileen, I love you so much.
Who I am
Hi hi, I’m Avi. I love rabbits, cheesecake, and cute things like prime numbers, triangles, half diamond lock picks. Airlines are very 3cute5me. I have an odd habit of ending up working at places where I’m rather obsessed with figuring out how things work, where the systems in place fail and why, and find more cute things inside of it to obsess over.
That included the airlines.
I worked from 16 March 2015 to 16 March 2016 officially in the airlines.
I started out as a customer service ticket counter agent. I was pulled a week or two later to replace the outgoing person who was the station training compliance coordinator so I took over while also becoming for two months the primary station ops agent. I also got recruited and became an emergency response team member and then became the emergency response coordinator maintaining emergency plans and the business continuity for my station.
Outside of other things I was the baggage service champion for my station, was the primary cargo acceptance agent, became an instructor for cargo and new hires. I was also tasked with the transition workforce wise of the legacy system to the new system at my station which was hilarious to me since I loved and never stopped using the legacy system. I’ll explain why later.
At one point I handled and did the regional safety minutes and reports for my region. Oh yeah and I also got to deal with all of the IRROPs like that one diverted flight I got alone at night while also working on two of my own delayed flights. IRROPs loves me and I loved IRROPs, too.
If there’s any interest of what my personal daily workflow used to look like I’d be happy to break it down. If there’s one thing I’m rather pleased with myself on it’s my time management.
So there’s my experience. If it isn’t enough for you to keep reading further because you think I’m not qualified enough please feel free to stop here.
Even if you’re a frequent flier or are in the airlines and feel like you already know all of the linguistics of the airlines I recommend double checking with the following examples to make sure we’re on the same page. If you’re new to the entire concept of what the heck happens once you enter through the airport doors this is a requirement to understand this series.
I’m sure I’ll be adding more necessary vocabulary here over time, feel free to reach out to me any time if I say something you don’t understand.
- PNR - Passenger Name Record
  - This is the 6-digit alphanumerical thing you go, “This is my reservation number cool,” at in your e-mails or on your boarding pass. That’s actually not the case, PNRs are really only there to store information. Assuming you are ticketed correctly it contains all of your flight segments, your name, phone number, etc. Also any notes and logs from the system related to your PNR. Make sure you have an eTicket attached to your PNR as described with eTickets.
- eTicket
  - What actually matters on your boarding pass. If your boarding pass doesn’t have a 14-digit number on it your PNR is out of sync and needs to be resynced. Oftentimes an issue with whoever booked your flight (tends to happen to military a ton I saw) where you’ll think everything is already set and done but they never sent the payment into the airline so you don’t have any eTickets.
- APIS - Advance Passenger Information System
  - This is part of the TSA’s Secure Flight Program. This is for international travelling.
- Non-revs/NRSA - Non-Revenue Seat Available
  - Someone who is a non-rev is either an employee, family member, or has a buddy pass from the employee. This is how folks with flight benefits fly for leisure.
- Positive space/NRPS - Non-Revenue Positive Space
  - Someone who is employed by the airlines and is flying for business related issues related to their airline. Typically you’ll see folks like deadheads under NRPS, people going to training, conferences, etc.
- Deadhead
  - A flight crew member flying to another city to go to work. For example you may deadhead a crew to a different city so a flight can leave, if you don’t have a deadhead crew going there there won’t be a crew that can fly that flight.
- Crew/Flight Crew
  - When I refer to crews or flight crews I intend to say that they are the pilots and flight attendants to distinguish. If I am referring to other types of crews (e.g. below the wing crew) I will preface ‘crew’ with whatever specific group I am targeting.
- ATW - Above the Wing
  - This covers all employees who work essentially “above the wing”, aka they are the customer service agents at the ticket counter, the gate agents, the main station supervisors, and more.
- BTW - Below the Wing
  - If you can understand “above the wing”, it’s the same here too. Aka anyone “below the wing” includes ramp agents, station ops agents (because they must be by the ramp to see what’s going on and communicate to pilots, dispatch, fuelers, etc), etc.
- Contract of Carriage
  - Any ATW airline employee by law must be able to define this to you whether by pointing you to the website or a mini brochure version of it. This is what sets the rule for everything legally for them.
- Restricting/Unrestricting Flights
  - If you still refuse to check-in online (or your airline doesn’t allow online check-in) you’ve maybe experienced getting to the ticket counter too late. You missed the cut off time. This is stated in each airline’s Contract of Carriage at what time that is (typically anywhere from 30-45 minutes prior to flight departure time for US domestic). So what happened? They ‘restricted’ the flight at the gate, aka to a single machine. Essentially they are the only ones able to now ‘touch’ this flight whether it be passengers on it, etc. Sometimes they might be nice to you and ‘unrestrict’ the flight so you can check in. But at a hub? (Essentially…) Never.
- Closing/Opening Flights
  - You may have heard this one before but say for example your flight has to come back to the gate and deplane/is allowing passengers that choose to to deplane. The gate agent will have to ‘reopen’ the flight (might hear on the radio, “Re-open that flight,” if you’re in the gating area listening to this) allowing passengers to re-scan their boarding passes to be “off” the flight. When a flight departs they ‘close’ the flight, aka nothing can be altered from this point on. It’s set, it’s done, good bye. This is all really serious as benign sounding as it may be because it all relates to the passenger flight manifest.
- Passenger/Flight Manifest
  - There is a manifest for every single flight. There are various versions of it akin to “light” or “minified” manifests but essentially it must have everything on that flight on it. In the event of a crash or emergency this is automatically the first thing to be guarded and secured.
Important agencies to be aware of
Department of Homeland Security (DHS), Transportation Security Administration (TSA), Department of Transportation (DoT), Federal Aviation Administration (FAA), International Air Transport Association (IATA), etc.
There are countless more whether by local municipality level, city level, state level, and so forth. If you really want me to add one I didn’t list here let me know and I’ll do it.
All of them are crucial and create various rules that airlines must abide by and follow. Which oftentimes means that they make a checklist of things they must do and so airlines will do things until they’re told not to do that anymore. Things change sometimes on the daily for airline folks with what they’re told to do which doesn’t help at all confusion wise. Sometimes it may be even conflicting with the other rule or thing they were told.
While I’ll go super into depth on this later this is a massive weak point and flaw, especially as someone who has seen this first hand by making sure folks did their training.
Issues that make it hard to talk about airline security
Once you start talking about security issues in the airlines whether you’re a researcher or someone who notices things you’re walking on really fragile ice. Which I’m officially on now I’m sure and why I made sure that everything I said could be backed up by public information whether it be Wikipedia articles to Google with folks-
Anyways. The largest issue for me to talk about this as a former airline employee is Sensitive Security Information (SSI) - 49 CFR §1520.5(b). The shorthand for the entire scary nature of it to airline employees is “a need to know basis”.
Essentially if it’s required in your job duties to know something, you have to know it. Otherwise you shouldn’t know it. Any document that has SSI on it clearly states on it that it has SSI. If you have SSI it must be secured (if you find a document with SSI on it openly at the airport huzzah, that’s super cool! But also totally oh noes for whoever left it).
I really want to talk more about this but I’ll go on it more later with whenever I get to airline employees and airline culture. To get a taste of it, though, for myself as an example I had a lot more exposure to things with SSI due to having to, well, do and know everything. Some things that seem fairly blatantly clear if you’re observant as a passenger and talk about it openly are actually SSI for airline employees.
Maybe this wasn’t the greatest idea to do this but here goes nothing.
Other issues outside of SSI at this point are simply nondisclosure agreements and whatever else you sign when you go work somewhere like the airlines. The FBI has my fingerprints now which I’m not exactly happy with but it’s the deal I agreed to.
Finally, to conclude this brief (if you consider this long oh boy, I could have seriously gone into depth on this believe me) introduction, I’m officially saying from this entire page and whatever page I have from here on out about this: everything I am saying was done either in research, observance, lots of Google-ing, there is no SSI, etc.