Congressman Calls for Arrest of Security Researcher

Posted by Zonk on Fri Oct 27, 2006 06:28 PM
from the that's-a-pretty-cool-project dept.
Christopher Soghoian writes "Yesterday, I published a tool that allows you to Create your own boarding pass for Northwest flights. This was an attempt to document the fragile and broken state of identity/security for domestic flights in the US. Today, Congressman Markey (D-Mass) has called for my arrest." From the ABC article: "'I don't want to help terrorists or help bad guys do bad things on airplanes, but what we have now is what we in the industry call security theater. It's made to make you think you're secure without actually making you secure,' Soghoian said. 'As a member of the academic research community, I consider this to be a public service.' Soghoian admits that he hasn't actually tried to use one of the boarding passes yet."

Related Stories

[+] News: FBI Raids Security Researcher's Home 516 comments
Sparr0 writes, "The FBI has raided the home of Christopher Soghoian, the grad student who created the NWA boarding pass site. Details can be found on his blog including a scanned copy of the warrant. The bad news is that he really did break the law. The good news is that Senator Charles Schumer did it first, 19 months ago, on an official government website no less. The outcome of this trial should be at least academically interesting. At best, it could result in nullifying some portion of the law(s) that the TSA operates under." Read on for Sparr0's take on what laws may apply in this case.
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • by mbstone (457308) <michael@b@stone.att@net> on Friday October 27 2006, @06:31PM (#16616518) Homepage
    The prosecutors would never file a criminal case, because it would be quickly thrown out on First Amendment grounds? Wouldn't it?
    • by Tackhead (54550) on Friday October 27 2006, @06:36PM (#16616578)
      > The prosecutors would never file a criminal case, because it would be quickly thrown out on First Amendment grounds? Wouldn't it?

      Much like the guy who looks at your boarding pass, you're trusting your life to something that's just a goddamn piece of paper.

    • by finkployd (12902) * on Friday October 27 2006, @06:42PM (#16616640) Homepage
      Clearly you do not understand that we are at war. Anything that the Whitehouse defines as terrorism related or critical to our war effort is off limits to your constitutional whining. To suggest otherwise indicates that you clearly need some waterboarding, you filthy enemy combatant.

      Finkployd
    • The prosecutors would never file a criminal case, because it would be quickly thrown out on First Amendment grounds? Wouldn't it?
      Well, look at it like this: because he published this, he is both an enemy combatant and a terrorist. Therefore, he has no habeas corpus protection. Therefore, they can just come around, pick him up, and toss him in some cell somewhere, and never have to tell anyone.
      • Re:not likely (Score:5, Informative)

        by kfg (145172) on Friday October 27 2006, @06:45PM (#16616684)
        Otherwise, you know, you couldn't be prosecuted for faking a bill of sale for a car, or a life insurance policy, or printing counterfeit currency, or most other forms of fraud that involve a printed document -- and you surely can.

        I just created a fake bill of sale for a car. I have committed no crime, because I have not proffered it as genuine to anybody.

        Fraud is a crime of intent.

        KFG
      • Re:not likely (Score:5, Insightful)

        by finkployd (12902) * on Friday October 27 2006, @06:46PM (#16616702) Homepage
        No, you can be prosecuted for attempting to pass these off as real, but not just printing them (well, in the case of money that may not be true). Obviously, this guy was not encouraging people to print them and break the law and threaten national security, he was attempting to make a point about how silly our pseudo-security efforts regarding airlines are. In the collective mind of the federal government, educating the public just how ineffective most security measures are is probably the more dangerous scenario though.

        Finkployd
          • Re:not likely (Score:5, Informative)

            I suspect very strongly that in the case of money, simply having the means to create counterfeit bills will probably land you in a whole heap of trouble.


            This is why every American should immediately go visit FIJA [fija.org] and learn the truth about serving on a jury. Hint: you can judge the law as well as the facts, and juries ARE the "last line of defense" against oppressive government / bad laws. See Jury Nullification [wikipedia.org] and/or Peter Zenger [wikipedia.org] for more.

            If I'm ever serving on a jury, I can guarantee you that I won't be voting to convict in any "victimless crime" situation, or anything where somebody is being charged with violating some bullshit law. Hung jury or acquittal, here we come.

        • Re:not likely (Score:5, Insightful)

          by Fulcrum of Evil (560260) on Friday October 27 2006, @06:50PM (#16616770)

          Come on, security researchers, you know what the political climate is! Is there no other way to point out that something may be easily forged besides actually creating a tool to forge it!?

          No, because anything less will be dismissed as fearmongering.

          • Re:not likely (Score:5, Interesting)

            by UbuntuDupe (970646) on Friday October 27 2006, @07:09PM (#16617046) Journal
            Conservative/Libertarian radio talk show host Neal Boortz ran into the same thing. (According to a story he regularly tells) He told some airline, Delta I think, that the security check in procedures were too lax. They ignored him. After he was fed up with that, he made a bet with the head of security, then dressed up like a pilot, got waved through a checkpoint, and once on a plane, he got out his cell phone and called the head of security to let him know he got through.

            Don't know what became of that. (This was long before 9/11.)
        • Re:not likely (Score:5, Insightful)

          by thePowerOfGrayskull (905905) on Friday October 27 2006, @07:08PM (#16617038) Homepage Journal
          Is there no other way to point out that something may be easily forged besides actually creating a tool to forge it!?

          Come on software security researchers -- is there no other way to demonstrate exploits in Internet Explorer than to actually create and release the exploit code?!

          I mean seriously -- isn't this the same question in a different wrapper?

          • by jadavis (473492) on Friday October 27 2006, @11:50PM (#16619294)
            There must be some hidden reason for the seemingly obvious misjudgment.

            More like a misconception. This country really needs more so-called conservative justices. By "conservative", I don't mean conservatives pushing their agendas from the bench (like O'Connor), I mean justices who follow the Constitution (like Scalia).

            It's no surprise that Kelo went the way it did. Your thinking is that "liberals are for the little guys, conservatives for business". But, in reality, having the power of central planning is crucial to the liberal agenda. Kelo was exactly what the liberals needed: the power for government officials to confiscate your personal property in the name of a "greater good" by calling it a "public purpose" (not public use, however, as the 5th Amendment says).

            Scalia, on the other hand, follows the Constitutional principle that the federal government can only regulate interstate commerce ("commerce among the states," as is in the Constitution). Using that principle, it would be Unconstitutional for the federal government to prohibit the growing of Marijuana on private property. States could still outlaw it, of course, but the feds couldn't do a thing. Does that sound "conservative" to you? Nope, but it is what the Constitution says.

            This is not about your party, the Constitution gets in the way of BOTH parties, but it's not for the parties, it's for the PEOPLE. So back the Constitution, because it's just in the way of the Democrats and the Republicans. It's time for both parties to face the hard truths: you can't execute unwarranted searches (too bad, GOP). And Democrats: stop trying to control guns, unless you want to try to pass an Amendment. The Constitution says these things, plain and simple. Oh, and when you get a chance, read the 10th Amendment, too.

            Right now the idea that we are following the Constitution is a joke. We cling to a few scraps of the Bill of Rights, and ignore much of the rest of it. Congress "Authorized the use of force"?! What is that supposed to mean? What about a declaration of war? Meanwhile the Supreme Court passes arbitrary edicts fabricated out of thin air, like "privacy" meaning that it's Unconstitutional to ban abortions. I don't think it's a good idea to ban abortions, but why did 9 people make that decision for the entire country, when it's clearly a state issue?

  • Newark (Score:5, Insightful)

    by From A Far Away Land (930780) on Friday October 27 2006, @06:34PM (#16616550) Homepage Journal
    Listening to the radio this morning, they said Newark airport staff failed 20 of 22 tests involving guns and bombs being smuggled past security by undercover agents. Airport "security" is a joke, and a distraction from real issues. When they stop taking away your toothpaste and maple syrup in the carry-on luggage, maybe then I'll take something about airports seriously again.
  • by pjt33 (739471) on Friday October 27 2006, @06:35PM (#16616566)
    It's astounding that Markey thinks that the website which prints fake boarding passes is creating a loophole. Politicians may not have a grasp of technology, but it only takes common sense to see that the loophole exists independently of any specific tool which creates the document to exploit it.
  • but of course (Score:5, Interesting)

    by Phantom of the Opera (1867) on Friday October 27 2006, @06:38PM (#16616598) Homepage
    This whole homeland security mindset is not one of rationality. It is one of panic. There is an element of OMG - he's giving the badguys ideas. This call to arrest him is probably more along the lines of OMG - he's giving passengers the idea that they are unsafe. It isn't the issue whether they are unsafe or not, but making them feel that is going to have negative effects on the airline industry and get people jumpier. All in all, it's going to make going on a plane that much less pleasant.


    "The Bush Administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane," Markey said in a statement. "There are enough loopholes at the backdoor of our passenger airplanes from not scanning cargo for bombs; we should not tolerate any new loopholes making it easier for terrorists to get into the front door of a plane."


    One, shouldn't they already be on the lookout for fraudsters and terrorists?
    Two, this isn't a new loophole. It's been there a while folks.
  • Well (Score:5, Insightful)

    by finkployd (12902) * on Friday October 27 2006, @06:40PM (#16616624) Homepage
    The emperor generally does not like having his nudity pointed out. Many in government know they are bit players in a pointless security theater, but react violently when told that. I suppose they like to feel that what they do is important and useful (read TSA agents, pretty much the entire DHS, etc). After all, how would you like it if your entire job consisted of going through a dance routine designed to make the clueless public feel as though the government is doing something to keep them safe?

    I suppose Congress is a bit different, I have no problem believing most of them genuinely are clueless and believe wholeheartedly that keeping lighters, tweezers, and bottles of water off airlines is critical to our national security. They also seem to really believe that torture and massive surveillance is an effective way to combat terrorism, further displaying a total lack of understanding. The Republicans (at least those loyal to the Whitehouse) are in a unique position where they have to pretend all of this fluff is important, but somehow selling the ports to Middle East companies, looking the other way on illegal aliens, and ignoring Bin Laden to focus on the mess we created in Iraq are perfectly acceptable.

    Finkployd
  • by geekotourist (80163) on Friday October 27 2006, @06:42PM (#16616634) Journal
    I called up their Washington DC office. The person who answered didn't know about this issue and the call for an arrest. I made three points:


    1. Arresting the messenger doesn't help security- it makes people more afraid to point out security holes.
    2. Security holes don't shrink by pretending they don't exist
    3. Just before elections isn't the best time to make people in Silicon Valley rethink democrats on security. Markey has usually been thoughtful on security- he should rethink his policy of calling for arresting the messenger.

  • Impossible. (Score:5, Funny)

    by DAldredge (2353) <SlashdotEmail@GMail.Com> on Friday October 27 2006, @06:43PM (#16616652) Journal
    This is impossible. EVERYONE knows it is only those with a R after their name that wish to take away our rights and jail those they do not like.
  • by hondo77 (324058) on Friday October 27 2006, @06:43PM (#16616654) Homepage
    The 9/11 hijackers all had valid boarding passes. What do fake boarding passes have to do with security?
  • by thehossman (198379) on Friday October 27 2006, @07:17PM (#16617156)
    Background: my last name starts with the letters "Host"

    When southwest first started offering online checking, I discovered a small bug, when you got to the "Print your boarding pass" screen, with my name in all caps, the letters "HOST" were replaced with "southwest.com" ... so if your name was "Jim Hostenfeffer" it would appear on your boarding pass as "JIM southwest.comENFEFFER" ... I played with the site a little bit and found that it was a straight macro replacement bug of whatever domain name was used, so would say "JIM wWw.SOutHwesT.cOmENFEFFER" if that was the domain you typed into the URL bar.

    The first time it happened I thought it was amusing, I emailed their tech support, saved the HTML to a file and edited it so it had my name again and would match my ID when I checked in.

    4 or 5 flights and at least 9 months later it was still happening and I spent a good 3 hours on the phone being transferred around to different people trying to get them to understand what the problem was and how fucking ridiculous it was that I had to constantly "hack" my boarding pass because of a bug they'd had for months.
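
The macro-replacement bug described in the comment above, reproduced next to a hardened renderer. This is an added example, not part of the original post and not the airline's code: the template text, the `NAME`/`HOST` token scheme, the function names and the host allowlist are all assumptions made for illustration.

```python
import html
import re

# Constructed sample template: bare-word tokens, as the described symptom suggests.
TEMPLATE = "<h1>Boarding pass</h1><p>Passenger: NAME</p><p>Issued by HOST</p>"

# Assumed allowlist of hostnames the site is expected to answer on.
ALLOWED_HOSTS = {"southwest.com", "www.southwest.com"}


def render_naive(passenger: str, host_header: str) -> str:
    """Buggy: sequential whole-page replaces. The second pass also rewrites
    'HOST' inside the passenger name that the first pass just inserted, and
    it echoes the client-supplied hostname exactly as the client typed it."""
    page = TEMPLATE.replace("NAME", passenger.upper())
    return page.replace("HOST", host_header)


# Hardened variant: delimited placeholders, filled in a single pass.
SAFE_TEMPLATE = (
    "<h1>Boarding pass</h1><p>Passenger: {{name}}</p><p>Issued by {{host}}</p>"
)
_TOKEN = re.compile(r"\{\{(\w+)\}\}")


def render_safe(passenger: str, host_header: str) -> str:
    """Only the template is scanned for tokens; substituted values are never
    rescanned. The name is HTML-escaped and the hostname is normalised and
    checked against the allowlist before it reaches the page."""
    host = host_header.lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError("unexpected Host header")
    values = {"name": html.escape(passenger.upper()), "host": host}
    # A function replacement is inserted literally, with no further expansion.
    return _TOKEN.sub(lambda m: values[m.group(1)], SAFE_TEMPLATE)


if __name__ == "__main__":
    print(render_naive("Jim Hostenfeffer", "wWw.SOutHwesT.cOm"))
    print(render_safe("Jim Hostenfeffer", "wWw.SOutHwesT.cOm"))
```

The naive renderer lets request data rewrite the printed name, which is the field a document checker compares against ID; the hardened one keeps user data and template tokens in separate passes.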

  • by quincunx55555 (969721) on Friday October 27 2006, @07:40PM (#16617444)
    Dear Honorable Edward Markey,

    I just read about your response to Christopher Soghoian's findings regarding online printable boarding passes being easily faked.

    I have to say that I am appalled at what I am reading. Mr. Soghoian has found something that could allow terrorists to continue to harm Americans. This technique may have already been used, or plan to be used, but now we know about it and can do something about it.

    Why? Because Mr. Soghoian was kind enough to expose this security flaw. Punishing someone that has put this much effort into giving us the knowledge to save more lives is asinine.

    As a Quality Assurance Engineer, I know the importance of finding, and reporting, flaws. This man should be commended, not condemned.

    I think it would be wise as a senior member of the Department for Homeland Security to withdraw your previous statements as you have gained "an insightful perspective" on this issue after responses such as mine.

    Scaring others into not telling us where our security flaws are will only lead to more opportunities for our enemies. How can you not immediately see this?

    Or should I put you on the list of government employees that pretend like they care, but would rather play political games instead?


    Sincerely,

    Quincunx (real name used in the real letter)


    I encourage others to write as well. If we let him know his error, give him an "out", then maybe bullshit like this won't happen again. Here's hoping.
    Here's the send-an-email part of Honorable Edward Markey's web page [house.gov]
  • by klausner (92204) on Friday October 27 2006, @07:55PM (#16617574)
    Chris reports that the FBI is knocking [blogspot.com] on his door. The boarding pass generator [dubfire.net] is also (at least temporarily) down.
    • by panaceaa (205396) on Friday October 27 2006, @06:56PM (#16616866) Homepage Journal
      There IS brilliance behind his idea. Perhaps you didn't read it... but basically, you can fly on a fake identity without any screening of your actual identity.

      1) Go to 7-Eleven and buy a pre-paid credit card with cash using a fake name. This will be the name you fly under.
      2) Buy a ticket with this credit card.
      3) Print out an ADDITIONAL ticket for your real identity. He gives you an HTML form to do this.

      Now, show up at the airport. Go through security with the fake ticket... it will match your ID, but since it's not in any computer systems, they won't check to see if you're on the no-fly list. When at the gate, provide the ticket you actually bought. Nowadays you don't need an ID at the gates anymore -- just have your ticket scanned and hop on the plane!

      Now, I'm not exactly sure if you can check bags. If you have to go to the counter before security, they ask for your ID. But if you can avoid that (and you can now, as far as I know), you can fly on a fake identity.
    • by Blue Stone (582566) on Friday October 27 2006, @07:35PM (#16617384) Homepage Journal
      > Another politician calling for action in places without even thinking.

      Oh, he's thinking - about how scoring a cheap point by making himself look 'tough' on people perceivable as wrongdoers, will score him political points with an "Election Day drawing near".

      That's a politician's priority - exploiting the uninformed electorate by pushing buttons regardless of the truth.

      Politics is about number one, everything else is by the by.
    • by NineNine (235196) on Friday October 27 2006, @07:43PM (#16617464) Homepage
      Ha! You didn't actually think that the Republicans and Democrats were opponents, did you? C'mon.
       
          There's a very popular case study in business school about Coke and Pepsi, and how they're both very happy with approximately 49% of the market. People think they have a real "choice". Neither one has to worry about "monopolies". And, they already know each other. It's a fake battle to make people think that they actually have a choice, all the while, both parties are very happy with half of a FUCKING HUGE pie.
       
      Sound familiar?