An anonymous reader writes, "Investigators have dropped the criminal case against Christopher Soghoian after satisfying themselves that he acted without criminal intent. The grad student had created a web site capable of printing fake airline boarding passes. Soghoian is quoted: 'If they fix the airport security problems... then this entire process has been worth it. If they don't fix airport security, then... what was the purpose?'" Soghoian's blog has insightful comments about the divide between security researchers and government officials on subjects such as TOR.
Unfortunately, the investigators who dropped the charges were unable to be reached as they were enjoying their cushy first-class-flight South Pacific vacations.
As I understand it, he used a fake boarding pass to fly to Bel Air [seeklyrics.com], where he whistled for a cab and when it came near, the license plate said "FRESH" and it had dice in the mirror.
If you can't print a fake boarding pass, you can always scribble something illegible on an old ticket with a magic marker. Ever had that happen? "Sorry your flight is delayed, we're transfering you to another airline, just show them this.." and you're thinking, wonder if this scribble will get me to Hawaii?
True. I took a flight recently (from the middle east to the UK), and they screwed up and put the wrong name on the ticket. The travel agent insisted everything would be fine at the airport, but I wasn't so sure. Upon reaching the airport, I checked with the help desk. You know what they did? They took my ticket, grabbed a pen, crossed out the wrong name and wrote in the right one. Nobody batted an eyelid when I checked in or boarded.
Can somebody explain US laws to me here? Is it or is it not legal to put up a website that helps to print fake boarding passes? If it is not legal, why was the case dropped? If it is legal, would it be ok to put the website online again?
I have a hard time to imagine what law could be violated by this unless somebody tried to actually use such a fake boarding pass to get on a plane or into a restricted area.
I could imagine that the mere act of printing a fake boarding pass *could* (depending on how it is done) violate the copyrights of the company. Anything else?
First off the title is really off, he was never charged so thier are no charges to be dropped. What happened is that they got a criminal complaint from a congressman against this guy, they filed paper and started investigating; also the airline company complained about it. With a congressman breathing down thier necks they decided to confiscate his equipment from the site. The decision today is that they would no be going forward with the procecution by filing charges.
There is currently now federal law
Putting symbols on the ticket is not a copyright offense, it is a trademark offense. If he was charged, he would probably be charged with counterfeiting airline tickets. People should be glad that there is a law like that, otherwise people can sell counterfeit concert tickets etc... without any criminal consequences. Of course in this case, the charges were rightfully dropped.
I don't have a problem with ID checks, though the USCOA does. When I fly internationally, I am subject to ID checks at almost every port of call. That's just the way things are when you enter and leave countries. However within the U.S. there is no requirement that you submit to an ID check. It is your right to refuse this check. So anyone can claim to be anyone and get past the TSA checkpoint with nothing but a boarding pass. The No-Fly list is made useless by this simple loophole.
So what then? Change the Constitution so that we lose the right to security in our papers? I dunno.
But what I do know is that a not-really determined terrorist can plant a bomb anywhere outside the TSA security perimeter with impunity. In fact, a bomb can be placed anywhere in any city at any time and cause the type of destruction that generates terror.
Is the solution to negotiate with the terrorists? I dunno.
I don't like to give these crackpots any more legitimacy than they deserve, but if we are truly afraid of them wouldn't it help to find out what they want and then find a way to come to a mutual agreement?
If we're not afraid of them, then stop all this nonsense about making our country safer by strip searching grandma. The initial price of freedom is blood, but the recurring cost of freedom is risk. You can't have freedom without risk. You can reduce risk by reducing freedom and that's what the current tack is, but it's a mistake to assume that we have all agreed to this level of reduced freedom because a few fraidycats are unwilling to live in a risk-filled world.
Lets start counting up the ID checks from my last visit to the US:
1) Checkin counter, including where I'm staying info, with passport check.
2) Customs Counter in Canada, with passport check, included info on where I'm staying. US Customs in less than 20 feet from the checkin counter.
3) Security Desk, with passport and boarding card check, 20 feet further.
4) Passport check to get on the plane
The return trip:
1) Checkin counter, with passport check
2) TSA Security checkpoint, with passport check (10 fe
The actions by any organization larger than, uhm, 200 people, are controlled by written procedures and norms, which are software. You'd, probably, learn this much in a management course (not that I tried).
The bigger the organization, the more likely you are to deal with someone who is merely executing the instructions — unable of, and unthinking about changing them. An organization like government, or a huge department like Homeland Security is all about it. A few "software engineers" and "analysts" high above devise the algorithms, some more "coding monkeys" codify it, and then it gets to run "in production".
We are the users. And we get worked-up about the bugs. In this case, the bug is a security one, where a presented certificate is accepted without checking with the issuer.
Somebody thought, that it would be good to limit the crowds next to the gates to people with boarding passes. Checking, that the pass is valid (as airlines do at the actual gates), either did not occur to the coder at all or was deemed too expensive...
The new release will, hopefully, have a fix. If not, than, certainly, the next one. Nothing, you've never heard before.
It has been my experience that bureaucracies don't generally want to believe that their policies and procedures are, indeed, essentially software and could therefore be considered as such, with provisions for analysis and with their design including provisions for exceptional cases. It is tough to debug such things once they get deployed - in part because there are usually few ways to report "bugs" and often nobody to read such bug reports if they were generated. In the ideal, the policies would specif
there are usually few ways to report "bugs" and often nobody to read such bug reports if they were generated.
Bug-reporting is easy — you write to the bureaucracy's head (they'll never read it, but their staff might).
As for reacting to a bug-report, well, that sucks with most software... Something small with a single maintainer may get fixed quickly, but large projects (like KDE or Mozilla) have bug-reports lingering for years (I filed quite a few).
I was innocently looking for some bar-code scanners ( I was hoping to label my books with bar codes ), and bid on a batch of 9 of them on eBay.
Got them for under $1 each.
To my dismay, they can't read standard bar codes.
To my amusement, and dismay, I figured out WHY they wouldnt read standard bar codes.
Some airline sold them to a liquidator. With their custom code in the flash memory to scan their baggage and boarding pass tags.
It wasnt too hard to learn all this. Every scanner had several stickers on it with diagonal red stripes and phrases like
"/// SECURITY DEVICE #xxxxxxxx/// "
"/// USER MUST HAVE SIGNED CONFIDENTIALITY AGREEMENT A8R55-2/// "
"/// FIRING OFFENSE TO REMOVE FROM RED ZONE (UNION HBK, PG 37)/// "
"/// DEADULUS & EARHART AIRLINE CUSTOM FIRMWARE VERSION 1.22"/// .
I wonder what their thought processes where?, something like:
These old hand scanners are getting dirty, let's throw them away.... Wait, there's probably a few cents of value left in them, lets sell them to that liquidatior, you know, the one that pays us $20 per pallet of old stuff.
Never mind these will help somebody impersonate a baggage loader or gate agent.
Never mind someone can use them to validate that their tag-faking software is printing out valid tags.
Those are antiques! You might just try to re-sell them on eBay. Daedalus Airlines, in particular, had their assets sold of decades ago when the last wax-attached bird features fell off the last airliner. Both airlines declared bankruptcy, and eventually merged with the old Glenn Miller Airlines to form the Oceanic Air we know and love today. You know, the one with the slogan "Getting halfway there is all the fun". They're also the first airline to consider electrified wings in order to keep the gremlins off.
No security should be dependent on the technology implementing it not being distributed. A truly secure system should assume that someone wanting to penetrate it can amass every piece of technology used and STILL not allow someone through. Making your security depend on the bad guys not getting equipment XYZ is just obfuscation, not security at all. In the case of boarding passes it's simple - you check each one against the central database of valid passes for that flight. If you get two passes for the sa
"Soghoian said fake boarding passes wouldn't be an issue if identification was required and checked to travel. The student said he has been able to get on four flights without showing ID."
I fly across country every other week and have well over 100,000 miles under my belt this year a lone and I have never once gotten through security without my ID. Wrong boarding pass, yes, but it still had my name and matched my ID. And since we have no National ID how does one make sure the the people paid $8 an hour know how to check every state and military ID and look for fakes?
Printing devices are just machines used for printing fake boarding passes, and they all know it. So it's time to get paid for it!
-Department of Homeland Security
Trust is what makes a modern society function. To destroy a modern society, you destroy trust. In many ways, that has been the aim of the terrorists attacking the US. We trust boarding passes. Pointing out that they are not trustworthy is simply beyond the point. Trust is an ephemeral thing, and yet it is an essential thing. Printing out fake boarding passes to show that they are not trustworthy doesn't help to increase security; in fact..... the terrorists win when you stop trusting people.
It was made perfectly clear during the meeting that parts of the US government, at least the two represented at the meeting, strongly disapprove of Tor - and in particular, thought that research universities such as IU, MIT, Georgia Tech, Harvard and others have no business supporting such projects.
I wonder how they feel about TOR being a naval research project.
Appearently, the status quo is that its ok to make a boarding pass generator, but its not ok to create DVD decrypting software.
Don't you get it? Real crimes are copyright infringements. Spending money and resources protecting passengers on jet planes is a complete waste of time....
Real criminals are underprivileged 13 year old girls evilly downloading music they have not purchased. May they hang!
Those people using fake board pass generators are not paying anything for their privilege to visit the Cinnabon(TM) that is down by the gates. They must be stopped.
Don't you get it? Real crimes are copyright infringements.
Came back from Europe recently. Picked up bag at destination. TSA lock
had been ripped off the bag, taking two zipper pulls with it. (Bag is
now unlockable.)
Looked inside. Contents rearranged, but on the top of the pile were...
the two DVDs and a CD I bought in Amsterdam. No TSA notice that they'd
vandalized my bag. No apology. No lock. Nothing missing, so it wasn't a thief who did it.
From all appearances, they pried open my bag in a desperate
I understand what you are trying to say, but US law isn't built in some coordinated fashion. Implying that US laws written for the protection of passengers at airports have had any coordination with US laws written to minimize theft of copyrighted works is silly (before I get flamed note that I have not said that I support the way that either set has been written).
If you want to look for coordination, look towards the lobbyists. The RIAA and MPAA lobbyists who have helped pass the oppressive copyright protection laws don't have anything to do with the airline lobbyists or defense lobbyists who have helped write much of the War on Terror related laws.
I find it interesting though how fast it was dropped. Appearently, the status quo is that its ok to make a boarding pass generator, but its not ok to create DVD decrypting software. Granted, I understand why the latter generates more lawsuits, but still this is pretty much the end result.
Maybe they couldn't manage to convince an judges that there was actually a case to answer.
If I were Chris, I'd thoroughly check and wipe the disks of the computers that the FBI gave back to him.
"If I were Chris, I'd thoroughly check and wipe the disks of the computers that the FBI gave back to him."
I would just sell them and buy new ones. Even if you carefully inspected all your hardware, would you really be able to tell if anything had been modified/removed/spliced in? It's probably safer to just assume that you won't find it if it's there and ditch everything.
A fake boarding pass generator does not endanger the safety of anyone except for the idiot who tries to actually board a plane with one, because he's likely to end up being interrogated by Homeland Security for hours in a back room of the airport.
All these things can do is maybe get someone into the gate area. But seriously, if a terrorist wanted to blow up an airport, do you honestly think he would spend the hundreds of dollars building a bomb, and then balk at the $80 for a plane ticket? Hell, he could even steal a boarding pass from someone else. Seriously, requiring boarding passes to get into the gate area only serves to give people a false sense of security. It would not be an obstacle for anyone who wants to actually do harm.
I agree that posting the generator on the Internet was foolish, but only in the sense that posting anything that even appears to be able to help terrorists in today's climate is a stupid thing to do, not because it could actually endanger anyone's safety.
A fake boarding pass generator does not endanger the safety of anyone except for the idiot who tries to actually board a plane with one, because he's likely to end up being interrogated by Homeland Security for hours in a back room of the airport. Don't forget the danger to everyone who ran the boarding pass generator... The Feds have the access logs and I know I'm in them. I didn't change the default name (Osama B.) or anything though. My God help you if you did and then generated a boarding pas
But seriously, if a terrorist wanted to blow up an airport, do you honestly think he would spend the hundreds of dollars building a bomb, and then balk at the $80 for a plane ticket? Hell, he could even steal a boarding pass from someone else. Seriously, requiring boarding passes to get into the gate area only serves to give people a false sense of security. It would not be an obstacle for anyone who wants to actually do harm.
As with most of the security changes imposed on air travel it is all mostly illusion, or as some other Slashdot poster called it "Security Theatre". If you make life difficult for the average travelor they will assume it makes life equally difficult for terrorists. Unfortunately, this just isn't true!
What I don't understand is if Osama and his cohorts are so dead set against us (ie The West) and he has armies of suicide jockeys all raring to go, then why aren't there 'planes falling out of the sky all around us. Why are shopping centres (malls) not blowing up? Trains, buses, garages, boats, ships. They could be instilling real terror on a daily basis but they're not! Hell, even failed attempts to blow up stuff would instil terror as it would confirm that they are still trying! It doesn't make any sense, unless they're simply not as powerful as we are being led to believe, in which case why are the politicians still trying to take away our freedoms?
They could be instilling real terror on a daily basis but they're not! Hell, even failed attempts to blow up stuff would instil terror as it would confirm that they are still trying! It doesn't make any sense, unless they're simply not as powerful as we are being led to believe, in which case why are the politicians still trying to take away our freedoms?
BINGO.
Been saying this since ~6 months after 9/11.
Rummy also told us that A.Q. had several super-high-tech underground bases in Afghanistan, any one of which would have made Cobra Commander or Dr. Evil proud. Did you see the diagrams of them that the Whitehouse produced? It was some hilarious bullshit.
The lying didn't start with Iraq. A lot of people have forgotten, I think, the degree to which the Bush administration was spewing what should have been easily exposed as lies (I guess a lot of people fell for them; if Bush has achieved nothing else, he's convinced me that people are, on average, way, way dumber than I thought they were) since 9/12/01. They lied to hype up the war in Afghanistan, and they lied to exaggerate Al Qaeda's ability to project meaningful force into the U.S. Remember them saying how there were dozens or hundreds of "sleeper cells" here just waiting to be activated? What happened to that? They certainly haven't found any (thought they did a couple of times, turned out that they were just incompetent as usual) nor have we been attacked again, and they've stopped talking about it.
Remember the short-lived "Total Information Awareness" office whose first public message was to encourage U.S. citizens to spy on their neighbors? Ha!
This administration has been lying to us and manipulating us from the beginning. The willingness of most people here to accept it has convinced me that, excepting the unlikely chance that education will be overhauled, the dream of America is doomed. The country may survive, but our ideals, which began slowly dying as soon as the ink on the Constitution had dried, are dead, and cannot be saved in our lifetimes.
It turned out that We the People were just too dumb (or were made to be too dumb) to handle it. Let it be said that the final blow was struck by mass ignorance and apathy.
Actually, I've heard some commentary that explains that. Al-Qaeda and OBL in particular have a modus operandi of "escalating attacks." In other words, each attack should be bigger and better than the last one. They feel this has more of an effect than the Palestinian-Israel style low-level terrorism that people sort of "get used to." I think it has as much to do with the political/psychological impact as it does with the fact that any terrorist activity has the potential to leak information about the pl
All these things can do is maybe get someone into the gate area. But seriously, if a terrorist wanted to blow up an airport, do you honestly think he would spend the hundreds of dollars building a bomb, and then balk at the $80 for a plane ticket?
You missed the point: it's not to save buying a ticket. (They scan the boarding pass at the gate and can detect a fake at that point, so you need to carry a real boarding pass anyway.) One of the goals of the system appears to be to exclude people from certain names from flying, at least without some additional checks. Since they don't scan the boarding pass at security, you can hand them a fake boarding pass (matching your real ID) at security. If that's the only time they check ID, then you can use a real boarding pass (bought under somebody else's name) at the other points. And if I understand right it's only at those other points that they actually check the name against no-fly lists. So the no-fly list doesn't work even given really good unforgeable ID's.
Seems like kind of a crazy system if that's correct--so it's fair game for being made fun of, which is all the fake boarding-pass generator does as far as I can tell.
Right, but at that point, they don't actually check the name against any kind of list.
Just to make it clear:
John Smith buys ticket. Since he is not on the no-fly list, this is not noticed.
John Smith checks in using eticket machine or even online and prints John Smith boarding pass.
John Smith gives his boarding pass to Bob Terror.
Bob Terror creates fake boarding pass with the name of Bob Terror on it.
Bob Terror goes to the airport and goes to the security checkpoint. He gives them his legit Bob Terror ID and fake Bob Terror boarding pass. They check it and see that it matches. They do not have the list with them and unless they happen to recognize the name (yeah, right), they will confirm that the ID matches the boarding pass and allow him through.
Bob Terror goes to his plan and presents the John Smith boarding pass to get on it. Since they no longer check ID on boarding, he passes through without a problem (even if they check for John Smith on the no-fly list at this point).
There is no ??? and Profit.
What about baggage check, you ask? That is a tiny bit more complicated, but not really. You just get John Smith to come to the airport with you and he checks in and checks the bags. Then he goes home and Bob Terror takes it from there. It's even easier in some airports where they have skycaps who I don't think do any ID checking, or automated bag checking with the same problem.
As you can see, the no-fly list is useless because of this flaw. It's a waste of time, money and just hassles people who are NOT terrorists and who have somehow got on the no-fly list, via similar names or simple mistake.
They could make one simple change to make this system better - check ID at boarding. Yeah, it adds a little time and wouldn't stop terrorists with forging connections. I don't think it would actually do much to stop terrorists, either. Especially considering terrorists aren't likely to be on the no-fly list until you figure out they are terrorists and by then it's probably too late. But as it is now, what they are doing is 100% useless. At least that way it would be only 99% useless.
The other thing they could do is just stop the no-fly list and stop checking ID, as both are useless at this point and may never be effective at stopping terrorism. As long as ID is forgable and the method is to check ID, these systems are all just false hope. Unfortunately, it's false hope combined with hassling everyone else that flies.
by Anonymous Coward
on Thursday November 30 2006, @10:25AM (#17049474)
"If he was truly concerned about the safety of airline security like he claims, why would he sacrifice the safety of others by making a boarding pass generator to make a point?"
He isn't sacrificing the safety of others. This is the point of the exercise: our government is sacrificing the safety of us, and doing it while wasting (or stealing, depending on the individual politico) huge amounts of our tax money.
"Writing a research paper is one thing, but posting a boarding pass generator on the internet is pretty serious stuff."
Serious how, exactly? Serious in the sense that it actually demonstrates his claims, yes. Do you think anyone would pay attention or even hear if he just stated how poorly designed these procedures are? He would be dismissed as a political critic.
Saying that "posting a boarding pass generator on the internet is pretty serious stuff" borders on ludicrous. I can just picture the crowds running for cover, terrified, "Dear God! It's a boarding pass generator! On the INTERNET!"
"I find it very shocking that the FBI dropped the case. I think people have been sent to Guantanamo for much less."
Yes, people have been sent to Guantanamo for much less, but just because a few random peasants who happened to be in the wrong place at the wrong time got locked up for 5 years of their lives, torn from their wives and children, unable to speak even with a lawyer -- let alone protest their innocence -- does not make such pointless attacks on human liberty justifiable. Be surprised that the FBI dropped the case, but only be surprised because of the incongruity of this glimpse of sanity.
First and foremost, I've been a slashdot lurker, and finally registered for an account because I think I have something of value to say here.
So, I think you guys have totally overlooked the point of all this. The way he talks about fixing the airline boarding pass security issue highlights to me that he is a security minded individual and has taken this step because he's noticed a vulnerability and has generated a proof of concept to illustrate the need for reform. This is often the only way to spark change rapidly in a ginormous looming organization as many of these airlines are. In my opinion, this public disclosure of a vulnerability is no different than the daily postings on SecuriTeam or Remote-Exploit or similar sites.
I see the argument then being "well, he probably said that to get out of a lawsuit". While I'm in no position to agree or disagree, from a larger perspective, even if that was the case, this vulnerability has been address, the ball is in the airlines court to clean up their mess. He knew that was how it would go down, and that makes this guy a whitehat. He convinced the FBI of this, and thats why they dropped the charges. We may not have the most reliable and efficient government in the world, but hey at least they are trying to embrace technology. I'd like to think that our government recognizes the need for public disclosure of *SOME* vulnerabilities to enact change... but that may be too optimistic of me.
Security is never absolute, and I am a firm believer that we cannot enhance our own security without first understanding how to break it. This guy is the bug finder, who will fix the bug? Long story short --> chalk one up for the whitehats!
And if dude wasn't white? Well.. I'm not touching that with a ten foot pole-arm +1 even.
Find a manual for one of them. The previous user most likely had
them set to only respond to a very specific symbology, to avoid
having the morons they hire accidentally confuse the system by
trying to check-in things like Pepsi cans and bags of Cheetos.
You want to reset them to factory defaults, then enable all symbologies
(or if you can't find an "enable all", just turn on the ones you need...
Code128 works pretty well for general-purpose custom barco
I bet he has a number of speaking engagements and (maybe) a book deal. Knowing this was a possible outcome (and he certainly seems astute enough to know that might be the case), he seems to have done quite well. He could have done worse as a grad student writing a thesis.
More detail (Score:4, Funny)
Eh? (Score:4, Funny)
Yes, but was it "flipped" as well?
Perhaps, while we sit here, he would like to take a minute and tell us.
Re:Eh? (Score:5, Funny)
As I understand it, he used a fake boarding pass to fly to Bel Air [seeklyrics.com], where he whistled for a cab and when it came near, the license plate said "FRESH" and it had dice in the mirror.
Parent
Alternative boarding pass (Score:3, Funny)
Re: (Score:3, Interesting)
True. I took a flight recently (from the middle east to the UK), and they screwed up and put the wrong name on the ticket. The travel agent insisted everything would be fine at the airport, but I wasn't so sure. Upon reaching the airport, I checked with the help desk. You know what they did? They took my ticket, grabbed a pen, crossed out the wrong name and wrote in the right one. Nobody batted an eyelid when I checked in or boarded.
Golly. (Score:4, Funny)
Strange laws? (Score:4, Interesting)
I have a hard time to imagine what law could be violated by this unless somebody tried to actually use such a fake boarding pass to get on a plane or into a restricted area.
I could imagine that the mere act of printing a fake boarding pass *could* (depending on how it is done) violate the copyrights of the company. Anything else?
Re: (Score:3, Funny)
Hell, many of 'em freely admit to not reading the legislation they vote upon. Asking 'em to actually understand it is obviously going way too far.
Re: (Score:3, Informative)
There is currently now federal law
Re: (Score:2)
Re: (Score:2)
Is security worth the inconvenience? (Score:5, Insightful)
So what then? Change the Constitution so that we lose the right to security in our papers? I dunno.
But what I do know is that a not-really determined terrorist can plant a bomb anywhere outside the TSA security perimeter with impunity. In fact, a bomb can be placed anywhere in any city at any time and cause the type of destruction that generates terror.
Is the solution to negotiate with the terrorists? I dunno.
I don't like to give these crackpots any more legitimacy than they deserve, but if we are truly afraid of them wouldn't it help to find out what they want and then find a way to come to a mutual agreement?
If we're not afraid of them, then stop all this nonsense about making our country safer by strip searching grandma. The initial price of freedom is blood, but the recurring cost of freedom is risk. You can't have freedom without risk. You can reduce risk by reducing freedom and that's what the current tack is, but it's a mistake to assume that we have all agreed to this level of reduced freedom because a few fraidycats are unwilling to live in a risk-filled world.
Re: (Score:2, Insightful)
Re: (Score:2, Insightful)
That's classified of course! (mostly so they don't have to tell you that it's zero!)
Re: (Score:2)
Good luck with that one! Seriously, have you tried it?
Re:Is security worth the inconvenience? (Score:5, Informative)
The Slashdot discussion: http://politics.slashdot.org/article.pl?sid=06/06
-dave
Parent
Organization's procedures are SOFTWARE (Score:5, Insightful)
The actions by any organization larger than, uhm, 200 people, are controlled by written procedures and norms, which are software. You'd, probably, learn this much in a management course (not that I tried).
The bigger the organization, the more likely you are to deal with someone who is merely executing the instructions — unable of, and unthinking about changing them. An organization like government, or a huge department like Homeland Security is all about it. A few "software engineers" and "analysts" high above devise the algorithms, some more "coding monkeys" codify it, and then it gets to run "in production".
We are the users. And we get worked-up about the bugs. In this case, the bug is a security one, where a presented certificate is accepted without checking with the issuer.
Somebody thought, that it would be good to limit the crowds next to the gates to people with boarding passes. Checking, that the pass is valid (as airlines do at the actual gates), either did not occur to the coder at all or was deemed too expensive...
The new release will, hopefully, have a fix. If not, than, certainly, the next one. Nothing, you've never heard before.
Re: (Score:2)
It has been my experience that bureaucracies don't generally want to believe that their policies and procedures are, indeed, essentially software and could therefore be considered as such, with provisions for analysis and with their design including provisions for exceptional cases. It is tough to debug such things once they get deployed - in part because there are usually few ways to report "bugs" and often nobody to read such bug reports if they were generated. In the ideal, the policies would specif
Re: (Score:2)
Bug-reporting is easy — you write to the bureaucracy's head (they'll never read it, but their staff might).
As for reacting to a bug-report, well, that sucks with most software... Something small with a single maintainer may get fixed quickly, but large projects (like KDE or Mozilla) have bug-reports lingering for years (I filed quite a few).
Re: (Score:2)
Cool. Now I just need to write a procedure how people enter a building, patent that and I can strangle every company out of business.
Security, hah, I penetrated it by accident (Score:5, Interesting)
Got them for under $1 each.
To my dismay, they can't read standard bar codes.
To my amusement, and dismay, I figured out WHY they wouldnt read standard bar codes.
Some airline sold them to a liquidator. With their custom code in the flash memory to scan their baggage and boarding pass tags.
It wasnt too hard to learn all this. Every scanner had several stickers on it with diagonal red stripes and phrases like
"/// SECURITY DEVICE #xxxxxxxx/// "
"/// USER MUST HAVE SIGNED CONFIDENTIALITY AGREEMENT A8R55-2/// "
"/// FIRING OFFENSE TO REMOVE FROM RED ZONE (UNION HBK, PG 37)/// "
"/// DEADULUS & EARHART AIRLINE CUSTOM FIRMWARE VERSION 1.22"/// .
I wonder what their thought processes where?, something like:
those are antiques!!!! (Score:5, Funny)
Those are antiques! You might just try to re-sell them on eBay. Daedalus Airlines, in particular, had their assets sold of decades ago when the last wax-attached bird features fell off the last airliner. Both airlines declared bankruptcy, and eventually merged with the old Glenn Miller Airlines to form the Oceanic Air we know and love today. You know, the one with the slogan "Getting halfway there is all the fun". They're also the first airline to consider electrified wings in order to keep the gremlins off.
Parent
Re: (Score:2)
In the case of boarding passes it's simple - you check each one against the central database of valid passes for that flight. If you get two passes for the sa
CIA and TOR (Score:3, Informative)
Umm, not sure about this (Score:3, Informative)
I fly across country every other week and have well over 100,000 miles under my belt this year a lone and I have never once gotten through security without my ID. Wrong boarding pass, yes, but it still had my name and matched my ID. And since we have no National ID how does one make sure the the people paid $8 an hour know how to check every state and military ID and look for fakes?
DHS Tax! (Score:2, Funny)
Terrorists work to destroy trust. (Score:3, Insightful)
Ummm Hello....Navy (Score:4, Informative)
I wonder how they feel about TOR being a naval research project.
Re:Paranoia (Score:5, Insightful)
Don't you get it? Real crimes are copyright infringements. Spending money and resources protecting passengers on jet planes is a complete waste of time....
Real criminals are underprivileged 13 year old girls evilly downloading music they have not purchased. May they hang!
Parent
Re: (Score:2)
Those people using fake board pass generators are not paying anything for their privilege to visit the Cinnabon(TM) that is down by the gates. They must be stopped.
Re: (Score:3, Interesting)
Came back from Europe recently. Picked up bag at destination. TSA lock had been ripped off the bag, taking two zipper pulls with it. (Bag is now unlockable.)
Looked inside. Contents rearranged, but on the top of the pile were ...
the two DVDs and a CD I bought in Amsterdam. No TSA notice that they'd
vandalized my bag. No apology. No lock. Nothing missing, so it wasn't a thief who did it.
From all appearances, they pried open my bag in a desperate
Re:Paranoia (Score:4, Insightful)
If you want to look for coordination, look towards the lobbyists. The RIAA and MPAA lobbyists who have helped pass the oppressive copyright protection laws don't have anything to do with the airline lobbyists or defense lobbyists who have helped write much of the War on Terror related laws.
Parent
Re: (Score:2)
Maybe they couldn't manage to convince an judges that there was actually a case to answer.
If I were Chris, I'd thoroughly check and wipe the disks of the computers that the FBI gave back to him.
Being sure to record (a
Re: (Score:2)
I would just sell them and buy new ones. Even if you carefully inspected all your hardware, would you really be able to tell if anything had been modified/removed/spliced in? It's probably safer to just assume that you won't find it if it's there and ditch everything.
Re:Paranoia (Score:4, Informative)
Bull.
Garland Grant (look it up).
[Only need one counter example to prove your 100% wrong]
Parent
Re: (Score:3, Informative)
Re:Paranoia (Score:5, Insightful)
All these things can do is maybe get someone into the gate area. But seriously, if a terrorist wanted to blow up an airport, do you honestly think he would spend the hundreds of dollars building a bomb, and then balk at the $80 for a plane ticket? Hell, he could even steal a boarding pass from someone else. Seriously, requiring boarding passes to get into the gate area only serves to give people a false sense of security. It would not be an obstacle for anyone who wants to actually do harm.
I agree that posting the generator on the Internet was foolish, but only in the sense that posting anything that even appears to be able to help terrorists in today's climate is a stupid thing to do, not because it could actually endanger anyone's safety.
Parent
Re: (Score:2)
Don't forget the danger to everyone who ran the boarding pass generator... The Feds have the access logs and I know I'm in them. I didn't change the default name (Osama B.) or anything though. My God help you if you did and then generated a boarding pas
Re:Paranoia (Score:5, Insightful)
As with most of the security changes imposed on air travel it is all mostly illusion, or as some other Slashdot poster called it "Security Theatre". If you make life difficult for the average travelor they will assume it makes life equally difficult for terrorists. Unfortunately, this just isn't true!
What I don't understand is if Osama and his cohorts are so dead set against us (ie The West) and he has armies of suicide jockeys all raring to go, then why aren't there 'planes falling out of the sky all around us. Why are shopping centres (malls) not blowing up? Trains, buses, garages, boats, ships. They could be instilling real terror on a daily basis but they're not! Hell, even failed attempts to blow up stuff would instil terror as it would confirm that they are still trying! It doesn't make any sense, unless they're simply not as powerful as we are being led to believe, in which case why are the politicians still trying to take away our freedoms?
Parent
Re:Paranoia (Score:5, Interesting)
BINGO.
Been saying this since ~6 months after 9/11.
Rummy also told us that A.Q. had several super-high-tech underground bases in Afghanistan, any one of which would have made Cobra Commander or Dr. Evil proud. Did you see the diagrams of them that the Whitehouse produced? It was some hilarious bullshit.
The lying didn't start with Iraq. A lot of people have forgotten, I think, the degree to which the Bush administration was spewing what should have been easily exposed as lies (I guess a lot of people fell for them; if Bush has achieved nothing else, he's convinced me that people are, on average, way, way dumber than I thought they were) since 9/12/01. They lied to hype up the war in Afghanistan, and they lied to exaggerate Al Qaeda's ability to project meaningful force into the U.S. Remember them saying how there were dozens or hundreds of "sleeper cells" here just waiting to be activated? What happened to that? They certainly haven't found any (thought they did a couple of times, turned out that they were just incompetent as usual) nor have we been attacked again, and they've stopped talking about it.
Remember the short-lived "Total Information Awareness" office whose first public message was to encourage U.S. citizens to spy on their neighbors? Ha!
This administration has been lying to us and manipulating us from the beginning. The willingness of most people here to accept it has convinced me that, excepting the unlikely chance that education will be overhauled, the dream of America is doomed. The country may survive, but our ideals, which began slowly dying as soon as the ink on the Constitution had dried, are dead, and cannot be saved in our lifetimes.
It turned out that We the People were just too dumb (or were made to be too dumb) to handle it. Let it be said that the final blow was struck by mass ignorance and apathy.
Parent
Re: (Score:3, Interesting)
Re:Paranoia (Score:4, Interesting)
You missed the point: it's not to save buying a ticket. (They scan the boarding pass at the gate and can detect a fake at that point, so you need to carry a real boarding pass anyway.) One of the goals of the system appears to be to exclude people from certain names from flying, at least without some additional checks. Since they don't scan the boarding pass at security, you can hand them a fake boarding pass (matching your real ID) at security. If that's the only time they check ID, then you can use a real boarding pass (bought under somebody else's name) at the other points. And if I understand right it's only at those other points that they actually check the name against no-fly lists. So the no-fly list doesn't work even given really good unforgeable ID's.
Seems like kind of a crazy system if that's correct--so it's fair game for being made fun of, which is all the fake boarding-pass generator does as far as I can tell.
Parent
Re:Paranoia (Score:4, Insightful)
Right, but at that point, they don't actually check the name against any kind of list.
Just to make it clear:
There is no ??? and Profit.
What about baggage check, you ask? That is a tiny bit more complicated, but not really. You just get John Smith to come to the airport with you and he checks in and checks the bags. Then he goes home and Bob Terror takes it from there. It's even easier in some airports where they have skycaps who I don't think do any ID checking, or automated bag checking with the same problem.
As you can see, the no-fly list is useless because of this flaw. It's a waste of time, money and just hassles people who are NOT terrorists and who have somehow got on the no-fly list, via similar names or simple mistake.
They could make one simple change to make this system better - check ID at boarding. Yeah, it adds a little time and wouldn't stop terrorists with forging connections. I don't think it would actually do much to stop terrorists, either. Especially considering terrorists aren't likely to be on the no-fly list until you figure out they are terrorists and by then it's probably too late. But as it is now, what they are doing is 100% useless. At least that way it would be only 99% useless.
The other thing they could do is just stop the no-fly list and stop checking ID, as both are useless at this point and may never be effective at stopping terrorism. As long as ID is forgable and the method is to check ID, these systems are all just false hope. Unfortunately, it's false hope combined with hassling everyone else that flies.
Parent
Re:Paranoia (Score:5, Insightful)
He isn't sacrificing the safety of others. This is the point of the exercise: our government is sacrificing the safety of us, and doing it while wasting (or stealing, depending on the individual politico) huge amounts of our tax money.
"Writing a research paper is one thing, but posting a boarding pass generator on the internet is pretty serious stuff."
Serious how, exactly? Serious in the sense that it actually demonstrates his claims, yes. Do you think anyone would pay attention or even hear if he just stated how poorly designed these procedures are? He would be dismissed as a political critic.
Saying that "posting a boarding pass generator on the internet is pretty serious stuff" borders on ludicrous. I can just picture the crowds running for cover, terrified, "Dear God! It's a boarding pass generator! On the INTERNET!"
"I find it very shocking that the FBI dropped the case. I think people have been sent to Guantanamo for much less."
Yes, people have been sent to Guantanamo for much less, but just because a few random peasants who happened to be in the wrong place at the wrong time got locked up for 5 years of their lives, torn from their wives and children, unable to speak even with a lawyer -- let alone protest their innocence -- does not make such pointless attacks on human liberty justifiable. Be surprised that the FBI dropped the case, but only be surprised because of the incongruity of this glimpse of sanity.
Parent
Re:Paranoia (Score:4, Interesting)
First and foremost, I've been a slashdot lurker, and finally registered for an account because I think I have something of value to say here.
So, I think you guys have totally overlooked the point of all this. The way he talks about fixing the airline boarding pass security issue highlights to me that he is a security minded individual and has taken this step because he's noticed a vulnerability and has generated a proof of concept to illustrate the need for reform. This is often the only way to spark change rapidly in a ginormous looming organization as many of these airlines are. In my opinion, this public disclosure of a vulnerability is no different than the daily postings on SecuriTeam or Remote-Exploit or similar sites.
I see the argument then being "well, he probably said that to get out of a lawsuit". While I'm in no position to agree or disagree, from a larger perspective, even if that was the case, this vulnerability has been address, the ball is in the airlines court to clean up their mess. He knew that was how it would go down, and that makes this guy a whitehat. He convinced the FBI of this, and thats why they dropped the charges. We may not have the most reliable and efficient government in the world, but hey at least they are trying to embrace technology. I'd like to think that our government recognizes the need for public disclosure of *SOME* vulnerabilities to enact change... but that may be too optimistic of me.
Security is never absolute, and I am a firm believer that we cannot enhance our own security without first understanding how to break it. This guy is the bug finder, who will fix the bug? Long story short --> chalk one up for the whitehats!
And if dude wasn't white? Well .. I'm not touching that with a ten foot pole-arm +1 even.
just my .02 ;P
-Marspeace'n'reallylouddrumandbass
Parent
Re: (Score:2)
Re: (Score:2, Informative)
Re: (Score:3, Informative)
Find a manual for one of them. The previous user most likely had them set to only respond to a very specific symbology, to avoid having the morons they hire accidentally confuse the system by trying to check-in things like Pepsi cans and bags of Cheetos.
You want to reset them to factory defaults, then enable all symbologies (or if you can't find an "enable all", just turn on the ones you need... Code128 works pretty well for general-purpose custom barco
Re: (Score:3, Interesting)
Re:Yeah but... (Score:4, Informative)
But this is slashdot, where reading isn't a prerequisite to posting.
Parent