Congressman Calls for Arrest of Security Researcher

Christopher Soghoian writes "Yesterday, I published a tool that allows you to Create your own boarding pass for Northwest flights. This was an attempt to document the fragile and broken state of identity/security for domestic flights in the US. Today, Congressman Markey (D-Mass) has called for my arrest." From the ABC article: "'I don't want to help terrorists or help bad guys do bad things on airplanes, but what we have now is what we in the industry call security theater. It's made to make you think you're secure without actually making you secure,' Soghoian said. 'As a member of the academic research community, I consider this to be a public service.' Soghoian admits that he hasn't actually tried to use one of the boarding passes yet."

Ummm. The First Amendment?

[mbstone]

The prosecutors would never file a criminal case, because it would be quickly thrown out on First Amendment grounds? Wouldn't it?

Re:Ummm. The First Amendment?

[soft_guy]

The prosecutors would never file a criminal case, because it would be quickly thrown out on First Amendment grounds? Wouldn't it?

With a supreme court with 7 republican appointees? I doubt it.

Re:

[yorktown]

Unfortunately, the Supreme Court takes a very loose view of what the Constitution says. For example, it considers building a hotel and condominiums as "public use" for the purposes of eminent domain. http://en.wikipedia.org/wiki/Kelo_v._City_of_New_L ondon [wikipedia.org]

Note that all four of the dissenting justices in the Kelo decision were appointed by Republicans.

Re:Ummm. The First Amendment?

[jadavis]

There must be some hidden reason for the seemingly obvious misjudgment.

More like a misconception. This country really needs more so-called conservative justices. By "conservative", I don't mean conservatives pushing their agendas from the bench (like O'Connor), I mean justices who follow the Constitution (like Scalia).

It's no surprise that Kelo went the way it did. You're thinking is that "liberals are for the little guys, conservatives for business". But, in reality, having the power of central planning is crucial to the liberal agenda. Kelo was exactly what the liberals needed: the power for government officials to confiscate your personal property in the name of a "greater good" by calling it a "public purpose" (not public use, however, as the 5th Amendment says).

Scalia, on the other hand, follows the Constitutional principle that the federal government can only regulate interstate commerce ("commerce among the states," as is in the Constitution). Using that principle, it would be Unconstitutional for the federal government to prohibit the growing of Marijuana on private property. States could still outlaw it, of course, but the feds couldn't do a thing. Does that sound "conservative" to you? Nope, but it is what the Constitution says.

This is not about your party, the Constitution gets in the way of BOTH parties, but it's not for the parties, it's for the PEOPLE. So back the Constitution, because it's just in the way of the Democrats and the Republicans. It's time for both parties to face the hard truths: you can't execute unwarranted searchs (too bad, GOP). And Democrats: stop trying to control guns, unless you want to try to pass an Amendment. The Constitution says these things, plain and simple. Oh, and when you get a chance, read the 10th Amendment, too.

Right now the idea that we are following the Constitution is a joke. We cling to a few scraps of the Bill of Rights, and ignore much of the rest of it. Congress "Authorized the use of force"?! What is that supposed to mean? What about a declaration of war? Meanwhile the Supreme Court passes arbitrary edicts fabricated out of thin air, like "privacy" meaning that it's Unconstitutional to ban abortions. I don't think it's a good idea to ban abortions, but why did 9 people make that decision for the entire country, when it's clearly a state issue?

Re:

[tm2b]

Scalia, on the other hand, follows the Constitutional principle that the federal government can only regulate interstate commerce ("commerce among the states," as is in the Constitution). Using that principle, it would be Unconstitutional for the federal government to prohibit the growing of Marijuana on private property. States could still outlaw it, of course, but the feds couldn't do a thing. Does that sound "conservative" to you? Nope, but it is what the Constitution says.

I wish you weren't really w

Re:

[stinerman]

Depending on your definition...

Judicial activism to me is any decision which is pretty obviously wrong. See Kelo v. New London [wikipedia.org] for an example of judicial activism. Thomas is an activist in that he believes that when Congress declares war, President Bush becomes King Bush. As far as I can tell, the Constitution does not grant the President any extra powers during times of war. He is simply Commander-in-Chief as he always has been. His activism has put him to the right of Scalia, specifically his dissent

Re:

[Dun Malg]

So, how would new money flow into the economy? Easy: Just as it is created from nothing now, it would be the same, but, instead of it being loaned into existence, and interest being charged, every Citizen would get a monthly stipend, a "living wage". EVERYONE, young, old, rich, poor - the details would have to be worked out, and it would take time, but, it CAN work, if we GROW UP, and accept our responsibilities as Citizens, and create the future that WE want, not that which is dictated to us by the rich.

J

Re:

[Hijacked Public]

And a Democrat calling for the arrest?

Oh no, both parties must be in on this together! I know my face sure is red.

Re:Ummm. The First Amendment?

[Tackhead]

> The prosecutors would never file a criminal case, because it would be quickly thrown out on First Amendment grounds? Wouldn't it?

Much like the guy who looks at your boarding pass, you're trusting your life to something that's just a goddamn piece of paper.

Re:Ummm. The First Amendment?

[timeOday]

A boarding pass isn't even supposed to be a security document. That's why you have to show your ID as well as your boarding pass, just to get the privelige of being x-rayed, bomb-sniffed, and patted down before being allowed into the secured area. If anybody thought boarding passes were supposed to enhance security, they wouldn't let you print your own.

In other words, I think the professor's research is silly, and I think the congressman is equally silly for calling for his arrest.

Re:

[iocat]

It's not even research. Anyone with five minutes and a copy of WORD could do the same thing. It doesn't make something that spoofs the system, it makes something that spoofs people who can't read barcodes (that is: everyone). It wouldn't scan correctly and let you get on the plane, it just is a form that adds your name and date to a rip off of the standard "print at home" boarding passes.

This whole story is stupid. The fact that documents can be forged is not news, the fact that some guy made a website for

Re:

[Hoi Polloi]

"x-rayed, bomb-sniffed, and patted down"

Oh shit, you mean that full body cavity search WASN'T part of the normal screening process?

not likely

[Quadraginta]

I doubt it. It's hard to see how faking a boarding pass can be considered some kind of "political speech," which is about the only kind of speech that has near-absolute protection under the First Amendment.

Otherwise, you know, you couldn't be prosecuted for faking a bill of sale for a car, or a life insurance policy, or printing counterfeit currency, or most other forms of fraud that involve a printed document -- and you surely can.

Re:not likely

[kfg]

Otherwise, you know, you couldn't be prosecuted for faking a bill of sale for a car, or a life insurance policy, or printing counterfeit currency, or most other forms of fraud that involve a printed document -- and you surely can.

I just created a fake bill of sale for a car. I have committed no crime, because I have not proffered it as genuine to anybody.

Fraud is a crime of intent.

KFG

Criminal Facilitation

[westlake]

I just created a fake bill of sale for a car. I have committed no crime, because I have not proffered it as genuine to anybody.
Fraud is a crime of intent.

I have written a program to fake a boarding pass and published it on the web. I am now in bigger trouble than if I had been charged with fraud:

The charge might be framed as a from of criminal facilitation. The only intent required might be defined simply as a reckless disregard of the consequences of your actions.

What follows is a model statute that s

Re:

[Quadraginta]

Yes, well, if you created it and kept in in your desk drawer, you're right. But have you forgotten that this fellow published his widget on the net, and allowed anybody at all access to it? That's a whole 'nother ball game.

First of all, a jury may and often will draw powerful inferences about someone's intent from their actions. For example, if you have enough crack in your possession, the jury is allowed to decide -- and probably will decide -- that you have ipso facto the intent to distribute it, regar

Re:

[Danse]

Unfortunately, there are enough weak brained person's around to get the guy for "intent" based on production of the code.

I think the fact that he's telling everyone about it pretty much nullifies that argument. You don't broadcast to everyone that you can create fake tickets if you actually intend to use them.

Re:

[Zeinfeld]

Fraud is a crime of intent.
Unfortunately, there are enough weak brained person's around to get the guy for "intent" based on production of the code.

Fraud requires intent. But fraud is not the only possible crime here.

In particular there are a lot of crimes that are designed to make it easier to prosecute fraud by criminalizing conduct that is preparation for fraud. That is how the CANSPAM act works, it does not criminalize spam but it does criminalize activities spammers typically engage in.

The Sec

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Tim C]

I suspect very strongly that in the case of money, simply having the means to create counterfeit bills will probably land you in a whole heap of trouble. Governments tend not to have much of a sense of humour when it comes to that sort of thing.

10 years ago, in this case, I'd have laughed if somone had suggested the guy could be arrested just for this. Since the attack on the WTC, however...

Re:not likely

[psykocrime]

I suspect very strongly that in the case of money, simply having the means to create counterfeit bills will probably land you in a whole heap of trouble.


This is why every American should immediately go visit FIJA [fija.org] and learn the truth about serving on a jury. Hint: you can judge the law as well as the facts, and juries ARE the "last line of defense" against oppressive government / bad laws. See Jury Nullification [wikipedia.org] and/or Peter Zenger [wikipedia.org] for more.

If I'm ever serving on a jury, I can guarantee you that I won't be voting to convict in any "victimless crime" situation, or anything where somebody is being charged with violating some bullshit law. Hung jury or acquittal, here we come.

Re:

[raehl]

No, you can be prosecuted for attempting to pass these off as real, but not just printing them

But you could be civilly sued for violating NWA's trademark and copyright.

Re:

[Hijacked Public]

And you definitely don't want a pissed off r. Dre knocking on your front door.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:YANAL and you don't play one well on the net

[psykocrime]

The theory you seem to be proposing here might be worth a shot if you were a defense attorney defending a case. It is not a good idea to rely on such theories if you want to stay out of prison. Much better to consider the theories that a prosecutor might use and steer clear of possibly illegal activity.

Steer clear of illegal activity???? HELL no! That's the dumbest idea I've ever heard. As good citizens we have a responsibility to ignore and break bad laws...

Re:

[MoreBonez]

I doubt it. It's hard to see how faking a boarding pass can be considered some kind of "political speech," which is about the only kind of speech that has near-absolute protection under the First Amendment.

But he's not faking a boarding pass. He published a tool that allows it to be done in order to make a point about aviation security, which is regulated by the government. Sounds like political speech to me.

Whether that argument would hold up in court while he's being accused of helping terrorists i

Re:

[SnowZero]

I think it would have been more responsible on the researcher's part if he had simply announced that he could make fake boarding passes, rather than fielding a system for doing so. As an undergrad, I found some holes in our university IT system, and in the grading systems for two classes I took. Instead of exploiting it, I told the people in charge so they could fix it. There are cases where the person with the problem won't admit it, and wants you to keep it secret. In those cases you might eventually

Re:

[dgatwood]

The problem is that for every tale like yours, there are a thousand stories of people who found holes in a computer system, told the responsible party, and were promptly threatened with administrative action for "cracking". After all, if you weren't trying to break in, how did you stumble across the security hole to begin with?

And as I said, we've all been saying this for years. It simply took somebody having the guts to make a really visible, easy-to-use exploit for the problem before anyone would list

Re:not likely

[dgatwood]

Passing a fake bill is illegal. Selling a printing press is not, even if that printing press can be used to print bills.... Telling people how to make a plate based on existing currency... it's the same as making any other kind of plate, so also not illegal in all likelihood.

There isn't anything here that hasn't been obvious to every single person who reads Slashdot for years. It's all smoke and mirrors, and anyone with even a modest level of intelligence knows this, not just geeks. The only thing surprising here is that we have a Congressman who is so completely computer illiterate and clueless that he actually believes that the stuff in this article would be a surprise to anyone.

You know, now that I think about it, given the quality of federal legislation in the past few years... it's not really that surprising after all. In fact, it explains a lot.

Re:not likely

[Fulcrum of Evil]

Come on, security researchers, you know what the political climate is! Is there no other way to point out that something may be easily forged besides actually creating a tool to forge it!?

No, because anything less will be dismissed as fearmongering.

Re:

[twistedsymphony]

exactly... I believe this is what we call "Taking one for the team".

Re:not likely

[UbuntuDupe]

Conservative/Libertarian radio talk show host Neal Boortz ran into the same thing. (According to a story he regularly tells) He told some airline, Delta I think, that the security check in procedures were too lax. They ignored him. After he was fed up with that, he made a bet with the head of security, then dressed up like a pilot, got waved through a checkpoint, and once on a plane, he got out his cell phone and called the head of security to let him know he got through.

Don't know what became of that. (This was long before 9/11.)

Re:not likely

[thePowerOfGrayskull]

Is there no other way to point out that something may be easily forged besides actually creating a tool to forge it!?

Come on software security researchers -- is there no other way to demonstrate exploits in Internet Explorer than to actually create and release the exploit code?!

I mean seriously -- isn't this the same question in a different wrapper?

Re:

[grcumb]

Yes, normaly you can show the problem by just pointing it to any smart person. But you'll never make MS aknowledge the flaw without somebody exploiting it (and lots of times not even then). The situation is almost the same.

Indeed. The very first MS Word macro virus was explicitly designed as a 'proof of concept' - in effect, a shot across the bows of the USS Microsoft. While many of us had already expressed serious concern long before this, MS refused to even acknowledge that there was an issue. Even this

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[hacker]

Ah, more sheep.

You do realize that those same extremists, the ones that are using the Muslim religion, twisted to suit their needs, as a shield, are the same ones we trained, financed and helped defeat Russia when it tried to invade Afghanistan, right? Read your history books.

Oh, and this puppet government we put into Iraq... we tried the same thing in Iran back in the 50's, and that's what led to the Iran Hostage Affair in the 70's. Again, look it up. These people are pissed off BECAUSE WE MADE THEM SO

Re:

[dark_requiem]

Oh, that's rich. Really funny. Who needs criminal convictions and constitutional law when you could just classify the guy as an "unlawful enemy combatant" and lock him up with no charges and no recourse? The first amendment? You're living in a fantasy land of yesteryear my friend.

Re:

[rthille]

Been in that cave long?

They don't have to file a case. Congress did away with Habeas Corpus recently, so they can just 'disappear' you, like all the other terrorists...

I'm really thinking that armed insurrection is going to be coming soon to the U.S....

Re:

[Em Adespoton]

I'm really thinking that armed insurrection is going to be coming soon to the U.S....

I doubt it... anyone who started organizing such a thing would be labeled an enemy combatant and disappeared. For this sort of mess, you're going to need some outside country to liberate you and bring democracy to your suffering land.

Re:

[maetenloch]

They don't have to file a case. Congress did away with Habeas Corpus recently, so they can just 'disappear' you, like all the other terrorists...

No, they didn't. Habeas corpus still applies to all U.S. citizens. Period.

What congress did in the MCA was say that non-citizens being held in Guantanamo Bay or who have been declared enemy combatants cannot claim habeas corpus rights. Note that it's not clear that they would have had habeas corpus rights even before the MCA was passed. This was an attempt b

Re:Ummm. The First Amendment?

[An Onerous Coward]

Soooooo.... if I get my butt hauled off to Guantanamo, how do I get myself a court hearing so that I can present the evidence showing that I am a U.S. citizen and therefore entitled to Habeus Corpus?

Face it. So long as we say, "Everyone has a right to habeus corpus, except for group X," then all the government needs to do is claim you're a member of group X to deny you access to the courts.

Final note: We are not at war. Legally, we are not at war, because Congress has not declared war. Morally, we cannot declare a war that amounts to a war against anyone, anywhere who might be plotting violence against us. That leads directly to a state of eternal war, because we cannot even conceive of a future state of affairs that could be called "victorious."

The U.S. knew the war was over when Lee signed his surrender at Appomattox. How will we know that the "global struggle against islamofascism" is at an end, that America is safe, and we can demand these so-called "war powers" back? Who is going to have to surrender their arms to make that day come? The answer, of course, is nobody. This "war" won't end with a resounding military victory or the fall of some great tyrant. It only ends when the people of the U.S. rise up and take back the liberties they traded for false security.

November 7, people. Mark it on your calendars.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Ummm. The First Amendment?

[Em Adespoton]

The prosecutors would never file a criminal case, because it would be quickly thrown out on First Amendment grounds? Wouldn't it?

Well, look at it like this: because he published this, he is both an enemy combatant and a terrorist. Therefore, he has no habeas corpus protection. Therefore, they can just come around, pick him up, and toss him in some cell somewhere, and never have to tell anyone.

Re:

[JWSmythe]

Ha!

Have you noticed all the less than friendly laws passed recently?

If they decide to do anything to him, they'll be shipping him off to a Southeastern Cuba vacation spot. It's a very exclusive resort, you can only show up by invitation (an invitation that you cannot refuse). How did the Eagles put it? "You can checkout any time you like, but you can never leave..."

How did the summary of the "Military Commissions Act of 2006" go?

1) The US Gov'

This is nothing new..

[RightSaidFred99]

You could have just used an old boarding pass or copied an old one, or scanned and photoshopped an old boarding pass and changed the date/time.

Or, gee, the terrorists could just have someone else buy a plane ticket, or buy it themselves, or buy for a different flight, whatever.

The whole thing is ridiculous. It's ridiculous that this is thought to be some newly discovered weakness, and it's ridiculous that the powers that be are actually getting upset over it.

This is actually quite brilliant

[panaceaa]

There IS brilliance behind his idea. Perhaps you didn't read it... but basically, you can fly on a fake identity without any screening of your actual identity.

1) Go to 7-Eleven and buy a pre-paid credit card with cash using a fake name. This will be the name you fly under.
2) Buy a ticket with this credit card.
3) Print out an ADDITIONAL ticket for your real identity. He gives you an HTML form to do this.

Now, show up at the airport. Go through security with the fake ticket... it will match your ID, but since it's not in any computer systems, they won't check to see if you're on the no-fly list. When at the gate, provide the ticket you actually bought. Nowadays you don't need an ID at the gates anymore -- just have your ticket scanned and hop on the plane!

Now, I'm not exactly sure if you can check bags. If you have to go to the counter before security, they ask for your ID. But if you can avoid that (and you can now, as far as I know), you can fly on a fake identity.

where do you sit??

[commodoresloat]

Another problem with this is, what good is a fake boarding pass? Remember, the 9-11 hijackers used real boarding passes; all this can do at best is save you a few hundred bucks -- hardly a big deal if you're willing to kill yourself on an airplane to make some kind of point. The biggest problem I see is, let's say you get your fake boarding pass and you manage to get onto the plane with it; then what? Where the hell are you going to sit? Pick an empty seat; then when the real passenger shows up, your fo

Arrest?

[Anonymous brave dude]

So, some guy said he should be arrested. Does that mean anything?

Re:

[JourneyExpertApe]

When he's a congressman, I'd say it does. Although technically a member of the legislative branch, not the executive, a congressman can be very influential.

Re:

[__aaclcg7560]

It's an election year. Some ambitious prosecutor will step up to the plate and file charges for 15 minutes of media fame. It's like the old king saying to himself, "Won't anyone get rid of this meddlesome priest?", and a half-dozen knights running out the door to finish the job.

Yes and no

[rewt66]

It doesn't mean that the guy will be arrested, no. So in that sense, it doesn't mean anything at all.

On the other hand, it isn't just "some guy", a Congressman said that he should be arrested. This means that we have semi-hysterical, technically clueless blowhards deciding national policy. I think that means something, and what it means is really bad...

Re:Arrest?

[camperdave]

Yes, it means that politicians are not interested in fixing the problems, but in hushing up the whistle blowers. It's the age old problem of killing the messenger.

Not only boarding passes...

[GillBates0]

...it also amazes me immensely, how a simple 'printout' passes as an 'authentic' document in a variety of situations.

The wide spread use of e-commerce has expedited the adoption of regular printouts as tickets, receipts, passes and other situations I can't think of right now.

Are people so dumb as to not realize, how simple their official 'logos' are to create using an image processing software? Agreed, most of these 'receipts' merely provide a number, which acts as an 'index' in some internal database somewhere.

But this guy does have a point. Merely admitting a person holding a an easily reproducible printout of an 'eticket' or boarding pass is just lame.

Newark

[From A Far Away Land]

Listening to the radio this morning, they said Newark airport staff failed 20 of 22 tests involving guns and bombs being smuggled past security by undercover agents. Airport "security" is a joke, and a distraction from real issues. When they stop taking away your toothpaste and maple syrup in the carry-on luggage, maybe then I'll take something about airports seriously again.

Re:

[Ungrounded Lightning]

Listening to the radio this morning, they said Newark airport staff failed 20 of 22 tests involving guns and bombs being smuggled past security by undercover agents.

A few years ago I was in a security-check X-ray line. The guy ahead of me was such a "tester", smuggling a gun in his carrr-on bag. The gun was positioned against the side of the bag and sitting on its top surface, so the grip was up. It looked like a flattened-out bracelet on the X-ray.

The screener didn't catch it. The guy showed the screen

Re:

[Macthorpe]

You are suffering from a frighteningly advanced case of "Two-tone perception disorder".

Just because he doesn't want security taking away his toothpaste doesn't mean he advocates allowing firearms on a plane.

Creating loopholes?

[pjt33]

It's astounding that Markey thinks that the website which prints fake boarding passes is creating a loophole. Politicians may not have a grasp of technology, but it only takes common sense to see that the loophole exists independently of any specifictool which creates the document to exploit it.

Re:

[oGMo]

I think the problem is they don't have a grasp of common sense, either.

Re:

[__aaclcg7560]

They're too busy grasping at the pages.

Re:Creating loopholes?

[Hijacked Public]

And oddly enough, despite our collective superiority, they are running the show while the most influential thing we can do is get modded +5 Insightful for insulting them on Slashdot.

Something is amiss here.

odd logic

[Quadraginta]

Mmmm....so since your ability to be killed by a giant fireball exists independently of any specific tool (e.g. a nuclear bomb) that exploits it...you would perhaps also think it would be contrary to common sense to call for restrictions on who can possess (or publish on the Web directions for building) a nuclear bomb?

Re:

[inKubus]

Get real. Although 2000 AMERICANS is a significant percentage of AMERICA, 2000 PEOPLE is not a significant percentage of HUMANITY. Even if terrorists were somehow able to construct a functional nuclear device, smuggle it into a major city and manage to detonate it and kill 100,000 people, it's still meaningless as far as humanity is concerned. A great tragedy, the country would be pretty numb, almost everyone would know someone who died and those people who were in city would have their lives unjustly end

Re:

[raehl]

It does create a slight loophole. Let's say I'm on the no-fly list. If I try to enter the terminal on a boarding pass with a different name and no ID, I'll get more thurough screening. This would let me print a fake boarding pass with my name and enter the terminal using ID, then fly on the real boarding pass with the fake name.

Also, if I am flagged for extra screening, it allows me to avoid it - I just note that the "extra screening" code has been noted on my boarding pass, then use my trusty fake board

I can see it now..

[The Living Fractal]

(airport announcer over intercom) Boarding Northwest Flight 171 has begun...

Passenger 1, with fake ticket, gets to seat 13F first. Sits down and gets comfortable.
Passenger 2, with real ticket, gets to seat 13F, finds someone else in their seat, and politely claims that it is their seat.
Passenger 3 gets to seat 13F, finds two people arguing over whos seat it is, and considers his mistake.
Flight attendant 1 arrives on scene, cannot determine who is the proper passenger, and has Air Marshall 1 escort them bot

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[JourneyExpertApe]

I could have sworn that the last time I flew, they actually scanned my ticket before I boarded. If they don't do this, then they definitely should. How hard would it be to check the barcode on a ticket against a database of tickets that have actually been sold?

Re:

[R3d M3rcury]

Well, first, a boarding pass can get you to the gate. From there, you can force your way onto a plane.

Remember the guy who stormed the gate at BWI Airport back in '70s? He was going to hijack a plane and crash it into the White House and kill Nixon? Ah...found it [wikipedia.org].

Obviously, it'd be trickier to get through security with a .22 and a couple of gallons of gasoline than it was in 1974...

but of course

[Phantom of the Opera]

This whole homeland security mindset is not one of rationality. It is one of panic. There is an element of OMG - he's giving the badguys ideas. This call to arrest him is probably more along the lines of OMG - he's giving passengers the idea that they are unsafe. It isn't the issue wether they are unsafe or not, but making them feel that is going to have negative affects on the airline industry and get people jumpier. All in all, its going to make going on a plane that much less pleasant.

"The Bush Administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane," Markey said in a statement. "There are enough loopholes at the backdoor of our passenger airplanes from not scanning cargo for bombs; we should not tolerate any new loopholes making it easier for terrorists to get into the front door of a plane."

One, shouldn't they already be on the lookout for frausters and terrorist.
Two, this isn't a new loophole. It's been there a while folks.

Not only has it been there a while

[Beryllium Sphere(tm)]

The TSA had already been briefed about fake boarding passes [emergentchaos.com].

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Zeinfeld]

Seriously why? It really makes no difference. They differ on abortion, gay marriage, and gun control, that is about it.

In actual fact they differ on rather a lot, most imporantly the issue of whether Congress should perform oversight of the executive or simply rubber stamp their demands.

This is rather important if you as a US soldier sent to Iraq in insufficient force, lacking essential equipment and having your efforts sabotaged by a civilian leadership whose incompetence is only matched by their menda

Called them up: talked security vs obscurity

[geekotourist]

I called up their Washington DC office. The person who answered didn't know about this issue and the call for an arrest. I made three points:

1. Arresting the messenger doesn't help security- it makes people more afraid to point out security holes.
2. Security holes don't shrink by pretending they don't exist
3. Just before elections isn't the best time to make people in Silicon Valley rethink democrats on security. Markey has usually been thoughtful on security- he should rethink his policy of calling for arresting the messenger.

Impossible.

[DAldredge]

This is impossible. EVERYONE knows it is only those with a R after their name that wish to take away our rights and jail those they do not like.

What Does This Have To Do With Anything?

[hondo77]

The 9/11 hijackers all had valid boarding passes. What do fake boarding passes have to do with security?

Re:

[account_deleted]

Comment removed based on user account deletion

Political spectrum

[delirium of disorder]

Check out Edward Markey's voting record [washingtonpost.com]. He's one of the most liberal members of congress. His call to arrest this innocent security researcher further proves that the Democrats are authoritarians just like the Republicans. Only Greens and Libertarians appear to have any respect for free speech and other civil liberties.

You are most certainly correct

[Phantom of the Opera]

That being said, he's just earned his "oooo, I'm for security" political credit for the day, and preventing a republican from scooping that.

There is something darwinian about US politics. Any politician that speaks their mind too often gets weeded out. The survivors cameoflage themselves in the Coke vs Pepsi plank (or favorite sports team plank). Right now, if you are not 'for security', you are not electable.

Re:Political spectrum

[NineNine]

Ha! You didn't actually think that the Republicans and Democrats were opponents, did you? C'mon.
 
    There's a very popular case study in business school about Coke and Pepsi, and how they're both very happy with approximately 49% of the market. People think they have a real "choice". Neither one has to worry about "monopolies". And, they already know each other. It's a fake battle to make people think that they actually have a choice, all the while, both parties are very happy with half of a FUCKING HUGE pie.
 
Sound familiar?

Would it actually work?

[Junta]

It's been a while since I flew, but I did buy electronic tickets last time. When I first got inside the airport door, the first and only place I presented my ticket printouts was to a clerk right near the entrance. They took the printout, scanned it, looked over my ID along with their screens, and then printed out a 'real' ticket that was a bit less ordinary (though still possibly forgeable if you had their cardstock maybe...). The ticket readers at the actual boarding point were picky about the format a

here's a new rule

[Anonymous Cowpat]

since law enforcement agencies should be able to figure out if there's a possibility that someone has committed a crime and 'aprehend' them, there's no real need for some pompus, self-important, know-nothing congressman to call for their arrest. To ward off the possibility that the law enforcement agencies might look like congress' lackeys, anyone who's arrest is 'called for' by a congressperson should be placed on a 'do not arrest' list. We do not live in a society where people get arrested because an indi

Standard case of security through obscurity

[The Master Control P]

As is common with closed-source software companies, they refuse to listen or reform when told they're unsecure. Once their insecurity is exposed, they are made to look like utter morons in front of their target audience. Rather than behave rationally by acknowledging a problem and working to fix it, they jump to Cover Yer Ass maneuvers:

* Deny the existence of the problem (ABC link, bottom of first page)
* Threaten the person or persons who made them look like incompetent idiots

As long as they believe

Look at the generator, it's not that complicated

[CTho9305]

If you actually look at the boarding pass generator, what it does really isn't complicated - you could do the same thing with one legitimate boarding pass, a typewriter, and a photocopier. That this is worthy of calling for someone's arrest is disturbing.

Re:

[wes33]

in America, one should always be ready to be arrested, and held without charge, possibly tortured and/or sent to a secret prison in a foreign country. This is what Americans call "Freedom"

Prediction

[FirstTimeCaller]

And what do you think the TSA's response to this will be? My money is that they decide to no longer allow people to print their own boarding passes. It will be paper ticket or nothing (and yes I'm aware that these can be forged too). So no more checkins at the gate -- stand in line along with those that have baggage to check. Just great.

Well if all else fails...

[aapold]

Maybe you could use it to flee the country...

Failure to Legi$late

[mpapet]

Individuals simply cannot point out the obvious flaws in what passes for National Security. While we as individuals are supposed to have some kind of freedom in this way, we don't.

Now, lets get to the reasons why this was the dumbest thing to do.

1. It puts egg of the face of every big federal contractor muscling their way into the "homeland security" budget.

2. We're at war with an enemy and tactical end that won't ever be defined. To maintain that heightened state of fear and social control, this individual must be criminalized. (he's helping the terrists after all.)

3. No contractor has a product ready to replace it. It will be a tough day for the contractors that have to explain this to gov't types.

4. It fires off a "something must be done" storm, that no politician really wants. They've got too much fund raising to do.

5. Whistle blowing is contrary to the nation-state's goals. An individual this smart and not working for the State must be criminalized in order to maintain the heightened state of fear and sustain a compliant population.

Never, and I mean never, should an individual take it upon themselves to publish this kind of information.

Except if you want to be known as "notorious" and probably a felon in prison for a couple of administrations at least.

Reminds me of an old southwest.com "HOST" bug

[thehossman]

Background: my last name starts with the letters "Host"

When southwest first started offering online checking, i discovered a small bug, when you got the the "Print your boarding pass" screen, with my name in all caps, the letters "HOST" were replaced with "southwest.com" ... so if your name was "Jim Hostenfeffer" it would appear on your boardingpass as "JIM southwest.comENFEFFER" ... I played with the site a little bit and found that it was a straight macro replacement bug of whatever domain name was used, so would say "JIM wWw.SOutHwesT.cOmENFEFFER" if that was the domain you typed into the URL bar.

The first time it happened i thought it was ammusing, I emailed their tech support, saved the HTML to a file and edited it so it had my name again and would match my ID when i checked in.

4 or 5 flights and at least 9 months later it was still happening and I spent a good 3 hours on the phone being transfered arround to different people trying ot get them to understand what the problem was and how fucking ridiculous it was that i had to constantly "hack" my boarding pass because of a bug they'd had for months.

How to deter suicide bombers: make 'em break law

[Sloppy]

If outlawing printing fake passes, is what it takes to keep terrorists from printing them, then we should do it. Terrorists wouldn't dare to break such a law, thus they won't be able to get boarding passes, thus they won't be able to fly, thus they won't be able to travel to my city, thus they won't be able to detonate a suicide bomb near me.

I'm glad Markey has the sense to systematically think this threat though, and recommend a solution that will stop it at the source.

And if anyone suggests that terrorist threats can only be countered by assuming that terrorists are willing to break TSA guidelines, then I suspect such a person of being an anarchist! This is a nation of laws!

Here's my letter to Markey

[quincunx55555]

Dear Honorable Edward Markey,

I just read about your response to Christopher Soghoian's findings regarding online printable boarding passes being easily faked.

I have to say that I am appalled at what I am reading. Mr. Soghoian has found something that could allow terrorist to continue to harm Americans. This technique may have already been used, or plan to be used, but now we know about it and can do something about it.

Why? Because Mr. Soghoian was kind enough to expose this security flaw. Punishing someone that has put this much effort into giving us the knowledge to save more lives is asinine.

As a Quality Assurance Engineer, I know the importance of finding, and reporting, flaws. This man should be commended, not condemned.

I think it would be wise as a senior member of the Department for Homeland Security to withdraw your previous statements as you have gained "an insightful perspective" on this issue after responses such as mine.

Scaring others into not telling us where our security flaws are will only lead to more opportunities for our enemies. How can you not immediately see this?

Or should I put you on the list of government employees that pretend like they care, but would rather play political games instead?


Sincerely,

Quincunx (real name used in the real letter)


I encourage others to write as well. If we let him know his error, give him an "out", then maybe bullshit like this won't happen again. Here's hoping.
Here's the send-an-email part of Honorable Edward Markey's web page [house.gov]

Tom Clancy, anyone?

[AdmiralWeirdbeard]

Uh, so should they arrest Tom Clancy too? He wrote a book detailing how easily a single person could fly a plane into an important building (the capitol building during a presidential address to a joint session of congress, but whatever).
So, if the litmus test has become, "Using mass media to point out ways that terrorists might strike = terrorism," then Mr. Clancy, as well as any number of Whitehouse Spokespeople are terrorists and should be put in Guantanamo right now. I mean, come on, they got up there at the briefings and said that people could smuggle bomb supplies on in component form in water bottles... and we can bring water bottles on board again... so... THEY'RE WITH THE TERRORISTS!!!!!

Since this is patently absurd, maybe Mr. Windbag might want to slow his roll a bit, and consider using his brain before he opens his fucking hole.

works both ways

[technicalandsocial]

I don't know of a security researcher that doesn't feel that some, if not most, congressmen should be arrested.

Flash Update: The FBI is at The Door

[klausner]

Chris reports that the FBI is knocking [blogspot.com] on his door. The boarding pass generator [dubfire.net] is also (at least temporarily) down.

Re:

[stefanb]

FBI says they didn't arrest him [wired.com], but various people have tried to get in touch with him since then, and were unable to.

Let Markey know what you think

[psykocrime]

I suggest that all concerned Slashdotters contact congressman Markey [house.gov] and let him know what you think.

Re:

[eln]

Because everyone knows terrorists aren't smart enough to buy a ticket before attempting to blow up the airport. Obviously.

Re:

[__aaclcg7560]

I thought "D-Ass" was for shorthand for "Dumb Ass". A lot of politicians fit into that category.

Re:

[Mateo_LeFou]

damn, and markey was the guy who tried to get real net neutrality in the whatchamacalit for us...

In Soviet Russia...

[raehl]

...Security researcher calls for arrest of congressman?

Maybe not this one, but I'm sure one of the other 434 of them have done something.

Re:Another politician...

[Blue Stone]

> Another politician calling for action in places without even thinking.

Oh, he's thinking - about how scoring a cheap point by making himself look 'tough' on people percievable as wrongdoers, will score him political points with an "Election Day drawing near".

That's a politician's priority - exploiting the uninformed electorate by pushing buttons regardless of the truth.

Politics is about number one, everything else is by the by.

Re:Another politician...

[RLiegh]

>Politics is about number one,
Could fool me, mostly it smells like number two.