Congressman Calls for Arrest of Security Researcher

Christopher Soghoian writes "Yesterday, I published a tool that allows you to Create your own boarding pass for Northwest flights. This was an attempt to document the fragile and broken state of identity/security for domestic flights in the US. Today, Congressman Markey (D-Mass) has called for my arrest." From the ABC article: "'I don't want to help terrorists or help bad guys do bad things on airplanes, but what we have now is what we in the industry call security theater. It's made to make you think you're secure without actually making you secure,' Soghoian said. 'As a member of the academic research community, I consider this to be a public service.' Soghoian admits that he hasn't actually tried to use one of the boarding passes yet."

This is nothing new..

[RightSaidFred99]

You could have just used an old boarding pass or copied an old one, or scanned and photoshopped an old boarding pass and changed the date/time.

Or, gee, the terrorists could just have someone else buy a plane ticket, or buy it themselves, or buy for a different flight, whatever.

The whole thing is ridiculous. It's ridiculous that this is thought to be some newly discovered weakness, and it's ridiculous that the powers that be are actually getting upset over it.

Arrest?

[Anonymous+brave+dude]

So, some guy said he should be arrested. Does that mean anything?

Re:Arrest?

[camperdave]

Yes, it means that politicians are not interested in fixing the problems, but in hushing up the whistle blowers. It's the age old problem of killing the messenger.

Newark

[From+A+Far+Away+Land]

Listening to the radio this morning, they said Newark airport staff failed 20 of 22 tests involving guns and bombs being smuggled past security by undercover agents. Airport "security" is a joke, and a distraction from real issues. When they stop taking away your toothpaste and maple syrup in the carry-on luggage, maybe then I'll take something about airports seriously again.

Creating loopholes?

[pjt33]

It's astounding that Markey thinks that the website which prints fake boarding passes is creating a loophole. Politicians may not have a grasp of technology, but it only takes common sense to see that the loophole exists independently of any specifictool which creates the document to exploit it.

Re:Creating loopholes?

[Hijacked+Public]

And oddly enough, despite our collective superiority, they are running the show while the most influential thing we can do is get modded +5 Insightful for insulting them on Slashdot.

Something is amiss here.

Re:Ummm. The First Amendment?

[soft_guy]

The prosecutors would never file a criminal case, because it would be quickly thrown out on First Amendment grounds? Wouldn't it?

With a supreme court with 7 republican appointees? I doubt it.

Re:Ummm. The First Amendment?

[Tackhead]

> The prosecutors would never file a criminal case, because it would be quickly thrown out on First Amendment grounds? Wouldn't it?

Much like the guy who looks at your boarding pass, you're trusting your life to something that's just a goddamn piece of paper.

Well

[finkployd]

The emperor generally does not like having his nudity pointed out. Many in government know they are bit players in a pointless security theater, but react violently when told that. I suppose they like to feel that what they do is important and useful (read TSA agents, pretty much the entire DHS, etc). After all, how would you like it if your entire job consisted of going through a dance routine designed to make the clueless public feel as though the government is doing something to keep them safe?

I suppose Congress is a bit different, I have no problem believing most of the genuinely are clueless and believe wholeheartedly that keeping lighters, tweezers, and bottles of water off airlines is critical to our national security. That also seem to really believe that torture and massive surveillance is an effective way to combat terrorism, further displaying a total lack if understanding. The Republicans (at least those loyal to the Whitehouse) are in a unique position where they have to pretend all of this fluff is important, but somehow selling the ports to Middle East companies, looking the other way on illegal aliens, and ignoring Bin Laden to focus on the mess we created in Iraq are perfectly acceptable.

Finkployd

Called them up: talked security vs obscurity

[geekotourist]

I called up their Washington DC office. The person who answered didn't know about this issue and the call for an arrest. I made three points:

1. Arresting the messenger doesn't help security- it makes people more afraid to point out security holes.
2. Security holes don't shrink by pretending they don't exist
3. Just before elections isn't the best time to make people in Silicon Valley rethink democrats on security. Markey has usually been thoughtful on security- he should rethink his policy of calling for arresting the messenger.

What Does This Have To Do With Anything?

[hondo77]

The 9/11 hijackers all had valid boarding passes. What do fake boarding passes have to do with security?

Re:not likely

[finkployd]

No, you can be prosecuted for attempting to pass these off as real, but not just printing them (well, in the case of money that may not be true). Obviously, this guy was not encouraging people to print them and break the law and threaten national security, he was attempting to make a point about how silly our pseudo-security efforts regarding airlines are. In the collective mind of the federal government, educating the public just how ineffective most security measures are is probably the more more dangerous scenario though.

Finkployd

Re:not likely

[Fulcrum+of+Evil]

Come on, security researchers, you know what the political climate is! Is there no other way to point out that something may be easily forged besides actually creating a tool to forge it!?

No, because anything less will be dismissed as fearmongering.

This is actually quite brilliant

[panaceaa]

There IS brilliance behind his idea. Perhaps you didn't read it... but basically, you can fly on a fake identity without any screening of your actual identity.

1) Go to 7-Eleven and buy a pre-paid credit card with cash using a fake name. This will be the name you fly under.
2) Buy a ticket with this credit card.
3) Print out an ADDITIONAL ticket for your real identity. He gives you an HTML form to do this.

Now, show up at the airport. Go through security with the fake ticket... it will match your ID, but since it's not in any computer systems, they won't check to see if you're on the no-fly list. When at the gate, provide the ticket you actually bought. Nowadays you don't need an ID at the gates anymore -- just have your ticket scanned and hop on the plane!

Now, I'm not exactly sure if you can check bags. If you have to go to the counter before security, they ask for your ID. But if you can avoid that (and you can now, as far as I know), you can fly on a fake identity.

Failure to Legi$late

[mpapet]

Individuals simply cannot point out the obvious flaws in what passes for National Security. While we as individuals are supposed to have some kind of freedom in this way, we don't.

Now, lets get to the reasons why this was the dumbest thing to do.

1. It puts egg of the face of every big federal contractor muscling their way into the "homeland security" budget.

2. We're at war with an enemy and tactical end that won't ever be defined. To maintain that heightened state of fear and social control, this individual must be criminalized. (he's helping the terrists after all.)

3. No contractor has a product ready to replace it. It will be a tough day for the contractors that have to explain this to gov't types.

4. It fires off a "something must be done" storm, that no politician really wants. They've got too much fund raising to do.

5. Whistle blowing is contrary to the nation-state's goals. An individual this smart and not working for the State must be criminalized in order to maintain the heightened state of fear and sustain a compliant population.

Never, and I mean never, should an individual take it upon themselves to publish this kind of information.

Except if you want to be known as "notorious" and probably a felon in prison for a couple of administrations at least.

Re:not likely

[thePowerOfGrayskull]

Is there no other way to point out that something may be easily forged besides actually creating a tool to forge it!?

Come on software security researchers -- is there no other way to demonstrate exploits in Internet Explorer than to actually create and release the exploit code?!

I mean seriously -- isn't this the same question in a different wrapper?

Re:Ummm. The First Amendment?

[Em+Adespoton]

The prosecutors would never file a criminal case, because it would be quickly thrown out on First Amendment grounds? Wouldn't it?

Well, look at it like this: because he published this, he is both an enemy combatant and a terrorist. Therefore, he has no habeas corpus protection. Therefore, they can just come around, pick him up, and toss him in some cell somewhere, and never have to tell anyone.

Re:Another politician...

[Blue+Stone]

> Another politician calling for action in places without even thinking.

Oh, he's thinking - about how scoring a cheap point by making himself look 'tough' on people percievable as wrongdoers, will score him political points with an "Election Day drawing near".

That's a politician's priority - exploiting the uninformed electorate by pushing buttons regardless of the truth.

Politics is about number one, everything else is by the by.

Here's my letter to Markey

[quincunx55555]

Dear Honorable Edward Markey,

I just read about your response to Christopher Soghoian's findings regarding online printable boarding passes being easily faked.

I have to say that I am appalled at what I am reading. Mr. Soghoian has found something that could allow terrorist to continue to harm Americans. This technique may have already been used, or plan to be used, but now we know about it and can do something about it.

Why? Because Mr. Soghoian was kind enough to expose this security flaw. Punishing someone that has put this much effort into giving us the knowledge to save more lives is asinine.

As a Quality Assurance Engineer, I know the importance of finding, and reporting, flaws. This man should be commended, not condemned.

I think it would be wise as a senior member of the Department for Homeland Security to withdraw your previous statements as you have gained "an insightful perspective" on this issue after responses such as mine.

Scaring others into not telling us where our security flaws are will only lead to more opportunities for our enemies. How can you not immediately see this?

Or should I put you on the list of government employees that pretend like they care, but would rather play political games instead?


Sincerely,

Quincunx (real name used in the real letter)


I encourage others to write as well. If we let him know his error, give him an "out", then maybe bullshit like this won't happen again. Here's hoping.
Here's the send-an-email part of Honorable Edward Markey's web page

Re:Ummm. The First Amendment?

[timeOday]

A boarding pass isn't even supposed to be a security document. That's why you have to show your ID as well as your boarding pass, just to get the privelige of being x-rayed, bomb-sniffed, and patted down before being allowed into the secured area. If anybody thought boarding passes were supposed to enhance security, they wouldn't let you print your own.

In other words, I think the professor's research is silly, and I think the congressman is equally silly for calling for his arrest.

Tom Clancy, anyone?

[AdmiralWeirdbeard]

Uh, so should they arrest Tom Clancy too? He wrote a book detailing how easily a single person could fly a plane into an important building (the capitol building during a presidential address to a joint session of congress, but whatever).
So, if the litmus test has become, "Using mass media to point out ways that terrorists might strike = terrorism," then Mr. Clancy, as well as any number of Whitehouse Spokespeople are terrorists and should be put in Guantanamo right now. I mean, come on, they got up there at the briefings and said that people could smuggle bomb supplies on in component form in water bottles... and we can bring water bottles on board again... so... THEY'RE WITH THE TERRORISTS!!!!!

Since this is patently absurd, maybe Mr. Windbag might want to slow his roll a bit, and consider using his brain before he opens his fucking hole.

Re:YANAL and you don't play one well on the net

[psykocrime]

The theory you seem to be proposing here might be worth a shot if you were a defense attorney defending a case. It is not a good idea to rely on such theories if you want to stay out of prison. Much better to consider the theories that a prosecutor might use and steer clear of possibly illegal activity.

Steer clear of illegal activity???? HELL no! That's the dumbest idea I've ever heard. As good citizens we have a responsibility to ignore and break bad laws...

Re:Ummm. The First Amendment?

[iocat]

It's not even research. Anyone with five minutes and a copy of WORD could do the same thing. It doesn't make something that spoofs the system, it makes something that spoofs people who can't read barcodes (that is: everyone). It wouldn't scan correctly and let you get on the plane, it just is a form that adds your name and date to a rip off of the standard "print at home" boarding passes.

This whole story is stupid. The fact that documents can be forged is not news, the fact that some guy made a website for doing it faster is not news, and the fact that security at airports is a giant joke to anyone dedicated to getting stuff past it is not news either.

I put a lot more faith in my fellow passengers' desire to rip a terrorist to pieces with their bare hands on the plane once he or she announces themselves than I do in the ability of the TSA to effectively screen people. And it's not becuase the TSA are all idiots; thay have a tough job that they try to do very quickly -- if they really wanted to screen everything effectively, it would take hours to get through security.

Re:Ummm. The First Amendment?

[jadavis]

There must be some hidden reason for the seemingly obvious misjudgment.

More like a misconception. This country really needs more so-called conservative justices. By "conservative", I don't mean conservatives pushing their agendas from the bench (like O'Connor), I mean justices who follow the Constitution (like Scalia).

It's no surprise that Kelo went the way it did. You're thinking is that "liberals are for the little guys, conservatives for business". But, in reality, having the power of central planning is crucial to the liberal agenda. Kelo was exactly what the liberals needed: the power for government officials to confiscate your personal property in the name of a "greater good" by calling it a "public purpose" (not public use, however, as the 5th Amendment says).

Scalia, on the other hand, follows the Constitutional principle that the federal government can only regulate interstate commerce ("commerce among the states," as is in the Constitution). Using that principle, it would be Unconstitutional for the federal government to prohibit the growing of Marijuana on private property. States could still outlaw it, of course, but the feds couldn't do a thing. Does that sound "conservative" to you? Nope, but it is what the Constitution says.

This is not about your party, the Constitution gets in the way of BOTH parties, but it's not for the parties, it's for the PEOPLE. So back the Constitution, because it's just in the way of the Democrats and the Republicans. It's time for both parties to face the hard truths: you can't execute unwarranted searchs (too bad, GOP). And Democrats: stop trying to control guns, unless you want to try to pass an Amendment. The Constitution says these things, plain and simple. Oh, and when you get a chance, read the 10th Amendment, too.

Right now the idea that we are following the Constitution is a joke. We cling to a few scraps of the Bill of Rights, and ignore much of the rest of it. Congress "Authorized the use of force"?! What is that supposed to mean? What about a declaration of war? Meanwhile the Supreme Court passes arbitrary edicts fabricated out of thin air, like "privacy" meaning that it's Unconstitutional to ban abortions. I don't think it's a good idea to ban abortions, but why did 9 people make that decision for the entire country, when it's clearly a state issue?

Re:Ummm. The First Amendment?

[An+Onerous+Coward]

Soooooo.... if I get my butt hauled off to Guantanamo, how do I get myself a court hearing so that I can present the evidence showing that I am a U.S. citizen and therefore entitled to Habeus Corpus?

Face it. So long as we say, "Everyone has a right to habeus corpus, except for group X," then all the government needs to do is claim you're a member of group X to deny you access to the courts.

Final note: We are not at war. Legally, we are not at war, because Congress has not declared war. Morally, we cannot declare a war that amounts to a war against anyone, anywhere who might be plotting violence against us. That leads directly to a state of eternal war, because we cannot even conceive of a future state of affairs that could be called "victorious."

The U.S. knew the war was over when Lee signed his surrender at Appomattox. How will we know that the "global struggle against islamofascism" is at an end, that America is safe, and we can demand these so-called "war powers" back? Who is going to have to surrender their arms to make that day come? The answer, of course, is nobody. This "war" won't end with a resounding military victory or the fall of some great tyrant. It only ends when the people of the U.S. rise up and take back the liberties they traded for false security.

November 7, people. Mark it on your calendars.