Congressman Calls for Arrest of Security Researcher
Christopher Soghoian writes "Yesterday, I published a tool that allows you to Create your own boarding pass for Northwest flights. This was an attempt to document the fragile and broken state of identity/security for domestic flights in the US. Today, Congressman Markey (D-Mass) has called for my arrest." From the ABC article: "'I don't want to help terrorists or help bad guys do bad things on airplanes, but what we have now is what we in the industry call security theater. It's made to make you think you're secure without actually making you secure,' Soghoian said. 'As a member of the academic research community, I consider this to be a public service.' Soghoian admits that he hasn't actually tried to use one of the boarding passes yet."
The prosecutors would never file a criminal case, because it would be quickly thrown out on First Amendment grounds? Wouldn't it?
Or, gee, the terrorists could just have someone else buy a plane ticket, or buy it themselves, or buy for a different flight, whatever.
The whole thing is ridiculous. It's ridiculous that this is thought to be some newly discovered weakness, and it's ridiculous that the powers that be are actually getting upset over it.
So, some guy said he should be arrested. Does that mean anything?
The widespread use of e-commerce has expedited the adoption of regular printouts as tickets, receipts, passes and other situations I can't think of right now.
Are people so dumb as to not realize how simple their official 'logos' are to create using image processing software? Agreed, most of these 'receipts' merely provide a number, which acts as an 'index' in some internal database somewhere.
But this guy does have a point. Merely admitting a person holding an easily reproducible printout of an 'eticket' or boarding pass is just lame.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Listening to the radio this morning, they said Newark airport staff failed 20 of 22 tests involving guns and bombs being smuggled past security by undercover agents. Airport "security" is a joke, and a distraction from real issues. When they stop taking away your toothpaste and maple syrup in the carry-on luggage, maybe then I'll take something about airports seriously again.
Oh You POS
It's astounding that Markey thinks that the website which prints fake boarding passes is creating a loophole. Politicians may not have a grasp of technology, but it only takes common sense to see that the loophole exists independently of any specific tool which creates the document to exploit it.
One, shouldn't they already be on the lookout for fraudsters and terrorists?
Two, this isn't a new loophole. It's been there a while folks.
I doubt it. It's hard to see how faking a boarding pass can be considered some kind of "political speech," which is about the only kind of speech that has near-absolute protection under the First Amendment.
Otherwise, you know, you couldn't be prosecuted for faking a bill of sale for a car, or a life insurance policy, or printing counterfeit currency, or most other forms of fraud that involve a printed document -- and you surely can.
The emperor generally does not like having his nudity pointed out. Many in government know they are bit players in a pointless security theater, but react violently when told that. I suppose they like to feel that what they do is important and useful (read TSA agents, pretty much the entire DHS, etc). After all, how would you like it if your entire job consisted of going through a dance routine designed to make the clueless public feel as though the government is doing something to keep them safe?
I suppose Congress is a bit different, I have no problem believing most of them genuinely are clueless and believe wholeheartedly that keeping lighters, tweezers, and bottles of water off airlines is critical to our national security. They also seem to really believe that torture and massive surveillance is an effective way to combat terrorism, further displaying a total lack of understanding. The Republicans (at least those loyal to the White House) are in a unique position where they have to pretend all of this fluff is important, but somehow selling the ports to Middle East companies, looking the other way on illegal aliens, and ignoring Bin Laden to focus on the mess we created in Iraq are perfectly acceptable.
Finkployd
1. Arresting the messenger doesn't help security- it makes people more afraid to point out security holes.
2. Security holes don't shrink by pretending they don't exist
3. Just before elections isn't the best time to make people in Silicon Valley rethink Democrats on security. Markey has usually been thoughtful on security- he should rethink his policy of calling for arresting the messenger.
This is impossible. EVERYONE knows it is only those with an R after their name that wish to take away our rights and jail those they do not like.
The 9/11 hijackers all had valid boarding passes. What do fake boarding passes have to do with security?
I live ze unknown. I love ze unknown. I am ze unknown.
Check out Edward Markey's voting record. He's one of the most liberal members of congress. His call to arrest this innocent security researcher further proves that the Democrats are authoritarians just like the Republicans. Only Greens and Libertarians appear to have any respect for free speech and other civil liberties.
------ Take away the right to say fuck and you take away the right to say fuck the government.
Because everyone knows terrorists aren't smart enough to buy a ticket before attempting to blow up the airport. Obviously.
And what do you think the TSA's response to this will be? My money is that they decide to no longer allow people to print their own boarding passes. It will be paper ticket or nothing (and yes I'm aware that these can be forged too). So no more checkins at the gate -- stand in line along with those that have baggage to check. Just great.
Wanted: witty unique signature. Must be willing to relocate.
There IS brilliance behind his idea. Perhaps you didn't read it... but basically, you can fly on a fake identity without any screening of your actual identity.
1) Go to 7-Eleven and buy a pre-paid credit card with cash using a fake name. This will be the name you fly under.
2) Buy a ticket with this credit card.
3) Print out an ADDITIONAL ticket for your real identity. He gives you an HTML form to do this.
Now, show up at the airport. Go through security with the fake ticket... it will match your ID, but since it's not in any computer systems, they won't check to see if you're on the no-fly list. When at the gate, provide the ticket you actually bought. Nowadays you don't need an ID at the gates anymore -- just have your ticket scanned and hop on the plane!
Now, I'm not exactly sure if you can check bags. If you have to go to the counter before security, they ask for your ID. But if you can avoid that (and you can now, as far as I know), you can fly on a fake identity.
my blog
Maybe you could use it to flee the country...
"Waste not one watt!" - CZ
Individuals simply cannot point out the obvious flaws in what passes for National Security. While we as individuals are supposed to have some kind of freedom in this way, we don't.
Now, let's get to the reasons why this was the dumbest thing to do.
1. It puts egg on the face of every big federal contractor muscling their way into the "homeland security" budget.
2. We're at war with an enemy and tactical end that won't ever be defined. To maintain that heightened state of fear and social control, this individual must be criminalized. (he's helping the terrists after all.)
3. No contractor has a product ready to replace it. It will be a tough day for the contractors that have to explain this to gov't types.
4. It fires off a "something must be done" storm, that no politician really wants. They've got too much fund raising to do.
5. Whistle blowing is contrary to the nation-state's goals. An individual this smart and not working for the State must be criminalized in order to maintain the heightened state of fear and sustain a compliant population.
Never, and I mean never, should an individual take it upon themselves to publish this kind of information.
Except if you want to be known as "notorious" and probably a felon in prison for a couple of administrations at least.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Well...his arrest wouldn't be completely bad. It would give me something to cover my 'Free Kevin' bumper sticker with.
THIS MAN SHOULD BE ARRESTED IMMEDIATELY. I mean, publishing this as closed source? I'd be surprised if someone replying to me didn't call for him to be immediately thrown on death row!
Damn, and Markey was the guy who tried to get real net neutrality in the whatchamacallit for us...
My turnips listen for the soft cry of your love
Background: my last name starts with the letters "Host"
... so if your name was "Jim Hostenfeffer" it would appear on your boarding pass as "JIM southwest.comENFEFFER" ... I played with the site a little bit and found that it was a straight macro replacement bug of whatever domain name was used, so would say "JIM wWw.SOutHwesT.cOmENFEFFER" if that was the domain you typed into the URL bar.
When Southwest first started offering online checking, I discovered a small bug, when you got to the "Print your boarding pass" screen, with my name in all caps, the letters "HOST" were replaced with "southwest.com"
The first time it happened I thought it was amusing, I emailed their tech support, saved the HTML to a file and edited it so it had my name again and would match my ID when I checked in.
4 or 5 flights and at least 9 months later it was still happening and I spent a good 3 hours on the phone being transferred around to different people trying to get them to understand what the problem was and how fucking ridiculous it was that I had to constantly "hack" my boarding pass because of a bug they'd had for months.
-- The Hoss Man
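The bug class described in the comment above, as an added example that is not part of the original post and is not Southwest's code: a renderer that inserts the passenger name and then runs a blanket replace of the `HOST` macro over the finished page, next to a single-pass version with delimited placeholders and a canonical host name. The template text, function names and host allow-list are assumptions made for illustration.

```python
import re

# Constructed template in the style the comment implies: bare-word macros.
BUGGY_TEMPLATE = "Boarding pass issued by HOST\nPassenger: NAME\n"


def render_buggy(name: str, host: str) -> str:
    """Reproduce the reported behaviour.

    The passenger name is inserted first, then every remaining "HOST" in the
    page is replaced with the request's host, including the "HOST" that now
    sits inside the upper-cased name.
    """
    page = BUGGY_TEMPLATE.replace("NAME", name.upper())
    return page.replace("HOST", host)  # host is echoed exactly as typed


# Hardened variant (assumed design, not the airline's fix).
SAFE_TEMPLATE = "Boarding pass issued by {{HOST}}\nPassenger: {{NAME}}\n"
CANONICAL_HOST = "southwest.com"
ALLOWED_HOSTS = {"southwest.com", "www.southwest.com"}  # assumed allow-list
_PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def render_fixed(name: str, host: str) -> str:
    """Substitute delimited placeholders in one pass over the template only.

    Inserted values are never rescanned, so a name containing "HOST" (or even
    "{{HOST}}") is printed as given. The host shown on the page comes from an
    allow-list rather than from whatever the client sent.
    """
    requested = host.strip().lower()
    site = requested if requested in ALLOWED_HOSTS else CANONICAL_HOST
    values = {"HOST": site, "NAME": name.upper()}
    return _PLACEHOLDER.sub(
        lambda m: values.get(m.group(1), m.group(0)), SAFE_TEMPLATE
    )


if __name__ == "__main__":
    for h in ("southwest.com", "wWw.SOutHwesT.cOm"):
        print(render_buggy("Jim Hostenfeffer", h))
        print(render_fixed("Jim Hostenfeffer", h))
```
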
Get real. Although 2000 AMERICANS is a significant percentage of AMERICA, 2000 PEOPLE is not a significant percentage of HUMANITY. Even if terrorists were somehow able to construct a functional nuclear device, smuggle it into a major city and manage to detonate it and kill 100,000 people, it's still meaningless as far as humanity is concerned. A great tragedy, the country would be pretty numb, almost everyone would know someone who died and those people who were in the city would have their lives unjustly ended early. BUT, humanity will go on. Even 10 bombs, or 100! Anyone who wants to make a nuclear bomb bad enough can get the info needed to build one. So why not publish it online so everyone knows how to make one, then the security guards actually know what one looks like, the person who finds it knows how it works and then more people can think of solutions to stop them.
Instead, the current mindset is to limit the information, and therefore the people working to solve the problem, thus leading to no solutions being found. That is why this is a huge farce. Lawmakers are using a tragedy to not only take and spend money but to take away our freedoms and increase their own power. And in the end, as is shown here and will be continually shown TIME AND TIME AGAIN in the future, all of their so called "security measures" will prove to be just as easily bypassed.
The real reason was to limit the number of people who get in to the boarding area so they need less employees to clean toilets and carpets, less wear on carpets, less seating required, etc. because all of those employees will have to be security checked. It's security compartmentalization. It doesn't MATTER if a small number of people start printing out boarding passes to get behind the gates. They always could. It's just preventing the flocking of sheep in places where they have to be served, and thus creating a bigger security risk in the form of authorized employees. In addition, that means fewer faces for a facial recognition algorithm to search and of course a captive audience for any food services deep in the terminal.
This information does not lower the security of the system. It was already very low. Just as bolt cutters will never be banned even though they can cut locks, this guy shouldn't be arrested because he is generating an HTML file. PEOPLE make terror, not tools. The more information people have, the less likely they are to fear the government, and thus the less likely they will want to cause insurrection. Information, like humanity, wants to be free. One might argue that the whole Middle East is based on a problem of information--people there are affected by real-world conditions on the ground and they don't understand that it's not US (Americans) that are causing those problems. It's their leaders and our leaders, keeping the real information from them. If everyone knew what everyone else was thinking, we'd know for sure that politicians and governments are all liars and are using us for our money and slave labor. As long as that's being done for the collective GOOD, so be it, but when it's used for the collective harm and benefits only those in power, you have what's called a Dictatorship. Which is not what America is supposed to be about.
So next time they go spouting off about some stupid new security measure that seems to be for the collective good but doesn't really do anything, look to see who benefits. Then you'll know if it really was done to protect YOU or to protect some rich factory or security company owner.
Cool! Amazing Toys.
...Security researcher calls for arrest of congressman?
Maybe not this one, but I'm sure one of the other 434 of them have done something.
paintball
> Another politician calling for action in places without even thinking.
Oh, he's thinking - about how scoring a cheap point by making himself look 'tough' on people perceivable as wrongdoers, will score him political points with an "Election Day drawing near".
That's a politician's priority - exploiting the uninformed electorate by pushing buttons regardless of the truth.
Politics is about number one, everything else is by the by.
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
If outlawing printing fake passes, is what it takes to keep terrorists from printing them, then we should do it. Terrorists wouldn't dare to break such a law, thus they won't be able to get boarding passes, thus they won't be able to fly, thus they won't be able to travel to my city, thus they won't be able to detonate a suicide bomb near me.
I'm glad Markey has the sense to systematically think this threat through, and recommend a solution that will stop it at the source.
And if anyone suggests that terrorist threats can only be countered by assuming that terrorists are willing to break TSA guidelines, then I suspect such a person of being an anarchist! This is a nation of laws!
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Dear Honorable Edward Markey,
I just read about your response to Christopher Soghoian's findings regarding online printable boarding passes being easily faked.
I have to say that I am appalled at what I am reading. Mr. Soghoian has found something that could allow terrorists to continue to harm Americans. This technique may have already been used, or plan to be used, but now we know about it and can do something about it.
Why? Because Mr. Soghoian was kind enough to expose this security flaw. Punishing someone that has put this much effort into giving us the knowledge to save more lives is asinine.
As a Quality Assurance Engineer, I know the importance of finding, and reporting, flaws. This man should be commended, not condemned.
I think it would be wise as a senior member of the Department for Homeland Security to withdraw your previous statements as you have gained "an insightful perspective" on this issue after responses such as mine.
Scaring others into not telling us where our security flaws are will only lead to more opportunities for our enemies. How can you not immediately see this?
Or should I put you on the list of government employees that pretend like they care, but would rather play political games instead?
Sincerely,
Quincunx (real name used in the real letter)
I encourage others to write as well. If we let him know his error, give him an "out", then maybe bullshit like this won't happen again. Here's hoping.
Here's the send-an-email part of Honorable Edward Markey's web page
Uh, so should they arrest Tom Clancy too? He wrote a book detailing how easily a single person could fly a plane into an important building (the capitol building during a presidential address to a joint session of congress, but whatever).
So, if the litmus test has become, "Using mass media to point out ways that terrorists might strike = terrorism," then Mr. Clancy, as well as any number of White House spokespeople are terrorists and should be put in Guantanamo right now. I mean, come on, they got up there at the briefings and said that people could smuggle bomb supplies on in component form in water bottles... and we can bring water bottles on board again... so... THEY'RE WITH THE TERRORISTS!!!!!
Since this is patently absurd, maybe Mr. Windbag might want to slow his roll a bit, and consider using his brain before he opens his fucking hole.
Come read my stupid blagablog. Rants and Giggles
I don't know of a security researcher that doesn't feel that some, if not most, congressmen should be arrested.
Chris reports that the FBI is knocking on his door. The boarding pass generator is also (at least temporarily) down.
>Politics is about number one,
Could fool me, mostly it smells like number two.
I suggest that all concerned Slashdotters contact congressman Markey and let him know what you think.
// TODO: Insert Cool Sig
I am not a lawyer but I deal with Internet crime issues, law enforcement, prosecutors on a regular basis.
As do I, you have absolutely no idea who I am in real life and assumptions are unwarranted. Granted "successfully prosecuted" would have been a better term, since you can pretty much be prosecuted for anything as long as a judge can be found to go along with it.
You are completely sidestepping the question of intent, but more important is the question of use. You are free to print up all the flight tickets and Amex travellers cheques you desire. The illegal action is attempting to pass them off as real. Again, US currency is a different story. Don't even talk about printing them, the secret service takes it very seriously.
In this case we have a person who provided a php script to aid in the manufacture of forged plane tickets. This is completely outside of the realm of currency and into the area of homeland security (which is the only reason it is getting notice). In this case, the person's intent (which is clearly to raise awareness of major flaws in the system, not to blackmarket tickets to terrorists) would come into play. Obviously they may try to prosecute him, but any defense attorney with half a brain would shoot down the "terrorist" accusation. You also have to look into the political aspect of this. Clearly the feds are a bit pissed at him for pointing out major weaknesses in the air traffic system that they have spent billions trying to convince the public is secure (without actually doing anything meaningful or even competent to actually secure it). However, do you really think they would want to draw even more attention to this by going after him? The website will likely get shut down (if not already, I haven't checked) but I highly doubt he will face prosecution. Frankly, they actually want to pretend they care (or know anything) about security, thanking him would be in order. As I said elsewhere though, the emperor generally does not like his nudity pointed out. And as I am sure you well know, the law enforcement community does not like some of the more absurd aspects of what they do thrown in their face, so I'm sure there will be some saber rattling.
Finkployd
The theory you seem to be proposing here might be worth a shot if you were a defense attorney defending a case. It is not a good idea to rely on such theories if you want to stay out of prison. Much better to consider the theories that a prosecutor might use and steer clear of possibly illegal activity.
Steer clear of illegal activity???? HELL no! That's the dumbest idea I've ever heard. As good citizens we have a responsibility to ignore and break bad laws...
// TODO: Insert Cool Sig
Fraud is a crime of intent.
I have written a program to fake a boarding pass and published it on the web. I am now in bigger trouble than if I had been charged with fraud:
The charge might be framed as a form of criminal facilitation. The only intent required might be defined simply as a reckless disregard of the consequences of your actions.
What follows is a model statute that suggests the possibilities:
__
1002. Criminal Facilitation.
(1) Offense. A person is guilty of criminal facilitation if he knowingly provides substantial assistance to a person intending to commit a felony, and that person, in fact, commits the crime contemplated, or a like or related felony, employing the assistance so provided. The ready lawful availability from others of the goods or services provided by a defendant is a factor to be considered in determining whether or not his assistance was substantial. This section does not apply to a person who is either expressly or by implication made not accountable by the statute defining the felony facilitated or related statutes.
(2) Defense Precluded. Except as otherwise provided, it is no defense to a prosecution under this section that the person whose conduct the defendant facilitated has been acquitted, has not been prosecuted or convicted, has been convicted of a different offense, is immune from prosecution, or is otherwise not subject to justice.
(3) Grading. Facilitation of a Class A felony is a Class C felony. Facilitation of a Class B or Class C felony is a Class A misdemeanor.
(4) Jurisdiction. There is federal jurisdiction over an offense defined in this section when the felony facilitated is a federal felony.
Proposed New Federal Code
The current White House is out there defending this country (and others) against terrorists.
According to Pentagon and intelligence agency reports, they are succeeding primarily in making new ones.
Finkployd
The TSA had already been briefed about fake boarding passes.