Congressman Calls for Arrest of Security Researcher

Christopher Soghoian writes "Yesterday, I published a tool that allows you to Create your own boarding pass for Northwest flights. This was an attempt to document the fragile and broken state of identity/security for domestic flights in the US. Today, Congressman Markey (D-Mass) has called for my arrest." From the ABC article: "'I don't want to help terrorists or help bad guys do bad things on airplanes, but what we have now is what we in the industry call security theater. It's made to make you think you're secure without actually making you secure,' Soghoian said. 'As a member of the academic research community, I consider this to be a public service.' Soghoian admits that he hasn't actually tried to use one of the boarding passes yet."

Ummm. The First Amendment?

[mbstone]

The prosecutors would never file a criminal case, because it would be quickly thrown out on First Amendment grounds? Wouldn't it?

Re:Ummm. The First Amendment?

[soft_guy]

The prosecutors would never file a criminal case, because it would be quickly thrown out on First Amendment grounds? Wouldn't it?

With a supreme court with 7 republican appointees? I doubt it.

Re:Ummm. The First Amendment?

[Tackhead]

> The prosecutors would never file a criminal case, because it would be quickly thrown out on First Amendment grounds? Wouldn't it?

Much like the guy who looks at your boarding pass, you're trusting your life to something that's just a goddamn piece of paper.

Re:Ummm. The First Amendment?

[finkployd]

Clearly you do not understand that we are at war. Anything that the Whitehouse defines as terrorism related or critical to our war effort is off limits to your constitutional whining. to suggest otherwise indicates that you clearly need some waterboarding, you filthy enemy combatant.

Finkployd

Re:Ummm. The First Amendment?

[yorktown]

Unfortunately, the Supreme Court takes a very loose view of what the Constitution says. For example, it considers building a hotel and condominiums as "public use" for the purposes of eminent domain. http://en.wikipedia.org/wiki/Kelo_v._City_of_New_L ondon

Note that all four of the dissenting justices in the Kelo decision were appointed by Republicans.

Re:Ummm. The First Amendment?

[Em+Adespoton]

The prosecutors would never file a criminal case, because it would be quickly thrown out on First Amendment grounds? Wouldn't it?

Well, look at it like this: because he published this, he is both an enemy combatant and a terrorist. Therefore, he has no habeas corpus protection. Therefore, they can just come around, pick him up, and toss him in some cell somewhere, and never have to tell anyone.

Re:Ummm. The First Amendment?

[timeOday]

A boarding pass isn't even supposed to be a security document. That's why you have to show your ID as well as your boarding pass, just to get the privelige of being x-rayed, bomb-sniffed, and patted down before being allowed into the secured area. If anybody thought boarding passes were supposed to enhance security, they wouldn't let you print your own.

In other words, I think the professor's research is silly, and I think the congressman is equally silly for calling for his arrest.

Re:Ummm. The First Amendment?

[iocat]

It's not even research. Anyone with five minutes and a copy of WORD could do the same thing. It doesn't make something that spoofs the system, it makes something that spoofs people who can't read barcodes (that is: everyone). It wouldn't scan correctly and let you get on the plane, it just is a form that adds your name and date to a rip off of the standard "print at home" boarding passes.

This whole story is stupid. The fact that documents can be forged is not news, the fact that some guy made a website for doing it faster is not news, and the fact that security at airports is a giant joke to anyone dedicated to getting stuff past it is not news either.

I put a lot more faith in my fellow passengers' desire to rip a terrorist to pieces with their bare hands on the plane once he or she announces themselves than I do in the ability of the TSA to effectively screen people. And it's not becuase the TSA are all idiots; thay have a tough job that they try to do very quickly -- if they really wanted to screen everything effectively, it would take hours to get through security.

Re:Ummm. The First Amendment?

[jadavis]

There must be some hidden reason for the seemingly obvious misjudgment.

More like a misconception. This country really needs more so-called conservative justices. By "conservative", I don't mean conservatives pushing their agendas from the bench (like O'Connor), I mean justices who follow the Constitution (like Scalia).

It's no surprise that Kelo went the way it did. You're thinking is that "liberals are for the little guys, conservatives for business". But, in reality, having the power of central planning is crucial to the liberal agenda. Kelo was exactly what the liberals needed: the power for government officials to confiscate your personal property in the name of a "greater good" by calling it a "public purpose" (not public use, however, as the 5th Amendment says).

Scalia, on the other hand, follows the Constitutional principle that the federal government can only regulate interstate commerce ("commerce among the states," as is in the Constitution). Using that principle, it would be Unconstitutional for the federal government to prohibit the growing of Marijuana on private property. States could still outlaw it, of course, but the feds couldn't do a thing. Does that sound "conservative" to you? Nope, but it is what the Constitution says.

This is not about your party, the Constitution gets in the way of BOTH parties, but it's not for the parties, it's for the PEOPLE. So back the Constitution, because it's just in the way of the Democrats and the Republicans. It's time for both parties to face the hard truths: you can't execute unwarranted searchs (too bad, GOP). And Democrats: stop trying to control guns, unless you want to try to pass an Amendment. The Constitution says these things, plain and simple. Oh, and when you get a chance, read the 10th Amendment, too.

Right now the idea that we are following the Constitution is a joke. We cling to a few scraps of the Bill of Rights, and ignore much of the rest of it. Congress "Authorized the use of force"?! What is that supposed to mean? What about a declaration of war? Meanwhile the Supreme Court passes arbitrary edicts fabricated out of thin air, like "privacy" meaning that it's Unconstitutional to ban abortions. I don't think it's a good idea to ban abortions, but why did 9 people make that decision for the entire country, when it's clearly a state issue?

Re:Ummm. The First Amendment?

[An+Onerous+Coward]

Soooooo.... if I get my butt hauled off to Guantanamo, how do I get myself a court hearing so that I can present the evidence showing that I am a U.S. citizen and therefore entitled to Habeus Corpus?

Face it. So long as we say, "Everyone has a right to habeus corpus, except for group X," then all the government needs to do is claim you're a member of group X to deny you access to the courts.

Final note: We are not at war. Legally, we are not at war, because Congress has not declared war. Morally, we cannot declare a war that amounts to a war against anyone, anywhere who might be plotting violence against us. That leads directly to a state of eternal war, because we cannot even conceive of a future state of affairs that could be called "victorious."

The U.S. knew the war was over when Lee signed his surrender at Appomattox. How will we know that the "global struggle against islamofascism" is at an end, that America is safe, and we can demand these so-called "war powers" back? Who is going to have to surrender their arms to make that day come? The answer, of course, is nobody. This "war" won't end with a resounding military victory or the fall of some great tyrant. It only ends when the people of the U.S. rise up and take back the liberties they traded for false security.

November 7, people. Mark it on your calendars.

This is nothing new..

[RightSaidFred99]

You could have just used an old boarding pass or copied an old one, or scanned and photoshopped an old boarding pass and changed the date/time.

Or, gee, the terrorists could just have someone else buy a plane ticket, or buy it themselves, or buy for a different flight, whatever.

The whole thing is ridiculous. It's ridiculous that this is thought to be some newly discovered weakness, and it's ridiculous that the powers that be are actually getting upset over it.

Arrest?

[Anonymous+brave+dude]

So, some guy said he should be arrested. Does that mean anything?

Re:Arrest?

[camperdave]

Yes, it means that politicians are not interested in fixing the problems, but in hushing up the whistle blowers. It's the age old problem of killing the messenger.

Newark

[From+A+Far+Away+Land]

Listening to the radio this morning, they said Newark airport staff failed 20 of 22 tests involving guns and bombs being smuggled past security by undercover agents. Airport "security" is a joke, and a distraction from real issues. When they stop taking away your toothpaste and maple syrup in the carry-on luggage, maybe then I'll take something about airports seriously again.

Creating loopholes?

[pjt33]

It's astounding that Markey thinks that the website which prints fake boarding passes is creating a loophole. Politicians may not have a grasp of technology, but it only takes common sense to see that the loophole exists independently of any specifictool which creates the document to exploit it.

Re:Creating loopholes?

[Hijacked+Public]

And oddly enough, despite our collective superiority, they are running the show while the most influential thing we can do is get modded +5 Insightful for insulting them on Slashdot.

Something is amiss here.

but of course

[Phantom+of+the+Opera]

This whole homeland security mindset is not one of rationality. It is one of panic. There is an element of OMG - he's giving the badguys ideas. This call to arrest him is probably more along the lines of OMG - he's giving passengers the idea that they are unsafe. It isn't the issue wether they are unsafe or not, but making them feel that is going to have negative affects on the airline industry and get people jumpier. All in all, its going to make going on a plane that much less pleasant.

"The Bush Administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane," Markey said in a statement. "There are enough loopholes at the backdoor of our passenger airplanes from not scanning cargo for bombs; we should not tolerate any new loopholes making it easier for terrorists to get into the front door of a plane."

One, shouldn't they already be on the lookout for frausters and terrorist.
Two, this isn't a new loophole. It's been there a while folks.

Well

[finkployd]

The emperor generally does not like having his nudity pointed out. Many in government know they are bit players in a pointless security theater, but react violently when told that. I suppose they like to feel that what they do is important and useful (read TSA agents, pretty much the entire DHS, etc). After all, how would you like it if your entire job consisted of going through a dance routine designed to make the clueless public feel as though the government is doing something to keep them safe?

I suppose Congress is a bit different, I have no problem believing most of the genuinely are clueless and believe wholeheartedly that keeping lighters, tweezers, and bottles of water off airlines is critical to our national security. That also seem to really believe that torture and massive surveillance is an effective way to combat terrorism, further displaying a total lack if understanding. The Republicans (at least those loyal to the Whitehouse) are in a unique position where they have to pretend all of this fluff is important, but somehow selling the ports to Middle East companies, looking the other way on illegal aliens, and ignoring Bin Laden to focus on the mess we created in Iraq are perfectly acceptable.

Finkployd

Called them up: talked security vs obscurity

[geekotourist]

I called up their Washington DC office. The person who answered didn't know about this issue and the call for an arrest. I made three points:

1. Arresting the messenger doesn't help security- it makes people more afraid to point out security holes.
2. Security holes don't shrink by pretending they don't exist
3. Just before elections isn't the best time to make people in Silicon Valley rethink democrats on security. Markey has usually been thoughtful on security- he should rethink his policy of calling for arresting the messenger.

Impossible.

[DAldredge]

This is impossible. EVERYONE knows it is only those with a R after their name that wish to take away our rights and jail those they do not like.

What Does This Have To Do With Anything?

[hondo77]

The 9/11 hijackers all had valid boarding passes. What do fake boarding passes have to do with security?

Re:not likely

[kfg]

Otherwise, you know, you couldn't be prosecuted for faking a bill of sale for a car, or a life insurance policy, or printing counterfeit currency, or most other forms of fraud that involve a printed document -- and you surely can.

I just created a fake bill of sale for a car. I have committed no crime, because I have not proffered it as genuine to anybody.

Fraud is a crime of intent.

KFG

Re:not likely

[finkployd]

No, you can be prosecuted for attempting to pass these off as real, but not just printing them (well, in the case of money that may not be true). Obviously, this guy was not encouraging people to print them and break the law and threaten national security, he was attempting to make a point about how silly our pseudo-security efforts regarding airlines are. In the collective mind of the federal government, educating the public just how ineffective most security measures are is probably the more more dangerous scenario though.

Finkployd

Re:not likely

[Fulcrum+of+Evil]

Come on, security researchers, you know what the political climate is! Is there no other way to point out that something may be easily forged besides actually creating a tool to forge it!?

No, because anything less will be dismissed as fearmongering.

This is actually quite brilliant

[panaceaa]

There IS brilliance behind his idea. Perhaps you didn't read it... but basically, you can fly on a fake identity without any screening of your actual identity.

1) Go to 7-Eleven and buy a pre-paid credit card with cash using a fake name. This will be the name you fly under.
2) Buy a ticket with this credit card.
3) Print out an ADDITIONAL ticket for your real identity. He gives you an HTML form to do this.

Now, show up at the airport. Go through security with the fake ticket... it will match your ID, but since it's not in any computer systems, they won't check to see if you're on the no-fly list. When at the gate, provide the ticket you actually bought. Nowadays you don't need an ID at the gates anymore -- just have your ticket scanned and hop on the plane!

Now, I'm not exactly sure if you can check bags. If you have to go to the counter before security, they ask for your ID. But if you can avoid that (and you can now, as far as I know), you can fly on a fake identity.

Re:not likely

[dgatwood]

Passing a fake bill is illegal. Selling a printing press is not, even if that printing press can be used to print bills.... Telling people how to make a plate based on existing currency... it's the same as making any other kind of plate, so also not illegal in all likelihood.

There isn't anything here that hasn't been obvious to every single person who reads Slashdot for years. It's all smoke and mirrors, and anyone with even a modest level of intelligence knows this, not just geeks. The only thing surprising here is that we have a Congressman who is so completely computer illiterate and clueless that he actually believes that the stuff in this article would be a surprise to anyone.

You know, now that I think about it, given the quality of federal legislation in the past few years... it's not really that surprising after all. In fact, it explains a lot.

Failure to Legi$late

[mpapet]

Individuals simply cannot point out the obvious flaws in what passes for National Security. While we as individuals are supposed to have some kind of freedom in this way, we don't.

Now, lets get to the reasons why this was the dumbest thing to do.

1. It puts egg of the face of every big federal contractor muscling their way into the "homeland security" budget.

2. We're at war with an enemy and tactical end that won't ever be defined. To maintain that heightened state of fear and social control, this individual must be criminalized. (he's helping the terrists after all.)

3. No contractor has a product ready to replace it. It will be a tough day for the contractors that have to explain this to gov't types.

4. It fires off a "something must be done" storm, that no politician really wants. They've got too much fund raising to do.

5. Whistle blowing is contrary to the nation-state's goals. An individual this smart and not working for the State must be criminalized in order to maintain the heightened state of fear and sustain a compliant population.

Never, and I mean never, should an individual take it upon themselves to publish this kind of information.

Except if you want to be known as "notorious" and probably a felon in prison for a couple of administrations at least.

Re:not likely

[thePowerOfGrayskull]

Is there no other way to point out that something may be easily forged besides actually creating a tool to forge it!?

Come on software security researchers -- is there no other way to demonstrate exploits in Internet Explorer than to actually create and release the exploit code?!

I mean seriously -- isn't this the same question in a different wrapper?

Re:not likely

[UbuntuDupe]

Conservative/Libertarian radio talk show host Neal Boortz ran into the same thing. (According to a story he regularly tells) He told some airline, Delta I think, that the security check in procedures were too lax. They ignored him. After he was fed up with that, he made a bet with the head of security, then dressed up like a pilot, got waved through a checkpoint, and once on a plane, he got out his cell phone and called the head of security to let him know he got through.

Don't know what became of that. (This was long before 9/11.)

Reminds me of an old southwest.com "HOST" bug

[thehossman]

Background: my last name starts with the letters "Host"

When southwest first started offering online checking, i discovered a small bug, when you got the the "Print your boarding pass" screen, with my name in all caps, the letters "HOST" were replaced with "southwest.com" ... so if your name was "Jim Hostenfeffer" it would appear on your boardingpass as "JIM southwest.comENFEFFER" ... I played with the site a little bit and found that it was a straight macro replacement bug of whatever domain name was used, so would say "JIM wWw.SOutHwesT.cOmENFEFFER" if that was the domain you typed into the URL bar.

The first time it happened i thought it was ammusing, I emailed their tech support, saved the HTML to a file and edited it so it had my name again and would match my ID when i checked in.

4 or 5 flights and at least 9 months later it was still happening and I spent a good 3 hours on the phone being transfered arround to different people trying ot get them to understand what the problem was and how fucking ridiculous it was that i had to constantly "hack" my boarding pass because of a bug they'd had for months.

In Soviet Russia...

[raehl]

...Security researcher calls for arrest of congressman?

Maybe not this one, but I'm sure one of the other 434 of them have done something.

Re:Another politician...

[Blue+Stone]

> Another politician calling for action in places without even thinking.

Oh, he's thinking - about how scoring a cheap point by making himself look 'tough' on people percievable as wrongdoers, will score him political points with an "Election Day drawing near".

That's a politician's priority - exploiting the uninformed electorate by pushing buttons regardless of the truth.

Politics is about number one, everything else is by the by.

How to deter suicide bombers: make 'em break law

[Sloppy]

If outlawing printing fake passes, is what it takes to keep terrorists from printing them, then we should do it. Terrorists wouldn't dare to break such a law, thus they won't be able to get boarding passes, thus they won't be able to fly, thus they won't be able to travel to my city, thus they won't be able to detonate a suicide bomb near me.

I'm glad Markey has the sense to systematically think this threat though, and recommend a solution that will stop it at the source.

And if anyone suggests that terrorist threats can only be countered by assuming that terrorists are willing to break TSA guidelines, then I suspect such a person of being an anarchist! This is a nation of laws!

Here's my letter to Markey

[quincunx55555]

Dear Honorable Edward Markey,

I just read about your response to Christopher Soghoian's findings regarding online printable boarding passes being easily faked.

I have to say that I am appalled at what I am reading. Mr. Soghoian has found something that could allow terrorist to continue to harm Americans. This technique may have already been used, or plan to be used, but now we know about it and can do something about it.

Why? Because Mr. Soghoian was kind enough to expose this security flaw. Punishing someone that has put this much effort into giving us the knowledge to save more lives is asinine.

As a Quality Assurance Engineer, I know the importance of finding, and reporting, flaws. This man should be commended, not condemned.

I think it would be wise as a senior member of the Department for Homeland Security to withdraw your previous statements as you have gained "an insightful perspective" on this issue after responses such as mine.

Scaring others into not telling us where our security flaws are will only lead to more opportunities for our enemies. How can you not immediately see this?

Or should I put you on the list of government employees that pretend like they care, but would rather play political games instead?


Sincerely,

Quincunx (real name used in the real letter)


I encourage others to write as well. If we let him know his error, give him an "out", then maybe bullshit like this won't happen again. Here's hoping.
Here's the send-an-email part of Honorable Edward Markey's web page

Re:Political spectrum

[NineNine]

Ha! You didn't actually think that the Republicans and Democrats were opponents, did you? C'mon.
 
    There's a very popular case study in business school about Coke and Pepsi, and how they're both very happy with approximately 49% of the market. People think they have a real "choice". Neither one has to worry about "monopolies". And, they already know each other. It's a fake battle to make people think that they actually have a choice, all the while, both parties are very happy with half of a FUCKING HUGE pie.
 
Sound familiar?

Tom Clancy, anyone?

[AdmiralWeirdbeard]

Uh, so should they arrest Tom Clancy too? He wrote a book detailing how easily a single person could fly a plane into an important building (the capitol building during a presidential address to a joint session of congress, but whatever).
So, if the litmus test has become, "Using mass media to point out ways that terrorists might strike = terrorism," then Mr. Clancy, as well as any number of Whitehouse Spokespeople are terrorists and should be put in Guantanamo right now. I mean, come on, they got up there at the briefings and said that people could smuggle bomb supplies on in component form in water bottles... and we can bring water bottles on board again... so... THEY'RE WITH THE TERRORISTS!!!!!

Since this is patently absurd, maybe Mr. Windbag might want to slow his roll a bit, and consider using his brain before he opens his fucking hole.

works both ways

[technicalandsocial]

I don't know of a security researcher that doesn't feel that some, if not most, congressmen should be arrested.

Flash Update: The FBI is at The Door

[klausner]

Chris reports that the FBI is knocking on his door. The boarding pass generator is also (at least temporarily) down.

Re:Another politician...

[RLiegh]

>Politics is about number one,
Could fool me, mostly it smells like number two.

Let Markey know what you think

[psykocrime]

I suggest that all concerned Slashdotters contact congressman Markey and let him know what you think.

Re:not likely

[psykocrime]

I suspect very strongly that in the case of money, simply having the means to create counterfeit bills will probably land you in a whole heap of trouble.


This is why every American should immediately go visit FIJA and learn the truth about serving on a jury. Hint: you can judge the law as well as the facts, and juries ARE the "last line of defense" against oppressive government / bad laws. See Jury Nullification and/or Peter Zenger for more.

If I'm ever serving on a jury, I can guarantee you that I won't be voting to convict in any "victimless crime" situation, or anything where somebody is being charged with violating some bullshit law. Hung jury or acquittal, here we come.

Re:YANAL and you don't play one well on the net

[psykocrime]

The theory you seem to be proposing here might be worth a shot if you were a defense attorney defending a case. It is not a good idea to rely on such theories if you want to stay out of prison. Much better to consider the theories that a prosecutor might use and steer clear of possibly illegal activity.

Steer clear of illegal activity???? HELL no! That's the dumbest idea I've ever heard. As good citizens we have a responsibility to ignore and break bad laws...