FBI Raids Security Researcher's Home

Sparr0 writes, "The FBI has raided the home of Christopher Soghoian, the grad student who created the NWA boarding pass site. Details can be found on his blog including a scanned copy of the warrant. The bad news is that he really did break the law. The good news is that Senator Charles Schumer did it first, 19 months ago, on an official government website no less. The outcome of this trial should be at least academically interesting. At best, it could result in nullifying some portion of the law(s) that the TSA operates under." Read on for Sparr0's take on what laws may apply in this case.

Boiling down some of the legalese, the charges (if any are filed) will be "conspiracy to knowingly present a false and fictitious claim upon or against the United States, or any department or agency thereof in violation of USC 18 (secs. 2, 371, 1036, 1343, 2318) and USC 49 (secs. 46314 and 46316) and 49 CFR (secs. 1540.103 and 1540.105)" (edited for brevity).

Legal Defense Fund

Soghoian is setting up a legal defense fund. You can learn more and donate at
http://slightparanoia.blogspot.com/2006/10/legal-d efense-fund.html

A question of intent

[dsanfte]

I think what needs to be looked at here, and what is often ignored by those with agendas to push, is intent. His intent was to improve security, not to see it subverted by enemies of the state. It is the government's fault, not his, that the only way to ensure the closure of this security hole was to engineer a tool to exploit it.

The fact that he published his identity and did this entire thing above-board settles the question of intent for me. He was not maliciously motivated. That is the basis by which we should judge him.

If I showed up at my apartment with the door unlocked, I would be rather annoyed. If I had had notes posted to my door for several years beforehand telling me my lock was insecure, and how to secure it with relative ease, and I then showed up at my apartment door to find it unlocked with a note saying "Told you so", I'd be embarassed. The key is, as long as the belongings inside are left untouched, all that's hurt here is pride. Pride is not something the law needs to be protecting.

Re:Too bad it has to be this way

[chazwurth]

The line between sensible and thoughtless disclosure is a tricky one though. If the secret society of bad guys already know about it then all bets are off, but how do you know?

In this case, the vulnerability had been made clear by others months prior to this disclosure. In fact, this wasn't so much a disclosure as much as it was a public demonstration of just how easy it is to exploit the already known vulnerability. ...unless you wanted to make a point and shame an organisation, then it would be foolish and malicious, and possibly illegal.

Attempting to shame an organization isn't necessarily foolish and malicious. If that organization is a government body charged with insuring your safety, and it is failing spectacularly to do so, you might desire to shame it publicly in order to improve its behavior. Illegal, I'll grant -- and often the law is unjust.

all this hoopla over nothing

[oohshiny]

Notice how in all this discussion, everybody is implicitly assuming that the watch lists are actually worth anything. In fact, I think the reason this hole has existed for several years without any problem due to them is that the watch lists simply don't make any difference at all.

Which raises the question: why have the watch lists in the first place? I think they are more psychological than anything else: they give the impression that there is a continuing threat, they give the impression that the government is doing something, and they make people willingly give in to controls that they previously wouldn't have considered. Remember: you used to be able to travel across this nation without the government being able to track your every step.

Re:all this hoopla over nothing

[loraksus]

60 Minutes did a great segment about the the No Fly list (titled "Unlikely Terrorists On No Fly List") which aired 2006-10-08.
Great piece and it is pretty much guaranteed that you'll feel the watch lists are a joke (or a bigger joke) after you watch it.

It's on their annoyingly bad website. These links should work.
Video
Article

And "Security Theater" is an excellent way to describe the "security" measures that have been enacted over the past few years.

Re:Too bad it has to be this way

[letxa2000]

When I saw this in the news the other day, I said, "Duh... I wondered about this lack of security a few years ago." As soon as you allow people to print their own boarding passes on their own printers, it's a piece of cake to print your own. Obviously you'd never get on a plane with it, but every time I presented my home-printed boarding pass to the TSA guys that check your documents before you get metal-detected, I always wondered, "Do these people really think they can recognize a valid boarding pass from a home-brewed one?" This isn't rocket scientist. I'd have to assume that anyone that deals with computers and has more than a few IQ points thought of it. This "security researcher" didn't do anything special whatsoever.

If he really wanted to bring attention to it, he could've just posted a website that says, "Printing your own false boarding pass is a piece of cake." End of story, the truth, and no laws broken. But actually putting up a website that serves absolutely no practical purpose except to violate the law was stupid and unnecessary.

I wouldn't be surprised if the ultimate response to this is that we will no longer be able to check-in from home and print our own boarding passes. I suspect, at best, we'll have to go through one of those kiosks in the airport and get an official ticket printed before we get in line for TSA.

Thanks, Christopher... Very few people actually believe the security is real anyway so you proved nothing that people didn't already know. You have, however, highlighted it so that the government will most likely have to enter CYA mode and further decrease the convenience of flying by banning home-printed boarding passes. For that, the flying public thanks you.

From Senator Schumer's Feb 13, 2005 Press Release

[Kanaka+Kid]

From Senator Schumer's (D-NY) Feb 13, 2005 Press Release:

Schumer today laid out the following scenario in which someone on the terrorist watch list can get through airline security undetected:

1. Joe Terror (whose name is on the terrorist watch list) buys a ticket online in the name of Joe Thompson using a stolen credit card. Joe Thompson is not listed on the terrorist watch list.

2. Joe Terror then prints his "Joe Thompson" boarding pass at home, and then electronically alters it (either by scanning or altering the original image, depending on the airline system and the technology he uses at home) to create a second almost identical boarding pass under the name Joe Terror, his name.

3. Joe Terror then goes to the airport and goes through security with his real ID and the FAKE boarding pass. The name and face match his real drivers license. The airport employee matches the name and face to the real ID.

4. The TSA guard at the magnetometer checks to make sure that the boarding pass looks legitimate as Joe Terror goes through. He/she does not scan it into the system, so there is still no hint that the name on the fake boarding pass is not the same as the name on the reservation.

5. Joe Terror then goes through the gate into his plane using the real Joe Thompson boarding pass for the gate's computer scanner. He is not asked for ID again to match the name on the scanner, so the fact that he does not have an ID with that name does not matter. [Since Joe Thompson doesn't actually exist it does not coincide with a name on the terrorist watch list] Joe Terror boards the plane, no questions asked.

Based on the above press release by a US Senator, shouldn't Schumer be charged with similar crimes?

Security post 9/11

[Cr33pybusguy]

Security is a joke in airports.

I was a airplane re-fueler at Edmonton International Airport post 9/11 (Shell Aerocenter 2002-2003) . I can tell you this. EVERY refueler and most baggage handlers carry knives or a multi-tool (ie. leatherman) of some sort. So do many pilots. Why is this? We use them to lever open hatches, latches, open your bags for the video cameras ect. (I shit you not. I know several guys who carry those little keys that fit the little locks on your bags so they can poke around in your bags) It would be a snap for some one on the inside to plant a knife. Or even a small gun.

But how do you get past security you ask. I'll tell you. We don't. We have our own entrances and exits and these don't use metal detectors or our steel-toed boots would set them off every time. The only thing that is our security check is our id tags. Sure we go through an extensive process before we are issued one but there's lots of criminals working at your airports. That and they aren't that tough to forge. If you have a "friend" at your local DMV you could probably do it.

So security is tight at the terminal? You can charter a small to large plane at your local FBO. We never check you or your bags. Why would we? We think you are some rich guy who jaunts around on his private jet. Perfect for loading with explosives and plowing into buildings on you jihadic quest.

But what about the regular people who go through security? Did you know that you are allowed 10 packs of matches but no lighters? I can do a shit load of damage with ten packs of matches and I'm sure you could too! Oh yeah the metal detectors that you walk through aren't sensitive enough to pick up a bic lighter. If you get caught with one. Just say oops, my bad I forgot about it and make sure they see your pack of smokes. They'll take the lighter away and thats it!

If you are worried when they swab your laptop and you've been chopping some of columbia's finest ontop of it don't worry. They are searching for bomb residue. But here's a secret. They don't swab your MP3 players, video cameras, and cell phones. They just scan them with the machines. I'm not sure how many ounces of high explosive you fit in a video camera but i'm guessing it's a fair amount.

What about sniffing dogs? I fly all over the place to meet up or disembark from ships. I can't remember the last time I saw one. Why? They are a bitch to train. (pun semi-intended) Something like one out of every 20 makes the grade. And THEN they are split up for K-9 tracking, bomb sniffing, narcotics, sniffing, blind leading ect. The odds of running into a dog is pretty slim unless ou are at one of the well funded big airports. (LAX, Heathrow ect.) Most of the guys who I work with on multi-national ships regularily bring some drugs home. Not alot, but a few grams to help make the welcome home party a bit more welcoming.

These flaws are just a few I could think of off the top of my head. So whats the point? If you are creative enough (and hackers prove this regularily) and determined enough you can get past and security thats in place. Especially when it's so shoddy like it is at our airports.

So to be honest some one forging a boarding pass should be the least of their worries. Happy flying!

Re:Real reason he is being arrested:

[swillden]

If you so desired, you could actually read the laws that you obviously have no understanding of.

Oh, if that were only true. John Gilmore's been trying for years now to do exactly that -- to read the laws/regulations under which the TSA operates and to which we're subject. Even with his millions of dollars and army of attorneys, he hasn't been able to to break the shroud of secrecy surrounding these laws, what makes you think anyone else can?

Or didn't you realize that the US now has secret laws that the public is not allowed to read? And that courts (9th circuit district and appellate) have ruled that the government doesn't have to show us the law? Hopefully the Supreme Court will correct the situation, but I'm not holding my breath.

Re:Too bad it has to be this way

[Zeinfeld]

In this case, the vulnerability had been made clear by others months prior to this disclosure. In fact, this wasn't so much a disclosure as much as it was a public demonstration of just how easy it is to exploit the already known vulnerability.

Yes which is precisely why it will probably be possible to persuade the Feds not to prosecute in this particular instance.

I absolutely disagree about putting the information up on the Freenet, that would have made the legal problem much much worse. In addition it would probably end up with the FBI arresting people running the Freenet.

Ten years ago this would almost certainly have ended up in the courts and a federal case made of it. Today there are enough FBI agents who understand what is going on that it is easier to persuade them to back off.

There are four points in his favor, first he created the site openly, second he did not attempt to use it for gain himself, three others had made the same point in theory without comment the issue only attracted notice after practical demonstration, four he took it down immediately when requested. When I read the first story I was concerned that the Slashlawyering might persuade him to continue which would have made the situation far worse.

There are certainly arguments that the defense might make if charges were brought. It would not be a good idea to make too much of them unless you want to force the FBI to prove that the law allows them to put a stop to it.