FBI Raids Security Researcher's Home

Sparr0 writes, "The FBI has raided the home of Christopher Soghoian, the grad student who created the NWA boarding pass site. Details can be found on his blog including a scanned copy of the warrant. The bad news is that he really did break the law. The good news is that Senator Charles Schumer did it first, 19 months ago, on an official government website no less. The outcome of this trial should be at least academically interesting. At best, it could result in nullifying some portion of the law(s) that the TSA operates under." Read on for Sparr0's take on what laws may apply in this case.

Boiling down some of the legalese, the charges (if any are filed) will be "conspiracy to knowingly present a false and fictitious claim upon or against the United States, or any department or agency thereof in violation of USC 18 (secs. 2, 371, 1036, 1343, 2318) and USC 49 (secs. 46314 and 46316) and 49 CFR (secs. 1540.103 and 1540.105)" (edited for brevity).

Too bad it has to be this way

[Salvance]

Even faced with potential jail time, some people have a burning desire to be in the limelight. I wonder why Christopher Soghoian didn't just create a site anonymously. It would likely have the same effect, and he'd stay out of prison.

It's unfortunate that exposing holes in our security gets no press until someone actually leverages the hole to cause harm. For years before 9/11, the U.S. knew our airports were pitifully insecure, particularly Boston Logan, yet failed to do anything about it. So even though we'll be safer as a result of Christopher's work, he may be in prison. Unfortunately our society aplauds the whistleblower only well after the whistle has been blown, and the government aplauds them almost never at all.

Re:Too bad it has to be this way

[Simon+Garlick]

The fact that you think Soghoian should have HIDDEN HIS IDENTITY FROM THE GOVERNMENT in order to identify a flaw in official security processes says a lot about your government.

Re:Too bad it has to be this way

[bfields]

I wonder why Christopher Soghoian didn't just create a site anonymously.

He's one guy, he's young, and he's been entirely open and straightforward about why he's doing this--that gives him a much better chance to shame the TSA. It would've hurt his case (with the public, at least) if he'd looked furtive.

And someone with determination (not to mention search warrants) could probably figure out who he was eventually anyway.

Unfortunately our society aplauds the whistleblower only well after the whistle has been blown

Well, I'm applauding.

You can also contribute to his legal defense fund, if you'd like to show your support.

Re:Too bad it has to be this way

[dsanfte]

There's a difference between pointing out security flaws, even giving detailed instructions, and providing a mechanism for breaking the law.

If he had simply pointed out the hole, people would be calling him a fearmonger.

Although one could argue that that shouldn't be illegal, I think the DMCA's provisions against circumventing a security mechanism probably apply.

It would, if the DMCA didn't solely cover breaking security mechanisms that serve to prevent copyright infringement. That's not what happened here.

On another point, the reason our airports were so lax before 9/11 is that we would not have put up with post-9/11 security back then. Actually, I just realized that I've not been on an airplane since 1999, and I don't know first hand how things are different.

So you just discredited your own statement? Thanks?

This is the type of thing that gets modded as Interesting on Slashdot?

Re:Too bad it has to be this way

[ricree]

Like others have said, it wouldn't be all that hard for him to have done it anonymously, but he shouldn't have to in the first place.

Re:Too bad it has to be this way

[cecil_turtle]

...made a powerful tool available for someone who intends to do harm.

He saved the HTML from NWA's actual ticket printout page on their website, and made a form to fill in like 10 variables mad-libs style. I hardly call that "a powerful tool". More like saving somebody who knows how to right-click about 90 seconds of work to forge it themselves.

Re:Too bad it has to be this way

[jamesh]

Sensible disclosure of vulnerabilities improves security for everyone.

Thoughtless disclosure has the potential to make things a lot worse. In the software example, if another ping of death exploit were found, simply announcing it to everyone in full would be foolish (unless you wanted to make a point and shame an organisation, then it would be foolish and malicious, and possibly illegal).

The line between sensible and thoughtless disclosure is a tricky one though. If the secret society of bad guys already know about it then all bets are off, but how do you know?

"Excuse me bad guys, are you aware that a ping with x, y and z parameters will crash a machine running w OS?"
"We are now"
"... doh!"

It should certainly be illegal for a commercial organisation to fail to respond to notification of a vulnerability in their software, but again, under what parameters? Does Microsoft have any obligation to fix holes in Windows 95? Is there any obligation to fix holes in Linux 1.x.y? (and who's obligation is it?)

There should be answers to all of these questions though, and a protocol to follow, so that this sort of mess doesn't happen.

Re:Too bad it has to be this way

[niiler]

If the government thinks that he is enabling the "terrorists", they may also see contributing to his defense fund as contributing to terrorists which would result in your loss of habeas corpus. That said, while I have mixed feelings about what he has done (in terms of leaving his identity out there vs. taking a clearly political stand), I do feel that his is a worthy cause.

Just my 0.02 cents.

Re:Too bad it has to be this way

[psykocrime]

He didn't have to publicly supply a way to bypass security.

He didn't.

That is endangering everyone unnecessarily.

No, it's not. As plenty of others have already pointed out, it doesn't matter if Osama f'in Bin Laden is sitting
in the seat beside you on your flight... As long as he doesn't have a bomb, or any other means of creating problems
on the flight, the fact that it's Osama is irrelevant. So these fake boarding passes *might* help somebody
get on a plane who isn't allowed... big deal, they will still be searched, run through a metal detector, bomb-sniffing
crap, etc. This is completely insignificant from a security standout.

And even if it were a security flaw, people have to realize that with freedom comes danger. It's probably a little bit more
dangerous to live in a very free country, than one with a strict totalitarian regime who controls every movement everybody makes... but most
people will take that tradeoff. I know I sure will. "Give me Liberty or give me Death" is not just a cute sound bite to me.

Re:Too bad it has to be this way

[psykocrime]

On another point, the reason our airports were so lax before 9/11 is that we would not have put up with post-9/11 security back then.

And there's no good reason for us to put up with it now.

Re:Too bad it has to be this way

He didn't have to publicly supply a way to bypass security. That is endangering everyone unnecessarily. First he should have contacted the airport security officials privately about it. If they did nothing, he should have then announced that he had found a way to bypass security, but not given any specifics. If they still did nothing, he should have publicly reported the problem.

He was acting towards the end of your suggested sequence of events, it has already got to the point of being publicly reported - what Soghoian did was effectivly bring it to the public's attention.

• This was such an obvious flaw - one could reasonably assume security officials knew about it
• Many others - including Senator Schume, and Slate Magagine (http://www.slate.com/id/2113157/) had drawn attention to this "vulnerability" prior to Soghoian
• Soghoian had tried to publicise the problem previously without sucess - then he had his brilliant idea of producing his PHP script to demonstrate the ease with which the vulnerability could be exploited - only by doing this did he really succeed in fulfiling his duty to publicly report the problem. He has done a better job than either the Senator or Slate Magazine or the others who knew about this flaw in bringing it to the public's attention - he should be applauded for doing that.
• The fact that he has published on anonymity Preserving in P2P Networks strongly suggests that he could have acted anonymously if he had wanted to (or felt he needed to)

I am quite shocked that if Slashdot was the Jury, and the Jury's opinions were the initial opinions of the individual Jurors and not those of the Jury acting as a committee following deliberation that we wouldn't have unaminously aquited Soghoian. I'm in the UK - and this scares me - given the state of the extridaition arrangements the UK has agreed to with the USA and the potential for indefinate imprisonment in the US for non-citizens. I've been to the US twice on business this year, reading this and the countless articles like it will certainly make me think twice before arranging another trip.

Re:Too bad it has to be this way

[chazwurth]

You didn't see the spectacular failure of security in airports that preceded the Sept. 11th attacks by mere hours? Haven't you noticed the fact that the so-called security measures enacted since then are unlikely to prevent an identical attack? Or are you saying that because a successful attack hasn't been carried out recently, we are therefore secure? That's a very dangerous stance. It assumes that because vulnerabilities haven't been exploited, they aren't a problem. That's like saying that because some critical vulnerability in your operating system of choice hasn't been exploited yet, the vendor might as well not issue a fix; we should only fix a problem once half the boxes on the 'net have been infected with the as-yet-unwritten virus that exploits the problem. Soghoian pointed out a problem that has been known for months and yet hasn't been repaired. He did this to draw attention to the security theater that exists surrounding airline travel; he was trying to highlight the fact that our government doesn't take security seriously, but only tries to foster the appearance of safety while failing to address real issues.

If you want another example, read this: http://www.swiss.ai.mit.edu/6805/student-papers/sp ring02-papers/caps.htmf

For a wealth of information about problems with our airport and airline security, start reading archives of Bruce Schneier's Crypto-Gram: http://www.schneier.com/crypto-gram.html

Real reason he is being arrested:

[hsmith]

The gov't doesn't like to look bad. They don't like flaws being publically seen of their great "system" of boondoggles which they have created.

We all now the TSA is a scam, we all know we are not one bit safer, we all know the airways are no better than they were before 9/11. Just a great hat trick.

For his sake

[Lord_Dweomer]

For his sake I'm glad this is getting so much coverage. Not only will it hopefully make a lot of America realize how dumb our government is, and make them realize that Democrats can be just as authoritarian as Neocons...but most importantly, it makes it near impossible for the Feds to "disappear" him because he has the media spotlight on him and the second he goes missing the entire internet will raise a royal hell storm. And that is a PR shitfest that the GOP definitely does not want to have on their hands, especially around election time.

Of course, at this point...I wonder if they even care that the public would be aware.

Re:For his sake

[Tony+Hoyle]

Yeah, like dimitri skylarov was all over the front pages of the newspapers, and CNN did a three hour special on software patents, and the Fox picked up on how regressive the DMCA was...

Oh, wait... this is planet earth, I forgot.

Cue typical slashdot pro-State responses...

[dada21]

1. "If you don't like it, move away." Considering the fact that Congress is severely limited by the Constitution in creating NO law that infringes on our God-given (or inherent, if you prefer) right to speak freely on our property, the laws listed above have nothing to do with what he did. In fact, his website IS his property, he rents it, and he's protected. Congress here should be the ones behind bars for continuing to violate the Constitution they took an oath to uphold.

2. "He broke a law, he should go to jail." The court system should be mandated to tell the jurors in all trials about their right to nullify terrible laws. Jury nullifaction is more than a priviledge, it is a right even greater than serving on a jury.

3. "He didn't do anything wrong." This shouldn't matter either way unless he violated someone's property or person himself. I find it outrageous that people are arrested for inciting violence -- the gun doesn't kill, the inciter doesn't kill, it is the person who physically performs a violent act that is the cause of the violence. Not only did he do nothing wrong, we shouldn't even be considering whether or not he did or didn't. Did he harm anyone physically? Did he physically steal anything? Did he trespass?

On top of those 3, we should also realize that the laws pertaining to security are 100% unconstitutional. The airplanes are private. The airports should be privatized (I can't see how airports could be considered federally-regulated properties). The passengers are generally private citizens. The Constitution is clear on this, too -- it should be left up to the individual States and the people.

This is what you get when you have democracy -- even a republican form of it.

"Democracy is the most vile form of government...democracies have ever been spectacles of turbulence and contention: have ever been found incompatible with personal security or the rights of property: and have in general been as short in their lives as they have been violent in their deaths." James Madison

"Democracy... while it lasts is more bloody than either [aristocracy or monarchy]. Remember, democracy never lasts long. It soon wastes, exhausts, and murders itself. There is never a democracy that did not commit suicide." John Adams

The U.S. isn't going to hell in a handbasket, it's been there since 1913 (or 1865, if you consider the traitor Lincoln's actions).

Thankfully, there are a great number of opportunities to vacate from the system without leaving the lands of the "Nation." I can only hope that more freedom lovers just stop voting for authority and move forward to taking that authority back.

Re:What did he expect?

[illegalcortex]

Look, if my house has poor security, you're still in trouble if you start a factory to create keys for criminals to break in.

You wanna rethink that analogy there, "Reality Master"? Cause I'm pretty sure they call those places "locksmiths."

Write to your senator now ...

Dear Senator,

I would like to bring your attention to the outrageous behaviour our government agencies have displayed regarding the matter of security researcher Christopher Soghoian's comments on the TSA security procedures.

Quite frankly the FBI raid on his premises are beyond comprehension for a country that preaches freedom and respect for human rights.

Not only would I like you to help in resolving Christopher's plight, I would also ask that you investigate and bring to the public's attention the true nature of the effectiveness of the TSA policies as well as to the rather offensive nature of the "secrecy" of the policies upheld by the organization.

Public transparency of the government is very important to me and any help you can give to avoid being virtually disenfranchised due being unable to evaluate the performance of my elected officals is critical.

Sincerely

A good time for prosecutorial DISCRETION

[kaltkalt]

Even if he did break a law, and I'm a lawyer and I'm far from convinced that he did, this is a prime example of when the US Attorney should use some prosecutorial discretion and, after investigating the matter and being content with the subject's explanation as to what happened and why he did what he did, decide not to prosecute. The worst thing this guy did was act imprudently. No terrorists got on airplanes, nor could they have. The best thing this guy did, and I don't think there is any question about his intentions, is to bring attention to a security flaw. He took down the website when asked (maybe even prior to that) and nothing bad resulted from his actions. He had no intent to hurt anyone, no intent to steal or deprive anyone of property, and no intent to help anyone actually break the law. So, even if he could be prosecuted, he shouldn't be. Not everyone who breaks the law should be charged with a crime.

Re:What exactly were they looking for?

[loraksus]

Harassment, mainly. He is looking at a period of several months and several appearances in court and discussions with his lawyer before he gets his computer and personal property back, assuming they aren't "lost" in the system.

The repairs for any damage that the FBI did, include the maliciously broken window (really, the FBI doesn't know how to pick locks?) will come out of his pocket.

And yes, now they can scan his hard drive for whatever they want, im / chat logs, "kiddie porn" (aka porn involving a girl who faked her ID, even if it is sold through regular channels under the belief that it is legal - it just takes 1 of these to get a mandatory sentence of several to a dozen years in prison, depending on the state).
Anything that can be used for character assassination will be. It doesn't help that that congressman who is trying to look tough on terrorism opened his mouth either.

Who are the terrorists in this case?

[PhunkySchtuff]

My dictionary definition of a terrorist:
terrorist noun A person who uses terrorism in the pursuit of political aims.
terrorism noun The use of violence and intimidation in the pursuit of political aims.

I quote from his blog:

I didn't sleep at home last night. It's fair to say I was rather shaken up.

I came back today, to find the glass on the front door smashed.

Inside, is a rather ransacked home, a search warrant taped to my kitchen table, a total absence of computers - and various other important things. I have no idea what time they actually performed the search, but the warrant was approved at 2AM. I'm sincerely glad I wasn't in bed when they raided the house. That would have been even more scary.

This is a case of classic police-state gestapo tactics.
This guy hasn't done anything wrong, he hasn't even hilighted a previously unknown security flaw, and now he's subject to this kind of treatment...

The only way to be certain...

[jd]

...of what the bad guys know is to tell them and mark it off on the list. Anything else is down to chance.

The chance of them knowing is the probability of them finding the information multiplied by the probability of knowing the value multiplied by the probability of producing a workable exploit.

The chance of you knowing if they know is the probability of them knowing multiplied by the probability of you knowing who the bad guys even are, multiplied by the probability of obtaining real information (they can jam anyone monitoring them by flooding the information space with junk information), multiplied by the probability of you knowing you even have real information, multiplied by the probability of being able to determine what the information actually means.

Counterintelligence is an exceptionally difficult field with a painfully poor track record. Most published successes have been by a series of sheer fluke events and staggering luck. Most published failures were unlikely to be anything else. We don't know about the unpublished stuff, but percentagewise, are we more likely to see bragging over achievements or failures, if both can be equally hidden?

I'm not saying that everything should be published, merely that it should not be assumed that not publishing is the same as others not knowing.

Now, can a case ever be made for publishing everything? Yes. Game Theory requires that all "full information scenarios" have a strategy for one side and one side only that will ALWAYS result in the winning conditions being met, no matter what the other side does. It is possible to imagine situations, particularly in computing where there is essentially no randomness and a "full information scenario" is possible, where the outcome can be guaranteed, if you want it to be.

No matter what anybody else might say, it is not the job of an enemy to make your life easy, so we shouldn't expect them to. We should expect them to do the researcxh, the legwork, the analysis to figure everything out. They might indeed just wait until someone tells them, but that should be a bonus. It should not be your modus operandi. In computer security, you must assume that there are opponents out there who could have all of the industry-standard backdoor passwords, a complete printout of every Operating System and network device QA test that failed and got overlooked, and a copy of the highest-end vulnerability scanner the commercial sector has going for it.

Hell, we know that a Russian spammer got a tier-1 backbone provider to turn off Blue Frog's Internet connectivity. Turning off a link like that is very traceable, but appears to have been regarded as mere amusement for the backbone provider. The same provider is hardly likely to show scruples when it comes to handing out internal or commercially-sensitive data, software or anything else. Given the repeatedly low scores on security for many US government departments and the almost routine mishandling of classified data, there are probably those in the information black markets who know more national secrets than the entire White House combined. If one backbone provider is riddled with corruption and pwned by organized crime, then we must assume that such people are unlikely to be avoiding big money out of a sense of decency and moral fortitude.

But if the most dangerous people have the most dangerous information already - and that includes whatever terrorists might actually exist - then most of the obscurity only serves to increase the value of what has already been stolen. This makes the thieves rich, the criminals dangerous, and the politicians popular for appearing to do something, but it doesn't make anyone else - users, vendors, bystanders - any better off at all. Illusions are fun on the stage, but they should be left there.