FBI Raids Security Researcher's Home
Sparr0 writes, "The FBI has raided the home of Christopher Soghoian, the grad student who created the NWA boarding pass site. Details can be found on his blog including a scanned copy of the warrant. The bad news is that he really did break the law. The good news is that Senator Charles Schumer did it first, 19 months ago, on an official government website no less. The outcome of this trial should be at least academically interesting. At best, it could result in nullifying some portion of the law(s) that the TSA operates under." Read on for Sparr0's take on what laws may apply in this case.
Boiling down some of the legalese, the charges (if any are filed) will be "conspiracy to knowingly present a false and fictitious claim upon or against the United States, or any department or agency thereof in violation of USC 18 (secs. 2, 371, 1036, 1343, 2318) and USC 49 (secs. 46314 and 46316) and 49 CFR (secs. 1540.103 and 1540.105)" (edited for brevity).
Even faced with potential jail time, some people have a burning desire to be in the limelight. I wonder why Christopher Soghoian didn't just create a site anonymously. It would likely have the same effect, and he'd stay out of prison.
It's unfortunate that exposing holes in our security gets no press until someone actually leverages the hole to cause harm. For years before 9/11, the U.S. knew our airports were pitifully insecure, particularly Boston Logan, yet failed to do anything about it. So even though we'll be safer as a result of Christopher's work, he may be in prison. Unfortunately our society applauds the whistleblower only well after the whistle has been blown, and the government applauds them almost never at all.
Crack - Free with every butt and set of boobs
They're straight out of Compton yo.
God spoke to me.
The gov't doesn't like to look bad. They don't like flaws being publicly seen of their great "system" of boondoggles which they have created.
We all know the TSA is a scam, we all know we are not one bit safer, we all know the airways are no better than they were before 9/11. Just a great hat trick.
Of course, at this point...I wonder if they even care that the public would be aware.
Buy Steampunk Clothing Online!
A conspiracy with who?
[Fuck Beta]
o0t!
Soghoian is setting up a legal defense fund. You can learn more and donate at http://slightparanoia.blogspot.com/2006/10/legal-defense-fund.html
1. "If you don't like it, move away." Considering the fact that Congress is severely limited by the Constitution in creating NO law that infringes on our God-given (or inherent, if you prefer) right to speak freely on our property, the laws listed above have nothing to do with what he did. In fact, his website IS his property, he rents it, and he's protected. Congress here should be the ones behind bars for continuing to violate the Constitution they took an oath to uphold.
2. "He broke a law, he should go to jail." The court system should be mandated to tell the jurors in all trials about their right to nullify terrible laws. Jury nullification is more than a privilege, it is a right even greater than serving on a jury.
3. "He didn't do anything wrong." This shouldn't matter either way unless he violated someone's property or person himself. I find it outrageous that people are arrested for inciting violence -- the gun doesn't kill, the inciter doesn't kill, it is the person who physically performs a violent act that is the cause of the violence. Not only did he do nothing wrong, we shouldn't even be considering whether or not he did or didn't. Did he harm anyone physically? Did he physically steal anything? Did he trespass?
On top of those 3, we should also realize that the laws pertaining to security are 100% unconstitutional. The airplanes are private. The airports should be privatized (I can't see how airports could be considered federally-regulated properties). The passengers are generally private citizens. The Constitution is clear on this, too -- it should be left up to the individual States and the people.
This is what you get when you have democracy -- even a republican form of it.
"Democracy is the most vile form of government...democracies have ever been spectacles of turbulence and contention: have ever been found incompatible with personal security or the rights of property: and have in general been as short in their lives as they have been violent in their deaths." James Madison
"Democracy... while it lasts is more bloody than either [aristocracy or monarchy]. Remember, democracy never lasts long. It soon wastes, exhausts, and murders itself. There is never a democracy that did not commit suicide." John Adams
The U.S. isn't going to hell in a handbasket, it's been there since 1913 (or 1865, if you consider the traitor Lincoln's actions).
Thankfully, there are a great number of opportunities to vacate from the system without leaving the lands of the "Nation." I can only hope that more freedom lovers just stop voting for authority and move forward to taking that authority back.
You wanna rethink that analogy there, "Reality Master"? Cause I'm pretty sure they call those places "locksmiths."
Of course, if it wasn't your house, but a hotel, both you and your guests would surely be _WAY_ safer if only hardened criminals knew about your lock problems and how to open the door.
After all, we know that about half the population of any given country is just waiting for a chance to get on a plane with a bomb, and that the turrists are spontaneous people who don't research and plan in advance.
What is funny is that while there's a law to punish the guy, apparently nothing will be done to either Northworst, or the TSA for not doing their job. America obviously takes air travel security seriously.
This guy is not a terrorist, he's a security researcher. I live in Bloomington as well and work with a guy who is taking a cryptographic protocols class with Chris. He says that Chris is a decent guy, which is probably the case. I for one commend Chris for releasing this kind of information to the public. Even if he had released it to the FAA or Northwest Airlines, it's doubtful that the public would have ever known. He is simply doing what most security researchers do, it's just that his research coincides with current hot topics in politics and public interest.
Dear Senator,
I would like to bring your attention to the outrageous behaviour our government agencies have displayed regarding the matter of security researcher Christopher Soghoian's comments on the TSA security procedures.
Quite frankly the FBI raid on his premises is beyond comprehension for a country that preaches freedom and respect for human rights.
Not only would I like you to help in resolving Christopher's plight, I would also ask that you investigate and bring to the public's attention the true nature of the effectiveness of the TSA policies as well as to the rather offensive nature of the "secrecy" of the policies upheld by the organization.
Public transparency of the government is very important to me and any help you can give to avoid being virtually disenfranchised due to being unable to evaluate the performance of my elected officials is critical.
Sincerely
And so a corollary is that any security researcher who exposes a risk or danger is a criminal (;-))
--dave
davecb@spamcop.net
I think what needs to be looked at here, and what is often ignored by those with agendas to push, is intent. His intent was to improve security, not to see it subverted by enemies of the state. It is the government's fault, not his, that the only way to ensure the closure of this security hole was to engineer a tool to exploit it.
The fact that he published his identity and did this entire thing above-board settles the question of intent for me. He was not maliciously motivated. That is the basis by which we should judge him.
If I showed up at my apartment with the door unlocked, I would be rather annoyed. If I had had notes posted to my door for several years beforehand telling me my lock was insecure, and how to secure it with relative ease, and I then showed up at my apartment door to find it unlocked with a note saying "Told you so", I'd be embarrassed. The key is, as long as the belongings inside are left untouched, all that's hurt here is pride. Pride is not something the law needs to be protecting.
occultae nullus est respectus musicae - originally a Greek proverb
The only way to get this situation under control.
Senators have constitutional immunity for what they say in the Senate. That might extend to his official website, though Proxmire set a precedent that points in the opposite direction.
More to the point is that Bruce Schneier was pointing out the boarding pass problem in _2003_.
The man affirmed that he created the page, the FBI had plenty of grounds to charge him. Why search his premises? Looking for other dirt to kick up in case the judge disagrees with the prosecutor?
Notice how in all this discussion, everybody is implicitly assuming that the watch lists are actually worth anything. In fact, I think the reason this hole has existed for several years without any problem due to them is that the watch lists simply don't make any difference at all.
Which raises the question: why have the watch lists in the first place? I think they are more psychological than anything else: they give the impression that there is a continuing threat, they give the impression that the government is doing something, and they make people willingly give in to controls that they previously wouldn't have considered. Remember: you used to be able to travel across this nation without the government being able to track your every step.
"He really did break the law?" I don't think so, but I'm not qualified to make that statement and neither are you. It takes a judge or a jury to say that. To me, it doesn't appear that he conspired to do any such thing. He simply wanted the public to realize how insecure it really was. It sounds like this law requires such intent. There is also the question of whether Northwest Airlines would be considered a Government agency or department for the purposes of this law.
Freedom requires that people stand up, publicly, for what they believe in. That is why the 1st Amendment reads:
Simply striking against a convenient target does not get you any closer to being Free. Nor does it keep you Free.
Freedom is not safe.
Even if he did break a law, and I'm a lawyer and I'm far from convinced that he did, this is a prime example of when the US Attorney should use some prosecutorial discretion and, after investigating the matter and being content with the subject's explanation as to what happened and why he did what he did, decide not to prosecute. The worst thing this guy did was act imprudently. No terrorists got on airplanes, nor could they have. The best thing this guy did, and I don't think there is any question about his intentions, is to bring attention to a security flaw. He took down the website when asked (maybe even prior to that) and nothing bad resulted from his actions. He had no intent to hurt anyone, no intent to steal or deprive anyone of property, and no intent to help anyone actually break the law. So, even if he could be prosecuted, he shouldn't be. Not everyone who breaks the law should be charged with a crime.
Stupid people make stupid things profitable.
The fact that he is going through this for pointing out a flaw is pretty horrifying. That said, hopefully the justice system will 'do justice' to keep this guy out of prison. Even still at best he's going to be pretty shaken up by this for a while to come, and probably be out a fairly sizable chunk of money in legal defense; at worst, he's gonna have a pretty horrible time (can't check punishments as all but final 2 of the USC links The Fine Summary are 404s). All for pointing out what should be a fairly apparent flaw in a 'security' system. I guess the guys at the FBI just like arresting folk for things like that. Hell, why didn't they arrest Andy Bowers of Slate for his research / article too?
Also, can some pro-2nd amendment folk go and give him some "legal defence"? You know, protect people from the government and all that... ;-)
If all you have is a grenade, pretty soon every problem looks like a foxhole -- MightyYar
Doesn't matter. I don't even think the FBI much cares if they win or lose the case, or if it even goes to trial. What does matter is that they've terrified some other potential geeks from publishing anything else negative about the TSA or other government organ. It's a win-win from their perspective. Pretty much a lose-lose from where I'm sitting ... free speech takes another hit. This is exactly the kind of situation the Founders envisioned when they came up with free speech and plugged it into the Constitution. Here's someone that saw something wrong with government, and wanted the rest of us to know about it. So, of course, in true Constitutional spirit the FBI raids his place and charges him with a crime. Doesn't matter what crime, so long as the kid is terrorized sufficiently. I mean, there are so many laws on the books nowadays that everyone, and I mean everyone, is guilty of something and can be nailed to a cross for little reason, or no reason at all.
Cripes.
The higher the technology, the sharper that two-edged sword.
I encourage all other security professionals to do the same.
In the darkness of future past, The magician longs to see. One chants between two worlds, "Fire, walk with me!"
terrorist noun A person who uses terrorism in the pursuit of political aims.
terrorism noun The use of violence and intimidation in the pursuit of political aims.
I quote from his blog:
This is a case of classic police-state gestapo tactics.
This guy hasn't done anything wrong, he hasn't even highlighted a previously unknown security flaw, and now he's subject to this kind of treatment...
Specialist Mac support for creative pros, Melbourne
I'm not sure, to be honest. So far GNUnet hasn't avoided that fate; there's not too much content on the network yet. I try to keep the daemon running on my computer whenever it's on, and encourage its use whenever the topic of P2P networks comes up, but I doubt it helps much. I assume Freenet and/or GNUnet will grow as the RIAA sues more people and starts leaning on ISPs to block networks like Gnutella, but who can tell?
ResidntGeek
Damn... I just don't know what we can do to fix this anymore. I'm honestly beginning to wonder if there's any chance of getting our freedom back. And the media coverage of all these problems? Nil. How in the world do we get enough people to notice, at this point? Also, are we college students really so apathetic now? The draft for the Vietnam War started riots, but there's next to no noise on campus over these problems - even at liberal schools... I haven't lost hope yet, but how can we get the people of the United States to start caring again?
The chance of them knowing is the probability of them finding the information multiplied by the probability of knowing the value multiplied by the probability of producing a workable exploit.
The chance of you knowing if they know is the probability of them knowing multiplied by the probability of you knowing who the bad guys even are, multiplied by the probability of obtaining real information (they can jam anyone monitoring them by flooding the information space with junk information), multiplied by the probability of you knowing you even have real information, multiplied by the probability of being able to determine what the information actually means.
Counterintelligence is an exceptionally difficult field with a painfully poor track record. Most published successes have been by a series of sheer fluke events and staggering luck. Most published failures were unlikely to be anything else. We don't know about the unpublished stuff, but percentagewise, are we more likely to see bragging over achievements or failures, if both can be equally hidden?
I'm not saying that everything should be published, merely that it should not be assumed that not publishing is the same as others not knowing.
Now, can a case ever be made for publishing everything? Yes. Game Theory requires that all "full information scenarios" have a strategy for one side and one side only that will ALWAYS result in the winning conditions being met, no matter what the other side does. It is possible to imagine situations, particularly in computing where there is essentially no randomness and a "full information scenario" is possible, where the outcome can be guaranteed, if you want it to be.
No matter what anybody else might say, it is not the job of an enemy to make your life easy, so we shouldn't expect them to. We should expect them to do the research, the legwork, the analysis to figure everything out. They might indeed just wait until someone tells them, but that should be a bonus. It should not be your modus operandi. In computer security, you must assume that there are opponents out there who could have all of the industry-standard backdoor passwords, a complete printout of every Operating System and network device QA test that failed and got overlooked, and a copy of the highest-end vulnerability scanner the commercial sector has going for it.
Hell, we know that a Russian spammer got a tier-1 backbone provider to turn off Blue Frog's Internet connectivity. Turning off a link like that is very traceable, but appears to have been regarded as mere amusement for the backbone provider. The same provider is hardly likely to show scruples when it comes to handing out internal or commercially-sensitive data, software or anything else. Given the repeatedly low scores on security for many US government departments and the almost routine mishandling of classified data, there are probably those in the information black markets who know more national secrets than the entire White House combined. If one backbone provider is riddled with corruption and pwned by organized crime, then we must assume that such people are unlikely to be avoiding big money out of a sense of decency and moral fortitude.
But if the most dangerous people have the most dangerous information already - and that includes whatever terrorists might actually exist - then most of the obscurity only serves to increase the value of what has already been stolen. This makes the thieves rich, the criminals dangerous, and the politicians popular for appearing to do something, but it doesn't make anyone else - users, vendors, bystanders - any better off at all. Illusions are fun on the stage, but they should be left there.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Schumer today laid out the following scenario in which someone on the terrorist watch list can get through airline security undetected:
1. Joe Terror (whose name is on the terrorist watch list) buys a ticket online in the name of Joe Thompson using a stolen credit card. Joe Thompson is not listed on the terrorist watch list.
2. Joe Terror then prints his "Joe Thompson" boarding pass at home, and then electronically alters it (either by scanning or altering the original image, depending on the airline system and the technology he uses at home) to create a second almost identical boarding pass under the name Joe Terror, his name.
3. Joe Terror then goes to the airport and goes through security with his real ID and the FAKE boarding pass. The name and face match his real drivers license. The airport employee matches the name and face to the real ID.
4. The TSA guard at the magnetometer checks to make sure that the boarding pass looks legitimate as Joe Terror goes through. He/she does not scan it into the system, so there is still no hint that the name on the fake boarding pass is not the same as the name on the reservation.
5. Joe Terror then goes through the gate into his plane using the real Joe Thompson boarding pass for the gate's computer scanner. He is not asked for ID again to match the name on the scanner, so the fact that he does not have an ID with that name does not matter. [Since Joe Thompson doesn't actually exist it does not coincide with a name on the terrorist watch list] Joe Terror boards the plane, no questions asked.
Based on the above press release by a US Senator, shouldn't Schumer be charged with similar crimes?
We won't be ANY safer after Christopher's work. Not because he was wrong about his claims but because he is right. We only have security theatre.
No rational allocation of resources would have beefed up passenger screening after 9/11. I don't care if you do get an AK-47 on a plane nowadays you won't be able to hijack it and crash it into a building for the simple reason that the people on the plane KNOW they will die if they let you fly the plane.
9/11 was a one time deal. It worked because no one expected terrorists to fly planes into buildings. After 9/11 any hijacking would end like flight 82. While this would be a horrible tragedy it would be far easier to create such a tragedy with surface to air missiles, gas attacks in subways or a hundred other ways we aren't guarding against.
The real risk now is new attacks not a repeat of 9/11. We should be spending our money securing chemical plants or defending our water supply not inconveniencing people in airports. Any security in airports beyond pre 9/11 levels is nothing but a show designed to make people think they are safer while wasting resources.
Christopher is showing that the post 9/11 security measures are total theater. He isn't being arrested because he put people at risk, he is being arrested because he made uncomfortable.
If you liked this thought maybe you would find my blog nice too:
So, if I say "Bush has an ass the size of Texas", I should expect the FBI soon?
No, that's only a wrong word choice. It should read, "Bush is an ass the size of Texas."
!#@%*)anks for hanging up the phone, dear.
Security is a joke in airports.
I was an airplane re-fueler at Edmonton International Airport post 9/11 (Shell Aerocenter 2002-2003). I can tell you this. EVERY refueler and most baggage handlers carry knives or a multi-tool (i.e. leatherman) of some sort. So do many pilots. Why is this? We use them to lever open hatches, latches, open your bags for the video cameras etc. (I shit you not. I know several guys who carry those little keys that fit the little locks on your bags so they can poke around in your bags) It would be a snap for someone on the inside to plant a knife. Or even a small gun.
But how do you get past security you ask. I'll tell you. We don't. We have our own entrances and exits and these don't use metal detectors or our steel-toed boots would set them off every time. The only thing that is our security check is our ID tags. Sure we go through an extensive process before we are issued one but there's lots of criminals working at your airports. That and they aren't that tough to forge. If you have a "friend" at your local DMV you could probably do it.
So security is tight at the terminal? You can charter a small to large plane at your local FBO. We never check you or your bags. Why would we? We think you are some rich guy who jaunts around on his private jet. Perfect for loading with explosives and plowing into buildings on your jihadic quest.
But what about the regular people who go through security? Did you know that you are allowed 10 packs of matches but no lighters? I can do a shit load of damage with ten packs of matches and I'm sure you could too! Oh yeah the metal detectors that you walk through aren't sensitive enough to pick up a bic lighter. If you get caught with one. Just say oops, my bad I forgot about it and make sure they see your pack of smokes. They'll take the lighter away and that's it!
If you are worried when they swab your laptop and you've been chopping some of Colombia's finest on top of it don't worry. They are searching for bomb residue. But here's a secret. They don't swab your MP3 players, video cameras, and cell phones. They just scan them with the machines. I'm not sure how many ounces of high explosive you fit in a video camera but I'm guessing it's a fair amount.
What about sniffing dogs? I fly all over the place to meet up or disembark from ships. I can't remember the last time I saw one. Why? They are a bitch to train. (pun semi-intended) Something like one out of every 20 makes the grade. And THEN they are split up for K-9 tracking, bomb sniffing, narcotics, sniffing, blind leading etc. The odds of running into a dog is pretty slim unless you are at one of the well funded big airports. (LAX, Heathrow etc.) Most of the guys who I work with on multi-national ships regularly bring some drugs home. Not a lot, but a few grams to help make the welcome home party a bit more welcoming.
These flaws are just a few I could think of off the top of my head. So what's the point? If you are creative enough (and hackers prove this regularly) and determined enough you can get past any security that's in place. Especially when it's so shoddy like it is at our airports.
So to be honest someone forging a boarding pass should be the least of their worries. Happy flying!
Hee Hee The drinking bird does all the work!