Charges Dropped In Fake Boarding Pass Case
An anonymous reader writes, "Investigators have dropped the criminal case against Christopher Soghoian after satisfying themselves that he acted without criminal intent. The grad student had created a web site capable of printing fake airline boarding passes. Soghoian is quoted: 'If they fix the airport security problems... then this entire process has been worth it. If they don't fix airport security, then... what was the purpose?'" Soghoian's blog has insightful comments about the divide between security researchers and government officials on subjects such as TOR.
Can somebody explain US laws to me here? Is it or is it not legal to put up a website that helps to print fake boarding passes? If it is not legal, why was the case dropped? If it is legal, would it be ok to put the website online again?
I have a hard time imagining what law could be violated by this unless somebody tried to actually use such a fake boarding pass to get on a plane or into a restricted area.
I could imagine that the mere act of printing a fake boarding pass *could* (depending on how it is done) violate the copyrights of the company. Anything else?
True. I took a flight recently (from the Middle East to the UK), and they screwed up and put the wrong name on the ticket. The travel agent insisted everything would be fine at the airport, but I wasn't so sure. Upon reaching the airport, I checked with the help desk. You know what they did? They took my ticket, grabbed a pen, crossed out the wrong name and wrote in the right one. Nobody batted an eyelid when I checked in or boarded.
Got them for under $1 each.
To my dismay, they can't read standard bar codes.
To my amusement, and dismay, I figured out WHY they wouldn't read standard bar codes.
Some airline sold them to a liquidator. With their custom code in the flash memory to scan their baggage and boarding pass tags.
It wasn't too hard to learn all this. Every scanner had several stickers on it with diagonal red stripes and phrases like
"/// SECURITY DEVICE #xxxxxxxx ///"
"/// USER MUST HAVE SIGNED CONFIDENTIALITY AGREEMENT A8R55-2 ///"
"/// FIRING OFFENSE TO REMOVE FROM RED ZONE (UNION HBK, PG 37) ///"
"/// DEADULUS & EARHART AIRLINE CUSTOM FIRMWARE VERSION 1.22 ///".
I wonder what their thought processes were, something like:
I bet he has a number of speaking engagements and (maybe) a book deal. Knowing this was a possible outcome (and he certainly seems astute enough to know that might be the case), he seems to have done quite well. He could have done worse as a grad student writing a thesis.
First and foremost, I've been a Slashdot lurker, and finally registered for an account because I think I have something of value to say here.
So, I think you guys have totally overlooked the point of all this. The way he talks about fixing the airline boarding pass security issue highlights to me that he is a security-minded individual and has taken this step because he's noticed a vulnerability and has generated a proof of concept to illustrate the need for reform. This is often the only way to spark change rapidly in a ginormous looming organization as many of these airlines are. In my opinion, this public disclosure of a vulnerability is no different than the daily postings on SecuriTeam or Remote-Exploit or similar sites.
I see the argument then being "well, he probably said that to get out of a lawsuit". While I'm in no position to agree or disagree, from a larger perspective, even if that was the case, this vulnerability has been addressed, the ball is in the airlines' court to clean up their mess. He knew that was how it would go down, and that makes this guy a whitehat. He convinced the FBI of this, and that's why they dropped the charges. We may not have the most reliable and efficient government in the world, but hey at least they are trying to embrace technology. I'd like to think that our government recognizes the need for public disclosure of *SOME* vulnerabilities to enact change... but that may be too optimistic of me.
Security is never absolute, and I am a firm believer that we cannot enhance our own security without first understanding how to break it. This guy is the bug finder, who will fix the bug? Long story short --> chalk one up for the whitehats!
And if dude wasn't white? Well .. I'm not touching that with a ten foot pole-arm +1 even.
just my .02 ;P
-Marspeace'n'reallylouddrumandbass
A Zen koan: Zen master said to his pupil, "I own you, bitch. Know that." And the pupil was owned. And he knew it.
You missed the point: it's not to save buying a ticket. (They scan the boarding pass at the gate and can detect a fake at that point, so you need to carry a real boarding pass anyway.) One of the goals of the system appears to be to exclude people with certain names from flying, at least without some additional checks. Since they don't scan the boarding pass at security, you can hand them a fake boarding pass (matching your real ID) at security. If that's the only time they check ID, then you can use a real boarding pass (bought under somebody else's name) at the other points. And if I understand right it's only at those other points that they actually check the name against no-fly lists. So the no-fly list doesn't work even given really good unforgeable IDs.
Seems like kind of a crazy system if that's correct--so it's fair game for being made fun of, which is all the fake boarding-pass generator does as far as I can tell.
Yes, I have, 4 times. So has Jim Harper from the CATO Institute.
It's easy, and the US appeals court has recognized this right.
See: this story
So if I ignore the security trying to stop me from boarding the plane with my large toothpaste tube, intending only to brush my teeth after dining on their airplane food, then I shouldn't be arrested? The criminal charges apply only to people boarding with criminal intent for their toothpaste?
Look, the charges against this guy are bogus. The criminals are the people in the TSA who treat us like dirt on a cop's beat, while leaving these gaping security holes for actual attackers to exploit. Who try to cover their asses by arresting people who out their incompetence. The whole simcurity industry is a mafia, shaking us down with fear and intimidation while leaving us undefended.
But the lawyers, judges and legislators who decide justice based on unknowable (philosophically, perhaps even nonexistent) "intent", are worse than criminals. They're destroying the entire rational basis for justice, based on testable evidence and disprovable legal theories, in favor of arbitrary mind reading. Even if they didn't "intend" to do that, they've done the damage.
Just like security rules can protect us only from actual acts and results, not forgive well-intentioned acts that might create insecurity anyway. Should the law allow me to bring my pressure-detonating bomb prototype on an airplane, just because it never occurred to me that it would destroy the plane in flight? What if I did that a few times? What if I just got on the plane so drunk that I abused the passengers, making a mess in the aisle, a few times a month on business trips, intending only to "relax" my nerves before the flight?
The law should protect us from too-risky actions and actual danger. Including the incompetent actions of the TSA which can't accept warnings from researchers that boarding passes are insecure. Not dwell in the imaginary world of "good intentions".
--
make install -not war
BINGO.
Been saying this since ~6 months after 9/11.
Rummy also told us that A.Q. had several super-high-tech underground bases in Afghanistan, any one of which would have made Cobra Commander or Dr. Evil proud. Did you see the diagrams of them that the White House produced? It was some hilarious bullshit.
The lying didn't start with Iraq. A lot of people have forgotten, I think, the degree to which the Bush administration was spewing what should have been easily exposed as lies (I guess a lot of people fell for them; if Bush has achieved nothing else, he's convinced me that people are, on average, way, way dumber than I thought they were) since 9/12/01. They lied to hype up the war in Afghanistan, and they lied to exaggerate Al Qaeda's ability to project meaningful force into the U.S. Remember them saying how there were dozens or hundreds of "sleeper cells" here just waiting to be activated? What happened to that? They certainly haven't found any (thought they did a couple of times, turned out that they were just incompetent as usual) nor have we been attacked again, and they've stopped talking about it.
Remember the short-lived "Total Information Awareness" office whose first public message was to encourage U.S. citizens to spy on their neighbors? Ha!
This administration has been lying to us and manipulating us from the beginning. The willingness of most people here to accept it has convinced me that, excepting the unlikely chance that education will be overhauled, the dream of America is doomed. The country may survive, but our ideals, which began slowly dying as soon as the ink on the Constitution had dried, are dead, and cannot be saved in our lifetimes.
It turned out that We the People were just too dumb (or were made to be too dumb) to handle it. Let it be said that the final blow was struck by mass ignorance and apathy.
Actually, I've heard some commentary that explains that. Al-Qaeda and OBL in particular have a modus operandi of "escalating attacks." In other words, each attack should be bigger and better than the last one. They feel this has more of an effect than the Palestinian-Israel style low-level terrorism that people sort of "get used to." I think it has as much to do with the political/psychological impact as it does with the fact that any terrorist activity has the potential to leak information about the planners, get them arrested and seal off future avenues of attack. You can see that pattern in their attacks. So while they could easily blow up a few dozen people here and there, they hold back their resources and wait for something bigger.
Came back from Europe recently. Picked up bag at destination. TSA lock had been ripped off the bag, taking two zipper pulls with it. (Bag is now unlockable.)
Looked inside. Contents rearranged, but on the top of the pile were ... the two DVDs and a CD I bought in Amsterdam. No TSA notice that they'd vandalized my bag. No apology. No lock. Nothing missing, so it wasn't a thief who did it.
From all appearances, they pried open my bag in a desperate rush to check that the DVDs and CD were not pirated material. I know of no current danger to aircraft from DVD or CD shaped objects that would have justified the deliberate vandalism of my property.
On a side note, Minnesota bomb squad blows up scientific instruments. A scientist returning from MN left her stream-bed temperature sensors in the trunk of the rental car. Instead of paging her while she was still in the airport, the rental company called the police, the police called the FBI, the FBI called the bomb squad, and the bomb squad destroyed all of her data. PVC pipes with holes drilled in them, end caps, and gravel inside. Boom!