Slashdot Mirror


TSA Now Investigating Boarding Pass Hacker

An anonymous reader writes "A week after the Justice Department cleared him of any wrongdoing, Chris Soghoian, the Indiana University PhD student who created an online boarding pass generator for Northwest Airlines to highlight security holes is on the government's 'no-fly' list. The Transportation Security Administration has now launched its own investigation, says Wired blog 27strokeB. The TSA is claiming that Soghoian 'attempted to circumvent an established civil aviation security program established in the Transportation Security Regulations,' violations of which carry fines of up to $11,000 per violation. That could be a steep fine, says Washingtonpost.com's Security Fix blog: 'Something like 35,000 people viewed and possibly used the boarding pass generator during the less than 72 hours that it was live on his site in November. Soghoian told WaPo: "If they decide that the only safe way for me to leave the country is by boat, then that's pretty much the end of my career here in the States. It's one thing to harass researchers, but if they can chase them out of the country, then that's a real chilling effect."'"

270 comments

  1. 35,000 views? by denebian+devil · · Score: 2, Funny

    I wonder how many of those were Slashdot users. Shame on us! Shame!!

    1. Re:35,000 views? by 'nother+poster · · Score: 5, Insightful

      No, shame on the TSA for not implementing real security requirements.

    2. Re:35,000 views? by garcia · · Score: 4, Insightful

      I was one but I didn't get to it from Slashdot. I got to it from several local bloggers that pointed it out.

      Big fucking deal. It was an obvious security hole. If anything, he should be hailed, not jailed. But then again, we don't want to go out and make NWA (who fucking blow anyway) and the TSA look worse than they already do (if anyone is reading from MCO's TSA, fucking fix your system by doing a "best practices visit" to any number of other airports -- your system sucks even at 4:00AM)

    3. Re:35,000 views? by bostonkarl · · Score: 3, Insightful

      No kidding. This was an obvious loophole that had been pointed out a very long time ago. Investigating the kid till you're blue in the face doesn't make the problem go away. Anyone with moderately good office-suite type computer skills could fake a boarding pass. TSA needs to focus on security, not obscurity of their obvious failures. TSA needs to focus on security, not their obvious complicity with the airlines and the airlines' heavy lobbying.

    4. Re:35,000 views? by UbuntuDupe · · Score: 2, Funny

      He should be hailed. But the man who introduced fire to the world was burned at the stake. The man who introduced the wheel to the world was spun to death on the rack. The man who introduced sailing to the world was keelhauled. And the man who alerted others of a security flaw made his own country unsafe for him.

      It's the burden of being a genius.

    5. Re:35,000 views? by Aardpig · · Score: 4, Informative

      But the man who introduced fire to the world was burned at the stake.

      Bollocks he was. He (Prometheus) was chained to a rock, and an eagle would come every day and tear out his liver. Then, in the night, his liver would grow back. Sheesh, don't you kids learn any mythology anymore?

      --
      Tubal-Cain smokes the white owl.
    6. Re:35,000 views? by BoRegardless · · Score: 1

      So let's see. If the emperor has no clothes, and you point that out, you are guilty of...telling the truth?

    7. Re:35,000 views? by Deitiker · · Score: 1

      fix your system by doing a "best practices visit" to any number of other airports -- your system sucks even at 4:00AM)

      I lub it! What is the best practice for protecting the public from half-drank bottles of water?

    8. Re:35,000 views? by Jehosephat2k · · Score: 1

      Yep!

      Bingo, right on the $$$

      Mod Parent up

    9. Re:35,000 views? by Inominate · · Score: 1

      It's not even a security hole. Forcing someone to buy a ticket doesn't keep anyone unwanted out of the terminal. Forging a fake boarding pass that will get you into the terminal is trivial even without that "tool".

      What it DOES do is reduce the number of people in the terminal. It means that the security checkpoints can do more and move people through faster, since non-flyers aren't around.

    10. Re:35,000 views? by Anonymous Coward · · Score: 0

      I know it's a waste of time to point this out several hours after this discussion was over. But anyway;

      The whole point of checking boarding passes has almost NOTHING to do with security. Not directly, at least. The idea is to restrict the number of people through the screening point so that they can save some money. You could look at it as though they were screening more strictly because there are fewer people to screen, but the screening standards don't appear to change whether the line is long or short, so that's not really the case. The only thing that changes is the number of screeners at the stations

      It really doesn't do a damn thing towards security. Neither does the no-fly list, since it is so bloated. It is all about security theatre. I'll stop there before I get into a real rant (which, like this, nobody will read).

  2. What's the fine? by HangingChad · · Score: 5, Insightful

    What's the fine for making TSA look stupid?

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:What's the fine? by towermac · · Score: 5, Insightful

      apx. $11,000 per incident.

    2. Re:What's the fine? by Anonymous Coward · · Score: 2, Funny

      "What's the fine for making TSA look stupid?"

      slightly embarrass = $1,000
      obviously embarrass = $5,000
      Making them look Stupid = Priceless!!

    3. Re:What's the fine? by Anonymous Coward · · Score: 0

      What's the fine for making TSA look stupid?

      You mean they aren't?

    4. Re:What's the fine? by loraksus · · Score: 1

      It usually consists of a strip search with a cavity check performed by homosexual TSA agents who derive "great pleasure" from conducting one.
      That and missing your flight.

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
    5. Re:What's the fine? by JohnnyGTO · · Score: 5, Funny

      Can they fine themselves?

      I was in line behind a TSA employee from a local small airport. She was telling the cashier that she had left the check to pay for a number of photocopied documents in her car and must retrieve it to pay. BUT she could not leave the documents and had to take them with her to the car as they were VERY VERY sensitive. Here's the kicker, she left them at Staples overnight to be copied.

      I wonder if they let her sleep there and then shot the copier tech out in the alley?

      --
      Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
    6. Re:What's the fine? by mattwarden · · Score: 2, Funny

      The fine is getting modded -1, Redundant.

      The TSA (Thousands Standing Around) do a decent job themselves.

    7. Re:What's the fine? by StikyPad · · Score: 1

      What's my TSA joke? Well, iTSA joke.

    8. Re:What's the fine? by Beryllium+Sphere(tm) · · Score: 2, Informative

      Massive investigations and threats of jail time if you don't help them cover up how ineffective their screening is.

  3. Welcome to life under Occupation. Population You. by mikelieman · · Score: 1, Interesting

    Enjoy your stay.

    --
    Technology -- No Place For Wimps! Grateful Dead and Jerry Garcia Chatroom -- http://www.wemissjerry.org
  4. Go Chris... by Anonymous Coward · · Score: 4, Insightful

    The people responsible within the TSA need to be dealt with. These fuckheads have some nerve harassing a researcher for bringing their errors to wider attention.

  5. Fair is fair by The+Clockwork+Troll · · Score: 4, Funny

    The fine seems reasonable, will they accept cash?

    --

    There are no karma whores, only moderation johns
    1. Re:Fair is fair by Anonymous Coward · · Score: 0

      Is it only my web browser or is the SS website really broken? http://img111.imageshack.us/img111/4679/screenshot1sa8.png

    2. Re:Fair is fair by Anonymous Coward · · Score: 0

      Did you notice that the secret service badge is loaded as two images and if you resize the font (+ in Firefox), the badge splits and shifts?

      Very odd.

  6. Congress @$!^^#**# by Anonymous Coward · · Score: 1, Insightful
    What oversight does the TSA have?

    WTF was Congress (not) thinking when they created the Dept. of Homeland Security?

    From what I've been seeing over the last few years, they can do pretty much anything they want and unless you have a White House contact or are a Senator, you have to bend over and take it.

    1. Re:Congress @$!^^#**# by towermac · · Score: 2, Insightful

      When they started throwing around the term "Homeland" a few years ago, it sounded a lot like "Fatherland" to me, and I knew then that no good could come of it.

    2. Re:Congress @$!^^#**# by Apocalypse111 · · Score: 2, Funny

      Fatherland - a bunch of old Germans raise their eye-brows and say, "Hmm, ve like it. Dat is a good vun."
      Motherland - a bunch of Russians raise their eye-brows, then sit back down at the barrage of Soviet Russia jokes bandied about here.
      Homeland - a bunch of Rednecks raise their beers and shotguns, create a lot of noise, then start calling their hatred of non-Anglos "patriotism".

      --
      There is no mod option "-1: Disagree" for a reason. "Overrated" is not an acceptable substitute. Post something instead.
    3. Re:Congress @$!^^#**# by Anonymous Coward · · Score: 0, Offtopic

      And the most bigoted reply to the article gets a rating of...
      "Insightful"

      Good job on this one mods...

    4. Re:Congress @$!^^#**# by Jehosephat2k · · Score: 1

      In Soviet Russia, barrages of jokes bandy YOU!

  7. The blog is "27B Stroke 6" by toby · · Score: 4, Informative

    And it's a "Brazil" reference, of course, which is nicely appropriate in this context...

    --
    you had me at #!
  8. He can still travel by Col.+Klink+(retired) · · Score: 5, Insightful

    As long as they don't fix the flaw, he can still exploit it and circumvent any extra scrutiny they try and put on him.

    --

    -- Don't Tase me, bro!

    1. Re:He can still travel by griffjon · · Score: 4, Funny

      The popping sound you heard after parent post was made were hundreds of small brains at TSA HQ.

      --
      Returned Peace Corps IT Volunteer
  9. The message? by marcello_dl · · Score: 1

    So, what's the message these kinds of reactions from the authorities send? To me it seems: "We don't really care if the system is really secure, there are always some friends who might need to sneak in, one day. You just let yourself be searched and stay well put during the flight, cause if you don't we call you a terrorist. Trust us or else."

    --
    ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    1. Re:The message? by Who235 · · Score: 1
      The fact is that this is bullshit, plain and simple. If this guy goes down or gets fined, I hope all nerds with any discretionary cash pony up a little to help him out. He did nothing wrong. As a matter of fact, a pretty persuasive argument could be made that he did something very right.

      So, what's the message these kinds of reactions from the authorities send?

      You are no longer being governed, you are being ruled.

  10. The US doesn't have enough smart people... by denis-The-menace · · Score: 1
    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    1. Re:The US doesn't have enough smart people... by wonkavader · · Score: 1

      I remember an American comedian (pity I don't remember who it was) responding to a bunch of Germans who saw his act and thought it was hilarious. "Why don't we," the Germans asked him after the show, "have funny people like you in Germany?" "Because you gassed them all," he replied.

    2. Re:The US doesn't have enough smart people... by Anonymous Coward · · Score: 1, Interesting

      Or silence them.

      Not to mention, this easily generates more of an underground. (I'm one who believes that the harder it is to get a tech job, the more black hatters form.) Before, researchers would publish their data to earn their keep or notoriety; remove that incentive, that white hat economy, however small, and it potentially generates a black hatter economy. And like many economies, usually it's the start that snowballs into something larger.

      Worse, and more directly, there are people that *do not* fly because of this. Myself, since 9/11, I've had the time and money to travel the US. I haven't; no freakin way I'm going to go to an airport and get harassed, and not knowing this damn security hole isn't fixed. Like XP, you see one hole that doesn't get fixed for months, you start to wonder what else is lurking. I'm one person, but that's tens of thousands not spent on air travel alone (and those tens of thousands meanwhile have generated more foreign wealth because of the hamstrings the US government and businesses have put on "innovation" in the US).

      I've become more of a cynic over the years; I just keep my damn mouth shut when a security hole or bug is found. The system, imo, is stacked against you. Come up with a discovery, someone else patents it. Publish it, get harassed, threatened, or jailed. Now that government is going to hammer on you, why take the risk; not only is there no reward, there is punishment.

      Meanwhile, the security hole *remains in effect.* If they'd put a sliver of the energy they put into harassing, investigating, and highlighting this guy, they could have closed the hole completely.

    3. Re:The US doesn't have enough smart people... by bilbobob · · Score: 1

      Basically, you guys are screwed. In 50 years the US will be left behind choking in the dust of China, India and Europe. When "researchers" of any field are harassed and investigated into extinction everyone should start to worry. The whole research system of science/medicine/technology or whatever is based on results expected by sponsors. Once results deviate, then funding is at risk. If there is no sponsor, as in this case, then freedom is at risk by those who probably knew the results before they were published anyway. Seriously, if this security hole was as easy as it looked, then someone should have known about it; the TSA should be investigating themselves. --- Advertisement: positions open for researchers - apply in person to the UK.

  11. Irresponsible researcher by Echoez · · Score: 2, Insightful

    What is the actual value and goals of his research? A responsible researcher could have created a proof-of-concept, and raised awareness through media channels, research paper, blog etc. He should have also presented his research to the TSA and the airlines. Instead what he did was not research. He created a website to create fake boarding passes and released it to the public. There was no academic benefit. If I created forged passport software and released it, that's not research. Let's call this for what it is: trouble-making, not research.

    1. Re:Irresponsible researcher by Midnight+Thunder · · Score: 2, Interesting

      This is something I was thinking. It is one thing proving there is an exploitation, it is another making it available to just anyone. The least he could have done is print void over the valid document he created. When you live in a society you need to exert a certain sense of responsibility. It should also be noted nothing is free from flaws and no security will ever be perfect.

      --
      Jumpstart the tartan drive.
    2. Re:Irresponsible researcher by maztuhblastah · · Score: 1

      I think the benefit is twofold:

      1) If he had just submitted a report to the TSA, it would get lost in the bureaucratic hell that is the TSA (or more likely, it would just be ignored, since fixing it would cost money and time.)

      2) The media coverage that the site, and subsequent harassment that he has received has raised awareness far more than a report to the TSA or a blog entry ever would.

      By bringing up the issue in a very public way, he has made many, many people very aware of the "security theatre" that the TSA is. The fact that he is drawing so much fire from the TSA also helps demonstrate exactly how poorly suited they are to deal with the flaws in their system -- it's easier to silence those who point out the problem than it is to actually purchase real clothes for the emperor.

      Added irony: the CAPTCHA for my post is "barefoot".

    3. Re:Irresponsible researcher by Anonymous Coward · · Score: 0

      "He should have also presented his research to the TSA and the airlines."

      No, that would have also resulted in him getting investigated.

      Currently in the US, anonymous submission to the media, or a specialised security forum, is the only safe option; and even then, it may not be that way for very long.

    4. Re:Irresponsible researcher by soft_guy · · Score: 1

      What is the actual value and goals of his research? A responsible researcher could have created a proof-of-concept, and raised awareness through media channels, research paper, blog etc. He should have also presented his research to the TSA and the airlines. Instead what he did was not research. He created a website to create fake boarding passes and released it to the public. There was no academic benefit. If I created forged passport software and released it, that's not research. Let's call this for what it is: trouble-making, not research.

      I agree with you, but I still think his "trouble making" had value of raising awareness and also he should not be persecuted for it.

      --
      Avoid Missing Ball for High Score
    5. Re:Irresponsible researcher by bugnuts · · Score: 1, Troll

      This was almost exactly what I said when it first happened. It was also nothing unique in its implementation. I wrangled a -1 Troll, too! :-)

      The problem exposes some very alarming trends I see in security research. It used to merely be embarrassing when someone would release exploit code, but there really wasn't any recourse other than fix the flaw asap. Then, the separation between blackhat and whitehat hacking became more distinct... the responsible researchers started to notify the manufacturers with enough time to fix, with an underlying veiled threat of embarrassment as the cost of exploits rose. But there was always a threat of "fix this before I release the information".

      But somehow, somewhere, the government got involved and everything went to hell in research. Now we have the DMCA, and asshat maneuvers like Adobe getting people arrested for legal activities, chilling effects on legal speech through threats BY corporations who are negligent, bullying academics, and so on. We have the USA PATRIOT Act. We have a war on US citizens, not just terrorists. And then, in this windstorm, Soghoian was an idiot by sticking out his neck while the farmer had been sharpening his axe.

      What he did wasn't research... it was /obvious to any hacker who's ever printed a boarding pass in advance. What he did was simple embarrassing exposure. Now, I fully believe his speech should be protected, but frankly he was irresponsible in the first place and it's difficult to find any sympathy.

    6. Re:Irresponsible researcher by Rinzai · · Score: 2, Informative
      First of all, it's not "persecution." If he broke the law, then he needs to pay the penalty for that transgression. According to your semantics, we persecute murderers for murdering and thieves for stealing. I just don't think so.

      What Chris S. did was just plain stupid. Yes, the web-based boarding document system was originally designed to keep unticketed passengers from getting onto planes, not from getting past the (at the time non-existent) TSA security points. Giving non-technical nogoodniks an easy way to exploit the system was wrong, unwise, and dangerous.

      People relevant to the technology are trying to resolve the security issues involved with web-based boarding documents right now, so don't think nothing is being done just because you don't hear anything about it.

      Yes, the people involved in that are smarter than the TSA. You'll just have to trust me on that. Don't ask how I know.

    7. Re:Irresponsible researcher by soft_guy · · Score: 3, Insightful

      First of all, it's not "persecution." If he broke the law, then he needs to pay the penalty for that transgression.

      Putting him on the "no fly" list has nothing to do with the law. He wasn't convicted in court - no we just had a bunch of mindless beaurocrats take it upon themselves to start handing down punishment to whoever they don't like.

      --
      Avoid Missing Ball for High Score
    8. Re:Irresponsible researcher by AlHunt · · Score: 1

      >A responsible researcher could have created a proof-of-concept, and raised awareness
      > through media channels, research paper, blog

      I agree with what you're saying. The problem is that had he used the channels you describe, in 10 years we'd have 6 million reams of paper generated by the government to cover its ass but no solution to the problem.

      Remember - these are the same incompetent nitwits who can't fix potholes unless someone complains.

      --
      1 in 4 Maine children in struggle with hunger.
    9. Re:Irresponsible researcher by Rinzai · · Score: 1
      Dude. Pay attention. The guy published a way to produce false boarding passes and made a deliberate attempt to call attention to himself for doing it. He described the way in which it could be used, and even suggested that people use the web page to create fake boarding passes to go meet the grandparents down at gate 20. I think he needs a little reminder regarding what happens to people who do that sort of thing. (And is he really on the no-fly list? All I can see is blogger's opinions that he "may one day find himself on the no-fly list." It's not the same thing, is it? Don't presume facts not in evidence.)

      One more thing--I'm not going to accept commentary from someone who can't punctuate, spell "bureaucrat," or know the difference between "whoever" and "whomever." I've had the SWAT team called out on me twice in my life--you'll have to do better than that before you have anything to show me, punk.

      Mods -- do your worst.

    10. Re:Irresponsible researcher by soft_guy · · Score: 1

      You pay attention, asshole. No one appreciates your idiotic commentary. If someone breaks the law, they should be charged with a crime and taken to court. That's why we are a nation of laws, not just whatever some TSA monkey thinks might be a good idea at the time.

      --
      Avoid Missing Ball for High Score
    11. Re:Irresponsible researcher by The_Wilschon · · Score: 1
      It should also be noted nothing is free from flaws and no security will ever be perfect.
      You obviously skipped the formalism classes in computer science. I'm a physicist (we make notoriously bad programmers) and I know this. Programs can be proven correct. A program which has been proven to follow its spec exactly, running on a similarly proven hardware platform, is perfectly secure (assuming the spec is secure, which is not always a trivial thing).

      For something as allegedly important as airline security, the TSA ought to be doing a far superior job to what they actually are doing, which is wasting an awful lot of taxpayer money on PR to make it seem like they are doing something legit.
      --
      SIGSEGV caught, terminating

      wait... not that kind of sig.
    12. Re:Irresponsible researcher by Midnight+Thunder · · Score: 1

      For something as allegedly important as airline security, the TSA ought to be doing a far superior job to what they actually are doing, which is wasting an awful lot of taxpayer money on PR to make it seem like they are doing something legit.

      While I agree on the general point, this is where reality steps in. Simple well engineered and well architectured systems, with good specifications are usually near perfect. The problem is when you have politics, 'I know better' programmers, unnecessarily complicated code with bad assumptions, conflicting requirements and badly managed budgets everything looks like a road accident.

      With my quote of "It should also be noted nothing is free from flaws and no security will ever be perfect", I am probably very negative, but I see it more as my cynical point of view of the realities that step in.

      --
      Jumpstart the tartan drive.
  12. Airport Security is a joke by bigbadbuccidaddy · · Score: 5, Insightful

    Airport security is a joke, and all he did is point that out. I will point something else out. When I was waiting in the immensely long line for United Domestic Check-In, I noticed they controlled access to the door behind the ticket counter with a simple mechanical combination lock. I observed several United Airlines employees entering and every time I could clearly see the code being entered. I felt very secure.

    1. Re:Airport Security is a joke by smooth+wombat · · Score: 4, Insightful

      The biggest flaw in airport security is having large groups of people wait in closely packed lines to go through the check-in process.

      I guess someone standing there with a rucksack full of explosives and going BOOM during a heavy traffic time, say the day before Thanksgiving, never occurred to our overlords.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    2. Re:Airport Security is a joke by DerekLyons · · Score: 2, Insightful
      Airport security is a joke, and all he did is point that out.

      And that's the crux of the problem - he didn't act like a researcher (as he claims) and merely point a security hole (as you claim). He crossed the line from researcher to (potentially) criminal when he published a tool on the web that had no other purpose than to make it possible for others to circumvent security.
    3. Re:Airport Security is a joke by Echoez · · Score: 1, Insightful

      Your point is well-taken. In your case, the responsible thing to do then would be to notify the TSA and the authorities at the airport to your concerns. It would not be "research", however, to post the combination to that door on the Internet, or to reveal its location. This is analogous to what he did. It's one thing to point out flaws in order to help address them. It's another thing entirely to create tools and resources to help people exploit holes in the system.

      Airport security is not tight, nor anywhere near a bulletproof system. But his actions in no way benefit or ameliorate this system; it only had the potential to cause more problems.

    4. Re:Airport Security is a joke by RexRhino · · Score: 1

      Well, he figured that the only way they would FIX the security hole was to make it public. He didn't consider that Soviet style suppression of information would be how the U.S. government chooses to solve its security problems.

    5. Re:Airport Security is a joke by Archangel+Michael · · Score: 1, Insightful

      19 Hijackers killed some 4000 people, or about 200 people per hijacker. Totally destroyed several buildings, but all in a geographic location. Very spectacular. One building, in another geographic location, partially destroyed. One plane, completely missed.

      I suspect that if they coordinated across 20 of the largest airports during the busiest time they could probably do a lot more damage (kill more people), without having to go through any security. But see, that wouldn't be as "Spectacular" as having buildings crash down.

      Terrorism is a tactic, not the enemy. Islam isn't even the enemy, it is an ideology/religion. The enemy is RADICAL MUSLIMS*

      *Possible redundancy detected, please confirm. Y /N ???

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    6. Re:Airport Security is a joke by loraksus · · Score: 3, Insightful

      I'll have to admit that a small part of me wanted someone to drive up in a large vehicle and drive through the lines outside the airport killing and injuring dozens when the TSA retards had people lined up outside of the airport buildings in the last "security crisis"

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
    7. Re:Airport Security is a joke by loraksus · · Score: 1

      Because just pointing to a security hole would actually result in something getting changed.

      Clearly the TSA listens and has people smart enough to create countermeasures.

      Oh wait... Even after all this fucking publicity, the fucking hole is still fucking open, MONTHS FUCKING LATER.

      At least they're spending their (your) money on frivolous prosecution. That must be worth something right?
      Right?

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
    8. Re:Airport Security is a joke by letxa2000 · · Score: 1
      I observed several United Airlines employees entering and every time I could clearly see the code being entered. I felt very secure.


      And yet I'll bet if you had jumped behind the ticketing counter, entered the code, and walked through the door, you would have been taken down by authorities within a minute, tops.

    9. Re:Airport Security is a joke by onkelonkel · · Score: 2, Insightful

      And yet I'll bet if buddy puts on navy blue pants, navy blue jacket, a white shirt (or whatever UA employees wear), plus a nicely laminated photoshop badge, and walks around the end of the counter instead of jumping over, he'll have the run of the place.

      --
      None of them can see the clouds; The polished wings don't care.
    10. Re:Airport Security is a joke by CheeseTroll · · Score: 1

      You could do that anywhere, though. Who needs an airport line when there are crowded malls, city streets, etc?

      --
      A post a day keeps productivity at bay.
    11. Re:Airport Security is a joke by letxa2000 · · Score: 1

      I knew that was coming. It'd be a gamble, and it's going to ultimately depend on what's behind the door. I don't know what's behind that door. Maybe a code is adequate security considering what is (or isn't) behind the door.

    12. Re:Airport Security is a joke by maxume · · Score: 1

      You don't pet a dog to make it safe, you pet a dog to make it *feel* safe. Airport security does everything that the 'overlords' want it to do. When some new shit goes down, they can point at all the stuff they do that is supposed to keep us safe and say they were working hard.

      --
      Nerd rage is the funniest rage.
    13. Re:Airport Security is a joke by ChaosDiscord · · Score: 5, Insightful
      He crossed the line from researcher to (potentially) criminal when he published a tool on the web that had no other purpose than to make it possible for others to circumvent security.

      The purpose was to shame the TSA into fixing a problem which was widely known and publicized: August 2003 by security expert Bruce Schneier, February 2005 in Slate, February 2005 press release by a US Senator, February 2006 article in CSO Online. The TSA has been ignoring the problem for over three years. Bad guys have known about the attack for at least three years, possibly longer. For all we know bad guys are using it right now; we have no way of knowing. Even without Soghoian's program, it was really, really trivial to exploit; all you need is a very basic understanding of HTML, enough to change one name to another, to execute the attack Schneier described in 2003. The media has been letting the TSA continue to ignore this. If Soghoian had simply published a "I can make fake boarding passes and get into the "sterile" area of an airport" he would have gotten an article or two and nothing would have changed. By providing a working exploit things just became that much harder for the TSA. News coverage exploded. Finally something will happen.

      The TSA has proven itself grossly incompetant. There is little to no oversight and zero public accountability. Drastic measures were necessary, as rational measures have clearly failed. The really sad thing is even in the face of such a drastic failure, they're not fixing the core problem.

    14. Re:Airport Security is a joke by NeutronCowboy · · Score: 1

      Bingo! Someone mod this guy up. This is EXACTLY why all this claptrap offers merely the illusion of security. The "hijack a plane to fly it into a building" attack plan was obsolete even before the first plan had been fully executed.

      I'd say that the terrorists are actually aiming too high with their current plans of toppling buildings. Move 200 people into the US, equip them with suicide vests, and let them loose during Christmas shopping at various malls, local governments, parks and other well trafficked areas. The pandemonium would birth laws that will make the current ones look enlightened.

      We're lucky the terrorists haven't figured out yet that the best way to defeat the US is to have it defeat itself.

      --
      Those who can, do. Those who can't, sue.
    15. Re:Airport Security is a joke by bilbobob · · Score: 1

      hey, don't suppose you remember the combo? um, I think I left something in there by accident.

    16. Re:Airport Security is a joke by bloobloo · · Score: 1

      I, for one, do not welcome our never thinking about someone standing there with a rucksack full of explosives and going BOOM during a heavy traffic time, say the day before Thanksgiving, overlords.

    17. Re:Airport Security is a joke by bigbadbuccidaddy · · Score: 1

      A code, even if it wasn't plainly visible to everyone, probably isn't adequate security. I assume from the layout of the ticket counter etc. that you would have access to passenger bags there, at a minimum.

    18. Re:Airport Security is a joke by bigbadbuccidaddy · · Score: 1

      The hole was trivially easy to exploit. Microsoft Word makes it possible to circumvent security it.

    19. Re:Airport Security is a joke by kchrist · · Score: 1
      The enemy is RADICAL MUSLIMS*
      *Possible redundancy detected, please confirm. Y /N ???

      N

      If there were 1.4 billion radical Muslims on Earth, you'd know it. The world is not nearly that simple, sorry.
    20. Re:Airport Security is a joke by evilviper · · Score: 1
      I guess someone standing there with a rucksack full of explosives and going BOOM during a heavy traffic time, say the day before Thanksgiving, never occurred to our overlords.

      You'd probably kill more people if you walked in firing a handgun, than you would with a suitcase full of explosives.

      Every airport I've been to has extremely high ceilings, wide-open spaces, etc. With that, a bomb-blast will likely exert most of its energy upward and outward, leaving relatively few people seriously uninjured.

      Why do you think suicide bombers prefer enclosed spaces like trains, buses, and airplanes, to open-air areas? You can do much more damage, with much less explosive there.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    21. Re:Airport Security is a joke by jrockway · · Score: 1

      I, for one, do not welcome our never thinking about someone standing there with a rucksack full of explosives and going BOOM during a heavy traffic time, say the day before Thanksgiving, overlords.


      So you welcome them "going BOOM" in a shopping mall on the day after Thanksgiving instead?
      --
      My other car is first.
    22. Re:Airport Security is a joke by jrockway · · Score: 1
      It's another thing entirely to create tools and resources to help people exploit holes in the system.


      So, code is speech when it comes to decrypting a DVD, but not when demonstrating a flaw in "homeland security"? How convenient...

      The "problem" with Freedom (of speech; of software; of anything) is that people are Free to abuse the freedom. It's the price we have to pay for our freedom (freedom's not free), and I for one am willing to live with that. (In fact, I'm glad the guy forced the issue... now the TSA has to do something to fix it... they can't just sweep it under the covers.)

      I think, in summary, it's people like you that are ruining our society. Please be careful.
      --
      My other car is first.
    23. Re:Airport Security is a joke by couchslug · · Score: 1

      "I guess someone standing there with a rucksack full of explosives and going BOOM during a heavy traffic time, say the day before Thanksgiving, never occurred to our overlords."

      Then it's just another boring suicide bombing instead of a dramatic plane crash.

      Less entertainment value equals less terrorism value.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    24. Re:Airport Security is a joke by sponga · · Score: 1

      Add to that it would be so difficult in today's circumstances to even get in America and perform that act without being traced back to something that it is not even worth the resources of a terrorist group to target people in lines.
      Even the Israelis know this with the amount of bombings they get from those fucking cowards that blow themselves up with the ball bearings that they target packed discos and buses.

    25. Re:Airport Security is a joke by letxa2000 · · Score: 1
      Maybe, maybe not. I don't profess to know the floorplan behind the ticket counter but it's entirely possible that going through that door doesn't give them access to passenger bags. Maybe it's just access to private company bathrooms or the company break-room. We're all just speculating here, unless one of us has worked behind the counter at an airline.

    26. Re:Airport Security is a joke by Jah-Wren+Ryel · · Score: 1

      The TSA has proven itself grossly incompetent.

      Not true. The TSA is all about Security Theater - putting on a show to distract the masses from the facts. That is why this guy is being persecuted, he made it much harder for the audience to suspend disbelief and thus really was interfering with the TSA's mission. He should go to jail for that.

      --
      When information is power, privacy is freedom.
    27. Re:Airport Security is a joke by hawaiian717 · · Score: 1

      You mean like in these incidents, when someone drove into the Kahului, Maui airport? Fortunately in these incidents, nobody was hurt:

      http://starbulletin.com/2005/10/24/news/story01.html
      http://starbulletin.com/2004/03/03/news/story8.html

      --
      End of Line.
    28. Re:Airport Security is a joke by devilspgd · · Score: 1

      Since the problem hasn't been addressed in 3+ years of talking about it, a demonstration isn't inappropriate.

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
    29. Re:Airport Security is a joke by pipingguy · · Score: 1

      "You can fool all the people some of the time, and some of the people all the time, but you cannot fool all the people all the time."

      - Some guy

    30. Re:Airport Security is a joke by loraksus · · Score: 1

      Well, LAX had people standing outside in half mile long lines in front of the airport (as opposed to inside the terminal), but yeah.
      Even if you ignore the possibility of someone with malicious intent, having people stand around on the asphalt at a major airport was stupid and dangerous to those in line.

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  13. Not helping... by Anonymous Coward · · Score: 0

    If these people think that they're making air travel safer by suing/investigating someone who makes a blatant security hole public, they're diminishing my trust in their methods. Jail time doesn't scare a suicide bomber.

    1. Re:Not helping... by b0s0z0ku · · Score: 1
      Jail time doesn't scare a suicide bomber.

      Nor would a suicide bomber have publicized the security hole (if it *was* a security hole, since the only true security is physical security - metal/explosives detectors, x-ray machines, and armed pilots/sky marshals - having to show ID is just something to make the sheeple more comfortable). The suicide bomber would have used the hole if he could have and kept his mouth shut. So, the guy actually did the USA a service by publicizing the hole before it was exploited.

      Could it be that the airline management is pissed about possible loss of revenue due to fake boarding passes, so they pressure the TSA into doing something in the name of "security" (the Boogeyman of the Day).

      -b.

    2. Re:Not helping... by Zonnald · · Score: 1

      True, but a suicide bomber could have exploited the security hole and software that the guy made public. That is where I see his actions as being a problem.

    3. Re:Not helping... by b0s0z0ku · · Score: 1
      True, but a suicide bomber could have exploited the security hole and software that the guy made public. That is where I see his actions as being a problem.

      Not if there was good physical security, which is the only kind that matters. Remember that most suicide bombers only commit one crime during their lives, so there isn't any history of suspicious behavior.

      -b.

  14. MOD PARENT UP! by Anonymous Coward · · Score: 0
    He seems to know something others don't! Mod as "insightful" or something.

    >The blog is "27B Stroke 6"

    >And it's a "Brazil" reference, of course, which is nicely appropriate in this context...



  15. Re:Welcome to life under Occupation. Population Yo by MollyB · · Score: 1

    Suggestion for Rule #1 in LUO: No good deed shall go unpunished.

  16. Looks the same as the FBI investigation by Thansal · · Score: 1

    His blog (http://slightparanoia.blogspot.com/) has scans of the letter.

    Reading the letter makes it sound much like the case the FBI was working on against him (and subsequently dropped).

    All of the legalese (as well as I can read it) states is that you can't make these or hire someone else to make them.

    Well, he didn't, he just created a program that COULD. In this case (as with the FBI one) it all seems about intent...

    --
    Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
    1. Re:Looks the same as the FBI investigation by Zonnald · · Score: 1
      Was there a scan of the letter he sent to TSA (or whoever) to say: Guys, on a hunch that your system may not be secure, I have created a program which generates realistic boarding passes, in my opinion.
      With your permission I would like to take this to the next level and supply several anonymous passengers with these "boarding passes".
      I will supply the names and times that these people will be attempting to board, so that you can have hard evidence that this flaw in the system can have serious ramifications to Homeland Security (tm).
      Details of the flaw will be provided upon request. I await your response...

      Would that have been too hard?

    2. Re:Looks the same as the FBI investigation by bonoboboy · · Score: 1

      I'm personally not surprised that the TSA is taking up the same case and evidence the FBI was using. Robert Mueller (Director of the FBI) has been very careful in protecting his agency from certain scandals; for example, FBI agents were nowhere to be found any time the CIA used torture during any interrogation. Likewise, I wonder if he is worried about fallout if the public continues to question the methods and tactics used by certain federal enforcement agencies. He may well have decided that this investigation could put his agency in water that was too hot for his comfort. The TSA, on the other hand, appears to have little in the way of self restraint or ethical guiding.

    3. Re:Looks the same as the FBI investigation by loraksus · · Score: 1

      The only difference is that this case is being brought by people who have a vested interest in keeping their reputation "clean". Intent is also important on the other side.

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
    4. Re:Looks the same as the FBI investigation by westlake · · Score: 2, Insightful
      All of the legalese (as well as I can read it) states is that you can't make these or hire someone else to make them. Well, he didn't, he just created a program that COULD

      only a Geek would believe that this kind of argument plays well in court.

    5. Re:Looks the same as the FBI investigation by jrockway · · Score: 1

      Well, he didn't, he just created a program that COULD

      only a Geek would believe that this kind of argument plays well in court.


      Absolutely true. All the gun manufacturers are in jail because their guns killed people! Right?
      --
      My other car is first.
    6. Re:Looks the same as the FBI investigation by Thansal · · Score: 1

      umm, that is why the FBI dropped the case against him.

      --
      Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
  17. Proving a point is expensive.... by zappepcs · · Score: 2, Informative

    This is the same problem with all kinds of security systems/programs. How does one point out the error/flaws in said system without falling afoul of the law(s)?

    In this case, he would have been better off just telling people it could be done IMO. Just the same, if Kazaa isn't guilty, how can this guy be held responsible for what people did with his demonstration? If he personally used the fake boarding passes to fly and thus circumvent TSA rules, then he's guilty, should be punished. To demonstrate that it's possible doesn't make him guilty. Even making it possible for others to do so doesn't make him guilty of anything except making the TSA look stupid.

    Printing counterfeit money is not illegal... using it is. Normally, nobody would print it without the intent of using it, but in this case, the whole effort was to prove that it could be done and show that a fake boarding pass ruins security measures. If he can print fake boarding passes, any reasonably savvy group can. The manner used to demonstrate this flaw surely makes it impossible to not fix the problem?

    I hope that he is not slapped with huge fines...

    1. Re:Proving a point is expensive.... by TripMaster+Monkey · · Score: 3, Informative

      Printing counterfeit money is not illegal...

      Actually, it is:

      Manufacturing counterfeit United States currency or altering genuine currency to increase its value is a violation of Title 18, Section 471 of the United States Code and is punishable by a fine of up to $5,000, or 15 years imprisonment, or both.
      --
      ____

      ~ |rip/\/\aster /\/\onkey

    2. Re:Proving a point is expensive.... by Anonymous Coward · · Score: 0

      Printing counterfeit money is not illegal... using it is.

      Not true. Even taking and printing a full scale photo of any denomination of paper currency is highly illegal. Scanning a bill is also illegal. AFAIK, printing fake bills is a federal crime.

    3. Re:Proving a point is expensive.... by elviscious · · Score: 1

      "Printing counterfeit money is not illegal..."

      Actually it is. Despite that, I agree with you, the problem is not the fact that money is being reproduced, but that it is being used illegally. However, there is also a long history of counterfeiting being used to reduce the value of money. With that in mind, it is legal to reproduce a dollar bill, provided that the reproduction is sufficiently larger or smaller. I believe the proportion was 50% or 150% normal size.

      The gentleman being investigated by the TSA probably should have included a "This is an illegal reproduction" as text, as a watermark, or something else included in the image. At least then he would have had plausible deniability.

    4. Re:Proving a point is expensive.... by Chosen+Reject · · Score: 1
      You were gone for nearly three months and that is the best response you can come up with? If you made counterfeit US currency as a substitute for monopoly, it would have no value, thus it is legal. According to what you wrote, you could even alter a genuine $20 bill into a $10 bill and that would also be legal. But perhaps, you would have been more wise to read Title 18 section 471.

      Whoever, with intent to defraud, falsely makes, forges, counterfeits, or alters any obligation or other security of the United States, shall be fined under this title or imprisoned not more than 20 years, or both.

      Now we are talking intent. Thus, counterfeiting money that you never use is in fact legal. Read the whole page you linked to and then read the actual contents of the law, and you will find every time they talk about intent to defraud. Thus the original poster was correct in saying it's not illegal to counterfeit money.
      --
      Stop Global Warming!
      Just say no to irreversible processes!
    5. Re:Proving a point is expensive.... by Chosen+Reject · · Score: 1

      Actually, it isn't.

      --
      Stop Global Warming!
      Just say no to irreversible processes!
    6. Re:Proving a point is expensive.... by pla · · Score: 4, Insightful

      How does one point out the error/flaws in said system without falling afoul of the law(s)?

      Survey says - "Anonymously".

      He could have written his boarding pass creator as a flash app and uploaded it to Newgrounds. He could have posted a JS version on any of a number of blogs without using his own name. He could have even posted about it, with a link to an anonymously hosted applet, and probably made the Slashdot FP. He could even have gotten someone outside the US to host the exact same content, with all occurrences of his name replaced by "Mr. CheeseNips".

      But no. He had to use his own name, and therein lies his biggest mistake.

      Anyone who says we don't need anonymity just doesn't fear the government enough for their own good. And anyone who makes the government look bad without at least trying to hide their identity needs to study their history a tad more.

      I, for one, THANK Soghoian for exposing a glaring flaw in the farce we call the TSA. Not because it has made us safer (as we can see, they chose to shoot the messenger rather than, y'know, fix the goddamned problem), but because it has slightly reduced the false sense of security among the voting sheep.

    7. Re:Proving a point is expensive.... by Rinzai · · Score: 1
      To demonstrate that it's possible doesn't make him guilty. Even making it possible for others to do so doesn't make him guilty of anything except making the TSA look stupid.

      Apparently you've never heard of "conspiracy to commit" and "aiding and abetting."

    8. Re:Proving a point is expensive.... by ChaosDiscord · · Score: 4, Informative
      In this case, he would have been better off just telling people it could be done IMO.

      CSO Online told people about it in February 2006. Slate told people about it in February 2005. Senator Schumer told people about it in February 2005. Security expert Bruce Schneier told people about it in August 2003.

      We're more than a little beyond "telling people" being productive.

      Worse, apparently a proof of concept isn't enough. The TSA is busy trying to persecute the messenger, but they still haven't fixed the core problem. I'm sadly forced to conclude that the TSA will not fix a real threat to airline security until terrorists successfully exploit that threat. While honest people are stuck measuring their shampoo out of fear of a deeply implausible liquid-bomb threat, anyone with access to a printer and a reasonably plausible state ID can get into the "sterile" area of the airport. (I find it darkly humorous that the boarding pass vulnerability makes the cost of getting 30 ounces of liquid explosives onto a plane just 10 fake boarding passes for almost no cost and 10 evil conspirators.)

    9. Re:Proving a point is expensive.... by elviscious · · Score: 2, Interesting

      Hmm, you might actually be correct about that, although I will point out that doing so outside of the US is illegal regardless of intent. I think this is probably the more appropriate law for your example. So (standard disclaimer applies, ie. IANAL) as long as you make no attempt to actually pass these off as genuine (regardless of whether you receive any compensation) it appears to be legal. In the gentleman's case, I would probably argue that indeed he was passing them off as genuine, although probably without full regard to the consequences. A nice watermark on them still would have been a good idea.

      Regardless, you are correct about the counterfeiting being legal.

    10. Re:Proving a point is expensive.... by Chosen+Reject · · Score: 1

      You are quite right about the watermark. He could have saved himself a lot of trouble by doing that.

      However, I will also point that doing so outside of the US is still legal. The link you gave said that a person does 1) and 2) shall be punished, but it also says if the act would violate section 471, 473, or 474 and all of those refer to intent.

      Nevertheless, he could have saved himself a lot of headache.

      --
      Stop Global Warming!
      Just say no to irreversible processes!
    11. Re:Proving a point is expensive.... by dch24 · · Score: 3, Interesting
      Anyone who says we don't need anonymity just doesn't fear the government enough for their own good. And anyone who makes the government look bad without at least trying to hide their identity needs to study their history a tad more.
      Although I agree with you, can I rephrase that?

      Anyone who makes the government / any powerful organization look bad without at least pausing to think about the repercussions is foolish. Hiring a lawyer might be a good idea. Contacting the TSA and giving them six months notice is also a good idea. Contacting two or three major newspapers and letting them know about it is also a good idea.

      But for once, I think Chris Soghoian is brave to use his real name and not hide. If he is really willing to face imprisonment and fines to make the TSA more accountable, the USA safer, and the draconian new "security" measures less credible, he's brave and patriotic in my book.

      Just my two cents.
    12. Re:Proving a point is expensive.... by Vitriol+Angst · · Score: 1

      They are punishing him for the embarrassment.

      While the TSA might protect us from the lone nut job... it's just more or less a show, when Dubai owns ports and we just NOW started putting in Nuclear detectors. But they are at 10 ports -- which are posted.

      Wow, who could figure out which ports to use to sneak in weapons...

      Most of the security, is in the areas that are in contact with the public. Past the thin facade, I'm sure there isn't much going on. You can tell by the counterfeiting of boarding passes, that none of this was designed to thwart the professionals. The 9/11 folks were already on security watch lists yet were allowed in the country.

      Until we secure our LEADERS ... scanning grandmas shoes is a waste of time.

      --
      >>"ad space available -- low rates!!!"
  18. Re:he has it coming by GungaDan · · Score: 4, Insightful

    I *so* wanted to mod this post "troll," but that is unfitting - your ideas are not meant to provoke, but to unprovoke, and breed grudging contentment with the sad status quo. So no troll moderation for you. Sadly, there is no "defeatist fucktard lemming" moderation available. That would be fitting.

    --
    Eloi are stupid, throw morlocks at them!
  19. Re:he has it coming by Scarblac · · Score: 1

    Exactly, of course this is against the law.

    I'd also say it's deserving of a fine of around $100 or so, nothing more.

    And immediate job loss without privileges for several of the highest ranking managers responsible for letting the insanely lacking security system live for so long.

    --
    I believe posters are recognized by their sig. So I made one.
  20. Predicting the /. response by Anonymous Coward · · Score: 0

    "$11,000 per violation is ludicrous... he can't be held responsible for all those downloads by others."

    Follow this recent thread on Slashdot and replace 'Kazaa customer' with 'Chris Soghoian'.

  21. Oh Snap by TubeSteak · · Score: 4, Informative

    Wired doesn't mention it, but in the kid's blog, he links to a re-implementation of his boarding pass generator, this time using html & java.

    Coralized Archive of the mirror: http://geocities.com.nyud.net:8080/j0hn4dm5/forge.tar.gz

    The mirror:
    -http://j0hn4d4m5.bravehost.com/
    (Coral CDN didn't seem to work on it)

    Maybe now the TSA will actually do something about their security hole.
    Actually, I doubt it, but we can hope.

    --
    [Fuck Beta]
    o0t!
  22. Re:he has it coming by Anonymous Coward · · Score: 0

    >He wrote a tool to exploit a federal system, and he used it

    Did he use it? a fake boarding pass? I gave just a brief look at the story (sorry, should never RTFA) but I missed it.

  23. New Homeland Security Motto: by Lord_Slepnir · · Score: 2, Insightful

    "Homeland Security: We can't secure any of our borders, but we'll inconvenience hijackers by making sure they can't brush their teeth!"

    1. Re:New Homeland Security Motto: by Anonymous Coward · · Score: 0

      we'll inconvenience hijackers by making sure they can't brush their teeth!

      And in doing so, they'll exacerbate the problem as TSA will simply mistake the terrorists for the British.

  24. Security Threat by Archangel+Michael · · Score: 4, Interesting

    This whole airline TSA thing is a crock of BS. Over Kill.

    So, a bunch of terrorists captured a couple of airplanes and flew them into buildings. Yeah, a bunch of people died, which is tragic. And the Economy Burped, which is ... expected.

    However, we've learned our lesson, and have secured the airplanes better. In addition, I doubt, HIGHLY DOUBT, that they could get anywhere close to doing the same thing, given the same circumstances, mainly because the passengers wouldn't stand for it.

    Screening 80 year old grandmas of their knitting needles is stupid. Taking off shoes is stupid. Banning Liquids is stupid. For all the inconvenience of it all, it will not prevent someone from trying to by-pass whatever security is setup, and eventually they will succeed.

    I know for a fact that I could bring a knife on board a plane even today, even passing through all the security. They can't stop me if they can't see it. And there are such knives available.

    The point is, all this "security" isn't really designed to prevent hi-jackers, it is designed to placate the masses. See my sig for more info

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Security Threat by drinkypoo · · Score: 1

      Yeah, just put a plastic knife in your sock, underneath your foot. Bingo! You can slide right in with it. There are so many holes in TSA security that it's hard to know where to start pointing them out - and even harder to know when to stop.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Security Threat by Rombuu · · Score: 1

      know for a fact that I could bring a knife on board a plane even today, even passing through all the security. They can't stop me if they can't see it. And there are such knives available.

      I'd like to hear more about your invisible knives.

      --

      DrLunch.com The site that tells you what's for lunch!
    3. Re:Security Threat by Ezzaral · · Score: 1

      That's been my take on it ever since they went apeshit over security after 9-11. They slammed a bunch of kneejerk overreaction policies into place, made air travel a huge pain in the ass for the normal everyday person taking a flight, and pushed airline security hand-wringing to the forefront of everyone's eyes and minds - all to effect an illusion of having everything under control. I mean, just look at how hard they are scrutinizing us, it must be secure, right?

      Thanks TSA. Preventing us from traveling with a lighter and shampoo has made the US a safer place to fly.

    4. Re:Security Threat by b0s0z0ku · · Score: 1
      So, a bunch of terrorists captured a couple of airplanes and flew them into buildings. Yeah, a bunch of people died, which is tragic. And the Economy Burped, which is ... expected.

      The economy was starting to downturn months before 9/11 - I was taking off a semester from school and working. I wanted to take another semester off and move to Calif. for 6 months, and in October 00, there were still jobs available for the asking. By January 01, the supply of jobs had largely dried up.

      However, we've learned our lesson, and have secured the airplanes better. In addition, I doubt, HIGHLY DOUBT, that they could get anywhere close to doing the same thing, given the same circumstances, mainly because the passengers wouldn't stand for it.

      Actually, if they wanted truly good security, they'd hand out Tasers to randomly-selected passengers before boarding. Anyone trying anything overtly boneheaded will most likely get their ass (non lethally) zapped.

      -b.

    5. Re:Security Threat by Archangel+Michael · · Score: 2, Informative
      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    6. Re:Security Threat by kanweg · · Score: 1

      Ceramic knives, because they're not made of metal you can walk with them thru the Electronic Security Gates (not the first time I notice that Gates and security are mentioned in one sentence and that there's something bad with the security, but I digress). And they're extremely sharp (yes, Gates too, but I meant the ceramic knives). Of course, you don't need to buy an expensive knife, you just take your heavy glass bottle with liquor, which can serve as a multipurpose weapon and doesn't need to be concealed. Don't bring mother's milk in bottles. TSA wants it in the natural packaging.

      I have a nice dad and we go on holidays some times. On one of those occasions after 9/11 he noticed in the airplane that he'd forgotten to take his pocket knife out of his carry-on luggage. Here, that shows how nice a person he is. I didn't have to convince him not to hijack the plane knowing that nobody else had a knife.

      If he'd been a "researcher" he would have written the mistake on a piece of paper and stuck it with the knife on the cockpit door.

      Bert

    7. Re:Security Threat by Dog-Cow · · Score: 1

      I agree completely, and I'll go one further.

      Even if all passengers had to board naked and were not allowed any carry-on, there would still be successful hijackings if someone were desperate enough.

      The 9/11 hijackers used box cutters because they could. If box cutters were banned (they aren't anymore), the terrorists would simply have used a cord to strangle or threaten to strangle someone. Should we ban all cloth now because it could be used in a hijacking attempt? It doesn't matter what is banned. There will always be a way to threaten deadly force.

    8. Re:Security Threat by gosand · · Score: 1
      While a little more delicate, there are glass knives. And while not as sharp, there are some made of plastic.


      The thing is, *last* time it was knives. Next time it will be whatever they aren't looking for...

      --

      My beliefs do not require that you agree with them.

    9. Re:Security Threat by slim-t · · Score: 1
      However, we've learned our lesson, and have secured the airplanes better. In addition, I doubt, HIGHLY DOUBT, that they could get anywhere close to doing the same thing, given the same circumstances, mainly because the passengers wouldn't stand for it.

      It was shown by the 4th plane on September 11th that passengers won't stand for it, and they did stop the plane from reaching its target, but all of the passengers died.

      The only real airline security of course would be to seal off the cockpit, and fill the cabin with the gas the dentist uses and keep everybody in the passenger area "controlled". The terrorists will bring gas masks, so there will be automatic weapons to disable anybody who stands up.

    10. Re:Security Threat by Anonymous Coward · · Score: 0

      Even a sharp piece of plastic could do at least as much damage as a box cutter.

    11. Re:Security Threat by bonoboboy · · Score: 2, Interesting

      Agreed. The terrorist attacks changed *nothing,* unlike what so many political leaders have been telling us since moments after 9/11 occurred. Yes, it was tragic, but it wasn't the result of some mass terrorist uprising. There have always been terrorists, and there always will be. "Terrorism" is simply the buzzword of the decade, used to manipulate people to particular ends. I wonder how long it's going to be before certain unnamed agencies are bitch-slapped back into legal and logical operations.

    12. Re:Security Threat by maxume · · Score: 1

      It took all of 3 planes and 5 hours for the attack they used to become ineffective -- passengers crashed the fourth plane.

      I have heard a rumor, and I would love to see some real confirmation of it, that Northwest was not among the airlines attacked because they keep a pistol in the cockpit. Anybody?

      --
      Nerd rage is the funniest rage.
    13. Re:Security Threat by Anonymous Coward · · Score: 0

      Why go to all that trouble of trying to get a knife through security when you can just take a steak knife from one of the restaurants inside of the secured area?

    14. Re:Security Threat by Ezzaral · · Score: 1

      I wonder how long it's going to be before certain unnamed agencies are bitch-slapped back into legal and logical operations.

      Longer than many will probably like. A good number of people just take it on the chin and say "Well, if it's making me safer, they can do whatever they want." Demagoguery is a wonderful thing.
    15. Re:Security Threat by sking · · Score: 1

      terrorist a: hey, wouldn't it be funny if we could make everyone in america take off their shoes at the airport?

      terrorist b: yeah! let's find someone stupid enough to wear a shoe with explosives and give him a lighter that doesn't work! we'll put him on a flight and make sure someone knows about him.

      terrorist a: hahaha! hey, what if nobody could take shampoo with them on a flight? wouldn't that be a hoot?

      --
      The AntiJoey
    16. Re:Security Threat by OriginalArlen · · Score: 1
      Actually, they couldn't do it today for three reasons; "the passengers wouldn't stand for it" would be #3, behind #1 "cockpit doors are now locked and reinforced sufficiently to withstand prolonged attack with an axe", and #2, "aircrew will not open the cockpit door to hijackers under any circumstances, even if they line up every passenger and torture them to death". They're going to turn round and land at the nearest airport.

      Hasn't anyone done a chart showing the number of aircraft hijackings over the last few decades? Has no-one noticed that where there were often multiple hijacks or attempted hijackers every year, there are now effectively none - anywhere? Yes, that includes places outside the USA that aren't subject to the TSA security theatre. That's because our aircraft have the same reinforced doors and hijacker-averse aircrew. Nothing to do with Secure Flight or CAPPS or the TSA at all.

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    17. Re:Security Threat by Archangel+Michael · · Score: 1

      You sir, are an idiot.

      It isn't about taking shoes off, it isn't about screening grandma for knitting needles. It is about costing BILLIONS in wasted effort to contain something that isn't worth BILLIONS to protect, one airplane, full of people aren't worth "billions". Four Airplanes full of people aren't worth "billions".

      The mistake made was that we were taught to not resist hi-jackers, and to let them control the freaking plane, so that they wouldn't kill US. However that idea is now shot to hell, because we know that doesn't solve the problem.

      Resistance solves the problem. Resistance is the most effective counter measure against ANY radical element.

      There are schools now, teaching kids how to "rush" at a school sniper/killer (Columbine) type attacker. Throwing anything and everything at the attacker rather than hiding and cowering under the desks, waiting to be picked off one by one.

      BTW, I've read Sun Tzu, I only wish our politicians would.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    18. Re:Security Threat by Jehosephat2k · · Score: 1

      Gloria: Do you know that sixty percent of all deaths in America are caused by guns?
      Archie Bunker: Would it make you feel any better, little girl, if they was pushed out of windows?

    19. Re:Security Threat by hankwang · · Score: 1

      Hmm, the knives are made of zirconium oxide. Since it is an electrical insulator, it won't trigger the metal detectors, but zirconium is a heavy element and therefore will show up on the X-ray.

      Besides, the metal detectors are mainly sensitive to magnetic metals (iron, steel, nickel in coins). With nonmagnetic metals you need much more to trigger it. My brass belt buckle, metal frame for my glasses, and titanium watch have never set off the metal detector. I suppose you could make a knife out of bronze.

    20. Re:Security Threat by biglig2 · · Score: 1

      No need to just doubt they could repeat the 9/11 attack: that attack vector actually stopped working on 9/11 itself, when the passengers on the fourth plane charged the hijackers. If you are on a plane now, and someone tries to take it over with a knife, you know you're dead anyway, so most people will choose to spend the few moments they have left kicking the fucker to death. I would.

      --
      ~~~~~ BigLig2? You mean there's another one of me?
    21. Re:Security Threat by NormalVisual · · Score: 1

      Or put another way, *you* are ultimately responsible for *your* own safety, which is as it should be in a free society. As a group I think we (US citizens) have lost too much self-reliance in that area and expect the government to keep us safe on a personal level while not understanding that the government has zero legal obligation to do so.

      --
      Please stand clear of the doors, por favor mantenganse alejado de las puertas
  25. So what did we learn kids? by drgonzo59 · · Score: 2, Insightful
    Don't trust the government. Whenever you feel the "I just want to help" vibe coming on, rephrase that into "How can _I_ profit from this?". If he did that he would have sold his generator to al-Qaeda for cash and retired by now. He wanted to "help" and he got screwed!


    The thing is, Americans cannot understand how someone could possibly just "want to help" and not "want to make money". If such a thing happens, then surely they must be up to something, they are probably a terrorist and should be locked up anyway.

    1. Re:So what did we learn kids? by RingDev · · Score: 1

      Does he have Google AdSense on his page? ;)

      -Rick

      --
      "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
    2. Re:So what did we learn kids? by VorpalEdge · · Score: 1

      The thing is, lots of people outside the US cannot understand that our government is not representative of our people any longer. For you, I personally suggest removing the stereotype stick from your nether regions and getting a clue. I certainly do not condone my government's antics anymore, and most people I know don't either.

    3. Re:So what did we learn kids? by drgonzo59 · · Score: 1
      I think in case of the U.S., the government _is_ representative of the people. In fact that is the painful side effect of democracy. The "demos" are often not very bright.

      Yes, as hard as it may be for you (and me) to believe Bush is still president and a lot of people from the "red" states would still vote for Bush, would still condone war, torture and lack of privacy in the name of some "war on terror" (or as Borat put it "war _of_ terror"). So as dismayed as we are we are in a great minority, the whole state of Texas would probably rejoice at the arrest of Soghoian and would want him burned at the stake. The best you can do is make a lot of noise, write to your Congressman, try to educate people yourself hoping that they would listen to you.

      The main reason that in U.S. primary education is mandatory and free is so people could be educated enough to cast an intelligent vote. Unfortunately that system is not working very well...

    4. Re:So what did we learn kids? by LandruBek · · Score: 1
      the whole state of Texas would probably rejoice at the arrest ...

      Unless you live in Texas and know every Texan, STFU.
      --
      $META_SIG_JOKE
    5. Re:So what did we learn kids? by drgonzo59 · · Score: 1
      Thank you, my dear Texan. You have proved my point actually.

    6. Re:So what did we learn kids? by LandruBek · · Score: 1

      The problem isn't that you insulted "Texas," a state I have no connection to; it's your crude generalization about a whole class of people. It's straw thinking like this that perpetuates the racism and xenophobia that is making the "fear-the-terrorist" political platform so powerful. It's because of those attitudes that my civil liberties are being dissolved -- that's what makes me angry. Try these sentences on for size (while wearing your irony goggles):

      "So as dismayed as we are we are in a great minority, the whole state of Ohio would probably rejoice at the arrest of Soghoian and would want him burned at the stake."

      "So as dismayed as we are we are in a great minority, all the Whiteys would probably rejoice at the arrest of Soghoian and would want him burned at the stake."

      "So as dismayed as we Canadians are we are in a great minority, all Americans would probably rejoice at the arrest of Soghoian and would want him burned at the stake."


      This attitude is what feeds the problem. Free your mind.


      --
      $META_SIG_JOKE
  26. Re:he has it coming by PatrickThomson · · Score: 2, Insightful

    No, if he was a criminal he'd have kept it quiet and sold it. How do we know a criminal's version of this scheme wasn't already running? We don't, but we know that now it won't work. For every security researcher there are 3 self-serving fiscally-motivated elitist assholes and it is the security researcher's moral obligation to practice full disclosure (after giving the company notice and time to fix the hole).

    --
    I am one of many. My idea is not unique, nor do I expect my voice alone to sway you. I speak in a chorus of opinion.
  27. The terrorists have won by Anonymous Coward · · Score: 0

    It seems to me that the whole point of terrorism is to disrupt the normal lifestyle of those who are terrorized. The US government has often stated that they don't negotiate with terrorists. That's apparently true - they don't negotiate - they just capitulate and let them completely destroy the American way of life. BTW - I'm posting this anonymously so that I don't wind up on the no-fly list :-)

  28. Re:he has it coming by molog · · Score: 3, Insightful

    Like how ABC news had permission when they showed that they could sneak box cutters onto a plane, just 1 year after 911?

    Molog

    --
    So Linus, what are we going to do tonight?
    The same thing we do every night Tux. Try to take over the world!
  29. No-fly list? by theoriginalturtle · · Score: 2, Insightful

    Is that their latest pre-emptive penalty, sticking people they don't like on the no-fly list? While not legally in the same category as house arrest, by infringing on his right to travel, have they or have they not already imposed a civil penalty?

    I didn't actually see a citation of where he'd been placed on the no-fly list, can anyone find one and post it? Probably not, since the list doesn't even technically "exist" except as an abstract concept... sorta.

    I have to strongly disagree with the dude above who insists that what CS did was "wrong." He neither invented the method of subverting a broken access control system (it had been possible to alter boarding passes with a $50 scanner and a cheap inkjet printer for who-knows-how-long) nor did he encourage anyone to break the law. Worse, TSA's head-in-anus response only even more strongly points up the problem with DHS overall: we can't fix our problems, but we CAN harass people who point the problems out to the world in the hope we might actually do something.

    They're too busy making old ladies take off their shoes.

    --
    ---------------------------------------
    Rotate the pod, please, HAL....
    1. Re:No-fly list? by b0s0z0ku · · Score: 1
      Is that their latest pre-emptive penalty, sticking people they don't like on the no-fly list?

      I don't see the societal benefit of this either. He released the software, rather than selling it or using it for his own nefarious purposes. So he's unlikely to be "up to" anything evil. Since it's a government mandated list and not optional for large private carriers to follow, they should not place people (at least not US citizens or permanent residents[1]) on the no-fly list without trial.

      -b.

      [1]-> If someone in the US is suspected of planning a terrorist attack, they should be brought up on treason charges and a jury should be allowed to decide based on evidence. Petty penalties based on mere suspicion are unacceptable.

    2. Re:No-fly list? by finkployd · · Score: 1

      What, you didn't think it was to actually stop terrorists did you? We already know the CIA does not let actual known terrorists on that list because circulating their names widely would be a security violation. The no fly list has one intended purpose: Making you think they are doing something about terrorism. Anyone who thinks about it for a minute knows it is a "security theater" joke (like everything else the TSA does), but most people would rather just watch NASCAR and assume the government is looking out for them in a competent way.

      It seems an added side effect of the millions of taxpayer dollars wasted on this list was that it provides a nice legal way of harassing people they don't like. I don't understand how any of this can come as a surprise to someone.

    3. Re:No-fly list? by Anonymous Coward · · Score: 0

      I must have missed the "Right to Travel" amendment in the Constitution.

    4. Re:No-fly list? by jotok · · Score: 1

      In America, the government is supposed to work thus:

      - The Constitution enumerates exactly what the government is allowed to do
      - Everything else, the citizens are allowed to do

      You have things backwards.

  30. double jeopardy? by Joe+The+Dragon · · Score: 1, Interesting

    This may fall under double jeopardy

    1. Re:double jeopardy? by Anonymous Coward · · Score: 0

      This may fall under double jeopardy

      That phrase doesn't mean what you think it means. He wasn't already tried for it. Investigations don't count.

      Unless you're referring to that special square from the popular television game show...

      Bing! Bing! Bing!

      Alec: "This hacker was investigated by the TSA after the Justice Department cleared him of wrong-doing."

      No... I don't really see it...

    2. Re:double jeopardy? by westlake · · Score: 1
      This may fall under double jeopardy

      There is no "double jeopardy" until there is a criminal trial and acquittal.

      There is no double jeopardy if the second trial is on a different charge and requires proof of a somewhat different set of facts.

      There is no double jeopardy if the second trial or hearing is a civil action---no barrier to suing O.J. Simpson for wrongful death even after he has been acquitted of murder.

  31. Re:he has it coming by Anonymous Coward · · Score: 1, Insightful

    Hm I could swear I once heard something along the lines of government of the people, by the people, for the people.

    It's our obligation to watch the government, question it, and try to fix it when it's not doing its job. The airlines and the government were clearly aware of this problem as it had been "exploited" by a congressman a couple years back. This is a case of government employees covering their asses instead of fixing the problem. Soghoian publicized the problem because no one was doing anything about it.

    I'm glad to know there are some people who won't roll over saying the government always knows what's best for us. WE run the government and write their checks. Don't forget it.

  32. Re:he has it coming by d3fault · · Score: 2, Insightful

    Do you think the flaw ever would have been brought to attention had he gone through the proper channels? I for one am happy he did this and brought it to everyone's attention, once it's out like this it's hard to downplay and ignore.

  33. Re:he has it coming by Broken+scope · · Score: 2, Insightful

    So when normal attempts at bringing a problem to light fail because they are too lazy to fix what is found he should just drop it till someone with malicious intent finds it and then start screaming "I TOLD YOU SO!!!". Great idea, I'm sure that would console everyone who was hurt or lost friends and family because of the problem. Pardon him for not wanting people to get hurt first.

    --
    You mad
  34. Re:he has it coming by Brushfireb · · Score: 5, Insightful

    Nice Flamebait... But I'll bite.

    Your argument is simply foolish. The TSA is inept at running a dept, so they are also inept at hiring researchers or security folk to check up on their stuff. This is a government agency. This person committed no actual crime -- he didn't use one, and didn't even print one.

    The criminal would have kept this secret, and used it to his/her benefit by selling it to terrorists, criminals, or whatever. Those types of actions should be punished, SEVERELY!

    What did he do? He made us all safer. He did it by exposing how ridiculous the TSA is, and gave them all the knowledge to fix the problem. He did not personally gain from this experience. If anything, he has suffered already for it much more than he ever should have. I would feel differently if this was a private company and not a public-oriented service (like AIRLINE travel), to which my tax dollars go (both to bail out airline bankruptcy, as well as to operating the TSA).

    IU needs to stick up for their researchers, and foot the legal bill. I doubt they will, however, having been a past student, the administration at IU is pretty much inept equivalent to the TSA in my eyes.

    God forbid someone try to HELP the world...

  35. Re:he has it coming by Sargeant+Slaughter · · Score: 1

    The difference between a black hat and a white hat is one simple thing: PERMISSION. He wrote a tool to exploit a federal system, and he used it without permission. He is not a hero, he is not the good guy, he is a criminal. I'm sorry, but you need signed permission to do stuff like that.

    Wouldn't asking permission defeat the purpose?

    Ever heard of whistleblower laws to protect people who serve the common good?

    Don't you think we should be free to examine the system on our own?

    When nobody listens, sometimes you have to make a stronger statement. That's what he did and should be commended for it. I would guess that you think Diebold's e-voting machines are a good thing as well...

    --
    I hear and I forget. I see and I remember. I do and I understand. -Confucius
  36. Re:he has it coming by Anonymous Coward · · Score: 0

    So, this whole "who watches the watchmen" bit doesn't wash with you? How does it feel to be so servile?

  37. Re:Error by coolgeek · · Score: 1

    It's Twenty Seven B Stroke Six YIC

    --

    cat /dev/null >sig
  38. Re:he has it coming by Qzukk · · Score: 3, Insightful

    Well, his intentions were obviously meaningless, since I can apparently still print out my own boarding passes, legit or not.

    It's a shame the TSA people think just like you, if people would quit trying to kill the messengers, we might start seeing something that looked more like security and less like cronies securing contracts.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  39. You don't need a boat to get to Canada! by Anonymous Coward · · Score: 0

    Although you might need some grizzly bear rifles and a big sign that says, "I do not want to marry a homosexual man!"

  40. Simcurity: Fake Security by Doc+Ruby · · Score: 0

    The TSA will not bring any real charges against Soghoian. This entire exercise is pure simcurity, simulated security. The TSA runs a hollywood show for its political stakeholders, in Congress, the White House and in the media, to generate PR showing they're "tough on terrorists, strong on security". Without making us safer. In fact, putting us in danger, by ignoring real security requirements, creating security holes, suppressing serious research, and wasting time on this whole charade, when there isn't enough time, money, people, or actual resources to work on the real security work.

    Soghoian is being sacrificed to this simcurity charade. As is the confidence of the public, ironically the only worthwhile product of simcurity.

    The whole fake, yet lethal Bush simcurity apparatus has to be ripped out by the roots. We need more security than on 9/10/2001, not less. Congress should grab hold of the BS TSA next year and remake it according to our ranks of real security experts. Along with the rest of the leviathan Homeland Security Department, with its flagship FEMA. When Bush stands in the way, that will be even more reason to rip that terrorist incompetent, and his designated successors, out of the path of securing America.

    --
    make install -not war

    1. Re:Simcurity: Fake Security by b0s0z0ku · · Score: 1
      We need more security than on 9/10/2001, not less. Congress should grab hold of the BS TSA next year and remake it according to our ranks of real security experts. Along with the rest of the leviathan Homeland Security Department, with its flagship FEMA.

      I may add to this that it's citizens' responsibility to keep the country secure - this job shouldn't just be handed out to specialists. I'd not be averse to six months to a year of mandatory military training for all able-bodied citizens between 20 and 40 years old, with those wanting to choose the military or Guard as a career path being allowed to do so. Furthermore, unneeded obstacles should not be put in the way of citizens of good character acquiring guns - basically, a lot more states should be "shall issue" or even "issue by default" like Vermont and Alaska.

      -b.

    2. Re:Simcurity: Fake Security by Doc+Ruby · · Score: 1

      I've never heard anyone suggest 6-12mo mandatory military training, with only volunteer military enlistment. Like mandatory ROTC. It's a very interesting idea.

      There's about 1.2M highschool graduates this year, and supposedly 7.5M US citizens enrolled in the ROTC (though that seems high, and is uncited). It seems that the ROTC is already serving the right scale of enrollees. I'd favor replacing mandatory HS gym classes with ROTC for at least a year or two, required for HS graduation. Perhaps even mandatory service - but what do you do with AWOL HS dropouts, jail them? Force them into the program? In separate units?

      The problem I have is that militarizing the youth rebalances America's existing warmonger culture more towards the military mindset. Actual military experience can go a long way to disabusing the notion of blind authority obedience, but does a year of ROTC? Or does it just present the best face of the military: integration, opportunity, discipline, expensive toys, mayhem, fraternity (& sorority), a bad influence on American voters?

      I probably totally disagree with you about the necessity of obstacles to citizens getting guns, regardless of their "good character". But we'd probably agree that teaching everyone how to handle a gun would make those who get one for private use a lot more safe. And possibly make criminals expect more of their targets to not only have one, but to be able to use one, and to actually use it in an emergency.

      This is a compelling idea. Did you think of it, or did you hear it somewhere? Is anyone else talking about it?

      --
      make install -not war

    3. Re:Simcurity: Fake Security by Man+Eating+Duck · · Score: 1
      ... simcurity ...

      While I know it is a neologism, that word is possibly one of the more annoying words I know. It's up there with 'guesstimate' and 'edutainment/infotainment'. We already have perfectly good expressions that aren't inane.
      Sorry, just felt the need to say that, no offence to the good Doc.
      --
      Are you a grammar Nazi? I'm trying to improve my English; please correct my errors! :)
    4. Re:Simcurity: Fake Security by Mad_Rain · · Score: 1

      This is a compelling idea. Did you think of it, or did you hear it somewhere? Is anyone else talking about it?

      Yeah, Switzerland has a policy like this in place already.

      I guess my question is how the "differently-abled" would serve out their requirement. And how low would that threshold for "differently-abled" be?

      For example, one of my friends in high school was legally blind. He could march in marching band, and could drive a car (passably), but I would never want to have him behind the trigger on a gun. Or, let's say a teenager who is obese, and unable to meet a fitness requirement, how do they serve? Or what about the "If I had a gun, I'd get all Columbine up in this place," kinds of kids? Or the opposite-side pacifist kids? (The link from Wikipedia to the Swiss Armed Forces answers a few of those questions, but would they be applicable to the US?)

      --
      "What do you think?" "I think 'What, do you think?!'"
    5. Re:Simcurity: Fake Security by Doc+Ruby · · Score: 1

      It's etymologically correct (sim + cure + ity), sounds like it means, is easy to spell, and has few syllables/letters.

      Which word do you prefer to "simcurity"?

      FWIW, I like guesstimate and edutainment/infotainment. I also like "infotainvert". Which perfectly good expressions that aren't inane mean exactly what those words say?

      --
      make install -not war

    6. Re:Simcurity: Fake Security by Doc+Ruby · · Score: 1

      The military already has ways to use disabled people. Because they are "differently abled", though not necessarily able in a way that is more able than those without any specific disability.

      The US deploys troops abroad in a 6:1 ratio of "support" (everyone else) to "warfighter", at best. At worst, it's probably 10-20:1, like in Germany or Japan (or Canada, where it might be 50:1 or worse). Domestic deployment is much more "topheavy". Consider that 140K Iraq troops are probably 6-10:1, including National Guard (which has a much stronger warfighter ratio). That 100K troops, of whom maybe 20K are non-Guard warfighters, is draining the US warfighter pool to the breaking point (requiring all those Guard, and near-draft retention rules). Even though the total US military personnel is about 1 million people. That means that 2% of the military is Iraq warfighters, maybe 4-8% is global warfighters. Totally imprecise numbers, but those are the relative scales.

      That leaves at least 900K people who talk on the phone, use the Internet, drive around in shipping, cook food, repair machines. But mostly bureaucrats who go to meetings. That is apparently necessary to the way our military works (though a separate policy I favor would reduce all of that, especially abroad). I'm sure that the disabled would be productively used in that huge bureaucracy and operations dump. There's probably even a case to make that people paid disability welfare could contribute some of their abilities to the military, saving money. In the "mandatory ROTC", the disabled would just get trained for those extra jobs that do not demand strong health/fitness. While socializing them, training (even forcing) them to work, and probably making them a lot more fit than those sadistic yet pointless gym classes.

      "Misfits" like homicidal maniacs and pacifists (and just nonconformists all between) are a different story. There are lots of jobs as I just described that they could do without being near anything (or anyone) that goes "BANG". Many of those people, especially the homicidal maniacs, probably should go through some socializing program that helps them get over that just by seeing what it's really like to kill and die, watching those suited to do so. The military has a long history of figuring out which people are too dangerous to assign as killers, though it also gives us someplace "useful" to put those violent people.

      Pacifists are another story. Pacifism is too easy a copout - and I'm a pacifist. "Conscientious objectors" are relatively easy: put them in jail, minimum security, with alternate training available, for the duration of their service. With only other COs, most likely, if just for their own protection. No punishment, just call them on their conscientious commitment not to kill. To distinguish them from the rest of us less "moral" people who are committed mainly to "not dying", with "not killing" in second place. Real pacifists can't handle being part of a war machine any more than your blind friend can drive a car, so we have to put them somewhere that makes the same time and freedom sacrifices as the rest of us.

      But there's a lot more national service than just the military. The National Guard is primarily for nonmilitary disasters. With Climate Change, we have a lot more work coming down the pipes. There's border control, which can be treated more as legitimate domestic labor protection than as racism, and is popular in pockets across the political spectrum. A national "tutor corps" would really improve education, the best national security. And would probably be popular with a disproportionate amount of people too smart to be willing to kill or die for our country, and are looking at careers that allow them to avoid living for our country, too. There's all kinds of community service that's too good for petty criminals to work. And of course the military itself has plenty of work demand indistinguishable from civilian work/study programs.

      Maybe we just make the nonmilitary service last longer, like 1

      --
      make install -not war

    7. Re:Simcurity: Fake Security by Doc+Ruby · · Score: 1

      Moderation -1
          70% Overrated
          30% Insightful

      TrollMods can't stand hearing that Bush is a terrorist incompetent. So they will anonymously suppress any mention, rather than openly disagree.

      Is it any wonder that the president they worship created the TSA that is suppressing Soghoian? Why do they hate America?

      --
      make install -not war

    8. Re:Simcurity: Fake Security by Man+Eating+Duck · · Score: 1

      I might have come across a little harsh, sorry for that :)

      Anyway, I think it's more of a personal aversion. To me those terms seem constructed (well, duh) and unnatural, and I find them unaesthetic and inelegant. For instance, I prefer 'simulated security', which consists of well-established words with clearly defined meanings, one or more qualities of which 'simcurity' apparently lacks since you felt the need to explain the term in your post.

      If you use the term 'guesstimate' you're very imprecise. I have no idea how much confidence I should put in your answer. How did you arrive at your conclusion? Either you're guessing, or you're making an estimate based on interpretation of data in some manner, which one is it? In my opinion there is no 'in between' for which 'guesstimate' is an adequate term. It might be an estimate with incomplete data, but still an estimate. Or a guess. Whichever.

      Hmmmm, 'infotainvert'? I believe you're pulling my leg, sir. A Google search yields three hits, two of which point to the same Slashdot article where it was used by you, the third to a literally contentless site at www.infotainvert.com. My first impression is that it is constructed to ridicule exactly the contrived terms of which we are speaking.

      Besides, you will note that English is not my first language. In Norwegian, which IS my first language, people will sometimes try to bring similar terms into everyday use. They mostly have little luck for the same reasons I stated above. Maybe we just look at languages in a different manner?

      Let's just agree to disagree, shall we?

      BTW, otherwise your post was an interesting one. Going to bed now...

      --
      Are you a grammar Nazi? I'm trying to improve my English; please correct my errors! :)
    9. Re:Simcurity: Fake Security by Doc+Ruby · · Score: 1

      Ah, you're Norwegian. I couldn't tell at first, because your English is so impeccable. Though your extreme politeness in legitimately complaining seemed a little weird - though we do have plenty of Scandinavians in the Upper Midwest :).

      But I can understand your aversion to American neologisms, at least more than we Americans aver (pun to test your bilinguality ;). Americans, especially here in NYC, prefer the fastest combination of words to express an idea. That's why we call it "NYC", instead of "New York City", because it saves a syllable, and a lot of typing (and modulating the shift key).

      Personally, I think that value on abbreviation comes from our German immigrants towards the middle of the end of the 1800s. Many of whom became publishers, some of whom still dominate publishing, like at the NYT (NY Times) and other major periodicals. German efficiency, along with "neologisms" like the common German technique of combining words into very long ones, seems consistent with the abbreviations favored by New Yorkers, and the country we intellectually colonized here. Maybe Germans don't neologize in Europe (or verb nouns, as I just did). I don't really know where those long combinations of German words come from, or how they're "authorized", if at all. But in America, especially perhaps in old cities once English colonies, we like to have our own way with the Queen's English.

      I explained my "simcurity" neologism precisely because it is so new. English etymology is mostly "simple when you know how", more a mnemonic technique than an actual generative system, except in science. So I explain it for a while, until it's conventional. Like the process by which hyphenation disappears as the neologism gains currency.

      It does seem that we look at languages differently. I don't think our disagreement is due to your use of English as your second language. Because my second language is Spanish, in which I neologize and speak circuitously with my rusty facility and limited vocabulary. Maybe you're just a more precise speaker than am I, because you learned English from rigorous academics, while I learned to speak Spanish on the streets (after lots of ineffective academic training). I certainly love to neologize, and practice the art whenever I can get away with it.

      In any event, this has been a most agreeable disagreement. TTYL.

      --
      make install -not war

  41. Having it both ways... by Vellmont · · Score: 1, Insightful

    I didn't actually see the site while it was up, so maybe the guy actually DID this, but.

    To avoid being arrested, why not make the boarding pass have VOID VOID VOID printed all over it in such a way as it exposes the problem, but doesn't actually create a valid boarding pass. Then he would have violated no laws, AND exposed the poor security procedure at the same time.

    Once the story broke he could create a boarding pass that's given to someone that's authorized to test the fake boarding pass, or others could independently confirm that the fake pass would work by comparing it to a real boarding pass.

    Anyone know if the site did anything to show that the pass was actually invalid?

    It seems a bit foolish to put up a working system and not expect the government to go all apeshit.

    --
    AccountKiller
    1. Re:Having it both ways... by Mex · · Score: 1

      Well, the US Government allows guns, yet owning one is not a reason for anyone to go to jail. Just because he created software that *could* be used maliciously, he hasn't broken the law.

      "attempted to circumvent an established civil aviation security program established in the Transportation Security Regulations"

      As far as anyone knows, he did NOT personally attempt to circumvent the security program, and he did not encourage people to use it. He just said "You know it's possible to do this, you guys should be more careful."

      It's the same as saying "You know, you can make a BOMB by combining these chemicals". He doesn't go to jail for that.

      I read his blog, and it was clear he did it because he was concerned about the illusion of security from airports. He was just trying to help.

    2. Re:Having it both ways... by sbben · · Score: 1

      The site did not take any measure to avoid having someone use it (besides some warnings and stuff)

      There was another site that emerged after this one was shut down, and it did add some kind of Void marking on it.

      I think the real problem here is that the authorities do not understand how easy the exploit is and they think that by making this "generator" the site's creator made things so much easier. It's fucking html! Yeah you have to know something but come on. If boarding passes were hand written would they be surprised if they could be faked? What if boarding passes were word documents sent as an attachment? The average computer user can figure out how to edit that, right? Well copying the source of a page and dropping it in notepad isn't that much more difficult. Hell, you can hit save page and then pop it open in word. The average user I'm sure can do that. But somehow, his actions constituted an investigation. Politicians need to pull their heads out of their asses and get with the times.

      -my two cents

    3. Re:Having it both ways... by Vellmont · · Score: 1


      Well, the US Government allows guns, yet owning one is not a reason for anyone to go to jail.

      Guns have other uses than committing crimes. I see no other use for a system that produces a functioning boarding pass other than to break the law.

      Just because he created software that *could* be used maliciously, he hasn't broken the law.

      Maybe, maybe not. It doesn't sound exactly cut and dry. My point is really that he didn't have to pull this stunt that landed him in jail and facing possible fines to accomplish his goals.

      It's the same as saying "You know, you can make a BOMB by combining these chemicals". He doesn't go to jail for that.

      This wasn't an academic paper, it wasn't even code that someone had to download and run themself. This was a system that made the actual thing that presents a danger. If we take your analogy, it'd be like making a device that creates bombs at the click of a switch.

      I read his blog, and it was clear he did it because he was concerned about the illusion of security from airports. He was just trying to help.

      I'm sure he was, but that doesn't mean he wasn't extremely naive and stupid. I don't really know if what he did was illegal or not. I do know that it was potentially dangerous, really stupid, and could have been done in a much less dangerous way and accomplished the same goals.

      --
      AccountKiller
    4. Re:Having it both ways... by Vellmont · · Score: 1


      It's fucking html!

      No, actually it's javascript.

      Yeah you have to know something but come on.

      Actually I think that's kind of the point. The boarding pass was protected by some crappy, but unknown security measure. The vast majority of people would have no clue how to fake this thing. You'd have to reverse-engineer it to be able to forge documents. While I'm sure that wasn't terribly hard, it's near impossible for the vast majority of people.

      Giving the whole world a frickin website that's set up to print them out like hotcakes is just irresponsible. The LEAST he could have done is hidden the code inside a CGI on his website, and made it print VOID VOID VOID all over the boarding pass, including over the barcode. Then make a press release to all the media and they can go all apeshit about it. NWA and the TSA will all make dumb press announcements, but still look like idiots. And several months later maybe the system will have changed.

      Instead what happens is there's all this press about the guy going to jail, so the focus is on him instead of the dumb system they've implemented.

      --
      AccountKiller
    5. Re:Having it both ways... by Mex · · Score: 1

      "I'm sure he was, but that doesn't mean he wasn't extremely naive and stupid. I don't really know if what he did was illegal or not. I do know that it was potentially dangerous, really stupid, and could have been done in a much less dangerous way and accomplished the same goals."

      You know, we can argue the rest of your points forever, but I cannot deny this. He did come off as very naive, so I concede reason to you.

    6. Re:Having it both ways... by sbben · · Score: 1

      Giving the whole world a frickin website that's setup to print them out like hotcakes is just irresponsible
      What's irresponsible is the fact that boarding passes can be generated by the web (on sites like NWA) without any large security precautions.

      No, actually it's javascript.
      When I said it was html, I wasn't referring to the generator, I was referring to its output. It's text and a little barcode that we found out doesn't get checked until later on in the security process. You cannot say that editing text in word by saving the web page is beyond too many people's capabilities. Not a whole lot of reverse engineering necessary.

      The fact that he is being investigated for exercising only slightly more technical knowledge than the average person is what I have a problem with. If credit cards were printed on plain paper should I be in that much trouble for writing a little web app that automates the process? Was it that hard to do it without my generator?
  42. Re:he has it coming by drinkypoo · · Score: 1

    Uh, why should he pay a fine? He wasn't attempting to circumvent anything. If he's guilty of anything it's violating the airline's copyright on their logo.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  43. Seen this before by Nom+du+Keyboard · · Score: 1

    They're just not going to leave the poor guy alone. He embarrassed them, and they're going to make him pay and pay and pay. It looks a lot like getting on the wrong side of the RIAA. They can be entirely wrong, but it costs you a fortune and year(s) of your life to win, and then they only pay a pittance for all their unwarranted grief at best.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  44. go to bed without supper! by zeromorph · · Score: 4, Funny
    Chris Soghoian [...] is on the government's 'no-fly' list.

    Does that mean he is grounded for being naughty?

    That's unfair. Obviously he did his homework.

    --
    "Hannibal's plans never work right. They just work." Amy/A-Team
  45. Re:he has it coming by phoenixwade · · Score: 2, Interesting

    No, I strongly disagree. The DOJ has already decided he is not a criminal, or at least decided not to prosecute. TSA seems to be getting their panties in a wad because he pointed out that the system is flawed, and did it in such a way as to force them to fix it. However, he didn't defraud anyone. He didn't use the tool to fly or to even bypass security. Seems to me, that after 4 years of TSA "Security" (more actually, but let's count from 9/11) stupid holes like that one should have been fixed.

    --
    A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
  46. NWA Boarding Passes are just HTML by Anonymous Coward · · Score: 1, Interesting

    I'll probably be on the no-fly list soon for this, but it's worth pointing out that what Chris did to NWA's boarding passes could be duplicated by just about anyone without special software. While I don't agree with how he exposed the issue (he should have used a fake airline/pass to show the risk), it is worth exposing some very very bad software design. The real criminals here are the coders who developed the boarding pass system for NWA.

    The NWA online boarding pass generator uses HTML to render the boarding passes. There's no image processing or anything special involved in changing values on these. Just save it to your desktop, open it in your favorite text editor, and change the text. Bingo. You're flying first class.

    1. Re:NWA Boarding Passes are just HTML by Rinzai · · Score: 1
      Bingo. You're flying first class.

      No, you're not. Wouldn't work. Try as you might, you can't take the HTML output of the boarding pass and modify it to get on a different flight, change your class of service, or anything else your criminal little mind might conceive. You'd be caught at the gate trying to board, and then you'd have some explaining to do.

      That you think you can just means you don't know enough about the process to comment intelligently on it. Chris S. said it was possible, and he was wrong, too.

      The system was designed pre-9/11 to keep unticketed passengers from getting onto planes, NOT to keep people from cheating past the (at the time non-existent) TSA checkpoints. Right now the coders you so glibly classify as criminals are working to modify the system to allow web-based boarding document printing that isn't as vulnerable to the kind of hacking Chris S. came up with (and likewise, the Photoshopping of image-based documents, etc.).

      Meanwhile, let me remind you to be careful what labels you apply to people in your posts. You never know who might be reading what you write. Savvy?

    2. Re:NWA Boarding Passes are just HTML by Anonymous Coward · · Score: 0

      I think we've hit a nerve here and I take it you're one of the people who wrote the system in the first place.

      Chris' system gets people through the ID check, that's all he claimed. Of course your software wasn't designed to prevent this, since it wasn't a requirement at the time. However, as soon as the requirement changed, the software should have changed. That's where the criminality on your employer's end starts (aiding and abetting, as you mentioned in another post).

      I claimed you can print a boarding pass that gives you a first class seat. I assume there's a list on board of the people who should be in first class, but a good social engineer may be able to talk around that list with a valid looking document in his hand (remember, you use the real one to get on the plane). But, as you pointed out, I don't know enough of those details to be sure.

      But, I do know that the flawed design of the boarding pass generators enables both Chris' ID check exploit and the possibility of talking your way into a first class seat (I never claimed changing flights was possible, you'll still need your real pass to get through the barcode scanner - though those sometimes aren't working and I've boarded flights at the last minute by just flashing my boarding pass).

      Look, you wrote bad software and got caught for it. We all do it at at least one point in our career. Even pre-9/11, an experienced systems architect would have caught this. Learn from your mistake and allow others to learn from it. But please, don't pretend you didn't make a mistake. I'm glad that the powers that be are fixing this, and I'm very curious to see how they solve the problem without going back to using a medium that is difficult to acquire (e.g., magnet stripe boarding passes).

      Just to be clear: the design mistake was using a rendering technology and medium (HTML+JavaScript+Paper) that was trivial to exploit for forging documents.

  47. Final proof the no-fly list isn't about safety by Beryllium+Sphere(tm) · · Score: 5, Insightful

    There's no reason to believe he even might endanger any airplane that he boards. There's not even the thread of suspicion you'd get from guilt by association. There's no allegation that he has violent tendencies or has threatened violence.

    He's there because the no-fly list is a tool for control and coercion at the whim of the authorities without the restraint of statute or jury.

    1. Re:Final proof the no-fly list isn't about safety by rabiddeity · · Score: 2, Interesting

      Indeed. But keep in mind it's done with the complicity of the airlines. There's no law on the books that says a passenger on some list can't fly on an airplane, because that would be discriminatory, right? But an airline has the right to refuse service to anyone for any reason, and that's how they get around it. Hey, if you wanted to, you could always charter a jet and they can't stop you, assuming you have assloads of cash. So EACH AND EVERY AIRLINE delegates the responsibility of refusing service off to the TSA, ho hum, everything is legal. It also makes sure that the "oh shit, we screened the wrong person" stuff gets foisted off onto the TSA instead of the individual airlines. Yes, of course it's bullshit. Conspiracy? You tell me.

      This holds up against legal recourse because they refund your money or otherwise compensate you for your inconvenience (usually by giving you a ticket to a later flight, oh joy), thus keeping you from suing them for not providing a service paid for. Ideally you should be able to sue because they delayed your flight, you lost money because you missed a crucial business meeting from being delayed at security, etc. But for that reason, the airlines don't have a clause in their contract that says they HAVE to get you there on time. In fact if you actually read the contract you'll see that it leaves you with little recourse in the event of anything happening. Every plane in the fleet could be grounded because of incompetence and you have no way to sue them for breach of contract. None.

  48. Balancing act... by multimediavt · · Score: 1, Insightful

    I'm not saying that what the TSA is doing to this guy (or any of us) is right. I think it's blatant sour grapes! But, I don't condone Chris Soghoian's actions either. He should have "done the right thing" and approached the TSA *BEFORE* he made his findings public, and he certainly *NEVER* should have made his web app public. What he did was dumb and irresponsible, period. Was it illegal, ummm, that's up to the courts to decide.

    1. Re:Balancing act... by Anonymous Coward · · Score: 0

      Yes, but what is assumed in this is that the TSA would nicely listen to what he has to say. The problem is that in reality, they would prosecute him anyway for just "inventing" the idea. And then none of the public would even know it. At least this way, there's a public that has knowledge about this whole mess and can at least call out the government when they do something stupid. Sure, it wasn't the brightest idea in the first place, but at least we know about it and the TSA knows we know about it. They'd have a hard time just labeling him 'terrorist' and being done with it now.

  49. Re:he has it coming by rudeboy1 · · Score: 1

    BS.

    White hat hackers do things like this pro bono all the time. Perhaps you might recall when a security researcher found a critical flaw in the Cisco OS that could have potentially been exploited to bring down half the internet's backbone infrastructure? Or perhaps you might recall the time that a security pro found a rootkit on a Sony CD? If I went up to you and told you your fly was down, that is a white hat hacker exploit report. If I went up to you and stuck a red hot poker through your open fly, that is a black hat exploit.

    Though, I'm tempted to do that to you anyway, despite the color of hat I wear.

    This guy didn't exploit the issue, he immediately made the responsible party aware of the problem. I don't recall him ever flying on a bogus boarding pass. Learn the difference and stop preaching blindly.

    --
    Raging in an online forum won't do anything for the world around you. To see change, you must take action.
  50. Re:he has it coming by soft_guy · · Score: 1

    Uh, why should he pay a fine? He wasn't attempting to circumvent anything. If he's guilty of anything it's violating the airline's copyright on their logo.

    Wouldn't that be a trademark, not a copyright?
    --
    Avoid Missing Ball for High Score
  51. Why is that a problem? by Anonymous Coward · · Score: 0

    that's pretty much the end of my career here in the States.

    So what?

    Most Americans who have never lived anywhere else, or who immigrated from third-world countries, think the USA is the best place in the world to live.

    But if you travel to any pleasant country, you will find that lots of Americans have chosen to live there.

    YMMV, of course. But living in a country where the language is different from the one you grew up with is one of the most educational experiences there is, and you might eventually be grateful for the event which prompted you to leave the USA.

  52. Re:he has it coming by letxa2000 · · Score: 0, Flamebait
    I may cynical, but what this guy did was WRONG.


    The idiots here at Slashdot have modded you troll, but you are right.

    Legally, what he did was wrong. And it doesn't require a degree in law to know that.

    Second, what did he think was going to happen? It's one thing to state what everyone already knows: The security is a joke. But to demonstrate it in a way that makes the security easy to circumvent so that any idiot can do it is stupid. It serves no purpose. Consider the only three possible outcomes of this fiasco: 1) We can no longer print boarding passes at home, which really would annoy those of us who try to be as efficient as possible. 2) The security checkpoints would need scanners to scan the boarding passes to make sure they are real which is costly and just one more thing to slow down lines. 3) No change. It looks like we made it with #3, which was what I was hoping for myself.

    And as a traveler, what he did was wrong. Yes, we know the security is worthless but the last thing I want is more security on planes. We have too much as it is. Make an effort to make sure no firearms, explosives, or unusually sharp objects are let into the secure area and call it done. I don't want more security, I want less. And drawing undue attention to the weakness of the current system only serves to increase the probability of them implementing real security that is going to make air travel so inconvenient as to be useless. Sorry, I don't want that.

    So, basically, the guy that put up that boarding-pass generator is an idiot. Is he really a threat such that he should be on the no-fly list? No, of course not. But in this particular case, do I care? Nope. His little exercise had (and still has) the potential of making traveling less convenient for millions of people. So forgive me if I don't really care if his travel convenience is impacted.

  53. Nice in theory by MarkusQ · · Score: 5, Insightful
    A responsible researcher could have created a proof-of-concept, and raised awareness through media channels, research paper, blog etc. He should have also presented his research to the TSA and the airlines.

    You seem to be forgetting that that had already been done, up to and including having the information on how to create a fake boarding pass published on a congressman's web site for a year or so prior to his arrest. And yes, there had already been newspaper articles on it, and the TSA was either well aware of it and doing nothing or unaware of it even though it had been reported to them multiple times.

    Let's call this for what it is: trouble-making, not research.

    Ok, fine. It was trouble making. But for whom? It didn't lower airport security one iota. Anyone who cared about it already knew how to do it. What it did do, though, was make trouble for the fake "security" providers at the TSA, and point out the fact that they are ripping us (the taxpayers) off.

    We saw the same sort of misleading argument come up when people started pointing out that US Military personnel were being given ineffective bulletproof vests; somehow the people who were trying to raise awareness of the issue were supposedly "helping the terrorists." Which is just nuts. What they were doing is making things uncomfortable for the crooks selling the defective jackets, and having zero impact on the people wearing them unless and until they could raise enough awareness of the issue to get things changed--in which case their actions would have helped the troops, not hurt them.

    --MarkusQ

  54. Re:he has it coming by letxa2000 · · Score: 1

    Really? The story made headlines for a day or two at most. Then nothing. It's very easy to ignore and that's exactly what the government, TSA, and airlines appear to have done. And I for one am glad that was the reaction.

  55. Geez, didn't this guy realize that... by Kazoo+the+Clown · · Score: 1

    ...it's illegal to make the TSA look stupid?

  56. Mod parent down by Anonymous Coward · · Score: 0

    The enemy is RADICAL MUSLIMS*

    *Possible redundancy detected, please confirm. Y /N ???


    (-1, bigoted asshole)

    1. Re:Mod parent down by Archangel+Michael · · Score: 1, Offtopic

      Bigoted? Asshole?

      Okay, I'll feed the troll. WHY? Are you a muslim? You gonna kill me for suggesting such a thing? You gonna stab me and leave me dead with a note attached? You gonna threaten me and my family with death or dismemberment if I don't convert?

      Koran 5:33
      The Punishment for those who oppose Allah and his messenger is : Execution or Crucifixion or the cutting off of hands and feet from opposite sides or exile from the land.

      Okay, so maybe you aren't a muslim. Do you even know what Muslims teach from the Koran (see above quote). This is but ONE of many such verses, which require DEATH or dismemberment for Apostates and Infidels.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:Mod parent down by mojodamm · · Score: 1

      I'm not a Muslim. I'm not a Catholic. I'm not a Christian. But I'm also not blind. The problem is not with radical MUSLIMS, but radical PEOPLE. And just to add clarity; Exodus 22:20 "He that sacrificeth unto any god, save unto the LORD only, he shall be utterly destroyed." Leviticus 24:16 "And he that blasphemeth the name of the LORD, he shall surely be put to death, and all the congregation shall certainly stone him: as well the stranger, as he that is born in the land, when he blasphemeth the name of the Lord, shall be put to death." Acts 3:23 "And it shall come to pass, that every soul, which will not hear that prophet, shall be destroyed from among the people." Islam isn't the only religion to preach intolerance. Most followers of the Bible would likely argue that only a small radical slice of zealots would actually follow through with these things. I can imagine that the same might be said of followers of Islam and the quote you pulled...

      --
      I'd rather be an ignorant moron than an anonymous coward.
    3. Re:Mod parent down by Archangel+Michael · · Score: 1

      "Most followers of the Bible would likely argue that only a small radical slice of zealots would actually follow through with these things."

      Uh huh. Not blind? But unable to see the riots over a FREAKING CARTOON! When was the last time you saw a Riot in Texas because someone "insulted" Jesus? When was the last time you saw a riot in Israel when someone insulted the Jewish G-D?

      Uh huh. That's what I thought. Are you willing to die for your beliefs? You willing to kill to defend them? The war isn't over Terrorism, it is over Radical Islam*. They have proven their willingness to die and kill for it, they teach it, they live it. You willing to do the same to prevent it? Now, isn't that radical thought?

      *Possible Redundancy Error, please verify. Y / N ?

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    4. Re:Mod parent down by jrockway · · Score: 1

      > *Possible Redundancy Error, please verify. Y / N ?

      * Possible it wasn't funny the first time, mod down again? Y / N ?

      --
      My other car is first.
    5. Re:Mod parent down by mojodamm · · Score: 1

      http://en.wikipedia.org/wiki/Christian_Identity As I stated, there are religious zealots in every religion. Thanks for proving my point.

      --
      I'd rather be an ignorant moron than an anonymous coward.
    6. Re:Mod parent down by Anonymous Coward · · Score: 0

      Islam is the religion of peace, and I'LL FUCKING KILL YOU to prove it!!!!!!

    7. Re:Mod parent down by Archangel+Michael · · Score: 1

      CI is a FRINGE group, and not taught in "churches", at least as a matter of course.

      However, Radical Islam, is standard fare, and taught all over the place. I can name several prominent Muslim Clerics just off the top of my head. I cannot do the same for CI. Besides, when was the last time a CIer hijacked a plane, blew up a building, set an IED, destroyed a Mosque, Church or Synagogue?

      The problem here, is that you want to marginalize Radical Islam and make it seem like it is just a few wackos, when the reality is, radical = mainstream.

      Further, most "christians" are willing and do denounce violence from such groups as CIers. I have yet to see such boldness from the Muslim communities, except in VERY RARE CASES, and then, those people usually end up hiding for the rest of their lives. Do you remember Salman Rushdie? All he did was write a FICTIONAL NOVEL.

      Now compare to the violence associated with "The Last Temptation of Christ". Right, what violence. There wasn't any.

      While you may like to try to compare the extremes, but there is no comparison, because nominal Christianity and Judaism is not "extreme", whereas nominal Islam in its current state IS.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    8. Re:Mod parent down by mojodamm · · Score: 1
      CI is a FRINGE group, and not taught in "churches", at least as a matter of course.

      As someone living in the Southern United States, the so-called 'Bible Belt', I beg to differ. Good old Southern racism is, sadly, very much alive down here. It's passed down from generation to generation like a mutant gene, and it gets its roots from the 'fringe' religious ramblings of Christian Identity.

      However, Radical Islam, is standard fare, and taught all over the place. I can name several prominent Muslim Clerics just off the top of my head. I cannot do the same for CI. Besides, when was the last time a CIer hijacked a plane, blew up a building, set an IED, destroyed a Mosque, Church or Synagogue?

      Why did Buford O. Furrow, Jr. attack a Jewish Community center in 1999? Christian Identity.

      Why did Benjamin Smith go on a minority-targeted shooting spree in 1999? Christian Identity.

      Why did two members of the Creativity Movement attempt to blow up Black and Jewish landmarks in 2002? Perhaps you're starting to get the picture.

      It's a very parallel ideology. In fact, the head of the Ku Klux Klan, Posse Comitatus, and the Aryan Nation/Aryan Brotherhood, August Kreis, has recently reached out to al Qaeda in an attempt to form an alliance.

      The problem here, is that you want to marginalize Radical Islam and make it seem like it is just a few wackos, when the reality is, radical = mainstream.

      Please don't assume to know what I want, because I realize Radical Islam is more than a 'few wackos', just like EVERY religion has more than its share of 'wackos'. I'm just not getting my world-view spoon fed to me by my own religious leaders, and can see that the problem is not with any one religion in particular, but with any movement, religious or otherwise, that sponsors hate.

      Further, most "christians" are willing and do denounce violence from such groups as CIers. I have yet to see such boldness from the Muslim communities, except in VERY RARE CASES, and then, those people usually end up hiding for the rest of their lives. Do you remember Salman Rushdie? All he did was write a FICTIONAL NOVEL.

      Yes, most Christians do denounce the violence. Out of one side of their mouth, that is. The other is normally too busy spouting out propaganda against any religion, lifestyle, or medical procedure that they disagree with.

      Plus, it's a lot easier to play the 'concerned citizen' and decry the violence while sitting in a comfortable position within the highest populated religion in the U.S. Try to advance non-Christian views in a predominantly Christian culture and see how far that gets you. Probably about as far as advancing non-Islamic views in a predominantly Muslim culture.

      Now compare to the violence associated with "The Last Temptation of Christ". Right, what violence. There wasn't any.

      Oh? Tell that to the people injured by the Molotov cocktails tossed into the movie theater by Catholic fundamentalists. Scorsese himself stated that for over a year, death threats had him so scared he couldn't open his own mail.

      While you may like to try to compare the extremes, but there is no comparison, because nominal christianity and judaism is not "extreme", whereas nominal Islam in its current state IS.

      Nominal Christianity, Judaism, or Islam are not what I was referring to. I was just making a point that, like you said, there are 'wackos' in each and every one of them. And right now, with all the focus on the scary Muslim wackos, it's the rest that'll sneak up on you if you don't pay attention. While everyone keeps on worrying about all those terrorist attacks, civil liberties are being taken, scientific advancement is being squelched, and the gap between Church and State is shrinking at an alarming pace.

      As I stated, extremists are the issue. On that I think you agree. You state that the Islamic extremists are the norm, and according to population census when it comes to religious preference, that's utterly false. The radicals are driven by politics, using their religion as a means to an end, as a way to incite the sheeple, as a flag around which their flock can gather.

      Just like Christianity...

      --
      I'd rather be an ignorant moron than an anonymous coward.
  57. Re:he has it coming by letxa2000 · · Score: 0, Flamebait
    This person committed no actual crime -- he didn't use one, and didn't even print one.


    Really? Come on, I'll bet he printed one. I have no doubt he destroyed it, but if I were writing a system like that I know I'd at least print it to make sure it still looks good on real paper.

    What did he do? He made us all safer.

    How are we safer? I'm not aware of any changes to policies regarding home-printed boarding passes. And I'm glad there haven't been any changes to policies. But how did he make us safer? Even with his little system it was impossible to get on a plane anyway... it was just possible to go buy lunch at the McDonald's inside the security area instead of the one on the corner.

  58. Re:he has it coming by letxa2000 · · Score: 0, Flamebait
    TSA seems to be getting their panties in a wad because he pointed out that the system is flawed, and did it in such a way as to force them to fix it.


    Really? He forced the TSA to fix the system? Exactly how was it fixed? I can still print boarding passes at home and last time I was at the airport, the security checkpoints still weren't scanning them. So exactly how did he force them to fix it? The whole issue was swept under the rug, and I'm glad.

    We don't want real security. As it is now, we complain about the fake security because it's a hassle. Do you know what real security would be like??? Seriously, I'd just start driving anywhere on this continent and leave air travel for intercontinental travel--and only because my car doesn't travel well over oceans.

  59. Re:he has it coming by Daemonstar · · Score: 1, Troll

    I agree.

    The U.S. is a country of laws: we believe in the rule of law (before anyone comments, this is a standard question covered in Texas police training under the TCLEOSE module "The History of Policing"). Whether it was right or not, it was against the law. It is up to governmental authority whether or not to punish the individual.

    They have to weigh the fact that a) it was illegal, it was known by the individual that his actions were illegal, and he intentionally violated the law, and b) his actions publicized a major flaw in national security and personal safety, exemplifying how security could be circumvented even when the flaw was previously known.

    In hindsight, what he should have done was get in touch with the entity responsible for security of the airport and presented his evidence. This is analogous to the scientist that invents some "cure", skips FDA approval, injects himself, and it ends up harming himself and others. It also reminds me of the ST:TNG episode Force of Nature.

    While what he did was "noble" or "right", he went about it the wrong way.

    --
    I don't reply to Anonymous posts; if you have something to say to me, identify yourself or I won't reply.
  60. Re:he has it coming by dgatwood · · Score: 1

    People have been saying it for years. Last I checked, with E-tickets, you didn't even need a boarding pass---a printout of an email message was enough. (This should be changed if it hasn't already been.) The proper channels have repeatedly ignored complaints about this. As such, this guy should be protected by something akin to whistleblower laws, but I don't think there are any at the federal level except between employers and employees, sadly.

    The way I see it is this: the TSA gave the public their new clothes. All this guy did was take the blindfold off so they knew they were naked.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  61. Re:he has it coming by drinkypoo · · Score: 1

    Well, it would be both. Any artwork you create is automatically covered by copyright. Now that you mention it though, fair use is probably a defense - he was constructing criticism which falls under fair use law. Trademark, on the other hand, would likely nail him.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  62. Bruce Schneier on the matter by beej · · Score: 1
    I remember reading about this in the Cryptogram all that time ago. Why didn't they go after Schneier instead of this other guy?

    http://www.wired.com/news/columns/0,72045-0.html

    Soghoian claims that he wanted to demonstrate the vulnerability. You could argue that he went about it in a stupid way, but I don't think what he did is substantively worse than what I wrote in 2003. Or what Schumer described in 2005. Why is it that the person who demonstrates the vulnerability is vilified while the person who describes it is ignored? Or, even worse, the organization that causes it is ignored? Why are we shooting the messenger instead of discussing the problem?

    Because they couldn't take down the big fish, that's why.

  63. note address by Anonymous Coward · · Score: 0

    i suspect this is a locally initiated effort, not driven by hq.

  64. Exactly! As an example by Mycroft_514 · · Score: 1

    I found a security hole in a "secure" system used against pedophiles. I documented the system and submitted it thru channels to the proper authorities. I had to jump up a couple of levels before they could pay attention, but that is the way it is done.

    What this guy did is not research, but *IS* criminal.

  65. Re:he has it coming by loraksus · · Score: 1

    accountability, lol.

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  66. A little bit frightened by blankinthefill · · Score: 2, Insightful

    This is a little bit frightening to me, not because they're prosecuting him and all, because I've come to expect that, but because of where it could lead. We all know that security is never permanent. If there is a way to stop someone from doing something, there is a way around it. What happens when the government realizes this? Some of the cases that get pushed through, like this one (IMHO, anyways) are ridiculous, but what happens when the government realizes that it's just the tip of the iceberg? It sounds kinda funny now, but after seeing the ways in which the government has evolved over the last few years, I would believe anything of them. What happens when they start bringing cases against people who make a proof of concept? Once we know something can be done, the rest is relatively easy, right? So proving that something can be done is like telling the terrorists how to do it, right? Of course, once you think of an idea of how to do something, you've taken your first step on the road to making a proof of concept, am I right? I look at those last few sentences and it makes me shudder, how absurd the logic is, but it's all too familiar to me. It's very like certain justifications to get a hold on certain domestic phone records, or even records from your local library. I've always been of the opinion that America is the best place to live (for me, at least), but if thought processes like this continue to spread and grow, I don't know that America will continue to be a good place to live for very much longer. I like my freedom, and I am not willing to give up personal freedoms in order to lead a life filled with a false sense of security, under a tyrannical government that is unwilling to admit that it can and does make mistakes.

  67. Troublemaker==Felon? by Overzeetop · · Score: 1

    Okay, so it's not research. But he's also not at the center of some vast terrorist conspiracy to forge boarding passes and blow up the US. The trouble he made was not a serious threat to US security, and if it was we are in some deep fucking trouble because it's clear that the gatekeepers are asleep at the switch.

    No, he has already been treated to the "troublemaker" gauntlet, had his brush with the government and his future almost turned upside down. He's still a kid, and kids will do things without thinking (yes, you can be 25 and childish - the guy has probably never lived outside of academia). The TSA is now practicing a little mafia style justice for losing face to this guy.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  68. Al Capone... by metoc · · Score: 1

    was never convicted in criminal court. The IRS got him in tax court for not paying taxes.

    So Justice had their try. Now it's TSA's turn. Next the IRS will look over his finances looking for undeclared paypal donations for his defence, student loan fraud, etc. Next the army will conscript him under some secret law, and send him to Iraq. If they still can't get him there is always the RIAA & MPAA.

  69. Re:he has it coming by orkysoft · · Score: 1

    If that printout of that email message contains a security code, what is the problem?

    --

    I suffer from attention surplus disorder.
  70. "Homeland" by wonkavader · · Score: 1

    Yep. Gave me the willies, too. But that was nothing compared to my shock that the whole country didn't rise up and shout their own horror.

    We're surrounded by people who don't learn from history, or from reading at all. Presumably because their lips get too tired.

  71. Who needs a knife? by rbochan · · Score: 1

    All you need is a couple of Christmas presents.

    --
    ...Rob
    The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
  72. Get used to it by iviagnus · · Score: 2, Insightful

    That's the United States today, unfortunately. If I had the financial resources I'd move to Europe, Russia, Asia, Australia, anywhere other than here. Anything is better than the $@&^ed-up crap our government is getting away with now. They are a bunch of psychopaths that can't stand to have anyone smarter than they are (which is any non-government employee) point out their flaws. I'll be glad when the common people of this once great nation are fed up and take it back. Terrorist attacks on the United States and abroad have brought out the worst in our government . . . so much so that we're hated around the world by everyone not a government scumbag. Losers!

    1. Re:Get used to it by /dev/trash · · Score: 1

      Europe and Asia are not countries.
      And Russia? I'd do some research.

  73. Re:he has it coming by CrazedWalrus · · Score: 1

    At least with Continental's E-ticket, there's a bar code on the printout. They scan that and check it against your passport before allowing you on the plane. So not only do you need to have the printout, which could be easily faked, you have to have a barcode number that associates with a record in their database which matches your passport, which is a hell of a lot harder. You'd have to have a fake passport as well. Not impossible, but certainly less trivial.

  74. wait... by UrktheTurk · · Score: 3, Insightful

    They put the guy who can forge boarding passes on the no-fly list? does anybody else find that kinda... i don't know... retarded?

  75. Hey, look, the investigator's name and phone #... by loraksus · · Score: 2, Informative

    How about giving him a call and talking to him about this situation...

    James A. Roberts
    (317) 390-6916

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  76. Feynman's "trivial" by Oriumpor · · Score: 1

    I was reading Feynman's memoirs just before I read this, so please excuse it; it did affect me a little. What may be perfectly easy to understand to a game theorist and can be summed up in one dilemma can easily take a few dozen pages to describe to the uninitiated. Similarly there are years of courses to understand the basic foundation upon which theoretical mathematicians don't even have to think of consciously. And finally what to a hacker may be plain as day may be completely counterintuitive to the way the rest of the world thinks. (In this case, any output can be converted to input, and fed back out again.)

    Further, because the concept is known by a vendor as a "possible" problem, doesn't mean they will address it. By creating an interface for even those unfamiliar with the theory, the concept became a reality. On top of which, there is innate skepticism from the part of the vendor (for the most part) that their product could be broken in such a "trivial" manner; or put another way big head smackers sometimes take simple examples.

    1. Re:Feynman's "trivial" by Anonymous Coward · · Score: 0

      Put another way-- I used to work for a company that didn't change passwords to a web interface after laying people off. That interface was accessible from anywhere, not from just within our intranet.

      After receiving permission from my manager, I accessed the web page from outside the network.

      They freaked out and yelled at my manager, but the hole was closed the next day.

  77. Re:he has it coming by soft_guy · · Score: 1

    Well, it would be both. Any artwork you create is automatically covered by copyright. Now that you mention it though, fair use is probably a defense - he was constructing criticism which falls under fair use law. Trademark, on the other hand, would likely nail him.

    You can use other people's trademarks, you just have to (sometimes) acknowledge their trademark. For example, Macintosh is a trademark. In some uses, you'll see a thing that says "Macintosh is a registered trademark of Apple Computer Inc." However, you don't see that disclaimer in people's slashdot posts or on blogs every time they refer to the Apple Macintosh. I seriously doubt he'd be nailed for trademark infringement (cause he ain't selling anything).
    --
    Avoid Missing Ball for High Score
  78. Re:he has it coming by kinglink · · Score: 1

    I think it's more than permission, the difference in a black hat and a white hat comes down to real intentions. Saying you're trying to inform people means bullshit because it's just that. If you want to inform people, inform people of the problem as well as the airline, mention you have a working prototype but that's it. Don't start handing it out blindly to random people.

    Just because you have a new technology doesn't mean make it available to everyone without at least trying to inform those who should be informed. That means TSA, DHS or whatever group. If you did this for better security work WITH them. Acting like they should automatically know what you've done is just stupid, whatever his purpose it wasn't done the correct way, which means in the end it wasn't done for the right reason. If you honestly think it's something to expose, start by telling the company and if they insist it's unimportant that's when you announce it to the world. If it is still ignored then you should consider sharing instructions/devices/ or whatever with the world.

  79. Re:he has it coming by Anonymous Coward · · Score: 0

    It's trademark infringement if it can be reasonably confused with the genuine article. These boarding passes purported to be genuine, so it is infringement.

  80. Ironic Reaction... by evilviper · · Score: 2, Funny
    Chris Soghoian, the Indiana University PhD student who created an online boarding pass generator for Northwest Airlines to highlight security holes is on the government's 'no-fly' list.

    Does NOBODY see the irony here?

    The government is putting him on the No-Fly list, BECAUSE HE RELEASED A PROGRAM THAT ALLOWS PEOPLE TO CIRCUMVENT THE NO-FLY LIST.

    So this helps, how?
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  81. Re:he has it coming by mdw2 · · Score: 1

    What he did was illegal but it was not wrong. While this is a point of semantics, it is a very important one.

    --
    This sig intentionally left blank.
  82. I'm ashamed... by Phillup · · Score: 1

    Shame on us! Shame!!

    I'm ashamed to live in a country where so many idiots are in positions of authority.

    (cue up the "then leave" remarks in 3... 2... 1...)

    --

    --Phillip

    Can you say BIRTH TAX
  83. Re:he has it coming by dgatwood · · Score: 1

    That would be an electronic boarding pass if it has a bar code.... Maybe they've changed this since I last flew an airline that did this. Not sure. I just remember being able to get a boarding pass at the gate if you had no luggage. I'm pretty sure that was after 9/11/01, but I may be wrong.

    Again, none of the things being discussed would get you on a plane, just into the terminal itself. The point is that requiring a boarding pass to access the terminal is basically a no-op security-wise. It neither adds to nor detracts from security. Similarly, requiring a photo ID effectively becomes a no-op as a result of checking it against a printed customer name rather than the ID on a computer screen after scanning the barcode on the boarding pass.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  84. Re:he has it coming by dgatwood · · Score: 1

    That the security code is just a string of six letters and numbers, and that I've never seen the people at the checkpoint check that code against anything.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  85. repeat after me by drDugan · · Score: 1

    Victimless crime
    Victimless crime
    Victimless crime

  86. Re:he has it coming by Anonymous Coward · · Score: 0

    The parent is NOT flamebait. I encourage the moderators to fly El Al sometime. That's real security. If TSA (or whatever agency replaces them when they implode) were to implement that level of security the American people would run to the ACLU. People want it both ways. Sure, banning water is ridiculous (and I have some understanding of the threat posed by liquid explosives), and TSA shoots itself in the foot on a regular basis, but truly effective regulations wouldn't be tolerated. (There you have it. Mod down at will. :-)

  87. Re:he has it coming by Schraegstrichpunkt · · Score: 1

    How do you avoid corruption in a democratic state, if the people themselves aren't able to audit the actions of the state? By asking permission from the corrupt?

    That's what this is. A bunch of people taking paychecks from the people, while not actually doing their jobs, and then when someone blows the whistle, it is the whistleblower who gets punished. That sounds exactly like the situation in China, where---*surprise*---corruption is rampant.

  88. Re:he has it coming by Schraegstrichpunkt · · Score: 1

    How are we safer?

    We now have a better understanding of the risks of airline travel; We have less of a false sense of security.

  89. Re:he has it coming by Anonymous Coward · · Score: 0

    The parent is NOT flamebait. I encourage the moderators to fly El Al sometime. That's real security. If TSA (or whatever agency replaces them when they implode) were to implement that level of security the American people would run to the ACLU. People want it both ways. Sure, banning water is ridiculous (and I have some understanding of the threat posed by liquid explosives), and TSA shoots itself in the foot on a regular basis, but truly effective regulations wouldn't be tolerated. (There you have it. Mod down at will. :-)

    You mean zero?
  90. Re:he has it coming by letxa2000 · · Score: 1
    Most of us already knew this, and less of a false sense of security does not increase our safety, it just makes us aware of what our safety is.


    Oh, and what idiot moderators moderated my original post as flamebait? I hope you get meta-moderated.

  91. Re:he has it coming by Anonymous Coward · · Score: 0

    But, you don't actually buy boarding passes -- you buy the service. If you used this pass, you would get the genuine article -- a flight on an NWA-owned plane. It would be trademark infringement if you built a whole airline and used this logo for your planes. Selling these passes for the purpose of illegitimately receiving airline travel would just be fraud.

  92. Re:he has it coming by dch24 · · Score: 1
    I want to argue your point based on the letter from the TSA.

    First of all, I think the rule of law is extremely important. The laws (at least in theory) represent the rules agreed to by the people and until the people choose to rewrite them, everyone should abide by them. This allows citizens and foreigners stability (as opposed to anarchy) while giving them control at the same time (as opposed to a dictatorship).

    If the laws offend some citizens, they must pursue the legal process for changing them, but not violate them. I think most of the posts today complain that the laws aren't fair, etc. There are ways of having them rewritten. I'd like to see them rewritten. This farce where a well-meaning individual must risk their career to make a difference in the security practices of the TSA could result in a new bill that more clearly defines such things (cited in the TSA letter) as:
    1. "fraudulent purpose"
    2. "circumvent any security system"
    3. "enter ... a secure area"

    To see changes though, this would have to motivate the people. So far, the voters of the USA have chosen to leave things alone. Apparently, the TSA is doing just fine according to most Americans.

    Further, I think the case can be made that Chris is innocent of the charges.

    1. "fraudulent purpose": Chris has clearly stated his purpose. In particular, "3. Demonstrate that the TSA Boarding Pass/ID check is useless" does not represent fraudulent purpose. Senator Charles E. Schumer demonstrated the same thing and is likewise not guilty of any fraud. Their intents were clear, and they made no attempt to either create, use, or cause others to create or use a fake boarding pass.
    2. "circumvent any security system": this is essentially the same claim. By publishing a program which automatically generates "valid" boarding passes, both Charles and Chris have acted to preserve security by publishing the method of operation of the system. Not only is this protected by the First Amendment, it is not circumvention unless action is taken to attack the actual systems in operation. Neither Chris nor Charles have entered secure areas without authorization. They have not caused others to do so. They are only guilty of revealing the method in use.

      If a system fails to control access when its encryption becomes public knowledge, it is not a secure system, in the same way that DRM can never stop piracy. This is immaterial to the case, however, since Chris only provided a web page to generate encrypted data, and did not reveal the key.
    3. "enter ... a secure area": if the TSA has evidence that anyone has successfully entered their secured areas, I propose they present it in the court case. As a corollary, Steve Ballmer has said that linux users have "an undisclosed balance sheet liability," and he is likewise welcome to provide evidence of that liability. Innocent until proven guilty. However, in Chris's case, he has stated that he did not even print a boarding pass, much less get through security at an airport. What if there is a bug in his code and the pass does not actually work? He won't know. That wasn't his purpose.

    This is analogous to the scientist that invents some "cure", skips FDA approval, injects himself, and it ends up harming himself and others.

    I can see your point. However, what Chris has done is akin to publishing a Star Trek replicator's database entry for borg implants. He knows they are dangerous. He also knows that others (like Senator Schumer) have previously published the same information. If someone chooses to load the database entry into their replicator (they would have to intenti

  93. Re:he has it coming by letxa2000 · · Score: 1
    I'd say it was illegal and wrong. It served no purpose. It showed that security was weak which is something that anyone with more than a few days of experience with desktop publishing or Powerpoint already knew. The authorities keep doing their security to act like they're doing something and we, travelers, go through their hoops so that we can all act like there is security when, in reality, we all know there isn't. We all know it's B.S., but the politics involved don't permit the politicians to come out and say, "Hey, we can't make this 100% safe unless you're all willing to travel with no carry-on baggage and if you're willing to strip out of your clothes at the checkpoint and check that to your destination, too." Politics doesn't permit that because the other side would just turn around and say the side saying it is "weak on terrorism." So the politicians keep up the farce, and so do we so we can just get to our destination. The last thing we want to do is give the idiotic politicians reason to get serious about security.


    Was it illegal? Obviously.

    Was it wrong? Elsewhere in this thread I've already said why it was, but basically: 1) He risked causing an inconvenience to travelers if the governmental response was to reject home-printed boarding passes. 2) He risked increasing security checkpoint delay times because the security people would have to scan the boarding passes to make sure they were real. 3) He didn't publicize anything that anyone with an ounce of computer skills didn't already know.

    So, basically, his exercise was pointless, accomplished nothing, and had the possibility of inconveniencing a lot of people. That's "wrong" as far as I'm concerned. If you're going to inconvenience people, there damn well better be a better reason than making some headlines for your 15 minutes. And if you're going to make a public website that allows people to print bogus boarding passes in this political/security environment, forgive me if I don't really care if you later complain that you've been added to the no-fly list.

  94. Re:he has it coming by TommydCat · · Score: 1

    You're wrong :) I've tried this a few times since 9/11 at various airports since I usually just have a carry-on.

    I did find it interesting that Alaska Airlines still has self-service kiosks at some airports (San Diego, for instance) in the gate area. When asked about that, they told me it would be too expensive to remove them in hopes they can use them again sometime, as well as the occasional traveler connecting through a non-partner airline could use it without going through security.

    --
    This comment does not necessarily represent the views and opinions of the author.
  95. He'll have to defect to Russia by flyingfsck · · Score: 1

    Or maybe he can dig a tunnel to Mexico. He can't use an existing Mexican tunnel, due to all the oncoming traffic...

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  96. Bingo. by attemptedgoalie · · Score: 1

    One of my favorite Archie-isms.

    --
    My mom says I'm cool.
  97. What TSA really stands for... by Anonymous Coward · · Score: 0

    Too Stupid for Arby's (USA fast food joint)

    Too stupid to work there, so they're TSA instead. These folks are the lowest form of law enforcement, unable to even qualify as rent-a-cops. Don't you *feel* safer, citizen?

  98. I would suggest leaving the new Stalinism.... by gweihir · · Score: 1

    Seems to me this is all not about security. If it were, they would welcome the guy. This is really about dominating the population. ''You have an inconvenient opinion? Sorry, our software says you are a potential security risk. No airtravel for you....''

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  99. The Government's Message To You: by FFFish · · Score: 1

    Don't fuck with us, because we'll fuck with you.

    It's disappointing how far things have gone off-track.

    --

    --
    Don't like it? Respond with words, not karma.
  100. You are wrong by aepervius · · Score: 1

    The TSA guys aren't idiots. They do not want to investigate the kid to make the problem go away, they want to send a STRONG message to other kids, or heck, security researchers: "do the same stunt and we will make sure you will be sooooo buried in shit that you can say goodbye to your career, flying/travel freedom, and peace of mind". In other words they are trying to implement self-censorship through fear.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
  101. stating the obvious.. just a thought. by zuki · · Score: 1

    It goes without saying that for anyone gullible enough to think that they can get away with doing something like this under their real identity... (fill in the blanks)

    This is the one time where I would categorically have advised to consult with an attorney beforehand, so that he could have understood the type of trouble he might be in for pointing this out the way he did, and releasing the software in the wild.

    It really doesn't seem very smart to go about it headfirst like this, and he is paying for it now.

    Maybe we need 'whistle-blower lawyers', or at least courses in responsible and perfectly safe whistle-blowing?

    There has to be a better way to force the TSA to fix their flaws.

    Z.

  102. Re: Irresponsible? by fahrbot-bot · · Score: 1
    He should have also presented his research to the TSA and the airlines.

    <conspiracy theory>
    I know this is an extreme comparison, but how'd that sort of thing work out for Karen Silkwood? She went old-school public and got killed! Perhaps the immediate notoriety offered by the web is "safer".
    </conspiracy theory>

    --
    It must have been something you assimilated. . . .
  103. Thousands Standing Around (TSA) by t00le · · Score: 1

    Well at least they are doing something proactive to catch kids wanting to see mom/dad at the gate.

    I always thought they were strictly reactionary and look for things that have already happened?

    --
    When the only tool you have is a hammer, every problem looks like a nail
  104. Well.. by The+Creator · · Score: 1

    Certainly the act of embarrassing the emperor has to be punished..

    --

    FRA: STFU GTFO
  105. Possible Factual Error by Anonymous Coward · · Score: 0

    Yeah, I'm sure none of the terrorism in Ireland was due to radical Christians. And terrorism may have originated with the Zealots, a Jewish group, back in the first century.

    1. Re:Possible Factual Error by Archangel+Michael · · Score: 1

      Ireland was less about religion than it was about identity and nationalism. Zealots didn't kill Greeks, they killed "apostate" Jews (Messianics). It was later turned around into state-sponsored terrorism when Rome became "christianized" in around AD 324. After the conversion of the pagans into the Roman Sun God turned Christianity, the Jews were highly persecuted by the state.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  106. Re:he has it coming by jotok · · Score: 1

    Noo. Were he a criminal, he might have sold the technology to Hizbollah or somesuch without alerting anyone.

  107. Re:he has it coming by phoenixwade · · Score: 1

    I didn't say they fixed it, I said he did it in a way that will force them to fix it.

    When the media coverage of TSA goofs occurs, they have to respond with a fix. Granted it's another media patch, and yes, you are quite right that SOMEONE doesn't want real security, but that's the Airlines that don't want to do the things like foot a security officer on each flight, add the bulletproof doors, and so forth.

    Where "WE" don't want real security, is that "WE" don't want to pay for the upgrades needed. It's money, it's always about the money here in the US.

    --
    A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.