
Congressman Calls for Arrest of Security Researcher 574

Christopher Soghoian writes "Yesterday, I published a tool that allows you to Create your own boarding pass for Northwest flights. This was an attempt to document the fragile and broken state of identity/security for domestic flights in the US. Today, Congressman Markey (D-Mass) has called for my arrest." From the ABC article: "'I don't want to help terrorists or help bad guys do bad things on airplanes, but what we have now is what we in the industry call security theater. It's made to make you think you're secure without actually making you secure,' Soghoian said. 'As a member of the academic research community, I consider this to be a public service.' Soghoian admits that he hasn't actually tried to use one of the boarding passes yet."
This discussion has been archived. No new comments can be posted.

  • by mbstone ( 457308 ) on Friday October 27, 2006 @06:31PM (#16616518)
    The prosecutors would never file a criminal case, because it would be quickly thrown out on First Amendment grounds? Wouldn't it?
  • I can see it now.. (Score:2, Interesting)

    by The Living Fractal ( 162153 ) <banantarrNO@SPAMhotmail.com> on Friday October 27, 2006 @06:37PM (#16616584) Homepage
    (airport announcer over intercom) Boarding Northwest Flight 171 has begun...

    Passenger 1, with fake ticket, gets to seat 13F first. Sits down and gets comfortable.
    Passenger 2, with real ticket, gets to seat 13F, finds someone else in their seat, and politely claims that it is their seat.
    Passenger 3 gets to seat 13F, finds two people arguing over whose seat it is, and considers his mistake.
    Flight attendant 1 arrives on scene, cannot determine who is the proper passenger, and has Air Marshal 1 escort them both off the plane, where they receive black bags over their heads and are both never heard from again.

    Passenger 3, like passenger 1, forgot to change the seat number they printed for the fake ticket they heard would work 'from a friend on the internet'.

    But, let's be serious for a minute. This would never work for actually getting to FLY somewhere. You would get into the seat dispute and the person with the real ticket would win every time. And you'd end up in a dark, dark room with FBI agents, then finally in prison for a long time. Gee, that was worth it.

    Of course, the real threat is probably just being able to get to the plane. So, point taken. And it truly is a sad state of affairs for security. I am curious to see if this guy gets arrested and if so, convicted of a crime.

    TLF

  • but of course (Score:5, Interesting)

    by Phantom of the Opera ( 1867 ) on Friday October 27, 2006 @06:38PM (#16616598) Homepage
    This whole homeland security mindset is not one of rationality. It is one of panic. There is an element of OMG - he's giving the bad guys ideas. This call to arrest him is probably more along the lines of OMG - he's giving passengers the idea that they are unsafe. It isn't the issue whether they are unsafe or not, but making them feel that is going to have negative effects on the airline industry and get people jumpier. All in all, it's going to make going on a plane that much less pleasant.


    "The Bush Administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane," Markey said in a statement. "There are enough loopholes at the backdoor of our passenger airplanes from not scanning cargo for bombs; we should not tolerate any new loopholes making it easier for terrorists to get into the front door of a plane."


    One, shouldn't they already be on the lookout for fraudsters and terrorists?
    Two, this isn't a new loophole. It's been there a while folks.
  • by rthille ( 8526 ) <web-slashdot@ran g a t .org> on Friday October 27, 2006 @06:53PM (#16616830) Homepage Journal
    Been in that cave long?

    They don't have to file a case. Congress did away with Habeas Corpus recently, so they can just 'disappear' you, like all the other terrorists...

    I'm really thinking that armed insurrection is going to be coming soon to the U.S....
  • Re:not likely (Score:4, Interesting)

    by dgatwood ( 11270 ) on Friday October 27, 2006 @06:58PM (#16616910) Homepage Journal

    Passing a fake bill is illegal. Selling a printing press is not, even if that printing press can be used to print bills.... Telling people how to make a plate based on existing currency... it's the same as making any other kind of plate, so also not illegal in all likelihood.

    There isn't anything here that hasn't been obvious to every single person who reads Slashdot for years. It's all smoke and mirrors, and anyone with even a modest level of intelligence knows this, not just geeks. The only thing surprising here is that we have a Congressman who is so completely computer illiterate and clueless that he actually believes that the stuff in this article would be a surprise to anyone.

    You know, now that I think about it, given the quality of federal legislation in the past few years... it's not really that surprising after all. In fact, it explains a lot.

  • Re:not likely (Score:5, Interesting)

    by UbuntuDupe ( 970646 ) on Friday October 27, 2006 @07:09PM (#16617046) Journal
    Conservative/Libertarian radio talk show host Neal Boortz ran into the same thing. (According to a story he regularly tells) He told some airline, Delta I think, that the security check in procedures were too lax. They ignored him. After he was fed up with that, he made a bet with the head of security, then dressed up like a pilot, got waved through a checkpoint, and once on a plane, he got out his cell phone and called the head of security to let him know he got through.

    Don't know what became of that. (This was long before 9/11.)
  • by Mateo_LeFou ( 859634 ) on Friday October 27, 2006 @07:11PM (#16617078) Homepage
    Damn, and Markey was the guy who tried to get real net neutrality in the whatchamacallit for us...
  • by thehossman ( 198379 ) on Friday October 27, 2006 @07:17PM (#16617156)
    Background: my last name starts with the letters "Host"

    When Southwest first started offering online checking, I discovered a small bug: when you got to the "Print your boarding pass" screen, with my name in all caps, the letters "HOST" were replaced with "southwest.com" ... so if your name was "Jim Hostenfeffer" it would appear on your boarding pass as "JIM southwest.comENFEFFER" ... I played with the site a little bit and found that it was a straight macro replacement bug of whatever domain name was used, so it would say "JIM wWw.SOutHwesT.cOmENFEFFER" if that was the domain you typed into the URL bar.

    The first time it happened I thought it was amusing. I emailed their tech support, saved the HTML to a file and edited it so it had my name again and would match my ID when I checked in.

    4 or 5 flights and at least 9 months later it was still happening and I spent a good 3 hours on the phone being transferred around to different people trying to get them to understand what the problem was and how fucking ridiculous it was that I had to constantly "hack" my boarding pass because of a bug they'd had for months.

  • I'm really thinking that armed insurrection is going to be coming soon to the U.S....
    I doubt it... anyone who started organizing such a thing would be labeled an enemy combatant and disappeared. For this sort of mess, you're going to need some outside country to liberate you and bring democracy to your suffering land.
  • by NineNine ( 235196 ) on Friday October 27, 2006 @07:43PM (#16617464)
    Ha! You didn't actually think that the Republicans and Democrats were opponents, did you? C'mon.

    There's a very popular case study in business school about Coke and Pepsi, and how they're both very happy with approximately 49% of the market. People think they have a real "choice". Neither one has to worry about "monopolies". And, they already know each other. It's a fake battle to make people think that they actually have a choice, all the while, both parties are very happy with half of a FUCKING HUGE pie.

    Sound familiar?
  • Re:not likely (Score:3, Interesting)

    by grcumb ( 781340 ) on Friday October 27, 2006 @08:04PM (#16617674) Homepage Journal
    Yes, normally you can show the problem by just pointing it to any smart person. But you'll never make MS acknowledge the flaw without somebody exploiting it (and lots of times not even then). The situation is almost the same.

    Indeed. The very first MS Word macro virus was explicitly designed as a 'proof of concept' - in effect, a shot across the bows of the USS Microsoft. While many of us had already expressed serious concern long before this, MS refused to even acknowledge that there was an issue. Even this tangible evidence wasn't enough to garner a timely reaction from MS. It was months later when the software industry slowly ground its gears and began to accept that integrated scripting languages in one's documents could actually be a problem. To this day, the entire automation model is still a liability.

    I'm not singling out Microsoft as the cause of all this - WordPerfect had macros long before MS Office ever existed. I'm simply using this anecdote as one of the biggest, most obvious and most egregious examples of people pooh-poohing security concerns until the barbarians are already inside the gates [sic].

  • Red vs Blue (Score:1, Interesting)

    by Anonymous Coward on Friday October 27, 2006 @08:22PM (#16617854)
    Simple, Republicans are far more protective of individual property rights.

    Being pro-business is an extension of this, rather than the other way around. Democrats are more willing to allow use of eminent domain in such situations for the same reason they are more willing to raise taxes. It is subtle difference in thinking: Do the rights of the state exist because they were granted by the people? Do the rights of the individual exist because they were granted by the state?

    The case in question was far more narrow, of course. But justices' answers to those questions are pretty strongly correlated to decisions like this one. For a similar reason, even though Republicans are on TV moaning about "judicial activism" their appointees are far more likely to vote to strike down acts of congress than those of Democrats.

  • Re:not likely (Score:3, Interesting)

    by Zeinfeld ( 263942 ) on Friday October 27, 2006 @08:25PM (#16617884) Homepage
    Fraud is a crime of intent.
    Unfortunately, there are enough weak-brained persons around to get the guy for "intent" based on production of the code.

    Fraud requires intent. But fraud is not the only possible crime here.

    In particular there are a lot of crimes that are designed to make it easier to prosecute fraud by criminalizing conduct that is preparation for fraud. That is how the CANSPAM act works, it does not criminalize spam but it does criminalize activities spammers typically engage in.

    The Secret Service agent who led the Shadowcrew investigation told me that the charge they used most was not fraud or even having stolen credit card numbers. The charge that they used to break the case was possession of a device designed for the purpose of counterfeiting a financial instrument. Once a search of the suspect's place turned up a machine for making credit cards a plea bargain was a foregone conclusion.

    Looks to me that it is not very difficult to claim that the Web site is a device that enables forgery of a financial instrument. Not only could the creator of the site be liable here, the hosting service might well be.

  • Re:Well (Score:3, Interesting)

    by Zeinfeld ( 263942 ) on Friday October 27, 2006 @09:44PM (#16618518) Homepage
    Seriously why? It really makes no difference. They differ on abortion, gay marriage, and gun control, that is about it.

    In actual fact they differ on rather a lot, most importantly the issue of whether Congress should perform oversight of the executive or simply rubber stamp their demands.

    This is rather important if you are a US soldier sent to Iraq in insufficient force, lacking essential equipment and having your efforts sabotaged by a civilian leadership whose incompetence is only matched by their mendacity.

    Another important difference is that Republicans would like to phase out 'privatize' social security while Democrats believe in it. The last Democratic President balanced the budget, the last three Republicans all burst it. Tax cuts mean nothing if expenditure runs out of control, the bills will have to be paid some day and taxes will be raised when they do.

    But most importantly of all there has never been a US administration that has shown such utter contempt for international law and in particular the laws of war. This is the first US administration to have embraced torture.

  • by Anonymous Coward on Friday October 27, 2006 @09:52PM (#16618582)
    That 3:54 PM blog entry has itself changed...

    It originally said "Russel Coleman and Christopher E Allen from the FBI are at the door. Off to chat."

    Now it says "The FBI are at the door. Off to chat."
