FBI smashes fake boarding pass guy's door (and new GHP)
Now boarding: IT Blogwatch, in which a security researcher demonstrates flawed airport security and gets his home searched by the FBI. Not to mention fresh meat from Go Home Productions...
Michael Hampton was one of many to note the start of the story on Friday:
Getting past the no-fly list and the security checkpoint could be as simple as, well, making up a name and printing your own boarding pass. Christopher Soghoian, a graduate researcher at the Center for Applied Cybersecurity Research at Indiana University, said he wanted to get the attention of Congress when he put online a Web application which generates fake boarding passes that are good enough to get you past the Transportation Security Administration checkpoint.
The fake boarding pass generator exposes long-standing flaws in airport security as implemented by the federal government which would allow people on the no-fly list to buy tickets and board flights, possibly without even going through the somewhat invasive secondary screening that everyone whose boarding pass shows “SSSS” finds themselves subjected to. And he sure got the attention of Congress, all right. Rep. Ed Markey (D-Mass.) denounced the web site and called for the executive branch to shut down the site and have Soghoian arrested.
...
Shutting down the fake boarding pass generator would be completely useless; it’s so simple that it would immediately be reproduced at hundreds of sites all over the Internet.
Chris Soghoian (for it is he) picks up the story in a series of blog posts:
The only way for these kinds of problems to get fixed is through public full disclosure. TSA/DHS cannot be expected to fix anything unless they are publicly shamed into doing so ... TSA doesn't have access to the Airline's computer systems. Thus, they have no real way of knowing if a boarding pass is real or not ... consider the fact that you can print your own boarding pass online at home ... It is trivially easy -- as in, 20 seconds with a text-editor ... -- to open it up, and change the name ... Of course, I won't be using this, as it'd guarantee me a one-way ticket straight to Gitmo.
...
In addition to calling for my arrest, the congressman may want to call for the arrest of Senator Schumer (D-NY). In April of this year, he posted rather detailed instructions for the exact same attack. See: here ... Indiana University's legal team have essentially said I'm on my own ... for the record: I have not flown, or even attempted to enter the airport with one of these fake boarding passes. I haven't even printed one out.
...
The FBI are at the door.
...
They handed me a written order to remove the boarding pass generator. By the time we were somewhere with internet access, the website had already been taken down.
...
I came back today, to find the glass on the front door smashed. Inside, is a rather ransacked home, a search warrant taped to my kitchen table, a total absence of computers - and various other important things. I have no idea what time they actually performed the search, but the warrant was approved at 2AM. I'm sincerely glad I wasn't in bed when they raided the house. That would have been even more scary.
Brian Krebs puts it into context:
Others in the past have highlighted this same weakness, including Slate.com back in 2005, as well as Sen. Charles Schumer (D-N.Y.). Heck, security expert Bruce Schneier warned about this vulnerability back in 2003.
...
the FBI's Indianapolis field office declined to discuss the matter, but said Soghoian was not arrested ... Here's hoping this issue finally receives the attention it deserves.
Sparr0's take on what laws may apply:
Boiling down some of the legalese, the charges (if any are filed) will be "conspiracy to knowingly present a false and fictitious claim upon or against the United States, or any department or agency thereof in violation of USC 18 (secs. 2, 371, 1036, 1343, 2318) and USC 49 (secs. 46314 and 46316) and 49 CFR (secs. 1540.103 and 1540.105)"
If I'm reading the current Homeland Security Code of Federal Regulations accurately, it would appear that even scrawling the words "boarding pass" on a cocktail napkin in lipstick and calling it a boarding pass could be cause for an unsolicited late-night visit, though intent is key.
Avi Rubin, a computer science professor at Johns Hopkins, sighs:
Even if he has a legitimate point, it shows a real lapse in judgement ... When we find a security vulnerability, we think about how to publish that information responsibly, and what information we may need to omit. When we find an exploit, the first thing we do is have a meeting about who to tell and how. When we discovered the problems with RFID, we brought the company involved into our lab for several weeks before we released the information.
Quinn Norton muddies the waters:
There's a brewing controversy that pits Washington Post against BoingBoing regarding breaking the story of Christopher "Print your own boarding pass" Soghoian's visit from the FBI along with his site being taken down. The short version is that bloggers believe that Brian Krebs, the Post's security beat reporter, ripped a story off BoingBoing with no credit, and some have even accused him of fabricating details. In response, Brian has written some angry letters in his own defense, and talked about his own process pursuing the story. Brian, like the people at BoingBoing, is a friend and a journalist high in my regard.
...
In this case, BoingBoing is just Xeni [Jardin], reporting on the same thing as Brian. Xeni posted faster, but Brian did his legwork as well.
TSA has known about this since at least February of 2004. If the no-fly list means anything, then they should have responded at least as effectively as they have to the whole "liquid bomb" scare. ...
Quite a few people (including the FBI) are taking the wrong lesson from this. Wrong lessons include "we shouldn't be allowed to print boarding passes," "we should check ID at the gate," and "Christopher Soghoian should be arrested." The right lesson is that the TSA is putting us all through a silly wringer based on an ID system they know is so porous as to be irrelevant.
...
If we wanted useful screening, we would screen passengers at the door of the plane, like they do in, say, the Czech Republic. It's too expensive. We might consider more air marshals. It's too expensive. Removing a line of seats, and making the flight deck a larger area, with a sealed off washroom and kitchen. It's too expensive.
...
There's nothing in the print your own boarding pass that needs fixing, except bad and expensive theater. Let's fix the problem by admitting that ID checking does no good, rather than acting all shocked at the power of a good demo.
Buffer overflow:
Around the Net
- IT Compliance: Electronic Frontier Foundation Sues the U.S. DOJ for FOIA Information
- Micro Persuasion: Should Conferences Ban Blogging?
- Willie, ITToolbox: What's up with Larry and the two faces of Oracle?
- Om Malik: Skype Mobile, Behind the Scenes
- Doc Searls: Hearing Things
- Threadwatch: Structuring, Formatting, & Making Information Accessible
Around Computerworld
- Martin MC Brown: ADSLMax was the last step for better Net access; what is next?
- Michael R. Farnum: Is a hacker a virus?
- Eric Ogren: Sourcefire: IPO or acquisition bait?
- Preston Gralla: The world's most dangerous job: Being a Verizon tech
- Robert L. Mitchell: IT exec turns tables on blade server vendor
- Shark Tank: But didn't you say moving PCs would be easy now?
- Martin McKeay: EFF's Freedom of Information Act guide
- David Haskin: Sprint's real challenge
- Douglas Schweitzer: Knowledge is key when it comes to security
And finally... New mashups from a prince of the UK bootleg scene
Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20-year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richij.com.



