TSA threatens fake-boarding-pass guy (and scary Mary)
Further and final call for IT Blogwatch, in which Christopher Soghoian's fake boarding pass generator now attracts the attention of the TSA. Not to mention a new trailer for Disney's Mary Poppins, re-cut into a horror film...
You may recall October 30th's IT Blogwatch, when your humble blogwatcher wrote about Chris Soghoian and his fake boarding pass generator. The FBI broke down his door and seized his computers. Now it seems that the FBI and DoJ have dropped the case, but the Transportation Security Administration is investigating his alleged lawbreaking. Read on...
Christopher Soghoian has the letter from the TSA, with his own interpretation:
Dear Christopher, We were slightly worried that you might spend Christmas relaxing and spending quality time with your family. We can't have that. Thus, please enjoy the enclosed letter - we're quite confident that it'll occupy your thoughts for the next few weeks. Have fun mulling things over. We expect a reply from you by Christmas day.
...
P.S. We continue to ignore the existence of a different boarding pass generator, written by someone else and which has been online for the past month. It wasn't in the Washington Post, so our bosses haven't seen it yet. Phew!
Did someone mention the WaPo? Here's Brian Krebs to explain:
Last month Security Fix reported that Chris Soghoian ... had been cleared of any wrongdoing by the FBI and the Justice Department. Well, turns out the guy isn't out of the woods yet. On Wednesday afternoon, Soghoian received a letter from the TSA informing him that the agency is conducting its own investigation into the allegation that he "attempted to circumvent an established civil aviation security program established in the Transportation Security Regulations." If Soghoian is ultimately found to have attempted said circumvention, the TSA said, he could be subjected to civil penalties of up to $11,000 per violation.
...
It's absurd because the cat is already out of the bag. That's the way information on the Internet works: Once it's out there, it's incredibly hard if not impossible to get it all back. Soghoian's site has no doubt been archived by anyone who would want to use it for malicious or illegal purposes (this guy, operating under what is in all likelihood a pseudonym, continues to mirror the Northwest Airlines boarding pass generator that Soghoian built.) ... worse than the specter of fines is the notion that he may one day find his own name on the TSA's no-fly list.
It is likely that the TSA will have to drop charges like the FBI did, but Mr. Soghoian has already been punished by having the government break down his door, threaten him, and harass him. Let this be a warning to intelligent people seeking the truth: in America you have the freedom to speak, but the government might come after you anyway.
Airport security is a joke, and all he did is point that out. I will point something else out. When I was waiting in the immensely long line for United Domestic Check-In, I noticed they controlled access to the door behind the ticket counter with a simple mechanical combination lock. I observed several United Airlines employees entering and every time I could clearly see the code being entered. I felt very secure.
Lest we forget, ChaosDiscord reminds:
The purpose was to shame the TSA into fixing a problem which was widely known and publicized: August 2003 by security expert Bruce Schneier, February 2005 in Slate, February 2005 press release by a US Senator, February 2006 article in CSO Online. The TSA has been ignoring the problem for over three years. Bad guys have known about the attack for at least three years, possibly longer. For all we know bad guys are using it right now; we have no way of knowing. Even without Soghoian's program, it was really, really trivial to exploit; all you need is a very basic understanding of HTML, enough to change one name to another, to execute the attack Schneier described in 2003. The media has been letting the TSA continue to ignore this. If Soghoian had simply published a "I can make fake boarding passes and get into the "sterile" area of an airport" he would have gotten an article or two and nothing would have changed. By providing a working exploit things just became that much harder for the TSA. News coverage exploded. Finally something will happen.
We saw the same sort of misleading argument come up when people started pointing out that US Military personnel were being given ineffective bulletproof vests; somehow the people who were trying to raise awareness of the issue were supposedly "helping the terrorists." Which is just nuts. What they were doing is making things uncomfortable for the crooks selling the defective jackets, and having zero impact on the people wearing them unless and until they could raise enough awareness of the issue to get things changed--in which case their actions would have helped the troops, not hurt them.
Anonymous Coward minces his (possibly "her") words:
The people responsible within the TSA need to be dealt with. These f***heads have some nerve harassing a researcher for bringing their errors to wider attention.
Buffer overflow:
Around the Net
- Richi Jennings: Ciao! Interesting Social Engineering Attack
- StorageMojo: Adam Smith and the Liberace effect
- Techcrunch: Digg Celebrates 2nd Birthday
- Guy Kawasaki: iPod and Hearing Loss
- Meridith Levinson: Data Breach Victim Ohio U Appoints Interim CIO
- Mike, Techdirt: Massive Class Action Lawsuit Against Wall Street For Artificially Inflating Dot Com Bubble Rejected
- Nate Anderson: Washington uses new spyware law, gets $1 million settlement
- Security Monkey: Datacenter Hilarity: Oops.
- Jurgens Pieterse: Defining IT portfolio management
Around Computerworld
- Preston Gralla: Game players beware: The IRS wants your virtual assets
- Michael R. Farnum: The Security of Web 2.0 - an Oxymoron
- David Haskin: The real news at Macworld won't be iPhone
- Shark Tank: Why we love users
- Douglas Schweitzer: One man's garbage is another man's gold!
And finally... Scary Mary (Poppins) [hat tip: Boing Boing]
Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk.



