{October 2006 Archive}

Identify a Security Flaw, Lose One Laptop
Sasha Horwitz || October 30, 2006 || Transportation

This week I came across a story about a 24 year old security researcher/PhD student named Christopher Soghoian who developed a fake boarding pass generator on his website. There you could enter your “information” and out would come a realistic looking ticket like the kind you print from home for an early check in. If you’re experience is anything like mine then waking up to the security line at the airport means I hand my boarding pass and ID to the TSA screener who makes sure my face and name match on all the documents and scribbles something before letting me through. The agent never scans the barcode. These passes are meant to get a person past the screener but not onto the plane.

I’m terrified. After the terrorist plot to blow up planes using bomb material concealed in liquid was foiled, all forms of liquid was banned from terminals. The TSA finally realized the weakness in a plan that sought to deal with the plot retroactively, and has loosened the restrictions. Now I think I can bring four ounces of liquid and medicine with a prescription label. But this hole shows us a major problem with not only the implementation of security measures but our process for dealing with the problems.

Soghoian designed the script to identify this weakness, not to exploit it. “I want Congress to see how stupid the TSA's watch lists are. Now even the most technically incompetent user can click and generate a boarding pass. By doing this, I'm hoping [Congress] will see how silly the security rules are. I don't want bad guys to board airplanes but I don't think the system we have right now works and I think it is giving us a false sense of security.” The day after the story became public on wired.com, Congressman Edward Markey (D-MA) called for Soghoian’s arrest and for the site to be taken down; he later rescinded the call for arrest.

That day the FBI visited Soghoian in his home, but he was not arrested. That night the FBI returned and seized his computers with a warrant signed at 2 a.m.. Am I wrong or does it seem that the government is less interested in learning about these security vulnerabilities than punishing someone for revealing them?

Most interestingly is one of the people who identified this security vulnerability before this incident was Sen. Chuck Schumer (D-NY), who did so in 2005 press release.

Continue reading "Identify a Security Flaw, Lose One Laptop" »
[] [Comments (1)] [TrackBacks (0)]
Creative Commons License

This weblog is licensed under a Creative Commons License.