RE: Congressman Ed Markey Wants Security Researcher Arrested

[Nick FitzGerald <nick () virus-l demon co uk>]

Larry Seltzer wrote:

> I know this makes me a fascist around here but this bothers me a lot. He's
> facilitating fraud, and the fact that he himself says they're not good
> enough to get you on a plane makes me doubt the value of his research.
> Suppose he was making  software to print $100 bills. Is that OK because it
> shows weaknesses in the currency?
>
> And if he or anyone else uses these they definitely should be busted. 

I think you've missed the point...

_If_ these forgeries are good enough to get through initial (usually 
just the briefest of eye-balling and often kerbside) screening _AND_ 
that opens the whole system up to some much bigger threat _THEN_ the 
whole system is totally borked from tip to toe.

Ed Markey was quoted as saying:

   The Bush Administration must immediately act to investigate,
   apprehend those responsible, shut down the website, and warn
   airlines and aviation security officials to be on the look-out for
   fraudsters or terrorists trying to use fake boarding passes in an
   attempt to cheat their way through security and onto a plane...

_IF_ the current system cannot filter out those carrying fake boarding 
passes, _THEN_ the current system _IS BROKEN_.

Further, Markey seems to suggest that he beleives if a terrorist were 
"enabled" to gain access to a plane by the use of such a fake boarding 
pass that terrorist would in some way be more likely to NOT be 
subjected to and/or detected by whatever _OTHER_ checks are put in such 
terrorists' way.

Markey is clearly barking mad and totally devoid of the slighest hint 
of a grip on how to do what he is supposedly charged with doing -- 
improving airline/flight safety.

Thus it is no wonder US aviation security is the joke that it is.

Markey understands this:

   There are enough loopholes at the backdoor of our passenger
   airplanes from not scanning cargo for bombs; 

but can't see that trivially forgeable and weakly "authenticated" bits 
of paper are a fundamental _design weakness_ in another part of the 
system:

   ... we should not tolerate any new loopholes making it easier for
   terrorists to get into the front door of a plane.

Soghoian did not create this loophole -- it was already there and has 
been for how long?  Two?  Five?  Ten? Forty? years...

And, because we know of it already, and have much better layers of 
checking before and/or after (imagine using this in a transit/layover 
situation, rather than directly at check-in) use of this one, its 
existence should be a moot point.

Now, if there really is a dire flaw in Northwest Airline's deployment 
and use of these feeble little bits of paper, Soghoian may just have 
done Northwest passengers and the DHS a favour.

Yes, what he's doing is technically fraud, but to even suggest it 
begins to equate with forging $100 bills is reactionary nonsense.


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.