Interesting People mailing list archives

more on Web Site Lets Anyone Create Fake Boarding Passes


From: David Farber <dave () farber net>
Date: Sun, 29 Oct 2006 09:52:52 -0500

I don't condemn the actions of people, like Avi, who break systems that are "unbreakable" but I do seriously question the ethics and maturity of someone who demonstrates what is well understood just for the sake of it all.

It is hard enough to travel with the Kabuki theater that passes for security. I don't want to add the knee-jerk reaction of banning computer boarding passes which serve little or no use at the TSA checkpoints anyway.

I strongly suggest we require a course in common sense and professional ethics for undergrads and graduate students. I have seen enough bad judgement calls to suggest it would be worthwhile (none from my students (that I know of)).

Dave



Begin forwarded message:

From: Patrick Sinz <ps () ethiqa com>
Date: October 29, 2006 4:11:00 AM EST
To: dave () farber net
Subject: Re: [IP] Web Site Lets Anyone Create Fake Boarding Passes

Hi,
My first reaction is very similar to yours, making this web site does
not show any particular IT security prowess, and is a sure way to stir
up trouble.

Then my second reaction was to check again the fine article and look up
the student's field.
So he is not a political science student trying to evaluate government,
private authorities and public response to a perceived security threat.
So he deserved to be yelled at.

On the other hand IT security is not just about good crypto, but also
processes, ethics and all this kind of social sciences ("soft skills" in
corporateese :-)).
So what was the "build up of the experiment"? (if there was one).

IMHO the student should have sent a letter to the airline, then to the
supervision authority, then to a consumer organisation, and when all
these actions fail to have any positive result, or to explain why this
is a non-issue: set up his site.

Flatly condemning his actions would lead to a situation where any
security related dysfunction should be hidden in order to avoid "bad
things to happen".
So to somewhat caricature the situation: if you are working on a
post-grad on hospital management and you notice that a large hospital
chain is feeding junk to heart patients you should keep silent because
revealing this publicly might get heart patients to worry and get a
heart attack. duh!

        Best Regards
                [ps]

On Saturday, 28 October 2006 at 16:03 -0400, David Farber wrote:
This grad student would be an ex grad student if I were there or at
least a very very yelled at one. To do what was done is not research
-- in fact it is not hard and everyone knows the weakness so "just pointing it out" is no excuse.

Then again maybe it is the Universities' job to talk about ethics

Dave

Begin forwarded message:

From: EEkid () aol com
Date: October 28, 2006 3:08:20 PM EDT
To: dave () farber net
Subject: Web Site Lets Anyone Create Fake Boarding Passes

http://articles.news.aol.com/news/_a/web-site-lets-anyone-create-fake/20061027231809990001?ncid=NWS00010000000001



Web Site Lets Anyone Create Fake Boarding Passes
Student Says Site's Meant to Show Loopholes, Feds Don't See It That Way

By JONATHAN SILVERSTEIN, ABCNews.com

(Oct. 28) - A 24-year-old computer security student working on his
doctorate at Indiana University Bloomington has created a Web site
that allows anyone with an Internet connection and a printer to
create and print fake boarding passes for Northwest Airlines flights.

The passes look virtually identical to the ones printed from the
airline's site, and are intended to get you past security -- but not
onto an airplane.

By entering your name and plugging in information about the flight --
flight number, gate, seat number, departing city, destination,
departure, and arrival times and class -- the site generates a
boarding pass the program's creator says will get you past security
checkpoints, even without ID.

Christopher Soghoian, creator of "The Northwest Airlines Boarding
Pass Generator," knew he would be opening up a can of worms by
writing the program and creating the site, but says it's the only way
to show people how deeply flawed airport and airline security are.
   <snip>

-------------------------------------
You are subscribed as ps () ethiqa com
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/


