funsec mailing list archives

Previous By Date Next
Previous By Thread Next

Digital Freedom and Boarding Passes

From: Gary Warner <gar () askgar com>
Date: Fri, 03 Nov 2006 16:05:36 -0600
Fun-sec'ers, Here's a note that I sent to my local InfraGard chapter on this one (thanks for some of the links from this mailing list.) Just for grins, I cc'ed Chris and one of his professors as well. They might appreciate an email of support: 

   csoghoian () gmail com

   markus () indiana edu

(assuming you support them...)

/Christopher Soghoian /, who runs the blog
"SlightParanoia.blogspot.com", is a student of Informatics at Indiana
University.  I've met professors from that department and they said I
was close when I called Informatics "the sociology of computing".

According to /.,
( http://yro.slashdot.org/yro/06/10/28/2358202.shtml )
Senator Schumer revealed this technique to the public in February of
2005.  I don't believe the FBI arrested him for it, but that's because
he just TALKED about it, instead of spending three minutes to build a
tool to DO it.

http://www.senate.gov/~schumer/SchumerWebsite/pressroom/press_releases/2005/PR4123.aviationsecurity021305.html

I'm curious to hear what folks opinion on this is.

What he's done is basically pointed out how silly it is to depend on an
emailed-to-your-home-and-printed electronic document for security.  Its
child's play to edit  HTML document to make the characters in your
NorthWest board pass (and several other airlines) say whatever you
wish.  The question is really whether or not the policies of the airport
security checkpoints are appropriate and being followed.  I've flown
several dozen times in the past year and I have ALWAYS been required to
show my boarding pass WITH PHOTO ID.   Before Congress Markey demanded
that the FBI arrest Chris several of us had been playing with his tool
and were amused with the concept that Chris thought he could bypass the
photo id check just by saying he forgot his wallet. (although he did
make a compelling argument).

If that worked, then the airlines deserve what they get.

This is exactly the kind of Out of the Box Thinking that the School of
Informatics at Indiana University is encouraging with their
departmental  research.  Chris has published papers on Red Teaming
electronic voting (presented at a European conference on e-voting) , the
Digital Millenia Copyright Act, Steganography, OS Fingerprinting, SSH
Man in the Middle Attacks, and Electronic Privacy.   He got his BS from
James Madison in Computer Science, his MS in Information Security from
Johns Hopkins, and is working on his PhD in CyberSecurity from Indiana U.

He has interned at Google in their security group,  at Apple in their
Security Technology group, and at IBM in their Global Security Analysis
Lab in Switzerland.  He's designed an anti-phishing tool (patent
pending).  He's also designed a mobile phone based account verification
system

********************************************************************
If Chris lived in Birmingham, we would DEFINITELY want him as an
InfraGard member.
********************************************************************

I've met one of his professors, Markus Jakobsson, (
http://www.informatics.indiana.edu/markus/ ) at an anti-phishing working
group meeting, and I was FASCINATED by the ideas they have developed and
published on out of this department.

(I talked about one of Jakobsson's research projects at an InfraGard
meeting this spring - you might remember - it was a social networking
experiment using the "background image" for "visited" web pages to "map"
what pages someone visiting your website had also visited???  They then
took the "visited blog" entries to build social networks and send
phishing emails that appeared to come from people they believed you to
know based on mutual blog visits.  This was the same paper that said
male engineering students are likely to follow links sent to them by
females they know, while female education students are likely to follow
links sent to them by unknown random strangers of either gender.)

If Chris had written a paper about the Boarding Pass Issue instead of
posting it on his website we would have been calling him a Defender of
the Homeland.  There is something messed up about this situation.

Enjoy this protest link:

          http://www.boingboing.net/2006/10/29/ceci_nest_pas_un_fak.html

Or to see how simple the whole process was, visit one of the other fake
Boarding Pass generators that Congressman Markey hasn't killed yet, such as:

         http://j0hn4d4m5.bravehost.com/pass.html

The original site (Chris's) used the demo name of "Osama Bin Laden",
which is probably why Chris no longer has any of his computers, disks,
tapes, drives, DVDs, and CDs (all were picked up by the FBI) and John
didn't.




_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Previous By Date Next
Previous By Thread Next

Current thread: