funsec mailing list archives
Digital Freedom and Boarding Passes
From: Gary Warner <gar () askgar com>
Date: Fri, 03 Nov 2006 16:05:36 -0600
Fun-sec'ers, Here's a note that I sent to my local InfraGard chapter on this one (thanks for some of the links from this mailing list.) Just for grins, I cc'ed Chris and one of his professors as well. They might appreciate an email of support:
csoghoian () gmail com markus () indiana edu (assuming you support them...) /Christopher Soghoian /, who runs the blog "SlightParanoia.blogspot.com", is a student of Informatics at Indiana University. I've met professors from that department and they said I was close when I called Informatics "the sociology of computing". According to /., ( http://yro.slashdot.org/yro/06/10/28/2358202.shtml ) Senator Schumer revealed this technique to the public in February of 2005. I don't believe the FBI arrested him for it, but that's because he just TALKED about it, instead of spending three minutes to build a tool to DO it. http://www.senate.gov/~schumer/SchumerWebsite/pressroom/press_releases/2005/PR4123.aviationsecurity021305.html I'm curious to hear what folks opinion on this is. What he's done is basically pointed out how silly it is to depend on an emailed-to-your-home-and-printed electronic document for security. Its child's play to edit HTML document to make the characters in your NorthWest board pass (and several other airlines) say whatever you wish. The question is really whether or not the policies of the airport security checkpoints are appropriate and being followed. I've flown several dozen times in the past year and I have ALWAYS been required to show my boarding pass WITH PHOTO ID. Before Congress Markey demanded that the FBI arrest Chris several of us had been playing with his tool and were amused with the concept that Chris thought he could bypass the photo id check just by saying he forgot his wallet. (although he did make a compelling argument). If that worked, then the airlines deserve what they get. This is exactly the kind of Out of the Box Thinking that the School of Informatics at Indiana University is encouraging with their departmental research. Chris has published papers on Red Teaming electronic voting (presented at a European conference on e-voting) , the Digital Millenia Copyright Act, Steganography, OS Fingerprinting, SSH Man in the Middle Attacks, and Electronic Privacy. He got his BS from James Madison in Computer Science, his MS in Information Security from Johns Hopkins, and is working on his PhD in CyberSecurity from Indiana U. He has interned at Google in their security group, at Apple in their Security Technology group, and at IBM in their Global Security Analysis Lab in Switzerland. He's designed an anti-phishing tool (patent pending). He's also designed a mobile phone based account verification system ******************************************************************** If Chris lived in Birmingham, we would DEFINITELY want him as an InfraGard member. ******************************************************************** I've met one of his professors, Markus Jakobsson, ( http://www.informatics.indiana.edu/markus/ ) at an anti-phishing working group meeting, and I was FASCINATED by the ideas they have developed and published on out of this department. (I talked about one of Jakobsson's research projects at an InfraGard meeting this spring - you might remember - it was a social networking experiment using the "background image" for "visited" web pages to "map" what pages someone visiting your website had also visited??? They then took the "visited blog" entries to build social networks and send phishing emails that appeared to come from people they believed you to know based on mutual blog visits. This was the same paper that said male engineering students are likely to follow links sent to them by females they know, while female education students are likely to follow links sent to them by unknown random strangers of either gender.) If Chris had written a paper about the Boarding Pass Issue instead of posting it on his website we would have been calling him a Defender of the Homeland. There is something messed up about this situation. Enjoy this protest link: http://www.boingboing.net/2006/10/29/ceci_nest_pas_un_fak.html Or to see how simple the whole process was, visit one of the other fake Boarding Pass generators that Congressman Markey hasn't killed yet, such as: http://j0hn4d4m5.bravehost.com/pass.html The original site (Chris's) used the demo name of "Osama Bin Laden", which is probably why Chris no longer has any of his computers, disks, tapes, drives, DVDs, and CDs (all were picked up by the FBI) and John didn't. _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Digital Freedom and Boarding Passes Gary Warner (Nov 03)