funsec mailing list archives
RE: Congressman Ed Markey Wants Security Researcher Arrested
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 28 Oct 2006 16:24:15 +1300
Larry Seltzer wrote:
> I know this makes me a fascist around here but this bothers me a lot. He's facilitating fraud, and the fact that he himself says they're not good enough to get you on a plane makes me doubt the value of his research. Suppose he was making software to print $100 bills. Is that OK because it shows weaknesses in the currency? And if he or anyone else uses these they definitely should be busted.

I think you've missed the point...

_If_ these forgeries are good enough to get through initial (usually just the briefest of eye-balling and often kerbside) screening _AND_ that opens the whole system up to some much bigger threat _THEN_ the whole system is totally borked from tip to toe.

Ed Markey was quoted as saying:

"The Bush Administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane..."

_IF_ the current system cannot filter out those carrying fake boarding passes, _THEN_ the current system _IS BROKEN_.

Further, Markey seems to suggest that he believes if a terrorist were "enabled" to gain access to a plane by the use of such a fake boarding pass that terrorist would in some way be more likely to NOT be subjected to and/or detected by whatever _OTHER_ checks are put in such terrorists' way.

Markey is clearly barking mad and totally devoid of the slightest hint of a grip on how to do what he is supposedly charged with doing -- improving airline/flight safety. Thus it is no wonder US aviation security is the joke that it is.

Markey understands this:

"There are enough loopholes at the backdoor of our passenger airplanes from not scanning cargo for bombs;"

but can't see that trivially forgeable and weakly "authenticated" bits of paper are a fundamental _design weakness_ in another part of the system:

"... we should not tolerate any new loopholes making it easier for terrorists to get into the front door of a plane."

Soghoian did not create this loophole -- it was already there and has been for how long? Two? Five? Ten? Forty? years...

And, because we know of it already, and have much better layers of checking before and/or after (imagine using this in a transit/layover situation, rather than directly at check-in) use of this one, its existence should be a moot point.

Now, if there really is a dire flaw in Northwest Airlines' deployment and use of these feeble little bits of paper, Soghoian may just have done Northwest passengers and the DHS a favour.

Yes, what he's doing is technically fraud, but to even suggest it begins to equate with forging $100 bills is reactionary nonsense.

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.