funsec mailing list archives

RE: Congressman Ed Markey Wants Security Researcher Arrested


From: "Fergie" <fergdawg () netzero net>
Date: Sat, 28 Oct 2006 03:39:07 GMT

While I wouldn't say the point has been quite yet mooted now, it
does appear that the FBI convinced Chris to take his fake boarding
pass generator offline.

If you go to his home page:

 http://dubfire.net/chris/

...and follow the link for "Fake Northwest Airlines Boarding
Pass Generator", you'll be greeted with this:

[snip]

Not Found

The requested URL /boarding_pass was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use
an ErrorDocument to handle the request.


[snip]

See also:
http://blog.wired.com/27bstroke6/2006/10/fbi_says_no_arr.html

- ferg


-- Nick FitzGerald <nick () virus-l demon co uk> wrote:
Larry Seltzer wrote:

I know this makes me a fascist around here but this bothers me a lot.
He's facilitating fraud, and the fact that he himself says they're not good
enough to get you on a plane makes me doubt the value of his research.
Suppose he was making software to print $100 bills. Is that OK because it
shows weaknesses in the currency?

And if he or anyone else uses these they definitely should be busted. 

I think you've missed the point...

_If_ these forgeries are good enough to get through initial (usually 
just the briefest of eye-balling and often kerbside) screening _AND_ 
that opens the whole system up to some much bigger threat _THEN_ the 
whole system is totally borked from tip to toe.

Ed Markey was quoted as saying:

   The Bush Administration must immediately act to investigate,
   apprehend those responsible, shut down the website, and warn
   airlines and aviation security officials to be on the look-out for
   fraudsters or terrorists trying to use fake boarding passes in an
   attempt to cheat their way through security and onto a plane...

_IF_ the current system cannot filter out those carrying fake boarding 
passes, _THEN_ the current system _IS BROKEN_.

Further, Markey seems to suggest that he believes if a terrorist were 
"enabled" to gain access to a plane by the use of such a fake boarding 
pass that terrorist would in some way be more likely to NOT be 
subjected to and/or detected by whatever _OTHER_ checks are put in such 
terrorists' way.

Markey is clearly barking mad and totally devoid of the slightest hint 
of a grip on how to do what he is supposedly charged with doing -- 
improving airline/flight safety.

Thus it is no wonder US aviation security is the joke that it is.

Markey understands this:

   There are enough loopholes at the backdoor of our passenger
   airplanes from not scanning cargo for bombs; 

but can't see that trivially forgeable and weakly "authenticated" bits 
of paper are a fundamental _design weakness_ in another part of the 
system:

   ... we should not tolerate any new loopholes making it easier for
   terrorists to get into the front door of a plane.

Soghoian did not create this loophole -- it was already there and has 
been for how long?  Two?  Five?  Ten? Forty? years...

And, because we know of it already, and have much better layers of 
checking before and/or after (imagine using this in a transit/layover 
situation, rather than directly at check-in) use of this one, its 
existence should be a moot point.

Now, if there really is a dire flaw in Northwest Airlines' deployment 
and use of these feeble little bits of paper, Soghoian may just have 
done Northwest passengers and the DHS a favour.

Yes, what he's doing is technically fraud, but to even suggest it 
begins to equate with forging $100 bills is reactionary nonsense.


Regards,

Nick FitzGerald



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

