Sunday, October 29, 2006

Point out the obvious, get raided by the FBI

Security researcher Chris Soghoian, a graduate student at Indiana University's School for Informatics and an intern at Google, set up a website that functions as a boarding pass generator for Northwest Airlines. The site contained a form that allowed you to fill in name, flight number, destination, and all of the other information on a boarding pass, and would display a boarding pass that would be indistinguishable from the real thing at the TSA security checkpoints.

He pointed out that the identity check at the TSA checkpoint amounts to nothing more than a comparison between the name on a picture ID and the name on a boarding pass, and that this provides no security whatsoever. I'm not sure what threat this check is even supposed to be trying to mitigate. At best, it is an attempt to piggy-back on the check against the no-fly list (which is itself a complete joke) that is performed by the airlines when you purchase a ticket, but clearly that fails as his boarding pass generator is one of several ways to create a boarding pass in a name other than your own--including modifying the displayed text generated by any airline's online site or even purchasing a ticket in any name you choose. The latter was displayed vividly by a couple of guys who purchased tickets in the names of "Al Kyder" and "Terry Wrist" (link includes video).

In my opinion, the only actual purpose served by checking for a valid boarding pass at the TSA checkpoint is to reduce the number of people passing through the checkpoint in order to most efficiently make use of security resources. It does not otherwise have any effect on security; it provides no deterrent to an attacker. It is not effective in screening out those with malicious intent, and it is not even effective in verifying identity.

Congressman Ed Markey (D-MA) has called for Chris Soghoian to be arrested. Soghoian was visited and interrogated by the FBI, then went to stay at his parents' house. Friday night, the FBI broke into his apartment, seized his computers, and generally trashed his place.

Lesson: Point out U.S. security weaknesses, and you will be punished. Those responsible for the weaknesses and idiocy of U.S. "security theater," however, will not be held accountable.

This is one of the rare times when Michelle Malkin actually says something correct.

Other coverage: Jim Harper, author of the excellent book Identity Crisis, at the Technology Liberation Front and at Cato@Liberty (this post does a good job of pointing out the problems with the TSA identity check). Bruce Schneier, at his blog. And there's some rather good coverage in multiple posts at BoingBoing.

The problem that Soghoian pointed out was previously described in February 2005 on Slate.com by Andy Bowers, and in 2003 by Bruce Schneier in his Crypto-Gram newsletter.

So yes, Kip Hawley is still an idiot.

UPDATE (November 2, 2006): Bruce Schneier has written a detailed description of the flaw in the security design of the TSA identity check, and makes the same point: even if the flaw is corrected, the check doesn't add any real security, because it's just a check of the no-fly list.
