30 October 2006

Heeding the Message

It takes a big man to admit that he's made a mistake, especially in politics.

It takes an even bigger man to think it over carefully enough to propose doing something genuinely useful. Rep. Markey has done both; here's what he wrote in his latest press release, covered on Chris Soghoian's blog:

Under the circumstances, any legal consequences for this student must take into account his intent to perform a public service, to publicize a problem as a way of getting it fixed. He picked a lousy way of doing it, but he should not go to jail for his bad judgment. Better yet, the Department of Homeland Security should put him to work showing public officials how easily our security can be compromised.

Exactly. This is the kind of thinking we need more of. Kudos and thanks to Rep. Markey for a courageous and helpful statement.

28 October 2006

Shooting the Messenger

Congressman Ed Markey (D-Mass) has called for the arrest of Chris Soghoian, a University of Indiana graduate student who created a website which enabled printing of fake Northwest Airlines boarding passes.

If Congressman Markey, who represents himself as an authority on technology and civil liberties issues, and who publicises national security vulnerabilities on his own congressional website, is surprised by the fact that boarding pass security is a joke, then he hasn't been paying attention for a long time.

Boarding pass security has always been terrible. ABC reported on this vulnerability in June. Bruce Schneier wrote about it as early as 2003, and explains here why he's not worried that it's still easy to forge print-at-home boarding passes.

The print-at-home vulnerability has been covered at Stupid Security and elsewhere (here too!).

Publishing instructions for how to do it isn't new either.

In fact, Slate has pointed out that you don't even need to forge a boarding pass to get past airport identity checks - you can just use somebody else's real one.

Providing an easy online utility to automate forgery may indeed be new. But before we start arresting people, let's think for a minute about who we should be locking up. Real villains - not security researchers - should be at the top of our most-wanted list.

What say we start with the people who actually want to commit terrorism? Congressman Markey lists Homeland Security and Defense among his top issues. You may have noticed that we haven't caught Osama yet.

Once we arrest the people who create the threats, we should go after the people who create the vulnerability. This would be airlines (who allow you to print insecure boarding passes at home in an easily-forgeable format) and the TSA, who take a cursory look at your forged boarding pass and wave you through their checkpoints.

Then let's look for the guys who have failed to hold the airlines and the TSA accountable for their failures. Congressman Markey's bio says he's one of them: "As the third most senior Democrat on the House Homeland Security Committee, he has emerged as a leader in both legislative and oversight activities in the areas of nuclear, aviation, rail, liquefied natural gas and chemical security." If this oversight were effective, Chris Soghoian wouldn't have been able to build his website and we wouldn't be talking about it.

Bruce is right that the real problem is elsewhere. But even if this were a real problem, arresting the messenger wouldn't solve it. Congressman Markey undoubtedly knows that - and he also knows that loud law-and-order noises sound good in an election year.

01 October 2006

Pink for October

Special this month: Ceci n'est pas un Bob will be Pink for October to promote awareness of breast cancer. Plus, pink is cool.