28 October 2006

Shooting the Messenger

Congressman Ed Markey (D-Mass) has called for the arrest of Chris Soghoian, a University of Indiana graduate student who created a website which enabled printing of fake Northwest Airlines boarding passes.

If Congressman Markey, who represents himself as an authority on technology and civil liberties issues, and who publicises national security vulnerabilities on his own congressional website, is surprised by the fact that boarding pass security is a joke, then he hasn't been paying attention for a long time.

Boarding pass security has always been terrible. ABC reported on this vulnerability in June. Bruce Schneier wrote about it as early as 2003, and explains here why he's not worried that it's still easy to forge print-at-home boarding passes.

The print-at-home vulnerability has been covered at Stupid Security and elsewhere (here too!).

Publishing instructions for how to do it isn't new either.

In fact, Slate has pointed out that you don't even need to forge a boarding pass to get past airport identity checks - you can just use somebody else's real one.

Providing an easy online utility to automate forgery may indeed be new. But before we start arresting people, let's think for a minute about who we should be locking up. Real villains - not security researchers - should be at the top of our most-wanted list.

What say we start with the people who actually want to commit terrorism? Congressman Markey lists Homeland Security and Defense among his top issues. You may have noticed that we haven't caught Osama yet.

Once we arrest the people who create the threats, we should go after the people who create the vulnerability. This would be airlines (who allow you to print insecure boarding passes at home in an easily-forgeable format) and the TSA, who take a cursory look at your forged boarding pass and wave you through their checkpoints.

Then let's look for the guys who have failed to hold the airlines and the TSA accountable for their failures. Congressman Markey's bio says he's one of them: "As the third most senior Democrat on the House Homeland Security Committee, he has emerged as a leader in both legislative and oversight activities in the areas of nuclear, aviation, rail, liquefied natural gas and chemical security." If this oversight were effective, Chris Soghoian wouldn't have been able to build his website and we wouldn't be talking about it.

Bruce is right that the real problem is elsewhere. But even if this were a real problem, arresting the messenger wouldn't solve it. Congressman Markey undoubtedly knows that - and he also knows that loud law-and-order noises sound good in an election year.

