Here is a story for you:
- In 2003, security researcher Bruce Schneier pointed out that anyone can print a fake boarding pass at home.
- In February of 2005, Slate magazine published an article describing the same security problem in detail.
- In April of 2006, NY Senator Charles E. Schumer mentioned these security issues on his website and sent multiple letters about the issue to the TSA.
- In October of this year, Christopher Soghoian, a PhD student at Indiana U, created a web application allowing people to print fake passes directly from his website.
- Finally, after 3 years someone in the government notices the issue. Congressman Edward Markey totally freaks out and… demands that Christopher Soghoian be immediately arrested.
- Today, the FBI paid Christopher a visit and politely told him to take down his site.
- Boarding passes remain insecure…
Apparently, Christopher was not labeled an enemy combatant, and he was not sent to a secret torture prison without a sentence. But he came very close to it. The next person who implements an application that exploits known vulnerabilities in the airport security systems may not be so lucky.
Can someone explain to me how in the hell we managed to make airline travel 90% less convenient in the last few years, but haven’t fixed the most fundamental, rudimentary security issues that have been publicly known since 2003?
The sad part here is that if Christopher’s app had not ended up on the front page of digg, slashdot and boingboing and in Wired magazine, no one would care about this. The only reason anything has been done is because some jackass in congress felt embarrassed that the story of the gigantic failure to secure our airports is making the rounds in the tech news networks.
The response to the problem is also a classic – punish the security researcher, make his findings inaccessible to the general public and then just hope that no other programmer in the world can figure out how to exploit the same vulnerability.
With an attitude like that, we will never have good airport security.
Update Sun Oct 29 22:14:53 EST 2006 → apparently the FBI busted Christopher’s door in the dead of the night, ransacked his house, and confiscated all his computers and other personal belongings. This is after he took down the website and was interrogated. This sucks. Sigh…