Congressman Markey, thank you for taking the time to look closer at this situation, and to hear the voice of the security community.

“On Friday I urged the Bush Administration to ‘apprehend’ and shut down whoever had created a new website that enabled persons without a plane ticket to easily fake a boarding pass and use it to clear security, gain access to the boarding area and potentially to the cabin of a passenger plane. Subsequently I learned that the person responsible was a student at Indiana University, Christopher Soghoian, who intended no harm but, rather, intended to provide a public service by warning that this long-standing loophole could be easily exploited. The website has now apparently been shut down.

“Under the circumstances, any legal consequences for this student must take into account his intent to perform a public service, to publicize a problem as a way of getting it fixed. He picked a lousy way of doing it, but he should not go to jail for his bad judgment. Better yet, the Department of Homeland Security should put him to work showing public officials how easily our security can be compromised.

“It remains a fact that fake boarding passes can be easily created and the integration of terrorist watch lists with boarding security is still woefully inadequate. The best outcome of Mr. Soghoian’s ill-considered demonstration would be for the Department of Homeland Security to close these loopholes immediately."

MARKEY: DON'T ARREST STUDENT, USE HIM TO FIX LOOPHOLES

The section of law relevant to the fake boarding pass site:

Sec. 1540.103 Fraud and intentional falsification of records.

No person may make, or cause to be made, any of the following:

(a) Any fraudulent or intentionally false statement in any application for any security program, access medium, or identification medium, or any amendment thereto, under this subchapter.

(b) Any fraudulent or intentionally false entry in any record or report that is kept, made, or used to show compliance with this subchapter, or exercise any privileges under this subchapter.

(c) Any reproduction or alteration, for fraudulent purpose, of any report, record, security program, access medium, or identification medium issued under this subchapter.

The process as according to Senator Charles Schumer's February 13, 2005 press release:

1. Joe Terror (whose name is on the terrorist watch list) buys a ticket online in the name of Joe Thompson using a stolen credit card. Joe Thompson is not listed on the terrorist watch list.

2. Joe Terror then prints his “Joe Thompson” boarding pass at home, and then electronically alters it (either by scanning or altering the original image, depending on the airline system and the technology he uses at home) to create a second almost identical boarding pass under the name Joe Terror, his name.

3. Joe Terror then goes to the airport and goes through security with his real ID and the FAKE boarding pass. The name and face match his real drivers license. The airport employee matches the name and face to the real ID.

4. The TSA guard at the magnetometer checks to make sure that the boarding pass looks legitimate as Joe Terror goes through. He/she does not scan it into the system, so there is still no hint that the name on the fake boarding pass is not the same as the name on the reservation.

5. Joe Terror then goes through the gate into his plane using the real Joe Thompson boarding pass for the gate’s computer scanner. He is not asked for ID again to match the name on the scanner, so the fact that he does not have an ID with that name does not matter. [Since Joe Thompson doesn’t actually exist it does not coincide with a name on the terrorist watch list] Joe Terror boards the plane, no questions asked.

Media coverage other than Senator Schumer's press release:

* Bruce Schneier (2003): Link
* Sen. Charles Schumer (2005): Link
* Andy Bowers, Slate.com (2005): Link
* Jacob Appelbaum (2005): Link

Being strong on security means exposing a problem and addressing it, not covering it up by punishing the messenger.

"The nail that sticks up gets hammered down." It's one of those phrases that embodies a principle that means different things in different situations, to different people. When a person exposes a problem, is the problem the problem, or is the person the problem? I believe that people of knowledge and ability are our greatest assets.

I think this is directly relevant to what we see unfolding before our eyes right now. On one hand, I have massive respect for the law enforcement agencies that tackle security problems. On the other, I fear their potential to be reactionary rather than mindful of purpose.

If we are to achieve real security, we can not simply opt for the path of least resistance. We must tackle problems rather than brush them under the rug, where they still exist, and can be found by others. As many on this system can attest, exposing security problems is like donning a big target; few are happy to see the messenger.

The manor in which information about a vital problem is exposed must be done ethically, but it is important to remember that ethical (or responsible) disclosure is an area that has no clear black and white distinctions. Many of the gray areas are defined by the means of the messenger. Do not lose sight of the big picture.

It was late 2003, and a contractor, Science Applications International Corp. (SAIC), had spent months writing 730,000 lines of computer code for the Virtual Case File (VCF), a networked system for tracking criminal cases that was designed to replace the bureau's antiquated paper files and, finally, shove J. Edgar Hoover's FBI into the 21st century.

"SAIC was at fault because of the usual contractor reluctance to tell the customer, 'You're screwed up. You don't know what you're doing. This project is going to fail because you're not managing your side of the equation,' " said Kay, who later became the chief U.S. weapons inspector in Iraq. "There was no one to tell the government that they were asking the impossible. And they weren't going to get the impossible."

"That was a little bit horrifying," said Matt Blaze, a professor of computer science at the University of Pennsylvania and a member of the review team. "A bunch of us were planning on committing a crime spree the day they switched over. If the new system didn't work, it would have just put the FBI out of business."

The conclusion: SAIC had so badly bungled the project that it should be abandoned.
"From the documents that define the system at the highest level, down through the software design and into the source code itself, Aerospace discovered evidence of incompleteness, lack of follow-through, failure to optimize and missing documentation," the report said.

Matthew Patton, a programmer who worked on the contract for SAIC, said the company seemed to make no attempts to control costs. It kept 200 programmers on staff doing "make work," he said, when a couple of dozen would have been enough. The company's attitude was that "it's other people's money, so they'll burn it every which way they want to," he said.

Patton, a specialist in IT security, became nervous at one point that the project did not have sufficient safeguards. But he said his bosses had little interest. "Would the product actually work? Would it help agents do their jobs? I don't think anyone on the SAIC side cared about that," said Patton, who was removed from the project after three months when he posted his concerns online.

Last year, FBI officials announced a replacement for VCF, named Sentinel, that is projected to cost $425 million and will not be fully operational until 2009. A temporary overlay version of the software, however, is planned for launch next year.

The project's main contractor, Lockheed Martin Corp., will be paid $305 million and will be required to meet benchmarks as the project proceeds. FBI officials say Sentinel has survived three review sessions and is on budget and on schedule.

The FBI's Upgrade That Wasn't

When checking my email this morning, I was quite infuriated to find a spam email advertising a child pornography site. I submitted the email to the FBI's TIPS page, and got a phone call from them within 3 minutes. Impressive. It's nice to know they watch that thing so closely.

They forwarded me on to the National Center for Missing and Exploited Children's CyberTipline web page, which is apparently the best clearing house to file these type of things.

I figured I'd share this information. It's not a hassle at all to report this stuff when you see it.

FBI Tips and Public Leads

A four-month ABC News investigation found gaping security holes at many of the little-known nuclear research reactors operating on 25 college campuses across the country. Among the findings: unmanned guard booths, a guard who appeared to be asleep, unlocked building doors and, in a number of cases, guided tours that provided easy access to control rooms and reactor pools that hold radioactive fuel.

Why does this not shock me at all?

ABC Investigation Finds Gaping Lapses in Security at Nuclear Reactors