Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×

FBI Raids Security Researcher's Home 516

Sparr0 writes, "The FBI has raided the home of Christopher Soghoian, the grad student who created the NWA boarding pass site. Details can be found on his blog including a scanned copy of the warrant. The bad news is that he really did break the law. The good news is that Senator Charles Schumer did it first, 19 months ago, on an official government website no less. The outcome of this trial should be at least academically interesting. At best, it could result in nullifying some portion of the law(s) that the TSA operates under." Read on for Sparr0's take on what laws may apply in this case.

Boiling down some of the legalese, the charges (if any are filed) will be "conspiracy to knowingly present a false and fictitious claim upon or against the United States, or any department or agency thereof in violation of USC 18 (secs. 2, 371, 1036, 1343, 2318) and USC 49 (secs. 46314 and 46316) and 49 CFR (secs. 1540.103 and 1540.105)" (edited for brevity).

This discussion has been archived. No new comments can be posted.

FBI Raids Security Researcher's Home

Comments Filter:
  • by Salvance ( 1014001 ) * on Saturday October 28, 2006 @07:10PM (#16626704) Homepage Journal
    Even faced with potential jail time, some people have a burning desire to be in the limelight. I wonder why Christopher Soghoian didn't just create a site anonymously. It would likely have the same effect, and he'd stay out of prison.

    It's unfortunate that exposing holes in our security gets no press until someone actually leverages the hole to cause harm. For years before 9/11, the U.S. knew our airports were pitifully insecure, particularly Boston Logan, yet failed to do anything about it. So even though we'll be safer as a result of Christopher's work, he may be in prison. Unfortunately our society aplauds the whistleblower only well after the whistle has been blown, and the government aplauds them almost never at all.
    • by Simon Garlick ( 104721 ) on Saturday October 28, 2006 @07:23PM (#16626826)
      The fact that you think Soghoian should have HIDDEN HIS IDENTITY FROM THE GOVERNMENT in order to identify a flaw in official security processes says a lot about your government.
      • Re: (Score:3, Funny)

        by ResidntGeek ( 772730 )
        He could have put it on gnunet, turned on active migration, waited a few weeks for it to disperse, then post a few mesages on IRC and his blog saying "Hey! check out what I found on gnunet! Why, who could have put that there?"
        • by ricree ( 969643 ) on Saturday October 28, 2006 @07:51PM (#16627102)
          Like others have said, it wouldn't be all that hard for him to have done it anonymously, but he shouldn't have to in the first place.
      • Mod parent up. Disclosure of vulnerabilities improves security for everything, not just software.
        • by jamesh ( 87723 ) on Saturday October 28, 2006 @07:58PM (#16627172)
          Sensible disclosure of vulnerabilities improves security for everyone.

          Thoughtless disclosure has the potential to make things a lot worse. In the software example, if another ping of death exploit were found, simply announcing it to everyone in full would be foolish (unless you wanted to make a point and shame an organisation, then it would be foolish and malicious, and possibly illegal).

          The line between sensible and thoughtless disclosure is a tricky one though. If the secret society of bad guys already know about it then all bets are off, but how do you know?

          "Excuse me bad guys, are you aware that a ping with x, y and z parameters will crash a machine running w OS?"
          "We are now"
          "... doh!"

          It should certainly be illegal for a commercial organisation to fail to respond to notification of a vulnerability in their software, but again, under what parameters? Does Microsoft have any obligation to fix holes in Windows 95? Is there any obligation to fix holes in Linux 1.x.y? (and who's obligation is it?)

          There should be answers to all of these questions though, and a protocol to follow, so that this sort of mess doesn't happen.
          • by chazwurth ( 664949 ) <cdstuart@GAUSSumich.edu minus math_god> on Saturday October 28, 2006 @08:14PM (#16627332)
            The line between sensible and thoughtless disclosure is a tricky one though. If the secret society of bad guys already know about it then all bets are off, but how do you know?

            In this case, the vulnerability had been made clear by others months prior to this disclosure. In fact, this wasn't so much a disclosure as much as it was a public demonstration of just how easy it is to exploit the already known vulnerability. ...unless you wanted to make a point and shame an organisation, then it would be foolish and malicious, and possibly illegal.

            Attempting to shame an organization isn't necessarily foolish and malicious. If that organization is a government body charged with insuring your safety, and it is failing spectacularly to do so, you might desire to shame it publicly in order to improve its behavior. Illegal, I'll grant -- and often the law is unjust.
            • Sorry for the unreadability of my last post. Insert a line break before the ellipsis and it will become much clearer.
            • Re: (Score:3, Informative)

              by Zeinfeld ( 263942 )
              In this case, the vulnerability had been made clear by others months prior to this disclosure. In fact, this wasn't so much a disclosure as much as it was a public demonstration of just how easy it is to exploit the already known vulnerability.

              Yes which is precisely why it will probably be possible to persuade the Feds not to prosecute in this particular instance.

              I absolutely disagree about putting the information up on the Freenet, that would have made the legal problem much much worse. In addition it

          • by jd ( 1658 ) <imipakNO@SPAMyahoo.com> on Saturday October 28, 2006 @09:31PM (#16627962) Homepage Journal
            ...of what the bad guys know is to tell them and mark it off on the list. Anything else is down to chance.


            The chance of them knowing is the probability of them finding the information multiplied by the probability of knowing the value multiplied by the probability of producing a workable exploit.


            The chance of you knowing if they know is the probability of them knowing multiplied by the probability of you knowing who the bad guys even are, multiplied by the probability of obtaining real information (they can jam anyone monitoring them by flooding the information space with junk information), multiplied by the probability of you knowing you even have real information, multiplied by the probability of being able to determine what the information actually means.


            Counterintelligence is an exceptionally difficult field with a painfully poor track record. Most published successes have been by a series of sheer fluke events and staggering luck. Most published failures were unlikely to be anything else. We don't know about the unpublished stuff, but percentagewise, are we more likely to see bragging over achievements or failures, if both can be equally hidden?


            I'm not saying that everything should be published, merely that it should not be assumed that not publishing is the same as others not knowing.


            Now, can a case ever be made for publishing everything? Yes. Game Theory requires that all "full information scenarios" have a strategy for one side and one side only that will ALWAYS result in the winning conditions being met, no matter what the other side does. It is possible to imagine situations, particularly in computing where there is essentially no randomness and a "full information scenario" is possible, where the outcome can be guaranteed, if you want it to be.


            No matter what anybody else might say, it is not the job of an enemy to make your life easy, so we shouldn't expect them to. We should expect them to do the researcxh, the legwork, the analysis to figure everything out. They might indeed just wait until someone tells them, but that should be a bonus. It should not be your modus operandi. In computer security, you must assume that there are opponents out there who could have all of the industry-standard backdoor passwords, a complete printout of every Operating System and network device QA test that failed and got overlooked, and a copy of the highest-end vulnerability scanner the commercial sector has going for it.


            Hell, we know that a Russian spammer got a tier-1 backbone provider to turn off Blue Frog's Internet connectivity. Turning off a link like that is very traceable, but appears to have been regarded as mere amusement for the backbone provider. The same provider is hardly likely to show scruples when it comes to handing out internal or commercially-sensitive data, software or anything else. Given the repeatedly low scores on security for many US government departments and the almost routine mishandling of classified data, there are probably those in the information black markets who know more national secrets than the entire White House combined. If one backbone provider is riddled with corruption and pwned by organized crime, then we must assume that such people are unlikely to be avoiding big money out of a sense of decency and moral fortitude.


            But if the most dangerous people have the most dangerous information already - and that includes whatever terrorists might actually exist - then most of the obscurity only serves to increase the value of what has already been stolen. This makes the thieves rich, the criminals dangerous, and the politicians popular for appearing to do something, but it doesn't make anyone else - users, vendors, bystanders - any better off at all. Illusions are fun on the stage, but they should be left there.

          • by Kanaka Kid ( 829457 ) on Saturday October 28, 2006 @11:20PM (#16628692)
            From Senator Schumer's (D-NY) Feb 13, 2005 Press Release: [senate.gov]

            Schumer today laid out the following scenario in which someone on the terrorist watch list can get through airline security undetected:

            1. Joe Terror (whose name is on the terrorist watch list) buys a ticket online in the name of Joe Thompson using a stolen credit card. Joe Thompson is not listed on the terrorist watch list.

            2. Joe Terror then prints his "Joe Thompson" boarding pass at home, and then electronically alters it (either by scanning or altering the original image, depending on the airline system and the technology he uses at home) to create a second almost identical boarding pass under the name Joe Terror, his name.

            3. Joe Terror then goes to the airport and goes through security with his real ID and the FAKE boarding pass. The name and face match his real drivers license. The airport employee matches the name and face to the real ID.

            4. The TSA guard at the magnetometer checks to make sure that the boarding pass looks legitimate as Joe Terror goes through. He/she does not scan it into the system, so there is still no hint that the name on the fake boarding pass is not the same as the name on the reservation.

            5. Joe Terror then goes through the gate into his plane using the real Joe Thompson boarding pass for the gate's computer scanner. He is not asked for ID again to match the name on the scanner, so the fact that he does not have an ID with that name does not matter. [Since Joe Thompson doesn't actually exist it does not coincide with a name on the terrorist watch list] Joe Terror boards the plane, no questions asked.

            Based on the above press release by a US Senator, shouldn't Schumer be charged with similar crimes?

        • Re: (Score:3, Insightful)

          by monkeydo ( 173558 )
          This isn't disclosure of a vulnerability. This vulnerability has already been disclosed and beaten to death (on the floor of the US Congress even). It was discussed by Schneier and others as soon as the ID checks at the gate stopped. What this guy did was much more like publishing an exploit script. It's even worse than that, since he was actually generating the fake documents for people.
      • Re: (Score:2, Interesting)

        He didn't have to publicly supply a way to bypass security. That is endangering everyone unnecessarily. First he should have contacted the airport security officials privately about it. If they did nothing, he should have then announced that he had found a way to bypass security, but not given any specifics. If they still did nothing, he should have publicly reported the problem.

        It's like someone showing burglars into your home to show you that you have a security problem, before they even tell you.
        • Re: (Score:2, Funny)

          by Anonymous Coward

          Maybe he shouldn't have bothered at all.

          That would have been best for him.

          If you find a flaw in a security system, you should be treated as a rock star for a few days.

        • by psykocrime ( 61037 ) <mindcrime@cpphacker . c o .uk> on Saturday October 28, 2006 @09:00PM (#16627698) Homepage Journal
          He didn't have to publicly supply a way to bypass security.

          He didn't.

          That is endangering everyone unnecessarily.

          No, it's not. As plenty of others have already pointed out, it doesn't matter if Osama f'in Bin Laden is sitting
          in the seat beside you on your flight... As long as he doesn't have a bomb, or any other means of creating problems
          on the flight, the fact that it's Osama is irrelevant. So these fake boarding passes *might* help somebody
          get on a plane who isn't allowed... big deal, they will still be searched, run through a metal detector, bomb-sniffing
          crap, etc. This is completely insignificant from a security standout.

          And even if it were a security flaw, people have to realize that with freedom comes danger. It's probably a little bit more
          dangerous to live in a very free country, than one with a strict totalitarian regime who controls every movement everybody makes... but most
          people will take that tradeoff. I know I sure will. "Give me Liberty or give me Death" is not just a cute sound bite to me.
          • by FractalZone ( 950570 ) on Sunday October 29, 2006 @08:50AM (#16631554) Homepage
            "It's probably a little bit more dangerous to live in a very free country, than one with a strict totalitarian regime who controls every movement everybody makes... but most people will take that tradeoff."

            One can only hope that most people see their freedom/liberty and individual rights being slowly eroded in the name of (bogus) safety.

            I don't know about you, but I have never been directly adversely affected by a terrorist or some obvious act of terrorism (not the namby-pamby kind of "terrorism" that involves nothing more than someone feeling uncomfortable or vaguely threatened).

            On the other hand, the War on Terrorism, like the War on (Some) Drugs, and every other crisis the U.S. government invents to further its agenda, to the detriment of the best interests of the people and in direct opposition to its ostensible reason for being, namely to uphold the Constitution of the United States, is making my life (and quite probably that of most people reading this) worse on a regular basis.

            These days, unlike when I was a teenager, the equivalent of the Gestapo goon's order, "Your papers, please!", is very real in the USA. The jackbooted thugs are not Nazi Germans, but rather TSA, BATF, DEA, EPA, and FBI agents as well as other minions of the federal government and their state and local bully boys.

            Why should any average person, engaged in ordinary behavior be expected to carry ID, much less present it like a good little subject/ward of the State?

            Of course, I may be out of touch...I remember when the very notion of patenting an idea was considered absurd. Software patents would have been dismissed as ludicrous. So it goes...downhill. I also remember when I could go to the airport, buy a ticket (paying with cash if that was my preference), get on a plane and travel, effectively anonymously as one's stated name was simply accepted, and arrive at my chosen destination (within the U.S., anyway); never feeling the presence of any government agency looming over me (with the remote exception being the FAA :-).

            It all boils down to this: Who do you want controlling your life (and the lives of the people you interact with on a daily basis) -- you (and them), or Big Brother armed with the latest high tech surveillance gear, weaponry and a nearly complete disregard for the Constitution?

            I'll take my chances when I get on a flight to Las Vegas that some rabid anti-abortion, anti-gambling activist group has not decided to hijack the plane and crash it into Caesar's Palace as some sort of protest against all the imagined evils that it's members think Sin City represents.

            I know, based on statistics and documented history, that I am far more likely to be harmed by government than I am by an organization such as Al Quaeda. Taxes taken out of my pocket to fund these government Wars on This, That, and The-Other-Thing which just happen to make me less free are definitely a threat to my well being. Are you any different?

            For liberty,
            Fractalzone
        • Re: (Score:3, Insightful)

          by Salvance ( 1014001 ) *
          While his actions do endanger everyone's security, I disagree that he could have pursuaded officials to make security changes just by publicly announcing the flaw. If Senator Charles Schumer couldn't get security officials and Northwest to change their policies (which he tried to do), how can a grad student? The only way is to publicly bypass the security and make people worry.

          It's no different than computer viruses. Nobody really cares too much about computer security until they get their first viru
        • by Anonymous Coward on Saturday October 28, 2006 @09:36PM (#16627990)
          He didn't have to publicly supply a way to bypass security. That is endangering everyone unnecessarily. First he should have contacted the airport security officials privately about it. If they did nothing, he should have then announced that he had found a way to bypass security, but not given any specifics. If they still did nothing, he should have publicly reported the problem.
          He was acting towards the end of your suggested sequence of events, it has already got to the point of being publicly reported - what Soghoian did was effectivly bring it to the public's attention.
          • This was such an obvious flaw - one could reasonably assume security officials knew about it
          • Many others - including Senator Schume, and Slate Magagine (http://www.slate.com/id/2113157/) had drawn attention to this "vulnerability" prior to Soghoian
          • Soghoian had tried to publicise the problem previously without sucess - then he had his brilliant idea of producing his PHP script to demonstrate the ease with which the vulnerability could be exploited - only by doing this did he really succeed in fulfiling his duty to publicly report the problem. He has done a better job than either the Senator or Slate Magazine or the others who knew about this flaw in bringing it to the public's attention - he should be applauded for doing that.
          • The fact that he has published on anonymity Preserving in P2P Networks strongly suggests that he could have acted anonymously if he had wanted to (or felt he needed to)
          I am quite shocked that if Slashdot was the Jury, and the Jury's opinions were the initial opinions of the individual Jurors and not those of the Jury acting as a committee following deliberation that we wouldn't have unaminously aquited Soghoian. I'm in the UK - and this scares me - given the state of the extridaition arrangements the UK has agreed to with the USA and the potential for indefinate imprisonment in the US for non-citizens. I've been to the US twice on business this year, reading this and the countless articles like it will certainly make me think twice before arranging another trip.
    • by bfields ( 66644 ) on Saturday October 28, 2006 @07:40PM (#16626988) Homepage
      I wonder why Christopher Soghoian didn't just create a site anonymously.

      He's one guy, he's young, and he's been entirely open and straightforward about why he's doing this--that gives him a much better chance to shame the TSA. It would've hurt his case (with the public, at least) if he'd looked furtive.

      And someone with determination (not to mention search warrants) could probably figure out who he was eventually anyway.

      Unfortunately our society aplauds the whistleblower only well after the whistle has been blown

      Well, I'm applauding.

      You can also contribute to his legal defense fund [blogspot.com], if you'd like to show your support.

      • by niiler ( 716140 ) on Saturday October 28, 2006 @07:59PM (#16627178) Journal

        If the government thinks that he is enabling the "terrorists", they may also see contributing to his defense fund as contributing to terrorists which would result in your loss of habeas corpus. That said, while I have mixed feelings about what he has done (in terms of leaving his identity out there vs. taking a clearly political stand), I do feel that his is a worthy cause.

        Just my 0.02 cents.

    • We won't be ANY safer after Christopher's work. Not because he was wrong about his claims but because he is right. We only have security theatre.

      No rational allocation of resources would have beefed up passenger screening after 9/11. I don't care if you do get a AK-47 on a plane nowadays you won't be able to hijack it and crash it into a building for the simple reason that the people on the plane KNOW they will die if they let you fly the plane.

      9/11 was a one time deal. It worked because no one expected
  • by CrazyJim1 ( 809850 ) on Saturday October 28, 2006 @07:11PM (#16626712) Journal
    They're straight out of Compton yo.
  • by hsmith ( 818216 ) on Saturday October 28, 2006 @07:14PM (#16626758)
    The gov't doesn't like to look bad. They don't like flaws being publically seen of their great "system" of boondoggles which they have created.

    We all now the TSA is a scam, we all know we are not one bit safer, we all know the airways are no better than they were before 9/11. Just a great hat trick.
    • He's going to be charged with "conspiracy to knowingly present a false and fictitious claim upon or against the United States, or any department or agency thereof in violation of USC 18..." So they are saying he's lying about TSA security sucking ass? Ahahah...I can't describe the irony and stupidity. They will basically have to defend their stupid policies in court.
      • So they are saying he's lying about TSA security sucking ass?

        No, they are saying he's lying by presenting a fake boarding pass to TSA agents, or making it easy for other people to do so.
    • We all now the TSA is a scam, we all know we are not one bit safer, we all know the airways are no better than they were before 9/11.

      That's not true. This particular measure has proven to be very effective in preventing terrorists from boarding a plane when they forgot to buy a ticket. Combined with preventing repeat suicide hijackers from buying plane tickets, it's almost foolproof, as long as you assume terrorists don't have access to computers.

      Personally, I like Ann Coulter's idea of having some seco

  • For his sake (Score:5, Insightful)

    by Lord_Dweomer ( 648696 ) on Saturday October 28, 2006 @07:16PM (#16626782) Homepage
    For his sake I'm glad this is getting so much coverage. Not only will it hopefully make a lot of America realize how dumb our government is, and make them realize that Democrats can be just as authoritarian as Neocons...but most importantly, it makes it near impossible for the Feds to "disappear" him because he has the media spotlight on him and the second he goes missing the entire internet will raise a royal hell storm. And that is a PR shitfest that the GOP definitely does not want to have on their hands, especially around election time.

    Of course, at this point...I wonder if they even care that the public would be aware.

    • by Simon Garlick ( 104721 ) on Saturday October 28, 2006 @07:26PM (#16626848)
      the second he goes missing the entire internet will raise a royal hell storm

      Oh no, not a hell storm of nerds posting anonymous comments on Internet messageboards! Anything but that!
      • Re: (Score:3, Interesting)

        Oh no, not a hell storm of nerds posting anonymous comments on Internet messageboards! Anything but that!

        I'm actually referring to the mass media who will be picking this story up, posting it online, and informing the unwashed masses about the situation. The internet is FAR more than anonymous nerds these days, perhaps you'd better re-evaluate your statement.

  • At least we know that he was arrested and charged, not undergoing extraordinary-rendition. Sadly without the prior publicity stating his intent, this may not have been the case.
    • by smchris ( 464899 )
      Your knowledge can be rendered retroactively confidential.

      It isn't like nobody saw this coming or anything, is it?

      • Not a terrorist (Score:2, Insightful)

        by suso ( 153703 ) *
        This guy is not a terrorist, he's a security researcher. I live in Bloomington as well and work with a guy who is taking a cryptographic protocols class with Chris. He says that Chris is a decent guy, which is probably the case. I for one commend Chris for releasing this kind of information to the public. Even if he had released it to the FAA or Northwest Airlines, its doubtful that the public would have ever known. He is simply doing what most security researchers do, its just that his research coinci
        • No, he was grandstanding. There are PLENTY of people in the media who would have taken this story, right around election time especially, wihtout actually making a page that facilitates the action. He didn't have to go to the lengths he did. Was it malicious? I don't think so. Should he be punished? Again I don't think so, though legally he could be. It was, however, not a very smart move unless he was willing to do time in order to bring this to light.

          There are SO many ways he could have gone about rai
  • Conspiracy? (Score:3, Interesting)

    by TubeSteak ( 669689 ) on Saturday October 28, 2006 @07:17PM (#16626788) Journal
    A conspiracy with who?
    • by jamesh ( 87723 )
      I always thought that a conspiracy could also refer to a plan made by a single person, but the dictionary is pretty clear that it means a group of 2 or more people getting together to do bad things. Possibly it is inferred that the offender here is giving the means to do wrong to others.

      Sounds a bit vague though... unless the law in question has a different meaning for conspiracy?
      • I remember reading Shakespeare in high school ... so many words had changed their meanings over the intervening centuries that the text was peppered with footnotes explaining what a particular word meant back in the Bard's time. I found it very hard to get into the flow, since I was constantly referring to the bottom of each page.

        The law is much the same, only worse given the near-unintelligibility (to the layperson) of what our esteemed misrepresentatives sign into law every day. That, in and of itself
  • Legal Defense Fund (Score:4, Informative)

    by Anonymous Coward on Saturday October 28, 2006 @07:18PM (#16626804)
    Soghoian is setting up a legal defense fund. You can learn more and donate at
    http://slightparanoia.blogspot.com/2006/10/legal-d efense-fund.html [blogspot.com]
  • If you are going to throw all the kings tea in the harbor, you make sure you and your friends are dressed in disguise and have plausable deniability.

    Honestly, with the incredible smarts we have today, why dont you experts learn from the past espically with the incredible insanity and lack of freedom we have today.

    Personally I really hope he does everything possible to make sure the case and events are in the news and getting LOTS of attention, because that is the only way this will be able to be won.
    • Look at the bottom. Look at all those people who signed their names instead of putting "John Doe".

      Freedom requires that people stand up, publicly, for what they believe in. That is why the 1st Amendment reads:

      Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.

      Simply striking against a conve

      • by Lumpy ( 12016 ) on Saturday October 28, 2006 @08:38PM (#16627536) Homepage
        And that did that AFTER they were of a size of group that was not easily quietened or disappeared. Until then you HAVE to be the silent dissent that they cant put a finger on. Only after your numbers are large enough that you can put up a fight and they have to think twice before arresting you and hanging you for treason.

        The founding fathers did not sign that document and then nailed a copy to the kings door when it was only 8 of them. They did that quietly and only AFTER they had sufficient strength to overcome the oppression that would be sent when they made their intentions public.

        THAT is the difference. If the article's author got 30-40 researchers and professors to all stand together and say "screw you Homeland security! you give us NO security!" and then published the proof to that effect, the FBI would not have raided their homes in 24 hours, a cowardly senator would not have opened his big trap against them and the government would have had to treat them very VERY differently.

        A single person is easily opressed and removed. a larger group, specifically a group that is well known is not.
    • In the infosec consulting world...

      1. Point to an unlocked door and scream loudly.
      2. Publicity.
      3. Arrest.
      4. People falling all over themselves to aquire your now LIGITIMATE services. (ie: Profit!!!).

      Oh, and it won't work if you are anonomous, you must be open and "shocked, SHOCKED, I tell you.".
  • The kid has a legal defense fund in the event that he can't find a lawyer to take the case Pro-Bono.

    http://slightparanoia.blogspot.com/ [blogspot.com]

    Scroll down to the "Donate" link.

    Let's help him out.
  • by dada21 ( 163177 ) * <adam.dada@gmail.com> on Saturday October 28, 2006 @07:29PM (#16626874) Homepage Journal
    1. "If you don't like it, move away." Considering the fact that Congress is severely limited by the Constitution in creating NO law that infringes on our God-given (or inherent, if you prefer) right to speak freely on our property, the laws listed above have nothing to do with what he did. In fact, his website IS his property, he rents it, and he's protected. Congress here should be the ones behind bars for continuing to violate the Constitution they took an oath to uphold.

    2. "He broke a law, he should go to jail." The court system should be mandated to tell the jurors in all trials about their right to nullify terrible laws. Jury nullifaction is more than a priviledge, it is a right even greater than serving on a jury.

    3. "He didn't do anything wrong." This shouldn't matter either way unless he violated someone's property or person himself. I find it outrageous that people are arrested for inciting violence -- the gun doesn't kill, the inciter doesn't kill, it is the person who physically performs a violent act that is the cause of the violence. Not only did he do nothing wrong, we shouldn't even be considering whether or not he did or didn't. Did he harm anyone physically? Did he physically steal anything? Did he trespass?

    On top of those 3, we should also realize that the laws pertaining to security are 100% unconstitutional. The airplanes are private. The airports should be privatized (I can't see how airports could be considered federally-regulated properties). The passengers are generally private citizens. The Constitution is clear on this, too -- it should be left up to the individual States and the people.

    This is what you get when you have democracy -- even a republican form of it.

    "Democracy is the most vile form of government...democracies have ever been spectacles of turbulence and contention: have ever been found incompatible with personal security or the rights of property: and have in general been as short in their lives as they have been violent in their deaths." James Madison

    "Democracy... while it lasts is more bloody than either [aristocracy or monarchy]. Remember, democracy never lasts long. It soon wastes, exhausts, and murders itself. There is never a democracy that did not commit suicide." John Adams

    The U.S. isn't going to hell in a handbasket, it's been there since 1913 (or 1865, if you consider the traitor Lincoln's actions).

    Thankfully, there are a great number of opportunities to vacate from the system without leaving the lands of the "Nation." I can only hope that more freedom lovers just stop voting for authority and move forward to taking that authority back.
    • Re: (Score:2, Interesting)

      by Anonymous Coward
      1. "If you don't like it, move away."
      You already pointed out that this point of view is morally bankrupt. It also may not be an option in the future. There's a rule inching toward approval to let the DHS deny permission to leave the country [hasbrouck.org].
    • Comment removed based on user account deletion
    • You fail to see the difference between a constitutional republic and a democracy. I doubt you even know what "tyranny of the majority" would mean or what kind of significance that would have. US is a constitutional republic not a democracy. Your quotes are quite the sentiment the founding fathers had about democracies.

      "The two great points of difference between a democracy and a republic are: first, the delegation of the government, in the latter, to a small number of citizens elected by the rest; secondly,
    • 2. "He broke a law, he should go to jail." The court system should be mandated to tell the jurors in all trials about their right to nullify terrible laws. Jury nullifaction is more than a priviledge, it is a right even greater than serving on a jury.

      Jury nullification in this case serves no long-term purpose. Sure, it could get this kid off the hook, but that's about it. The possibility remains that a future jury will convict rather than let someone off.

      On the other hand, strict application of the law an
  • Has anyone here used the script to make a fake boarding pass? Me, I took a look at the head line and didn't even dare look at the page. I had the feeling it was going to be a bit messy.

    I was just wondering if anyone used it and had a visit from the ever so friendly FBI.
    • The FBI is going to break into your house just for reading this slashdot article! You are now an enemy of the state!
  • by Anonymous Coward on Saturday October 28, 2006 @07:41PM (#16627020)
    Dear Senator,

    I would like to bring your attention to the outrageous behaviour our government agencies have displayed regarding the matter of security researcher Christopher Soghoian's comments on the TSA security procedures.

    Quite frankly the FBI raid on his premises are beyond comprehension for a country that preaches freedom and respect for human rights.

    Not only would I like you to help in resolving Christopher's plight, I would also ask that you investigate and bring to the public's attention the true nature of the effectiveness of the TSA policies as well as to the rather offensive nature of the "secrecy" of the policies upheld by the organization.

    Public transparency of the government is very important to me and any help you can give to avoid being virtually disenfranchised due being unable to evaluate the performance of my elected officals is critical.

    Sincerely
    • by sporkme ( 983186 ) *
      I sent Markey a letter. I feel sorry for the poor intern that has to respond to a bunch of angry geeks. I basically accused him of campaigning on the stump of homeland security by grasping for the first straw dog he could find. I explained that many of us feel that it was sensible, brave and patriotic to expose the blatantly obvious without obscuring his identity. I pointed out that people are not sure which to fear more these days, Osama Bin Laden, or Uncle Sam. some other things, too I would post the l
  • by davecb ( 6526 ) * <davecb@spamcop.net> on Saturday October 28, 2006 @07:43PM (#16627036) Homepage Journal

    And so a corollary is that any security researcher who exposes a risk or danger is a criminal (;-))

    --dave

  • The only way to get this situation under control.
  • by Beryllium Sphere(tm) ( 193358 ) on Saturday October 28, 2006 @07:49PM (#16627088) Journal
    Senators have constitutional immunity for what they say in the Senate. That might extend to his official website, though Proxmire set a precedent that points in the opposite direction.

    More to the point is that Bruce Schneier was pointing out the boarding pass problem in _2003_.
  • by TheSHAD0W ( 258774 ) on Saturday October 28, 2006 @07:52PM (#16627112) Homepage
    The man affirmed that he created the page, the FBI had plenty of grounds to charge him. Why search his premises? Looking for other dirt to kick up in case the judge disagrees with the prosecutor?
    • Re: (Score:2, Insightful)

      by jtobin ( 988724 )
      Possibly, but most likely to scare him. Especially given that they raided his house at 2AM. Their goal seems to be to try to frighten people out of questioning the authorities and the 'security' measures they've put in place (even when they're fundamentally flawed, ad in this case).
    • by loraksus ( 171574 ) on Saturday October 28, 2006 @08:34PM (#16627496) Homepage
      Harassment, mainly. He is looking at a period of several months and several appearances in court and discussions with his lawyer before he gets his computer and personal property back, assuming they aren't "lost" in the system.

      The repairs for any damage that the FBI did, include the maliciously broken window (really, the FBI doesn't know how to pick locks?) will come out of his pocket.

      And yes, now they can scan his hard drive for whatever they want, im / chat logs, "kiddie porn" (aka porn involving a girl who faked her ID, even if it is sold through regular channels under the belief that it is legal - it just takes 1 of these to get a mandatory sentence of several to a dozen years in prison, depending on the state).
      Anything that can be used for character assassination will be. It doesn't help that that congressman who is trying to look tough on terrorism opened his mouth either.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      The man affirmed that he created the page, the FBI had plenty of grounds to charge him. Why search his premises?

      According to his journal, the idiot talked with the FBI prior to the search warrant being issued. It didn't sound like he had a lawyer with him, either. Who knows what he blabbed about that could be used as cause for a warrant and additional charges.

      His blabbing almost certainly strengthened the government's case on the charges already in progress, too. Now, those words can be twisted and used aga

  • Boiling down some of the legalese, the charges (if any are filed) will be "conspiracy to knowingly present a false and fictitious claim upon or against the United States, or any department or agency thereof in violation of USC 18 (secs. 2, 371, 1036, 1343, 2318) and USC 49 (secs. 46314 and 46316) and 49 CFR (secs. 1540.103 and 1540.105)" (edited for brevity).

    So, in English, this means what? Slander/liable against the US government? So, if I say "Bush has an ass the size of Texas", I should expect the

    • Re: (Score:3, Funny)

      by PhxBlue ( 562201 )

      So, if I say "Bush has an ass the size of Texas", I should expect the FBI soon?

      No, that's only a wrong word choice. It should read, "Bush is an ass the size of Texas."

  • Title 18, 1036, 1343, and 2318

    Attempting to enter a vessel by false pretenses: [cornell.edu]

    Fraud by wire: [cornell.edu]

    Trafficking in counterfit labels: [cornell.edu]

    Personally I think he'll be vindicated of everything. Pointing out a security flaw is not an attempt to enter a vessel, commit fraud, or traffick in anything.
  • I haven't checked the cited sections of the US Code, but it doesn't appear to me that he violated any of the cited sections of the CFR. It's possible that a third party might have, without his knowledge, used the boarding pass generator to violate these regulations.

    The CFR 49 regulations say that:

    You can't make a fraudulent or intentionally false statement in any application for an identification medium. He didn't. Since he didn't hand a generated boarding pass to a TSA officer, he didn't make any applic
    • Re: (Score:3, Insightful)

      by ScrewMaster ( 602015 )
      Doesn't matter. I don't even think the FBI much cares if they win or lose the case, or if it even goes to trial. What does matter is that they've terrified some other potential geeks from publishing anything else negative about the TSA or other government organ. It's a win-win from their perspective. Pretty much a lose-lose from where I'm sitting ... free speech takes another hit. This is exactly the kind of situation the Founders envisioned when they came up with free speech and plugged it into the Constit
  • by oohshiny ( 998054 ) on Saturday October 28, 2006 @08:26PM (#16627440)
    Notice how in all this discussion, everybody is implicitly assuming that the watch lists are actually worth anything. In fact, I think the reason this hole has existed for several years without any problem due to them is that the watch lists simply don't make any difference at all.

    Which raises the question: why have the watch lists in the first place? I think they are more psychological than anything else: they give the impression that there is a continuing threat, they give the impression that the government is doing something, and they make people willingly give in to controls that they previously wouldn't have considered. Remember: you used to be able to travel across this nation without the government being able to track your every step.
    • by loraksus ( 171574 ) on Saturday October 28, 2006 @08:52PM (#16627640) Homepage
      60 Minutes did a great segment about the the No Fly list (titled "Unlikely Terrorists On No Fly List") which aired 2006-10-08.
      Great piece and it is pretty much guaranteed that you'll feel the watch lists are a joke (or a bigger joke) after you watch it.

      It's on their annoyingly bad website. These links should work.
      Video [cbsnews.com]
      Article [cbsnews.com]

      And "Security Theater" is an excellent way to describe the "security" measures that have been enacted over the past few years.
  • No, not necessarily (Score:2, Interesting)

    by RKThoadan ( 89437 )
    "He really did break the law?" I don't think so, but I'm not qualified to make that statement and neither are you. It takes a judge or a jury to say that. To me, it doesn't appear that he conspired to do any such thing. He simply wanted to public to realize how insecure it really was. It sounds like this law requires such intent. There is also the question of whether Northwest Airlines would be considered a Government agency or department for the purposes of this law.
  • by kaltkalt ( 620110 ) on Saturday October 28, 2006 @08:33PM (#16627482)
    Even if he did break a law, and I'm a lawyer and I'm far from convinced that he did, this is a prime example of when the US Attorney should use some prosecutorial discretion and, after investigating the matter and being content with the subject's explanation as to what happened and why he did what he did, decide not to prosecute. The worst thing this guy did was act imprudently. No terrorists got on airplanes, nor could they have. The best thing this guy did, and I don't think there is any question about his intentions, is to bring attention to a security flaw. He took down the website when asked (maybe even prior to that) and nothing bad resulted from his actions. He had no intent to hurt anyone, no intent to steal or deprive anyone of property, and no intent to help anyone actually break the law. So, even if he could be prosecuted, he shouldn't be. Not everyone who breaks the law should be charged with a crime.
    • A good time for prosecutorial DISCRETION

      Right, like the prosecutor assigned to this case doesn't have a stiffy right now because if he wins he will be known as "the prosecutor who put the fraudulent ticket terrorist behind bars" (which will only help his future political career).

      I could just have a slanted view of the legal system, but I have not once seen a prosecutor that has used any sort of common sense in the United States. It seems that the majority of prosecutors are sociopaths who just want to carve
  • Legal Defense (Score:3, Interesting)

    by BertieBaggio ( 944287 ) * <bob@noSPAM.manics.eu> on Saturday October 28, 2006 @08:34PM (#16627500) Homepage

    The fact that he is going through this for pointing out a flaw is pretty horrifying. That said, hopefully the justice system will 'do justice' to keep this guy out of prison. Even still at best he's going to be pretty shaken up by this for a while to come, and probably be out a fairly sizable chunk of money in legal defense; at worst, he's gonna have a pretty horrible time (can't check punishments as all but final 2 of the USC links The Fine Summary are 404s). All for pointing out what should be a fairly apparent flaw in a 'security' system. I guess the guys at the FBI just like arresting folk [wikipedia.org] for things like that. Hell, why didn't they arrest Andy Bowers of Slate for his research / article [slate.com] too?

    Also, can some pro-2nd amendment folk go and give him some "legal defence"? You know, protect people from the government and all that... ;-)

    • Re: (Score:2, Insightful)

      by ThatGuyPat ( 1004821 )
      "The fact that he is going through this for pointing out a flaw is pretty horrifying."

      Pointing out a flaw and developing a tool to exploit it are two different things.
  • My letter to Congressman Markey can be seen here: http://www.gather.com/viewArticle.jsp?articleId=28 1474976826167 [gather.com]

    I encourage all other security professionals to do the same.

  • by PhunkySchtuff ( 208108 ) <kai&automatica,com,au> on Saturday October 28, 2006 @08:53PM (#16627644) Homepage
    My dictionary definition of a terrorist:
    terrorist noun A person who uses terrorism in the pursuit of political aims.
    terrorism noun The use of violence and intimidation in the pursuit of political aims.

    I quote from his blog [blogspot.com]:

    I didn't sleep at home last night. It's fair to say I was rather shaken up.

    I came back today, to find the glass on the front door smashed.

    Inside, is a rather ransacked home, a search warrant taped to my kitchen table, a total absence of computers - and various other important things. I have no idea what time they actually performed the search, but the warrant was approved at 2AM. I'm sincerely glad I wasn't in bed when they raided the house. That would have been even more scary.


    This is a case of classic police-state gestapo tactics.
    This guy hasn't done anything wrong, he hasn't even hilighted a previously unknown security flaw, and now he's subject to this kind of treatment...
  • This guy should get a medal and the senator should get a severe case of ass-kicking.
    Congressman Markey is either dumb or incomptent to believe that closing eyes and ears to gaping security flaws and loudly chanting *our security is perfect* *our security of perfect* will magically prevent them from being exploited by a do-no-gooder. For heavens sake, Senator Schumer pointed out a similar exploit and NOTHING happened to fix it. *our security is perfect* *our security is perfect*.
    I wish Congressman Markey w

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...