Pointing out Vulnerabilities

When we discuss software vulnerabilities, one topic that constantly comes up, and one of the greatest disagreements, is whether it is best to tell the vendor about a flaw and wait for them to fix it... or to release the information to the world and trust that they will be motivated to fix it. The argument for releasing the information immediately is that hiding the vulnerability only helps the vendor's bottom line and the ability of "black hat" hackers to continue to use the exploit. Announcing it does mean that, in theory, less talented hackers will now be able to exploit the same "security hole", but it also allows users to work around the problem when possible, and it motivates the vendor to fix the problem now that their customers know about it. Since the license agreement for basically every piece of software indemnifies the vendor from any liability even if you should suffer an attack because of their software, the vendor really has no significant motivation to fix bugs until they are announced, at which point they must fix them in order to continue to sell the software.

This is all well and good; while various companies have on occasion attempted to sue someone for pointing out vulnerabilities in their systems, they are typically unsuccessful. However, pointing out vulnerabilities in national security is a significantly more dangerous thing to do, because the federal government can (and probably will) punish you for it. One brave man who has taken it upon himself to share a major vulnerability in our system of airline security is Christopher Soghoian, "a PhD student in the School of Informatics at Indiana University Bloomington" (as proclaimed by his webpage). Christopher wrote a Northwest Airlines Boarding Pass Generator and put it on his website for all to use.

This prompted Congressman Ed Markey (D-Mass) to immediately call for the young man's arrest. ABC News is covering the story, and provides the following quotations from Markey:

"The Bush administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane," wrote Rep. Edward Markey, D-Mass., a senior member of the Committee on Homeland Security, in a statement.

"There are enough loopholes at the backdoor of our passenger airplanes from not scanning cargo for bombs; we should not tolerate any new loopholes making it easier for terrorists to get into the front door of a plane," Markey wrote.

Now keep in mind, this is not a new loophole. Any schmuck can make a fake boarding pass, and here's how. I realize I'm taking a big risk by writing this - Markey could be calling for my arrest, next... but I'm willing to join Christopher in my own small way and take that risk. Of course, maybe no one will ever read this...

  1. Go to the Southwest Airlines website and buy a ticket.
  2. Instead of printing the ticket, save the webpage. (File -> Save As..., and save both HTML and images.)
  3. Open the HTML file in an HTML editor. If you're using the Mozilla SeaMonkey browser or something similar, you can replace this step and the previous step by invoking the editor from the file menu.
  4. Change the text where applicable.
  5. If there is text that is encoded in graphics form that needs to be changed, edit the graphic files in some editor. There are numerous free examples including paint.net (Windows) or The Gimp (Cross-Platform).
  6. Open the resulting HTML file, and print it.
  7. Repeat the editing steps as necessary to produce as many boarding passes as you need, to match your fake ID or what have you.

This is enough to get you through security, though not onto the plane, because the scanner at the plane itself verifies that your boarding pass is valid before you board. By the way, in between the time when I generated a fake pass for Osama Bin Laden (from the defaults - which generate a pass whose time is in the past) which I did immediately before starting this article, and this moment, the boarding pass generator has been removed from Christopher's page, leaving behind a 404. The link, however, is still on his page, and no explanation has been added there.

Below you will find the boarding pass image in question. Those who have flown Northwest Airlines recently will be more qualified than I am to judge whether or not it looks like the real thing:

[Image: Fake Boarding Pass for Osama]

The article also includes some tasty quotes from "Aviation expert" John Nance (also a long-time Good Morning America host, which is naturally a show on ABC) who doesn't seem to think that it's really all that bad:

"You or I can very easily go to an airline ticket counter, buy a refundable ticket for a particular flight, go through security, and come right out and sell it back," Nance said.

So why all the hubbub? Airport security is a pathetic joke anyway. Only a small percentage of travelers are "sniffed" for explosives residue, and we are meant to believe that being forced to take our laptops out of our bags and run them through the X-Ray machine separately is somehow going to enhance airline security. This is an unmitigated crock of shit. It is a complete triviality to disguise a bomb as a second battery, and they don't even make you turn the laptop on any more, so it could be the only battery.

My sincerest wishes go out to Christopher Soghoian for having the courage to do what so many of us have thought of doing.

I found this story on Slashdot in the first place, and I now leave you with what I consider to be the most insightful comment in the thread.


Re:Ummm. The First Amendment? (Score:4, Insightful)
by Tackhead (54550) on 10-27-06 15:36 (#16616578)

> The prosecutors would never file a criminal case, because it would be quickly thrown out on First Amendment grounds? Wouldn't it?

Much like the guy who looks at your boarding pass, you're trusting your life to something that's just a goddamn piece of paper.


Indeed.


Update 20061130: Chris is Free, but the government still doesn't "get" airline security. That, or they're not actually trying...
