Monday, December 25, 2006

Google prediction for 2007

Merry Christmas and such from Morocco.

I've been here for 10 days now - my 4th trip to this country, and it's starting to feel familiar again. The police officers with their hand-me-down uniforms that look as if they were given to them by their mothers with the plan that they'd grow into them. The languages, the smells, the utter confusion of figuring out what to do in a hammam.

We're now in Chefchaouen, and have been here for a week or so. It's beautiful, calm, but freezing cold. After a few days of unpleasantness, we've now located a hotel with a fireplace and have gotten ourselves some custom tailored heavy wool clothes. All is good.

With that out of the way, onto the main point of this post:

I saw the news regarding the announcement of Google Patent Search recently. This is extremely interesting, in that Google have been able to leverage their Book Search technology and used it to tap a large, useful database of information in the public domain.

The previous patent search website run by the USPTO & IBM was clunky and slow. From a strategic intelligence and search privacy perspective, this is a fantastic/scary move. Knowing which patents your competitors are looking at is very, very useful information.


Which brings me to my prediction. A fantastic public domain body of information that is currently held hostage by pay-as-you go companies: Legal Opinions/Cases... I predict that Google will leverage its Book Search infrastructure, and begin scanning case law/history documents from court houses around the country. WestLaw and LexisNexis aren't particularly well loved by their users, and without a doubt, the public would certainly benefit from having all this information online and easily searched.

This kind of thing has already been done by the folks at Project Posner, putting online all of Judge Posner's legal opinions. Now, it's just an issue of scale - which Google can certainly take care of.


Small Print: I'm no longer a Google Employee, and have absolutely no inside knowledge of any projects like this at Google.

Friday, December 08, 2006

Not (yet) on the no-fly list

I was rather worried after receiving that nasty letter that TSA would put me on the no-fly list. Well, after a long 24 hour journey, I'm now in Spain - and can happily confirm that I was able to pass through the airports without any problems.

I'll be here for a week or so, and then will be off to Morocco for 3 weeks of R&R. I highly doubt if I'll be blogging much during this next month - not at the advice of lawyers, but just simply because I'd rather not be using a computer during my holidays.

I'll update the blog once I get back, and have some TSA news to share.

Happy Holidays

Wednesday, December 06, 2006

An Early Christmas Gift from TSA

Dear Christopher,

We were slightly worried that you might spend Christmas relaxing and spending quality time with your family. We can't have that.

Thus, please enjoy the enclosed letter - we're quite confident that it'll occupy your thoughts for the next few weeks. Have fun mulling things over. We expect a reply from you by Christmas day.

Enjoy your holidays!

Love,

Your Friends at TSA.

P.S. We continue to ignore the existence of a different boarding pass generator, written by someone else and which has been online for the past month. It wasn't in the Washington Post, so our bosses haven't seen it yet. Phew!

P.P.S. We don't actually plan on fixing any of the underlying security problems. That'd be far too difficult. We may, however, switch from requiring Ziplock bags to Reynolds Wrap foil pouches for passengers' liquids. The idea of people constructing origami foil pouches in the security line has been making us crack up at the office, and we think it should do much to spread Christmas Cheer at the Airports.





Tuesday, November 28, 2006

Good news and bad news


The Good.


One of my lawyers flew into Indianapolis on Nov 14th and we met with two FBI cybercrime agents, as well as an assistant US Attorney. The short version of things is that they've stopped the investigation, due to a lack of evidence of criminal intent on my part. They've given me back my passports, my computers, and I'll be getting the rest of my stuff back shortly. Essentially, I'm a free man - with no charges filed. I've been represented by two amazing lawyers throughout this mess - Stephen Braga and Jennifer Granick. Without them - this would not have ended so quickly, or with such a fantastic outcome.

The Feds (at least those that I met) fundamentally disagree with me on many subjects - the role that researchers, academics, and common citizens take in studying, criticizing and pointing out the flaws in our security systems. I have been laying the groundwork for some Tor related research at Indiana University (pending approval from the University Counsel) - in fact, two of Tor's designers are visiting researchers at IU this year. It was made perfectly clear during the meeting that parts of the US government, at least the two represented at the meeting, strongly disapprove of Tor - and in particular, thought that research universities such as IU, MIT, Georgia Tech, Harvard and others have no business supporting such projects.

It is difficult for me to properly express how deep the divide was at this meeting - between the positions and opinions expressed by the feds, and the "common values" shared by most researchers in my field and those taught to me in university settings. However, in spite of this, after talking for a few hours, they came to understand that, although in my own way, I'm trying to work towards the same thing as them: A safer flying experience.

Also - my lawyers tell me that it's now OK to do interviews.


The Bad.



The forced take down of my website a few weeks ago has not improved airport security. The bigger and more interesting question is whether putting the site up in the first place made airport security any more vulnerable.

There are currently multiple goals of the airport security system in the US.

1. Make sure there are no weapons/bombs on-board an airplane.
2. Make sure that the people who 'should not' be flying do not get on airplanes.

Goal number one is easy enough:

TSA representatives have stated multiple times since my boarding pass generator went live that passengers are not placed at any additional risk when fake boarding passes are used. This is true. As long as the TSA checkpoint staff do their jobs, then evil-doers should not be able to bring bad things on-board. Recent reports seem to indicate that TSA is having a bit of trouble with their screening process, but at least for this discussion, let us imagine a world where TSA is able to actually stop every single knife, gun, binary chemical explosive device and box cutter from being smuggled on-board.

Goal number two - the no-fly list - is problematic for a number of reasons.

1. Terrorists do not pre-register themselves before committing their crimes. There are no repeat offender suicide bombers - and thus it should not be too difficult for terrorist organizations to recruit people with clean criminal records.

2. Terrorists evolve to avoid detection. If ethnic profiling is used, they recruit from local mainstream, or less-suspected ethnic groups (for example, the Jamaican/British "shoe bomber" and then the use of British born, south Asian Muslims in the London attacks). When gender profiling is used, women are recruited (see: Palestine, Sri Lanka, Chechnya). If we rely upon a watch list to find terrorists, they'll conduct 'dry runs' before the real event, to figure out who will be forbidden from participating in the real attack itself. The futility of using ethnic profiling to detect terrorists has been discussed at length by researchers from MIT, where they prove that random searches are far more effective.

3. You can legally refuse to show ID at the airport. They will let you board the plane, without a single piece of ID.

4. The implementation of the no-fly and mandatory-selectee lists is flawed, secretive and in no way transparent. Senator Ted Kennedy was put on the list for a while, as was Cat Stevens; the wife of the Senator made famous for stating that the "Internet is a series of tubes" has been repeatedly delayed at airports, due to the fact that she shares a name with the now-Muslim singer; and any passenger named Robert Johnson or John Smith is severely inconvenienced when they fly. Yet, at the same time, the 9/11 hijackers, all of whom are dead, are still on the list, while the names of the London liquid bombers were not placed on the list - due to the chance a boarding denial at the airport could tip them off to the fact that they were under investigation.


What to do with the no-fly list?



We, as a nation, must decide a few things. If we want no-fly, and mandatory search lists, we have to decide how effective we want them to be.

If we want to bar those who are on the no-fly list from boarding a plane, we must institute checks of ID at the gate. Airport staff, or TSA agents with access to the airlines' computers, must be able to scan a boarding pass, look at the name on the computer, and see that it matches the name on the passenger's ID. Looking at the printed boarding pass is not enough - the name in the reservation system must be verified and matched. This will, of course, cost money - as someone will have to be paid to perform this check.

If we want to bar those no-fly list passengers from boarding the plane and from getting into the 'secure' area past the TSA checkpoint, then the TSA must be able to match the boarding pass and ID to a computer reservation at the security checkpoint. This would require barcode scanners/ticket readers at the checkpoint. Furthermore, TSA would either need to find a way to interface with every airline's computer systems, or the airlines would need to get together, publish the data, and agree upon a common, computer readable and verifiable standard for boarding passes (Hint: this is where a bit of government guidance/regulation could be useful).

Each of these two computer based boarding pass/ID checks would make impossible the current and widely reported airport security vulnerability, which has been documented at length on Senator Schumer's website.
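An added example (not part of the original post, and not any airline's or TSA's actual system) of the checkpoint check described above: the pass carries an authentication tag over its fields, and the checkpoint verifies the tag, looks the booking up in the reservation data, and compares both against the ID. The key, field names, reservation table and passenger names are constructed assumptions; HMAC stands in for the public-key signature a real standard would more likely use.

```python
import hashlib
import hmac

# Constructed demo key. Assumption: a real scheme would use public-key
# signatures so checkpoint devices can verify passes but cannot mint them.
AIRLINE_KEY = b"constructed-demo-key-not-a-real-secret"

# Fields bound by the tag; changing any of them invalidates the pass.
SIGNED_FIELDS = ("name", "record_locator", "flight", "date")


def normalize(value):
    """Case- and whitespace-insensitive form used for signing and comparing."""
    return " ".join(value.upper().split())


def canonical_bytes(fields):
    """Length-prefix every field so bytes cannot slide between fields."""
    out = b""
    for key in SIGNED_FIELDS:
        raw = normalize(fields[key]).encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def issue_pass(fields, key=AIRLINE_KEY):
    """Airline side: return the pass fields plus an authentication tag."""
    tag = hmac.new(key, canonical_bytes(fields), hashlib.sha256).hexdigest()
    return {**{k: fields[k] for k in SIGNED_FIELDS}, "tag": tag}


def check_at_checkpoint(boarding_pass, id_name, reservations, key=AIRLINE_KEY):
    """Checkpoint side: return "ok" or the reason the passenger is stopped."""
    try:
        expected = hmac.new(
            key, canonical_bytes(boarding_pass), hashlib.sha256
        ).hexdigest()
        presented = boarding_pass["tag"]
    except (KeyError, AttributeError, TypeError, OverflowError):
        return "malformed"
    if not isinstance(presented, str) or not presented.isascii():
        return "malformed"
    # 1. Tamper evidence: an edited printout no longer matches its tag.
    if not hmac.compare_digest(expected, presented.lower()):
        return "tampered"
    # 2. The booking must exist in the reservation data, under this name.
    booked = reservations.get(normalize(boarding_pass["record_locator"]))
    if booked is None:
        return "no_reservation"
    if normalize(booked) != normalize(boarding_pass["name"]):
        return "reservation_mismatch"
    # 3. Only now is comparing the pass against the ID meaningful.
    if normalize(id_name) != normalize(boarding_pass["name"]):
        return "id_mismatch"
    return "ok"


# Constructed sample data.
RESERVATIONS = {"ABC123": "ALEX EXAMPLE"}
GENUINE = issue_pass({
    "name": "Alex Example",
    "record_locator": "ABC123",
    "flight": "XX100",
    "date": "2006-10-19",
})
# The printout with only the visible name changed; the tag is unchanged.
EDITED = {**GENUINE, "name": "Sam Sample"}

if __name__ == "__main__":
    print(check_at_checkpoint(GENUINE, "Alex Example", RESERVATIONS))
    print(check_at_checkpoint(EDITED, "Sam Sample", RESERVATIONS))
    print(check_at_checkpoint(GENUINE, "Sam Sample", RESERVATIONS))
```

A name-only comparison between paper and ID would have accepted the edited pass; here it fails at the first step, before the ID is even considered.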

Let us imagine that the government rolls out computer boarding pass checks at the TSA checkpoint. One problem remains: You can fly without ID. You can either refuse to show ID, citing a right affirmed by the US appeals court, or tell the TSA staff that you've forgotten your ID. Sure, you will be subjected to a more vigorous search - but if your aim is to bypass the no-fly list (and not to sneak a weapon past security), then you'll have succeeded in your goal.

The domestic no-fly list and the ability to fly without ID simply cannot co-exist. The former is made completely useless by the latter. If we want to have a no-fly list, we must require ID to be shown. Otherwise, a passenger simply purchases a ticket in a fake name, refuses to show ID at the checkpoint, and then can successfully board the plane.

As things stand right now, checking ID at the security checkpoint does nothing to stop people who are on the no-fly list from actually flying. It merely inconveniences regular passengers who play by the rules. A security system that "keeps the honest honest" doesn't work when the attackers you're worried about are intelligent, well funded and willing to kill themselves to get the job done. The question of forcing passengers to show ID for domestic flights is one that is currently working its way up to the US Supreme Court. This issue, and a larger discussion surrounding the no-fly list should be publicly debated by Congress and in the newspapers. The ability, right now, to fly without ID creates a gigantic loophole in a no-fly list that arguably wasn't doing so well to begin with. We need to figure out, as a nation where the majority of people do not support a national ID, if we want a no-fly list in the first place and if we are willing to be forced to present our papers when we want to fly/ride a train/get on a greyhound bus. How many 4-year old children, and countless John Smiths and Robert Johnsons are we willing to let the government search and inconvenience in the name of "security"?

Takedown orders

After a significant delay (which I apologize for), I am putting the takedown order that TSA sent to me online. The main reason I'm posting this is to aid legal scholars, and the online community in general. I believe that I'm the first person who has ever had TSA force them to take a website down. This is interesting enough in itself to warrant further investigation by people who know the law.

Interestingly enough, the guy who signed it, Rich Adams, is the same person who I spoke to at TSA a few months back when I asked to see the policies regarding when a passenger can refuse to go through the air puffer machines (which he denied me, as the rules are Sensitive Security Information - i.e. a secret law that we have to trust they are implementing and enforcing correctly). More info on that conversation can be found here.



Monday, October 30, 2006

No real news

My inbox has been flooded with emails of support, encouragement and best wishes from friends, family and people from around the world. The paypal legal defense fund is doing pretty well - and thus I thank everyone who has donated to the fund.

While the university's legal team have said they won't protect me - the professors/students here at IU have been amazingly supportive, esp. those in my department and my adviser in particular.

Members of the press: I really can't comment right now. Even if you send me an email saying you're on my side, I still can't comment. I urge you to read this blog going back for the last week or so, and top-notch coverage by places like Wired News and BoingBoing.

However, I can at least tell you that my last name is pronounced Soh-Goy-An.

Sunday, October 29, 2006

A bit of good news

Markey announced his change of heart Sunday morning in a press release:

On Friday I urged the Bush Administration to ‘apprehend’ and shut down whoever had created a new website that enabled persons without a plane ticket to easily fake a boarding pass and use it to clear security, gain access to the boarding area and potentially to the cabin of a passenger plane. Subsequently I learned that the person responsible was a student at Indiana University, Christopher Soghoian, who intended no harm but, rather, intended to provide a public service by warning that this long-standing loophole could be easily exploited. The website has now apparently been shut down.

Under the circumstances, any legal consequences for this student must take into account his intent to perform a public service, to publicize a problem as a way of getting it fixed. He picked a lousy way of doing it, but he should not go to jail for his bad judgment. Better yet, the Department of Homeland Security should put him to work showing public officials how easily our security can be compromised.

It remains a fact that fake boarding passes can be easily created and the integration of terrorist watch lists with boarding security is still woefully inadequate. The best outcome of Mr. Soghoian’s ill-considered demonstration would be for the Department of Homeland Security to close these loopholes immediately.


More here

A couple things

For those of you who do not want/cannot interact with Paypal, donations to the legal defense fund can also be sent to:

Christopher Soghoian
School of Informatics
Indiana University
901 E 10th St
Bloomington, Indiana 47408
USA

Please put my name as payable to.

The legal advice I've gotten thus far has been to not talk to the press for now.














Saturday, October 28, 2006

FBI Visit #2



I didn't sleep at home last night. It's fair to say I was rather shaken up.

I came back today, to find the glass on the front door smashed.

Inside, is a rather ransacked home, a search warrant taped to my kitchen table, a total absence of computers - and various other important things. I have no idea what time they actually performed the search, but the warrant was approved at 2AM. I'm sincerely glad I wasn't in bed when they raided the house. That would have been even more scary.

I'm trying to maintain a semi-normal life. I have grad-student work to do - and a conference deadline of Nov 20th for a paper I'm working on.

Legal Defense Fund

I'm still waiting for callbacks from potential pro-bono lawyers.

However, this could very well turn out to be an extremely expensive experience. I'm a grad student, and the university has been very straightforward about the fact that they won't cover my legal bills, or protect me themselves.

Thus, I've thrown together a Legal Defense Fund via Paypal. Any money donated will go towards my legal costs - and if for some reason, I come out of this unscathed and with remaining funds in the account - I'll donate it all to the EFF, or some other pro privacy/freedom group.

(Broken paypal link fixed. Thanks for the feedback!)

Also: There's now a "Keep Chris out of Jail" facebook group.












Friday, October 27, 2006

Post FBI Visit

The FBI visited.

They handed me a written order to remove the boarding pass generator. By the time we were somewhere with internet access, the website had already been taken down.

I am now safe (and no longer with the FBI).

Still trying to find a lawyer.....

Edit:

If you want to help, a good start would be to email Congressman Markey - who initially called for my arrest.

FBI at the Door

The FBI are at the door.

Off to chat.

Congressman calls for my arrest

As reported by Wired News and ABC News:

"The Bush Administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane," Markey said in a statement. "There are enough loopholes at the backdoor of our passenger airplanes from not scanning cargo for bombs; we should not tolerate any new loopholes making it easier for terrorists to get into the front door of a plane."

In addition to calling for my arrest, the congressman may want to call for the arrest of Senator Schumer (D-NY). In April of this year, he posted rather detailed instructions for the exact same attack. See: here. Sure, he didn't produce a php script that'd do it for you, but he provided detailed enough instructions that a terrorist or evil-doer with basic computer skills could do it.

Perhaps he'll be my cell-mate.

In all seriousness, Indiana University's legal team have essentially said I'm on my own. Thus, if this issue becomes serious, and the feds knock at my door, any offers of pro-bono legal assistance would be much appreciated.

Also - just for the record: I have not flown, or even attempted to enter the airport with one of these fake boarding passes. I haven't even printed one out. All I have done is create a php script, which highlights a security hole made public by others before me.

Wednesday, October 25, 2006

Airport (in)security for the masses

I realized today that editing HTML, while easy enough for a geek, is still far too difficult for the population at large.

And thus, I now present: Chris's Northwest Airlines Boarding Pass Generator

Using this, you can:

1. Meet your elderly grandparents at the gate
2. 'Upgrade' yourself once on the airplane - by printing another boarding pass for a ticket you've already purchased, only this time, in Business Class.
3. Demonstrate that the TSA Boarding Pass/ID check is useless.

Have fun!

Monday, October 23, 2006

A few useful applescripts

I sat next to Paul Syverson at the WESII workshop in Washington DC today.

During a discussion of Firefox/Safari, he remarked that it'd be really neat if something like Tor Button existed for the Safari Web browser (which instead of using its own proxy settings relies upon the OS's settings).

An hour later, and after a bit of hackery, I present the following:

A script that toggles the proxy settings in Mac OSX (Tiger) on/off for Tor:
As a script and As an application that you can double-click on.

There's also a very useful script available elsewhere which will start Safari in private browsing mode by default.

One item of frustration is that to get any of the scripts to work, you must set the "Enable access for assistive devices" feature in the "Universal Access" system preference. Without this, nothing will work.

This appears to be a reasonably valid security preference in the OS. Without this option, scripts cannot control various elements of the user-interface.

Friday, October 20, 2006

Bumped 3x in 2 days

When I flew out of Indianapolis a month ago, I was told that there was no way for me to opt out of the air puffer machine used at the airport - as I was an SSSS (secondary screening selectee) due to not showing any ID.

Well, the security line at Indianapolis on Thursday was freakishly long, and although I had already made my mind up to be a good boy and follow the rules earlier in the morning, I changed my mind when I saw the line.

The airline gave me a special no-id boarding pass, and thus I was able to bypass the entire security line, and go straight through the special selectee line. W00t!

Much to my pleasant surprise, this time, no one batted an eyelid when I declined to go through the air puffer machine. I'm not sure if they have changed their policies, have new staff who do not know the rules, or I was lied to before. But I'll be calling TSA up when I get back to Indiana next week.

In other news - my flight to DC was oversold, and so I gave up my seat - and flew into DC 3 hours later. In exchange for suffering this delay, I was given a free round-trip ticket anywhere in the US on Northwest.

Today, sitting at Baltimore airport with my girlfriend, we gave up our seats once, and are waiting for the next flight - which is also looking oversold. If it works out, we'll get 2 free round-trip tickets each (we have one each already from the first flight today).

Which will mean 3 free round trip tickets earned in 2 days of airport shenanigans.

For those stuck in airports:

Northwest has free wireless access in their lounges. Sit outside and you can mooch signal.

United/US airways has t-mobile wifi in their lounges, and you can sign up for a free 30 day trial using this link: https://selfcare.hotspot.t-mobile.com/accountcreate/ExternalSetPromotionCode.do?promo=KD1MTH105

It makes the time just fly by.

Wednesday, October 18, 2006

Paging Osama, please meet your party at the Information Desk

[Ed: The technique outlined in this blog post was also documented by a journalist at Slate last year. See: http://www.slate.com/id/2113157/

The only way for these kinds of problems to get fixed is through public full disclosure. TSA/DHS cannot be expected to fix anything unless they are publicly shamed into doing so.]



Shortly after 9/11, the airlines introduced a very reasonable security check (amongst a bunch of other stupid ones): They started checking ID at the gate.

It's really important to note why this is good. You see, when they scan your boarding pass, the screen will either beep yes, to tell them it's valid, or beep no, and tell them that it's a bogus pass. They'll be able to look on their terminal, see the name attached to the booking reference, and check it against the ID in front of them (ok, they rarely did this, and instead checked the name on the boarding pass - but at least they had the potential to do it correctly).

However, checking the ID of 300 passengers when you're trying to fill up an airplane can lead to considerable delays, and thus, once the hysteria of a few terrorists armed with exacto blades had calmed down, the airlines did away with this requirement, and instead offloaded it to TSA.

Herein lies the problem: TSA doesn't have access to the Airline's computer systems. Thus, they have no real way of knowing if a boarding pass is real or not. All they can do is verify that the name on the piece of paper (which may or may not be a boarding pass) matches the ID they have been given.

This situation is made even worse when you consider the fact that you can print your own boarding pass online at home. This is often a bunch of text/html, with one or two images (a barcode, and perhaps an airline logo). It is trivially easy - as in, 20 seconds with a text-editor, and not even requiring you to open photoshop - to open it up, and change the name.

And thus, I introduce a perfectly valid method for a terrorist - known to the government, and already on the domestic no fly list, to board a US commercial flight.

Step 1. Purchase an airplane ticket in the name of "George P. Watkins"
Step 2. Check-in online the night before, and print out your boarding pass online.
Step 3. Save as HTML, edit the boarding pass code, and change it to your real name "Ali Terrorist"
Step 4. Print both boarding passes - the one which lists your real name, and the one with the name that the ticket was actually purchased under.

Step 5. Go to the airport the next day with both boarding passes.

Step 6. Present your real drivers license and modified boarding pass to the TSA checkpoint officers. Note that as they do not have access to a computer, they cannot check you against the no fly list, nor can they even verify that the name on the piece of paper matches the booking in the airline's reservation system.

Step 7. Clear security (after being frisked 5 times for looking middle eastern)

Step 8. Wait patiently at the checkin-counter, and when the gate agent announces that it is time to board:

Step 9. Hand her the original boarding pass (with the fake name), which should scan perfectly, and should she even look at the computer, she'll see that the name on her screen matches the name on the boarding pass. She won't ask you for ID (as TSA already performed that task), and thus will let you on the plane.

Step 10. Board the plane, and do whatever nasty stuff you intend to do.

This is insanely easy, and unfortunately, will work.

The reasons for this massive security hole:

1. TSA agents cannot verify the authenticity of boarding passes.
2. TSA agents cannot access the airline's reservation systems, nor do an on-the-spot lookup of the ID presented to them against the no-fly-list.
3. Boarding passes are not tamper evident. One can easily edit them at home.

And just for fun, I thought I'd show off the modified boarding pass for my flight tomorrow. Of course, I won't be using this, as it'd guarantee me a one-way ticket straight to Gitmo. (Habeas Corpus not included):

Tuesday, October 17, 2006

Priceline mistake/Defcon 07

I'm a member of the flyertalk community - one of the largest online forums, and -the- place to go if you want to find out about flight/hotel deals. Due to knowledge gained there, I've flown free to Asia the last two times, to Europe last summer, to Guatemala next month, and to Morocco this xmas. It's unlikely I'll be paying for international travel anytime soon.

In any case, this morning, someone posted information about a priceline mistake. Caesar's Palace in Las Vegas, for $20 per night. It seems to be a clear decimal point error (the weekend night price should be $200 per night).

With only a $25 cancellation fee, it seemed like a no brainer to go ahead, and book a 3 night stay in August 07 for Defcon.

Caesar's Palace, here I come!

(more info on the price mistake available here: http://www.flyertalk.com/forum/showthread.php?t=613722)

Wednesday, October 11, 2006

Boycott the Mozilla Corp.

[Editor's note - This post was written by Chris Soghoian, the PhD student, and in no way reflects the opinions, thoughts, or policy of any of my sponsors/employers]

Firefox is now distributed by the Mozilla Corp - a for profit corporation, who, while supporting the open source development of the browser, has recently been flexing a bit of muscle.

In particular, their lawyers want linux distributions to start submitting patches to them for approval before they can be rolled out to their customer base. For critical things like security updates, this is just not possible. Distros want to roll out patches as soon as possible, and waiting for the Firefox team to OK something is just not possible.

Note, that no other open source project has tried to implement such a requirement. The Mozilla/Firefox guys are unique in this.

And essentially, what they've done is told the Debian team to fall in line (as Redhat and Novell have done), or to stop using the Firefox name and logos.

More info on this is available here http://lwn.net/Articles/200857/

Now, one interesting thing is that the Mozilla Corp makes millions of dollars per year through the google search bar in the top right hand corner of the browser. In fact, so does Apple through its Safari browser.

If you go to www.google.com, and then enter in the search, Mozilla earns nothing at all. If you use their search bar, they make a couple cents (I have no direct knowledge of the actual numbers, but they get something - and it adds up to millions of dollars when spread across all those users). This fact is public knowledge, and has been mentioned in many places:

http://news.zdnet.com/2100-9588_22-6048377.html

http://www.calacanis.com/2006/03/06/firefox-mozilla-corporation-mozilla-foundation-made-72m-last/

http://www.scroogle.org/mozilla.html

http://www.techweb.com/wire/software/181501750

Now, I'm far too lazy to start going to google's homepage when I search.

So, instead, I whipped up a custom search engine for Firefox.

Simply go to this webpage http://www.dubfire.net/ffirefox, and you'll be prompted to install a new search engine for your search bar. The only difference between this custom one and the one that ships with Firefox, is that it won't identify itself to Google as coming from the Firefox toolbar. It'll look like any other search going to Google. And thus the Mozilla corp will be denied my one or two cents per search.

Sure, I like firefox. It's a great product, and far better than IE. However, it's an open sourced product, and I don't approve of them taking advantage of free community resources, debugging and code-contributions only to point their evil lawyers at Debian.

So, suck it Mozilla Corp.

Sunday, October 08, 2006

Knives on a ********** plane

Last year, while travelling on Air Deccan, a low-cost airline in India, I carried a pocket knife onboard the airplane.... The story is far more interesting than that summary alone, and I highly recommend you read the full writeup here:

http://slightparanoia.blogspot.com/2006/02/chennaiport-blair.html


The photographic evidence of the event is here:

A knife on the plane:
http://www.flickr.com/photos/csoghoian/120651089/

Sealing the locks to prove that they haven't been tampered with:
http://www.flickr.com/photos/csoghoian/120650920/

However, that was India - and this is America... land of the free, home of the brave - and more importantly, home of TSA - who is supposed to be protecting you from big bad terrorists.

It's common knowledge that a tiny fraction of the checked luggage (which is just a few feet below the passengers in the airplane's hold) is actually x-rayed.

On top of that, it's also common knowledge that the airlines only perform passenger matching on bags for one airplane trips: i.e. if you don't get on the airplane on a trip from Indy->DC, then they pull your bag off at the last minute. However, if you get on the airplane from Indy->DC, and then leave the airport instead of getting on your connecting flight from DC->San Francisco, they let the bag go on the next flight. A terrorist would simply put a timed bomb in their bag, and have it explode during the second flight.

However, let's ignore those facts for now.. and focus on what TSA is supposed to be good at... keeping liquids, nail clippers, and weapons out of the airplane cabin.

My girlfriend visited me this weekend, and accidentally left a sharp paring knife in her carry-on bag.. both ways (i.e. DC->Indy, and Indy->DC). It was only once she got back to DC this evening that she realized what happened.

And guess what... TSA didn't notice at all.

For the record, as much of a troublemaker as I am, my girlfriend wasn't trying to test TSA. She is a law-abiding citizen, and simply overlooked the knife in the rush to pack her (messy) bag for her flight....

The evidence is here:

http://www.flickr.com/photos/katmandoo/264556078/

Friday, October 06, 2006

TSA followup

Mr Harris, the TSA person whose business card I had been given, never got back to me. Thus, after waiting 2 weeks, I decided to go ahead and contact his boss. This afternoon, I had a telephone conversation with Rich Adams, the Assistant Federal Security Director for Law Enforcement at TSA's Indianapolis Airport office.

The main points of the conversation were as follows:

TSA has many different configurations of checkpoints. At the gate/terminal that I went through, they have designed a special streamlined channel for SSSS (secondary screening passengers) to go through. They do not have enough physical space to allow for these SSSS people to opt for a manual pat down.

Other airports/terminals, where the SSSS people go through the same lines as everyone else may have more space, and thus, may allow people to opt out of being puffed by the creepy Smiths/GE entryscan machines.

The highlight of the conversation, for me, was after this:

Him: (the above bit of text, telling me why I could not decline to get puffered at this checkpoint if I was designated SSSS).

Me: Could you please send me that in writing, and include a copy of the specific regulation or law which documents and backs up that policy.

Him: No. It's classified as SSI (Sensitive Security Information).

Me: What? That doesn't seem fair. You're forcing me to follow a rule or law yet are not permitting me to see the text of the law. How can I know if your employees are following it properly?

Him: For security reasons, we do not allow this information to be made public.

Me: Have you heard of the book Catch 22 by Joseph Heller?

Him: Yes

Me: Does this not seem a bit similar, or perhaps, alternatively, to something by Kafka?

Him: *losing patience - he then reminds me of the TSA mission of keeping us safe, and that his employees are not out to hinder our "god given" rights*


I also complained about having to go up to 2 levels of supervisor to be able to take sex lube on the plane - even though this was listed as an acceptable item on their website.

He didn't seem to have any problems with this, and essentially said that they were always doing their best to educate their staff members, and that me pulling 2 supervisors over was a normal part of the security screening process.

Quite a fun conversation, I'd say.

Remember Kids: You're either with us, or are helping the terrorists.

Tuesday, October 03, 2006

A dystopian view of personal Tivos

At some point not too long into the future, we'll have personal recorders for our lives. The first versions will record all the audio we hear, and later, as storage/cpu becomes cheap, they'll start to record video too.

The killer technology that'll enable this will be speech recognition tech that actually works.

You'll carry this device on your person, it'll record all of the conversations that you participate in, will convert those to text which you'll then be able to easily search later.

This will solve that ever annoying problem of not being able to quite remember what so-and-so told you the other day. You'll just need to remember a couple of the words from the conversation and will easily be able to go back and locate the conversation...

The other obvious benefit to this will be that you'll be able to easily figure out which song you heard on the radio, coming out of someone's car, or that you danced to in the Club. Song recognition technology is already out there, and so it's quite easy to imagine that this'd be rolled into such a device.

Due to the need to turn this info into searchable text, you're going to need to upload it somewhere for processing. It'll either be uploaded in real time over wireless/cellular networks, or maybe you'll dock the device at the end of your day for processing. Either way, it doesn't really matter for the purposes of this blog post.

Now, consider the fact that pretty much everyone has a cellphone on them. Cellphones all include GPS chips now - for E911 reasons (although, it's interesting to note that the ever-present greed of the cellphone companies is the main barrier to us having access to this GPS data right now. They want to make a buck each time you use this data to interact with a merchant).

And herein lies the problem. Consider the following scenario:

A crime occurs. The police contact the phone companies and get a list of everyone who was nearby to the crime when it happened (which they're able to get via the GPS/cell tower log data). Now, the feds demand that each person hand over the audio/video data from their personal Tivos so that they can piece together information on the crime.

This seems like a great idea. Right? Except when you consider the fact that large portions of society do not like the Police (this is due to many reasons - racial profiling, past abuses by the police, drug war overzealousness, etc).

If you witness a crime right now, it is quite easy for you to tell the police that you don't remember seeing anything. The real memories are your own, and so you have solid control over who you share these with.

Fast forward to the digital age of the personal Tivo - and suddenly, you do not have the right to keep this information from the police anymore.

Remember that you can only plead the 5th if you risk incriminating yourself. If you are incriminating someone else, you have no right to stay silent, nor keep your data to yourself.

Encryption - the magic pixie dust that has solved so many of the Security World's problems thus far, fails us... because the police can compel you to disclose your keys.

There are systems in place (StegFS, The Rubberhose filesystem) which aim to protect you against Rubber Hose Attacks (i.e. you being beaten by a CIA interrogator until you disclose your personal data). They work by essentially allowing you to say "I don't have any data on the disk"... Or by allowing you to have multiple encrypted files, one encrypted with your "real" key, and the other with a key which you give to the police when asked..

However, in the case of the personal tivo - through the GPS records that the Feds will gain from the phone companies, the police will know exactly where you are and when. Thus, if you give them bogus data, and they know you were walking past the Clocktower at noon - and your Tivo data does not have a clock chiming noon, they'll know you've given them false data.

Thus, we have an even more extreme form of the rubberhose attack. How do you protect your data from the police when they can 1. compel you to give it to them, and 2. have a fair idea of at least some portion of the data on your disk? They can use what they know to verify if the data you later give them is in fact real.

It's a puzzling problem - and it's going to become real.... It's just a matter of time.

How do we solve this problem? I have no idea.

Tuesday, September 26, 2006

TSA = arbitrary rules

When you're pulled over by a Police Officer for speeding, things are fairly cut and dry. He tells you you're speeding, and if you have any questions as to why this is a problem, he can cite the specific local/state laws which prohibit the type of behavior/speeds that you were engaged in.

When you're ordered to do something by TSA, or worse, told that you're breaking the rules, you're in rough shape. Mainly because most of their rules are secret. As amusing as it was to test the TSA screening rules against a bottle of sex lube, I was at least lucky enough to be testing a rule which they post on their website.

Their rules for who must or need not show ID, or who can decline to go through puffer machines (and if so, what they must submit to in exchange for this) are all covered by secret rules that the TSA keep to themselves. TSA deems these "Secret Security Directives" and as such, is not required to share these with the public. Even though you are forced to submit yourself to these rules, and in spite of the fact that the TSA employees cite the rules when telling you what to do, you have no way of keeping them in check.

Checks and balances are extremely important. Without them, we become victims of those who abuse their powers. One day, they enforce the rules, the next day, they don't. They can pick and choose who to enforce them against (i.e. males with darker skin, those who don't shave, or anyone with a foreign sounding name).

I've sent an email to Rene Harris of the Indianapolis TSA office to seek clarification for their seemingly arbitrary rules regarding who can and cannot opt out of the puffer machines. Esp. after successfully avoiding them at DCA, it'll be very interesting to see what he says.

Washington National TSA experience

I assumed that security would be even tighter at Washington National (DCA), what with it being in the Nation's Capital, home to half of the 9/11 attacks, etc...

Having learned from my mistakes last week, I walked up to the Northwest desk with the boarding pass issued to me by the easy-checkin machine, and asked them to print me up a new one marked "SSSS" as I did not have ID. After verbally confirming that I was without ID, the agent printed me out a new pass.

Next stop: The TSA Checkpoint.

The contractor manning the pre-checkpoint security station received the news rather well (Note: "I don't have ID" works far better than "I am invoking my court-recognized right not to show ID", esp. for 8 dollar an hour security folks who don't want their jobs made more difficult). She wrote the words "NO ID" in very large red letters on my boarding pass, and shoo'ed me into the checkpoint line.

Alas, at DCA, selectees/terrorists-to-be must stand in the same lines as everyone else, and so I didn't get rushed to the front as at Indianapolis.

DCA, at least at the domestic Northwest checkpoint, has 2 lines. One line with just an x-ray/metal detector, and another with a High Tech "Smiths" creepy puffer machine.
As opposed to other airports where you are randomly selected for the puffer machine, at this airport, everyone going through the sole-xray line is spared the puffer treatment, and everyone unfortunate enough to think that the puffer line is shorter is subjected to a few blasts of air.

I approached the guy manning the Smiths machine - handed him my boarding pass (clearly marked "SSSS" and "NO ID"), and explained that I did not want to go through the puffer machine, and that I was happy to undergo additional screening.

2 supervisors later, after carefully explaining to me that by not going through the Smiths machine, they would be looking at every individual item in my carry-on bag, they let me skip it.

Success. Thus, while Indianapolis airport's TSA folks insisted that I go through the puffer machine, the folks at DCA let me skip it after speaking to a supervisor.

The rest of the story is the same as Wednesday for the most part. Again, they tried to take away my sex lube, and yet again, I had to pull over a supervisor and remind her of what the TSA website states.

Other than that, I yet again made it onto an airplane without showing a single piece of ID, and the entire search/TSA experience didn't take more than 15 minutes.

Friday, September 22, 2006

TSA Love

I flew from Indianapolis to Washington DC yesterday. Given that my flight was pretty early in the afternoon, and with a fairly free schedule, I figured I'd take John Gilmore up on the public challenge he issued earlier in the summer, and try to fly without my ID.

I arrived at Indy airport at 4:30ish, walked straight to the computer-easy-checkin machine that Northwest had at the curbside, inserted my credit card, selected my seats, and then promptly received my boarding pass. A friendly Northwest employee assisted me with the touch-screen which needed to be pressed rather firmly, but didn't ask for any ID.

Score. With my boarding pass in hand, I walked to the security checkpoint for the northwest terminal.

However, before I could get to TSA, I had to pass the 3rd party contractors who check ID/boarding passes. I walked up to a friendly 70 year old woman with a uniform on, gave her my boarding pass, and told her that I was declining to show ID. I didn't want to make her life too difficult, and asked her if I could speak to one of the TSA officers.

It seems that these guys are paid by the airlines, and not TSA - and as such, their responsibility is to the airline paying them. She had been told not to let people past without an ID, or a boarding pass stating that they didn't have an ID, and so she walked me to the Northwest checkin counter.

There, I spoke to their head supervisor. I explained what I was doing, that I was exercising my right to not show ID, and that I would be happy to undergo secondary screening. She was really nice, and told me that in the future, I should just tell them I had forgotten my ID (as there are standard procedures to deal with this). She had one of her employees print me up a new boarding pass which clearly listed me as "SSSS" - which is their lingo for Secondary Screening Selectee.

Armed with this new boarding pass, I was ushered into a special line at the TSA checkpoint, allowing me to bypass all the other people in line. Not bad! As I approached the x-ray machine, the words "We have a number 2 coming" were echoed down the line of TSA employees. It seems that SSSS = Number two.

In general, I tend to refuse to be screened by the fancy GE entryscan machines - the high tech gadgets that shoot air at you, and then analyze the particles which it dislodges. They freak me out, and I consider them an intrusion into my private space. After all, you never know what they're checking for, in addition to bomb making chemicals.

I declined to go through the easyscan machine as normal, and was mid-way through being hand-searched by a TSA guy with a hand-held metal detector when a supervisor came over, and informed me that as an SSSS selectee, I didn't have the right to decline the GE air-shooting machine. I could either submit to a search by the machine, or I could not fly. If I had any objection to this choice, he would be happy to summon a police officer who could explain it to me.

I could easily see that this could turn nasty, so I took down his name, got the business card of the TSA customer service person assigned to Indy airport, and consented to the creepy air-blast search.

Once that was done, they moved on to searching my bags...

The only thing worth mentioning, is that I had brought a bottle of personal lubricant (i.e. KY Jelly) - after seeing it on the TSA website as one of the medical necessity liquid items that you're allowed to bring.

During the rather extensive search of my bag, they of course found this.

The exchange went something like this:

TSA screener: You can't have this sir.
Me: I checked the TSA website, it says I can have 4.0oz of KY. That's 3.8. It's allowed.
TSA screener: I'm sorry sir, no liquids.
Me: Please get your supervisor.

The supervisor arrives..

Me: I checked your website, and this is on the list of approved items.
TSA Supervisor 1: No. You are not allowed to take it onboard.
Me: But the website....
TSA Supervisor 1: The sign over there says no liquids. That means no liquids.
Me: Can I speak to your supervisor?

Finally, a 2nd supervisor arrives:

Me: I checked your website. It clearly states I can have this. Why am I being forbidden from taking it on?
TSA Supervisor 2: That is for items of medical necessity like Preparation H.
TSA Supervisor 2: What medical necessity do you have that you need KY on board?
Me: Are you a doctor? Are you qualified to decide what is and isn't a medical necessity. It's on the website as approved.
TSA Supervisor 2 grumbles and then instructs the junior officer to test the KY for bomb-materials and then let it through.

Success!

In the end, the screening process took about 10 minutes - it was quite interesting to see them all at work. I successfully boarded an airplane without showing a single piece of ID to anyone at the airport, and managed to get a bottle of sex lube onto the plane without TSA taking it away.

I've emailed the TSA customer service rep to get a clarification on the SSSS/mandatory air-blast test issue, and to also find out why all of the TSA staff members are not aware of the list of approved liquids.. I'll update the blog once I hear back.

Wednesday, September 06, 2006

Facebook fun

Now that I'm a student again, it's time to join the masses and start playing with facebook.

I'll leave it to plenty of other people out there to point out how insane it is that people post rather important information on themselves. For fun, do a quick search for people between the age of 18-20 who list beer as a hobby/interest.

It's a shame that federal student loan data is private (and probably a federal crime to dig through if it's not private) - as it'd be a rather fun query to see the intersection of students who list marijuana as an interest and those who receive student aid - given that you lose your right to get student aid forever if you ever get caught smoking pot.

So instead, let's focus on another fun feature of Facebook... privacy.

A user can specify that their profile is private, and thus only their friends can view it. Someone browsing through profiles will just see their name, a photo, and their school/year.

However, if you search for specific terms, Facebook will return all positive matches - including those people who have marked their profile as private.

Case in point. Which IU students moonlight at strip clubs in Bloomington:

http://indiana.facebook.com/s.php?adv&k=10010&n=-1&cy=Night%20Moves&o=4
http://indiana.facebook.com/s.php?adv&k=10010&n=-1&cy=Legends&o=4

From this, we learn that [redacted] ('06) works at Night Moves, but her profile is public, so this is not such a revelation.

However, far more interesting is that [redacted] ('07) also works there, and has marked her profile as private.

And what the hell. Since we're looking, it's also worth noting that [redacted] lists marijuana as one of her interests: [redacted facebook query]

Now, what about Legends?

Well, this is somewhat tougher.

[redacted] ('10), [redacted] ('09) and [redacted] ('06) all return a positive match.

[redacted]'s profile is public, and reveals the fact that she works at the Legends Title company. Drat, it seems there are false positives due to common names.

However, a quick search for Legends Title only returns Shelley's name (http://indiana.facebook.com/s.php?adv&k=10010&n=-1&cy=Legends%20Title&o=4), thus leading me to believe that either [redacted] and [redacted] work at the Legends strip club in Bloomington, or some other company whose name has legends in it.

Clearly, this is not foolproof.

I'm willing to bet that in the case of Night Moves, we won't have any false positives due to the uniqueness of that company's name.

And the moral of this story is:

Just because you mark something private on facebook, doesn't necessarily mean it is private....
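
The leak described in this post comes from a search that matches on fields the viewer is not allowed to read and only hides them in the output. The following is an added illustration, not Facebook's code: the profile model, the `employer` field, the function names and the sample profiles are all constructed assumptions. It puts the leaky search beside one that applies the privacy check before matching, plus a regression check that flags the leak.

```python
"""Constructed model: a profile search that turns private fields into a match oracle."""
from dataclasses import dataclass, field


@dataclass
class Profile:
    user_id: int
    name: str
    school: str
    private: bool
    friends: set = field(default_factory=set)
    # Fields that only friends may read when the profile is private.
    details: dict = field(default_factory=dict)


def can_view_details(viewer_id, profile):
    """Privacy rule from the post: a private profile is readable by friends only."""
    if not profile.private:
        return True
    return viewer_id == profile.user_id or viewer_id in profile.friends


def stub(profile):
    """What any viewer gets in a result list: name and school, nothing else."""
    return {"name": profile.name, "school": profile.school}


def matches(profile, field_name, term):
    """Case-insensitive substring match, which also produces the false
    positives the post ran into with similar employer names."""
    return term.lower() in profile.details.get(field_name, "").lower()


def search_leaky(profiles, viewer_id, field_name, term):
    """Matches against every profile and ignores viewer_id entirely.
    The details are hidden in the output, but appearing in the result list
    already tells the viewer that the hidden field contains `term`."""
    return [stub(p) for p in profiles if matches(p, field_name, term)]


def search_enforced(profiles, viewer_id, field_name, term):
    """Applies the access check before the match, so a field the viewer
    cannot read never influences which results come back."""
    return [
        stub(p)
        for p in profiles
        if can_view_details(viewer_id, p) and matches(p, field_name, term)
    ]


def leaked_profiles(search_fn, profiles, viewer_id):
    """Regression check: for each profile the viewer cannot read, search for
    every hidden value it holds and report the ones that surface anyway."""
    leaks = []
    for p in profiles:
        if can_view_details(viewer_id, p):
            continue
        for field_name, value in p.details.items():
            results = search_fn(profiles, viewer_id, field_name, value)
            if any(r["name"] == p.name for r in results):
                leaks.append((p.name, field_name))
    return leaks


# Constructed sample data; names and employers are placeholders.
PROFILES = [
    Profile(1, "Alice Example", "Example U '06", private=False,
            details={"employer": "Northside Cafe"}),
    Profile(2, "Bob Example", "Example U '07", private=True, friends={3},
            details={"employer": "Northside Cafe"}),
    Profile(3, "Carol Example", "Example U '09", private=False,
            details={"employer": "Northside Cafe Supply"}),
]
STRANGER = 99  # a viewer who is nobody's friend

if __name__ == "__main__":
    for fn in (search_leaky, search_enforced):
        names = [r["name"] for r in fn(PROFILES, STRANGER, "employer", "Northside Cafe")]
        print(fn.__name__, names, "leaks:", leaked_profiles(fn, PROFILES, STRANGER))
```

The same check belongs in a test suite for any search, autocomplete or "people you may know" feature, since each of them can answer a yes/no question about a field that the profile page itself refuses to show.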

Tuesday, September 05, 2006

First (sorta) Day of Classes

Due to Burning Man last week, I missed the real first week of classes. Thus, this week was the first for me.

Jean's class was a blast - and covered such fun topics as:
rightwing nutjobs posting the names of abortion doctors,
the right to privacy of john/jane doe in lawsuits,
the right of consenting adults to engage in non-typical sexual behavior,
and more craziness on the part of republicans.

It's really really cool to be taking a security related class with someone who is actually willing to talk about the societal + legal related issues that come along for the ride.

It's also awesome to be able to bring up Lawrence v. Texas and data protection in the same discussion.

Major high hopes for this class.

---

Markus's class proved to be exceedingly cool - mainly due to the fact that Roger Dingledine and Paul Syverson are in town for the next 2 weeks doing a guest lecture/visiting researcher thing.

They spent the class giving an intro to Tor, which wasn't too informative - due to the fact that I'm an avid Tor user, and implemented the v1 onion routing protocol as a class project back at Hopkins.

Markus's class is going to involve significant amounts of groupwork - which I'm always wary of. You never know who you're going to end up with, and how lazy/incompetent they'll be.

I've been assigned to a group doing something Phishing related.

The other half of the class is working on Click-Fraud - which is easily much much sexier and hot. However, it's probably a good idea for me to keep away from click-fraud related stuff for the near future, just to keep on the good side of my Google NDA.

---

My 3rd and final class is a security seminar. 4 students, one professor, we each present 2 papers - which we are assigned from a shortlist of 5 papers we give to the prof.

It doesn't look too bad. I'm just hoping my peers don't choose insanely boring papers.

---

The evening was wrapped up with a 3 hour dinner with Paul and Roger over turkish food.

Quite a few things were discussed - including open problems facing the Tor project.

Roger and I still don't see eye to eye on the future of Tor - but that's ok, because it's his project ;)

To be able to sell my case, I need a sexy story.

The problem here is that Chinese pro-democracy dissidents don't currently need to be able to use BitTorrent anonymously. In fact, they really don't need to exchange multiple gigabytes of data on a regular basis...

Thus, I need to find a new and improved story - one that is better than Chinese Dissidents, and involves vast amounts of anonymous data.

Sunday, September 03, 2006

Terrorist Hummous

En route back from Burning Man, I stopped in Reno for the night.

Reno has a Trader Joe's - and after a week of mostly Clif bars, this was too good to be true.

Alas, the Transportation Safety Administration doesn't see things my way.

In their view, factory sealed stuffed-grape leaves, Hummous, and yoghurt are all liquids - and thus components of a bomb.

My conversation with the TSA goons went something like this:

Them: You can't take these on board. They're liquids.
Me: No. They're solid foods. The hummous is more of a paste than a liquid.
Them: You can't take it through.
Me: I realize that hummous and Al Qaeda come from the same part of the world - but well, so does Algebra.
Me: Israel also produces lots and lots of hummous, and our government loves them.
Him: Sir, you're going to have to make up your mind. There are other people waiting.


Needless to say, when I eventually went back through the security checkpoint after having a rushed breakfast, I was "randomly" selected to be thoroughly screened....

Saturday, September 02, 2006

Back to Blogging

Now that I'm no longer a full time Google employee, it seems like a good idea to start blogging again.

Given that I'm also no longer travelling full time, this blog will be moving away from the documenting-my-backpacking-craziness subject matter, and well, will become more an outlet for my daily life and PhD student geekiness.

Saturday, May 06, 2006

Home

I'm now in Virginia (and thus, in theory, home).

I'm not too sure what'll happen to this blog. After all, the trip is over now, right?

I fly off to Indiana for a spot of apartment hunting tomorrow, and a week later, will be off to San Francisco to begin my Google internship.

What happens next here - I don't know.

Bumpage/Marriott Rewards

DHS is a pain in the ass.

It seems that searching my bags was not enough. I got selected for secondary screening when I went through the x-ray, and was given the old 3x over with the magic wand. They found nothing.

I'm starting to think that arriving in the states wearing an orange skirt, and a beard is perhaps not the best thing - even after I explained to the customs guy that Thailand has the death penalty for drugs - and that I'd be a complete idiot to bring anything in the country.

However, after all that - fate seemed to smile at me.

My flight from San Francisco -> Washington DC was heavily oversold, with a number of business-men who had paid full price fares and were demanding to be in DC that night....

I happily gave up my ticket, was put on a flight to Baltimore leaving 15 minutes later - and in exchange, was given a free round-trip ticket anywhere in the US + a one-way upgrade to 1st class for my next United trip. Awesome!

Fate continued to smile on me....

Kat met me at the airport, we drove to DC. On the way, I called up the Marriott and asked to speak to the manager. I explained the bump-situation, and told him that we'd had to rent a car to get from Baltimore to DC. Was there any way he could waive the $27 parking fee? He Could? Lovely.... He also confirmed that they'd given us a free upgrade from a deluxe room to a junior suite.

However - once we got to the hotel, I did my very best to flirt with the manager-on-duty. After a few minutes of heavily-British-Accented chatting with him (man/woman, it's all the same if it gets us a nicer hotel room), he announced that he'd upgraded us to an executive suite, and that he'd given us an extra-late checkout time of 5PM. Woo!!

The room.. oh, the room.

A huge bed, 2 bathrooms, a living room with a huge dining table, a mini-kitchen, and a HUGE rooftop balcony overlooking the NPR headquarters on K street.

The next morning, I called down to the reservations desk, and found out that the room would normally have cost $600.

The power of flirting, and a British accent!

The Journey/ US Customs

Stayed up until 4AM at an internet cafe on Khao San Road, Bangkok... took a cab to the airport to be there when checkin opened, and scored exit row seats for the whole of the journey. Great!

The trip was rather uneventful for the first two flights. Lots of sleep, lots of legroom, amazing indian vegetarian meals (that made my seat-mates somewhat jealous, I think).

Things got rather interesting once I got to San Francisco airport.

First off, the passport screener immigration guy wrote "BCG" in big red letters on my immigration card. I peered over at other folks, all of whom lacked the letters, and knew that I was already in trouble.

While waiting for my bag to show up, a cop+dog wanders by, and starts to sniff my carry-on bag. I make nice, start a conversation, and ask the Customs agent the name of her dog. "I'm sorry sir, we can't reveal that for security reasons".

That's right. It's perfectly ok for her own name to be pinned to her chest, but the dog is kept in some kind of dog-protection-program limbo.

Eventually, the dog sniffs out the orange I'd saved from my breakfast, the woman seizes it, and writes something else on my card (it seems that the undercover dog sniffs food, and not drugs).

I present myself to the final customs check, whereupon, looking at my immigration card (now covered in red and black ink from various agents), he sends me over for 2nd and 3rd screening.

My bag is x-rayed, and then I'm sent over to a gentleman who proceeds to open up my bag, and ask me to identify every item.. "That is toothpaste, those are dirty clothes, those are drugs..."

I have 2 first aid kits in my bag - I've been in the 3rd world, and you can get lots of nasty things - so I've got lots of meds. The funny thing is, he doesn't seem to want to look inside. I could have all kinds of opiate-derived painkillers/Viagra/or worse, but he doesn't care.

After asking me a bunch of questions (where did you go, why did you go there for so long, how did you afford to live in India for all that time, etc) - he lets me go.

Now - as a security student, I have to state that this was pretty stupid.

1. Marking my card in such an obvious way when I could easily go to the bathroom and flush anything illegal I had, or even leave my bag on the belt... If you're going to pull someone, don't tip them off ahead of time with big red letters.

2. The guy made a big scene of looking in my bag, but really didn't search it that well. I could have had lots and lots of drugs, and he never would have found them.

All this did was piss me off, and make me miss my chance at catching an earlier connecting flight.

Saturday, April 29, 2006

Marriott Rules!

We came back pretty late to the hotel last night, after wandering through the seedier parts of Bangkok in search of pirated t-shirts and such.

Sitting on the bed in the hotel room when we got back, was a card.

"Dear Mr. Soghoian, I understand that you have been feeling unwell during your stay at the Marriott. We hope you get well soon, and please accept this gift from us. Signed, Marriott General Manager"...

and under the card, was a large box of tasty chocolates.

In addition, they let us have a late-checkout, giving us over 24 hours in the hotel. What a deal!

----

I spent the rest of the day doing a bit of shopping on Khao San Road.. Honestly, I'm sick of buying stuff (and I bought so little). I just can't motivate myself to buy anything really - I have too much stuff back in the US, and there is just nothing I need that badly.

I'll be returning to the US with the same backpack that I arrived with.. no other suitcases...

I've spent most of the night here at a 24/7 internet cafe. In 20 mins, I'll catch a cab to the airport, putting me there at 4AM when checkin opens, and thus, insha'alla, I'll be rewarded with exit-row seats for my entire journey.

Fingers crossed. 20 hours of flying with no legroom will be awful otherwise.

Friday, April 28, 2006

In Bangkok

Bangkok traffic is awful.

Backtracking slightly - I arrived somewhat late to Chiang Mai airport, approx 25 minutes before the flight was due to leave. Had it not been for the fact the airplane was late, they surely would have told me to get lost.

Once I arrived in Bangkok...I hit the traffic. My flight arrived at 1PM, the airport bus showed up at 1:30PM, dropped me off at 2:30PM and the taxi for the final leg took another half hour.

However, it was worth the journey.

I got to the Marriott Bangkok Resort and Spa, went to the reception, was met by a lady with moist linen towels and fresh fruit juice, who checked me in.

Her: Sir, we have great news for you
Her: We have upgraded you to a junior suite, and your wife has checked in early. She is waiting in the room for you.

My wife, eh?

One of my travel buddies from India (and later northern Thailand) had just come back from Laos, where I should have been. I told her about my awesome free night at a five star hotel, and offered to let her have the other double bed in the room - after all, with my foot, I can't really use the swimming pool, jacuzzi or sauna - so someone might as well enjoy it.

I was met at the door of the hotel suite by a jumping-up-and-down excited Israeli girl - going crazy over the fact that we have a huge room, a proper bathtub, a balcony (that is at least 20ft long), with a view over the river, and 2 beds covered from top to bottom in soft pillows.

It's the first time she's ever stayed in a hotel that costs more than 5 dollars a night :)

It seems that my trick worked quite well. I emailed Marriott a few days ago, told them that I had been travelling for 8 months, and this would be the first time that I'd seen my wife in all that time, and anything they could do to make the stay a bit nicer and more romantic would be much appreciated. Hence the suite upgrade.

The lady at the reception was rather shocked when I still insisted on 2 beds, even though I was supposed to be having a romantic rendezvous with my long-lost-wife.

The even funnier thing, is that I've sent the same request to the Marriott in DC, where I'll be staying in 2 days - with a completely different wife.

Monday, April 24, 2006

Google Internship

The contract arrived by DHL international delivery today.

With a signed contract in hand, I assume it's fair to announce to the world (hah) that this summer, or rather, in just over 3 weeks, I'll start working at Google's HQ in Mountain View, California.

I learned a painful lesson last summer regarding how far Silicon Valley is from San Francisco (and thus anything fun), esp. for those without cars.

In spite of the availability of killer Indian food in Sunnyvale - I will not be moving back there. I'm currently in the process of craigslist-ing a summer sublet hopefully near to the panhandle/Haight street area of San Francisco.

As per prior reading on other blogs, I've gathered that Google doesn't like it when people discuss their jobs/internships on the internet, and so I doubt I'll be talking about the job again.

The one burning question for me - is going to be the quality of Google's food.

There is much hype spread around about the amazingness of the Google campus, the free food, etc..

However, last summer at Apple - was a thoroughly enjoyable experience for a vegetarian. After all, Steve Jobs, the CEO, is vegan.

We shall see if Google's food options beat those of Apple.

Sunday, April 23, 2006

Shopping Fatigue and Gifts

Chiang Mai has a reputation as one of the best places to buy stuff in Thailand.

Given that I'm leaving here on the 28th, today was my last Sunday Market (the major shopping event)... and while I saw loads and loads of 'stuff' - clothing, jewellery, etc that would make perfect gifts for people and general purchases for myself, I just can't do it.

After 2 hours of strolling, I managed to buy 5 loofahs (25 cents total) and 20 floating bath candles. That's it.

I'd like to say that after 8 months of backpacking, that I'm so used to living out of my backpack that I'm now beyond the materialness of buying nice looking clothes. Everything I have is functional, and gets thrown/given away when it's not needed anymore (For example, now that I'm staying in fancy hotels all the way till my departure from Thailand, I managed to even give away my travelling bedsheets, laundered of course, to a fellow backpacker).

However, a more realistic explanation is probably that I'm suffering from choice fatigue. The fact is that backpacking, especially by yourself, is an exercise in selfishness. Within the confines of the country you're in, you do essentially whatever you want. And with 8 months to work with, and a fairly healthy budget, I essentially had free choice from thousands of options (where to go, what to do, who to be with, what to eat, what to wear, how long to stay, blah blah blah).

Combined with the hundreds of possible things you can buy here, maybe I'm suffering from choice-overload. I'm so used to contemplating major choices (which town next), that the choice between red and blue pants is too much - and so I don't buy anything.

However, this attitude, if extended to its logical conclusion, would mean that I'll arrive back to the US gift-less. Which will probably make me an asshole.

Luckily, I've managed to paint myself into a lucky corner....

I'm booked on a flight with Air Asia on the 28th from Chiang Mai to Bangkok - a dirt cheap, no frills airline, that only allows a single checked-bag of 15kgs...

If I start buying gifts here in Chiang Mai, my bag will rapidly become overweight, and thus I'll have to pay through the nose.

Thus, I'll really only have that one day in Bangkok to buy a few gifts. Spiffy. No major shopping.

Thursday, April 20, 2006

All falling into place

Ok, things are crystalizing somewhat.

The current plan is so:

Stay here in Chiang Mai till the 28th.
Fly to Bangkok.
Check in to the Marriott Bangkok Resort for one night (freebie, woo woo!) for a bit of pampering.

The next day, check-into a complete 2 dollar hovel, as I'll just be using the shower there.

I leave on the morning of the 30th, and have to be at the Airport at 4AM (esp. if I want to guarantee exit row seats all the way on my 25+ hour journey - legroom is totally worth arriving an hour extra). Thus, there is no point in sleeping, esp. since I'll have all that wasted time on the airplane.. So the plan is to stay up all night on or around Khao San Road, nip to my cheap hotel for a shower at 3AM, and then go to the airport to check in.

I arrive in DC on the night of April 30th, spend one night at a spiffy DC Marriott (again, thanks to free points) to visit a friend.

Leave DC the night of May 1, fly 45 mins down to Charlottesville, where I stay for 5 days and take care of lots of things (my taxes are still not done. Eek!)

May 6th, fly to Indianapolis, and go direct to Bloomington for a bit of apartment hunting. I've found a few people from couchsurfing.com who have kindly agreed to put me up for free.. Awesome eh?

May 11th, fly back to Charlottesville.

May 13th, fly to San Francisco.

May 16th. Begin summer job.

Eeek! So much to do, so little time.

I now have health insurance, thank goodness.... although, I doubt it covers much.
The biggest item on the to-do list is to now find a place to live in SF... I've been sending out a million craigslist emails per day. Hopefully something will come through. Hopefully, it won't be in the middle of a ghetto.

In the Groove

It's taken a while, but I think I'm getting into the groove of Chiang Mai.

Foodwise, I'm in heaven now - I've found one restaurant that has about 10 different types of fake-meat, and their khao soi (yellow noodles, oyster mushrooms, tofu/soy, red curry and coconut milk soup and lots and lots of spice) is out of this world. I've started making friends with the street-side fruit and iced-tea vendors, and the ice-cream carts that walk by my hotel now know that I like lots and lots of peanuts on my coconut-ice cream.

My time is spent mostly strolling, slowly (due to the foot). The only thing I can really do here is sit on the internet and take care of stuff (so much to do, so little time), eat, and go to the hospital... and so, I've spread things out.

My hotel is in one part of town, my restaurant is 15 minutes away, just next door to the statue of the 3 kings (a big square where you can chill out) and also next to a giant Buddha statue which the songtao (pickup-truck-taxi) drivers Wai (semi-bow) to as they drive me by...

I've found an amazing massage place, with a male masseuse (an extreme rarity here), who is perfect at applying extreme force to my muscles (far too many of the masseuses here are pretty young girls, who, while they provide for significant eye-candy, leave much to be desired in the actual massage) all for the cheap sum of 120 baht per hour.

The blues bar has been closed for the last two days, due to local elections, but I'll be heading there tonight, I hope....

I'm planning my departure from the city, which will be in about a week. I'll be visiting the Sunday market in a few days to stock up on clothes for myself (and a few select others), and then that'll be it.. goodbye Chiang Mai.

I've been meaning to visit a foreigner in a Prison... I may do it in Chiang Mai, or if that doesn't pan out, I'll visit the much fabled Bangkok Hilton right before I leave......

Internship news soon

The contract is on its way to Thailand by Fedex.

As soon as it's physically in my hand, I'll have more news to report.

Monday, April 17, 2006

Sweet Salvation

Travellers get jaded. You can generally pick someone out when they've been on the road for a while - mainly because they tend to not drum up conversation. In fact, the less time someone has been travelling, the more likely they are to strike up a chat (due to the fact that there is so much info they need to get).

And so, I go for days here without chatting to a single foreigner... Every once in a while, someone strikes up a chat, but I honestly stereotype, and if I think they're fresh off the boat, I lead the conversation into a brick wall.

So today - I actually struck up a conversation with an Israeli/American woman (after overhearing her talk to someone on the phone enough to realize she lived in Chiang Mai). We start chatting, she invites me to lunch, and brings me on the back of her motorbike.

I hit the mother lode! She's a vegetarian, and sings blues in the evenings at a few bars around town...

For days, I've been suffering with the crappy foreigner-aimed vegetarian food (which is overpriced, and bland)... She took me to an awesome hole-in-the-wall vegan place aimed at Buddhist Chinese people. A choice of 8 different soy-based fake meat dishes, all for 20 baht (50 cents). Woo! I'll be going there every day.

She also told me the name of 2 bars in town that have live blues/jazz every night - which means I'll be able to fill my time here with something other than BBC News and CNN.

In theory, there is an entire street filled with reggae bars less than 4 mins walk from my hotel - the only problem is, the bands playing there do nothing but non-stop awful Bob Marley covers (not exactly my cup of tea) - and are essentially a meat market where foreigners go to pick each other up (as opposed to the bars on the main strip near the moat, where foreign men go to pick up Thai women).

I'm not drinking anymore (my alcohol consumption lasted all of two days), I hate Bob Marley covers, and I don't want to have a one night stand with a Thai hooker or a drunken foreigner - thus, that scene is just not for me.

The blues thing should be good though. I thoroughly enjoyed hearing live Blues every night in Pai - it was the highlight of Thailand so far... If I can find the same quality level here, I'll be in heaven.

Saturday, April 15, 2006

Medicine 101

Open wounds (even those bandaged up), and public 5-day water fights do not mix well.

And so, when I went to the hospital this evening for my routine changing of dressings, I was told that my toe is re-infected... And that they had to cut me open, and remove the rest of the toenail.


So that's it. The entire nail is gone, my foot is yet again cut open, and there is no way in hell that I'll be able to go to the beach for a few days before I leave Thailand.

I'm essentially stuck in Chiang Mai until a day or two before I leave Thailand.

Bummer.

The Insurance company is quite nice, they're paying for everything - and contacted the hospital yesterday, so that they pick up the bills directly now. In theory, they'll be contacting my hotel soon to do the same...

But yeah, so I'm stuck here... and the doctor has now told me not to walk anywhere I don't absolutely have to. So I'll be hanging out at my hotel a lot for the next week or so.

Lame.

On the upside - I am hoping to have my internship contract signed by next Wednesday, fingers crossed.

Scantily Clad Foreigners

The water festival is wrapping up today.. thank goodness.

The first two-three days were fun... but today is the 5th day, and honestly, I'm happy it's over. I've spent the better part of the last two days hiding in internet cafes, just to avoid having more water splashed on me. For a few hours each day, it's fine.. but esp. as the afternoon fades, it becomes pretty annoying.

I must have seen tens of thousands of people in the streets the past few days. The crowds were jam-packed, traffic at an almost standstill, and you could see an endless stream of buckets-on-a-string being thrown into the moat before they were hoisted up, thrown on someone, and then plunged back into the water again.

In the last few days, with all those people.. so many people - The only topless people I've seen have been foreign men. That's right, during a period where everyone is joining in with the local festival (which consists of water fights and getting drunk), quite a few foreign men (and unfortunately, most with American accents) seem to think it's cool to strut around in their swimming trunks and bare chests.

I'm not sure what goes through their heads - the thousands of other drenched men are still wearing t-shirts.... Do they think they're the first people to realize that it might be a bit more comfy without a wet t-shirt stuck to their back?

You can see the reactions amongst the Thai people..you hear the whispers, and the dirty looks...

And alas, we all get lumped into the same boat - damn farang.

Thursday, April 13, 2006

A Sexy Ride Home

Chiang Mai is actually a good city to be stuck in. Internet is dirt cheap here, fast, and I can use Skype to make free phone-calls back to the US.

What with the fact I still haven't signed a summer internship contract, I still don't have summer housing sorted out, and I'm still balancing about $80k of 0% credit card debt - there are lots of things to take care of, and lots of phonecalls to make... And due to the timezone difference, I can really only get stuff done late at night (if I want to talk to people in the US).

And so, the other night, I finally left the internet cafe at 3AM.. and walked out to a completely empty street. I walked down to the main road, and there wasn't a tuk-tuk/rickshaw in sight.. What to do?

After 7 months on the road, in very safe countries, I'm quite comfortable with the idea of hailing down a passing motorbike, and asking them for a ride...

Thus, the first person I saw, I waved down. It was a rather attractive young woman on a motorbike - her English wasn't that great, but good enough to understand where I wanted to go...

I started to make smalltalk...

Me: "So, are you a student?"
Her: *laughing*, "No.."

The lightbulb in my head suddenly lit up.. Ding!.... She was a bargirl, on her way back to her bar/place of work after visiting a customer who was staying near my internet cafe.

We made a bit more smalltalk (she's from a poor village in the northeast, has been doing this for about 6 months, all her customers are foreigners, etc), before she dropped me off at my place... and refused any kind of cash for the ride home.

So, er, technically, I've now had a prostitute refuse payment for services rendered..

Tuesday, April 11, 2006

Water... everywhere

It started a few days ago. I can't blame the kids really, I'm sure the waiting was killing them.

Before leaving Pai, I was having a tough time deciding between the expensive minivan and the government bus.

(Chris's law of luxury: Get the cheapest option possible... whenever you pay more for comfort, you will invariably be disappointed in the quality you receive. Stick with the crappy level, and you'll know ahead of time that you're paying for the bare minimum).

Anyway. I opted to go for the A/C, and took the Minivan. Oh was I glad. You see, about 6 times during the journey, we were ambushed by bucket-wielding children on the side of the road.. Had I opted for the government bus, their icky-and cold water would have passed through the open bus-windows and covered me... Saved by crappy A/C.

Over the past few days, I've seen a few kids with squirt guns in the streets, but that's been it.. However, today, it kicked into full gear.

Which made it a pretty bad day to move my bags from my ghetto-guest-house to my Insurance Provided A/C+TV+Hot Water Playboy Mansion. I offered my tuk-tuk driver an extra 10-baht if he could get me from point A to B without getting wet. He failed to earn his bonus.

In any case - I made it to my fab hotel - put my passports and major money in the hotel safe, changed into a pair of swimming trunks, wrapped my foot in 3 plastic bags (which later proved very successful at stopping the water from flowing away from my foot), and went outside to fight.

You see - I'd been told before by many people that Chiang Mai was THE city to be in Thailand for the New Year. No one could quite explain why though.

Now I know. Chiang Mai has an old city in the center (where the tourists are), that is surrounded by a moat. Which means, when you want to have a huge public water fight - there is a ready supply of water nearby. Dirty, icky water. In addition, the roads run directly past the moat, making it a perfect area to stand and ambush passing cars.

I decided against purchasing one of the many super-soaker clones they were selling, and opted for the much better (and cheaper) 10 baht plastic bucket + string. With this, I could hurl absolutely huge amounts of water at passing motorcyclists, rickshaw passengers, and anyone stupid enough to leave their car windows open.

And so, for 3-4 hours today, I stood at the side of the road near the Tai Pai gate - with about 5-10 other Thai kids, and pelted people as they drove by. Any passing farang (foreigners) got special treatment....

Quite a few pickup trucks passed us by, filled with kids, large plastic barrels/oil drums filled with water (and in some evil cases, ice-water). These toured the circuit, and essentially engaged in drive-by warfare with anyone standing by the moat.

The advantage that we had was of an endless supply of dirty moat water. The advantage they had was of ice-cold water, and the ability to drive away....

All in all, great fun. My foot got soaked, but that couldn't be helped.

And the best part is.. the new year hasn't even started yet. The 3 day waterfight/public drunken party starts tomorrow.

Woo...

Monday, April 10, 2006

Rapunzel

One of my friends in Baltimore has often said that I have a gift for turning shit into gold.... It may be true.

I went back to the Hospital yesterday, and got something in writing from my doctor expressly advising me to not go to Laos, esp. not to tiny villages in the middle of nowhere while I have my open wound. He also gave me written instructions to stay in Chiang Mai and to come back to his hospital every day for the next two weeks.

The only problem is - Chiang Mai is THE place to be in Thailand for the water festival (which starts in a few days), and so, all of the cheap-guesthouses are booked up.

The only place to stay, I'm afraid, is in a 25 dollar a night luxury resort (compared to the 2 dollar a night hovels I've been staying in, 25 bucks is 5 star).

Which my insurance will pay for, probably.

They'll also cover my food costs while I'm here, transport to and from the hospital, and will pay to refund the money I paid for my Laos visa.

If I'm stuck here for a week or two (depending on recovery time), this could add up to a fair bit.

God bless travel insurance.

Sunday, April 09, 2006

The Economics of Drug Smuggling

When travelling through India (and to a much, much, much lesser extent in Thailand), you meet a lot of people who smuggle drugs.

The facts are simple:

There is lots of marijuana grown in the north of the country (esp. the Himachal region).

There are backpackers all over India, some rich, some poor.

Many backpackers want to smoke cannabis, and are willing to pay a good price for it.

Many backpackers are broke, and want to keep travelling.

This is perhaps an over-simplification, but in general, there are two types of person smuggling ganja:

1. Someone who is doing it for the money
2. Someone who is doing it because they are going somewhere where it will not be readily (and affordably) available.

I've seen lots of Israelis sneak a kg or two out of the Manali region by hiding it inside their Enfield Motorbike, I've seen people cutting up their shoes to hide it under the in-sole, I've heard a number of first hand accounts from women who've hidden it in areas that Indian policemen will never ever search (even if they'd love to try), and just recently, I met an Italian man on the Andamans who bragged that his bottom currently resembled a cauliflower, after having ingested and pooped out a large quantity of plastic-wrapped hashish.

Almost everyone you meet has their own patented and foolproof method of smuggling drugs. You hear all kinds of stories involving Vaseline, shampoo, peanut butter, coffee grounds, and ghee (clarified butter).

In Varanasi, I met up with some friends of mine who I had initially met at Paradise beach in Gokarna. A week after I left, the police held a semi-raid on the beach, and one of the Israelis was locked up. It took a few weeks and multiple kickbacks (to the extreme that his friends had to buy a computer-printer for the Police Station, so they could print out his release form) before he was released. And he was just caught for smoking, not for smuggling.

The logic behind it is simple I suppose. People believe their chance of getting caught is very low, and that if they get caught, they'll be able to bribe their way out of it. This is often the case (although, when they do meet the rare variety of honest Indian policeman, they're in for a very very nasty shock).

The economics of it are simple:

Step 1. Buy 1 KG of charas in the north of India at 10-20 rupees per gramme.
Step 2. Smuggle it to Goa.
Step 3. Sell it at 100 rupees per gram to other backpackers.
Step 4. Profit (approx 80,000 rupees, or $1800)

Given that you can live in India for a good 4-5 months on that kind of money, it's easy to see the temptation for someone who has run out of money and faces the threat of a return home.

However, there is no such thing as a free lunch... and this kind of business is so dangerous that the Indian drug dealers don't even smuggle it themselves - they hire Nepali mules to bring it down from the mountains... They're not stupid, after all...

But the backpackers are. For a mere $2500 (when you include the cost of a ticket home), they're willing to risk spending a long time in an Indian prison.. when they could probably work as a waiter back home, and make that in a month....

Interestingly enough, you hear very very few stories here in Thailand about backpackers smuggling drugs...or at least, people don't brag about it and offer to sell to you the way they do in India. Perhaps it has something to do with Thailand's much publicized extreme willingness to give foreigners the death penalty for that kind of thing.

On Sex Tourism

Churchill: Madam, would you sleep with me for five million pounds?
Socialite: My goodness, Mr. Churchill... Well, I suppose... we would have to discuss terms, of course...
Churchill: Would you sleep with me for five pounds?
Socialite: Mr. Churchill, what kind of woman do you think I am?!
Churchill: Madam, we've already established that. Now we are haggling about the price.

One of the nice things about Pai, was that it was a sleepy town mostly visited by hippies and backpackers - not the type who tend to frequent sex workers.

Now that I'm back in a big city, I'm yet again surrounded by the sex industry... nearly empty bars with a few pretty women calling out to you as you walk by, and countless fat, balding, old white men with petite young Thai girlfriends...

Just as in India, you find that backpackers are constantly talking about fecal matters - for the simple fact that everyone seems to have food poisoning at one point or another (and thus has a magic cure for it), backpackers here seem to spend a lot of time debating the merits and evils of the sex industry.

As gross as it is for me to see these fat old foreigners with tiny Thai girlfriends, I find it difficult to judge the industry itself as being wrong.

The fact is, that I've seen people doing far worse jobs during my travels. I've seen poor Indian men up to their eyeballs in human waste, cleaning out the drains clogged by some stupid foreigner (who has yet to figure out that 3rd world plumbing and toilet paper do not mix well). These guys are probably exposed to every disgusting disease out there - no protective suits, just a loincloth, a pair of sandals, and a couple tools....

I've seen young kids sent from their homes in Bihar (the poorest state in India) to work at restaurants in other states, where they are beaten by management, not paid anything, and are forced to sleep on the floor at night.

Comparatively, sleeping with someone for money doesn't sound as bad...

Thus, I find it very difficult to harshly judge the women entering the industry - as someone remarked recently in a conversation, women, by their very gender, are literally sitting on a goldmine. It makes economic logic to take advantage of this.

Well? What about the fact that the women don't like sleeping with these ugly foreigners?

Equally, the women I pay 150 baht (3 dollars) per hour to give me a massage probably aren't crazy about massaging a stinky foreigner... And the guy at the train station carrying my bag on his head would probably rather not...except for the fact that they're all getting paid for it.

Earning money for doing something that you 'like' is a luxury that many many people in the world do not have.....

The typical situation seems to be that an old guy goes to a bar, talks to a few Thai girls, eventually picks one as his new 'girlfriend'. She'll tag along with him for the next few weeks, sleep in his room, be bought dinner/drinks and gifts, and before he leaves, will probably be given some kind of financial gift (she may tell a sob story about her poor mother in the village back home to encourage this). The guy gets sex, the woman gets some money, some free food and drink, and maybe some outfits... It's not such a bad deal for her, really.

The Churchill quote I began this entry with, while funny, is both true, and quite fitting to this discussion. 5 million pounds to a British upper class woman can just as easily be 100 dollars to a poor girl from Burma or Cambodia working in the Thai sex industry - in both cases, it's a relatively huge amount of money.

It's worth noting a couple other things....

One of my friends told me that in Pattaya (a Thai beach resort famous for sex tourism), there is a street full of Nigerian male sex workers - who are there primarily for visiting Japanese women.... (clearly, the market will cater to unique tastes).

....

As sick as it is to see the old fat men - every once in a while, you see a very drunk one staggering home with what is most likely a lady-boy... and you can't help but smile thinking of the shock he's going to have in the morning.

....

I think Thailand is actually pretty good about STDs and HIV... You see condom machines everywhere, and sex is such a normal thing here, that I doubt there is any kind of stigma about going to a pharmacy and asking to buy condoms.

India is completely different - a sexually repressed country, where people are far too scared to ask for birth control at a chemist. In addition, from what I've been told, the condom is often about the same price as the sex act (a staggering thought in itself), and so there is a "race to the bottom" as the women compete with each other until eventually, they are forced to choose between no customer or no protection.