Wednesday, December 06, 2006

An Early Christmas Gift from TSA

Dear Christopher,

We were slightly worried that you might spend Christmas relaxing and spending quality time with your family. We can't have that.

Thus, please enjoy the enclosed letter - we're quite confident that it'll occupy your thoughts for the next few weeks. Have fun mulling things over. We expect a reply from you by Christmas day.

Enjoy your holidays!

Love,

Your Friends at TSA.

P.S. We continue to ignore the existence of a different boarding pass generator, written by someone else and which has been online for the past month. It wasn't in the Washington Post, so our bosses haven't seen it yet. Phew!

P.P.S. We don't actually plan on fixing any of the underlying security problems. That'd be far too difficult. We may, however, switch from requiring Ziplock bags to Reynolds Wrap foil pouches for passengers' liquids. The idea of people constructing origami foil pouches in the security line has been making us crack up at the office, and we think it should do much to spread Christmas Cheer at the Airports.

16 comments:

maltrich said...

Strangely, none of the rules they just cited say that you can't publicly explain *how* to enter a secure area with altered documents, so I'm not sure I understand what they think you've broken. There's no way they can prove you've ever printed one of the things yourself, or that you would encourage us to use them.

Don't let them frighten you; we all know you're in the right.

Kevin said...

I hadn't considered the civil suit angle. I hope your legal team has. So does this mean you have until the end of the semester to officially respond? And do we have to endure another period of radio silence from your blog?

gl. Hope your holidays turn out happy.

Jordan said...

Chris, I just found out about this mess a few days ago, and have been following it closely. I have nothing to offer you except my best thoughts and wishes. Good luck my friend.

Anonymous said...

I wonder if Northwest Airlines could sue you for misusing their logo and for unauthorized use and for copyright infringement. No doubt Northwest Airlines got some bad PR out of this. They could file a civil suit as well.

I am also wondering - if you had known all these criminal and civil laws before you started this non-IU sanctioned project, would you have done what you done? I doubt it. No one can be THAT stupid. Doesn't it speak volumes that IU wouldn't sponsor this research? And now you are surprised they wouldn't provide legal support?

So what if someone else has posted a different generator? Maybe that person will be prosecuted in time. If it's posted anonymously and can't be traced, too bad. You were tracked down. Is this your best defense? Why not own up to your ignorance of the law and take whatever consequences may follow?

Oh that's right, young naive college grads shouldn't have to assume responsibility and be held accountable for anything! After all someone else is the problem...

Lastly, yeah, faking a boarding pass can be a possible security issue. So can a dozen other things at the airports. People are aware of these problems already - you're no genius for pointing it out. The government can be slow and even hypocritical in fixing things. Get used to it.

I also find this quote from your attorney in the Washington Post to be revealing:

"I think the clear takeaway from this is for people to go ahead and do their research, develop a thesis of what the flaw is and bring it to the attention of the authorities if it has any potential for misuse, but don't post it online," Braga said. "People really need to think twice about whether putting things like this out there might fall into the wrong hands and be used for illegal purposes." - Steven Braga (source: http://blog.washingtonpost.com/securityfix/2006/11/boarding_pass_hacker_breaks_si.html)

Damn, this is your own attorney!! The point being there are better more effective ways to point out problems and try to get them fixed. Your approach was totally naive and stupid.

Anonymous said...

If those idiots make you pay, don't forget to notify us. I'd chip in a couple hundred.

Anonymous said...

Is there any way the University can help you out? Could they foot some of the legal bill? This story is outrageous. I don't understand why they would waste money trying to sue you when they could hire you to help them figure out how to fix the holes.

Anonymous said...

How do such fines work (i.e., civil penalties)?

Does a government agency just decide that you owe them X (say 10K per siteview = 10 mil) without any due process or going through a court procedure?

If they can do this, what happens if you don't pay? I understand that if a *judge* tells you that you must cough up some cash and you don't, one may be in contempt of court.

Can some petty govt civil servant demand that you hand over a random amount of cash, without judicial review?

I don't see why you put up with this country at all (yes, educational opportunities)... Leuven has a good crypto program I hear.

(EO)

Anonymous said...

I wonder if the TSA people at the airport would allow you to access the airport secure areas by showing them a letter signed by the Federal Security Director authorizing you to inspect the airport.

Me personally, I just put on a priest collar. They don't search me, they don't look in my bags, it is just "Here you go father, have a nice flight." and I get on the plane.

Anonymous said...

Hope everything works out for you. If they did listen in the first place, this problem wouldn't ever exist. That's how things work in today's time. If you tell them, they'll disregard it. Think about it, people ... if you can write this tool in under two hours, wouldn't it be easier to fix the problem than to prosecute someone who has shown you what the problem is?

The biggest security-related mistake they ever made was they allowed tickets by e-mail. Hint: if their server can generate hundreds of these per second, so can someone with a few hours on their watch.

At least that's how I see it. Good luck buddy, I have to keep my name Anonymous due to my job sadly, as of course voicing my opinion may get me in trouble. Keep up the good work, I've bookmarked and check your site every day.

Once again, GOOD LUCK!

Anonymous said...

I think they're trying to use the first one, which says you can't make fake passes. However, there's a key clause: for fraudulent purposes. Until they prove that his intentions were fraudulent, this one shouldn't apply.

The second rule, tampering with a security system, could theoretically be involved, but only if they can prove the passes were actually used. Otherwise, it's all academic.

Finally, the third rule is completely irrelevant, unless, again, they can prove someone used the pass. In this case, it'd have to be Christopher himself in order for him to be charged with that.

Anonymous said...

Interesting, the way I read section 1540.105(a) it appears to be aimed at employees. Also notice section 1540.105(b) below, which says none of (a) applies when conducting security tests. I'm not trained in reading legal documents, so someone else more knowledgeable in legalese may disagree with me.

---
http://a257.g.akamaitech.net/7/257/2422/09nov20051500/edocket.access.gpo.gov/cfr_2005/octqtr/49cfr1540.105.htm

TITLE 49--TRANSPORTATION

CHAPTER XII--TRANSPORTATION SECURITY ADMINISTRATION, DEPARTMENT OF
HOMELAND SECURITY

PART 1540_CIVIL AVIATION SECURITY: GENERAL RULES--Table of Contents

Subpart B_Responsibilities of Passengers and Other Individuals and
Persons

Sec. 1540.105 Security responsibilities of employees and other persons.

(a) No person may:
(1) Tamper or interfere with, compromise, modify, attempt to
circumvent, or cause a person to tamper or interfere with, compromise,
modify, or attempt to circumvent any security system, measure, or
procedure implemented under this subchapter.
(2) Enter, or be present within, a secured area, AOA, SIDA or
sterile area without complying with the systems, measures, or procedures
being applied to control access to, or presence or movement in, such
areas.
(3) Use, allow to be used, or cause to be used, any airport-issued
or airport-approved access medium or identification medium that
authorizes the access, presence, or movement of persons or vehicles in
secured areas, AOA's, or SIDA's in any other manner than that for which
it was issued by the appropriate authority under this subchapter.
(b) The provisions of paragraph (a) of this section do not apply to
conducting inspections or tests to determine compliance with this part
or 49 U.S.C. Subtitle VII authorized by:
(1) TSA, or
(2) The airport operator, aircraft operator, or foreign air carrier,
when acting in accordance with the procedures described in a security
program approved by TSA.

Anonymous said...

from the letter

Paragraph 3 states
29 CFR 1540.103(c) states yada yada yada for fraudulent purposes. Did you do this for fraudulent purposes?

Question: did you do this for fraudulent purposes? If not, they have to prove this part.

Also the security system angle. Is it the TSA’s angle that a boarding pass is a security system, measure or procedure? If so, how is holding a boarding pass a security system, considering they don’t confiscate them from the passengers after boarding? Being a flying type myself, I keep old boarding passes. Does this make me a criminal also because I might “possess” a boarding pass? I would swing this as an overly broad regulation and check the Federal Register to see the intent of the statute when it was published, which will give you insight into the intent of this particular standard. As for 105(a)(2), you didn’t attempt to enter; they are just blowing smoke in my opinion. If they intend to charge you, have them submit proof of boarding. If they can’t, provide them with a valid boarding pass from past flying; oops, maybe that will mean you have “fraudulently” kept a security device or measure.

Have them define a security system, measure and a procedure implemented under this statute. Also have them try to explain the process of 105(a)(1) & (2) as to how and when you “violated” these standards.

Also ask what the reasonable person would do under these circumstances, and also file a whistleblower complaint. State that they are harassing you. Maybe a whistleblower complaint will explain that you were “trying” to help secure the unfriendly skies through showing their lack of a “security system”.

I would write them back asking for clarifying information. Ask them point blank what they are fishing for and what standard you violated and how you supposedly violated such standard.

It’s a fishing expedition, and a reasonable person would not expect an answer around the holidays.

Just my 2 cents worth

Anonymous said...

Hey Chris,

I've got a great idea for you! Why don't you create a web site where users could generate their own TSA "LETTER OF INVESTIGATION"? Users could enter their name, address, the fine per violation, and a holiday deadline for proving their innocence. The web site would then generate an authentic-looking investigation document like the one that you posted on your site. I personally would like to have until Hanukkah to prove my innocence or be fined 1 million dollars per violation.

Merry Christmas and I'll see you in Guantanamo!

Jason Sisk said...

Give me bureaucracy or give me death.

Anonymous said...

Hey, has anyone had success using the mirror site? I'm having some trouble.

gav said...

I personally think you're a genius. If it wasn't for you posting it online and getting searched, it would not have made the Times or any newspaper for that matter. You got your message across.