Wednesday, February 28, 2007

RIAA Liars

The RIAA launched a new website recently: P2P Lawsuits. It's a one stop shop for anyone who has been sent a letter from the RIAA. They make it nice and easy to pay them their extortion... er, settlement money.

The most interesting part of the site, I think, is their FAQ.

In particular, I like this question the most:

Q: If I have Wi-Fi at home, how can you be sure it was me who did the downloading?

A: The fact that a wireless connection is involved does not mean that the individual engaging in copyright infringement cannot be identified. Cases are routinely pursued where a wireless connection is involved.

This is a total lie.

From the data that they have collected (essentially, logging onto a p2p network and downloading one or more files from you) - they have absolutely no way to know which computer in your house, or worse, which computer in your apartment building was using the Internet connection.

If you are dumb enough to accidentally share your home movies/homework folder too, and they download your World History final exam - then they may be able to claim that you are the evil-file sharer.. However, with just an IP address, they don't have anything.

Why are they lying? Because by stating this, they may get people to settle who would otherwise have a pretty reasonable defense.

Yes, there have been timing attack papers in the past few year (Kohno et all, in particular), and there are ways of fingerprinting a remote OS, even passively. However, none of these techniques will reveal which specific computer was using a wifi connection.

The RIAA are liars. Plain and simple.

Monday, February 26, 2007

My first FOIA request comes back empty

Late last year, liberal blogger Glenn Greenwald had reason to believe that someone from US customs and border patrol had looked up his border entry/exit records, and posted the information to the Internet. More on that can be viewed at Glenn's old blog site here.

Thus, I fired off a FOIA request to US customs and border patrol, now part of DHS, asking for any and all records and database searches done by an employee named 'Eric Wess' for data on Glenn Greenwald...

C&BP's FOIA office got back to me last week by telephone, and told me that they do not have now, or had in the past year (the scope of my request) any employee named 'Eric Wess' on their payroll. If I wanted to do a search for any agent who had done a search on Glenn, I'd need some kind of privacy act waiver....

Not the most fantastic result, but still, a useful FOIA writing experiene, and a chance to see the US government responding to them in a reasonable amount of time.

Sorry I couldn't be more helpful Glenn.

Saturday, February 24, 2007

My blog post leads to congressional investigation of TSA


Wired News is reporting that Henry Waxman - acting as chairman of the powerful House Committee on Oversight and Government Reform - has sent a letter to Kip Hawley, TSA director, demanding information on TSA's shamefully insecure and phishy TRIP website.

The letter, in its full glory, can be found here (pdf).

I was the first person to notice the website, and its lack of SSL encryption. I tipped off Ryan Singel of Wired News, and Brian Krebs from the Washington Post. There have been a couple articles written about the story so far...

I'm crossing my fingers, and hoping for hearings...

Thursday, February 22, 2007

TSA and the Amber Alert

I'm in the middle of finishing up a paper on airport security right now. I hope to make it public in the next couple weeks. I've been doing a lot of research, digging out quotes, facts, figures, etc. I came across this fantastic quote from John Gilmore in a discussion at the Volokh Conspiracy:

At United they eventually offered me a choice of showing an ID, consenting to an unspecified but intensive search, or not being able to buy a ticket. My lawyer always told me to never consent to a search -- if they have the right to search you, then they don't need your consent.



Which brings me to the topic of today's blog entry. On Feb 7, TSA announced that they were partnering with the National Center for Missing & Exploited Children to help find kidnapped children. TSA will circulate information such as photos and descriptions of the abducted child, the suspect and vehicle - to all of their screening officers.

Why is this a bad idea?

1. TSA can barely accomplish their primary task - keeping bombs and weapons off airplanes. In Red Team style tests at New Jersey airport last year, TSA failed to catch 20 out of 22 attempts to smuggle prohibited items past checkpoints.

2. Children do not have ID, typically and TSA does not require them to have ID when they travel, even when with parents.

3. The vast majority of children travelling through the airport system have not been kidnapped. Just as the vast majority of passengers detained or selected for secondary screening by TSA are not terrorists. Thus, the chances are that most of the children/parents who are detained by TSA for being suspect child-nappers are going to be innocent.

Remember, a 1% false positive rate with 2 million passengers a day is still a lot of false positives.

4. Since children have no ID, if you do happen to steal a child - TSA has no way of proving that the kid isn't yours. Kids tend to look alike - esp. the younger ones - and a 10 dollar an hour TSA screener is certainly not going to be an expert on the subject.

Bruce Schneier believes that the no-fly list has not caught a single terrorist. However, it has caused serious inconveniece to a number of innocent travellers - Esp. Maher Arar, a Canadian citizen who the US renditioned to Syria and had tortured for a year after his name was incorrectly included on the no-fly list, thanks to incorrect intelligence provided by the Canadian government.

These are the kinds of false positives we have to face already due to the no-fly list. With the introduction of the Ambert Alerts at TSA, we now have a whole new class of potential false positives that will cause significant delay and hastle to passengers.

On the upside, perhaps after a few highly public wrongful arrests initiated by TSA staff, parents will stop flying as much - and thus significantly reduce my chance of having a screaming baby, or annoying seat-kicking child directly behind me on a flight .... just kidding ;)

Wednesday, February 21, 2007

No ID: A letter to the DCA Police

Sergeant Sonya Westbrook
Police Department
Reagan National Airport
Washington, DC

CC: US Senator Jim Webb, US Senator John Warner, US Congressman Virgil Goode,
Virginia Delegate David Toscano, TSA Director Kip Hawley,

Dear Sergeant Westbrook,

I am writing to you to follow up on our conversion at Washington Reagan National Airport on February 19 2007.

On February 19 2007, you were called over to a security checkpoint where I was undergoing "secondary screening" by TSA checkpoint staff. I held a valid ticket on a Northwest Airlines flight to Indianapolis, and a boarding pass that had been marked "No ID" by airline staff. I requested this special pass at check-in, as I did not want to present ID to TSA staff. During the secondary screening process, TSA screeners called you over, at which point, you compelled me to show ID. The purpose of this letter is to get information about your demand that I show you my ID.

In September of 2006, I flew to Washington DC from Indianapolis on Northwest Airlines. I told the check-in agent that I was asserting my right to fly without showing any ID, and would be happy to submit myself to additional screening measures. To help things along, I brought a copy of the US Court of Appeals (9th Circuit) opinion in the case Gilmore vs. Gonzales, so that I could point out the specific text which states that passengers can fly without ID. The supervisor at the Northwest check-in desk spoke to me in an attempt to understand my intentions. She then suggested that in future trips, that I should claim that I had forgotten/lost my ID. She said that Northwest staff were clearly trained to work with passengers in this situation, and that it would be easier for me, and her colleagues, if I gave this reason for not showing ID. She advised me that attempting to assert my right to fly without ID would just confuse her staff, and that Northwest staff would print me out a "SSSS" (secondary screening) boarding pass whenever I needed one, without any problems or delay, as long as I presented my situation in such a way that their staff could easily understand what I needed. I documented my experience that day here:

The US Court of Appeals (9th Circuit) opinion in the case Gilmore vs. Gonzales states that: "As noted, we have reviewed in camera the materials submitted by the Government under seal, and we have determined that the TSA Security Directive is final within the meaning of § 46110(a). The Security Directive “imposes an obligation” by requiring airline passengers to present identification or be a “selectee,” and by requiring airport security personnel to carry out the policy. The Security Directive also provides a “definitive statement” of TSA’s position by detailing the policy and the procedures by which it must be effectuated (page 1148)"
It later stated that "The identification policy requires that airline passengers either present identification or be subjected to a more extensive search. The more extensive search is similar to searches that we have determined were reasonable and “consistent with a full recognition of appellant’s constitutional right to travel" (page 1155)." The full opinion of the court can be viewed here:

I have flown without any federal photo ID at least 8 times in the past year, on multiple airlines. These have included Northwest, American, Continental and Midwest. On at least three occasions, I have successfully been able to fly without a single piece of identification out of DCA Airport. A number of other US citizens have also done this, and documented their experiences, including Mr Jim Harper, a member of the DHS Privacy Advisory Committee (see:,71115-0.html).

On February 19 2007 at DCA Airport, during the the secondary screening process, I explained to the TSA screeners exactly why I had a "No ID" boarding pass - marked that way by a Northwest check-in agent. I told them that there is no law that requires that passengers present any ID to a government employee in order to fly, and that the only reason I was undergoing secondary screening was due to the fact that I was not showing them any ID. They told me that unless I showed them ID, that they would be forced to call over a law enforcement officer. They also warned me that this could cause me to miss my flight. I said this would not be a problem.

As part of the secondary screening process, I went through a magnetometer and underwent a full pat down by a TSA agent. My carry on bag was thoroughly searched, my prescription medicines examined, and all of my possessions swabbed and then analyzed for chemical/explosive traces. I willingly complied with the secondary screening process. Had I not declined to show ID, I would have been able to go through the security checkpoint in a couple of minutes without any of these additional searches.

It is at this point that we met. You introduced yourself, asked me why I did not wish to show ID, and then told me that I was obligated to show ID, to you. I asked you to confirm that you were compelling me to show ID, and you confirmed this. I again stated my belief that there was no law that required passengers to show ID to government employees in order to fly, but that since you were ordering me to present an ID, I would do so. I asked a TSA staff member to remove my wallet from my bag, who gave it to you. I then asked you to hand me my wallet, which you did. I removed my Virginia drivers license, handed it over to you, and waited.

You then read my drivers license number into your radio, and had a colleague of yours perform some kind of criminal record check on me. After this came up negative, you handed my license over to the TSA employees, who wrote down my personal information for the incident report that they were preparing.

At this point, there were 2 TSA screeners, 2 TSA supervisors in suits, and yourself, an armed police officer. I believe that it was quite reasonable for me to feel intimidated by this large gathering of law enforcement and security officers around me, all of whom were telling me that I was required to show ID. While I was, and still am confident that the law is on my side, I did not feel comfortable enough to risk any kind of major confrontation, and thus complied with your order. I know that it is better to state my objection, obey police orders, and then contest them after the fact.

I ask that you provide me with the following information:

1. What is the specific law or rule which allowed you to compel me to provide ID.

2. If I had not agreed to show you ID, how would you have responded? Would you have stopped me from flying?

3. What if any probable cause or reasonable suspicion did you have to compel me to show you my ID.

4. My boarding pass stated my full name and I introduced myself by full name to you when we met. Please explain the additional requirement that I show ID to you. This would seem to fall far beyond the requirements outlined in Hiibel v. Sixth Judicial District Court of Nevada.

5. Why did you give my drivers license to TSA staff - when the sole reason I submitted myself to the secondary screening process was so that I would not have to identify myself to TSA?

6. What is the specific law or rule which allowed you to give my drivers license, and thus access to my personal information, to the TSA employees - who would then use it to write a report. I had clearly expressed my intent to not show my identity documents to TSA.

I have full respect for the police, and I understand that you have a tough and stressful job. I ask, however, that you please respond to my questions in full.
I also ask that you confirm receipt of this letter, by US mail, within 10 working days.

Thank you,

Christopher Soghoian

Tuesday, February 20, 2007

New TSA Website back online - Now Less Phishy

Both Ryan Singel of Wired News, and Brian Krebs of the Washington Post picked up the story of TSA's extremely amateurish looking website last week.

The website was hosted by a private company, did not use SSL, did not have a OBM form number, and was riddled with typos - sure signs that you shouldn't trust it, and enough reason for some to claim (albeit humorously), that it was a phishing site.. After a few phone calls from members of the press, TSA pulled the website.

The TSA Traveler Identity Verification Program website still tells passengers to download and fill out a .pdf form. However,
just like a shady, perpetual going-out-of-business sale retailer, TSA's website has resurfaced again, only this time, with a new name. It isn't linked to yet from the main site, but can be found via links from

The new website is:

New improvements:

  1. http is redirected to https. Thus, even if their webmasters make future mistakes, and forget to link to the secure website, their webserver will redirect all non-secure content to their secure server. Good move! Try it. Go to and watch as your browser gets redirected to

  2. OBM Control Number. Any collection of personal information by the government is required to include a OBM Control Number. This was absent from their previous website, and as reportedly, from the Microsoft Word file previously available for download. You can view their Paperwork Reduction Act Statement (which includes their OBM #1652-0044) here:

  3. No more word documents! They previously had a MS-word file available for download, if you didn't wish to send your information to their outsourced webserver. Predictably, this ms word file included meta-data on who at TSA had edited the file. They have now shifted to a pdf file.

Problem: It is still outsourced.

Both and are served by akamai distributed proxies, so it's impossible to figure out where they're actually being hosted.

However, someone from TSA visited my website last month, so I do know that TSA's outbound web proxies are: A A A A A

(Note, this is why Tor is useful)

Additonally, (which runs a webserver, albeit not one configured for public viewing) resolves to: A

TSA's new website,, resolves to A

Now, it's quite possible that TSA/DHS own a number of chunks of ip address space. All i'm stating here, is that the ip addresses are known to be owned by TSA/DHS are nowhere near the ip used by the website.

I don't know the ip address of the old website - since it is no longer listed in DNS records. However, resolves to

Furthermore, a traceroute of, and leads me to believe that they're both hosted in the same data-center. I'd be willing to bet a couple Fin Du Monde beers that even with a change of DNS, that desyne is still running and hosting TSA's Traveler Redress Inquiry Program (TRIP) website.

traceroute to (, 30 hops max, 38 byte packets


12 ( 81.561 ms 118.933 ms 84.338 ms
13 ( 82.985 ms 81.489 ms 83.893 ms
14 * * *

traceroute to (, 30 hops max, 38 byte packets


12 ( 84.352 ms 83.722 ms 84.142 ms
13 ( 82.005 ms 82.326 ms 83.552 ms
14 * * *

Problem: It still uses cookies!

As Ryan Singel expertly notes, 2003 White House OBM rules state that government websites should not use cookies: "Particular privacy concerns may be raised when uses of web technology can track the activities of users over time and across different web sites. [...] Because of the unique laws and traditions about government access to citizens' personal information, the presumption should be that "cookies" will not be used at Federal web sites."

Ryan additionally states: If cookies are going to be used, the rules require that the site include "clear and conspicuous notice" of the cookies, that there exists a "a compelling need to gather the data on the site," that there are "appropriate and publicly disclosed privacy safeguards" for cookie information, and that the head of the agency personally approves the cookies.

When I browse to both, and this new unannounced TSA website, I am given a web cookie - "ForeseeLoyalty_MID_8El4YcUdgN".

Admittedly, this is not nearly as big a problem as their un-SSL encrypted webserver. However, I want TSA to have to follow the rules. Especially since they make us follow them, even in cases where they won't actually tell us what the rules are.

The big question is: If TSA is following official US government policy, Kip Hawley, Director of TSA will have signed off on the use of cookies for TSA's website. Did he indeed sign off? Inquiring minds wish to know.

Monday, February 19, 2007

ID rules inna Babylon: A police confrontation at DCA Airport

I have documented (at length) past successful attempts to fly without ID. In particular, on Northwest Airlines, it is possible to fly without ever showing a single piece of ID - whereas Continental, and American have required me to show 'some' form of ID - which included a prepaid credit card and my membership card to the local organic co-op supermarket. All of my previous experiences were based on the technique of claiming that I had forgotten/lost my ID. This was based on my very first experience last year, where a Northwest Airlines supervisor told me that the airline had easy procedures when passengers had lost their ID, and that if I instead tried to assert my right to not show ID, that I would just confuse their staff.

Flying without ID through the claim of a forgotten ID has gotten slightly stale - plus, I don't want to have to misrepresent myself. I would much rather be 100% honest, and tell them that I have an ID in my bag - but do not wish to show ID, and am asserting my rights.

Today, I tried to do just that - with TSA.

I printed out my boarding pass from one of the self-service terminals, told a NWA employee that I had forgotten my ID, and she wrote "No ID" on my boarding pass in a red ink marker without asking a single question. No problem.

I told the rent-a-cop checking ID's that I didn't have one, pointed to my specially marked boarding pass, and she, without batting an eyelid, sent me down the right hand lane at the security checkpoint - which is the one lane that leads to a puffer machine.

I declined to go through the puffer machine... Not a major problem - a supervisor had to come over - and once I told him that I wasn't legally required to go through the machine, he let me opt for a pat down instead.

Once the TSA guys started searching my bags, and wiping swabs against my possessions for chemical analysis - I started chatting with the agents. I told them I was used to the process, and that I habitually fly without any ID. They asked why, and I told them that I was asserting my right to fly without any ID - as documented by the Appeals Court.

It was at this point that things got interesting.

They notified their supervisor, who told me that if I wasn't willing to show them any ID, that they would have to bring in a law enforcement officer. She made it a point to mention that I could miss my flight due to this delay. No problem I said.

A Police Sergeant, Sonya Westbrook, with the Metro. Washington Airports Authority came over to chat. I politely explained that there was no law stating that passengers were obligated to show any ID to fly. I explained that I had happily submitted myself to a vigorous secondary search - which included a pat-down of my person and the hand search of my carry on bags.

Officer Westbrook told me that I had to show her ID. I asked her to confirm that she was compelling me to show my ID, and she agreed, and said that I had to show it.

I read the Hibel case in a privacy law class 2 years ago, and while the Supreme Court didn't do the most fantastic job of answering the question in the case (Court rules that you must tell a police officer your name, but the officer in the case actually asked Mr Hibel for his ID). In any case, the case was close enough to this situation that I pulled out my drivers licence, and showed an ID to Officer Westbrook.

She then called my drivers license number in on her radio, and ran some kind of criminal check against me, after again asserting that the law stated that I had to show ID to fly.

Jim Leonard, the TSA Security Manager at the checkpoint was also present (as well as some other unnamed TSA person in a suit) - who stated that he was filing an incident, and had one of his staff write down my license info, as well as the info from my boarding pass.

After all this was over, they let me board my fight.

This was a pretty unpleasant experience. Everything I have read thus far seems to suggest that you have the right to fly without ID. My past experiences have clearly demonstrated that if you claim to not have ID (something which any would-be terrorist can claim) - one should be able to board a flight without any problems.. However, if one attempts to tell the truth, and assert their rights, one can be met with threats and bullying from law enforcement and TSA.

I'll be writing to Officer Westbrook to ask her to cite the specific law which states that I have to show ID at the airport. I'll be interested to see how she responds.

Friday, February 16, 2007

Communal ziplock bags at airports?

I flew out of Indianapolis on Wednesday evening. The airport was in a complete state of chaos, due to the number of cancelled flights that day and the day before.

While in standing in line to get to the TSA checkpoint, I saw a scary, yet amazing thing:

TSA agent David: Remember, any liquid greater than 3.4 oz must be discarded. All liquids in small bottles must be placed in a ziplock bag.
Concerned female passenger: What about this item? *holds up some kind of liquid in a small bottle*
TSA agent David: It's small enough, but you still need a ziplock bag. Do you have one?
Concerned female passenger: No. *thinks quickly* Can I put it in someone else's bag?
TSA agent David: Sure, just as long as they all fit in a 1 quart ziplock bag.

The concerned female passenger then approached a random stranger standing in the line (who had her ziplock bag out in her hands already), and asked her if it would be ok to put her bottle of liquid in said random passenger's bag..

Not only did this person agree to taking a complete stranger's item through a TSA checkpoint - but the TSA agent, David, watched while it happened and didn't say a word.

Utter insanity!

The TSA checkpoint was pretty crazy once I got through the line. It seems that every passenger who is bumped from one airline to another is automatically given the SSSS treatment. Since US air had cancelled my flight, and had instead put me on a flight run by another airline, I was stuck in the back of the SSSS line that was about 10 people deep - including at least 4 passengers under the age of 7.

While killing the time, I looked over to my left, and saw a man in a blazer and suit pants helping out at the checkpoint. I peered at his badge, and made out the name: David Kane. The federal security director, the guy who signed the letter notifying me of my investigation, was actually helping out on the floor. Things were so crazy there it seems, that the suits from the office were drafted to come and help out.

When I got to the puffer machine - as usual, I declined to go through. I often get told in Indianapolis that I must go through the machine. I had them ask Mr Kane - who after coming over to verify my request, confirmed that I indeed have the right to go through security without submitting to the puffer machine.

Now if only I could get that in writing....

Tuesday, February 13, 2007

TSA has outsourced the TSA Traveler Identity Verification Program?

Feb 20 2007 Update: TSA took the site down, and has put it back up again. They've fixed a few of the problems, but the website is still outsourced, and still uses cookies (a violation of federal policy). See more here

Browsing TSA's website this evening, I came across a link to the new TSA Traveler Identity Verification Program.

"The TSA Traveler Identity Verification Program is designed to assist those airline passengers who have been delayed or prevented from traveling as a result of TSA's security measures."

The site is specifically aimed at passengers who have suffered from any of the following problems:

* Unable to print Boarding Pass at Kiosk/Home
* Directed to Ticket Counter every time I fly.
* Ticket Agent states that I am on a Federal Government Watch List
* Missed flight while attempting to obtain boarding pass

You can submit a handy-dandy form online to register your request/complaint.

Two things immediately jump out at me.

1. You are required to enter sensitive information from three of the following forms of identification:

A non-U.S. Passport, Voter Registration Card, Immigrant Visa, Driver's License, Birth Certificate, Government Identification Card, Naturalization Card, Military Identification Card, Certificate of Citizenship, DD Form 214.

These are very sensitive bits of info. A drivers licence number in particular, is often used by banks (due to Patriot Act provisions) to authenticate you when you open an account.

Worst of all - the form you submit doesn't go over an SSL connection! It goes plaintext over the wire. Heaven forbid you do this from an airport starbucks after being denied boarding, as anyone could sniff your info.

The relevant bit of code in question: form method=POST action=/pivf.htm

Now, they do at least have a ssl webserver running at But they're using a self-signed cert.

Update: I want to make it clear. I've only tested this by pressing submit on an empty form, and by viewing the source code to the form. To tell for sure, I'd have to submit a request to TSA - with bogus data.. and my now finely tuned "will TSA investigate me for this" radar tells me that submitting false information to an official government request form is a bad bad idea.

I searched the source for the words "https" - nothing.
I also found the 'form method' section, where it describes how the form is submitted.
It's quite possible that the creators of the website have created some kind of url-rewriting javascript sneaky tricks - although Occam's Razor leads me to believe that a simple mistake on a web designer's part is far more likely....

2. Unlike the rest of the TSA website, this is served from a different domain:

Which means that a private company is running this site...

The whois database shows as follows:

Administrative Contact, Technical Contact:
Desyne, Inc. dns@DESYNE.COM
Desyne Web Services, Inc.
PO Box 143
Boston, VA 22713
(703) 391-2400 fax: (703) 391-2550

Record expires on 21-Mar-2015.
Record created on 20-Mar-1996.
Database last updated on 13-Feb-2007 21:32:10 EST.

This begs the question: Who are these guys, why don't they know how to use SSL and how were they awarded this sweet contract?

Why can't TSA do a simple form submission themselves?

Digging up dirt on the International Intellectual Property Institute

One of my colleagues in my Copyright Law class today asked me if I knew anything about the International Intellectual Property Institute (IIPI). I had no idea.

A quick bit of googling, and I was able to discover quite a bit

From their own website "The International Intellectual Property Institute (IIPI) is a not-for-profit 501(c)(3) corporation located in Washington, DC. As an international development organization and think tank, IIPI is dedicated to increasing awareness and understanding of the use of intellectual property as a tool for economic growth, particularly in developing countries."

They've held seminars in IP Enforcement, as it relates to 'piracy' - and in general, most of the content on their website is very pro-industry. I assume that this is some kind of astro-turf group propped up by the major IP stakes holders.


I was able to pull up their IRS 990 filing from 2004. In that year, from a total budget of 1.1 million dollars, they received $2k short of 3/4 of a million dollars in "government grants".

Call me naive, but why is the US government giving nearly a million dollars in grant money to a totally pro-industry lobby group? Can't the RIAA and MPAA fund these guys out of petty cash?

Wednesday, February 07, 2007

Un-SAFE Behavior


Source code pulled until I chat with a couple legal minds. It's only 15 lines of perl, so it's not too tricky to create.


DISCLAIMER: I do not support child porn. I think it's sick, twisted, and should not be tolerated in our society.

However, I think that government surveilance and censorship are even more evil. I do not want to make life easier for child pornographers - but the threat of feature creep in anti-child porn systems is far too dangerous. One day it targets child porn, the next week it targets images of Mohammad (P.B.U.H.), and the week after, copies of the Anarchist Cookbook. No thank you.


Declan reports that Senators McCain and Schumer have proposed the SAFE act, which would create a national database of child porn images - or I'm guessing, simply require that the FBI make their own database public. ISPs would be given access to this database, and would be required to screen traffic and alert the authorities of any user who transmits/hosts an image that matches a fingerprint in this database.

For obvious reasons, they aren't going to give ISPs access to an actual database containing child porn. Thus, they're most likely going to give them a list of hashes of known child porn. The ISP's will then have to compare all sent/received attachments in emails and hosted files to this database of hashes. If they get a positive match, the ISP will be required to tell the G-Men.

I'm against this kind of thing for so many reasons. I don't want my ISP monitoring the traffic that passes through their network. I don't transmit any child porn, but this sets a very bad precident. Once the infrastructure is in place for them to compare hashes of child porn, it won't be too difficult for them to start comparing hashes of music, copies of dissident literature, photographs of dead soldiers in Iraq, anti-Scientology documentation, or anything else that someone with their hand in a Senator's pocket doesn't like.

Moreover, this law would also covers obscene images of minors including ones in a "drawing, cartoon, sculpture, or painting." (The language warns that it is not necessary "that the minor depicted actually exist.") This is not a good thing.

Lets get technical now...

MD5/SHA1 hashes are a very very bad way to compare images. If one single pixel in the image changes, the fingerprint completely changes.

There are significantly better methods to compare images to see if they are the same - which can withstand resizing, any number of slight modifications in Photoshop, or the modification of a few pixels - the problem with these, is that they are slow. If an ISP is going to run a comparison against every image that crosses its network, it needs to be super fast - which is why they'll probably end up using MD5/SHA1.

To combat against this evil intrusion into our private Internet behavior, I now introduce 'broken glass'. Apologies for the shoddiness of my code. This has been whipped up in a few minutes.

It is a perl script that when given an image file, will change 1 pixel's red component by +/- 1. It's not enough for the human eye to see, but it will make the MD5/SHA1 hash fingerprint of the image be completely different.

The perl script can be downloaded: *Removed*

It was developed on a Linux Ubuntu system. You may need to install imlib's perl bindings. On ubuntu, this can be done by issuing the following command:

apt-get install libimage-imlib2-perl

Just in case my server falls over, I'm including the relatively short source code here too:


# Chris Soghoian
# Feb 7, 2007.
# Licenced under the GPL. Find it via Google.

# Broken glass
# v. 0.1
# Modify a one pixel of an image by +/- 1 of its R (of RGB values).
# This will break any MD5/SHA1 comparison of images.


The Law Is Not A Machine

I have a number of projects I'm working on right now. Given that I'm taking two law classes - most of my ideas at least involve the law in some way.

I've had two conversations in the past few days - where I have sought advice from super intelligent and seriously kickass legal experts - and both of them have ended with me receiving a sharply worded (yet friendly) warning:

The law is not a machine. You cannot find a loophole in it in the same way that you would with a computer algorithm. The law is pliable, and if a judge wants to rule against you - he'll find a way.

As plain and simple as this may be, I'm still struggling to get my head around it.

I remember as a high school senior being amazed by the EFF's trickery regarding the Deep Crack machine. Since it was illegal to export the source code to this machine, they simply had it printed as a book - where it was transformed from code to speech - sent over to Europe, and then run through OCR scanners to turn it back into usable computer code. This single event was deeply inspirational, and got me thinking, way back then, that perhaps the law could be abused in the same way as the bugs and holes I was (ab)using in online games.

Clearly, there are loopholes to find - but the act of finding them is far more dangerous than in computer security. When you fail online, you get locked out of the service you want to analyze. When you fail with the law, you go to jail...

These are truly dangerous, yet interesting times.

Sunday, February 04, 2007

Plausible Deniability via 2 wifi-routers?

I like the idea of having an open wifi access point in my house. It makes me feel warm and fuzzy to know that people can use my excess bandwidth - something I've paid for, but am not really using.

However, there are a few major problems with simply leaving your access point unlocked.

1. Security - Anyone sitting outside your house instantly has a way of bypassing your firewall and getting access to your local network. This makes it much easier for you to get hacked.

2. Privacy - Anyone sitting outside your house can sniff your wifi network, and see the packets flying back and forth between your laptop in the living room, and the access point. Given that not all internet traffic is encrypted, this is a bad bad thing (do you really want someone to know which google queries you're submitting)?

3. Network Speed - While you may be happy to let your excess bandwidth get used by the folks next door - do you really want those dirty hippy freeloaders to get priority on your network, or at the least, do you want to have to compete with their downloads?

Which is why I now have 2 wifi routers.

I have a Buffalo 54G router which runs dd-wrt, a neato linux based customizable router, which runs an encrypted wifi network - this is the network that my own laptop and various wireless devices connect to. This device runs as the main router for the house, does all traffic shaping, firewalling, etc.

I have another el-cheapo wifi router plugged into the buffalo. This no-name router is left open, unlocked, and advertises itself as "Anarchy Free Wireless".

The linux-wifi router allows me to set a virtual vlan, so that the el-cheapo router doesn't get to see my internal network. Traffic from the no-name router is sent directly to the Internet connection. Do not pass go, do not collect 200 dollars.

On top of all of this, I have Quality of Service set on the linux router, so that the freeloaders across the street get the dregs of my Internet connection. Whatever I have left over, they can use - but if I need it, I get priority. This is exactly how it should be.

There were a few reasons I wanted to set this up - at the least, I shouldn't have to reveal my wifi password to friends that come over for a cup of coffee. Just because you want to check your email from my living room, it doesn't mean you should be able to later port-scan my home network from the comfort of your car.

But best of all - I now have quasi plausible deniability. For sure, this hasn't been proven in court yet, but it at least puts me on better ground than if my network were locked. If the G-Men ever show up at my house again (assuming it's for something that I didn't actually attach my name to, unlike last time), I can quite reasonably claim that it wasn't me, and that it must have been one of the hippy art students across the street.

Plus, in theory, I might be able to qualify as a common carrier under the DMCA. Given that I don't keep any logs at all on my wifi routers, I have absolutely no way of knowing who is using my open network - and just like a Tor exit node, I may be able to ignore DMCA threats - or at least explain that it wasn't me, and that I don't know who it was.

Saturday, February 03, 2007

Avoiding the NSA through gmail

I've been thinking a fair bit about the EFF's lawsuit against AT&T. According to court papers and press reports, AT&T is giving the NSA a direct network tap at multiple locations around the country, giving the US government access to all unencrypted email/IM conversations and web traffic that flow through AT&T's network. It's probably fair to assume that a few other backbone providers are also doing the same thing.

Consider the following situation:

Alice sends an email from her home computer (connected via Verizon DSL Connection) to her friend Bob, who checks his email from his desktop computer at work. Alice uses Hotmail, and Bob uses his company's email servers.

Alice's web connection to hotmail will most likely flow across AT&T's backbone, and if it doesn't, it'll cross one of the other Big Boys, like Level 3. Once Alice has created her email, it'll flow from Microsoft's email servers to Bob's employer's email server - unencrypted, again, probably over one of the major backbones, until it reaches Bob's desk.

There will be at least a couple chances for the NSA to sniff this.

What if Alice sends an email to her pal Charlie, who also uses hotmail?

Well, again, the spooks will have a chance to watch Alice construct the email, and then will be able to see Charlie login to hotmail and read it. Key to note here, is that since the email stays within Hotmail's network, it never has to flow across the Internet to go from Alice to Charlie.

Which brings me to the subject of gmail.

Google is nice enough to allow SSL encrypted sessions. Whereas Yahoo and Hotmail merely allow you to login via SSL (just to stop a passive network sniffer learning your email password), google allows the entire session to remain encrypted. Thus, any interaction between a user at their home computer, and Google's gmail servers remains secret, providing the user changes the url to be https://

Let us now consider a situation where Alice and Charlie each have gmail accounts, and each login via ssl. Alice's connection to google is encrypted, the email flows from one gmail user to another, so it never leaves google's network as it is transmitted from Alice's outbox to Charlie's inbox, and then Charlie's connection to Google is SSL encrypted, so the contents of his email is not revealed to anyone watching his packets cross the backbone.

Right now, very few of gmail's users are using SSL. It us turned off by default (mainly for performance reasons, I'm guessing. 10 million users all requiring an SSL handshake is expensive in processing power).

As gmail's user base grows, and if their users can be convinced to embrace SSL, the NSA's wholesale data slurping from the backbone will increasingly become less useful.

"If we all use encrypted email (PGP/GPG), we won't have this problem" - this is the very true. However, I cannot convince my less technically savvy friends/relatives to use PGP. It has far too many usability problems - still.

However, most of my friends already use gmail - due to the way accounts were given out in the early days, gmail has a very geeky user base. All I need to do now, is to convince them to use SSL... Which is where the Customize Google firefox extension comes in useful.

Customize Google is mainly used to screen out google's advertising - both in gmail, and in the "ads by goooogle" that you see everywhere on the web. I typically install this on the computers of most of my less tech savvy friends. In addition to blocking out ads, Customize Google also turns on SSL for all gmail/google calendar sessions, without requiring that the user do any fiddling themselves. Problem solved!

Small Print:

This only stops the massive sniffing of data currently done by the US government of backbone traffic. This in no way protects you from the feds asking Google for the contents of your email - either by presenting a warrant, or more likely (since it doesn't involve asking a judge), a national security letter. I have good reason to believe that the FBI did this to me - but that's beside the point. This at least requires them to know who you are, and to be interested in you - whereas under the current NSA sniffing scheme, they can watch all email flow by, and analyze it without knowing who they're interested in spying on.


Much respect to the the reporters committee for freedom of the press for their kickass FOIA letter generator .

FOIA/PA Mail Referral Unit
Department of Justice
Room 114, LOC
Washington, DC 20530-0001

Dear FOI Officer:

Pursuant to the federal Freedom of Information Act, 5 U.S.C. § 552, I request access to and copies of Any and all documents (including but not limited to) memos, electronic mail, presentations, briefings, meeting notes, guidelines and policies relating to "Tor", "onion routing", "onion router", and "anonymous/anonymizing proxy/proxies" . I am interested in anything that matches this description between the dates 01/01/2002 and 02/01/2007.


Transportation Security Administration
TSA-20, West Tower
FOIA Division
601 South 12th Street
Arlington, VA 22202-4220

Dear FOI Officer:

Pursuant to the federal Freedom of Information Act, 5 U.S.C. § 552, I request access to and copies of All documents including but not limited to) memos, electronic mail, presentations, briefings, meeting notes, guidelines and policies relating to the storage and or data deletion policies for the data from chemical/explosive analysis of passengers, passengers bags, items and personal possessions. In particular, I am requesting information on how long TSA keeps the data generated by the machines that perform the explosive residue analysis on the swabs that TSA agents wipe on passenger's bags/objects. I am also requesting information on how long data is kept from the "puffer" machines used by TSA (these are typically made by either GE or Smiths), which shoot air at passengers and then analyze the particles that are dislodged. In addition to this data, I also request any and all information relating to how the information is matched or associated to specific passengers, in what format, and held in what databases, if it is at all. The scope of this request is for all information matching this description between the dates of 01/01/2003 and 02/01/2007.

Friday, February 02, 2007

Tor: Lies or Ignorance?

I went to a symposium on Search and Seizure in the digital age at Stanford last week.

One topic that kept popping up was the so called "Creepiness Factor" of various surveillance technologies. Just like the 'ol government standard for obscenity, we can't quite define creepy surveillance, but we know it when we see it.

One of the last speakers of the day was an Assistant US Attorney - based in Silicon Valley, and who focused on cyber crimes. I'm fairly sure that his name was Matthew Lamberti. Fairly early into his talk, it was plainly obvious that his opinions did not mesh too well with the rest of the room - at least after he quite proudly announced that he didn't think it was in any way creepy to go through someone's trash. Facial expressions around the room quickly changed.

After his talk was over, I walked up to him, introduced myself, and asked him what he thought of Tor.

(I'm paraphrasing here)

"What's that", he asked.

I explained that it was an anonymity preserving system that enabled hundreds of thousands of Internet users to browse the web and communicate anonymously.

He replied that he wasn't familiar with the technology, so he really couldn't answer my question.


Back in November, when I met with the Cybercrime specializing Assistant US Attorney in Indianpolis, his eyes lit up at the mere mention of Tor, and he proceeded to give me a long lecture on the evils of the technology, and how Indiana University has no business doing anything that even comes close to anonymity-promoting research.

I find it shocking, yet amazing that an Assistant US Attorney who works out of the San Jose DoJ office - who prosecutes Internet/IP crime cases all the time - in possibly the most high-tech areas in the country, and who has never heard of Tor.

Are the Indianapolis DoJ more Internet Savvy than those in Silicon Valley? Did I catch Mr Lamberti on an off day, or what?

And that's where my latest FOIA request will come in handy ;-)

No ID on United: Piece of Cake

A trusted friend of mine flew out of San Francisco on a domestic United Airlines flight yesterday.

He realized earlier in the day that he had forgotten his wallet, and emailed me for advice/info. I sent him a pointer to the Appeals Court ruling in Gilmore vs. Gonzales, as well as a few news articles that tell you what to say at the airport.

He said he didn't have a single problem. The United check-in employee didn't bat an eyelid when he was told that my pal didn't have a single piece of ID. The employee typed in a few keystrokes on his computer, and out came a special SSSS boarding pass.

Likewise, at the TSA checkpoint, the person checking his pass shouted "secondary" and then let him bypass the entire security line. He was also able to successfully (and without any pushback from TSA) decline to go through the evil puffer machine, and instead opt for a hand pat down.

Total time to go through security: Less than 10 mins.
The knowledge that you were able to fly without presenting your papers: Priceless.