[IP] more on Web Site Lets Anyone Create Fake Boarding Passes
I don't condemn the actions of people, like Avi, who break systems
that are "unbreakable" but I do seriously question the ethics and
maturity of someone who demonstrates what is well understood just for
the sake of it all.
It is hard enough to travel with the Kabuki theater that passes for
security. I don't want to add the knee-jerk reaction of banning
computer boarding passes which serve little or no use at the TSA
checkpoints anyway.
I strongly suggest we require a course in common sense and
professional ethics for undergrads and graduate students. I have seen
enough bad judgement calls to suggest it would be worthwhile (none
from my students (that I know of)).
Dave
Begin forwarded message:
From: Patrick Sinz <ps@xxxxxxxxxx>
Date: October 29, 2006 4:11:00 AM EST
To: dave@xxxxxxxxxx
Subject: Re: [IP] Web Site Lets Anyone Create Fake Boarding Passes
Hi,
My first reaction is very similar to yours, making this web site does
not show any particular IT security prowess, and is a sure way to stir
up trouble.
Then my second reaction was to check again the fine article and look up
the student's field.
So he is not a political science student trying to evaluate government,
private authorities and public response to a perceived security threat.
So he deserved to be yelled at.
On the other hand IT security is not just about good crypto, but also
processes, ethics and all this kind of social sciences ("soft skills" in
corporateese :-)).
So what was the "build up of the experiment"? (if there was one).
IMHO the student should have sent a letter to the airline, then to the
supervision authority, then to a consumer organisation, and when all
these actions fail to have any positive result, or to explain why this
is a non-issue: set up his site.
Flatly condemning his actions would lead to a situation where any
security related dysfunction should be hidden in order to avoid "bad
things to happen".
So to somewhat caricature the situation: if you are working on a
post-grad on hospital management and you notice that a large hospital
chain is feeding junk to heart patients you should keep silent because
revealing this publicly might get heart patients to worry and get a
heart attack. duh!
Best Regards
[ps]
On Saturday, 28 October 2006 at 16:03 -0400, David Farber wrote:
This grad student would be an ex grad student if I were there or at
least a very very yelled at one. To do what was done is not research
-- in fact it is not hard and everyone knows the weakness so "just
pointing it out" is no excuse.
Then again maybe it is the Universities' job to talk about ethics
Dave
Begin forwarded message:
From: EEkid@xxxxxxx
Date: October 28, 2006 3:08:20 PM EDT
To: dave@xxxxxxxxxx
Subject: Web Site Lets Anyone Create Fake Boarding Passes
http://articles.news.aol.com/news/_a/web-site-lets-anyone-create-fake/20061027231809990001?ncid=NWS00010000000001
Web Site Lets Anyone Create Fake Boarding Passes
Student Says Site's Meant to Show Loopholes, Feds Don't See It That
Way
By JONATHAN SILVERSTEIN, ABCNews.com
(Oct. 28) - A 24-year-old computer security student working on his
doctorate at Indiana University Bloomington has created a Web site
that allows anyone with an Internet connection and a printer to
create and print fake boarding passes for Northwest Airlines flights.
The passes look virtually identical to the ones printed from the
airline's site, and are intended to get you past security -- but not
onto an airplane.
By entering your name and plugging in information about the flight --
flight number, gate, seat number, departing city, destination,
departure, and arrival times and class -- the site generates a
boarding pass the program's creator says will get you past security
checkpoints, even without ID.
Christopher Soghoian, creator of "The Northwest Airlines Boarding
Pass Generator," knew he would be opening up a can of worms by
writing the program and creating the site, but says it's the only way
to show people how deeply flawed airport and airline security are.
<snip>
-------------------------------------
You are subscribed as ps@xxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/