follow me on Twitter

    Saturday, November 8, 2008

    Altering Airline Boarding Passes—Schneier and Soghoian

    One of the conversations we had at the November 2600 meeting was about Bruce Schneier’s alteration of airline boarding passes and using one to get through a TSA checkpoint. Schneier admits that it is illegal, and if done, there is a possibility of arrest. (Note: If you’re reading this and considering doing it, remember that you are not Bruce Schneier. I don’t truly think that the Feds would arrest him, but they would arrest you.)

    At the meeting, we were discussing what those illegalities might be. To do so, we considered how fraud is different from a hoax or forgery. In short, fraud is where deception is used to unlawfully take property (usually money) or services from another. What about those theories applied to altering a boarding pass? Go to the link to see an altered boarding pass used by Jeffrey Goldberg—he even upgraded himself to 1st class for priority boarding. New York Senator Schumer was nervous about this exact scenario when he offered a bill that would treat these “federal criminals” named “Joe Terror” like a “…19 year old who makes a fake ID to buy a 6 pack of beer.” (Hhmm...Joe Terror sounds a lot like Joe Six Pack.)

    Not a "Joe Terror," or "Joe Six Pack," a PhD student named Chris Soghoian wrote a program accessible through is website that would generate a fake boarding pass. What happened is discussed in his blog: in short, the glass on his front door was smashed by the FBI, his computer equipment taken, and a search warrant (issued at 2 AM) was taped to his kitchen table. But how does the law address altering boarding passes? Consider this section of federal law addressing the falsification of airline tickets or boarding documents (highlighted for emphasis):

    From DHS Code Title 49, Volume 8; October 1, 2004 rev. [Page 302]:




    Part 1540.5 -- Terms used in this subchapter.
    §1540.5 Sterile area means a portion of an airport defined in the airport security program that provides passengers access to boarding aircraft and to which the access generally is controlled by TSA, or by an aircraft operator under part 1544 of this chapter or a foreign air carrier under part 1546 of this chapter, through the screening of persons and property.

    Subpart B_Responsibilities of Passengers and Other Individuals and

    Sec. 1540.103 Fraud and intentional falsification of records.

    No person may make, or cause to be made, any of the following:

    (a) Any fraudulent or intentionally false statement in any
    application for any security program, access medium, or identification
    medium, or any amendment thereto, under this subchapter.

    (b) Any fraudulent or intentionally false entry in any record or
    report that is kept, made, or used to show compliance with this
    subchapter, or exercise any privileges under this subchapter.

    (c) Any reproduction or alteration, for fraudulent purpose, of any
    report, record, security program, access medium, or identification
    medium issued under this subchapter.

    Below is something under the USC that is applicable to altering a document regarding a “matter within the jurisdiction of executive, legislative, or judicial branch of the Government":

    United States Code
    Title 18. Crimes and Criminal Procedure
    Part I.
    Chapter 47. Fraud and False Statements

    47 U.S.C. § 1001
    a) Except as otherwise provided in this section, whoever, in any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States, knowingly and willfully--
    (1) falsifies, conceals, or covers up by any trick, scheme, or device a material fact;
    (2) makes any materially false, fictitious, or fraudulent statement or representation; or
    (3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry;

    shall be fined under this title or imprisoned not more than 5 years, or both.

    Although these codes would answer our question about Bruce Schneier’s experiment with altered boarding passes, they do not exactly cover Chris Soghoian with his website that created boarding passes. Most people who saw it when it was up (I did), thought it was a parody. Here’s what Chris recently said about that experience: “In 2006, the FBI investigated me for some of my research into boarding pass security. While no charges were ever filed, it's reasonable to state that I have little affection for the DOJ computer crimes section.”

    In summary, altering boarding passes—for fraudulent purposes or not-- is covered under these statutes. Beware if you’re not Bruce Schneier. And if you are Bruce Schneier or Chris Soghogian, thank you for your security research and for potentially, “taking a hit for the team."

    No comments: