Update: Ed Markey put out a press release today softening his stance on this. Congressman Markey, While I'm not one of your constituents, your statements and actions often have an impact that reaches beyond your district. Yesterday you were quoted in several news media outlets as having called for the arrest of Christopher Soghoian, a PHD candidate at the University of Indiana Bloomington, because he created a web page that generates phoney airline boarding passes. As you are likely aware, your call was answered by the FBI who reportedly broke into Soghoian's house last night and seized all of his computer equipment. I am a professional computer security researcher. I work for one of the worlds largest IT companies. My job involves finding vulnerabilities in software systems and getting them fixed. Responsible vendors are usually very responsive and willing to work with my team when we contact them with information about problems with their products. Through this process we are able to locate and repair vulnerabilities in IT infrastructure before the bad guys can find them and exploit them. However, there are always a few unsophisticated people who seek to shoot the messenger instead of dealing with the flaw. Christopher Soghoian is one of the good guys. He is not a criminal and he is not enabling criminals. He did not create the vulnerability in the boarding pass screening process. This problem has existed for years, and it has been noted in other quarters, most recently by Sen. Chuck Schumer. However, the problem hasn't been fixed. Soghoian's website was intended to demonstrate how simple this is, and he has clearly and repeatedly stated that his intent in creating the site was to raise awareness about the problem so that it will be fixed. His website does not make this much easier than standard desktop publishing software available on anyone's personal computer. Your call for his arrest, and the subsiquent events that have unfolded over the past 24 hours, have done serious harm to the national security of the United States. You could have simply contacted him, informed him of the legal problems that one could face for operating such a website, and discussed shutting it down. By choosing instead to prosecute him you are sending a message to security professionals in this country that if you observe a problem with national security policies or practices and make people aware of those problems in good faith so that they might be fixed, the government will treat you as an enemy and will prosecute you if possible. The inevitable result will be that people will hold their tongues, and problems will persist until they are discovered by someone who has malicious intent. I strongly urge you to reconsider your position on this matter. The current course of action is not in the best interests of this country. Respectfully, Tom Cross |