Update: Ed Markey put out a press release today taking a more reasonable stance on this.

Congressman Markey,

While I'm not one of your constituents, your statements and actions often have an impact that reaches beyond your district. Yesterday you were quoted in several news media outlets as having called for the arrest of Christopher Soghoian, a PHD candidate at the University of Indiana Bloomington, because he created a web page that generates phoney airline boarding passes. As you are likely aware, your call was answered by the FBI who reportedly broke into Soghoian's house last night and seized all of his computer equipment.

I am a professional computer security researcher. I work for one of the worlds largest IT companies. My job involves finding vulnerabilities in software systems and getting them fixed. Responsible vendors are usually very responsive and willing to work with my team when we contact them with information about problems with their products. Through this process we are able to locate and repair vulnerabilities in IT infrastructure before the bad guys can find them and exploit them. However, there are always a few unsophisticated people who seek to shoot the messenger instead of dealing with the flaw.

Christopher Soghoian is one of the good guys. He is not a criminal and he is not enabling criminals. He did not create the vulnerability in the boarding pass screening process. This problem has existed for years, and it has been noted in other quarters, most recently by Sen. Chuck Schumer. However, the problem hasn't been fixed. Soghoian's website was intended to demonstrate how simple this is, and he has clearly and repeatedly stated that his intent in creating the site was to raise awareness about the problem so that it will be fixed. His website does not make this much easier than standard desktop publishing software available on anyone's personal computer.

Your call for his arrest, and the subsiquent events that have unfolded over the past 24 hours, have done serious harm to the national security of the United States. You could have simply contacted him, informed him of the legal problems that one could face for operating such a website, and discussed shutting it down. By choosing instead to prosecute him you are sending a message to security professionals in this country that if you observe a problem with national security policies or practices and make people aware of those problems in good faith so that they might be fixed, the government will treat you as an enemy and will prosecute you if possible. The inevitable result will be that people will hold their tongues, and problems will persist until they are discovered by someone who has malicious intent.

I strongly urge you to reconsider your position on this matter. The current course of action is not in the best interests of this country.

Respectfully,
Tom Cross

Tom Cross's Letter to Ed Markey

Being strong on security means exposing a problem and addressing it, not covering it up by punishing the messenger.

"The nail that sticks up gets hammered down." It's one of those phrases that embodies a principle that means different things in different situations, to different people. When a person exposes a problem, is the problem the problem, or is the person the problem? I believe that people of knowledge and ability are our greatest assets.

I think this is directly relevant to what we see unfolding before our eyes right now. On one hand, I have massive respect for the law enforcement agencies that tackle security problems. On the other, I fear their potential to be reactionary rather than mindful of purpose.

If we are to achieve real security, we can not simply opt for the path of least resistance. We must tackle problems rather than brush them under the rug, where they still exist, and can be found by others. As many on this system can attest, exposing security problems is like donning a big target; few are happy to see the messenger.

The manor in which information about a vital problem is exposed must be done ethically, but it is important to remember that ethical (or responsible) disclosure is an area that has no clear black and white distinctions. Many of the gray areas are defined by the means of the messenger. Do not lose sight of the big picture.

"The Bush Administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane."

Shoot the messenger! Shoot the messenger! For the love of god won't somebody PLEASE shoot that messenger!?

Update: This story is developing fast. According to a security researcher (who is maintaining their anonymity), Christopher Soghoian has been approached by the FBI. He has not been heard from since claiming that the FBI was at his door during a conversation with the unnamed researcher. The FBI is denying that he is under arrest, however the page with the boarding pass generator went down shortly thereafter. The rest of his website is still up and his IM account are both still online.

More information can be found on the Wired blog and BoingBoing.

Update2: Here is another quote from the Wired article linked:

In reality, the "loophole" is nothing new. Security expert Bruce Schneier wrote about it in 2003, and the online magazine Slate covered it as major news in 2005. Soghoian points out that Sen. Chuck Schumer (D-New York) publicized the same security hole in April 2006. "Perhaps Sen. Schumer will end up being my cellmate," Soghoian said.

Update3: Chris has been raided by the FBI and many of his possessions have been seized.

Ed Markey advocates shooting the messenger

When talking about web hacks that effect brokerages, Acidius is not kidding, exaggerating, or being alarmist.

Brokerages lose $22M to hackers in three months

Fifty or so other Republican candidates have also been made targets in a sophisticated “Google bombing” campaign intended to game the search engine’s ranking algorithms. By flooding the Web with references to the candidates and repeatedly cross-linking to specific articles and sites on the Web, it is possible to take advantage of Google’s formula and force those articles to the top of the list of search results.

The project was originally aimed at 70 Republican candidates but was scaled back to roughly 50 because Chris Bowers, who conceived it, thought some of the negative articles too partisan.

The articles to be used “had to come from news sources that would be widely trusted in the given district,” said Mr. Bowers, a contributor at MyDD.com (Direct Democracy), a liberal group blog. “We wanted actual news reports so it would be clear that we weren’t making anything up.”

Each name is associated with one article. Those articles are embedded in hyperlinks that are now being distributed widely among the left-leaning blogosphere. In an entry at MyDD.com this week, Mr. Bowers said: “When you discuss any of these races in the future, please, use the same embedded hyperlink when reprinting the Republican’s name. Then, I suppose, we will see what happens.”

The popular news page on Technorati indicates that enough blogs are participating in this to make the target stories some of the most widely linked in the blogosphere right now.

File this under information warfare case studies... I made the prediction awhile back that we would see a rise in politically motivated Google Bombing at key times.

Update: Chris Bowers, the organizer of the google bomb, has posted a statement for the press.

A New Campaign Tactic: Manipulating Google Data - New York Times

HOST: I’m curious, have you ever googled anybody? Do you use Google?

BUSH: Occasionally. One of the things I’ve used on the Google is to pull up maps. It’s very interesting to see — I’ve forgot the name of the program — but you get the satellite, and you can — like, I kinda like to look at the ranch. It remind me of where I wanna be sometimes.

The folks who run the Google Earth must be so proud.

Bush uses “the Google”

Revealing more about himself than he ever has, Garry Trudeau gives us tantalizing clues about what's behind his venerable comic strip's recent burst of genius, and pain.

As noteworthy might put it, this is a gold star article. Read the whole thing. It's a rare insight into the world of Garry Trudeau, who is nothing short of a pop-culture hero of mine. It's rare there is anything written about Trudeau that isn't an op-ed either complaining or cheering about this work.

Doonesbury's War - washingtonpost.com

A press release issued by the state-run Korean Central News Agency Monday confirmed that the Oct. 9 underground nuclear test in North Korea's Yanggang province successfully exploded the communist nation's total gross domestic product for the past four decades.

"This is a grand day for the Democratic Peoples Republic Of Korea, whose citizens have sacrificed their wages, their food, and their lives so that our great nation could test a nuclear weapon thousands of feet beneath our own soil," read an excerpt from the statement. "Now the rest of the world must stand up and take notice that the DPRK, too, is capable of decimating years of its wealth at any given moment."

North Korea's announcement would appear to support the CIA's intelligence information on the blast. According to the CIA, over 500 tons of compressed purchasing power, the equivalent of 40 years of goods and services produced by the impoverished country, vaporized in 560 billionths of one second. The device consumed 15 years of peasant wages' worth of uranium, two decades of agricultural- and fishery-export profits' worth for its above-ground emplacement tower, and the lifetime earnings of the entire workforce of the Kilchu fish-canning factory for tungsten/carbide-steel bomb casings.

"A nuclear device that size explodes with the force of 10 to 15 tons of TNT, or a moderately sized economic boom," said Ronald Shimokawa, a physicist at Los Alamos National Laboratory. "The detonation most likely sent the burning, liquified remains of North Korea's economy deep into the Earth's core."

Sheer brilliance.

North Korea Detonates 40 Years Of GDP | The Onion

A hacker known for cracking the copy-protection technology in DVDs claims to have unlocked the playback restrictions of Apple Computer Inc.'s iPod and iTunes music products and plans to license his code to others.

The move by Jon Lech Johansen, also known as "DVD Jon," could pit the 22-year-old against Apple's lawyers, experts say, but if successful could free users from some restrictions Apple and its rivals place on digital music.

Today, songs purchased from Apple's online iTunes Music Store can't be played on portable devices made by other companies. Songs purchased from many other online music stores also won't work on iPods because they similarly use a form of copy-protection that Apple doesn't support.

Johansen said he has developed a way to get around those restrictions. But unlike his previous work, which he usually posts for free, the Norway native plans to capitalize on his efforts through his Redwood Shores-based DoubleTwist Ventures, said the company's only other employee, managing director Monique Farantzos.

"There's a certain amount of trouble that Apple can give us, but not enough to stop this," Farantzos said Tuesday. "We believe we're on good legal ground, and our attorneys have given us the green light on this."

Fred von Lohmann, a staff attorney at the privacy-advocacy group, Electronic Frontier Foundation, said Johansen is treading carefully this time, consulting with lawyers, but isn't necessarily cleared from a legal fight over copy-protection laws.

"There is a lot of untested legal ground surrounding reverse engineering," he said.

I was talking about this with someone after my talk at PhreakNIC... Watching this play out is going to be interesting. Let the fireworks begin.

Hacker claims to have cracked iPod restrictions - CNN.com

Rock 'n' roll legend Elvis Presley ceded his crown to Nirvana lead singer Kurt Cobain on Forbes.com's list as the top-earning dead celebrity.

The list, published on Tuesday, said grunge rocker Cobain earned $50 million between October 2005 and October 2006. Presley wound up in the No. 2 slot with $42 million, down from last year's $45 million.

Forbes.com bases its dollar amounts on licensing deals for using the deceased celebrities' work or image in advertising or elsewhere.

Rounding out the top five were Beatle John Lennon at $24 million and groundbreaking physicist Albert Einstein at $20 million, whose estate profited from such licensing deals as the popular "Baby Einstein" educational videos.

Other celebrities on the list include Theodore Geisel, better known as children's book author Dr. Seuss; rhythm & blues pioneer Ray Charles, silver screen legend Marilyn Monroe and reggae superstar Bob Marley.

It's Cobain over Elvis as top-earning dead celeb