I have some concerns about the viability of computer security as an academic subdiscipline of computer science in the USA after this incident: security researcher announces flaw in airport security, congressman calls for his arrest. Whether or not Soghoian's proof-of-concept boarding-pass-generator crossed some line, it does not seem possible to do security research in an atmosphere in which pointing out flaws in security is seen by the government as evildoing and an opportunity for grandstanding. Too soon to have an opinion on how meaningful this development and Soghoian's subsequent lack of communication is, though.
And of course, if security research withers in the US, the net effect will be simply that the expertise in that area will be located elsewhere...not necessarily a desirable outcome.
Unfortunately, this is not an isolated incident. While the issue at hand changes, the tactics do not. Five years ago, Ed Felten and his colleagues withdrew an academic paper on digital watermarking schemes after being threatened with a lawsuit. A little after that, the FBI arrested a Russian security researcher when he gave a talk at DEF CON about his company's work on the digital rights management used in Adobe products. Avi Rubin's new book, _Brave New Ballot_, chronicles how he and his students were the target of rhetoric much like what we hear directed at Soghoian now. For their work on e-voting, they were said to "undermine democracy," while the vendors denied anything was wrong.
I know several people who no longer work on particular areas of security, especially digital rights management. I know others who intentionally hold back reporting some of their findings. Security research has labored under this shadow for a while now. I hope for the best for Chris...and I hope that I won't have to contribute to his legal defense fund any time soon. :(
Great site, I am bookmarking it! Keep it up! With the best regards! David
Hello, great site, I found a lot of useful information here, thanks a lot for Your work! With the best regards! David
Uh, you're welcome? With a message as generically-worded as this, anonymously on an old post, repeated twice with variation, from similar but not identical IPs (220.127.116.11 and 18.104.22.168 in case anyone else is curious) I was worried that this was spam, but there seems to be no payload. So I can only assume you read my more recent post about everyone being named David and decided to follow suit.
Great job done, keep it up! With the best regards!