Cancun Airport Attempts “Man-in-the-Middle Attack” On Web Connection

Warning: This post is technical.  The non-technical tl;dr is that the airport lounge network in Cancun attempted to hack my Internet connection to my work server.


Mera Business Lounge @ CUN Airport

If my flight is in the evening on a weekday, I’ll often show up at the airport early, work from the airport lounge, and catch my flight.  They tend to have reliable Internet, I get to spend the day eating and drinking for free, and I don’t have to worry about traffic or making my flight on time.

I sat down in the “Mera Business Lounge” in CUN’s Terminal 3 last week and went to log into my work server via “SSH” — a secure protocol commonly used to interact with Linux computers — and was somewhat surprised to see this:

$ ssh -i xxxxx jon@127.0.0.1 (not the actual address)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:wS09c2yexsr6pbxFdUUJBSsYykAbo02oDxfGV4ctD1Q…

No big deal, I assume: someone at work has probably just changed something on the server, as the message itself suggests after the scary part.  Nonetheless, my standard practice is to connect to a VPN and repeat the attempt.  This rules out a man-in-the-middle on the local side of the network: an attacker on the lounge network or at its ISP sits between me and the VPN provider, but the SSH connection now leaves from the VPN provider’s network instead, so that attacker is no longer in the middle.  (It does nothing against an attacker closer to the server than the VPN exit; the definitive check is to compare the fingerprint in the warning with the server’s own host key, obtained out of band, for example from ssh-keygen -l run on the server.)  If the VPN attempt reports the same key mismatch, the key really did change and it’s probably not an attack.

Well, with VPN engaged…

$ ssh -i xxxxx jon@127.0.0.1
Welcome to Ubuntu 16.04.3 LTS…

I actually couldn’t believe it, so I disconnected from VPN, repeated, re-connected to VPN, repeated.  Same result: fingerprint mismatch, no fingerprint mismatch.
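For the check described above, here is an added example (not code from the original post) that does what the SSH client does behind that warning: it computes the SHA256 fingerprint of an offered host key exactly as ssh and ssh-keygen -l print it, and compares it with the key recorded for that host in known_hosts, including hashed (|1|…) entries written with HashKnownHosts. The host names work.example, other.example, the key material and the known_hosts lines are all constructed in code and belong to no real server. The same fingerprint function applied to the server’s own public key file (what ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub prints when run on the server) gives the out-of-band value to compare against the SHA256 string in the warning: equal means the key was legitimately changed, different means something is in the path.

```python
"""Added example: what the OpenSSH client does behind the
"REMOTE HOST IDENTIFICATION HAS CHANGED" warning.  It computes the SHA256
fingerprint of the host key the server offered and compares it with the
key(s) recorded for that host in known_hosts.  All key material, host names
and known_hosts lines here are constructed in code; none belongs to a real
server."""
import base64
import hashlib
import hmac
import os


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def make_ed25519_pubkey_line(seed: int, comment: str) -> str:
    """Build a syntactically valid 'ssh-ed25519 <base64> <comment>' line around
    a fake 32-byte public key (constructed; no private key exists for it)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(seed.to_bytes(32, "big"))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint as ssh and 'ssh-keygen -l' print it: base64 of the
    SHA-256 of the decoded key blob, '=' padding stripped, 'SHA256:' prefix."""
    key_b64 = pubkey_line.split()[1]
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(host: str, salt: bytes) -> str:
    """Hashed known_hosts host field (HashKnownHosts yes):
    |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field: str, host: str) -> bool:
    """Match a known_hosts host field against host.  Handles hashed entries and
    plain comma-separated lists; wildcards, negation and [host]:port are not
    handled in this example."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, _ = host_field.split("|")
        recomputed = hash_hostname(host, base64.b64decode(salt_b64))
        return hmac.compare_digest(recomputed, host_field)
    return host in host_field.split(",")


def parse_known_hosts(text: str):
    """Yield (host_field, key_type, key_b64) for every key line in known_hosts.
    A leading @cert-authority/@revoked marker is stripped here; a real client
    rejects @revoked keys outright."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):
            parts = parts[1:]
        if len(parts) >= 3:
            yield parts[0], parts[1], parts[2]


def check_host_key(known_hosts: str, host: str, offered_pubkey_line: str) -> str:
    """Return 'match' when the offered key is the one recorded for host,
    'mismatch' when host is recorded with a different key of the same type
    (the case that produces the warning in the post), and 'unknown' when
    host has no key of that type (the ordinary first-connection prompt)."""
    offered_type = offered_pubkey_line.split()[0]
    offered_fp = fingerprint(offered_pubkey_line)
    same_type_recorded = False
    for host_field, key_type, key_b64 in parse_known_hosts(known_hosts):
        if key_type != offered_type or not host_matches(host_field, host):
            continue
        if fingerprint(f"{key_type} {key_b64}") == offered_fp:
            return "match"
        same_type_recorded = True
    return "mismatch" if same_type_recorded else "unknown"


if __name__ == "__main__":
    server_key = make_ed25519_pubkey_line(0x1111, "work server (constructed)")
    lounge_key = make_ed25519_pubkey_line(0x2222, "key offered in the lounge (constructed)")
    # known_hosts line as written by a client with HashKnownHosts yes (constructed).
    entry = hash_hostname("work.example", os.urandom(20)) + " " + " ".join(server_key.split()[:2])
    print("fingerprint in the warning:", fingerprint(lounge_key))
    print("server's real fingerprint :", fingerprint(server_key))
    print("direct from the lounge    :", check_host_key(entry, "work.example", lounge_key))  # mismatch
    print("through the VPN           :", check_host_key(entry, "work.example", server_key))  # match
```

The fingerprint is taken over the decoded key blob, not over the base64 text, which is why a key copied with a different comment or line wrapping still fingerprints identically; the hashed known_hosts lookup recomputes the HMAC with the stored salt rather than decrypting anything, so a known_hosts file leaks which hosts you have visited only to someone who can guess the names.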

A lookup of the external IP address of the lounge showed the network was run by an ISP called “G TEL” —

% Joint Whois – whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries

inetnum: 148.243.37/24
status: reallocated
owner: G TEL Comunicacion, S.A.P.I. de C.V.
ownerid: MX-GTCS-LACNIC
responsible: Sergio Antonio Bravo Garcia
address: DR. ATL, 2084, Int. 606, Zona Urbana Rio Tijuana
address: 22010 – Tijuana – BC
country: MX

I attempted contacting their LACNIC point of contact and the standard “abuse” e-mail address, but received no reply as of the date of this article.  It’s unclear whether the attacker had access only to the airport lounge local network, or was at G TEL, or somewhere else on the Internet. I also have no reason to assume that I was targeted specifically (instead of, say, targeting everyone who was on the network). But it’s clear that my connection was indeed attacked.

Watch yourself out there!  While “sophisticated” attacks like MitM are uncommon for the everyday Internet user, they apparently happen.  If you ever see those “certificate not valid/trusted” warnings (or an SSH host key warning like the one above), take them seriously, and understand that if you proceed, everything you send over that connection is readable by the attacker: not only the password you type now, but also the authentication cookies your browser sends automatically from past logins, so credentials you entered in the past are in someone else’s hands too.

Full session (screenshot): MitM Attack @ CUN

TSA Accidentally Publishes Copy of My Driver’s License in Brief About Privacy

I realized after I made my last post that the TSA, in its brief explaining why its employees deserve privacy in the form of having their names and faces redacted from any documents it releases, accidentally (I would assume) published a copy of my drivers’ license!

While not the clearest image in the world, in the version you can download from the court, you can zoom in well enough to get most of my name, most of my driver’s license number, and my date of birth (a violation of Fed. R. Civ. P. Rule 5.2(a)(2)). I’m leaving it up on the blog because I’m always happy to trade a little of my privacy for the sake of exposing the hypocritical foolishness of the TSA. That and you know that if you steal my identity, I’ll track you down. 😉

Jon to Judge: Release the Names of the TSA Screeners Who Harassed Me

A part of my lawsuit from when the TSA detained me in FLL airport in 2011 relates to a Freedom of Information Act request I submitted after the incident, which asks for all documents relating to their illegal detention: incident reports, video, e-mails, etc. After the airport initially lied to me (because they were worried about giving away the “secret” fact that they videotape TSA checkpoints), the airport and TSA have given me most of the documents — with the exception that they took out all the names of all the TSA employees who wrote the documents, and blurred the video so that you can’t see the faces of the screeners. That’s right — the TSA has the right to digitally strip search you, but a video of their faces might violate their privacy.

My brief explains why this is legally wrong, but also why it’s not in the public interest:

The public has an undeniable right to review the actions of its government, and this concept is the very reason for the existence of public records laws like FOIA. As any citizen who has contested a traffic violation has found out, in the context of where a member of the public offers a version of the facts that contradicts a version offered by an employee of the government, all other things equal, courts uniformly adopt the version proffered by the government employee, even in situations where the burden of proof is high. Oftentimes, video evidence is the only means a criminal defendant has in order to dislodge an accusation by a police officer.

But, the public interest of the release of videos of government interaction goes far beyond that of the individual whose liberty or property is on the line. Release of video provides accountability of government officials to the public. When an official knows that his or her actions are being recorded and may be published on the evening news, it is axiomatic that he or she will be more likely to act lawfully and in the public interest.

If there were ever a government agency that could benefit from increased accountability to the public, the Transportation Security Administration is it. In 2012, the TSA admitted that hundreds of its employees have been caught stealing from members of the public. It admitted to strip-searching grandmothers without lawful authority. It admitted that it hires former clergy accused of sex offenses against children to search children. And, regardless of whether or not such actions are technically legal, it is accused on a daily basis of bullying everyone from grown men to women and children. The TSA is more disdained by Americans than the Internal Revenue Service, a distinction which it has well earned.

Accountability is achieved not by releasing redacted video with blurred faces, but rather by the knowledge that the public – your friends, family, neighbors, letter carrier, Starbucks barista, and anyone else – will judge you if you make a 3-year-old on her way to Disney World cry because you were a power-hungry, arrogant, insensitive, and pathetic individual in the course of your service of the American people. When both the courts and Congress refuse to – or work at a snail’s pace to – leash an out-of-control agency such as the TSA, this is all that we, the people, have left. On the flip side, with the release of video, members of the public who make accusations of mistreatment when they were in fact to blame for an incident will lose their power to malign the agency and its employees.

Defendant TSA is absolutely correct that when the Court releases the full video to Plaintiff, he will publish this video for the world to see. However, if TSA and its employees have done nothing wrong, they should be proud to have that video published, demonstrating their faithful service and that Plaintiff is simply a “troublemaker.” The truth of the matter is that the TSA does not want disclosure of the videos in this case and many others because it knows that while it can argue the legality of its actions in court, it cannot justify its actions to the citizens.

The most awesome part of writing this brief was that the Department of Justice actually did all the research for me. As I was researching case law, I came across the Department of Justice Guide to the Freedom of Information Act, which was written (surprisingly) from an entirely neutral perspective and thoroughly analyzes, with case citations, privacy exemptions to the Freedom of Information Act. Lo and behold, the DoJ opines that “civilian federal employees who are not involved in law enforcement generally have no expectation of privacy regarding their names, titles, grades, salaries, and duty stations as employees…” I couldn’t have said it better myself!

If you want to see what the paperwork looks like when you say “no” to the TSA, check the end of the TSA’s motion (below).

Corbett v. TSA – Motion for Summary Judgment (Broward) (.pdf)
Corbett v. TSA – Motion for Summary Judgment (TSA) (.pdf) (3 MB)
Corbett v. TSA – Motion for Summary Judgment (Corbett) + Opposition to Defendants’ Motions (.pdf)
