Slashdot Log In
TSA Now Investigating Boarding Pass Hacker
Posted by
Zonk
on Thu Dec 07, 2006 04:26 PM
from the make-up-your-mind dept.
from the make-up-your-mind dept.
An anonymous reader writes "A week after the Justice Department cleared him of any wrongdoing, Chris Soghoian, the Indiana University PhD student who created an online boarding pass generator for Northwest Airlines to highlight security holes is on the government's 'no-fly' list. The Transportation Security Administration has now launched its own investigation, says Wired blog 27strokeB. The TSA is claiming that Soghoian 'attempted to circumvent an established civil aviation security program established in the Transportation Security Regulations,' violations of which carry fines of up to $11,000 per violation. That could be a steep fine, says Washingtonpost.com's Security Fix blog: 'Something like 35,000 people viewed and possibly used the boarding pass generator during the less than 72 hours that it was live on his site in November. Soghoian told WaPo: "If they decide that the only safe way for me to leave the country is by boat, then that's pretty much the end of my career here in the States. It's one thing to harass researchers, but if they can chase them out of the country, then that's a real chilling effect."'"
Related Stories
[+]
News: FBI Raids Security Researcher's Home 516 comments
Sparr0 writes, "The FBI has raided the home of Christopher Soghoian, the grad student who created the NWA boarding pass site. Details can be found on his blog including a scanned copy of the warrant. The bad news is that he really did break the law. The good news is that Senator Charles Schumer did it first, 19 months ago, on an official government website no less. The outcome of this trial should be at least academically interesting. At best, it could result in nullifying some portion of the law(s) that the TSA operates under." Read on for Sparr0's take on what laws may apply in this case.
[+]
Charges Dropped In Fake Boarding Pass Case 135 comments
An anonymous reader writes, "Investigators have dropped the criminal case against Christopher Soghoian after satisfying themselves that he acted without criminal intent. The grad student had created a web site capable of printing fake airline boarding passes. Soghoian is quoted: 'If they fix the airport security problems... then this entire process has been worth it. If they don't fix airport security, then... what was the purpose?'" Soghoian's blog has insightful comments about the divide between security researchers and government officials on subjects such as TOR.
[+]
Lax TSA Website Exposed Travelers' Information 81 comments
sjbe sends in an old story with a poetic justice ending. Almost a year ago Chris Soghoian blogged about multiple security holes exposing visitors to a TSA site to possible identity theft. Wired and others picked up the story and the TSA took down the insecure site and fixed the problems. On Friday the US House of Representatives Committee on Oversight and Government Reform released a report (PDF; HTML summary) finding that the TSA contractor, Desyne Web Services, had received a no-bid contract for the faulty site from a former employee who was then a TSA project manager. TSA has taken no action to sanction the responsible parties for the vulnerabilities. The poetic justice is that Soghoian had been investigated for 6 months by the FBI and TSA because he pointed out a vulnerability in the US air transport system; no charges were ever filed.
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
What's the fine? (Score:5, Insightful)
Re:What's the fine? (Score:5, Insightful)
Parent
Re:What's the fine? (Score:5, Funny)
I was in line behind a TSA employee from a local small airport. She was telling the cashier that she had left the check to pay for a number of photocopied documents in her car and must retrieve it to pay. BUT she could not leave the documents and had to take them with her to the car as they were VERY VERY sensitive. Here's the kicker, she left them at Staples overnight to be copied.
I wonder if they let her sleep there and then shot the copier tech out in the alley?
Parent
Go Chris... (Score:4, Insightful)
Fair is fair (Score:4, Funny)
The blog is "27B Stroke 6" (Score:5, Informative)
He can still travel (Score:5, Insightful)
Re:He can still travel (Score:5, Funny)
Parent
Airport Security is a joke (Score:5, Insightful)
Re:Airport Security is a joke (Score:5, Insightful)
I guess someone standing there with a rucksack full of explosives and going BOOM during a heavy traffic time, say the day before Thanksgiving, never occured to our overlords.
Parent
Re:Airport Security is a joke (Score:5, Insightful)
The purpose was to shame the TAA into fixing a problem which was widely known and publicized: August 2003 by security expert Bruce Schneier [schneier.com], February 2005 in Slate [slate.com], February 2005 press release by a US Senator [senate.gov], February 2006 article in CSO Online [csoonline.com]. The TSA has been ignoring the problem for over three years. Bad guys have known about the attack for at least three years, possibly longer. For all we know bad guys are using it right now; we have no way of knowing. Even without Soghoian's program, it was really, really trivial to exploit; all you need is a very basic understanding of HTML, enough to change one name to another, to execute the attack Schneier described in 2003. The media has been letting the TSA continue to ignore this. If Soghoian had simply published a "I can make fake boarding passes and get into the "sterile" area of an airport he would have gotten an article or two and nothing would have changed. By providing a working exploit things just became that much harder for the TSA. News coverage exploded. Finally something will happen.
The TSA has proven itself grossly incompetant. There is little to no oversight and zero public accountability. Drastic measures were necessary, as rational measures have clearly failed. The really sad thing is even in the face of such a drastic failure, they're not fixing the core problem.
Parent
Oh Snap (Score:5, Informative)
Coralized Archive of the mirror: http://geocities.com.nyud.net:8080/j0hn4dm5/forge
The mirror:
-http://j0hn4d4m5.bravehost.com/
(Coral CDN didn't seem to work on it)
Maybe now the TSA will actually do something about their security hole.
Actually, I doubt it, but we can hope.
Security Threat (Score:5, Interesting)
So, a bunch of terrorists captured a couple of airplanes and flew them into buildings. Yeah, a bunch of people died, which is tragic. And the Economy Burped, which is
However, we've learned our lesson, and have secured the airplanes better. In addition, I doubt, HIGHLY DOUBT, that they could get anywhere close to doing the same thing, given the same circumstances, mainly because the passengers wouldn't stand for it.
Screening 80 year old grandmas of their knitting needles is stupid. Taking off shoes is stupid. Banning Liquids is stupid. For all the inconvenience of it all, it will not prevent someone from trying to by-pass whatever security is setup, and eventually they will succeed.
I know for a fact that I could bring a knife on board a plane even today, even passing through all the security. They can't stop me if they can't see it. And there are such knives available.
The point is, all this "security" isn't really designed to prevent hi-jackers, it is designed to placate the masses. See my sig for more info
go to bed without supper! (Score:4, Funny)
Does that mean he is grounded for being naughty?
That's unfair. Obviously he did his homework.
Final proof the no-fly list isn't about safety (Score:5, Insightful)
He's there because the no-fly list is a tool for control and coercion at the whim of the authorities without the restraint of statute or jury.
Re:35,000 views? (Score:5, Insightful)
Parent
Re:35,000 views? (Score:5, Insightful)
Big fucking deal. It was an obvious security hole. If anything, he should be hailed, not jailed. But then again, we don't want to go out and make NWA (who fucking blow anyway) and the TSA look worse than they already do (if anyone is reading from MCO's TSA, fucking fix your system by doing a "best practices visit" to any number of other airports -- your system sucks even at 4:00AM)
Parent
Re:35,000 views? (Score:5, Informative)
But the man who introduced fire to the world was burned at the stake.
Bollocks he was. He (Prometheus) was chained to a rock, and an eagle would come every day and tear out his liver. Then, in the night, his liver would grow back. Sheesh, don't you kids learn any mythology anymore?
Parent
Re:he has it coming (Score:4, Insightful)
Parent
Re:he has it coming (Score:4, Insightful)
Molog
Parent
Re:he has it coming (Score:5, Insightful)
Your argument is simply foolish. The TSA is inept at running a dept, so they are also inept at hiring researchers or security folk to check up on their stuff. This is a government agency. This person committed no actual crime -- he didnt use one, and didnt even print one.
The criminal would have kept this secret, and used it to his/her benefit by selling it to terrorists, criminals, or whatever. Those types of actions should be punished, SEVERELY!
What did he do? He made us all safer. He did it by exposing how ridiculous the TSA is, and gave them all the knowledge to fix the problem. He did not personally gain from this experience. If anything, he has suffered already for it much more than he ever should have. I would feel differently if this was a private company and not a public-oriented service (like AIRLINE travel), to which my tax dollars go (both to bail out airline bankruptcy, as well as to operating the TSA).
IU needs to stick up for their researchers, and foot the legal bill. I doubt they will, however, having been a past student, the administration at IU is pretty much inept equivalent to the TSA in my eyes.
God forbid someone try to HELP the world...
Parent
Re:he has it coming (Score:4, Insightful)
It's a shame the TSA people think just like you, if people would quit trying to kill the messengers, we might start seeing something that looked more like security and less like cronies securing contracts.
Parent
Nice in theory (Score:5, Insightful)
You seem to be forgetting that that had already been done, up to and including having the information on how to create a fake boarding pass published on a congressman's web site for a year or so prior to his arrest. And yes, there had already be newspaper articles on it, and the TSA was either well aware of it and doing nothing or unaware of it even though it had been reported to them multiple times.
Ok, fine. It was trouble making. But for whom? It didn't lower airport security one iota. Anyone who cared about it already new how to do it. What it did do, though, was make trouble for the fake "security" providers at the TSA, and point out the fact that they are ripping us (the taxpayers) off.
We saw the same sort of misleading argument come up when people started pointing out that US Military personnel were being given ineffective bulletproof vests; somehow the people who were trying to raise awareness of the issue were supposedly "helping the terrorists." Which is just nuts. What they were doing is making things uncomfortable for the crooks selling the defective jackets, and having zero impact on the people wearing them unless and until they could raise enough awareness of the issue to get things changed--in which case their actions would have helped the roops, not hurt them.
--MarkusQ
Parent
Re:Proving a point is expensive.... (Score:5, Insightful)
Survey says - "Anonymously".
He could have written his boarding pass creator as a flash app and uploaded it to Newgrounds. He could have posted a JS version on any of a number of blogs without using his own name. He could have even posted about it, with a link to an anonymously hosted applet, and probably made the Slashdot FP. He could even have gotten someone outside the US to host the exact same content, with all occurrences of his name replaced by "Mr. CheeseNips".
But no. He had to use his own name, and therein lies his biggest mistake.
Anyone who says we don't need anonymity just doesn't fear the government enough for their own good. And anyone who makes the government look bad without at least trying to hide their identity needs to study their history a tad more.
I, for one, THANK Soghoian for exposing a glaring flaw in the farce we call the TSA. Not because it has made us safer (as we can see, they chose to shoot the messenger rather than, y'know, fix the goddamned problem), but because it has slightly reduced the false sense of security among the voting sheep.
Parent
Re:Proving a point is expensive.... (Score:5, Informative)
CSO Online told people about it in February 2006. [csoonline.com] Slate told people about it in February 2005. [slate.com] Senator Schumer told people about it in February 2005. [senate.gov] Security expert Bruce Schneier told people about it in August 2003. [schneier.com]
We're more than a little beyond "telling people" being productive.
Worse, apparently a proof of concept isn't enough. The TSA is busy trying to presecute the messenger, but they still haven't fixed the core problem. I'd sadly forced to conclude that the TSA will not fix a real threat to airline security until terrorists successfully exploit that threat. While honest people are stuck measuring their shampoo out of fear of a deeply implausible liquid-bomb threat, anyone with access to a printer and a reasonably plausible state ID can get into the "sterile" area of the airport. (I find it darkly humorous that the boarding pass vulnerability makes the cost of getting 30 ounces of liquid explosives onto a plane just 10 fake boarding passes for almost no cost and 10 evil conspirators.)
Parent