TSA Now Investigating Boarding Pass Hacker
An anonymous reader writes "A week after the Justice Department cleared him of any wrongdoing, Chris Soghoian, the Indiana University PhD student who created an online boarding pass generator for Northwest Airlines to highlight security holes, is on the government's 'no-fly' list. The Transportation Security Administration has now launched its own investigation, says Wired blog 27strokeB. The TSA is claiming that Soghoian 'attempted to circumvent an established civil aviation security program established in the Transportation Security Regulations,' violations of which carry fines of up to $11,000 per violation. That could be a steep fine, says Washingtonpost.com's Security Fix blog: 'Something like 35,000 people viewed and possibly used the boarding pass generator during the less than 72 hours that it was live on his site in November. Soghoian told WaPo: "If they decide that the only safe way for me to leave the country is by boat, then that's pretty much the end of my career here in the States. It's one thing to harass researchers, but if they can chase them out of the country, then that's a real chilling effect."'"
The blog is "27B Stroke 6" (Score:5, Informative)
Proving a point is expensive.... (Score:3, Informative)
In this case, he would have been better off just telling people it could be done IMO. Just the same, if Kazaa isn't guilty, how can this guy be held responsible for what people did with his demonstration? If he personally used the fake boarding passes to fly and thus circumvent TSA rules, then he's guilty, should be punished. To demonstrate that it's possible doesn't make him guilty. Even making it possible for others to do so doesn't make him guilty of anything except making the TSA look stupid.
Printing counterfeit money is not illegal... using it is. Normally, nobody would print it without the intent of using it, but in this case, the whole effort was to prove that it could be done and show that a fake boarding pass ruins security measures. If he can print fake boarding passes, any reasonably savvy group can. The manner used to demonstrate this flaw surely makes it impossible to not fix the problem?
I hope that he is not slapped with huge fines...
Oh Snap (Score:5, Informative)
Coralized Archive of the mirror: http://geocities.com.nyud.net:8080/j0hn4dm5/forge
The mirror:
-http://j0hn4d4m5.bravehost.com/
(Coral CDN didn't seem to work on it)
Maybe now the TSA will actually do something about their security hole.
Actually, I doubt it, but we can hope.
Re:Proving a point is expensive.... (Score:3, Informative)
Printing counterfeit money is not illegal...
Actually, it is [moneyfactory.gov]:
Re:Security Threat (Score:3, Informative)
Re:Irresponsible researcher (Score:2, Informative)
What Chris S. did was just plain stupid. Yes, the web-based boarding document system was originally designed to keep unticketed passengers from getting onto planes, not from getting past the (at the time non-existent) TSA security points. Giving non-technical nogoodniks an easy way to exploit the system was wrong, unwise, and dangerous.
People relevant to the technology are trying to resolve the security issues involved with web-based boarding documents right now, so don't think nothing is being done just because you don't hear anything about it.
Yes, the people involved in that are smarter than the TSA. You'll just have to trust me on that. Don't ask how I know.
Re:35,000 views? (Score:5, Informative)
But the man who introduced fire to the world was burned at the stake.
Bollocks he was. He (Prometheus) was chained to a rock, and an eagle would come every day and tear out his liver. Then, in the night, his liver would grow back. Sheesh, don't you kids learn any mythology anymore?
Re:Proving a point is expensive.... (Score:5, Informative)
CSO Online told people about it in February 2006. [csoonline.com] Slate told people about it in February 2005. [slate.com] Senator Schumer told people about it in February 2005. [senate.gov] Security expert Bruce Schneier told people about it in August 2003. [schneier.com]
We're more than a little beyond "telling people" being productive.
Worse, apparently a proof of concept isn't enough. The TSA is busy trying to prosecute the messenger, but they still haven't fixed the core problem. I'm sadly forced to conclude that the TSA will not fix a real threat to airline security until terrorists successfully exploit that threat. While honest people are stuck measuring their shampoo out of fear of a deeply implausible liquid-bomb threat, anyone with access to a printer and a reasonably plausible state ID can get into the "sterile" area of the airport. (I find it darkly humorous that the boarding pass vulnerability makes the cost of getting 30 ounces of liquid explosives onto a plane just 10 fake boarding passes for almost no cost and 10 evil conspirators.)
Hey, look, the investigator's name and phone #... (Score:3, Informative)
James A. Roberts
(317) 390-6916
Re:What's the fine? (Score:3, Informative)