TSA Now Investigating Boarding Pass Hacker
An anonymous reader writes "A week after the Justice Department cleared him of any wrongdoing, Chris Soghoian, the Indiana University PhD student who created an online boarding pass generator for Northwest Airlines to highlight security holes, is on the government's 'no-fly' list. The Transportation Security Administration has now launched its own investigation, says Wired blog 27strokeB. The TSA is claiming that Soghoian 'attempted to circumvent an established civil aviation security program established in the Transportation Security Regulations,' violations of which carry fines of up to $11,000 per violation. That could be a steep fine, says Washingtonpost.com's Security Fix blog: 'Something like 35,000 people viewed and possibly used the boarding pass generator during the less than 72 hours that it was live on his site in November. Soghoian told WaPo: "If they decide that the only safe way for me to leave the country is by boat, then that's pretty much the end of my career here in the States. It's one thing to harass researchers, but if they can chase them out of the country, then that's a real chilling effect."'"
And it's a "Brazil" reference, of course, which is nicely appropriate in this context...
you had me at #!
This is the same problem with all kinds of security systems/programs. How does one point out the error/flaws in said system without falling afoul of the law(s)?
In this case, he would have been better off just telling people it could be done IMO. Just the same, if Kazaa isn't guilty, how can this guy be held responsible for what people did with his demonstration? If he personally used the fake boarding passes to fly and thus circumvent TSA rules, then he's guilty, should be punished. To demonstrate that it's possible doesn't make him guilty. Even making it possible for others to do so doesn't make him guilty of anything except making the TSA look stupid.
Printing counterfeit money is not illegal... using it is. Normally, nobody would print it without the intent of using it, but in this case, the whole effort was to prove that it could be done and show that a fake boarding pass ruins security measures. If he can print fake boarding passes, any reasonably savvy group can. The manner used to demonstrate this flaw surely makes it impossible to not fix the problem?
I hope that he is not slapped with huge fines...
Support NYCountryLawyer RIAA vs People
Wired doesn't mention it, but in the kid's blog, he links to a re-implementation of his boarding pass generator, this time using html & java.
. tar.gz
Coralized Archive of the mirror: http://geocities.com.nyud.net:8080/j0hn4dm5/forge
The mirror:
-http://j0hn4d4m5.bravehost.com/
(Coral CDN didn't seem to work on it)
Maybe now the TSA will actually do something about their security hole.
Actually, I doubt it, but we can hope.
[Fuck Beta]
o0t!
http://www.specialtyblades.com/blade_types/ceramic.html
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
What Chris S. did was just plain stupid. Yes, the web-based boarding document system was originally designed to keep unticketed passengers from getting onto planes, not from getting past the (at the time non-existent) TSA security points. Giving non-technical nogoodniks an easy way to exploit the system was wrong, unwise, and dangerous.
People relevant to the technology are trying to resolve the security issues involved with web-based boarding documents right now, so don't think nothing is being done just because you don't hear anything about it.
Yes, the people involved in that are smarter than the TSA. You'll just have to trust me on that. Don't ask how I know.
But the man who introduced fire to the world was burned at the stake.
Bollocks he was. He (Prometheus) was chained to a rock, and an eagle would come every day and tear out his liver. Then, in the night, his liver would grow back. Sheesh, don't you kids learn any mythology anymore?
Tubal-Cain smokes the white owl.
How about giving him a call and talking to him about this situation...
James A. Roberts
(317) 390-6916
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
Massive investigations and threats of jail time if you don't help them cover up how ineffective their screening is.