TSA Now Investigating Boarding Pass Hacker

An anonymous reader writes "A week after the Justice Department cleared him of any wrongdoing, Chris Soghoian, the Indiana University PhD student who created an online boarding pass generator for Northwest Airlines to highlight security holes is on the government's 'no-fly' list. The Transportation Security Administration has now launched its own investigation, says Wired blog 27strokeB. The TSA is claiming that Soghoian 'attempted to circumvent an established civil aviation security program established in the Transportation Security Regulations,' violations of which carry fines of up to $11,000 per violation. That could be a steep fine, says Washingtonpost.com's Security Fix blog: 'Something like 35,000 people viewed and possibly used the boarding pass generator during the less than 72 hours that it was live on his site in November. Soghoian told WaPo: "If they decide that the only safe way for me to leave the country is by boat, then that's pretty much the end of my career here in the States. It's one thing to harass researchers, but if they can chase them out of the country, then that's a real chilling effect."'"

The blog is "27B Stroke 6"

[toby]

And it's a "Brazil" reference, of course, which is nicely appropriate in this context...

Oh Snap

[TubeSteak]

Wired doesn't mention it, but in the kid's blog, he links to a re-implementation of his boarding pass generator, this time using html & java.

Coralized Archive of the mirror: http://geocities.com.nyud.net:8080/j0hn4dm5/forge. tar.gz

The mirror:
-http://j0hn4d4m5.bravehost.com/
(Coral CDN didn't seem to work on it)

Maybe now the TSA will actually do something about their security hole.
Actually, I doubt it, but we can hope.

Re:Proving a point is expensive....

[TripMaster+Monkey]

Printing counterfeit money is not illegal...

Actually, it is:

Manufacturing counterfeit United States currency or altering genuine currency to increase its value is a violation of Title 18, Section 471 of the United States Code and is punishable by a fine of up to $5,000, or 15 years imprisonment, or both.

Re:35,000 views?

[Aardpig]

But the man who introduced fire to the world was burned at the stake.

Bollocks he was. He (Prometheus) was chained to a rock, and an eagle would come every day and tear out his liver. Then, in the night, his liver would grow back. Sheesh, don't you kids learn any mythology anymore?

Re:Proving a point is expensive....

[ChaosDiscord]

In this case, he would have been better off just telling people it could be done IMO.

CSO Online told people about it in February 2006. Slate told people about it in February 2005. Senator Schumer told people about it in February 2005. Security expert Bruce Schneier told people about it in August 2003.

We're more than a little beyond "telling people" being productive.

Worse, apparently a proof of concept isn't enough. The TSA is busy trying to presecute the messenger, but they still haven't fixed the core problem. I'd sadly forced to conclude that the TSA will not fix a real threat to airline security until terrorists successfully exploit that threat. While honest people are stuck measuring their shampoo out of fear of a deeply implausible liquid-bomb threat, anyone with access to a printer and a reasonably plausible state ID can get into the "sterile" area of the airport. (I find it darkly humorous that the boarding pass vulnerability makes the cost of getting 30 ounces of liquid explosives onto a plane just 10 fake boarding passes for almost no cost and 10 evil conspirators.)