Slashdot Mirror


TSA Now Investigating Boarding Pass Hacker

An anonymous reader writes "A week after the Justice Department cleared him of any wrongdoing, Chris Soghoian, the Indiana University PhD student who created an online boarding pass generator for Northwest Airlines to highlight security holes, is on the government's 'no-fly' list. The Transportation Security Administration has now launched its own investigation, says Wired blog 27strokeB. The TSA is claiming that Soghoian 'attempted to circumvent an established civil aviation security program established in the Transportation Security Regulations,' violations of which carry fines of up to $11,000 per violation. That could be a steep fine, says Washingtonpost.com's Security Fix blog: 'Something like 35,000 people viewed and possibly used the boarding pass generator during the less than 72 hours that it was live on his site in November. Soghoian told WaPo: "If they decide that the only safe way for me to leave the country is by boat, then that's pretty much the end of my career here in the States. It's one thing to harass researchers, but if they can chase them out of the country, then that's a real chilling effect."'"

39 of 270 comments

  1. What's the fine? by HangingChad · · Score: 5, Insightful

    What's the fine for making TSA look stupid?

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:What's the fine? by towermac · · Score: 5, Insightful

      apx. $11,000 per incident.

  2. Re:35,000 views? by 'nother poster · · Score: 5, Insightful

    No, shame on the TSA for not implementing real security requirements.

  3. Go Chris... by Anonymous Coward · · Score: 4, Insightful

    The people responsible within the TSA need to be dealt with. These fuckheads have some nerve harassing a researcher for bringing their errors to wider attention.

  4. Congress @$!^^#**# by Anonymous Coward · · Score: 1, Insightful
    What oversight does the TSA have?

    WTF was Congress (not) thinking when they created the Dept. of Homeland Security?

    From what I've been seeing over the last few years, they can do pretty much anything they want and unless you have a Whitehouse contact or are a Senator, you have to bend over and take it.

    1. Re:Congress @$!^^#**# by towermac · · Score: 2, Insightful

      When they started throwing around the term "Homeland" a few years ago, it sounded a lot like "Fatherland" to me, and I knew then that no good could come of it.

  5. He can still travel by Col. Klink (retired) · · Score: 5, Insightful

    As long as they don't fix the flaw, he can still exploit it and circumvent any extra scrutiny they try and put on him.

    --

    -- Don't Tase me, bro!

  6. Re:35,000 views? by garcia · · Score: 4, Insightful

    I was one but I didn't get to it from Slashdot. I got to it from several local bloggers that pointed it out.

    Big fucking deal. It was an obvious security hole. If anything, he should be hailed, not jailed. But then again, we don't want to go out and make NWA (who fucking blow anyway) and the TSA look worse than they already do (if anyone is reading from MCO's TSA, fucking fix your system by doing a "best practices visit" to any number of other airports -- your system sucks even at 4:00AM)

  7. Irresponsible researcher by Echoez · · Score: 2, Insightful

    What is the actual value and goals of his research? A responsible researcher could have created a proof-of-concept, and raised awareness through media channels, research paper, blog etc. He should have also presented his research to the TSA and the airlines. Instead what he did was not research. He created a website to create fake boarding passes and released it to the public. There was no academic benefit. If I created forged passport software and released it, that's not research. Let's call this for what it is: trouble-making, not research.

    1. Re:Irresponsible researcher by soft_guy · · Score: 3, Insightful

      First of all, it's not "persecution." If he broke the law, then he needs to pay the penalty for that transgression. Putting him on the "no fly" list has nothing to do with the law. He wasn't convicted in court - no we just had a bunch of mindless bureaucrats take it upon themselves to start handing down punishment to whoever they don't like.
      --
      Avoid Missing Ball for High Score
  8. Airport Security is a joke by bigbadbuccidaddy · · Score: 5, Insightful

    Airport security is a joke, and all he did is point that out. I will point something else out. When I was waiting in the immensely long line for United Domestic Check-In, I noticed they controlled access to the door behind the ticket counter with a simple mechanical combination lock. I observed several United Airlines employees entering and every time I could clearly see the code being entered. I felt very secure.

    1. Re:Airport Security is a joke by smooth wombat · · Score: 4, Insightful

      The biggest flaw in airport security is having large groups of people wait in closely packed lines to go through the check-in process.

      I guess someone standing there with a rucksack full of explosives and going BOOM during a heavy traffic time, say the day before Thanksgiving, never occurred to our overlords.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    2. Re:Airport Security is a joke by DerekLyons · · Score: 2, Insightful
      Airport security is a joke, and all he did is point that out.

      And that's the crux of the problem - he didn't act like a researcher (as he claims) and merely point a security hole (as you claim). He crossed the line from researcher to (potentially) criminal when he published a tool on the web that had no other purpose than to make it possible for others to circumvent security.
    3. Re:Airport Security is a joke by Echoez · · Score: 1, Insightful

      Your point is well-taken. In your case, the responsible thing to do then would be to notify the TSA and the authorities at the airport to your concerns. It would not be "research", however, to post the combination to that door on the Internet, or to reveal its location. This is analogous to what he did. It's one thing to point out flaws in order to help address them. It's another thing entirely to create tools and resources to help people exploit holes in the system.

      Airport security is not tight, nor anywhere near a bulletproof system. But his actions in no way benefit or ameliorate this system; it only had the potential to cause more problems.

    4. Re:Airport Security is a joke by Archangel Michael · · Score: 1, Insightful

      19 Hijackers killed some 4000 people, or about 200 people per hijacker. Totally destroyed several buildings, but all in a geographic location. Very spectacular. One building, in another geographic location, partially destroyed. One plane, completely missed.

      I suspect that if they coordinated across 20 of the largest airports during the busiest time they could probably do a lot more damage (kill more people), without having to go through any security. But see, that wouldn't be as "Spectacular" as having buildings crash down.

      Terrorism is a tactic, not the enemy. Islam isn't even the enemy, it is an ideology/religion. The enemy is RADICAL MUSLIMS*

      *Possible redundancy detected, please confirm. Y /N ???

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    5. Re:Airport Security is a joke by loraksus · · Score: 3, Insightful

      I'll have to admit that a small part of me wanted someone to drive up in a large vehicle and drive through the lines outside the airport killing and injuring dozens when the TSA retards had people lined up outside of the airport buildings in the last "security crisis"

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
    6. Re:Airport Security is a joke by onkelonkel · · Score: 2, Insightful

      And yet I'll bet if buddy puts on navy blue pants, navy blue jacket, a white shirt (or whatever UA employees wear), plus a nicely laminated photoshop badge, and walks around the end of the counter instead of jumping over, he'll have the run of the place.

      --
      None of them can see the clouds; The polished wings don't care.
    7. Re:Airport Security is a joke by ChaosDiscord · · Score: 5, Insightful
      He crossed the line from researcher to (potentially) criminal when he published a tool on the web that had no other purpose than to make it possible for others to circumvent security.

      The purpose was to shame the TSA into fixing a problem which was widely known and publicized: August 2003 by security expert Bruce Schneier, February 2005 in Slate, February 2005 press release by a US Senator, February 2006 article in CSO Online. The TSA has been ignoring the problem for over three years. Bad guys have known about the attack for at least three years, possibly longer. For all we know bad guys are using it right now; we have no way of knowing. Even without Soghoian's program, it was really, really trivial to exploit; all you need is a very basic understanding of HTML, enough to change one name to another, to execute the attack Schneier described in 2003. The media has been letting the TSA continue to ignore this. If Soghoian had simply published a "I can make fake boarding passes and get into the 'sterile' area of an airport" he would have gotten an article or two and nothing would have changed. By providing a working exploit things just became that much harder for the TSA. News coverage exploded. Finally something will happen.

      The TSA has proven itself grossly incompetent. There is little to no oversight and zero public accountability. Drastic measures were necessary, as rational measures have clearly failed. The really sad thing is even in the face of such a drastic failure, they're not fixing the core problem.

  9. Re:he has it coming by GungaDan · · Score: 4, Insightful

    I *so* wanted to mod this post "troll," but that is unfitting - your ideas are not meant to provoke, but to unprovoke, and breed grudging contentment with the sad status quo. So no troll moderation for you. Sadly, there is no "defeatist fucktard lemming" moderation available. That would be fitting.

    --
    Eloi are stupid, throw morlocks at them!
  10. Re:35,000 views? by bostonkarl · · Score: 3, Insightful

    No kidding. This was an obvious loophole that had been pointed out a very long time ago. Investigating the kid till you're blue in the face doesn't make the problem go away. Anyone with moderately good office-suite type computer skills could fake a boarding pass. TSA needs to focus on security, not obscurity of their obvious failures. TSA needs to focus on security, not their obvious complicity with the airlines and the airlines' heavy lobbying.

  11. New Homeland Security Motto: by Lord_Slepnir · · Score: 2, Insightful

    "Homeland Security: We can't secure any of our borders, but we'll inconvenience hijackers by making sure they can't brush their teeth!"

  12. So what did we learn kids? by drgonzo59 · · Score: 2, Insightful
    Don't trust the government. Whenever you feel the "I just want to help" vibe coming on, rephrase that into "How can _I_ profit from this?". If he did that he would have sold his generator to al-Qaeda for cash and retired by now. He wanted to "help" and he got screwed!


    The thing is, Americans cannot understand how someone could possibly just "want to help" and not "want to make money". If such a thing happens, then surely they must be up to something, they are probably a terrorist and should be locked up anyway.

  13. Re:he has it coming by PatrickThomson · · Score: 2, Insightful

    No, if he was a criminal he'd have kept it quiet and sold it. How do we know a criminal's version of this scheme wasn't already running? We don't, but we know that now it won't work. For every security researcher there are 3 self-serving fiscally-motivated elitist assholes and it is the security researcher's moral obligation to practice full disclosure (after giving the company notice and time to fix the hole).

    --
    I am one of many. My idea is not unique, nor do I expect my voice alone to sway you. I speak in a chorus of opinion.
  14. Re:he has it coming by molog · · Score: 3, Insightful

    Like how ABC news had permission when they showed that they could sneak box cutters onto a plane, just 1 year after 911?

    Molog

    --
    So Linus, what are we going to do tonight?
    The same thing we do every night Tux. Try to take over the world!
  15. No-fly list? by theoriginalturtle · · Score: 2, Insightful

    Is that their latest pre-emptive penalty, sticking people they don't like on the no-fly list? While not legally in the same category as house arrest, by infringing on his right to travel, have they or have they not already imposed a civil penalty?

    I didn't actually see a citation of where he'd been placed on the no-fly list, can anyone find one and post it? Probably not, since the list doesn't even technically "exist" except as an abstract concept... sorta.

    I have to strongly disagree with the dude above who insists that what CS did was "wrong." He neither invented the method of subverting a broken access control system (it had been possible to alter boarding passes with a $50 scanner and a cheap inkjet printer for who-knows-how-long) nor did he encourage anyone to break the law. Worse, TSA's head-in-anus response only even more strongly points up the problem with DHS overall: we can't fix our problems, but we CAN harass people who point the problems out to the world in the hope we might actually do something.

    They're too busy making old ladies take off their shoes.

    --
    ---------------------------------------
    Rotate the pod, please, HAL....
  16. Re:he has it coming by Anonymous Coward · · Score: 1, Insightful

    Hm I could swear I once heard something along the lines of government of the people, by the people, for the people.

    It's our obligation to watch the government, question it, and try to fix it when it's not doing its job. The airlines and the government were clearly aware of this problem as it had been "exploited" by a congressman a couple years back. This is a case of government employees covering their asses instead of fixing the problem. Soghoian publicized the problem because no one was doing anything about it.

    I'm glad to know there are some people who won't roll over saying the government always knows what's best for us. WE run the government and write their checks. Don't forget it.

  17. Re:he has it coming by d3fault · · Score: 2, Insightful

    Do you think the flaw ever would have been brought to attention had he gone through the proper channels? I for one am happy he did this and brought it to everyone's attention, once it's out like this it's hard to down play and ignore.

  18. Re:he has it coming by Broken scope · · Score: 2, Insightful

    So when normal attempts at bringing a problem to light fail because they are too lazy to fix what is found he should just drop it till someone with malicious intent finds it and then start screaming "I TOLD YOU SO!!!". Great idea, I'm sure that would console everyone who was hurt or lost friends and family because of the problem. Pardon him for not wanting people to get hurt first.

    --
    You mad
  19. Re:he has it coming by Brushfireb · · Score: 5, Insightful

    Nice Flamebait... But I'll bite.

    Your argument is simply foolish. The TSA is inept at running a dept, so they are also inept at hiring researchers or security folk to check up on their stuff. This is a government agency. This person committed no actual crime -- he didn't use one, and didn't even print one.

    The criminal would have kept this secret, and used it to his/her benefit by selling it to terrorists, criminals, or whatever. Those types of actions should be punished, SEVERELY!

    What did he do? He made us all safer. He did it by exposing how ridiculous the TSA is, and gave them all the knowledge to fix the problem. He did not personally gain from this experience. If anything, he has suffered already for it much more than he ever should have. I would feel differently if this was a private company and not a public-oriented service (like AIRLINE travel), to which my tax dollars go (both to bail out airline bankruptcy, as well as to operating the TSA).

    IU needs to stick up for their researchers, and foot the legal bill. I doubt they will, however, having been a past student, the administration at IU is pretty much inept equivalent to the TSA in my eyes.

    God forbid someone try to HELP the world...

  20. Re:he has it coming by Qzukk · · Score: 3, Insightful

    Well, his intentions were obviously meaningless, since I can apparently still print out my own boarding passes, legit or not.

    It's a shame the TSA people think just like you, if people would quit trying to kill the messengers, we might start seeing something that looked more like security and less like cronies securing contracts.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  21. Having it both ways... by Vellmont · · Score: 1, Insightful

    I didn't actually see the site while it was up, so maybe the guy actually DID this, but.

    To avoid being arrested, why not make the boarding pass have VOID VOID VOID printed all over it in such a way as it exposes the problem, but doesn't actually create a valid boarding pass. Then he would have violated no laws, AND exposed the poor security procedure at the same time.

    Once the story broke he could create a boarding pass that's given to someone that's authorized to test the fake boarding pass, or others could independently confirm that the fake pass would work by comparing it to a real boarding pass.

    Anyone know if the site did anything to show that the pass was actually invalid?

    It seems a bit foolish to put up a working system and not expect the government to go all apeshit.

    --
    AccountKiller
  22. Final proof the no-fly list isn't about safety by Beryllium Sphere(tm) · · Score: 5, Insightful

    There's no reason to believe he even might endanger any airplane that he boards. There's not even the thread of suspicion you'd get from guilt by association. There's no allegation that he has violent tendencies or has threatened violence.

    He's there because the no-fly list is a tool for control and coercion at the whim of the authorities without the restraint of statute or jury.

  23. Balancing act... by multimediavt · · Score: 1, Insightful

    I'm not saying that what the TSA is doing to this guy (or any of us) is right. I think it's blatant sour grapes! But, I don't condone Chris Soghoian's actions either. He should have "done the right thing" and approached the TSA *BEFORE* he made his findings public, and he certainly *NEVER* should have made his web app public. What he did was dumb and irresponsible, period. Was it illegal, ummm, that's up to the courts to decide.

  24. Nice in theory by MarkusQ · · Score: 5, Insightful
    A responsible researcher could have created a proof-of-concept, and raised awareness through media channels, research paper, blog etc. He should have also presented his research to the TSA and the airlines.

    You seem to be forgetting that that had already been done, up to and including having the information on how to create a fake boarding pass published on a congressman's web site for a year or so prior to his arrest. And yes, there had already been newspaper articles on it, and the TSA was either well aware of it and doing nothing or unaware of it even though it had been reported to them multiple times.

    Let's call this for what it is: trouble-making, not research.

    Ok, fine. It was trouble making. But for whom? It didn't lower airport security one iota. Anyone who cared about it already knew how to do it. What it did do, though, was make trouble for the fake "security" providers at the TSA, and point out the fact that they are ripping us (the taxpayers) off.

    We saw the same sort of misleading argument come up when people started pointing out that US Military personnel were being given ineffective bulletproof vests; somehow the people who were trying to raise awareness of the issue were supposedly "helping the terrorists." Which is just nuts. What they were doing is making things uncomfortable for the crooks selling the defective jackets, and having zero impact on the people wearing them unless and until they could raise enough awareness of the issue to get things changed--in which case their actions would have helped the troops, not hurt them.

    --MarkusQ

  25. A little bit frightened by blankinthefill · · Score: 2, Insightful

    This is a little bit frightening to me, not because they're prosecuting him and all, because I've come to expect that, but because of where it could lead. We all know that security is never permanent. If there is a way to stop someone from doing something, there is a way around it. What happens when the government realizes this? Some of the cases that get pushed through, like this one (IMHO, anyways) are ridiculous, but what happens when the government realizes that it's just the tip of the iceberg? It sounds kinda funny now, but after seeing the ways in which the government has evolved over the last few years, I would believe anything of them. What happens when they start bringing cases against people who make a proof of concept? Once we know something can be done, the rest is relatively easy, right? So proving that something can be done is like telling the terrorists how to do it, right? Of course, once you think of an idea of how to do something, you've taken your first step on the road to making a proof of concept, am I right? I look at those last few sentences and it makes me shudder, how absurd the logic is, but it's all too familiar to me. It's very like certain justifications to get a hold on certain domestic phone records, or even records from your local library. I've always been of the opinion that America is the best place to live (for me, at least), but if thought processes like this continue to spread and grow, I don't know that America will continue to be a good place to live for very much longer. I like my freedom, and I am not willing to give up personal freedoms in order to lead a life filled with a false sense of security, under a tyrannical government that is unwilling to admit that it can and does make mistakes.

  26. Re:Proving a point is expensive.... by pla · · Score: 4, Insightful

    How does one point out the error/flaws in said system without falling afoul of the law(s)?

    Survey says - "Anonymously".

    He could have written his boarding pass creator as a flash app and uploaded it to Newgrounds. He could have posted a JS version on any of a number of blogs without using his own name. He could have even posted about it, with a link to an anonymously hosted applet, and probably made the Slashdot FP. He could even have gotten someone outside the US to host the exact same content, with all occurrences of his name replaced by "Mr. CheeseNips".

    But no. He had to use his own name, and therein lies his biggest mistake.

    Anyone who says we don't need anonymity just doesn't fear the government enough for their own good. And anyone who makes the government look bad without at least trying to hide their identity needs to study their history a tad more.

    I, for one, THANK Soghoian for exposing a glaring flaw in the farce we call the TSA. Not because it has made us safer (as we can see, they chose to shoot the messenger rather than, y'know, fix the goddamned problem), but because it has slightly reduced the false sense of security among the voting sheep.

  27. Re:Looks the same as the FBI investigation by westlake · · Score: 2, Insightful
    All of the legalese (as well as I can read it) states is that you can't make these or hire someone else to make them. Well, he didn't, he just created a program that COULD

    only a Geek would believe that this kind of argument plays well in court.

  28. Get used to it by iviagnus · · Score: 2, Insightful

    That's the United States today, unfortunately. If I had the financial resources I'd move to Europe, Russia, Asia, Australia, anywhere other than here. Anything is better than the $@&^ed-up crap our government is getting away with now. They are a bunch of psychopaths that can't stand to have anyone smarter than they are (which is any non-government employee) point out their flaws. I'll be glad when the common people of this once great nation are fed up and take it back. Terrorist attacks on the United States and abroad have brought out the worst in our government . . . so much so that we're hated around the world by everyone not a government scumbag. Losers!

  29. wait... by UrktheTurk · · Score: 3, Insightful

    They put the guy who can forge boarding passes on the no-fly list? Does anybody else find that kinda... I don't know... retarded?