Slashdot Mirror


TSA Now Investigating Boarding Pass Hacker

An anonymous reader writes "A week after the Justice Department cleared him of any wrongdoing, Chris Soghoian, the Indiana University PhD student who created an online boarding pass generator for Northwest Airlines to highlight security holes, is on the government's 'no-fly' list. The Transportation Security Administration has now launched its own investigation, says Wired blog 27strokeB. The TSA is claiming that Soghoian 'attempted to circumvent an established civil aviation security program established in the Transportation Security Regulations,' violations of which carry fines of up to $11,000 per violation. That could be a steep fine, says Washingtonpost.com's Security Fix blog: 'Something like 35,000 people viewed and possibly used the boarding pass generator during the less than 72 hours that it was live on his site in November. Soghoian told WaPo: "If they decide that the only safe way for me to leave the country is by boat, then that's pretty much the end of my career here in the States. It's one thing to harass researchers, but if they can chase them out of the country, then that's a real chilling effect."'"

2 of 270 comments

  1. Re:he has it coming by Daemonstar · Score: 1, Troll

    I agree.

    The U.S. is a country of laws: we believe in the rule of law (before anyone comments, this is a standard question covered in Texas police training under the TCLEOSE module "The History of Policing"). Whether it was right or not, it was against the law. It is up to governmental authority whether or not to punish the individual.

    They have to weigh the fact that a) it was illegal, it was known by the individual that his actions were illegal, and he intentionally violated the law, and b) his actions publicized a major flaw in national security and personal safety, exemplifying how security could be circumvented even when the flaw was previously known.

    In hindsight, what he should have done was get in touch with the entity responsible for security of the airport and presented his evidence. This is analogous to the scientist that invents some "cure", skips FDA approval, injects himself, and it ends up harming himself and others. It also reminds me of the ST:TNG episode Force of Nature.

    While what he did was "noble" or "right", he went about it the wrong way.

    --
    I don't reply to Anonymous posts; if you have something to say to me, identify yourself or I won't reply.
  2. Re:Irresponsible researcher by bugnuts · Score: 1, Troll

    This was almost exactly what I said when it first happened. It was also nothing unique in its implementation. I wrangled a -1 Troll, too! :-)

    The problem exposes some very alarming trends I see in security research. It used to merely be embarrassing when someone would release exploit code, but there really wasn't any recourse other than fix the flaw asap. Then, the separation between blackhat and whitehat hacking became more distinct... the responsible researchers started to notify the manufacturers with enough time to fix, with an underlying veiled threat of embarrassment as the cost of exploits rose. But there was always a threat of "fix this before I release the information".

    But somehow, somewhere, the government got involved and everything went to hell in research. Now we have the DMCA, and asshat maneuvers like Adobe getting people arrested for legal activities, chilling effects on legal speech through threats BY corporations who are negligent, bullying academics, and so on. We have the USA PATRIOT Act. We have a war on US citizens, not just terrorists. And then, in this windstorm, Soghoian was an idiot by sticking out his neck while the farmer had been sharpening his axe.

    What he did wasn't research... it was obvious to any hacker who's ever printed a boarding pass in advance. What he did was simple embarrassing exposure. Now, I fully believe his speech should be protected, but frankly he was irresponsible in the first place and it's difficult to find any sympathy.