Slashdot Mirror
TSA Now Investigating Boarding Pass Hacker
An anonymous reader writes "A week after the Justice Department cleared him of any wrongdoing, Chris Soghoian, the Indiana University PhD student who created an online boarding pass generator for Northwest Airlines to highlight security holes is on the government's 'no-fly' list. The Transportation Security Administration has now launched its own investigation, says Wired blog 27strokeB. The TSA is claiming that Soghoian 'attempted to circumvent an established civil aviation security program established in the Transportation Security Regulations,' violations of which carry fines of up to $11,000 per violation. That could be a steep fine, says Washingtonpost.com's Security Fix blog: 'Something like 35,000 people viewed and possibly used the boarding pass generator during the less than 72 hours that it was live on his site in November. Soghoian told WaPo: "If they decide that the only safe way for me to leave the country is by boat, then that's pretty much the end of my career here in the States. It's one thing to harass researchers, but if they can chase them out of the country, then that's a real chilling effect."'"
What's the fine for making TSA look stupid?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
No, shame on the TSA for not implimenting real secuity requirements.
The people responsible within the TSA need to be dealt with. These fuckheads have some nerve harrassing a researcher for bringing their errors to wider attention.
The fine seems reasonable, will they accept cash?
There are no karma whores, only moderation johns
And it's a "Brazil" reference, of course, which is nicely appropriate in this context...
you had me at #!
As long as they don't fix the flaw, he can still exploit it and circumvent any extra scrutiny they try and put on him.
-- Don't Tase me, bro!
I was one but I didn't get to it from Slashdot. I got to it from several local bloggers that pointed it out.
Big fucking deal. It was an obvious security hole. If anything, he should be hailed, not jailed. But then again, we don't want to go out and make NWA (who fucking blow anyway) and the TSA look worse than they already do (if anyone is reading from MCO's TSA, fucking fix your system by doing a "best practices visit" to any number of other airports -- your system sucks even at 4:00AM)
Airport security is a joke, and all he did is point that out. I will point something else out. When I was waiting in the immensely long line for United Domestic Check-In, I noticed they controlled access to the door behind the ticket counter with a simple mechanical combination lock. I observed several United Airlines employees entering and every time I could clearly see the code being entered. I felt very secure.
I *so* wanted to mod this post "troll," but that is unfitting - your ideas are not meant to provoke, but to unprovoke, and breed grudging contentment with the sad status quo. So no troll moderation for you. Sadly, there is no "defeatist fucktard lemming" moderation available. That would be fitting.
Eloi are stupid, throw morlocks at them!
No kidding. This was an obvious loophole that had been pointed out a very long time ago. Investigating the kid till you're blue in the face doesn't make the problem go away. Anyone with moderately good office-suite type computer skills could fake a bording pass. TSA needs to focus on security, not obscurity of their obvious failures. TSA needs to focus on security, not their obvious complicity with the airlines and the airlines heavey lobbying.
Wired doesn't mention it, but in the kid's blog, he links to a re-implementation of his boarding pass generator, this time using html & java.
. tar.gz
Coralized Archive of the mirror: http://geocities.com.nyud.net:8080/j0hn4dm5/forge
The mirror:
-http://j0hn4d4m5.bravehost.com/
(Coral CDN didn't seem to work on it)
Maybe now the TSA will actually do something about their security hole.
Actually, I doubt it, but we can hope.
[Fuck Beta]
o0t!
This whole airline TSA thing is a crock of BS. Over Kill.
... expected.
So, a bunch of terrorists captured a couple of airplanes and flew them into buildings. Yeah, a bunch of people died, which is tragic. And the Economy Burped, which is
However, we've learned our lesson, and have secured the airplanes better. In addition, I doubt, HIGHLY DOUBT, that they could get anywhere close to doing the same thing, given the same circumstances, mainly because the passengers wouldn't stand for it.
Screening 80 year old grandmas of their knitting needles is stupid. Taking off shoes is stupid. Banning Liquids is stupid. For all the inconvenience of it all, it will not prevent someone from trying to by-pass whatever security is setup, and eventually they will succeed.
I know for a fact that I could bring a knife on board a plane even today, even passing through all the security. They can't stop me if they can't see it. And there are such knives available.
The point is, all this "security" isn't really designed to prevent hi-jackers, it is designed to placate the masses. See my sig for more info
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Like how ABC news had permission when they showed that they could sneak box cutters onto a plane, just 1 year after 911?
Molog
So Linus, what are we going to do tonight?
The same thing we do every night Tux. Try to take over the world!
Nice Flaimbait...But i'll bite.
Your argument is simply foolish. The TSA is inept at running a dept, so they are also inept at hiring researchers or security folk to check up on their stuff. This is a government agency. This person committed no actual crime -- he didnt use one, and didnt even print one.
The criminal would have kept this secret, and used it to his/her benefit by selling it to terrorists, criminals, or whatever. Those types of actions should be punished, SEVERELY!
What did he do? He made us all safer. He did it by exposing how ridiculous the TSA is, and gave them all the knowledge to fix the problem. He did not personally gain from this experience. If anything, he has suffered already for it much more than he ever should have. I would feel differently if this was a private company and not a public-oriented service (like AIRLINE travel), to which my tax dollars go (both to bail out airline bankruptcy, as well as to operating the TSA).
IU needs to stick up for their researchers, and foot the legal bill. I doubt they will, however, having been a past student, the administration at IU is pretty much inept equivalent to the TSA in my eyes.
God forbid someone try to HELP the world...
Well, his intentions were obviously meaningless, since I can apparently still print out my own boarding passes, legit or not.
It's a shame the TSA people think just like you, if people would quit trying to kill the messengers, we might start seeing something that looked more like security and less like cronies securing contracts.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Printing counterfeit money is not illegal...
Actually, it is:
____
~ |rip/\/\aster /\/\onkey
Does that mean he is grounded for being naughty?
That's unfair. Obviously he did his homework.
"Hannibal's plans never work right. They just work." Amy/A-Team
There's no reason to believe he even might endanger any airplane that he boards. There's not even the thread of suspicion you'd get from guilt by association. There's no allegation that he has violent tendencies or has threatened violence.
He's there because the no-fly list is a tool for control and coercion at the whim of the authorities without the restraint of statute or jury.
You seem to be forgetting that that had already been done, up to and including having the information on how to create a fake boarding pass published on a congressman's web site for a year or so prior to his arrest. And yes, there had already be newspaper articles on it, and the TSA was either well aware of it and doing nothing or unaware of it even though it had been reported to them multiple times.
Ok, fine. It was trouble making. But for whom? It didn't lower airport security one iota. Anyone who cared about it already new how to do it. What it did do, though, was make trouble for the fake "security" providers at the TSA, and point out the fact that they are ripping us (the taxpayers) off.
We saw the same sort of misleading argument come up when people started pointing out that US Military personnel were being given ineffective bulletproof vests; somehow the people who were trying to raise awareness of the issue were supposedly "helping the terrorists." Which is just nuts. What they were doing is making things uncomfortable for the crooks selling the defective jackets, and having zero impact on the people wearing them unless and until they could raise enough awareness of the issue to get things changed--in which case their actions would have helped the roops, not hurt them.
--MarkusQ
How does one point out the error/flaws in said system without falling afoul of the law(s)?
Survey says - "Anonymously".
He could have written his boarding pass creator as a flash app and uploaded it to Newgrounds. He could have posted a JS version on any of a number of blogs without using his own name. He could have even posted about it, with a link to an anonymously hosted applet, and probably made the Slashdot FP. He could even have gotten someone outside the US to host the exact same content, with all occurrences of his name replaced by "Mr. CheeseNips".
But no. He had to use his own name, and therein lies his biggest mistake.
Anyone who says we don't need anonymity just doesn't fear the government enough for their own good. And anyone who makes the government look bad without at least trying to hide their identity needs to study their history a tad more.
I, for one, THANK Soghoian for exposing a glaring flaw in the farce we call the TSA. Not because it has made us safer (as we can see, they chose to shoot the messenger rather than, y'know, fix the goddamned problem), but because it has slightly reduced the false sense of security among the voting sheep.
But the man who introduced fire to the world was burned at the stake.
Bollocks he was. He (Prometheus) was chained to a rock, and an eagle would come every day and tear out his liver. Then, in the night, his liver would grow back. Sheesh, don't you kids learn any mythology anymore?
Tubal-Cain smokes the white owl.
CSO Online told people about it in February 2006. Slate told people about it in February 2005. Senator Schumer told people about it in February 2005. Security expert Bruce Schneier told people about it in August 2003.
We're more than a little beyond "telling people" being productive.
Worse, apparently a proof of concept isn't enough. The TSA is busy trying to presecute the messenger, but they still haven't fixed the core problem. I'd sadly forced to conclude that the TSA will not fix a real threat to airline security until terrorists successfully exploit that threat. While honest people are stuck measuring their shampoo out of fear of a deeply implausible liquid-bomb threat, anyone with access to a printer and a reasonably plausible state ID can get into the "sterile" area of the airport. (I find it darkly humorous that the boarding pass vulnerability makes the cost of getting 30 ounces of liquid explosives onto a plane just 10 fake boarding passes for almost no cost and 10 evil conspirators.)
Search 2010 Gen Con events
They put the guy who can forge boarding passes on the no-fly list? does anybody else find that kinda... i don't know... retarded?
Avoid Missing Ball for High Score
Anyone who makes the government / any powerful organization look bad without at least pausing to think about the repercussions is foolish. Hiring a lawyer might be a good idea. Contacting the TSA and giving them six months notice is also a good idea. Contacting two or three major newspapers and letting them know about it is also a good idea.
But for once, I think Chris Soghoian is brace to use his real name and not hide. If he is really willing to face imprisonment and fines to make the TSA more accountable, the USA safer, and the draconian new "security" measures less credible, he's brave and patriotic in my book.
Just my two cents.