Slashdot Mirror


TSA Now Investigating Boarding Pass Hacker

An anonymous reader writes "A week after the Justice Department cleared him of any wrongdoing, Chris Soghoian, the Indiana University PhD student who created an online boarding pass generator for Northwest Airlines to highlight security holes is on the government's 'no-fly' list. The Transportation Security Administration has now launched its own investigation, says Wired blog 27strokeB. The TSA is claiming that Soghoian 'attempted to circumvent an established civil aviation security program established in the Transportation Security Regulations,' violations of which carry fines of up to $11,000 per violation. That could be a steep fine, says Washingtonpost.com's Security Fix blog: 'Something like 35,000 people viewed and possibly used the boarding pass generator during the less than 72 hours that it was live on his site in November. Soghoian told WaPo: "If they decide that the only safe way for me to leave the country is by boat, then that's pretty much the end of my career here in the States. It's one thing to harass researchers, but if they can chase them out of the country, then that's a real chilling effect."'"

10 of 270 comments

  1. What's the fine? by HangingChad · · Score: 5, Insightful

    What's the fine for making TSA look stupid?

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:What's the fine? by towermac · · Score: 5, Insightful

      apx. $11,000 per incident.

    2. Re:What's the fine? by JohnnyGTO · · Score: 5, Funny

      Can they fine themselves?

      I was in line behind a TSA employee from a local small airport. She was telling the cashier that she had left the check to pay for a number of photocopied documents in her car and must retrieve it to pay. BUT she could not leave the documents and had to take them with her to the car as they were VERY VERY sensitive. Here's the kicker, she left them at Staples overnight to be copied.

      I wonder if they let her sleep there and then shot the copier tech out in the alley?

      --
      Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
  2. Re:35,000 views? by 'nother poster · · Score: 5, Insightful

    No, shame on the TSA for not implementing real security requirements.

  3. He can still travel by Col. Klink (retired) · · Score: 5, Insightful

    As long as they don't fix the flaw, he can still exploit it and circumvent any extra scrutiny they try and put on him.

    --

    -- Don't Tase me, bro!

  4. Airport Security is a joke by bigbadbuccidaddy · · Score: 5, Insightful

    Airport security is a joke, and all he did is point that out. I will point something else out. When I was waiting in the immensely long line for United Domestic Check-In, I noticed they controlled access to the door behind the ticket counter with a simple mechanical combination lock. I observed several United Airlines employees entering and every time I could clearly see the code being entered. I felt very secure.

    1. Re:Airport Security is a joke by ChaosDiscord · · Score: 5, Insightful

      He crossed the line from researcher to (potentially) criminal when he published a tool on the web that had no other purpose than to make it possible for others to circumvent security.

      The purpose was to shame the TSA into fixing a problem which was widely known and publicized: August 2003 by security expert Bruce Schneier, February 2005 in Slate, February 2005 press release by a US Senator, February 2006 article in CSO Online. The TSA has been ignoring the problem for over three years. Bad guys have known about the attack for at least three years, possibly longer. For all we know bad guys are using it right now; we have no way of knowing. Even without Soghoian's program, it was really, really trivial to exploit; all you need is a very basic understanding of HTML, enough to change one name to another, to execute the attack Schneier described in 2003. The media has been letting the TSA continue to ignore this. If Soghoian had simply published a "I can make fake boarding passes and get into the 'sterile' area of an airport" he would have gotten an article or two and nothing would have changed. By providing a working exploit things just became that much harder for the TSA. News coverage exploded. Finally something will happen.

      The TSA has proven itself grossly incompetent. There is little to no oversight and zero public accountability. Drastic measures were necessary, as rational measures have clearly failed. The really sad thing is even in the face of such a drastic failure, they're not fixing the core problem.

  5. Re:he has it coming by Brushfireb · · Score: 5, Insightful

    Nice Flamebait... But I'll bite.

    Your argument is simply foolish. The TSA is inept at running a dept, so they are also inept at hiring researchers or security folk to check up on their stuff. This is a government agency. This person committed no actual crime -- he didn't use one, and didn't even print one.

    The criminal would have kept this secret, and used it to his/her benefit by selling it to terrorists, criminals, or whatever. Those types of actions should be punished, SEVERELY!

    What did he do? He made us all safer. He did it by exposing how ridiculous the TSA is, and gave them all the knowledge to fix the problem. He did not personally gain from this experience. If anything, he has suffered already for it much more than he ever should have. I would feel differently if this was a private company and not a public-oriented service (like AIRLINE travel), to which my tax dollars go (both to bail out airline bankruptcy, as well as to operating the TSA).

    IU needs to stick up for their researchers, and foot the legal bill. I doubt they will, however, having been a past student, the administration at IU is pretty much inept equivalent to the TSA in my eyes.

    God forbid someone try to HELP the world...

  6. Final proof the no-fly list isn't about safety by Beryllium Sphere(tm) · · Score: 5, Insightful

    There's no reason to believe he even might endanger any airplane that he boards. There's not even the thread of suspicion you'd get from guilt by association. There's no allegation that he has violent tendencies or has threatened violence.

    He's there because the no-fly list is a tool for control and coercion at the whim of the authorities without the restraint of statute or jury.

  7. Nice in theory by MarkusQ · · Score: 5, Insightful

    A responsible researcher could have created a proof-of-concept, and raised awareness through media channels, research paper, blog etc. He should have also presented his research to the TSA and the airlines.

    You seem to be forgetting that that had already been done, up to and including having the information on how to create a fake boarding pass published on a congressman's web site for a year or so prior to his arrest. And yes, there had already been newspaper articles on it, and the TSA was either well aware of it and doing nothing or unaware of it even though it had been reported to them multiple times.

    Let's call this for what it is: trouble-making, not research.

    Ok, fine. It was trouble making. But for whom? It didn't lower airport security one iota. Anyone who cared about it already knew how to do it. What it did do, though, was make trouble for the fake "security" providers at the TSA, and point out the fact that they are ripping us (the taxpayers) off.

    We saw the same sort of misleading argument come up when people started pointing out that US Military personnel were being given ineffective bulletproof vests; somehow the people who were trying to raise awareness of the issue were supposedly "helping the terrorists." Which is just nuts. What they were doing is making things uncomfortable for the crooks selling the defective jackets, and having zero impact on the people wearing them unless and until they could raise enough awareness of the issue to get things changed--in which case their actions would have helped the troops, not hurt them.

    --MarkusQ