The home of Christopher Soghoian, a PhD student and security researcher from the School of Informatics at Indiana University Bloomington, was raided by the FBI early Saturday morning. Soghoian had created a fake boarding pass generator to demonstrate flaws in the government's implementation of a no-fly list and posted the generator on his webpage, stating that "The TSA Emperor has no clothes". The FBI visited Soghoian on Friday and told him to take the site down, and Soghoian complied. The following morning, shortly after midnight, his home was raided by the FBI, and his computers along with other important items were gone.
Earlier in the week, US Congressman Ed Markey (D-Mass) called for Soghoian to be arrested and his website shut down. After being blasted by bloggers around the web, Congressman Markey rescinded his call early Sunday morning.
Michael Hampton of "Homeland Stupidity" wrote:
"It’s also not like this particular security problem requires any particular technical skill. Anybody who can operate Microsoft Word could exploit this airport security problem. And only the most basic knowledge of Web programming would be necessary to re-create this particular code. Sites hosting mirrors of the boarding pass generator are already starting to appear on the Internet, as I predicted Friday.
So what we have is the FBI going after security researchers who are actually helping make us more secure. Apparently it’s perfectly fine to have bad airport security. After all, as long as nobody actually points out how bad the security is, then the security must be good! This is really how these people think.
[UPDATE 10/30/2006 9:30 PM]
Joris Evers has more on this story and writes:
Bruce Schneier, a noted security expert, linked to it from his blog on Thursday. Schneier highlighted the same issue with the print-at-home boarding passes on his mailing list more than three years ago. U.S. Sen. Charles Schumer, a New York Democrat, warned of the same security issue last year and again in April this year.
It appears that nothing has been done about this poor authentication issue in more than three years, and it took a website with a do-it-yourself PHP script and an FBI raid to garner national attention.