Researcher raided by FBI for blowing whistle on Airport security

Researcher raided by FBI for blowing whistle on Airport security

Summary: The home of a PhD student and security researcher Christopher Soghoian from the School of Informatics at Indiana University Bloomington was raided by the FBI early Saturday morning.  Soghoian had created a fake boarding pass generator to demonstrate flaws in the Government's implementation of a no-fly list and posted the generator on his webpage stating that "The TSA Emperor has no clothes".

SHARE:
TOPICS: Government US
76

The home of a PhD student and security researcher Christopher Soghoian from the School of Informatics at Indiana University Bloomington was raided by the FBI early Saturday morning.  Soghoian had created a fake boarding pass generator to demonstrate flaws in the Government's implementation of a no-fly list and posted the generator on his webpage stating that "The TSA Emperor has no clothes".  The FBI visited Soghoian on Friday and told him to take the site down and Soghoian complied.  That following morning shortly after midnight, his home was raided by the FBI and his computers along with other important items were gone.

Earlier in the week, US Congressman Ed Markey (D-Mass) called for Soghoian to be arrested and his website shutdown.  After being blasted by bloggers around the web, Congressman Markey rescinded his call early Sunday morning.

Michael Hampton of "Homeland Stupidity" wrote:
"It’s also not like this particular security problem requires any particular technical skill.  Anybody who can operate Microsoft Word could exploit this airport security problem.  And only the most basic knowledge of Web programming would be necessary to re-create this particular code.  Sites hosting mirrors of the boarding pass generator are already starting to appear on the Internet, as I predicted Friday.

So what we have is the FBI going after security researchers who are actually helping make us more secure.  Apparently it’s perfectly fine to have bad airport security.  After all, as long as nobody actually points out how bad the security is, then the security must be good!  This is really how these people think.

[UPDATE 10/30/2006 9:30 PM]
Joris Evers has more on this story and writes:

Bruce Schneier, a noted security expert, linked to it from his blog on Thursday. Schneier highlighted the same issue with the print-at-home boarding passes on his mailing list more than three years ago. U.S. Sen. Charles Schumer, a New York Democrat, warned of the same security issue last year and again in April this year.

It appears that nothing has been done in more than three years about this poor authentication issue and it took a website with a do-it-yourself PHP script and an FBI raid to garner national attention.

Topic: Government US

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

76 comments
Log in or register to join the discussion
  • Yep just like

    "Apparently it?s perfectly fine to have bad airport security. After
    all, as long as nobody actually points out how bad the security
    is, then the security must be good! This is really how these
    people think."

    blaming the writers of malware for a malware ridden OS.

    Now that wouldn't be defended by anyone would it;-)
    Richard Flude
    • That really takes the cake

      Do you seriously not understand that posting research on flaws is not the same as committing actual crimes? Does your zealotry know no bounds?
      georgeou
      • And do you not know better...

        ... than to respond to such an obvious troll?

        I'll have to award him at least 7.2 for hooking you so easily!

        :-)
        bportlock
      • Clearly not

        "Do you seriously not understand that posting research on flaws
        is not the same as committing actual crimes?"

        In the US of A it can be a crime to publish research into software
        bugs so your point is completely lost on me.

        My understanding of the events was Soghoian published a site
        that enabled fake boarding passes to be produced. These
        boarding passes could have been used fraudulently to by-pass
        security at airports - A FEDERAL OFFENCE AND A CRIME so again
        your point fails.

        I was having a bit of fun but it's ironic that George defends MS
        and their malware ridden OS yet doesn't extend the same
        fanboyism for the bug ridden Homeland Security program.
        Mustn't pay as well;-)


        "Does your zealotry know no bounds?"

        Clearly not;-)
        Richard Flude
      • Actually, they are very much the same...

        This would be like posting an exploit for an OS without contacting the proper people to fix the exploit first. I believe that would be called Black Hat Hacking.

        The ones committing the crime would be the ones who actually use the exploit.
        nucrash
        • Not sure I can agree

          ---This would be like posting an exploit for an OS without contacting the proper people to fix the exploit first.---

          But this exploit has already been reported repeatedly:
          Here in 2003
          http://www.schneier.com/crypto-gram-0308.html#6

          Here in 2005
          http://www.slate.com/id/2113157/fr/rss/

          And here, by a member of Congress in 2006:
          http://schumer.senate.gov/SchumerWebsite/pressroom/record.cfm?id=259517&&
          tic swayback
      • Re: That really takes the cake

        [i]Do you seriously not understand that posting research on flaws is not the same as committing actual crimes?[/i]

        Uh, hello!

        If this guy did not commit an "actual crime" then the FBI has a lot of explaining to do. They raided his house and seized his property!


        :)
        none none
        • FBI has a lot of explaining to do

          And exactly when was the last time you heard of the FBI explaining anything to anybody? We're the government, so we are right by definition!
          dmhunter@...
      • Sorry, George

        I travel a hundred thousand miles a year by plane. Airport security
        matters to me.

        This guy knowingly published a way for terrorists or other
        criminals to bypass federal security. That's a little more severe than
        'posting research on flaws'.
        jragosta
        • I call Bull

          I think you are just posting an opposition to George just to spite anything he may say.
          nucrash
          • I think..

            you're full of it.

            I fly 100,000 miles per year. I'm opposed to anything that makes
            airports less safe. Publiicly posting the information for terrorists to
            get around one key security procedure makes flying less safe.

            Of course, you've never hesitated to make stupid posts before, so
            I'm not suprised that you're doing it again.
            jragosta
          • What was posted...

            Is what I would consider Common Sense.

            With Security that can be tharted that easily, I think the problem is with the Airlines, not the poster.
            nucrash
          • It's still wrong

            Some experts claim that it's not that hard to build a nuclear
            weapon. Should publishing the details of how to build a 500
            megaton weapon on the internet be allowed?

            The fact is that there was no purpose to him publishing the
            information other than to aid criminals.
            jragosta
          • Airport security

            has never really been an issue, even though we make a show of pretending it does. Current airport security measures could not stop a nearly identical attack from happening tomorrow.

            And for all of the foolish people who are so freaked out by the possibility of a terrorist hijacking their plane and slamming it into a building, consider this: Combined passengers, rew, and building occupants killed on 9/11/2001: less than 6,000; total US fatalities from post 9/11 military actions: less than 6,000 (that's a significant overstatement). Total highway deaths in the United States in 2003: 42,643 (source http://www-nrd.nhtsa.dot.gov/pdf/nrd-30/NCSA/TSF2003/809767.pdf).
            Multiply that by the five years this conflict (and the "security" measures) has been going on, and you get 213,215 highway deaths (number is actually somewhat higher).

            Fact of life is that you are more than 20 times as likely to get killed driving home from the airport than be killed in terrorist related activities. So quit whining about how many miles you fly, nobody who knows anything about physical security considers the airports of this country any safer than they were ten years ago. The measures taken cause passengers inconvenience, employ thousands nationwide, and do absolutely nothing to prevent terrorism.
            bladehawke@...
          • Airport security

            You forgot to mention that the "war on terror", like the "war on drugs" - has spawned whole industries and is making some people very rich.
            Neither war is designed to be won, after all that would kill the golden calf.
            antinym
          • Ya, you fly alright. High on something thats for sure.

            Okay. Lets give yappy mouth jragosta the benefit of the doubt for a few second here. 100000 air miles a year translates into about 1900 miles a week every single week of the year, personally I do not see how you even have the time to post on Zdnet if you have a job that requires that kind of travel time, but if you do not want to be caught in what appears on the surface to be an obvious overstatement (lie) then I suggest you back up such a wild claim with some further explanation or leave the issue alone.

            Given your past ludicrous statements you are already perceived as a wicked story teller, so unless you want to make your already tattered credibility worse off then it is you had better explain the 100000 miles a year story.
            Cayble
          • No wonder you and George get along

            You and George both like to babble about things you have no
            clue about.

            I've been to China twice this year - that's 32,000 miles just for
            those trips. Three trips to Europe add 36,000 miles. Add in the
            domestic trips and it's about 100,000. I've hit Platinum on
            American (60,000 miles) every year for the last 5. I've hit
            Executive Platinum (100,000 miles) 2 of the last 3.

            But, then, you and George never did hesitate to make things up
            when you have no way of knowing the reality of a situation
            jragosta
      • Evidently the FBI believes a crime ...

        ... was commited by the researcher or there wouldn't have been a raid. research is one thing. Publishing a tool to forge boarding passes is another. wether a crime was committed or not is up to a judge to decide. Let me ask you something. If I am researching how easy it is to forge money is it all wright if I publish a tool for doing so on the Internet?
        ShadeTree
        • Should airlines all be arrested? Or dreamweaver?

          ---Let me ask you something. If I am researching how easy it is to forge money is it all wright if I publish a tool for doing so on the Internet?---

          Given that all boarding passes printed online can be modded by hand editing the html, aren't all airlines liable here? Aren't they essentially providing a tool for forging boarding passes? Or is that responsibility more due to companies that make html editing software?
          tic swayback
          • Let's put it this way

            Airlines give you the ability to print a boarding pass online - as a
            mechanism of improving their customer service. There is
            therefore a legitimate reason for their system.

            The hackers who publish this information in spite of knowing
            that it can be used for criminal activity don't have any legitimate
            business reason to do so. The ONLY possible purpose is for
            bypassing the required security.

            Since there's no legitimate reason and it's clear that it's being
            done to bypass security, they should be punished.

            I don't buy your 'they were only doing it to get the government
            to act' argument. There are other ways to do that. How about
            writing to a major newspaper and explaining that there's a
            simple way to bypass airport security - without publishing the
            details?
            jragosta