
Researcher raided by FBI for blowing whistle on Airport security

By | October 29, 2006, 12:44pm PST

The home of Christopher Soghoian, a PhD student and security researcher at the School of Informatics at Indiana University Bloomington, was raided by the FBI early Saturday morning. Soghoian had created a fake boarding pass generator to demonstrate flaws in the Government's implementation of a no-fly list and posted the generator on his webpage, stating that "The TSA Emperor has no clothes". The FBI visited Soghoian on Friday and told him to take the site down, and Soghoian complied. The following morning, shortly after midnight, his home was raided by the FBI, and his computers, along with other important items, were gone.

Earlier in the week, US Congressman Ed Markey (D-Mass) called for Soghoian to be arrested and his website shut down. After being blasted by bloggers around the web, Congressman Markey rescinded his call early Sunday morning.

Michael Hampton of "Homeland Stupidity" wrote:
"It’s also not like this particular security problem requires any particular technical skill.  Anybody who can operate Microsoft Word could exploit this airport security problem.  And only the most basic knowledge of Web programming would be necessary to re-create this particular code.  Sites hosting mirrors of the boarding pass generator are already starting to appear on the Internet, as I predicted Friday.

So what we have is the FBI going after security researchers who are actually helping make us more secure.  Apparently it’s perfectly fine to have bad airport security.  After all, as long as nobody actually points out how bad the security is, then the security must be good!  This is really how these people think."

[UPDATE 10/30/2006 9:30 PM]
Joris Evers has more on this story and writes:

Bruce Schneier, a noted security expert, linked to it from his blog on Thursday. Schneier highlighted the same issue with the print-at-home boarding passes on his mailing list more than three years ago. U.S. Sen. Charles Schumer, a New York Democrat, warned of the same security issue last year and again in April this year.

It appears that nothing has been done in more than three years about this poor authentication issue and it took a website with a do-it-yourself PHP script and an FBI raid to garner national attention.

George Ou

George Ou, a former ZDNet blogger, is an IT consultant specializing in Servers, Microsoft, Cisco, Switches, Routers, Firewalls, IDS, VPN, Wireless LAN, Security, and IT infrastructure and architecture.

76
Comments

Yep just like
Richard Flude 29th Oct 2006
"Apparently it's perfectly fine to have bad airport security. After
all, as long as nobody actually points out how bad the security
is, then the security must be good! This is really how these
people think."

blaming the writers of malware for a malware ridden OS.

Now that wouldn't be defended by anyone would it;-)
0 Votes
+ -
That really takes the cake
georgeou 29th Oct 2006
Do you seriously not understand that posting research on flaws is not the same as committing actual crimes? Does your zealotry know no bounds?
0 Votes
+ -
And do you not know better...
bportlock 29th Oct 2006
... than to respond to such an obvious troll?

I'll have to award him at least 7.2 for hooking you so easily!

0 Votes
+ -
Clearly not
Richard Flude 29th Oct 2006
"Do you seriously not understand that posting research on flaws
is not the same as committing actual crimes?"

In the US of A it can be a crime to publish research into software
bugs so your point is completely lost on me.

My understanding of the events was Soghoian published a site
that enabled fake boarding passes to be produced. These
boarding passes could have been used fraudulently to by-pass
security at airports - A FEDERAL OFFENCE AND A CRIME so again
your point fails.

I was having a bit of fun but it's ironic that George defends MS
and their malware ridden OS yet doesn't extend the same
fanboyism for the bug ridden Homeland Security program.
Mustn't pay as well;-)


"Does your zealotry know no bounds?"

Clearly not;-)
0 Votes
+ -
This would be like posting an exploit for an OS without contacting the proper people to fix the exploit first. I believe that would be called Black Hat Hacking.

The ones committing the crime would be the ones who actually use the exploit.
0 Votes
+ -
Not sure I can agree
tic swayback 30th Oct 2006
---This would be like posting an exploit for an OS without contacting the proper people to fix the exploit first.---

But this exploit has already been reported repeatedly:
Here in 2003
http://www.schneier.com/crypto-gram-0308.html#6

Here in 2005
http://www.slate.com/id/2113157/fr/rss/

And here, by a member of Congress in 2006:
http://schumer.senate.gov/SchumerWebsite/pressroom/record.cfm?id=259517&&
0 Votes
+ -
Re: That really takes the cake
none none 30th Oct 2006
Do you seriously not understand that posting research on flaws is not the same as committing actual crimes?

Uh, hello!

If this guy did not commit an "actual crime" then the FBI has a lot of explaining to do. They raided his house and seized his property!


0 Votes
+ -
FBI has a lot of explaining to do
dmhunter@... 30th Oct 2006
And exactly when was the last time you heard of the FBI explaining anything to anybody? We're the government, so we are right by definition!
0 Votes
+ -
Sorry, George
jragosta 30th Oct 2006
I travel a hundred thousand miles a year by plane. Airport security
matters to me.

This guy knowingly published a way for terrorists or other
criminals to bypass federal security. That's a little more severe than
'posting research on flaws'.
0 Votes
+ -
I call Bull
nucrash 30th Oct 2006
I think you are just posting an opposition to George just to spite anything he may say.
0 Votes
+ -
I think..
jragosta 30th Oct 2006
you're full of it.

I fly 100,000 miles per year. I'm opposed to anything that makes
airports less safe. Publicly posting the information for terrorists to
get around one key security procedure makes flying less safe.

Of course, you've never hesitated to make stupid posts before, so
I'm not surprised that you're doing it again.
0 Votes
+ -
What was posted...
nucrash 30th Oct 2006
Is what I would consider Common Sense.

With Security that can be thwarted that easily, I think the problem is with the Airlines, not the poster.
0 Votes
+ -
It's still wrong
jragosta 30th Oct 2006
Some experts claim that it's not that hard to build a nuclear
weapon. Should publishing the details of how to build a 500
megaton weapon on the internet be allowed?

The fact is that there was no purpose to him publishing the
information other than to aid criminals.
0 Votes
+ -
Airport security
bladehawke@... 30th Oct 2006
has never really been an issue, even though we make a show of pretending it does. Current airport security measures could not stop a nearly identical attack from happening tomorrow.

And for all of the foolish people who are so freaked out by the possibility of a terrorist hijacking their plane and slamming it into a building, consider this: Combined passengers, crew, and building occupants killed on 9/11/2001: less than 6,000; total US fatalities from post 9/11 military actions: less than 6,000 (that's a significant overstatement). Total highway deaths in the United States in 2003: 42,643 (source http://www-nrd.nhtsa.dot.gov/pdf/nrd-30/NCSA/TSF2003/809767.pdf).
Multiply that by the five years this conflict (and the "security" measures) has been going on, and you get 213,215 highway deaths (number is actually somewhat higher).

Fact of life is that you are more than 20 times as likely to get killed driving home from the airport than be killed in terrorist related activities. So quit whining about how many miles you fly, nobody who knows anything about physical security considers the airports of this country any safer than they were ten years ago. The measures taken cause passengers inconvenience, employ thousands nationwide, and do absolutely nothing to prevent terrorism.
0 Votes
+ -
Airport security
antinym 2nd Nov 2006
You forgot to mention that the "war on terror", like the "war on drugs" - has spawned whole industries and is making some people very rich.
Neither war is designed to be won, after all that would kill the golden calf.
Okay. Let's give yappy mouth jragosta the benefit of the doubt for a few seconds here. 100000 air miles a year translates into about 1900 miles a week every single week of the year, personally I do not see how you even have the time to post on Zdnet if you have a job that requires that kind of travel time, but if you do not want to be caught in what appears on the surface to be an obvious overstatement (lie) then I suggest you back up such a wild claim with some further explanation or leave the issue alone.

Given your past ludicrous statements you are already perceived as a wicked story teller, so unless you want to make your already tattered credibility worse off than it is you had better explain the 100000 miles a year story.
0 Votes
+ -
No wonder you and George get along
jragosta 31st Oct 2006
You and George both like to babble about things you have no
clue about.

I've been to China twice this year - that's 32,000 miles just for
those trips. Three trips to Europe add 36,000 miles. Add in the
domestic trips and it's about 100,000. I've hit Platinum on
American (60,000 miles) every year for the last 5. I've hit
Executive Platinum (100,000 miles) 2 of the last 3.

But, then, you and George never did hesitate to make things up
when you have no way of knowing the reality of a situation
0 Votes
+ -
Evidently the FBI believes a crime ...
ShadeTree 30th Oct 2006
... was committed by the researcher or there wouldn't have been a raid. Research is one thing. Publishing a tool to forge boarding passes is another. Whether a crime was committed or not is up to a judge to decide. Let me ask you something. If I am researching how easy it is to forge money is it all right if I publish a tool for doing so on the Internet?
0 Votes
+ -
---Let me ask you something. If I am researching how easy it is to forge money is it all right if I publish a tool for doing so on the Internet?---

Given that all boarding passes printed online can be modded by hand editing the html, aren't all airlines liable here? Aren't they essentially providing a tool for forging boarding passes? Or is that responsibility more due to companies that make html editing software?
0 Votes
+ -
Let's put it this way
jragosta 30th Oct 2006
Airlines give you the ability to print a boarding pass online - as a
mechanism of improving their customer service. There is
therefore a legitimate reason for their system.

The hackers who publish this information in spite of knowing
that it can be used for criminal activity don't have any legitimate
business reason to do so. The ONLY possible purpose is for
bypassing the required security.

Since there's no legitimate reason and it's clear that it's being
done to bypass security, they should be punished.

I don't buy your 'they were only doing it to get the government
to act' argument. There are other ways to do that. How about
writing to a major newspaper and explaining that there's a
simple way to bypass airport security - without publishing the
details?
0 Votes
+ -
Sorry, that didn't work
tic swayback 31st Oct 2006
---How about
writing to a major newspaper and explaining that there's a
simple way to bypass airport security - without publishing the
details?---

Bruce Schneier blogged about it in 2003, Slate wrote a big article about it in 2005, Senator Chuck Schumer (D NY) released a press release about it and talked about it in a speech in 2006. Nothing happened. It took this incident to get the TSA's attention.
for some actions, which is why we all celebrate the revolutionary war and the patriots who fought in it; rather than calling them traitors, which is what the English called them.

Not having looked at his site, I don't know if it helped terrorists or not; but it sure made the folks in charge act like the situation mattered. Which you have said DOES matter to you.

Sounds like you really believe the system is always right; but you are wrong. Our system is probably one of, if not THE best systems around, but civil disobedience helped make the system as good as it is. Get off this kid's back unless he was actually trying to get terrorists to use his method.
Color copiers work pretty well too apparently, just don't get caught passing the bills.
0 Votes
+ -
And.. they cant print money.
Techanalyst 31st Oct 2006
That is why security is in place in printers and copiers so they can't duplicate money. There are color blocks so they won't look the same and they cannot print the microprint or two tone inks. And as you said "Just don't get caught". The logic of criminal acts are only criminal if you get caught is why we have a lot of problems today we didn't have decades ago.
0 Votes
+ -
... when Mathius Rust flew a Cessna through the Soviet missile defences and landed in Red Square he proved how worthless the Soviet Defense system was. Did they thank him for improving security against the "imperialist west"?

No - they gave him 5 years in prison and confiscated his plane.

When UK "hacker" Gary McKinnon casually wandered in and out of "secure" U.S. Govt computers, did they thank him for exposing holes in the system?

No - they're trying to extradite him from the UK.

It seems to be a standard human response. When the Watergate investigations were ongoing someone asked "Who ordered the coverup?". It turned out no one had, they all just knew deep inside that such things HAD to be covered up.....

Sad really, and very stupid....
0 Votes
+ -
Please stop the degenerate worship
georgeou 29th Oct 2006
Gary McKinnon is someone who broke in to hundreds of systems. He was NOT a whistle blower who simply exercised free speech on a webpage. Please do not compare him to a security researcher who merely posted information on a webpage.
0 Votes
+ -
McKinnon isn't bright enough...
bportlock 29th Oct 2006
... to be a real hacker. If he got into those systems then their security was a joke. The responsibility for that lies with their admins.

I've listened to him trying to defend what he did and he's not all that coherent. If this guy's a cutting edge hacker then it's a d*mn good disguise he's wearing.

I don't worship him - I think he's a complete plonker! He didn't know how to cover his tracks, he took no precautions against being caught (like hacking the boxes outside work hours at the server's location) and he hasn't had the sense to keep his mouth shut.

I have a few servers that are exposed to the net. They get about a dozen hack attempts per day, mostly automated attempts. In three years they haven't been penetrated and yet the security precautions taken were the obvious ones that took about an hour per box. Any idiot can secure a server up to the point where it takes an expert to hack them. You can certainly make them McKinnon proof.
0 Votes
+ -
The guy is an idiot that broke in to US Government systems. Just because he's incompetent doesn't mean he's not a criminal. He broke the law and he should pay the price for it. There should be no comparisons between him and a security researcher who simply posted information on a website.
0 Votes
+ -
I didn't compare McKinnon ....
bportlock 30th Oct 2006
... to a legitimate researcher. Kindly show me which part my post said that. Your emotional cup runneth over methinks.

"Just because he's incompetent doesn't mean he's not a criminal."

He hasn't been tried yet George, so he is an alleged criminal.

"He broke the law and he should pay the price for it. "

No - he is accused of breaking the law.


Having said all that he's blabbed so much in the press that I do not see how he could avoid a conviction, but at this point he is not guilty. That's the law.
0 Votes
+ -
If not to make comparisons, why did you bring him in to this discussion then?
0 Votes
+ -
I brought him in as an example...
bportlock 30th Oct 2006
... of my point. The messenger often gets shot regardless of the message.

Put McKinnon aside for a moment and consider this - all the people I gave as examples did they

a) Uncover weaknesses in systems and organisations, and

b) as a result did the systems get reviewed?

Forget that it is McKinnon, Rust and the researcher. The messengers, no matter what you think of them got shot for showing that the systems were flawed.

Additional charges such as Rust getting 5 years prison and McKinnon being extradited are somewhat secondary. They were all initially derided for exposing weak systems and making those who ran them look foolish. No one said "Whoops - we'd better get that fixed". The incompetents who ran these systems were more concerned with diverting the blame elsewhere and holding on to their phoney-baloney jobs.
0 Votes
+ -
Get your facts straight
moonchacha 29th Oct 2006
1) It's Mathias not Mathius 2) He was allowed to fly in there. He was escorted by military planes on either side ready to shoot him down. Excerpt from wiki: "Some sources were quick to claim that the very fact that Rust landed freely in the center of Moscow is the proof that Soviet Union had no credible air defences. This is certainly untrue. In fact, Rust didn't evade the air defences, and was tracked for most of his flight path. The reason why he was allowed to continue his flight was pretty complex, but mostly it stems from the fact that after the scandal over Korean Air Flight 007 shot down just about five years previous, Soviet air defences were explicitly forbidden to act aggressively about any definitely civilian aircraft." Idiot.
0 Votes
+ -
Get your own facts straight!
bportlock 30th Oct 2006
"It's Mathias not Mathius"

Sorry - I didn't understand that such a trivial spelling mistake could change the entire meaning of the post.

"He was escorted by military planes on either side ready to shoot him down."

No he wasn't. He WAS detected when he crossed the Baltic coast but then they lost him. His entire flight profile, practically minute by minute is on Wikipedia.
http://en.wikipedia.org/wiki/Mathias_Rust

Whilst we're straightening out facts, I said he got five years, Wikipedia says he got 4 years and only served 432 days.

So get your own facts right and don't make me get my ascii-art out!!
0 Votes
+ -
FBI
xstep 29th Oct 2006
Don't be surprised if they raid your house next for this. The credibility of the FBI/CIA/NSA tends to be more of a concern than the security of the people of this Country.

Heck.. might raid my place too just for the comment. I for one have always had it in mind that it's up to "The People" of this Country to protect themselves, family, and town/City. These Agencies should understand The people write the laws to Govern themselves and not the other way around. I read the 911 commission report and those that have Don't trust or have faith in the Agencies designed to protect us. These agencies Failed us on 911!
0 Votes
+ -
I should be fairly safe then....
bportlock 29th Oct 2006
... it's a long drive across the Atlantic to get me. Of course they might start extradition proceedings!
0 Votes
+ -
Over the atlantic.
Techanalyst 31st Oct 2006
Unfortunately, since 9/11, the US Congress in its infinite wisdom, expanded the FBI's jurisdiction to overseas so they work out of the Embassies. Personally I think the State Department should be more up in arms about that than they are, but congress loves the FBI for some silly reason. Now they can go and get you across the Atlantic with the blessings of your government.
0 Votes
+ -
So, is the FBI gonna raid...
UserLand 29th Oct 2006
...the home of New York Senator Charles E. Schumer? Senator Schumer put up his own page in February '05 explaining in detail how to get past security with your own forged boarding pass:

http://www.senate.gov/~schumer/SchumerWebsite/pressroom/press_releases/2005/PR4123.aviationsecurity021305.html

Somehow, I don't think so.
0 Votes
+ -
Maybe.
Techanalyst 31st Oct 2006
It is an election year... Don't put anything past the FBI.
0 Votes
+ -
What should the FBI have done then?
JetJaguar 30th Oct 2006
Conversely, was this the only way Soghoian could have pointed out the problem? He certainly got some headlines this way.
0 Votes
+ -
You found it, you fix it.
rschror 30th Oct 2006
I agree there are other means to coming at this. I find it a little apprehensive that someone in the Security field be accosted for giving out information in the pursuit of strengthening the view of security.

I think the FBI has more productive ways of solving a problem, but in this instance did not use them. What about you found it you fix it? obviously someone who finds the problem should be able to figure out a solution.

The Media uses "RAID" as the operative word, which by definition is what they did. I find myself being a little apprehensive of the word, which in actuality is correct but reality points out to me that this is nothing more than media reaction and probably no injustice has been done.

However I do think the FBI are a bunch of goons in well dressed suits. So I employ them to find more creative methods of using their budgetary moneys. For instance could they not have asked for more detail, handed over the information to homeland security and possibly hire the guy to do some investigative work (for his country and not for $ as he's crossed the line to more criminal acts. Call it community service).

I see he complied with the taking down of the website, proper FBI information gathering protocol calls for confiscation of the material and any tools under the perp's ownership. So I can see how that might seem unjust to the technical, but you have to have known it would have gone down that way.


There's probably some other secret government group with the mandate to help out the guy with a job and make it so he has a job when he gets out of University. Then again all this press might just ruin his career.

When it comes down to it, democracy is the political landscape but capitalism's at the wheel. Ruin the business and there's no money in it for the little guy only the stuff that rolls down the hill.
0 Votes
+ -
Sometimes a big gesture is necessary
tic swayback 30th Oct 2006
Because the problem had been repeatedly pointed out in the press and by members of Congress, and the TSA and FBI chose to ignore it, was he so wrong to release a proof-of-concept exploit? Sometimes a computer company has to be shamed into fixing flaws, and apparently, sometimes the TSA has to be shamed into protecting us.
0 Votes
+ -
So....
jragosta 31st Oct 2006
So if I happen to see a weakness in bank security, I should rob the
bank to demonstrate the flaw? After all, I'd merely be doing that to
point out the security flaw.
0 Votes
+ -
Not what he did
tic swayback 31st Oct 2006
He never tried to use one of these fake boarding passes, so no, don't rob the bank. Do what he and others did, try for 3 years to get the bank security's attention. When that fails a public gesture that does not threaten security would be a good idea.
http://www.startribune.com/535/story/772107.html
"Does this pose a threat to security? No," TSA spokeswoman Carrie Harmon said.
0 Votes
+ -
Checking boarding passes
Erik Engbrecht 30th Oct 2006
Is checking boarding passes a measure that directly contributes to improved security, or is it simply a means of restricting traffic through security lines to people who actually have planes to board?

Are the people who will be pulled aside in the security line selected before they enter it, so the guard has to know "you're so-and-so, I'm supposed to harass you?" I've never seen the TSA guard checking my boarding pass looking at any sort of list.

Given that teenagers manage to produce fake driver's licenses and people produce counterfeit money, how surprising is it that someone could produce a fake boarding pass?
Imagine using a swipe code on the back to see if your drivers license checks out when you enter a bar. Egad, that could get evil.
0 Votes
+ -
Too late
ImUpAbvIt 30th Oct 2006
I've already been to both bars and liquor stores that have electronic verification of the ID. It was faster than the cashier/bouncer trying to calculate my age.
0 Votes
+ -
Limiting entry
jragosta 30th Oct 2006
Limiting entry to real passengers IS a real security measure. First,
for a given number of hours in the day, TSA has to screen fewer
people - so they can do it better.

Second, having lots of extra people inside security creates more
confusion and more likelihood that a real security problem would
be missed.
0 Votes
+ -
Method not substance
frgough 30th Oct 2006
There are proper ways to do this if you are seriously concerned
about airport security problems. Posting the flaws on a website is
not one of them. A notification to the FBI with a demonstration of
the problem is the mature, adult, serious and responsible way to do
this, not make some narcissistic juvenile teenage prank to get hits
to your website and your fifteen minutes of fame.
0 Votes
+ -
Been there, done that
tic swayback 30th Oct 2006
---There are proper ways to do this if you are seriously concerned
about airport security problems.---

Like writing about it in your highly read blog? Bruce Schneier did that, in 2003:
http://www.schneier.com/crypto-gram-0308.html#6

Hmm, that brought the issue into the public eye safely, but the TSA seemed to have ignored it. The same thing happened in 2005 when Slate wrote an article about it:
http://www.slate.com/id/2113157/fr/rss/

Wow, still ignored. Even worse, in 2006, New York senator Chuck Schumer issued a press release covering the same subject:
http://schumer.senate.gov/SchumerWebsite/pressroom/record.cfm?id=259517&&

The result? The TSA completely ignored the issue.

Moral of the story?
Sometimes it apparently takes a large public gesture to get our government to do its job.
0 Votes
+ -
Am I the only one who thinks that...
dscates@... 30th Oct 2006
It may be very easy to build an atomic weapon, or forge boarding passes or do any number of things that bad people in the world would like to do.
Does it make us safer to post on the web detailed directions or tools to do these things?

If these so called champions of our safety were not more concerned about generating impressive credentials, or basking in the limelight, maybe they would communicate to the people concerned with our safety.

If it is because they think the people charged with security won't make the changes due to costs, I have news for them. Not only will the businesses not make the changes if the public doesn't know, but they won't make the changes if the public does know.

It is possible to establish perfect or near perfect security.

PEOPLE WON'T ALLOW THE INCONVENIENCES.

So these "guardians of our safety" are just making it easier to find ways to hurt us.

I hope that in the future anyone harmed, or their families, will research whether the method used to harm was one published by one of these self-centered idiots and sue that individual for everything they have or will ever have.
