A new entry in annals of stupid programmers. Christopher Soghoian, a graduate student at Indiana University's School of Informatics, posted a program on his website to create fake airline boarding passes, The Washington Post.
He says he was exposing a security flaw. The government says he's assisting terrorists.
Wendy Osborne, a special agent with the FBI's Indianapolis field office, said the FBI would investigate jointly with the Transportation Security Administration and then decide whether charges would be filed.
Reached at his home in Charlottesville, Stephen Soghoian, Christopher's father, defended his son's actions. "Chris was only pointing out that the government is not using its resources in a good way to provide real public safety at airports," the elder Soghoian said. "Instead, what they're doing is probably best described as security theatre."
On Soghian's website, anyone could enter a name and flight information and print out a realistic boarding pass for Northwest Airlines. Soghoian and the TSA seem to agree that the fake pass wouldn't get past the electronic scanning devices at boarding gates.
Amy Kudwa, a spokeswoman for the TSA, said that while the fake boarding pass generator "had the potential to promote illegal activity, it will not aid anyone in circumventing airport security."
She added: "The TSA assures that every person is thoroughly screened at the checkpoint for dangerous weapons or explosives. There are many layers of security at the nation's airports, including many methods that are not obvious to the casual observer."
Rep. Edward J. Markey (D-Mass.) praised Soghoian, a week after calling for his arrest. Now, he says, DHS should hire him to show "public officials how easily our security can be compromised."
The prank does emphasize the security gap between initial screening where fliers have to show photo ID and boarding, where they don't.
Security expert Bruce Schneier said yesterday that it would be easy for someone to use a fake boarding pass to bypass the TSA's "no-fly list," which contains the names of thousands of people whom the U.S. government has flagged as potential security or terror risks. A terrorist on the list could make a reservation in someone else's name and print a legitimate pass, along with a fake one in his real name. He'd present the fake pass and real ID at the security gate, then use the legitimate pass to board.
"I think we really need to ask why the government is shooting the messenger here when it should be spending its time fixing this obvious loophole," Schneier said.