Last week Christopher Soghoian, a 24-year-old Ph.D. student in information security at Indiana University, whipped together a website that allowed anyone to create a fake Northwest Airlines boarding pass. He hoped to bring attention to a security hole that allows anyone, including someone on the No-Fly list, to enter the security line with a fake document. Instead he got another kind of attention.
For those unfamiliar with the story, it’s one I’ve been following in my blog and in a proper news story for Wired News since Soghoian told me about his site Wednesday night.
Soghoian, a security researcher who has done work at Google, Apple and IBM, told me the site’s purpose was to demonstrate the futility of the No-Fly list:
I want Congress to see how stupid the TSA’s watch lists are. Now even the most technically incompetent user can click and generate a boarding pass. By doing this, I’m hoping [Congress] will see how silly the security rules are. I don’t want bad guys to board airplanes but I don’t think the system we have right now works and I think it is giving us a false sense of security.
Even without his generator, the No-Fly list can be avoided:
If you can purchase a ticket over the internet with a pre-paid debit card and can fly without I.D., then for domestic flights the No-Fly list doesn’t work.
On Friday, Congressman Ed Markey (D-Mass) called for the site to be shut down and for Soghoian to be arrested, and later that day, the FBI shuttered the site and met with Soghoian. Whatever he said must not have been convincing, since the FBI raided his house with a search warrant signed by a judge at 2 a.m. Saturday morning and seized his computers, though they didn’t arrest him. Markey then retracted his call for Soghoian’s arrest on Sunday and in fact, suggested the government hire him instead (though Markey called the site a ‘lousy way’ of publicizing the problem).
Since Sunday, the story has slowed considerably. Soghoian has lawyers now and isn’t talking to reporters, though he is occasionally updating his blog.
Soghoian’s site exploited a well-known security hole, one first publicized by security expert Bruce Schneier in 2003, given the full-on Slate treatment in 2005, and, according to security blogger Adam Shostack, explained to high-level Homeland Security officials in 2004.
That doesn’t mean all security researchers applaud Soghoian’s method. Indeed, Avi Rubin, who’s best known for his voting security work, told Xeni Jardin that his former teaching assistant should have shown this to the government privately.
So what’s the upshot? Will the government ban boarding passes ticketed at home? Will they prosecute Soghoian for building this site? Won’t other hackers put their own version online? Will this prompt reconsideration of the use of notoriously ineffective watch lists for domestic travel?
The short answers, in my opinion, are No, No, Maybe but not as many as you’d expect, Definitely Not.
The long answers are here at 27BStroke6, which despite Noah’s dig, is a great name for a blog. (Think Brazil).
– Ryan Singel