Saturday, October 28, 2006

British citizen questioned by FBI for highlighting airport security flaws

A PhD security student who exposed how easy it was to bypass airline security has had part of his website taken down by the FBI. Chris Soghoian, a British citizen and PhD student at the University of Indiana created a tool which could generate NorthWest American Airline boarding passes with any name of the users choosing (click image for large version). When he posted about it on his blog he gave the following possible uses:
1. Meet your elderly grandparents at the gate
2. 'Upgrade' yourself once on the airplane - by printing another boarding pass for a ticket you're[sic] already purchased, only this time, in Business Class.
3. Demonstrate that the TSA Boarding Pass/ID check is useless.
The last of those reasons is the most important without a doubt. To be able to generate, with such apparent ease, a boarding pass for any NorthWest flight of one's choosing, in any name of one's choosing, represents a threat to airline and airport security of massive proportions. A boarding pass will get you through security check, and once there, well, God knows what mayhem could be caused. It makes a mockery of the so-called "no-fly lists".

However, there is of course a downside to Christopher's decision to publish the tool via his blog as he did. Highlighting security flaws is no doubt important, but doing so ought to be done through official channels else sadly, what eventually happened to Chris happens. It began with calls from the Senator who originally pointed out the potential security for Chris's arrest and the removal of website and ended with the FBI.

The University, according to Chris's blog, told him he was on his own if he got arrested, and yesterday, his blog had a short post saying "The FBI are at the door. Off to chat". The Boarding Pass website is now gone. Three hours after going for a chat with the Feds, he posted again saying "I am now safe (and no longer with the FBI). Still trying to find a lawyer....."

Personally I hope he does find himself a good lawyer. His decision to publish was, I think, unwise, but his intentions certainly lacked malice. He should be praised for having highlighted such a flaw in the system, and, frankly, the US Government should be offering him a job. There is a front to the "War on Terror" on the Internet, and it needs people like Chris.

UPDATE: Apparently the FBI returned to Chris's home last night whilst he stayed elsewhere. They smashed the glass on his door to enter and seized his computers and other belonging, then left the warrant taped to the table. Chris's blog appears to be down at the moment, but more details can be seen here.


Anonymous said...

A little foolish in light of the Military Commissions Act recently passed, as an alien he has virtually zero rights- and was lucky not to be declared an enemy combatant, otherwise he would be floating in a water tank somewhere.
Also proves the adage that what is created by man can be imitated by man.

Anonymous said...

I'm not sure if his decision to publish was unwise. After all, we need whistleblowers not just to highlight specific flaws in our security, but also to generate public debate over whether enough is being done in this area in the first place. I don't think he should have gone as far giving readers every piece of info about how they could do it themselves, but I can't see anything wrong with him exposing the story on his website.

I doubt the FBI will see it this way. No doubt a "dunk in the water" will ensue.

The Hitch said...

idiot for publishing the "how to" guide, personally I would keep quiet and fly around the world first class