Network News

X My Profile
View More Activity

Boarding Pass Hacker Breaks Silence

Chris Soghoian, the Indiana University doctoral student whose online demonstration of serious flaws in airport security prompted an FBI investigation, broke his silence this week after the government terminated its investigation into the matter.

Soghoian had refused to talk to the media ever since the FBI visited his home in Bloomington, Ind., on Oct. 27 and carted away computers and other equipment. The federal action came in response to Soghoian's decision to post a tool on his Web site that would allow someone to print a fake boarding pass that could be used to evade the "no-fly" list -- a key government tool in keeping suspected terrorists off of airplanes.

In an interview with Security Fix on Saturday, Soghoian said he was ready to set the record straight now that the FBI had ended its investigation and the local U.S. attorney had declined to press charges. A spokesperson for the FBI's Indianapolis field office confirmed that the investigation was closed on Nov. 14.

Soghoian's boarding pass generator highlighted a loophole in the Transportation Security Administration's policy for screening passengers against the no-fly list. The problem is that boarding passes are compared to a person's ID only at initial airport security checkpoints, not at the gates where passengers board planes. And the boarding passes are scanned and verified only at departure gates, not security checkpoints.

In discussing the tool that he created, Soghoian said that even if the TSA plugged the security loophole -- by requiring ticket readers at the initial terminal security checkpoint and integrating the no-fly list with every airlines' computer systems -- the current legal status of the TSA's policy allows anyone to refuse to show ID at check-in if they consent to additional screening.

"Everyone focused on this issue of fake boarding passes, but no one touched on the issue of a person [telling airline security screeners] that they don't have any ID on them," Soghoian said.

To help put Soghoian's point in perspective, consider the case of John Gilmore, co-founder the Electronic Frontier Foundation. In 2002, Gilmore refused to show his ID while checking in for a cross-country flight. He was told he could fly if he agreed to a "secondary screening," which he also refused. Gilmore said he was told that there were security directives that mandated the showing of ID, but that he was not allowed to view said rules.

Gilmore later sued the government to gain access to the rules. The case wound its way up to the 9th Circuit Court of Appeals, which privately viewed the rules and decided that airline passengers could either present identification OR opt to be subjected to a more extensive search.

This summer, Gilmore challenged members of the Department of Homeland Security's privacy advisory committee to test the court's ruling -- i.e. to see if it's possible to fly domestically without an ID. Committee member Jim Harper, director information policy studies at the CATO Institute, a libertarian think tank, accepted the challenge. After a thorough screening that involved a slew of tests for traces of explosive materials, Harper made it through screening and was allowed to fly without showing ID. And he believes he made it through security faster than he would have had he showed an ID.

In a phone interview Monday, Harper said the whole ordeal demonstrates the ineffectiveness of identity-based screening at airports.

"You could fix all these holes in airline security screening and you still wouldn't have a secure, identity-based system," Harper said. "Identity doesn't tell you what someone plans to do, especially a person who has newly-adopted terrorist plans or who has just joined some terror-related organization recently. The 9/11 operation -- with two exceptions -- was carried out by people who weren't known to U.S. authorities and were already operating in a mode to defeat the watch list we've since put in place. So the current system merely requires al Qaeda to continue using techniques they were using in the past. So this -- like so many other security systems that we have post-9/11 -- start[s] from such a level of abstraction that they end up being total surveillance systems."

Indeed, Soghoian himself said he successfully tested the no-ID policy on four different flights over the past four months. The experience, he said, left him scratching his head as to why the government bothers with the no-fly list at all.

"There's the ability to get on a plane and do bad things and the ability to get on a plane to avoid the government knowing who you are. We as citizens have given up some of our rights to fly safely, and that takes care of the first issue," Soghoian said. "The question is whether we're willing to be searched and inconvenienced solely to protect the government's no-fly list, which doesn't make us any safer."

So what lessons should other people take away from this before they try to publicize loopholes in U.S. security checks?

One of Soghoian's attorneys, Stephen L. Braga, a partner with the Washington, D.C., law firm Baker & Botts, said doing the research to find such loopholes is fine. It's what you do with the information that matters.

"I think the clear takeaway from this is for people to go ahead and do their research, develop a thesis of what the flaw is and bring it to the attention of the authorities if it has any potential for misuse, but don't post it online," Braga said. "People really need to think twice about whether putting things like this out there might fall into the wrong hands and be used for illegal purposes."

Soghoian said that when he met with officials from the U.S. Attorney's office in Indianapolis to retrieve his computer equipment, he was told that the crisis might have been averted if he had pasted some sort of "SAMPLE" or "NOT FOR BOARDING" disclaimer watermark on his boarding pass generator -- to better illustrate that the tool was created merely to make a point, not to abet anyone trying to evade the no-fly list. But Soghoian said he believes that the issue would not have garnered the national attention that it did if he had included those disclaimers.

"The fact is that [the government] has been told about these vulnerabilities time and time again. When a U.S. Senator puts step-by-step instructions on how to fake boarding passes on his Web site and the problem isn't fixed, we have to ask ourselves what more will it take?" he said. "My hope is things will get fixed but my worry is they won't and this will all get get swept under the carpet again."

By Brian Krebs  |  November 28, 2006; 9:30 AM ET
Categories:  From the Bunker  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Exploit Released for Unpatched Mac OS X Bug
Next: With Fans Like These...


Chris Soghoian is a genius and a hero

Posted by: Stony | November 28, 2006 10:03 AM | Report abuse

Almost from its inception, the TSA has been security theatre. First, after Flight 93, no competent terrorist group would harbor the thought of hijacking a plane full of passengers. Second, the TSA was a feel-good egalitarian watchdog, spending as much or more attention on tall middle aged American men of German descent (me)as it did on anyone who resembled a real terrorist. Third, the focus was on shoes and other objects and not people; time to interview and assess people, not shoes. And, fourth, our national government is decades behind the curve on identification of people--we need a 21st century solution to the issue of who is whom.

Posted by: TSA--Not | November 28, 2006 10:29 AM | Report abuse

Showing ID is not much of a burden, and is probably a practical & less annoying step than pulling your shoes off, not being able to pack shampoo and whatever other personally invasive measures the TSA comes up with next.

It'd be nice if there was better border security, and we could fly more freely in domestic flights, while reserving more onerous precautions for international flights.

However, the simple fact of re-enforced cockpit doors, and other preclusive measures are going to do more to prevent another severe terrorist incident than looking at a million shampoo bottles.

TSA is a bit too reactive, and somewhat unbalanced in it's threat reaction to say the least. They need to have a bit better balance of freedom and personal privacy than they currently do.

That said, I wouldn't want their job either, they don't have an easy task.

Credit should be given to the US Atty's office & the FBI for not over-reacting with CYA charges, or an open-ended 'ongoing investigation'. Rather by returning the guys equipment and clearing him, they're demonstrating a much more mature understanding of technology related issues than was the case in the 90's.

Posted by: Gentry | November 28, 2006 10:57 AM | Report abuse

The most important goal in security screening is to find and stop criminals, not be senior documentation clerks these T.S.A. people appear to be.

Posted by: Peter Roach | November 28, 2006 11:17 AM | Report abuse


Posted by: test | November 28, 2006 11:18 AM | Report abuse

Asking for a second ID check at the gate will do nothing but slow down boarding--because all those advocating this second check seem to forget how easy it is to obtain a FAKE ID to begin with. If a high schooler can get a fake ID good enough to fool the ABC, surely a terrorist can do the same to pass the existing and proposed ID checks at the airport.

The whole "no-fly list" is patently ridiculous due to the problems of fake IDs and the fact that the most dangerous terrorists aren't even placed on the list for various security concerns.

Posted by: John N. | November 28, 2006 11:34 AM | Report abuse

The TSA no-fly list is a fatally flawed instrument, and it deserves to be discredited by any means available. I have a very common first name and a very common last name. There are dozens of entries for my name in my city's phone book. My name is also on the no-fly list, inconveniencing hundreds, if not thousands, of like-named persons in this country. Even assuming that there is a real person of this name who deserves to be on this list, TSA has no device for excluding from this dragnet those who are not threats. Middle initials, dates of birth, or any other means to avoid the no-fly list are not available for those who clearly are not threats. As a result, the list is no more than a figleaf and it should be discredited.

Posted by: John | November 28, 2006 11:47 AM | Report abuse

This weekend, while flying from Portland to Santa Fe, I learned that it's possible to print multiple boarding passes for Southwest. The airline allows you to print boarding passes at home 24-hours in advance. Without knowing that I'd already printed my boarding pass, my husband printed another one for me. This leaves open some interesting possibilities. For instance, an entire group of terrorists could get past at least the first "security" checkpoint, which occurs where carry-ons are screened. Think about it, multiple persons with the same boarding pass bought under a fake name, each accompanied by the same fake id, (easy to get, and untrained screeners would have no clue), can get through the initial security screening area no problem, all on one ticket purchase. While that doesn't exactly get them on the plane, it gets them one step closer. It'd be interesting to test whether Southwest's scanner before boarding the plane would recognize bar codes from the same pass, or allow all of them to board.

Posted by: ES | November 28, 2006 12:09 PM | Report abuse

The missed lesson of 9/11 was that the security
system worked. The 19 terrorists did not have guns,
bombs or machetes. What they did was game the system.

The Old rules of Hijacking were "C-D-E":Cooperate,De-escalate.
Evacuate. By forcing entrance to the cockpits, they killed the
crews by taking advantage of cooperation.

Within an hour the new rules were Deathmatch. The passengers
and crew of 93, fought back. The ultimate view of this was
richard reed the shoe bomber. 15 passengers kicked his posterior.

Let the Old rules stay, just let the passengers be informed that
they will be asked to cooperate with crew on any in flight emergency. Let the screeners focus on bombs, guns, machetes. I and my fellow passengers will handle the

Posted by: TSA is a waste | November 28, 2006 12:10 PM | Report abuse

TSA is a waste -- that was pretty funny!

Posted by: TLAWRENCEVA | November 28, 2006 12:30 PM | Report abuse

It stands for thousands standing around. And they're doing nothing. Most of those jokers wouldn't know a terrorist threat if it jumped up and bit them in the ass.

We're wasting our time and money fussing with this nonsense while the terrorists have moved on to new tactics which will be just as unexpected as September 11 was.

Posted by: Down with the TSA | November 28, 2006 1:10 PM | Report abuse

For those interested in current TSA shenanigans: see Bruce Schneier's most recent TSA security roundup (contains links to some of scary yet amusing hijinks):

Posted by: antibozo | November 28, 2006 1:19 PM | Report abuse


I'd have to see someone who is on the no-fly list actually get on a plane by not showing ID or otherwise, before I'd make too much of this.

He is highlighting one other point, though, that the TSA regs are a major pain in the butt to the average traveller who even questions or challengs the rules, who is by definition not a security risk.

Try this with a person who is on the no-fly list. Assuming that they are allowed to go on the plane instead of being arrested, then the system is working awfully backwards.

Posted by: cc | November 28, 2006 3:03 PM | Report abuse

cc, no one who is legitimately on the no-fly list is going to bother giving you a demo. To the extent that any of these people are truly a threat, they will simply go through with their plans.

There have been plenty of legitimate demonstrations already (just read the article), and it is quite clear that if someone who is not on the no-fly list can get on a plane without presenting ID, someone who *is* on the no-fly list can accomplish the same thing. Is it effective security? No. Are we paying for it anyway? Yes. Could we instead spend that money on a security measure that *is* effective? Certainly.

Posted by: antibozo | November 28, 2006 3:18 PM | Report abuse

plus if you try to board a plane and you are wearing a long beard and carrying a prayer rug, you're going to get stopped regardless. Human xenophobia is a well-regarded security tool.

Posted by: cc | November 28, 2006 3:18 PM | Report abuse

cc> Human xenophobia is a well-regarded security tool.

What is your evidence for that? I'm not really aware of any good case for the theory that foreigners are statistically criminals, so I don't see how xenophobia could be considered well-regarded.

A mildly clever person will simply use xenophobia as misdirection, and do his or her thing while everyone's attention is focused on the foreigner over there.

As for "wearing a beard and carrying a prayer rug", read these and see if you still think xenophobia brought anything useful to the table:

Posted by: antibozo | November 29, 2006 2:56 AM | Report abuse

Who even needs a passport?(or boarding pass for that matter)

Posted by: Robin Lockhart | November 29, 2006 6:37 PM | Report abuse

No doubt the FBI left a rootkit and NSA-built spyware on Chris Soghoian's computer to monitor future activities. That's why they returned it.

Posted by: Ken L | November 30, 2006 1:09 PM | Report abuse

>>First, after Flight 93, no competent terrorist group would harbor the thought of hijacking a plane full of passengers.

On the evidence, I very much doubt that.

Posted by: Mark Odell | December 2, 2006 3:59 PM | Report abuse

@TSA is a waste
>>The missed lesson of 9/11 was that the security system worked.

Only for certain definitions of "worked".

>>Let the screeners focus on bombs, guns, machetes. I and my fellow passengers will handle the thugs.

Wouldn't that be easier for you to do if the TSA and its screeners would just cease trying to solve the wrong problem?

Posted by: Mark Odell | December 2, 2006 4:05 PM | Report abuse

Mark Odell> Wouldn't that be easier for you to do if the TSA and its screeners would just cease trying to solve the wrong problem?

It's not clear to me after looking at the referenced page what you mean by "solve the wrong problem". Care to elucidate?

Posted by: antibozo | December 2, 2006 5:15 PM | Report abuse

Help your relatives!!!

We are glad to welcome you in our online drugstore.
Do your relatives require medicines? They are already not young, is it hard for them to go to a drugstore? Learn, what medicines are necessary for them and buy. Keep your forces and time, do not spend them for searches of medicines in drugstores. Make the order for our site, - and the courier of a delivery service will bring necessary medicines for you to any address. In our Drugstore - it is quickly and conveniently!

Posted by: choiceinfo | December 14, 2006 2:25 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company