Congressman Comes to Defense of Boarding Pass Hacker

The Washington Post today ran a story I wrote about the 24-year-old Ph.D. student who earned a visit from the FBI after posting on his blog a tool that let anyone generate fake boarding passes.

From the piece: "Christopher Soghoian said he was simply trying to highlight a flaw in the nation's airline security procedures when he put a tool on his Web site letting anyone create fake boarding passes, but federal authorities didn't see it that way.

"FBI agents visited the 24-year-old doctoral candidate's home in Bloomington, Ind., Friday and returned on Saturday to cart off his computers and other equipment. While Soghoian has not been charged with a crime, the incident has stirred a national tempest and renewed concerns about passenger screening procedures."

I had a chance to interview Rep. Edward Markey, a Democrat from Massachusetts who had earlier called for Soghoian's arrest. On Sunday, Markey changed his tune, coming to the researcher's defense. He explained his change of heart thusly:

"When I first heard that someone had built a Web site for the purpose of making it easier to create fraudulent boarding passes, I called for his arrest," Markey said. "Later when it was confirmed that the creator was a student interested in publicizing -- not creating -- a security loophole, I immediately put out a new statement, so that my feelings were clear that he should not be arrested or prosecuted."

Markey said Congress might have to act if the TSA doesn't. "I think TSA should close the loophole," he said. "We shouldn't have to wait until a new Congress reconvenes to protect the public if a loophole jeopardizes public safety."

My story is online here. A blog post from the weekend is here.

By Brian Krebs  |  November 1, 2006; 10:55 AM ET
 

Comments

Why don't you credit Xeni and Boingboing for breaking the story?

Posted by: Jason Calacanis | November 1, 2006 11:56 AM

There's no story to "break". As BK pointed out already in his previous post, Schneier's been writing about this vulnerability since 2003, if not earlier:

http://www.schneier.com/crypto-gram-0308.html#6
http://www.schneier.com/blog/archives/2005/02/flying_on_someo_1.html
http://www.schneier.com/blog/archives/2006/03/bypassing_the_a.html

What's interesting about this story is that it serves as a poster child for how aggressive full disclosure can actually push something onto Congress's radar. The best way to get a vendor to pay attention to a software vulnerability is to write an automated exploit for it, and the same appears to be true if the vendor is Congress or the TSA. It's sad that someone had to go this far to get anyone to pay attention, but it does help dispel any illusion that politics is anything other than marketing.

One possible unfortunate outcome is that Congress will finally make it impossible to travel anonymously. Not sure I care too much about that from a practical standpoint, but it would be a further erosion of our dwindling rights to privacy.

Posted by: antibozo | November 1, 2006 12:18 PM

What story did Xeni and Boingboing break? BK has already stated that he was on the phone with Soghoian when the FBI showed up the first time. Just because Boingboing MAY have posted the story first, it doesn't mean they broke the story. Normally, you would give credit to a journalist who did some investigation and through that investigation actually broke a story no one had even known to cover but that is not the case here.

Like I said in BK's last blog on this, Krebs actually did a good job on this.

Posted by: Troy | November 1, 2006 12:37 PM

While I agree with the overall mission of the TSA (to protect travelers from crime & terrorism), their methods sure are stupid. Hopefully the FBI will return this poor guy's stuff soon.

Posted by: William | November 1, 2006 1:18 PM

For what it's worth, the paper edition of this story carried a photo of the boarding pass and credits Boingboing.net

Posted by: Bk | November 1, 2006 1:32 PM

You'd think that before calling for someone's arrest in public and having the media carry it the Congressperson would at least have visited the website to find out who it is and what their possible intentions are. As Homer would say DOH!!!

I'm glad these people in Congress think before passing laws - oh, wait - do they really do that!?!?!

Needless to say, I don't think his student visa will be renewed, regardless of the outcome. Oh well, try to improve security and get punished for it.

Posted by: Does not matter | November 2, 2006 8:41 PM

Silence is highly underrated.

Posted by: jakemd | November 6, 2006 1:11 PM

By the way, people from Virginia don't need student visas to enter the United States. Although maybe that will change if Allen is elected.

Posted by: jakemd | November 6, 2006 1:15 PM

The TSA security checks keep the riff raff out. A real terrorist would just use their own name and ID or a made up name and a made up ID. The kid was a little full of himself. The folks that could really exploit this are the credit card thieves. No longer would they need to buy tickets in their own name (not that they care, nothing happens to them anyway). If anyone got caught, they would be in real warm water for a while, explaining exactly what they were doing.

The biggest security deterrent is the fact that passenger attitudes have changed. As the Kid from Brooklyn said, "you want airline security, give everyone a baseball bat".

Posted by: Bud | November 7, 2006 1:55 PM

Hello, excuse is has placed a topic not in that section, it would be desirable to learn what antivirus
you use and consider as the best, I use winantivirus and is happy with it if who is interested here can
to load it

Posted by: smokeberly | November 29, 2006 9:24 PM

The comments to this entry are closed.

 
 
© 2010 The Washington Post Company