TSA Now Investigating Boarding Pass Hacker

Zonk posted more than 7 years ago | from the make-up-your-mind dept.

Security 270

An anonymous reader writes "A week after the Justice Department cleared him of any wrongdoing, Chris Soghoian, the Indiana University PhD student who created an online boarding pass generator for Northwest Airlines to highlight security holes is on the government's 'no-fly' list. The Transportation Security Administration has now launched its own investigation, says Wired blog 27strokeB. The TSA is claiming that Soghoian 'attempted to circumvent an established civil aviation security program established in the Transportation Security Regulations,' violations of which carry fines of up to $11,000 per violation. That could be a steep fine, says Washingtonpost.com's Security Fix blog: 'Something like 35,000 people viewed and possibly used the boarding pass generator during the less than 72 hours that it was live on his site in November. Soghoian told WaPo: "If they decide that the only safe way for me to leave the country is by boat, then that's pretty much the end of my career here in the States. It's one thing to harass researchers, but if they can chase them out of the country, then that's a real chilling effect."'"

270 comments

Error (-1, Offtopic)

geodescent (871514) | more than 7 years ago | (#17151358)

Nothing for you to see here. Move along.

Re:Error (1)

coolgeek (140561) | more than 7 years ago | (#17151810)

It's Twenty Seven B Stroke Six YIC

35,000 views? (2, Funny)

denebian devil (944045) | more than 7 years ago | (#17151388)

I wonder how many of those were Slashdot users. Shame on us! Shame!!

Re:35,000 views? (5, Insightful)

'nother poster (700681) | more than 7 years ago | (#17151416)

No, shame on the TSA for not implementing real security requirements.

Re:35,000 views? (3, Insightful)

bostonkarl (795447) | more than 7 years ago | (#17151630)

No kidding. This was an obvious loophole that had been pointed out a very long time ago. Investigating the kid till you're blue in the face doesn't make the problem go away. Anyone with moderately good office-suite type computer skills could fake a boarding pass. TSA needs to focus on security, not obscurity of their obvious failures. TSA needs to focus on security, not their obvious complicity with the airlines and the airlines' heavy lobbying.

Re:35,000 views? (4, Insightful)

garcia (6573) | more than 7 years ago | (#17151500)

I was one but I didn't get to it from Slashdot. I got to it from several local bloggers that pointed it out.

Big fucking deal. It was an obvious security hole. If anything, he should be hailed, not jailed. But then again, we don't want to go out and make NWA (who fucking blow anyway) and the TSA look worse than they already do (if anyone is reading from MCO's TSA, fucking fix your system by doing a "best practices visit" to any number of other airports -- your system sucks even at 4:00AM)

Re:35,000 views? (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17151882)

N.W.A [wikipedia.org] ruleZ

Captcha: hostage

I hope they fine his smug ass the whole nut (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17151402)

I could probably smuggle a bomb into a packed sporting event, but would I do it to show it can be done? No. This is no different.

What's the fine? (5, Insightful)

HangingChad (677530) | more than 7 years ago | (#17151412)

What's the fine for making TSA look stupid?

Re:What's the fine? (5, Insightful)

towermac (752159) | more than 7 years ago | (#17151490)

apx. $11,000 per incident.

Re:What's the fine? (2, Funny)

Anonymous Coward | more than 7 years ago | (#17151738)

"What's the fine for making TSA look stupid?"

slightly embarrass = $1,000
obviously embarrass = $5,000
Making them look Stupid = Priceless!!

Re:What's the fine? (0)

Anonymous Coward | more than 7 years ago | (#17151826)

What's the fine for making TSA look stupid?

You mean they aren't?

Re:What's the fine? (1)

loraksus (171574) | more than 7 years ago | (#17152106)

It usually consists of a strip search with a cavity check performed by homosexual TSA agents who derive "great pleasure" from conducting one.
That and missing your flight.

Welcome to life under Occupation. Population You. (1, Interesting)

mikelieman (35628) | more than 7 years ago | (#17151418)

Enjoy your stay.

Re:Welcome to life under Occupation. Population Yo (1)

MollyB (162595) | more than 7 years ago | (#17151582)

Suggestion for Rule #1 in LUO: No good deed shall go unpunished.

Go Chris... (4, Insightful)

Anonymous Coward | more than 7 years ago | (#17151430)

The people responsible within the TSA need to be dealt with. These fuckheads have some nerve harassing a researcher for bringing their errors to wider attention.

Fair is fair (4, Funny)

The Clockwork Troll (655321) | more than 7 years ago | (#17151440)

The fine seems reasonable, will they accept cash [secretservice.gov] ?

Congress @$!^^#**# (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17151464)

What oversight does the TSA have?

WTF was Congress (not) thinking when they created the Dept. of Homeland Security?

From what I've been seeing over the last few years, they can do pretty much anything they want and unless you have a Whitehouse contact or are a Senator, you have to bend over and take it.

Re:Congress @$!^^#**# (2, Insightful)

towermac (752159) | more than 7 years ago | (#17152344)

When they started throwing around the term "Homeland" a few years ago, it sounded a lot like "Fatherland" to me, and I knew then that no good could come of it.

The blog is "27B Stroke 6" (4, Informative)

toby (759) | more than 7 years ago | (#17151470)

And it's a "Brazil" reference, of course, which is nicely appropriate in this context...

MOD PARENT UP! (0)

Anonymous Coward | more than 7 years ago | (#17151572)

He seems to know something others don't! Mod as "insightful" or something.

>The blog is "27B Stroke 6"

>And it's a "Brazil" reference, of course, which is nicely appropriate in this context...



He can still travel (5, Insightful)

Col. Klink (retired) (11632) | more than 7 years ago | (#17151480)

As long as they don't fix the flaw, he can still exploit it and circumvent any extra scrutiny they try and put on him.

Re:He can still travel (4, Funny)

griffjon (14945) | more than 7 years ago | (#17152328)

The popping sound you heard after parent post was made were hundreds of small brains at TSA HQ.

he has it coming (-1, Flamebait)

Lxy (80823) | more than 7 years ago | (#17151526)

I may be cynical, but what this guy did was WRONG.

The difference between a black hat and a white hat is one simple thing: PERMISSION. He wrote a tool to exploit a federal system, and he used it without permission. He is not a hero, he is not the good guy, he is a criminal. I'm sorry, but you need signed permission to do stuff like that.

This guy is a criminal, plain and simple. His intentions are meaningless without permission.

Re:he has it coming (4, Insightful)

GungaDan (195739) | more than 7 years ago | (#17151620)

I *so* wanted to mod this post "troll," but that is unfitting - your ideas are not meant to provoke, but to unprovoke, and breed grudging contentment with the sad status quo. So no troll moderation for you. Sadly, there is no "defeatist fucktard lemming" moderation available. That would be fitting.

Re:he has it coming (1)

Scarblac (122480) | more than 7 years ago | (#17151634)

Exactly, of course this is against the law.

I'd also say it's deserving of a fine of around $100 or so, nothing more.

And immediate job loss without privileges for several of the highest ranking managers responsible for letting the insanely lacking security system live for so long.

Re:he has it coming (1)

drinkypoo (153816) | more than 7 years ago | (#17151872)

Uh, why should he pay a fine? He wasn't attempting to circumvent anything. If he's guilty of anything it's violating the airline's copyright on their logo.

Re:he has it coming (1)

soft_guy (534437) | more than 7 years ago | (#17152236)

Uh, why should he pay a fine? He wasn't attempting to circumvent anything. If he's guilty of anything it's violating the airline's copyright on their logo.
Wouldn't that be a trademark, not a copyright?

Re:he has it coming (0)

Anonymous Coward | more than 7 years ago | (#17151656)

>He wrote a tool to exploit a federal system, and he used it

Did he use it? a fake boarding pass? I gave just a brief look at the story (sorry, should never RTFA) but I missed it.

Re:he has it coming (2, Insightful)

PatrickThomson (712694) | more than 7 years ago | (#17151682)

No, if he was a criminal he'd have kept it quiet and sold it. How do we know a criminal's version of this scheme wasn't already running? We don't, but we know that now it won't work. For every security researcher there are 3 self-serving fiscally-motivated elitist assholes and it is the security researcher's moral obligation to practice full disclosure (after giving the company notice and time to fix the hole).

Re:he has it coming (3, Insightful)

molog (110171) | more than 7 years ago | (#17151688)

Like how ABC news had permission when they showed that they could sneak box cutters onto a plane, just 1 year after 911?

Molog

Re:he has it coming (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17151724)

Hm I could swear I once heard something along the lines of government of the people, by the people, for the people.

It's our obligation to watch the government, question it, and try to fix it when it's not doing its job. The airlines and the government were clearly aware of this problem as it had been "exploited" by a congressman a couple years back. This is a case of government employees covering their asses instead of fixing the problem. Soghoian publicized the problem because no one was doing anything about it.

I'm glad to know there are some people who won't roll over saying the government always knows what's best for us. WE run the government and write their checks. Don't forget it.

Re:he has it coming (3, Insightful)

d3fault (934623) | more than 7 years ago | (#17151748)

Do you think the flaw ever would have been brought to attention had he gone through the proper channels? I for one am happy he did this and brought it to everyone's attention; once it's out like this it's hard to downplay and ignore.

Re:he has it coming (1)

letxa2000 (215841) | more than 7 years ago | (#17152302)

Really? The story made headlines for a day or two at most. Then nothing. It's very easy to ignore and that's exactly what the government, TSA, and airlines appear to have done. And I for one am glad that was the reaction.

Re:he has it coming (2, Insightful)

Broken scope (973885) | more than 7 years ago | (#17151754)

So when normal attempts at bringing a problem to light fail because they are too lazy to fix what is found he should just drop it till someone with malicious intent finds it and then start screaming "I TOLD YOU SO!!!". Great idea, I'm sure that would console everyone who was hurt or lost friends and family because of the problem. Pardon him for not wanting people to get hurt first.

Re:he has it coming (5, Insightful)

Brushfireb (635997) | more than 7 years ago | (#17151770)

Nice Flamebait... But I'll bite.

Your argument is simply foolish. The TSA is inept at running a dept, so they are also inept at hiring researchers or security folk to check up on their stuff. This is a government agency. This person committed no actual crime -- he didn't use one, and didn't even print one.

The criminal would have kept this secret, and used it to his/her benefit by selling it to terrorists, criminals, or whatever. Those types of actions should be punished, SEVERELY!

What did he do? He made us all safer. He did it by exposing how ridiculous the TSA is, and gave them all the knowledge to fix the problem. He did not personally gain from this experience. If anything, he has suffered already for it much more than he ever should have. I would feel differently if this was a private company and not a public-oriented service (like AIRLINE travel), to which my tax dollars go (both to bail out airline bankruptcy, as well as to operating the TSA).

IU needs to stick up for their researchers, and foot the legal bill. I doubt they will, however, having been a past student, the administration at IU is pretty much inept equivalent to the TSA in my eyes.

God forbid someone try to HELP the world...

Re:he has it coming (1)

Sargeant Slaughter (678631) | more than 7 years ago | (#17151782)

The difference between a black hat and a white hat is one simple thing: PERMISSION. He wrote a tool to exploit a federal system, and he used it without permission. He is not a hero, he is not the good guy, he is a criminal. I'm sorry, but you need signed permission to do stuff like that.

Wouldn't asking permission defeat the purpose?

Ever heard of whistleblower laws to protect people who serve the common good?

Don't you think we should be free to examine the system on our own?

When nobody listens, sometimes you have to make a stronger statement. That's what he did and should be commended for it. I would guess that you think Diebold's e-voting machines are a good thing as well...

Re:he has it coming (0)

Anonymous Coward | more than 7 years ago | (#17151806)

So, this whole "who watches the watchmen" bit doesn't wash with you? How does it feel to be so servile?

Re:he has it coming (3, Insightful)

Qzukk (229616) | more than 7 years ago | (#17151822)

Well, his intentions were obviously meaningless, since I can apparently still print out [aa.com] my own boarding passes [southwest.com] , legit or not.

It's a shame the TSA people think just like you, if people would quit trying to kill the messengers, we might start seeing something that looked more like security and less like cronies securing contracts.

Re:he has it coming (2, Interesting)

phoenixwade (997892) | more than 7 years ago | (#17151998)

No, I strongly disagree. The DOJ has already decided he is not a criminal, or at least decided not to prosecute. TSA seems to be getting their panties in a wad because he pointed out that the system is flawed, and did it in such a way as to force them to fix it. However, he didn't defraud anyone. He didn't use the tool to fly or to even bypass security. Seems to me, that after 4 years of TSA "Security" (more actually, but let's count from 9/11) stupid holes like that one should have been fixed.

Re:he has it coming (1)

rudeboy1 (516023) | more than 7 years ago | (#17152230)

BS.

White hat hackers do things like this pro bono all the time. Perhaps you might recall when a security researcher found a critical flaw in the Cisco OS that could have potentially been exploited to bring down half the internet's backbone infrastructure? Or perhaps you might recall the time that a security pro found a rootkit on a Sony CD? If I went up to you and told you your fly was down, that is a white hat hacker exploit report. If I went up to you and stuck a red hot poker through your open fly, that is a black hat exploit.

Though, I'm tempted to do that to you anyway, despite the color of hat I wear.

This guy didn't exploit the issue, he immediately made the responsible party aware of the problem. I don't recall him ever flying on a bogus boarding pass. Learn the difference and stop preaching blindly.

Re:he has it coming (0, Flamebait)

letxa2000 (215841) | more than 7 years ago | (#17152262)

I may be cynical, but what this guy did was WRONG.


The idiots here at Slashdot have modded you troll, but you are right.

Legally, what he did was wrong. And it doesn't require a degree in law to know that.

Second, what did he think was going to happen? It's one thing to state what everyone already knows: The security is a joke. But to demonstrate it in a way that makes the security easy to circumvent so that any idiot can do it is stupid. It serves no purpose. Consider the only three possible outcomes of this fiasco: 1) We can no longer print boarding passes at home, which really would annoy those of us who try to be as efficient as possible. 2) The security checkpoints would need scanners to scan the boarding passes to make sure they are real which is costly and just one more thing to slow down lines. 3) No change. It looks like we made it with #3, which was what I was hoping for myself.

And as a traveler, what he did was wrong. Yes, we know the security is worthless but the last thing I want is more security on planes. We have too much as it is. Make an effort to make sure no firearms, explosives, or unusually sharp objects are let into the secure area and call it done. I don't want more security, I want less. And drawing undue attention to the weakness of the current system only serves to increase the probability of them implementing real security that is going to make air travel so inconvenient as to be useless. Sorry, I don't want that.

So, basically, the guy that put up that boarding-pass generator is an idiot. Is he really a threat such that he should be on the no-fly list? No, of course not. But in this particular case, do I care? Nope. His little exercise had (and still has) the potential of making traveling less convenient for millions of people. So forgive me if I don't really care if his travel convenience is impacted.

The message? (1)

marcello_dl (667940) | more than 7 years ago | (#17151534)

So, what's the message these kind of reactions from the authorities send? To me it seems: "We don't really care if the system is really secure, there are always some friends might need to sneak in, one day. You just let yourself be searched and stay well put during the flight, cause if you don't we call you a terrorist. Trust us or else."

Re:The message? (1)

Who235 (959706) | more than 7 years ago | (#17151778)

The fact is that this is bullshit, plain and simple. If this guy goes down or gets fined, I hope all nerds with any discretionary cash pony up a little to help him out. He did nothing wrong. As a matter of fact, a pretty persuasive argument could be made that he did something very right.

So, what's the message these kind of reactions from the authorities send?

You are no longer being governed, you are being ruled.

Irresponsible researcher (3, Insightful)

Echoez (562950) | more than 7 years ago | (#17151550)

What is the actual value and goals of his research? A responsible researcher could have created a proof-of-concept, and raised awareness through media channels, research paper, blog etc. He should have also presented his research to the TSA and the airlines. Instead what he did was not research. He created a website to create fake boarding passes and released it to the public. There was no academic benefit. If I created forged passport software and released it, that's not research. Let's call this for what it is: trouble-making, not research.

Re:Irresponsible researcher (2, Interesting)

Midnight Thunder (17205) | more than 7 years ago | (#17151916)

This is something I was thinking. It is one thing proving there is an exploitation, it is another making it available to just anyone. The least he could have done is print void over the valid document he created. When you live in a society you need to exert a certain sense of responsibility. It should also be noted nothing is free from flaws and no security will ever be perfect.

Re:Irresponsible researcher (1)

maztuhblastah (745586) | more than 7 years ago | (#17152048)

I think the benefit is twofold:

1) If he had just submitted a report to the TSA, it would get lost in the bureaucratic hell that is the TSA (or more likely, it would just be ignored, since fixing it would cost money and time.)

2) The media coverage that the site, and subsequent harassment that he has received has raised awareness far more than a report to the TSA or a blog entry ever would.

By bringing up the issue in a very public way, he has made many, many people very aware of the "security theatre" that the TSA is. The fact that he is drawing so much fire from the TSA also helps demonstrate exactly how poorly suited they are to deal with the flaws in their system -- it's easier to silence those who point out the problem than it is to actually purchase real clothes for the emperor.

Added irony: the CAPTCHA for my post is "barefoot".

Re:Irresponsible researcher (0)

Anonymous Coward | more than 7 years ago | (#17152268)

"He should have also presented his research to the TSA and the airlines."

No, that would have also resulted in him getting investigated.

Currently in the US, anonymous submission to the media, or a specialised security forum, is the only safe option; and even then, it may not be that way for very long.

Nice in theory (5, Insightful)

MarkusQ (450076) | more than 7 years ago | (#17152280)

A responsible researcher could have created a proof-of-concept, and raised awareness through media channels, research paper, blog etc. He should have also presented his research to the TSA and the airlines.

You seem to be forgetting that that had already been done, up to and including having the information on how to create a fake boarding pass published on a congressman's web site for a year or so prior to his arrest. And yes, there had already been newspaper articles on it, and the TSA was either well aware of it and doing nothing or unaware of it even though it had been reported to them multiple times.

Let's call this for what it is: trouble-making, not research.

Ok, fine. It was trouble making. But for whom? It didn't lower airport security one iota. Anyone who cared about it already knew how to do it. What it did do, though, was make trouble for the fake "security" providers at the TSA, and point out the fact that they are ripping us (the taxpayers) off.

We saw the same sort of misleading argument come up when people started pointing out that US Military personnel were being given ineffective bulletproof vests; somehow the people who were trying to raise awareness of the issue were supposedly "helping the terrorists." Which is just nuts. What they were doing is making things uncomfortable for the crooks selling the defective jackets, and having zero impact on the people wearing them unless and until they could raise enough awareness of the issue to get things changed--in which case their actions would have helped the troops, not hurt them.

--MarkusQ

Re:Irresponsible researcher (1)

soft_guy (534437) | more than 7 years ago | (#17152322)

What is the actual value and goals of his research? A responsible researcher could have created a proof-of-concept, and raised awareness through media channels, research paper, blog etc. He should have also presented his research to the TSA and the airlines. Instead what he did was not research. He created a website to create fake boarding passes and released it to the public. There was no academic benefit. If I created forged passport software and released it, that's not research. Let's call this for what it is: trouble-making, not research.
I agree with you, but I still think his "trouble making" had value of raising awareness and also he should not be persecuted for it.

Airport Security is a joke (5, Insightful)

bigbadbuccidaddy (160676) | more than 7 years ago | (#17151564)

Airport security is a joke, and all he did is point that out. I will point something else out. When I was waiting in the immensely long line for United Domestic Check-In, I noticed they controlled access to the door behind the ticket counter with a simple mechanical combination lock. I observed several United Airlines employees entering and every time I could clearly see the code being entered. I felt very secure.

Re:Airport Security is a joke (4, Insightful)

smooth wombat (796938) | more than 7 years ago | (#17151650)

The biggest flaw in airport security is having large groups of people wait in closely packed lines to go through the check-in process.

I guess someone standing there with a rucksack full of explosives and going BOOM during a heavy traffic time, say the day before Thanksgiving, never occurred to our overlords.

Re:Airport Security is a joke (1, Insightful)

Archangel Michael (180766) | more than 7 years ago | (#17152208)

19 Hijackers killed some 4000 people, or about 200 people per hijacker. Totally destroyed several buildings, but all in a geographic location. Very spectacular. One building, in another geographic location, partially destroyed. One plane, completely missed.

I suspect that if they coordinated across 20 of the largest airports during the busiest time they could probably do a lot more damage (kill more people), without having to go through any security. But see, that wouldn't be as "Spectacular" as having buildings crash down.

Terrorism is a tactic, not the enemy. Islam isn't even the enemy, it is an ideology/religion. The enemy is RADICAL MUSLIMS*

*Possible redundancy detected, please confirm. Y /N ???

Re:Airport Security is a joke (3, Insightful)

loraksus (171574) | more than 7 years ago | (#17152232)

I'll have to admit that a small part of me wanted someone to drive up in a large vehicle and drive through the lines outside the airport killing and injuring dozens when the TSA retards had people lined up outside of the airport buildings in the last "security crisis"

Re:Airport Security is a joke (2, Insightful)

DerekLyons (302214) | more than 7 years ago | (#17151762)

Airport security is a joke, and all he did is point that out.

And that's the crux of the problem - he didn't act like a researcher (as he claims) and merely point out a security hole (as you claim). He crossed the line from researcher to (potentially) criminal when he published a tool on the web that had no other purpose than to make it possible for others to circumvent security.

Re:Airport Security is a joke (1)

RexRhino (769423) | more than 7 years ago | (#17152176)

Well, he figured that the only way they would FIX the security hole was to make it public. He didn't consider that Soviet style suppression of information would be how the U.S. government chooses to solve its security problems.

Re:Airport Security is a joke (1)

loraksus (171574) | more than 7 years ago | (#17152298)

Because just pointing to a security hole would actually result in something getting changed.

Clearly the TSA listens and has people smart enough to create countermeasures.

Oh wait... Even after all this fucking publicity, the fucking hole is still fucking open, MONTHS FUCKING LATER.

At least they're spending their (your) money on frivolous prosecution. That must be worth something right?
Right?

Re:Airport Security is a joke (2, Insightful)

Echoez (562950) | more than 7 years ago | (#17151854)

Your point is well-taken. In your case, the responsible thing to do then would be to notify the TSA and the authorities at the airport to your concerns. It would not be "research", however, to post the combination to that door on the Internet, or to reveal its location. This is analogous to what he did. It's one thing to point out flaws in order to help address them. It's another thing entirely to create tools and resources to help people exploit holes in the system.

Airport security is not tight, nor anywhere near a bulletproof system. But his actions in no way benefit or ameliorate this system; it only had the potential to cause more problems.

Not helping... (0)

Anonymous Coward | more than 7 years ago | (#17151568)

If these people think that they're making air travel safer by suing/investigating someone who makes a blatant security hole public, they're diminishing my trust in their methods. Jail time doesn't scare a suicide bomber.

Looks the same as the FBI investigation (1)

Thansal (999464) | more than 7 years ago | (#17151594)

His blog (http://slightparanoia.blogspot.com/) has scans of the letter.

Reading the letter makes it sound much like the case the FBI was working on against him (and subsequently dropped).

All of the legalese (as well as I can read it) states is that you can't make these or hire someone else to make them.

Well, he didn't, he just created a program that COULD. In this case (as with the FBI one) it all seems about intent...

Re:Looks the same as the FBI investigation (1)

Zonnald (182951) | more than 7 years ago | (#17151876)

Was there a scan of the letter he sent to TSA (or whoever) to say: Guys, on a hunch that your system may not be secure, I have created a program which generates a realistic boarding pass, in my opinion.
With your permission I would like to take this to the next level and supply several anonymous passengers with these "boarding passes".
I will supply the names and times that these people will be attempting to board, so that you can have hard evidence that this flaw in the system can have serious ramifications to Homeland Security (tm).
Details of the flaw will be provided upon request. I await your response...

Would that have been too hard?

Re:Looks the same as the FBI investigation (1)

bonoboboy (1033874) | more than 7 years ago | (#17152246)

I'm personally not surprised that the TSA is taking up the same case and evidence the FBI was using. Robert Mueller (Director of the FBI) has been very careful in protecting his agency from certain scandals; for example, FBI agents were nowhere to be found any time the CIA used torture during any interrogation. Likewise, I wonder if he is worried about fallout if the public continues to question the methods and tactics used by certain federal enforcement agencies. He may well have decided that this investigation could put his agency in water that was too hot for his comfort. The TSA, on the other hand, appears to have little in the way of self restraint or ethical guiding.

Proving a point is expensive.... (2, Informative)

zappepcs (820751) | more than 7 years ago | (#17151598)

This is the same problem with all kinds of security systems/programs. How does one point out the error/flaws in said system without falling afoul of the law(s)?

In this case, he would have been better off just telling people it could be done IMO. Just the same, if Kazaa isn't guilty, how can this guy be held responsible for what people did with his demonstration? If he personally used the fake boarding passes to fly and thus circumvent TSA rules, then he's guilty, should be punished. To demonstrate that it's possible doesn't make him guilty. Even making it possible for others to do so doesn't make him guilty of anything except making the TSA look stupid.

Printing counterfeit money is not illegal... using it is. Normally, nobody would print it without the intent of using it, but in this case, the whole effort was to prove that it could be done and show that a fake boarding pass ruins security measures. If he can print fake boarding passes, any reasonably savvy group can. The manner used to demonstrate this flaw surely makes it impossible to not fix the problem?

I hope that he is not slapped with huge fines...

Re:Proving a point is expensive.... (3, Informative)

TripMaster Monkey (862126) | more than 7 years ago | (#17151836)


Printing counterfeit money is not illegal...

Actually, it is [moneyfactory.gov] :

Manufacturing counterfeit United States currency or altering genuine currency to increase its value is a violation of Title 18, Section 471 of the United States Code and is punishable by a fine of up to $5,000, or 15 years imprisonment, or both.

Re:Proving a point is expensive.... (1)

Chosen Reject (842143) | more than 7 years ago | (#17152112)

You were gone for nearly three months and that is the best response you can come up with? If you made counterfeit US currency as a substitute for Monopoly, it would have no value, thus it is legal. According to what you wrote, you could even alter a genuine $20 bill into a $10 bill and that would also be legal. But perhaps, you would have been more wise to read Title 18 section 471. [findlaw.com]

Whoever, with intent to defraud, falsely makes, forges, counterfeits, or alters any obligation or other security of the United States, shall be fined under this title or imprisoned not more than 20 years, or both.

Now we are talking intent. Thus, counterfeiting money that you never use is in fact legal. Read the whole page you linked to and then read the actual contents of the law, and you will find every time they talk about intent to defraud. Thus the original poster was correct in saying it's not illegal to counterfeit money.

Re:Proving a point is expensive.... (0)

Anonymous Coward | more than 7 years ago | (#17151890)

Printing counterfeit money is not illegal... using it is.

Not true. Even taking and printing a full scale photo of any denomination of paper currency is highly illegal. Scanning a bill is also illegal. AFAIK, printing fake bills is a federal crime.

Re:Proving a point is expensive.... (1)

elviscious (681985) | more than 7 years ago | (#17152074)

"Printing counterfeit money is not illegal..."

Actually it is [moneyfactory.gov] . Despite that, I agree with you, the problem is not the fact that money is being reproduced, but that it is being used illegally. However, there is also a long history of counterfeiting being used to reduce the value of money [wikipedia.org] . With that in mind, it is legal to reproduce a dollar bill, provided that the reproduction is sufficiently larger or smaller. I believe the proportion was 50% or 150% normal size.

The gentleman being investigated by the TSA probably should have included a "This is an illegal reproduction" as text, as a watermark, or something else included in the image. At least then he would have had plausible deniability.

Re:Proving a point is expensive.... (1)

Chosen Reject (842143) | more than 7 years ago | (#17152148)

Actually, it isn't. [slashdot.org]

Predicting the /. response (0)

Anonymous Coward | more than 7 years ago | (#17151636)

"$11,000 per violation is ludicrous... he can't be held responsible for all those downloads by others."

Follow this recent thread [slashdot.org] on Slashdot and replace 'Kazaa customer' with 'Chris Soghoian'.

Oh Snap (4, Informative)

TubeSteak (669689) | more than 7 years ago | (#17151646)

Wired doesn't mention it, but in the kid's blog, he links to a re-implementation of his boarding pass generator, this time using html & java.

Coralized Archive of the mirror: http://geocities.com.nyud.net:8080/j0hn4dm5/forge. tar.gz [nyud.net]

The mirror:
-http://j0hn4d4m5.bravehost.com/
(Coral CDN didn't seem to work on it)

Maybe now the TSA will actually do something about their security hole.
Actually, I doubt it, but we can hope.

New Homeland Security Motto: (2, Insightful)

Lord_Slepnir (585350) | more than 7 years ago | (#17151662)

"Homeland Security: We can't secure any of our borders, but we'll inconvenience hijackers by making sure they can't brush their teeth!"

Security Threat (4, Interesting)

Archangel Michael (180766) | more than 7 years ago | (#17151670)

This whole airline TSA thing is a crock of BS. Over Kill.

So, a bunch of terrorists captured a couple of airplanes and flew them into buildings. Yeah, a bunch of people died, which is tragic. And the Economy Burped, which is ... expected.

However, we've learned our lesson, and have secured the airplanes better. In addition, I doubt, HIGHLY DOUBT, that they could get anywhere close to doing the same thing, given the same circumstances, mainly because the passengers wouldn't stand for it.

Screening 80 year old grandmas of their knitting needles is stupid. Taking off shoes is stupid. Banning Liquids is stupid. For all the inconvenience of it all, it will not prevent someone from trying to by-pass whatever security is setup, and eventually they will succeed.

I know for a fact that I could bring a knife on board a plane even today, even passing through all the security. They can't stop me if they can't see it. And there are such knives available.

The point is, all this "security" isn't really designed to prevent hi-jackers, it is designed to placate the masses. See my sig for more info

Re:Security Threat (1)

drinkypoo (153816) | more than 7 years ago | (#17151914)

Yeah, just put a plastic knife in your sock, underneath your foot. Bingo! You can slide right in with it. There are so many holes in TSA security that it's hard to know where to start pointing them out - and even harder to know when to stop.

Re:Security Threat (1)

Rombuu (22914) | more than 7 years ago | (#17152052)

know for a fact that I could bring a knife on board a plane even today, even passing through all the security. They can't stop me if they can't see it. And there are such knives available.

I'd like to hear more about your invisible knives.

Re:Security Threat (1)

kanweg (771128) | more than 7 years ago | (#17152352)

Ceramic knives, because they're not made of metal you can walk with them thru the Electronic Security Gates (not the first time I notice that Gates and security are mentioned in one sentence and that there's something bad with the security, but I digress). And they're extremely sharp (yes, Gates too, but I meant the ceramic knives). Of course, you don't need to buy an expensive knife, you just take your heavy glass bottle with liquor, which can serve as a multipurpose weapon and doesn't need to be concealed. Don't bring mother's milk in bottles. TSA wants it in the natural packaging.

I have a nice dad and we go on holidays some times. On one of those occasions after 9/11 he noticed in the airplane that he'd forgotten to take his pocket knife out of his carry-on luggage. Here, that shows how nice a person he is. I didn't have to convince him not to hijack the plane knowing that nobody else had a knife.

If he'd been a "researcher" he would have written the mistake on a piece of paper and stuck it with the knife on the cockpit door.

Bert

Re:Security Threat (1)

Ezzaral (1035922) | more than 7 years ago | (#17152078)

That's been my take on it ever since they went apeshit over security after 9-11. They slammed a bunch of kneejerk overreaction policies into place, made air travel a huge pain in the ass for the normal everyday person taking a flight, and pushed airline security hand-wringing to the forefront of everyone's eyes and minds - all to effect an illusion of having everything under control. I mean, just look at how hard they are scrutinizing us, it must be secure, right?

Thanks TSA. Preventing us from traveling with a lighter and shampoo has made the US a safer place to fly.

Re:Security Threat (1)

b0s0z0ku (752509) | more than 7 years ago | (#17152136)

So, a bunch of terrorists captured a couple of airplanes and flew them into buildings. Yeah, a bunch of people died, which is tragic. And the Economy Burped, which is ... expected.

The economy was starting to downturn months before 9/11 - I was taking off a semester from school and working. I wanted to take another semester off and move to Calif. for 6 months, and in October 00, there were still jobs available for the asking. By January 01, the supply of jobs had largely dried up.

However, we've learned our lesson, and have secured the airplanes better. In addition, I doubt, HIGHLY DOUBT, that they could get anywhere close to doing the same thing, given the same circumstances, mainly because the passengers wouldn't stand for it.

Actually, if they wanted truly good security, they'd hand out Tasers to randomly-selected passengers before boarding. Anyone trying anything overtly boneheaded will most likely get their ass (non lethally) zapped.

-b.

Re:Security Threat (1)

Dog-Cow (21281) | more than 7 years ago | (#17152360)

I agree completely, and I'll go one further.

Even if all passengers had to board naked and were not allowed any carry-on, there would still be successful hijackings if someone were desperate enough.

The 9/11 hijackers used box cutters because they could. If box cutters were banned (they aren't anymore), the terrorists would simply have used a cord to strangle or threaten to strangle someone. Should we ban all cloth now because it could be used in a hijacking attempt? It doesn't matter what is banned. There will always be a way to threaten deadly force.

So what did we learn kids? (2, Insightful)

drgonzo59 (747139) | more than 7 years ago | (#17151674)

Don't trust the government. Whenever you feel the "I just want to help" vibe coming on, rephrase that into "How can _I_ profit from this?". If he did that he would have sold his generator to al-Qaeda for cash and retired by now. He wanted to "help" and he got screwed!


The thing is, Americans cannot understand how someone could possibly just "want to help" and not "want to make money". If such a thing happens, then surely they must be up to something, they are probably a terrorist and should be locked up anyway.

The terrorists have won (0)

Anonymous Coward | more than 7 years ago | (#17151684)

It seems to me that the whole point of terrorism is to disrupt the normal lifestyle of those who are terrorized. The US government has often stated that they don't negotiate with terrorists. That's apparently true - they don't negotiate - they just capitulate and let them completely destroy the American way of life. BTW - I'm posting this anonymously so that I don't wind up on the no-fly list :-)

No-fly list? (2, Insightful)

theoriginalturtle (248717) | more than 7 years ago | (#17151694)

Is that their latest pre-emptive penalty, sticking people they don't like on the no-fly list? While not legally in the same category as house arrest, by infringing on his right to travel, have they or have they not already imposed a civil penalty?

I didn't actually see a citation of where he'd been placed on the no-fly list, can anyone find one and post it? Probably not, since the list doesn't even technically "exist" except as an abstract concept... sorta.

I have to strongly disagree with the dude above who insists that what CS did was "wrong." He neither invented the method of subverting a broken access control system (it had been possible to alter boarding passes with a $50 scanner and a cheap inkjet printer for who-knows-how-long) nor did he encourage anyone to break the law. Worse, TSA's head-in-anus response only even more strongly points up the problem with DHS overall: we can't fix our problems, but we CAN harass people who point the problems out to the world in the hope we might actually do something.

They're too busy making old ladies take off their shoes.

Re:No-fly list? (1)

b0s0z0ku (752509) | more than 7 years ago | (#17152284)

Is that their latest pre-emptive penalty, sticking people they don't like on the no-fly list?

I don't see the societal benefit of this either. He released the software, rather than selling it or using it for his own nefarious purposes. So he's unlikely to be "up to" anything evil. Since it's a government mandated list and not optional for large private carriers to follow, they should not place people (at least not US citizens or permanent residents[1]) on the no-fly list without trial.

-b.

[1]-> If someone in the US is suspected of planning a terrorist attack, they should be brought up on treason charges and a jury should be allowed to decide based on evidence. Petty penalties based on mere suspicion are unacceptable.

double jeopardy? (1, Interesting)

Joe The Dragon (967727) | more than 7 years ago | (#17151696)

This may fall under double jeopardy

Heil! (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17151710)

Heil Cheney!

You don't need a boat to get to Canada! (0)

Anonymous Coward | more than 7 years ago | (#17151838)

Although you might need some grizzly bear rifles and a big sign that says, "I do not want to marry a homosexual man!"

Simcurity: Fake Security (0)

Doc Ruby (173196) | more than 7 years ago | (#17151862)

The TSA will not bring any real charges against Soghoian. This entire exercise is pure simcurity, simulated security. The TSA runs a hollywood show for its political stakeholders, in Congress, the White House and in the media, to generate PR showing they're "tough on terrorists, strong on security". Without making us safer. In fact, putting us in danger, by ignoring real security requirements, creating security holes, suppressing serious research, and wasting time on this whole charade, when there isn't enough time, money, people, or actual resources to work on the real security work.

Soghoian is being sacrificed to this simcurity charade. As is the confidence of the public, ironically the only worthwhile product of simcurity.

The whole fake, yet lethal Bush simcurity apparatus has to be ripped out by the roots. We need more security than on 9/10/2001, not less. Congress should grab hold of the BS TSA next year and remake it according to our ranks of real security experts. Along with the rest of the leviathan Homeland Security Department, with its flagship FEMA. When Bush stands in the way, that will be even more reason to rip that terrorist incompetent, and his designated successors, out of the path of securing America.

Having it both ways... (1, Insightful)

Vellmont (569020) | more than 7 years ago | (#17151868)

I didn't actually see the site while it was up, so maybe the guy actually DID this, but.

To avoid being arrested, why not make the boarding pass have VOID VOID VOID printed all over it in such a way as it exposes the problem, but doesn't actually create a valid boarding pass. Then he would have violated no laws, AND exposed the poor security procedure at the same time.

Once the story broke he could create a boarding pass that's given to someone that's authorized to test the fake boarding pass, or others could independently confirm that the fake pass would work by comparing it to a real boarding pass.

Anyone know if the site did anything to show that the pass was actually invalid?

It seems a bit foolish to put up a working system and not expect the government to go all apeshit.

Re:Having it both ways... (1)

Mex (191941) | more than 7 years ago | (#17152296)

Well, the US Government allows guns, yet owning one is not a reason for anyone to go to jail. Just because he created software that *could* be used maliciously, he hasn't broken the law.

"attempted to circumvent an established civil aviation security program established in the Transportation Security Regulations"

As far as anyone knows, he did NOT personally attempt to circumvent the security program, and he did not encourage people to use it. He just said "You know it's possible to do this, you guys should be more careful."

It's the same as saying "You know, you can make a BOMB by combining these chemicals". He doesn't go to jail for that.

I read his blog, and it was clear he did it because he was concerned about the illusion of security from airports. He was just trying to help.

wtf! (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17151874)

so wait, He makes it so anyone can get a boarding pass.. aka, get through security.. etc etc..

basically gives terrorists boarding passes and now he's the victim? wtf?

Seen this before (1)

Nom du Keyboard (633989) | more than 7 years ago | (#17151902)

They're just not going to leave the poor guy alone. He embarrassed them, and they're going to make him pay and pay and pay. It looks a lot like getting on the wrong side of the RIAA. They can be entirely wrong, but it costs you a fortune and year(s) of your life to win, and then they only pay a pittance for all their unwarranted grief at best.

go to bed without supper! (4, Funny)

zeromorph (1009305) | more than 7 years ago | (#17151924)

Chris Soghoian [...] is on the government's 'no-fly' list.

Does that mean he is grounded for being naughty?

That's unfair. Obviously he did his homework.

NWA Boarding Passes are just HTML (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17152018)

I'll probably be on the no-fly list soon for this, but it's worth pointing out that what Chris did to NWA's boarding passes could be duplicated by just about anyone without special software. While I don't agree with how he exposed the issue (he should have used a fake airline/pass to show the risk), it is worth exposing some very very bad software design. The real criminals here are the coders who developed the boarding pass system for NWA.

The NWA online boarding pass generator uses HTML to render the boarding passes. There's no image processing or anything special involved in changing values on these. Just save it to your desktop, open it in your favorite text editor, and change the text. Bingo. You're flying first class.
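An added illustration, not part of the comment above and not any airline's or the TSA's code: the design gap described is that the printed HTML carries no integrity protection, so edited text looks exactly like issued text. The sketch below assumes hypothetical field names, a constructed demo key and constructed sample data, and has the issuer add an HMAC tag that a checkpoint holding the same key recomputes from the fields it reads off the pass.

```python
import hashlib
import hmac
from html import escape
from html.parser import HTMLParser

# Constructed demo key (assumption); a real issuer would keep it in a key store.
ISSUER_KEY = b"constructed-demo-key"
FIELDS = ("name", "flight", "date", "seat", "cabin")  # hypothetical field names


def _tag(fields: dict) -> str:
    """HMAC-SHA256 over the fields in fixed order, length-prefixed so values cannot run together."""
    msg = b"".join(
        len(v).to_bytes(4, "big") + v
        for v in (fields[k].encode() for k in FIELDS)
    )
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def render_pass(fields: dict) -> str:
    """Issuer side: plain HTML, as the comment describes, plus an integrity tag."""
    spans = "".join(f'<span id="{k}">{escape(fields[k])}</span>\n' for k in FIELDS)
    return f'<div class="pass">\n{spans}<span id="tag">{_tag(fields)}</span>\n</div>'


class _PassParser(HTMLParser):
    """Collects the text content of every <span id=...> in the document."""

    def __init__(self):
        super().__init__()
        self.values, self._current = {}, None

    def handle_starttag(self, tag, attrs):
        if tag == "span":
            self._current = dict(attrs).get("id")
            if self._current:
                self.values[self._current] = ""

    def handle_data(self, data):
        if self._current:
            self.values[self._current] += data

    def handle_endtag(self, tag):
        if tag == "span":
            self._current = None


def verify_pass(html: str) -> bool:
    """Checkpoint side: recompute the tag from the displayed fields and compare."""
    parser = _PassParser()
    parser.feed(html)
    parser.close()
    got = parser.values
    if any(k not in got for k in FIELDS + ("tag",)):
        return False  # missing field or tag: reject rather than guess
    return hmac.compare_digest(_tag(got).encode(), got["tag"].encode())


# Constructed sample pass; none of these values come from a real booking.
SAMPLE = {"name": "DOE/JANE", "flight": "XX 0000", "date": "01JAN",
          "seat": "23B", "cabin": "Coach"}
```

A tag like this only shows that the text is what the issuer produced; it does not replace checking the pass against the reservation record.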

Final proof the no-fly list isn't about safety (5, Insightful)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#17152064)

There's no reason to believe he even might endanger any airplane that he boards. There's not even the thread of suspicion you'd get from guilt by association. There's no allegation that he has violent tendencies or has threatened violence.

He's there because the no-fly list is a tool for control and coercion at the whim of the authorities without the restraint of statute or jury.

Balancing act... (1, Insightful)

multimediavt (965608) | more than 7 years ago | (#17152134)

I'm not saying that what the TSA is doing to this guy (or any of us) is right. I think it's blatant sour grapes! But, I don't condone Chris Soghoian's actions either. He should have "done the right thing" and approached the TSA *BEFORE* he made his findings public, and he certainly *NEVER* should have made his web app public. What he did was dumb and irresponsible, period. Was it illegal, ummm, that's up to the courts to decide.

Why is that a problem? (0)

Anonymous Coward | more than 7 years ago | (#17152258)

that's pretty much the end of my career here in the States.

So what?

Most Americans who have never lived anywhere else, or who immigrated from third-world countries, think the USA is the best place in the world to live.

But if you travel to any pleasant country, you will find that lots of Americans have chosen to live there.

YMMV, of course. But living in a country where the language is different from the one you grew up with is one of the most educational experiences there is, and you might eventually be grateful for the event which prompted you to leave the USA.

Geez, didn't this guy realize that... (1)

Kazoo the Clown (644526) | more than 7 years ago | (#17152356)

...it's illegal to make the TSA look stupid?