At 3:54 p.m. last Friday, Christopher Soghoian wrote this on his blog: “The FBI is at the door.”
He wasn’t kidding.
Just two days before, the 24-year-old Indiana University computer science doctoral student posted a simple program on his blog — slight paranoia — that creates and prints fake boarding passes for Northwest Airlines flights.
The fake passes exploit the convenience of online check-in promoted by all major airlines. By printing boarding passes at home, travelers avoid airport waits at ticket lines or check-in kiosks.
In theory, the faux pass wouldn’t get you on an airplane, but it would get you past the airport security checkpoints, defeating the whole point of the boarding pass program.
Soghoian said he created the program to demonstrate that the Transportation Security Administration’s (TSA) boarding pass/ID check is “useless.” He calls the TSA’s efforts “security theater.”
On his blog, Soghoian stresses, “I have not flown, or even attempted to enter the airport with one of these fake boarding passes. I haven’t even printed one out. All I have done is create a PHP script, which highlights a security hole made public by others before me.”
Upon his lawyer’s advice, Soghoian is no longer talking with the media, but he told ABC News over the weekend that the TSA wants to make you feel secure without actually making you secure.
“As a member of the academic research community, I consider this to be a public service,” he said.
The TSA and the FBI do not.
The FBI showed up Friday afternoon with a written order to take down “Chris’s Northwest Airlines Boarding Pass Generator” from his site. By the time he responded, it had already been done for him.
But it didn’t end there.
Congressman Ed Markey (D-Mass.) issued a fiery statement calling for Soghoian’s arrest and prosecution.
“The Bush Administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane,” Markey said.
Perhaps Markey was unaware the online check-in vulnerability being spotlighted by Soghoian is hardly news. Last year, several Web sites pointed out the same flaw in the system, albeit without providing a convenient way to print out fake boarding passes.
Last year’s flap prompted Sen. Charles Schumer (D-N.Y.) to demand the TSA close the loophole.
“It’s unbelievable that after over three years of recalibrating aviation and airport security so that we can keep a close eye on suspicious individuals, this enormous hole remains in the system. It has rendered the terrorist watch list nearly useless,” Schumer said in a statement last year.
“In this post 9/11 era, the terrorists will find our weakest link and we can’t leave any stone unturned.”
But we have, and all Soghoian did was show — again — where a security problem exists.
Frightened after the FBI visit, Soghoian spent the night elsewhere and began seeking an attorney since Indiana University told him he was on his own, graduate work or not.
It didn’t end there, either. The FBI returned with a search warrant issued at 2 a.m. Saturday morning.
“I came back today to find the glass on the front door smashed,” Soghoian later wrote. “Inside, is a rather ransacked home, a search warrant taped to my kitchen table, a total absence of computers — and various other important things.”
As of Wednesday, Soghoian hasn’t been charged with any crime, and even Markey has changed his mind.
“Under the circumstances, any legal consequences for this student must take into account his intent to perform a public service, to publicize a problem as a way of getting it fixed,” Markey said. “He picked a lousy way of doing it, but he should not go to jail for his bad judgment.”
Indeed, he should not.
Instead, Soghoian should be seriously listened to not only on the loopholes in the TSA boarding-pass program but on the larger point: what looks like security isn’t really security.
Take, for instance, e-passports.
Much has been made over the last few years about securing the information contained on the RFID chip embedded in the new passports. The government ultimately wove a metallic mesh into the passport cover to thwart unauthorized efforts to read the chips (often called skimming).
What is rarely noted is that once government machines read the chip, the information is matched with data in federal databases, which are notoriously weak on security.
Why bother with skimming when it’s easier to just hack into the government databases? The latest computer security report card compiled by the House Government Reform Committee gave the Department of Homeland Security an F.
Seven other agencies, including the State Department, also received F’s.
Soghoian is right: It’s all theater.