A PhD security student who exposed how easy it was to bypass airline security has had part of his website taken down by the FBI. Chris Soghoian, a British citizen and PhD student at the University of Indiana, created a tool which could generate NorthWest American Airline boarding passes with any name of the user's choosing. When he posted about it on his blog he gave the following possible uses:
1. Meet your elderly grandparents at the gate
2. 'Upgrade' yourself once on the airplane - by printing another boarding pass for a ticket you're[sic] already purchased, only this time, in Business Class.
3. Demonstrate that the TSA Boarding Pass/ID check is useless.
The last of those reasons is the most important without a doubt. To be able to generate, with such apparent ease, a boarding pass for any NorthWest flight of one's choosing, in any name of one's choosing, represents a threat to airline and airport security of massive proportions. A boarding pass will get you through security check, and once there, well, God knows what mayhem could be caused. It makes a mockery of the so-called "no-fly lists".
However, there is of course a downside to Christopher's decision to publish the tool via his blog as he did. Highlighting security flaws is no doubt important, but it ought to be done through official channels; otherwise, sadly, what eventually happened to Chris happens. It began with calls, from the Senator who originally pointed out the potential security flaw, for Chris's arrest and the removal of the website, and ended with the FBI.
The University, according to Chris's blog, told him he was on his own if he got arrested, and yesterday, his blog had a short post saying "The FBI are at the door. Off to chat". The Boarding Pass website is now gone. Three hours after going for a chat with the Feds, he posted again saying "I am now safe (and no longer with the FBI). Still trying to find a lawyer....."
Personally I hope he does find himself a good lawyer. His decision to publish was, I think, unwise, but his intentions certainly lacked malice. He should be praised for having highlighted such a flaw in the system, and, frankly, the US Government should be offering him a job. There is a front to the "War on Terror" on the Internet, and it needs people like Chris.
UPDATE: Apparently the FBI returned to Chris's home last night whilst he stayed elsewhere. They smashed the glass on his door to enter and seized his computers and other belongings, then left the warrant taped to the table. Chris's blog appears to be down at the moment, but more details can be seen here.