Fake NWA Boarding Pass Site Removed, Creator Visited By FBI

The creator of the NWA Boarding Pass Generator has taken down his site after coming under heavy national scrutiny.

BoingBoing reports that this Saturday morning, the FBI visited Chris Soghoian and handed him a written order to take down the site. By this time, Soghoian had already removed the generator.

On Friday, Rep. Edward Markey (D- Massachusetts) called for the site’s removal and Soghoian’s arrest.

As Wired points out, the hole is nothing new. Bruce Schneier wrote it up in in ’03, Slate in ’05, and Sen. Chuck Schumer issued a press release about it in April ’06.

Soghoian, a security researcher, has never used one of the facsimile boarding passes and says his only intent was to bring public attention to a glaring security hole.

“The only way for these kind of problems to get fixed, are through through public full disclosure,” Soghoian wrote on his blog when releasing the boarding pass generator. “TSA/DHS cannot be expected to fix anything unless they are publicly shamed into doing so.”

(Thanks to Ian and Luke!)

Comments

Edit Your Comment

  1. homerjay says:

    Lets all say it together– “DURRRRRRRRR!!!!!!”

  2. Chris H says:

    This security hole was rather obvious, and I hope pointing it out doesn’t result in losing online checkin!

  3. Grrrrrrr, now with two buns made of bacon. says:

    I’m with homerjay–“DURRRRRRRRR!!!!!!”

    Sure, it’s a flaw and a loophole, but that’s not a good way to point it out. Members of the TSA and FBI have a sense of humour that dips well into the negative numbers, so messing with them is like asking for a one-way coach ticket to your local penitentiary.

  4. acambras says:

    Not a shocker that the feds got involved.

  5. mechanismatic says:

    I wouldn’t put myself out on that limb, but I think that is the way to go about getting something done. Sadly, a lot of politicians and bureaucrats only seem to do anything when some glaring public circus is made out of a particular fiasco.

  6. RumorsDaily says:

    What better way to point out the problems in the system than to demonstrate it in a way that demands a response and endangers nobody? This was an excellent, well targeted effort.

    Now, using one of the tickets, of course, would be an AWFUL idea. That will land you in jail. Showing why and how the system is flawed is the only way to get it fixed (especially since it’s clear people have been complaining about the problem for years with no response forthcoming from the feds).

  7. RumorsDaily says:

    Also, you know, it’s funny.

  8. Guess he got his fifteen minutes! :)

  9. Wow. Can’t say that I’m surprised. In fact, when I followed the link not long after it was posted, the site was already down. I guess he heard those black helicopters circling overhead…

  10. Trai_Dep says:

    “On Friday, Rep. Edward Markey (D- Massachusetts) called for the site’s removal and Soghoian’s arrest”

    This is outrageous. A guy, another guy, and a THIRD guy (a Senator, no less) all warn the Powers That Be that there’s a glaring hole in our airline security.

    Gods forbid that we address real threats (unscreened cargo, inadaquate boarding pass generation, credit card spoofing of electronic tickets, screening of maintenance contractors…). Instead we have Kabuki Security that turns air travel into the ninth circle of Hell while doing nothing to make us safe.

    Then we get a bright guy who casts a spotlight on the same security hole that a US Senator and others tried to publicize, to no avail. Only Soghoian was clever enough to get the issue national attention. He deserves a medal.

    Sen Markey is a grandstanding fool. He’s shooting a civic messenger trying to point out the threats to air travelers instead of fixing real threats.

    Absurd.

  11. Solo says:

    Next thing you know, the FBI is subpoena-ing Adobe to get a list of all people who own Photoshop. Then they’ll go after everyone who has a printer. Or a computer.

    I wonder on what ground he could be arrested.

    There are (alot) more dangerous things availabale to the public. And anyway, this focus on airline travel is idiotic. Ask the subway travelers in London.

  12. Chongo says:

    I would actually say Thank You to the man who made this site. These types of things are the only true red tape cutters out there.

  13. homerjay says:

    I would like to hear if he even tried to let the ‘proper authorities’ know that he was able to do this and that its a major security hole BEFORE he went and broadcast it to the word. Although it still wouldn’t make it right in their eyes, it would certainly give him personal justification.

  14. XopherMV says:

    The authorities have known about this possibility for years. Public officials have mentioned it before, but have been ignored. They’ve known that anyone can edit their boarding passes. All our security warnings and hysterics over bringing shampoo, apple juice, and other liquids on airlines is small potatoes against the possibility of this boarding pass problem.

    The only reason this guy got in trouble is that he set up a website to do so, very publically humiliating the TSA, Homeland Security, the President, and all the Republican party right before the election. We’re no safer with these clowns in charge and this guy let everyone know.

  15. ajn007 says:

    I’m just glad we aren’t seeing photos of him with a zip tie around his wrists and a canvas bag over his head. Or that he hasn’t disappeared. I think this example shows great restraint by a government pretty reactionary when it comes to anything remotely considered “terrorist” (even though Rep Markey’s rhetoric seemed to indicate he wanted Soghoian thrown into Guantanamo). But one has to wonder if the same treatment would have been afforded to Soghoian had he not been white or if he was Muslim.

  16. Grrrrrrr, now with two buns made of bacon. says:

    But one has to wonder if the same treatment would have been afforded to Soghoian had he not been white or if he was Muslim.

    Oh come on, now..this is the United States. Of course not.

  17. Trai_Dep says:

    HomerJay: if a freaken SENATOR raises this issue of the boarding pass security failure, and it doesn’t cut through the red tape, then the top five layers of Homeland Security should be fired.

    It’s a sad state if it takes a freaken blogger to raise an important issue to the national stage.

    Oh, wait a minute…

  18. madderhatter says:

    DOH ! Dumbass, I saw that coming a mile away. No doubt they got the history of who tried to go to the site as well. Suckers ! (I can’t remember if I did or not … DOH x 2 !)

  19. Yeah, right, dumbass. Because obviously his goal was to stay under the radar and make Mad Phat Loot by photoshopping boarding passes. Talk about duh.

    The guy was trying to get attention called to a dangerous security problem and he did it. Bravo! We need to see more of this, because “Homeland Security” has been doing a shitty job and concerned mostly with making certain companies money, and public humiliation is the only thing that will make them stop.

  20. Trai_Dep says:

    I’m not usually in the habit of quoting, but Wil Wheaton had an apt comment on BoingBoing that I’ll share:

    “Doesn’t it seem like the FBI is coming down on this guy with all the power of a fully-operational space station to make an example of him, and thereby silence anyone else who may get some crazy ideas like speaking freely about how ineffective the Department of Homeland Security is?

    I wish the government spent 1/10 the effort tracking down really bad guys as they spend going after American citizens who use their constitutional rights.

    This shit (and the martial law thing) are the scariest things I’ve read this Halloween season.”

  21. acambras says:

    trai_dep — was that THE Wil “Wesley Crusher” Wheaton?

  22. Trai_Dep says:

    Yup. He’s transcended his, “1,000 Ways We Want To See Wesley Chrusher Die Improbably Yet Horrifically Painful Deaths” stage. He now posts some pretty decent stuff on his blog.

    Guess that means, no more posting all those Wesley Gang-raped In Klingon Gulag slashfics. Damn you, Homeland Security, for crushing Art(r) yet AGAIN!

  23. Trai_Dep says:

    (should also note here, that pre-adolescent sci-fi geeks can blossom into HOT(!) (!!) adults. Would hate any potential mates get the wrong idea, if ya know what I’m saying…)

    (wink. wink. nudge.)

  24. kegsofduff says:

    I applaud this man for making some huge flaw in the TSA apparent. This may have been published before but I for one did not know about it.

    To think that the newly created TSA is any better than the pre 911 security is ridiculous. It took a lot of balls on the creators part to make the whole so easy to exploit. He of course knew it would be shut down quickly, but if it takes individuals to make things safer then I’m proud of them.

    I’m in my 20s and wouldn’t have had the balls to make an exploit so easy and draw the attention of the feds, but this guy is beter than me in that point.

    Terrorists aren’t going to use the same channel after it has been focused on and closed, they are going to find another whole, use that, then after they succeed, the fed will close that whole.

  25. Celeste says:

    Yes, it’s extremely unfortunate our security seems to be directed in an entirely reactionary instead of anticipatory manner. The only way to get anyone to do something about a major security flaw is to exploit it, as publicly talking about it is obviously just not enough. DHS has been a joke from day one, and its security philosophy seems to rely on inconveniencing travelers as much as possible in order to show they’re ‘doing something’ instead of addressing actual threats and vulnerabilities.

    When people point out things like this, they should be applauded, and asked what they recommend to fix it, not threatened with arrest.

  26. I was going to comment on the topic but then I read this:

    Guess that means, no more posting all those Wesley Gang-raped In Klingon Gulag slashfics.

    Thank G-d I wasn’t eating something; I’d have choked to death. Is this the first reference to slash made on this site?