[Infowarrior] - Boarding Pass Hacker Breaks Silence

[Richard Forno]

Boarding Pass Hacker Breaks Silence
http://blog.washingtonpost.com/securityfix/2006/11/boarding_pass_hacker_brea
ks_si.html#more

Chris Soghoian, the Indiana University doctoral student whose online
demonstration of serious flaws in airport security prompted an FBI
investigation, broke his silence this week after the government terminated
its investigation into the matter.

Soghoian had refused to talk to the media ever since the FBI visited his
home in Bloomington, Ind., on Oct. 27 and carted away computers and other
equipment. The federal action came in response to Soghoian's decision to
post a tool on his Web site that would allow someone to print a fake
boarding pass that could be used to evade the "no-fly" list -- a key
government tool in keeping suspected terrorists off of airplanes.

In an interview with Security Fix on Saturday, Soghoian said he was ready to
set the record straight now that the FBI had ended its investigation and the
local U.S. attorney had declined to press charges. A spokesperson for the
FBI's Indianapolis field office confirmed that the investigation was closed
on Nov. 14.

Soghoian's boarding pass generator highlighted a loophole in the
Transportation Security Administration's policy for screening passengers
against the no-fly list. The problem is that boarding passes are compared to
a person's ID only at initial airport security checkpoints, not at the gates
where passengers board planes. And the boarding passes are scanned and
verified only at departure gates, not security checkpoints.

In discussing the tool that he created, Soghoian said that even if the TSA
plugged the security loophole -- by requiring ticket readers at the initial
terminal security checkpoint and integrating the no-fly list with every
airlines' computer systems -- the current legal status of the TSA's policy
allows anyone to refuse to show ID at check-in if they consent to additional
screening.

"Everyone focused on this issue of fake boarding passes, but no one touched
on the issue of a person [telling airline security screeners] that they
don't have any ID on them," Soghoian said.

To help put Soghoian's point in perspective, consider the case of John
Gilmore, co-founder the Electronic Frontier Foundation. In 2002, Gilmore
refused to show his ID while checking in for a cross-country flight. He was
told he could fly if he agreed to a "secondary screening," which he also
refused. Gilmore said he was told that there were security directives that
mandated the showing of ID, but that he was not allowed to view said rules.

Gilmore later sued the government to gain access to the rules. The case
wound its way up to the 9th Circuit Court of Appeals, which privately viewed
the rules and decided that airline passengers could either present
identification OR opt to be subjected to a more extensive search.

This summer, Gilmore challenged members of the Department of Homeland
Security's privacy advisory committee to test the court's ruling -- i.e. to
see if it's possible to fly domestically without an ID. Committee member Jim
Harper, director information policy studies at the CATO Institute, a
libertarian think tank, accepted the challenge. After a thorough screening
that involved a slew of tests for traces of explosive materials, Harper made
it through screening and was allowed to fly without showing ID. And he
believes he made it through security faster than he would have had he showed
an ID.

In a phone interview Monday, Harper said the whole ordeal demonstrates the
ineffectiveness of identity-based screening at airports.

"You could fix all these holes in airline security screening and you still
wouldn't have a secure, identity-based system," Harper said. "Identity
doesn't tell you what someone plans to do, especially a person who has
newly-adopted terrorist plans or who has just joined some terror-related
organization recently. The 9/11 operation -- with two exceptions -- was
carried out by people who weren't known to U.S. authorities and were already
operating in a mode to defeat the watch list we've since put in place. So
the current system merely requires al Qaeda to continue using techniques
they were using in the past. So this -- like so many other security systems
that we have post-9/11 -- start[s] from such a level of abstraction that
they end up being total surveillance systems."

Indeed, Soghoian himself said he successfully tested the no-ID policy on
four different flights over the past four months. The experience, he said,
left him scratching his head as to why the government bothers with the
no-fly list at all.

"There's the ability to get on a plane and do bad things and the ability to
get on a plane to avoid the government knowing who you are. We as citizens
have given up some of our rights to fly safely, and that takes care of the
first issue," Soghoian said. "The question is whether we're willing to be
searched and inconvenienced solely to protect the government's no-fly list,
which doesn't make us any safer."

So what lessons should other people take away from this before they try to
publicize loopholes in U.S. security checks?

One of Soghoian's attorneys, Stephen L. Braga, a partner with the
Washington, D.C., law firm Baker & Botts, said doing the research to find
such loopholes is fine. It's what you do with the information that matters.

"I think the clear takeaway from this is for people to go ahead and do their
research, develop a thesis of what the flaw is and bring it to the attention
of the authorities if it has any potential for misuse, but don't post it
online," Braga said. "People really need to think twice about whether
putting things like this out there might fall into the wrong hands and be
used for illegal purposes."

Soghoian said that when he met with officials from the U.S. Attorney's
office in Indianapolis to retrieve his computer equipment, he was told that
the crisis might have been averted if he had pasted some sort of "SAMPLE" or
"NOT FOR BOARDING" disclaimer watermark on his boarding pass generator -- to
better illustrate that the tool was created merely to make a point, not to
abet anyone trying to evade the no-fly list. But Soghoian said he believes
that the issue would not have garnered the national attention that it did if
he had included those disclaimers.

"The fact is that [the government] has been told about these vulnerabilities
time and time again. When a U.S. Senator puts step-by-step instructions on
how to fake boarding passes on his Web site and the problem isn't fixed, we
have to ask ourselves what more will it take?" he said. "My hope is things
will get fixed but my worry is they won't and this will all get get swept
under the carpet again."