Saturday, October 28, 2006

Airport security whistleblower being scrutinized, questioned?

Fake Northwest Airlines Boarding Pass

The FBI was at security researcher Christopher Soghoian's house today. Soghoian, a Ph.D. of Indiana University, decided to create a Fake Boarding Pass Generator (apparently forced to shut down by the FBI today) to bring attention to a serious security risk to airports. Soghoian had no intention of using a fake pass, and no intention of breaching airport security. In fact, as Soghoian states, "I haven't even printed one out."

Despite Soghoian's intentions, his arrest was called for by Rep. Edward Markey (D-Massachusetts), a member of the House Homeland Security Committee. And as Ryan Singel of Wired writes, "Even if Soghoian's site is shut down, any boarding pass purchased over the web can still be easily edited in any browser." Got a computer? Got a printer? You've got a fake boarding pass!

This specific loophole is not new. Bruce Schneier wrote about it in 2003, and Slate covered it in 2005. Soghoian points out that Sen. Chuck Schumer (D-New York) made the same security hole public in April 2006. "Perhaps Sen. Schumer will end up being my cellmate," Soghoian said.

I believe that this sort of "testing" should actually be encouraged. It's how security firms create better products and systems, by having hackers test them and try bypassing them. It's raw and it works. The only thing the FBI should be "investigating" is ways to make it more difficult to make fake boarding passes, and Christopher Soghoian should be praised.

Via Christopher Soghoian's Slight Paranoia and Wired
