Fake Boarding Pass Site Stirs Concerns
(Soundbite of music)
ALEX CHADWICK, host:
It's Halloween, dear listeners. Time for a scary story. No ghosts and goblins, rather airline security. Joining us in our studio is DAY TO DAY tech contributor Xeni Jardin. And a couple of days ago, Xeni, you sent us an e-mail with this story.
XENI JARDIN: That's right, Alex. A 24-year-old student in Indiana named Christopher Soghoian created a Web site where you can produce a fake Northwest Airlines boarding pass. This could get you past security screening in the airport right up to the boarding gate. And he says he did this to draw attention to a security vulnerability that airlines and the government have ignored since 2003, when others first wrote about it.
CHADWICK: It wouldn't have the right bar code on it, so you couldn't actually get on the plane, but it would get you right up to the point where you were about to get on the plane.
JARDIN: Yeah, where you're close enough to potentially do damage. On Friday, Congressman Edward Markey issued a statement calling for Soghoian's arrest and the takedown of the Web site. Now that same day, according to Soghoian, FBI agents came to his house in the afternoon and those agents returned late that night with a search warrant. They confiscated his computer and some other belongings. And the FBI also took the Web site down, but they did not arrest Soghoian.
CHADWICK: Okay, well, he's done this because he sees this security flaw and he wants to draw attention to it. A number of computer security researchers now have come to his defense exactly on these grounds, yes?
JARDIN: Many believe that since the security flaw was first exposed all the way back in 2003 and hasn't been fixed, Soghoian should be commended. I spoke with Bruce Schneier. He's a computer security expert who, as far as I know, was the first to report the problem a few years back. In this case, he says writing about the problem wasn't enough. Someone needed to demonstrate the flaw and get various government agencies and airlines to pay attention.
Mr. BRUCE SCHNEIER (Computer Security Expert): My fear is that we're trying to scare people into not pointing out the vulnerabilities. And once we do that, then the bad guys know them and they never get fixed.
CHADWICK: Well okay, this has gotten attention, but still I'm a little uncomfortable with the idea of some Web site where you can print your own boarding pass.
JARDIN: Right, and it's not the intent that's at issue, but the way Soghoian went about it. One of his former professors at Johns Hopkins University is Avi Rubin, a computer security researcher, and he says he would've advised Soghoian to handle it differently.
Professor AVI RUBIN (Professor, Johns Hopkins University): I would contact the authorities and I would say that I have created a private demonstration that I want to show them to explain why there's a vulnerability.
CHADWICK: Okay, well the FBI did go to his house Friday and they took his computer. What is the FBI saying?
JARDIN: Right. They say that there's an ongoing investigation. They're probably looking at what he has on his computers. But as of yet he has not been charged. The findings will be reported to federal prosecutors, and they'll decide what to do. Special Agent Wendy Osborne from the bureau's Indianapolis office told me that getting help from the public is important, especially from computer whizzes like Soghoian.
Special Agent WENDY OSBORNE (Federal Bureau of Investigation): There's a lot of intelligent individuals out there that could assist law enforcement in its mission, and that would be something like referrals; contact us, let us know.
JARDIN: And I should note that Congressman Markey sort of backed off his earlier calls for Soghoian's arrest. He released a statement Sunday that while the Web site was a lousy way to make a point, the point was important. He said the government should hire Soghoian and not throw him in jail.
CHADWICK: DAY TO DAY tech contributor Xeni Jardin with a Halloween scare story. Xeni, thank you.
JARDIN: You're welcome.
CHADWICK: And stay with us on Halloween on DAY TO DAY.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.