From: www.itworld.com

Blog Insights: Airline Insecurity

by Dan Blacharski

November 7, 2006

 

What bloggers are saying about the latest in information technology



A noisy flap took place last month when Indiana University student Christopher Soghoian created and made available a computer program that allows people to print bogus airline boarding passes. Cnet correctly reported in a recent piece that this episode brought a security flaw to the public's attention. According to the report, however, federal agents quickly shut the site down and seized the student's computers. The program he created was in fact based on a potential flaw that was not new at all, and the security flaw had already been made public. But the reason Soghoian was targeted by the Feds was that he was the first to actually create a program that could be used to exploit that flaw. Security expert Bruce Schneier has written about this vulnerability in the past as well. His blog, Schneier on Security, tells a bit of the history of this flaw, which existed and was known long before Soghoian ever considered it.



Airport security is a mish-mash of procedures and protocols, some that work and some that don't. Schneier makes an interesting point that the photo ID requirement does very little for security -- the reason for implementing it was purely financial, since it prevented individuals from reselling their tickets.



I've always wondered why people hack computers. Mostly, they do it for illicit financial gain, but some have other axes to grind, points to make, and a certain level of self-righteousness that gives way to a sort of virtual vigilantism. They say, "I don't like what this organization represents, so I'm going to hack their site." In Soghoian's case, perhaps he wanted to make a point about flaws in airline security, and went about it by exploiting those flaws publicly and providing a vehicle for others to do so as well. This system can be broken, so I'm going to break it. Simple.



Soghoian's own blog tells an interesting tale of testing the limits of airport travel and security. On October 25, he posted his "boarding pass generator" program, in an attempt to "demonstrate that the TSA boarding pass/ID check is useless." He's probably right, but it was only a couple of days later that he wrote about being visited by the FBI, who demanded that it be removed immediately. The second FBI visit was a bit more dramatic, as they smashed in his front door, ransacked his home, and removed his computers -- an unnecessary over-reaction in my opinion, since (1) the web site had already been taken down, and (2) Soghoian was obviously not a terrorist or a criminal. Yes, the web site should not exist, and the authorities were correct in demanding that it be shut down. But he shouldn't be subject to late-night raids and the threat of prison.




His intentions may have been good, but Soghoian chose a poor way to make his point. Suppose, for example, you happen upon a secret entrance to a bank vault. What is the ethical thing to do? Rattle the secret entrance door, make sure it opens, and announce to all the bank robbers nearby that it is available, and then loudly proclaim that having done so was a legitimate means of pointing out a security flaw? Or go straight to the authorities and report it so that it can be fixed? I admit, as a college student I loved creating a little drama and getting my fifteen minutes of fame, so I may have opted for the former option had that opportunity made itself available. But of course, that option is ethically flawed.


A Harvard Law blog takes a look at the law of the situation. The real question is whether disclosing sensitive information, in this case a serious flaw in airline security, does more harm than good. An argument can be made in Soghoian's defense to the effect that, while he was indeed guilty of creating a dangerous web site, his actions may have prevented a "greater harm" by bringing this information to light. At the end of the day, we have to realize that Christopher Soghoian isn't the problem here, and prosecution of him is only taking attention away from the shortcomings of airport security and the TSA.