Last Friday, Rep. Edward Markey (D-MA) called for the arrest of Christopher Soghoian, and the takedown of his "Boarding Pass Generator" website which illustrated an airline security hole documented on the web for several years. Hours after the congressman's statement, Soghoian says FBI agents visited his home, then returned a second time after he'd left -- in the middle of the night -- with a search warrant signed at 2AM, and seized Soghoian's computer(s) and other belongings.
Now, several days too late, Markey issues another pronouncement which backtracks on his earlier statement. It's 250 words, but they boil down to one: "oops." Snip:
“On Friday I urged the Bush Administration to ‘apprehend’ and shut down whoever had created a new website that enabled persons without a plane ticket to easily fake a boarding pass and use it to clear security, gain access to the boarding area and potentially to the cabin of a passenger plane. Subsequently I learned that the person responsible was a student at Indiana University, Christopher Soghoian, who intended no harm but, rather, intended to provide a public service by warning that this long-standing loophole could be easily exploited. The website has now apparently been shut down.Link. (Thanks, Alex Therrien)
“Under the circumstances, any legal consequences for this student must take into account his intent to perform a public service, to publicize a problem as a way of getting it fixed. He picked a lousy way of doing it, but he should not go to jail for his bad judgment. Better yet, the Department of Homeland Security should put him to work showing public officials how easily our security can be compromised.
“It remains a fact that fake boarding passes can be easily created and the integration of terrorist watch lists with boarding security is still woefully inadequate. The best outcome of Mr. Soghoian’s ill-considered demonstration would be for the Department of Homeland Security to close these loopholes immediately."
Markey describes the website as "a lousy way" to point out the security vulnerability, and it would appear that he is not alone in this opinion.
On Friday, I spoke to Avi Rubin, a computer science professor at Johns Hopkins who previously exposed security vulnerabilities in RFID technology, and Diebold's electronic voting machines. Soghoian lists Rubin on his resume as a reference, and served as his teaching assistant for a semester in 2004 in a "Security and Privacy in Computing" class at Johns Hopkins University. Snip from interview with Rubin:
BOINGBOING: What's your take on the "Boarding Pass Generator" website?Reader comment: Adam Fields writes,
RUBIN: Even if he has a legitimate point, it shows a real lapse in judgement.
BOINGBOING: How would your team at Johns Hopkins approach it? How do you believe something like this might be handled more responsibly?
RUBIN: When we find a security vulnerability, we think about how to publish that information responsibly, and what information we may need to omit. When we find an exploit, the first thing we do is have a meeting about who to tell and how. When we discovered the problems with RFID, we brought the company involved into our lab for several weeks before we released the information.
Markey said,Ian Varley says,"He picked a lousy way of doing it, but he should not go to jail for his bad judgment. Better yet, the Department of Homeland Security should put him to work showing public officials how easily our security can be compromised."I don't think there's room in the budget for hiring everyone who can point out how easily our security can be compromised.
I'd like to take exception with the idea that Soghoian's web site is a "lousy way of doing it". The fact that he was not the first person to bring the vulnerability to light means that this information--the mere concept that any goof with photoshop skillz and a color printer could waltz onto any flight in the country--was already well known. But no one was doing anything to remedy that. In situations like this, a civil disobedience (which is truly what his web site is) sometimes represents the only ethical way to bring about change. Rep. Markey's retraction is a step in the right direction, but the only thing "lousy" here is the transportation security theater itself.BACKGROUND POSTS ON BOINGBOING:
* Fake Boarding Pass Generator guy and FBI: what about the law? (10-28-06)
* FBI returns to "Fake Boarding Pass" guy's home, seizes computers (10-28-06)
* Fake boarding pass guy reports he was visited by FBI (10-27-06)
* Congressman wants fake boarding pass guy arrested (10-27-06)
* Website generates fake boarding passes (10-26-06)
* Slate's Andy Bowers on airline security loopholes (02-07-05) Discuss Next post