Fake boarding pass guy reports he was visited by FBI – UPDATED

Christopher Soghoian, who created the Fake Boarding Pass Generator website, claims to have been visited by FBI agents this afternoon at his home in Bloomington, Indiana, according to a security researcher with whom he was instant-messaging at the time.

This news comes just hours after Rep. Edward Markey (D-MA) called for Soghoian's arrest, and for the takedown of his website, which generates phony Northwest Airlines boarding passes to illustrate an airline security weakness documented on the 'net since 2003.

Calls and emails I made to the 24-year-old computer science student after learning of the reported FBI visit were not returned.

An iChat transcript provided to BoingBoing shows Soghoian claimed the FBI was at his door between 345 and 350pm PST. He stopped responding to incoming IM messages at that time, and has not responded to other incoming messages since.

FBI special agent Wendy Osborne declined to confirm whether Soghoian had been visited or if an investigation was taking place, citing FBI policy, but said "We will confirm that he has not been arrested."

Soghoian's Fake Boarding Pass Generator website was taken offline today, but other content on the same domain is still accessible.

Soghoian's personal web page states that he is a PhD student at Indiana University's School of Informatics in Bloomington. According to an online copy of his resume, he has interned for Google since June, 2006, and in 2004 served for a semester as a teaching aide to Avi Rubin, a computer science professor at Johns Hopkins who exposed security vulnerabilities in Diebold's electronic voting machines. Reached by phone this evening, Avi Rubin confirmed to BB that Soghoian served as his teaching assistant for one Spring, 2004 semester in a "Security and Privacy in Computing" class at Johns Hopkins University.

UPDATE: Ryan Singel at Wired News has been following this story, also, and has a report here: FBI Says No Arrest of Boarding Pass Hacker. Snip:

While the boarding pass generator, which was intended to point out flaws in airport security, is gone, other portions of Soghoian's website, dubfire.net, are still live. Soghoian's computer still registers as being online according to Google chat, indicating that the feds have not probably not confiscated his computer.

See also this earlier Wired News story by Singel, Boarding Pass Hacker Under Fire. Snip:

"I want Congress to see how stupid the (Transportation Security Administration)'s watch lists are," he said. "Now even the most technically incompetent user can click and generate a boarding pass. By doing this, I'm hoping (Congress) will see how silly the security rules are. I don't want bad guys to board airplanes but I don't think the system we have right now works and I think it is giving us a false sense of security."

BACKGROUND — Previous posts on BoingBoing:

* Congressman wants fake boarding pass guy arrested
* Website generates fake boarding passes

UPDATE, 840pm PT:

The "Slight Paranoia" blog credited to Chris Soghoian now contains two posts which reference an FBI visit:

3:54pm PT
FBI at the Door
The FBI are at the door.
Off to chat.


Post FBI Visit

The FBI visited. They handed me with a written order to remove the boarding pass generator. By the time we were somewhere with internet access, the website had already been taken down. I am now safe (and no longer with the FBI). Still trying to find a lawyer…..

If you want to help, a good start would be to email Congressman Markey – who initially called for my arrest.

Soghoian's Blogger profile indicates that he is also credited as a co-author of this blog, where the Fake Boarding Pass Generator was announced in this post. Soghoian details the security vulnerabilities that inspired him to write the php Generator here on "Slight Paranoia:" Link.

He is hardly the first or only person to have pointed out this flaw. Over a year ago, in February 2005, my NPR "Day to Day" colleague Andy Bowers wrote a piece for Slate.com titled "A Dangerous Loophole in Airport Security," which was also blogged here on BoingBoing. In the Slate essay, Bowers described the same security loophole which Soghoian's "Generator" demonstrates in code.

And two years before that, security expert Bruce Schneier outlined the problem in an issue of Crypto-Gram Newsletter item titled "Flying on Someone Else's Airplane Ticket," dated August 15, 2003.

Assuming that Schneier was the first to publish an outline of the security vulnerability — that's more than three years during which the problem has been publicly known, but not resolved by either the airlines or government.

"The only way for these kind of problems to get fixed, are through through public full disclosure," Soghoian wrote when releasing the Fake Boarding Pass Generator. "TSA/DHS cannot be expected to fix anything unless they are publicly shamed into doing so."

* FBI returns to "Fake Boarding Pass" guy's home, seizes computers (10-28-06)
* Fake Boarding Pass Generator guy and FBI: what about the law? (10-28-06)