My inbox has been flooded with emails of support, encouragement and best wishes from friends, family and people from around the world. The PayPal legal defense fund is doing pretty well - and thus I thank everyone who has donated to the fund.
While the university's legal team have said they won't protect me - the professors/students here at IU have been amazingly supportive, esp. those in my department and my adviser in particular.
Members of the press: I really can't comment right now. Even if you send me an email saying you're on my side, I still can't comment. I urge you to read this blog going back for the last week or so, and top-notch coverage by places like Wired News and BoingBoing.
However, I can at least tell you that my last name is pronounced Soh-Goy-An.
48 comments:
What is your defense for offering a fake document generator?
Don't even think of "First Amendment" protections. They do not apply.
Do you also stand up in theatres and scream, "FIRE!" - just to watch the resulting chaos?
Clint Bradford
Riverside, CA
Hey Clint,
If the government fixes this hole, you'll be more safe when you fly. Trolls aren't terrorists so you're safe---annoying but safe.
Chris,
Thanks for getting back to me about your name today.
Our segment turned out well and I wish you the best of luck.
-Brian
He didn't do this to see the chaos. He did it to make a point. It was fairly harmless. As plenty have said, this won't get you past the security checkpoints. He simply wanted to draw attention to this before someone else did.
Frankly, I believe you are getting everything you deserve. You state three reasons for producing this generator:
1. Meet your elderly grandparents at the gate
2. 'Upgrade' yourself once on the airplane - by printing another boarding pass for a ticket you've already purchased, only this time, in Business Class.
3. Demonstrate that the TSA Boarding Pass/ID check is useless.
In response:
1. Yeah, this would work. However, if you can demonstrate a need any ticket agent in the country can issue you a security pass that allows you to pass into the 'sterile area' beyond the checkpoint and assist your grandparents. Redundant.
2. You would need to know which business class seat is empty for this to work. How are you going to know that? Without this knowledge, you would most likely end up duplicating seats with someone. Who fixes this problem? The gate agent. All you would accomplish is getting yourself thrown off the aircraft.
And all US network carriers provide the lead flight attendant with a list of all seated business/first class passengers. Using your bogus pass would ensure your name does not appear on this list. At best, the flight attendant would ignore the discrepancy and let it go. But in most cases the flight attendant would suspect fraud and have you detained at destination for investigation.
3. And the most important one... This check is the most important link in security next to the scrutiny when the ticket is purchased.
There is now no verification of boarding pass to passenger at the gate. Why not? Because the only thing that prevents a terrorist or someone on the no-fly list from using a ticket/boarding pass purchased in another name from boarding an aircraft is the TSA check administered before entering security.
Yeah, the one you characterized as 'useless'.
I can't believe that a PhD candidate would not be able to reason this out. So I question your reasons for posting this PHP script. I submit the following:
1. Get your 15 minutes of fame.
2. Get free money through your 'legal' fund.
3. A goof that got out of hand.
Or, what I think really happened:
4. Response to a bad experience with TSA. What happened? Forgot your government-issued ID and they wouldn't let you through? Running late and didn't have a boarding pass? Didn't watch the news and had to throw out all your toiletries?
Look, I don't think you should do jail time. But a fine is very much in order, as well as addition to the no-fly list for a good long time.
Just as a driver's license is not a right but a privilege, air travel is also a privilege. And you have proved you are not entitled to it.
Good luck.
Just thought you should know: work with your lawyer and try to get a detailed list of everything they took. If you work fast and play your cards right, you might possibly get everything back.
http://thomas.loc.gov/cgi-bin/query/z?c106:H.1658.RFS:
Know your rights.
clint-
I suppose you hold the same regard for the makers of photocopy machines and white-out. They too can be used to make copies or fraudulent documents.
Your analogy makes no sense. I'm not exactly sure why you are comparing this work to shouting "FIRE!" in a theater... If he had posted warnings to the feds about bombs in football stadiums THAT would be like shouting "FIRE". What he did is point out that his photocopier can be used to create fake theater tickets -- and this was not the first time it was done.
And anyway, Chris need not justify his actions in terms of "defense", rather in "reasons." Many things done in the history of our country were illegal, though considered justified by today's standards. Do a search for Civil Disobedience or Rosa Parks and see what comes up.
To clint bradford:
It's more like screaming "The theater seats aren't flame retardant!"
What is your defense for posting without thinking first? How many times must it be said, the exploit has been available for three years. All he did was say "see, look at this!". I flew Northwest a couple of weeks ago, and all I'd have to do is scan, photoshop, and reprint my boarding pass, so it's not like he's shown us anything new. Knee-jerk "look at me, I'm a PATRIOT!!!" posts are just sad.
Clint,
Aside from your misguided notions, this is very much a free speech issue. It is the same reason that a person can publish materials that show and detail how to manufacture bombs and explosives. It is the same free speech that gives you the right not to use said feature.
The flaw isn't that the individual targeted in this case abused any law but rather materially provided bona-fide proof, that has been in the public domain prior, of the TSA's ineptitude.
If you stop to think that some terrorist is going to just run off and use a PHP page and generate a boarding pass and not generate fake credentials through other means, you sir are a bonehead.
Do you think terrorists are so stupid as to not think of these things ahead of time? Is it so hard to think that maybe some terrorist is actually smarter than you are?
Instead of badgering this poor guy for exercising his rights, why don't you call your congressman and beg for more useless Orwellian security tactics.
You don't get it, do you, Clint? The terrorists already knew about this loophole; the generator shouted, "Hey, TSA, stop pretending they don't!"
That analogy is really not apt. I wish that idiot John Nance would stop using it. Yelling "fire" in a crowded theater is an act that presents a clear and present danger to the public. In this case, he exposes a problem that has been public knowledge since at least February 2005. Tell me, if this was such a dangerous security loophole, then why hasn't it been fixed? Nance himself argues that the loophole he exposed is not serious.
What Chris has done is precisely what he intended to do. He raised awareness of an issue that he felt should be addressed. That is, that the security measures at airports are "security theater" and do not provide much, if any, protection against terrorists.
Source: ABC News
Your intentions are incredibly noble. I applaud your desire to improve the security of this great nation. While your intentions were noble the means may not have been in the best judgement. Either way, this only shows the current status of our government. A public criticism results in persecution by the police and other agencies. If you had gone to the FBI directly to show them the flaw the result would most likely still be the same. They would be investigating you for criminal actions. I also am a specialist in the computer field and do a lot of security analysis. I have found numerous flaws in many government networks including local police agencies. I have not exploited them though as I am well aware of how they would respond. So I pray that you will be allowed to continue to do what you do best. Perhaps, the government will be able to remove head from sphincter and realize that you would be best used in the employ of the U.S. government improving a very insecure country. Fear is a great motivator and you have put the fear in them. But like usual their motivation is misdirected. You have my support and encouragement. To put a smile on your face just go to Google and enter failure then hit the i feel lucky button. That always makes me laugh.
Just read the H-T story about the FBI Raid. What thugs! It's the typical post 9/11 government response: when a systemic flaw is pointed out, shout "treason" (essentially) and get into full, repressive cover-up mode. If they put half the energy into *solving* problems that they do into silencing critics, we might actually have some real security, instead of the "security theater" that involves lots of fancy equipment, uniformed staff, and inconvenience, but almost no real protection, as has been shown time and again.
Hang in there!
Hey Chris,
The way you have been treated by these people is outrageous. Creating the website probably wasn't a good idea, but it hardly constitutes an act of terrorism or an act supporting terrorism. At worst it is a case of shenanigans. At best you highlighted how pointless some of the security procedures are.
I'm also a PhD student and have some idea of how disruptive this must be for you. Good luck. I hope this blows over and you get a magazine deal or two. :-)
Les
Sydney Australia
What if this guy was a student in say Cuba or something like that? Web scripts can be used in all sorts of ways and can (as clearly demonstrated) be used for all sorts of things,
The fact is, it shouldn't be so easy to bypass security in the way illustrated.
Get over yourself Mr Clint Bradford.
Robert UK
Clint,
If you are going to be exceptionally ignorant, you really shouldn't be advertising it on the web.
This young man just pointed out the inanity of the TSA's "Security Theater" approach to air travel in this country. The "fake document generator" you refer to is entirely different than screaming, "FIRE", in a crowd. It is completely harmless (What idiot could *not* figure out how to generate a fake boarding pass off the web?), a great piece of parody, and actually managed to get some press pointing out the absurdity of what we are now subjected to at the airport as a result of GW's "politics of fear".
He should need no "defense" for his actions, as nothing he did should be against any law in a "civilized" society. Unfortunately, he did it in the United States, which is rapidly moving away from what the rest of the world considers to be civilized social behavior.
My only criticism of his actions is that, as a presumably educated grad student, I believe he should have kept himself well enough informed of recent events to know that, under the Bush Administration, he was begging to be "squashed" by a heavy-handed government that no longer cares about whether or not they have the constitutional authority to do the "squashing".
rlparker
>>...I applaud your desire to improve the security of this great nation...
Let's get real.
A true "hero" would have taken this privately to the appropriate authorities. THEN published his account of how he solved a security problem.
He stated his true intentions: To allow unauthorized access to boarding gates ("meet your grandparents"), and defrauding the airlines with bogus upgrades.
And he deserves acclaim and accolades and support for this?
Clint Bradford
Member, ACLU
Member, Electronic Frontier Foundation
Chris -
1. You made the newspaper, congrats.
2. What are you doing with the donations if you don't need them?
I think you were right in pointing out the flaw. I probably will never fly myself (I am afraid of flying, I've been that way my whole life) but I know a lot of people who do. I hope things go well for you :)
I wrote a similar service to generate fake service notifications for the New York City subway system:
whereandy.com
I'm sure this has been said already, but maybe if they made the printable boarding passes less easily reproducible, we wouldn't have had this whole mess...
Chris you have a right to do what you want. Don't let the evil mongers threaten you in any way, shape or form. These who claim to protect the innocent while going off to war without any warrant thus creating more enemies who in the end target us.
Stand up for what you believe in!
Having a novelty item and the real thing is totally different. So read this you hypocrites! "You think you're doing right for the innocent and free but you're not!"
Hope it all works out for you Chris! All the best.
AviationNut
I've known it for years but this just proves again that free speech is a lie.
I recently received a boarding pass which made me think - 'How easy to fake is this? How slack on the airline's part...'
I'm glad someone made the point in a way that can't be ignored.
I truly hope they don't shoot the messenger and that you get your stuff back.
Clint,
Chris is not the first one to bring this flaw to the attention of the authorities. Congress has known about this for years. A senator demonstrated how it could be done in his office a couple years ago. Mind you that he is a politician and not technically minded. So what Chris did is right. The authorities were well aware of the issue. The public was informed but not well. Chris shined a spotlight on this flaw and screamed look! He has the nation's attention. What he did was to simply use the snowball effect. He did something small and let the rest of the world snowball it into something massive. Now the nation is screaming for this to be fixed. Let's see Congress and the airlines ignore the flaw now. The only reason Chris is in trouble with the government is that he pointed out to the world yet once again how inept and ineffective our government is. And mind you I am a solid Republican. Perhaps you all should go through archive media footage and relive 9/11. They stopped showing it because it was too upsetting to the American people. Well we should be upset...in fact we should be pissed. Chris has probably just made it more difficult for those who would terrorize us to do their evil deeds. If Chris was a soldier, he would get a silver star for his actions. We should be thanking him not criticising him. He has probably saved hundreds of lives. He may have saved yours or someone you know and love. Did you consider that reality? So Clint, go back to whatever hole you crawled out of...get on the web and do some serious research before you decide to come back out and speak. Thomas Jefferson said this of free speech, "The freedom of speech is like an outstretched fist. You can wave it all around but if you hit someone it is no longer freedom of speech as you have infringed upon someone else's rights." So whose rights did Chris infringe when he posted that? He did not infringe upon any individual's rights or even a group of individuals.
What he did was point out something the government was aware of and doing nothing about it. That is free speech. That is part of checks and balances. So Chris, Thank you from the bottom of my heart. You have served this nation well. I do not think the government is stupid enough to martyr you for helping the country.
I just read about your story. While I would never do something so bold, I agree that the TSA needs to review its security measures. I am living in London right now, and I have noticed so many differences in the treatment of security in many airports. For example, on my flight here, I left from Pittsburgh. No problems there, got through security without even batting an eye. Here, I go to Dublin and Paris and get patted down both times. The most bizarre thing was that they don't check ID at the first checkpoint. They just look at the boarding pass. Once you get to the gate, then they will check the pass. So, you just proved to the world that there is a serious flaw in the system. I wish you luck, and I'm sure you will be fine in all of this.
Sad that people can't even have "fun" anymore. It's a fucking generator. There are hundreds of these on the net of all diff. kinds.
Perhaps they should pay better attention to what is going on in the airports and borders and other more important sites on the net..than this.
I bet while I sit here and type this and you sit there and read it, that someone has just illegally boarded a plane with a pair of scissors.....OMG...the horror.
This country is turning out to be a fucking joke and while "officials" are spending their time with trivial bullshit...the country is going to hell in a handbasket.
God Bless the Divided States of America
Chris is just paying the price for the ignorance of our government. I contacted the TSA and Fox News via telephone back in 2003 regarding this same loophole. Their response... Yawn, we'll look into it sir. Now that it has people's attention, something may actually get done to correct the 'hole'. If the Avis Car Return agent can have a wireless scanning device to track rental car arrival, why can't a TSA agent have one for boarding pass validation?
http://draconum.net/index.php?title=fake_boarding_pass_generator_mirror_d&more=1&c=1&tb=1&pb=1
Mirror for the new Javascript version. I'm hosting the tar.gz file of the new site's source code.
"It is not the function of the government to keep the citizen from falling into error; it is the function of the citizen to keep the government from falling into error."
-- U.S. Supreme Court Justice Robert H. Jackson
I commend you for bringing attention to this gaping physical security flaw I've often wondered about myself while waiting in airport security checkpoint lines.
I don't necessarily agree with the manner used to deliver the point (akin to publishing proof of concept exploit code), though there indeed are times when a "push" is needed to gain attention.
The Feds response is yet another reminder of life post 9/11.
LMAO... And the government thought they could just shut down the website hosting the generator. Apparently, it is being hosted on at least another site. This will not go away until they fix the flaw.
It's nice to see our government, with all its wonderful resources, has managed to find this student and shut down his site.
You should have changed your name to Jimmy Hoffa. Not a chance in the world they could find you.
Personally I hope the Gov't hires you...to expose their flaws...good luck to ya.
Chris --- hang in there, ok? We are thinking of you and hope that you will make it through this alright.
Love,
Steffi
London, UK
I would think a grad student would have better things to do than cause legal trouble for themself.
In some part, it is because of people like you that we get knee-jerk reactions from politicians that make things even more difficult at the airport. Grow up.
From spusa.org: "If you were in Soghoian’s shoes would you have published the website to expose holes in aviation security?
Answer: No, I have too much to lose and am afraid of the Government.
Was there a genuine risk associated with this site, and, if so, did the benefits of the site outweigh the risks?
Answer: Herro - Do we all think the terrorist types are dumb? Hell, I thought of printing a fake boarding pass 4 years ago so I could take my mom to the gate. Duh. I have seen a guy after 9/11 put a 3" pocket knife thru x-ray get it back. How's that for suckurity. I would have turned him in but he was in his 70's and I didn't want to miss my flight because I knew the concourse would be evacuated. ...and I lived to tell the tale.
Should legal action be taken against Soghoian?
Answer: What did he do wrong? Embarrass big brother. For that he must pay. This is a hi-tech Ruby Ridge or Waco. Go get him feds. Chris, I doubt NWA will redeem your miles. Plan on driving for awhile.
The university has informed Soghoian that they will not provide him with legal counsel. Do you think the university has an obligation to protect graduate students exercising academic freedom who run into legal trouble?"
The University should fight but they are chickensh*t. This is evidenced by the fact they fired Bobby Knight. But they won't.
This isn't a security hole.
Boarding pass and ID checks to clear the security checkpoint could be discarded and we'd be no less safe.
Persecuting or prosecuting someone for this is idiotic. Northwest Airlines suing him would be more appropriate than government agents going berserk like this over an issue that has no security implications when it comes to flight safety.
The chicken little, nervous nelly surrender monkeys need to grow up and realize that there is no security threat to a flight posed by someone clearing a security checkpoint with a fabricated boarding pass or even fake ID available to most every college kid in America.
Yeah Chris,
Become a responsible adult- find a wife who needs you to take care of her (it's the responsible decision!) make babies all willy-nilly, continue to work and pay your taxes...maybe then you'll be a real human being so afraid of disrupting the status quo that you'll hush up (or maybe you're just too busy working to support your freeloading wife and kids and to pay those taxes that perpetrate a government you don't support...yikes)
You know where I stand, and I'll brace you with all the support I can.
Good luck.
I personally would like to thank you for exposing this, and I hope you don't suffer the wrath of the govt. for trying to prove a point.
I hope our skies are safer because of it. I hate all these so called goody two shoes, who if on a hijacked plane would be the first ones crying, please don't hurt me, instead of trying to save their asses like the brave people on flight 93 on 9/11. If they don't have something supportive to say, then just shut up.
Hey,
Way to go! I hope this brings enough attention to the issue that changes are made to the system. Your 15 minutes of fame may have made our future flying experiences safer. If it works-- THANKS!! If not... at least you've got a story to tell the grandkids 60 years from now. :)
In the Sunday (Nov. 5th) Baltimore Sun newspaper, they said you aren't going to jail. I think that's great news (here's the article:
http://www.baltimoresun.com/news/opinion/ideas/bal-id.blog05nov05,0,7933516.column
I hope you continue what you are doing, because I believe you have done a good thing (just be a little careful in the future ;))
Best of luck Chris. Your experience makes me further glad that I don't live in the US. The idea that by pointing out a previously publicized flaw and publishing code to that effect makes you a criminal or terrorist is ludicrous.
The forms generated by that code are not false documents until they are printed by a site visitor for use. Publishing the means and highlighting a security failure is the act of a responsible citizen.
Only an unthinking jingoist would argue otherwise.
1. Nothing done by Chris Soghoian has made us safer.
If Chris gets his way, shutting down (or overhauling) online check-in or print your own boarding passes will still do nothing to provide security, especially because boarding pass checks at the airport security checkpoint don't provide security; nor are boarding pass checks designed to provide security (except in the minds of fools); nor will boarding pass checks ever provide any form of flight safety/security.
2. Chris Soghoian's website boarding pass creator didn't make us any less safe either.
Using a fake boarding pass is not a pass to skip the airport security checkpoint, so putting up the website had 0 -- ZERO -- security implications.
Why are so many people unable to see that the airport security measures are mostly a dog and pony show, a charade? Why are so many people unable to see that boarding pass and ID checks provide no security, nor are they meant to provide security, when it comes to airplane passengers. Instead of the government and government apologists obsessing over ID and boarding pass checks, perhaps focusing on searching for explosives, weapons and improvised weapons would yield better results than the current security nonsense.
And now we even have this foolish "war on liquids" at airports. But the twits who defend the liquid and gel restrictions at airports don't realize that the screeners are still not determining what is in those mandatory plastic bags full of liquids and gels and that it's easy to circumvent anyway.
So many fools, so little understanding. That's why we've got the government we deserve.
thank god for people like you. i really admire what you did.
traki, bet labi (translation: crazy, but good)
word to the republicans.
Keep up the good work! It's funny that you are being punished for showing people that a vulnerability exists. Do we close the loophole? No, it's cheaper to shoot the messenger.
You really made my day, knowing that we "free speech" Americans have let everyone know of another one of our security flaws. Does anyone else want to point out any of the other 1,000 ways to breach security at the airports? Perhaps we can list them all, then post more ways to get around the new security checks that the airports have to impose; all the while complaining about the increased cost of airline tickets (to cover the expensive security equipment and increased staff to run it) and wasted time getting through screenings (because they have to check everything)!
People complain about being "tracked" and how "Big Brother" is watching, to the point that our SSN isn't even safe any more, yet posts like yours just make fingerprinting, microchipping, and tracking devices all the more necessary so we can "prove" our identity. Nothing is private any more! It's too bad the airport didn't force you into the puffer-machine when you didn't have your id, but then you'd have some civil rights group claiming your rights were violated or that you were singled out because of your age, race, sex, color, or strange piercings and purple hair, rather than accepting the fact that these machines have become necessary because of people like yourself.
Thanks to people who have nothing better to do than try to cause trouble, we'll soon be boarding planes in hospitals gowns, while everything else has to get checked into the hold. Next, we'll have "cavity searches". (How about posting your thoughts on that, Christopher?!?!?!?!?)
"Click Here" to contribute to your "defense fund"? You get yourself into trouble and then expect hard-working Americans to pay to bail you out? And you want a pro-bono lawyer, too? Grow up and quit expecting others to take care of you, little boy! The homeless need my financial help. You, dear boy, need to grow up and get a life! Offer your services to the airport, free of charge, if you're so concerned about safety!!!
And by the way, the government had every right to confiscate your equipment and search your house. Just because you say you aren't a terrorist doesn't mean that you aren't. How do I know you aren't going to use that Paypal $ to fund terrorist operations? You certainly wouldn't be the first person to take advantage of the American public and play on their sympathy with false claims of "dying of cancer" or "only doing it to expose a problem with security". By the way, have you written any good worms or viruses lately? The ones who got caught claim they are only trying to expose a security breach (but they've ruined a lot of computers and bankrupted a lot of businesses along the way)! Maybe your time would be better spent helping close security risks rather than exposing how to exploit them!!!
Look at CLOSING the security problem, not EXPOSING the security problem!!!
Look at CLOSING the security problem, not EXPOSING the security problem!!!
Wow, Chris' own troll! Congrats; I think that means you're officially big-time now.
The boarding pass generator is NOT a security problem ... and so therefore it does NOT need to be closed. Therefore "exposing" that a boarding pass generator exists is NOT exposing a security problem either.
The nuts simply can't think. It's time to wake up and realize that ID and boarding pass checks are not security; they are a wasteful dog and pony show and should not be done at airports.