October 30, 2006 4:04 PM PST
DIY boarding pass site gets shut down
FBI agents raided Christopher Soghoian's home over the weekend, seizing computers and other equipment, Soghoian wrote on his blog. They first visited him Friday afternoon with a request to take the site down, but when he got online, he found that the site had already been removed, he wrote.
Soghoian, reached via e-mail on Monday, declined to comment for this story, citing advice from his lawyers to lie low.
Wendy Osborne, a spokeswoman for the FBI's Indianapolis office, confirmed that agents had searched Soghoian's home as part of a joint investigation with the Transportation Security Administration. "We will conduct a thorough and complete investigation," Osborne said. "We are certainly concerned with any potential breach in security, particularly at the airports."
Soghoian, a computer security student at Indiana University Bloomington, built the Web site to underscore an airport security weakness, he wrote. The site was spotlighted late last week after Wired News and ABC News reported on it. U.S. Rep. Edward Markey, a Massachusetts Democrat, called for Soghoian's arrest, but then backed off on Sunday.
The FBI will present the findings of its investigation to the U.S. Attorney's Office for the Southern District of Indiana, which will determine whether Soghoian violated any federal laws, Osborne said. At this point, the student has not been charged and he has not been arrested, she said.
Soghoian's "Northwest Airlines Boarding Pass Generator" let people create boarding passes that look virtually identical to the ones printed from the Northwest Airlines Web site. They could be used to get past airport security, but not to get on an airplane, because the airline would have no record of the reservation, Soghoian said.
"I have not flown, or even attempted to enter the airport with one of these fake boarding passes," Soghoian wrote Friday. "I haven't even printed one out. All I have done is create a PHP script, which highlights a security hole made public by others before me."
The Web site went online last Wednesday and immediately attracted attention. Bruce Schneier, a noted security expert, linked to it from his blog on Thursday. Schneier highlighted the same issue with the print-at-home boarding passes on his mailing list more than three years ago. U.S. Sen. Charles Schumer, a New York Democrat, warned of the same security issue last year and again in April this year.