A Ph.D Doesn’t Make You Smart
An idiot at the University of Indiana set up a website that allowed anyone to create fake boarding passes for a Northwest Airlines flight. He did this in order to highlight a flaw in the check-in procedure for e-tickets, claiming that anyone can use photo editing software to forge a false name on the ticket. While his complaint about the vulnerability may have been legitimate, his method of exposing the flaw was completely wrong.
From Wired here:
Security researcher Christopher Soghoian created the Northwest Airline Boarding Pass Generator in the hope of spurring Congress to look closely at the nation’s aviation security policies, which he calls “security theater.”
Soghoian, a Ph.D. student at Indiana University, says he has never used one of the fake boarding passes, which are likely good enough to get someone through airport security into the “sanitized” area of the airport, but not good enough to get anyone on a plane. He was waiting for clearance from lawyers at Indiana University before attempting to test if the method worked to get through security.
Soghoian told Wired News Thursday he built the site to expose security holes, not to help terrorists.
“I want Congress to see how stupid the (Transportation Security Administration)’s watch lists are,” he said. “Now even the most technically incompetent user can click and generate a boarding pass. By doing this, I’m hoping (Congress) will see how silly the security rules are. I don’t want bad guys to board airplanes but I don’t think the system we have right now works and I think it is giving us a false sense of security.”
Soghoian uses the same flawed thinking as virus writers and publishers of exploit code. Rather than cooperate with the company or manufacturer of the defective product and wait until they fix the flawed item, be it software or a security process, he jumped the gun and exposed the flaw unilaterally. Some security research companies have sat silently on critical flaws in software and procedures for months and months without exposing them. eEye is a perfect example of a company that urgently wants software to be patched, but will wait and not expose the vulnerability until a patch is available.
Soghoian had the gall to act surprised that all of his computers were seized in an FBI raid. I bet he’s on the no-fly list now too. This huge gaffe represents a critical flaw in his own resume, and it will be difficult for this man to get a clearance for any meaningful government security position. What a stooge.