Christopher Soghoian

Born 1981 (age 30–31)
San Francisco, California
Residence Washington, DC, United States
Alma mater
Occupation Researcher, activist, and blogger
Known for Security and privacy activism
Website www.dubfire.net/

Christopher Soghoian is a Washington, DC-based researcher, activist, blogger, and Ph.D. candidate at Indiana University. He first gained notoriety in 2006 as the creator of a website that generated fake airline boarding passes. Since that incident, he has continued to engage in high-profile activism related to privacy and computer security. Between 2009 and 2010, he worked for the US Federal Trade Commission as the first ever in-house technical advisor to the Division of Privacy and Identity Protection.[1] Soghoian is an Open Society Foundation fellow.[2]

Education

Soghoian received a B.S. from James Madison University (Computer Science) and a Masters from the Information Security Institute of Johns Hopkins University (Security Informatics; May 2005).[3]

Boarding pass security

On October 26, 2006, Soghoian created a website that allowed visitors to generate fake boarding passes for Northwest Airlines. While users could change the boarding document to have any name, flight number or city that they wished, the generator defaulted to creating a document for Osama Bin Laden.

Soghoian claimed that his motivation for the website was to focus national attention on the ease with which a passenger could evade the no-fly lists.[4] Information describing the security vulnerabilities associated with boarding pass modification had been widely publicized by others before, including Senator Charles Schumer (D-NY)[5][6] and security expert Bruce Schneier,[7] but Soghoian received media attention for posting a program on his website to enable the automatic production of modified boarding passes.

At 2 AM on October 28, 2006, FBI agents raided his home to seize computers and other materials.[8] Soghoian's Internet Service Provider voluntarily shut down the website after it received a letter from the FBI claiming that the site posed a national security threat.[9] The FBI closed the criminal investigation in November 2006 without filing any charges.[10] The TSA also initiated a civil investigation in December 2006,[11][12] which was closed without any charges being filed in June 2007.[13][14]

Privacy research and activism

In May 2011, Soghoian was approached by public relations firm Burson-Marsteller and asked to write an anti-Google op-ed, criticizing the company for privacy issues associated with its social search product. Soghoian refused, and instead published the email conversation. A subsequent investigation by journalists revealed that the PR firm, which had refused to identify its client to Soghoian, had been retained by Facebook.[15]

In May 2011, Soghoian filed a complaint with the FTC, in which he claimed that online backup service Dropbox was deceiving its customers about the security of its services.[16] Soon after Soghoian first publicly voiced his concerns, Dropbox updated its terms of service and privacy policy to make it clear that the company does not in fact encrypt user data with a key only known to the user, and that the company can disclose users' private data if forced to by law enforcement agencies.

In December 2009, Soghoian released an audio recording he made at a closed-door surveillance industry conference. In the recording, an executive from Sprint Nextel revealed that the company had created a special website through which law enforcement agents can obtain GPS information on subscribers and that the website had been used to process 8 million requests during the previous year. A Sprint spokesperson later clarified that the number reflected the number of individual "pings" for location, not unique individuals under surveillance.[17]

In December 2009, Soghoian released a letter written by lawyers for Yahoo!, objecting to the release of documents detailing how much the company charges for government-requested surveillance activities. In the letter, Yahoo!'s attorneys argued that: "[T]he [pricing] information, if disclosed, would be used to 'shame' Yahoo! and other companies – and to 'shock' their customers. Therefore, release of Yahoo!'s information is reasonably likely to lead to impairment of its reputation for protection of user privacy and security, which is a competitive disadvantage for technology companies."[18] When a copy of the price list subsequently appeared on Cryptome, Yahoo! sent a DMCA takedown request to the website in an attempt to force the removal of the information.[19]

In June 2009, Soghoian published an open letter[20] to Google that was signed by an additional 37 prominent security and privacy experts, urging the company to protect the privacy of its customers by enabling SSL encryption by default for Gmail and its other cloud-based services.[21] In January 2010, Google enabled SSL by default for users of Gmail,[22] and in May 2010, the company announced that it would soon offer SSL encryption for search (although not enabled by default).[23] One month after Google started to encrypt Gmail traffic, the Iranian government blocked all domestic access to the service, an action motivated by the fact that the government could no longer monitor Gmail communications.[24]

Congressional investigation into TSA website flaws

In February 2007, Soghoian announced that a TSA website was collecting private passenger information in a highly insecure manner.[25] The website was intended to provide a way for passengers to file disputes in the event that they were incorrectly included on the No fly list. Passengers who submitted their information through the website were at risk of identity theft. TSA shut down, fixed and then relaunched the website within days, after the press was tipped to the story by Soghoian.[26]

In January 2008, the House Committee on Oversight and Government Reform issued a report on the incident, the result of an investigation.[27]

The report stated that the flawed website had operated insecurely for over four months during which over 247 people had submitted personal information using the insecure web-forms.[28] According to the report, the TSA manager responsible for assigning the contract was a high-school friend and former employee of the owner of the firm that created the website.[29] The report also noted that "neither [the private contractor] nor the technical lead on the traveler redress Web site have been sanctioned by TSA for their roles in the deployment of an insecure Web site. TSA continues to pay [the private contractor] to host and maintain two major Web-based information systems. TSA has taken no steps to discipline the technical lead, who still holds a senior program management position at TSA."[30]

References

  1. ^ Zetter, Kim (2009-08-17). "Outspoken Privacy Advocate Joins FTC". Wired News. http://www.wired.com/threatlevel/2009/08/soghoian-joins-ftc/. Retrieved 2009-11-20. 
  2. ^ http://www.wired.com/magazine/2011/11/mf_soghoian/all/1
  3. ^ [1]
  4. ^ Soghoian, Christopher (2006-10-26). "Chris's NWA Boarding Pass Generator". http://www.dubfire.net/boarding_pass/. Retrieved 2007-03-05. 
  5. ^ Schumer, Charles E. (2005-02-13). "Schumer reveals new gaping hole in air security". Archived from the original on 2006-11-21. http://web.archive.org/web/20061121183131/http://www.senate.gov/~schumer/SchumerWebsite/pressroom/press_releases/2005/PR4123.aviationsecurity021305.html. Retrieved 2006-11-30. 
  6. ^ Schumer, Charles E. (2006-04-09). "Schumer Reveals: In Simple Steps Terrorists Can Forge Boarding Pass And Board Any Plane Without Breaking The Law!". http://schumer.senate.gov/SchumerWebsite/pressroom/record.cfm?id=259517. Retrieved 2006-11-30. 
  7. ^ Schneier, Bruce (2003-08-15). "Flying on Someone Else's Airplane Ticket". Crypto-Gram. http://www.schneier.com/crypto-gram-0308.html#6. Retrieved 2006-11-30. 
  8. ^ Krebs, Brian (2006-11-01). "Student Unleashes Uproar With Bogus Airline Boarding Passes". Washington Post. http://www.washingtonpost.com/wp-dyn/content/article/2006/10/31/AR2006103101313.html. Retrieved 2006-11-30. 
  9. ^ Singel, Ryan (2007-11-29). "Is A Gov Shutdown Of A Website Without A Court Order Ilegal? Supreme Court Suggests Yes". Wired News. http://blog.wired.com/27bstroke6/2006/11/is_a_gov_shutdo.html. Retrieved 2008-03-05. 
  10. ^ "IU Student, Focus Of FBI Probe, Speaks Out". TheIndyChannel.com. http://www.theindychannel.com/news/10419665/detail.html. Retrieved 2006-11-30. 
  11. ^ Kane, David (2006-11-28). "Letter of Investigation, page 1". Transportation Security Administration. http://photos1.blogger.com/x/blogger/6601/1598/1600/34338/tsa1.jpg. Retrieved 2006-12-07. 
  12. ^ Kane, David (2006-11-28). "Letter of Investigation, page 2". Transportation Security Administration. http://photos1.blogger.com/x/blogger/6601/1598/1600/401327/tsa2.jpg. Retrieved 2006-12-07. 
  13. ^ Kane, David (2007-06-06). "Warning Notice, page 1". Transportation Security Administration. http://bp3.blogger.com/_Jo3bGS8EYL8/Rp9KTdFd0hI/AAAAAAAAAUs/K2zF59o8yY4/s1600-h/tsa_01.jpeg. Retrieved 2007-07-23. 
  14. ^ Kane, David (2007-06-06). "Warning Notice, page 2". Transportation Security Administration. http://bp1.blogger.com/_Jo3bGS8EYL8/Rp9KT9Fd0iI/AAAAAAAAAU0/uxio-7G47pg/s1600-h/tsa_02.jpeg. Retrieved 2007-07-23. 
  15. ^ Helft, Miguel (2011-05-13). "Facebook, Foe of Anonymity, Is Forced to Explain a Secret". The New York Times. http://www.nytimes.com/2011/05/14/technology/14facebook.html. Retrieved 2011-07-17. 
  16. ^ Singel, Ryan (2011-05-13). "Dropbox Lied to Users About Data Security, Complaint to FTC Alleges". Wired News. http://www.wired.com/threatlevel/2011/05/dropbox-ftc/. Retrieved 2011-07-17. 
  17. ^ Zetter, Kim (2009-12-01). "Feds ‘Pinged’ Sprint GPS Data 8 Million Times Over a Year". Wired News. http://www.wired.com/threatlevel/2009/12/gps-data/. Retrieved 2010-05-15. 
  18. ^ Zetter, Kim (2009-12-01). "Yahoo, Verizon: Our Spy Capabilities Would ‘Shock’, ‘Confuse’ Consumers". Wired News. http://www.wired.com/threatlevel/2009/12/wiretap-prices/. Retrieved 2010-05-15. 
  19. ^ Zetter, Kim (2009-12-04). "Yahoo Issues Takedown Notice for Spying Price List". Wired News. http://www.wired.com/threatlevel/2009/12/yahoo-spy-prices/. Retrieved 2010-05-15. 
  20. ^ Soghoian, Christopher (2009-06-16). "An open letter to Google's CEO, Eric Schmidt". http://www.cloudprivacy.net/letter. Retrieved 2009-06-20. 
  21. ^ Helft, Miguel (2009-06-16). "Gmail to Get More Protection From Snoops". The New York Times – Bits Blog. http://bits.blogs.nytimes.com/2009/06/16/gmail-to-get-more-protection-from-snoops/. Retrieved 2009-06-20. 
  22. ^ Schillace, Sam (2010-01-12). "Default HTTPS Access For Gmail". The Official Gmail Blog. http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html. Retrieved 2010-05-15. 
  23. ^ Eustace, Alan (2010-05-14). "WiFi data collection: An update". The Official Google Blog. http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html. Retrieved 2010-05-15. 
  24. ^ Fathi, Nazila (2010-02-10). "Iran Disrupts Internet Service Ahead of Protests". The New York Times. http://www.nytimes.com/2010/02/11/world/middleeast/11tehran.html. Retrieved 2010-05-15. 
  25. ^ Soghoian, Christopher (2007-02-13). "TSA has outsourced the TSA Traveler Identity Verification Program?". Slight paranoia. http://paranoia.dubfire.net/2007/02/tsa-has-outsourced-tsa-traveler.html. Retrieved 2007-06-16. 
  26. ^ Singel, Ryan (2007-02-14). "Homeland Security Website Hacked by Phishers? 15 Signs Say Yes". Threat Level – Wired News. http://blog.wired.com/27bstroke6/2007/02/homeland_securi.html. Retrieved 2007-06-16. 
  27. ^ Waxman, Henry (2007-02-23). "Letter Requesting Documents from TSA: Oversight Committee Requests Information on TSA Traveler Identity Verification Website". House Committee on Oversight and Government Reform. Archived from the original on 2007-03-28. http://web.archive.org/web/20070328233646/http://oversight.house.gov/Documents/20070223122534-10589.pdf. Retrieved 2007-06-16. 
  28. ^ "Background on Committee Report Regarding TSA's Redress Web Site". Transportation Security Administration. 2008-01-11. http://www.tsa.dhs.gov/press/happenings/tsa_site.shtm. Retrieved 2008-03-05. 
  29. ^ Singel, Ryan (2008-01-11). "Vulnerable TSA Website Exposed by Threat Level Leads to Cronyism Charge". Wired News. http://blog.wired.com/27bstroke6/2008/01/cronyism-led-to.html. Retrieved 2008-03-05. 
  30. ^ "Chairman Waxman Releases Report on Information Security Breach at TSA's Traveler Redress Website". United States House Committee on Oversight and Government Reform. 2008-01-11. Archived from the original on 2008-01-31. http://web.archive.org/web/20080131042333/http://oversight.house.gov/story.asp?ID=1680. Retrieved 2008-03-05. 
