Long but very good read, funny!!!!
The Pest Who Shames Companies Into Fixing Security Flaws
By Mike Kessler November 23, 2011 | 3:33 am | Wired December 2011
Christopher Soghoian likes to find security flaws, and then shame big
organizations into fixing them.
Photo: Graeme Mitchell
Every Christopher Soghoian production follows a similar pattern, a
series of orchestrated events that lead to the public shaming of a
large entity - Google, Facebook, the federal government - over
transgressions that the 30-year-old technologist sees as unacceptable
violations of privacy. Sometimes he discovers these security flaws by
accident, other times because someone has pissed him off, but mostly
because he's parked at his computer all day looking for security
When he finds one, Soghoian, a PhD candidate in computer science at
Indiana University Bloomington, learns everything he can about it and
devises what he sees as a viable solution. Then he alerts the
offending party and gives them a chance to fix things, explaining that
if they don't, he'll go public with his discovery. (OK, sometimes he
skips the give-them-a-chance step.) When the inevitable wave of media
coverage starts breaking, Soghoian is often the first expert that
reporters turn to for sound bites - about stories he has effectively
handed them. In the end, the security holes get patched, and Soghoian
gets more notoriety and more work. He's vertically integrated.
`If Chris Soghoian points out a technology-related privacy problem,
then it should probably be taken seriously,' says Marcia Hofmann, a
senior staff attorney at San Francisco-based Electronic Frontier
Foundation, which tackles free speech and privacy issues. `Nobody else
is doing what Chris does - at least not at his level.'
Consider Gmail. Everything you send and receive through Google's email
servers is automatically encrypted using secure sockets layer, or SSL,
which is indicated by the letters https at the beginning of a Gmail
URL. It wasn't always so. Google used to keep SSL off by default; it
can slow things down a bit. It was left to users to figure out how to
opt in for extra security.
Soghoian interned at Google in the summer of 2006 and says that, like
many Google employees, he was issued an encrypted laptop. He found it
unacceptable that the company wasn't offering the same level of
protection to the public. So three years later, when a fellowship at
Harvard's Berkman Center for Internet & Society gave him access to
free legal counsel and contacts to numerous tech-world leaders, he
persuaded 36 of them, including Ronald Rivest (the R in RSA encryption
algorithm) to sign an open letter urging Google to make SSL the
default. He sent the letter to reporters and to then Google CEO Eric
Soghoian won't claim direct credit, and Google won't give it (or deny
it). But hours after the letter was published, Google changed its
position, claiming that it had been planning to make SSL the default
for Gmail. Seven months later, it did so. `All of the privacy lawyers
at the big Internet companies now have Chris on their radar,' says
Caspar Bowden, a former Microsoft exec who recently moderated a panel
on privacy organized by Soghoian. `He has a natural talent for
bringing issues to a head, making real changes to corporate and
government policies, and communicating the issues to the wider public.
Organizations will probably feel bruised by the encounter but will
realize in time they have been moved to a better place. Few people can
do that, and Chris is a rare example of a genuinely strategic
The impression that Soghoian is trying to become a Ralph Nader for the
Internet age is only strengthened by his personal style - rumpled,
alternately charming and grumpy, as righteous as he is intelligent.
He's notoriously frugal; he bikes everywhere, and he lives in a
basement room of a Washington, DC, house he shares with four
And he talks. A lot. With a slight British accent - the product of a
childhood spent in London - he speaks in 1,000-word bursts with nary a
like, y'know, or pause. Whether he's talking to staffers on the Hill,
presenting at conferences, or giving interviews, he's direct,
confident, focused, and unwavering. `I can walk into a room and
explain how a cookie works or how geolocation tracking works or how
encryption works or why data retention is a bad idea,' he says. `This
is what I'm good at.'
Soghoian was born in San Francisco in 1981, his mother a social worker
and his father a jazz musician and computer engineer. When Soghoian
was a year old, the family moved to London, where his father had a job
as a computer engineer.
He has been using computers for as long as he can remember. When
Soghoian was 11, he persuaded his headmaster to sign paperwork that
let him head over to King's College London computer lab, where he used
email, jumped into Usenet groups, and explored the nascent World Wide
Web. As a teen, he took evening classes in computer science at a
community college. He finished high school at 16 and went to James
Madison University in Virginia to study computer science. There he
talked his way into a few graduate-level security classes, which
piqued his interest in the field.
In 2006, Soghoian enrolled in the PhD program at Indiana University
Bloomington's School of Informatics and Computing. During the late
summer of that year, the 25-year-old was en route to Indianapolis from
that most public of venues, the Burning Man festival in Nevada, when
privacy became a much more personal issue. At the airport in Reno,
Transportation Security Administration agents told him he couldn't
take his Middle Eastern lunch through security. He wrote about it on
his security-themed blog, Slight Paranoia.
Them: You can't take these on board. They're liquids.
Me: No. They're solid foods. The hummous is more of a paste than a liquid.
Them: You can't take it through.
Me: I realize that hummous and Al Qaeda come from the same part of the
world, but, well, so does algebra.
Soghoian was pulled aside for a thorough search.
Once he got back to Bloomington, Soghoian set about exposing what he
saw as the absurdity of TSA procedures. He devoured papers on airline
security, looking for loopholes and back doors. Then he realized he
could make his point simply by altering a Northwest Airlines eticket
he had on his PC from a recent flight. The October 18 blog post he
wrote about it, titled `Paging Osama, please meet your party at the
information desk,' explained how to bypass the FBI's no-fly list in 10
Over the past five years, the technology activist has delighted in
publicizing the questionable practices of powerful organizations.
In October 2006, Soghoian revealed a TSA security breach by publishing
a method for printing fake boarding passes, which earned him an FBI
apartment raid. The TSA began to close the loophole the following
In 2009, he created TACO, a security plug-in for Firefox that enables
users to opt out of targeted advertising.
Soghoian published an open letter to Google, in June 2009, calling for
automatic encryption for Gmail users. Seven months later, Google made
encryption the default. The following year, he filed an FTC complaint
against the company for providing search info to third parties.
While working for the FTC in the fall of 2009, Soghoian secretly
recorded a Sprint Nextel executive admitting that his company gave
user data to law enforcement some 8 million times in one year. The
recording was featured on The Colbert Report (punch line: `Can you
hear me hear you now?'). The following year, a Ninth Circuit Court
judge cited the Sprint recording in a decision about how Fourth
Amendment protections relate to GPS tracking.
In December 2009, Soghoian released a list of the prices companies
charge the government for handing over private data. This past July,
he went on NPR to explain phone spoofing and voicemail hacking. He
later appeared on CBS Evening News and demonstrated the technique by
breaking into his own voicemail.
Soghoian coauthored a paper, published in March, that explains how
governments are able to spy on allegedly secure websites; for example,
a federal agency could use a surveillance device from the likes of
Arizona-based Packet Forensics to route around encryption software.
In April, he blogged about Dropbox's backdoor access to user data. Two
days later, Dropbox clarifies its terms of service.
He helped expose Facebook as the unnamed entity behind a PR campaign
In June, Soghoian persuaded AT&T to require passwords for user
voicemail accessed from their own phones.
`TSA doesn't have access to the Airline's computer systems,' he wrote.
`Thus, they have no real way of knowing if a boarding pass is real or
not. All they can do is verify that the name on the piece of paper
(which may or may not be a boarding pass) matches the ID they have
been given.' In other words, if you were on the no-fly list, all you
had to do was buy an eticket under a fake name and save it as HTML.
You could then go into the HTML code and replace the fake name with
your real one, print the ticket, and present it and your ID at
security, which has no computers to check the no-fly list or confirm
that the name on the ticket matches airline records. At the gate,
where ID is not required, you could use your original boarding pass
with the fake name, which, when scanned, wouldn't come up as a
Soghoian spread the word to the media - including Wired.com - and the
workaround quickly made headlines. On October 27, US representative Ed
Markey, a Massachusetts Democrat who was then a senior member of the
House Committee on Homeland Security, called for the arrest of whoever
was responsible. When the FBI showed up, Soghoian asked the agents to
wait a moment, went to his computer, and posted a quick note to his
blog - 'FBI are at the door. Off to chat.' - then told them to come back
with a warrant. They did. `Having my own computer seized by the FBI
turned what had been an academic interest in privacy into something
that directly impacted my life,' Soghoian says. `I saw firsthand how a
massive government agency can, in my opinion, abuse its power to go
after a critic of government policies. That one experience made it
very easy to see the government as an adversary, against which I
continue to fight.'
But Soghoian is not against fighting from within the system. Once
Markey realized the perpetrator was a grad student who studied
security, he backed down and even suggested that the Department of
Homeland Security give Soghoian a job `showing public officials how
easily our security can be compromised.' DHS passed, but three years
later, the Federal Trade Commission's Division of Privacy and Identity
Protection recruited Soghoian as a staff technologist. `They didn't
have anyone doing this,' Soghoian says. `That's the equivalent of the
EPA not having any environmental scientists on staff.'
His first act at the FTC was to refuse to submit to the required
background check. `I shouldn't have to sacrifice my own privacy to
protect consumers,' he says. The FTC brought him in anyway to, in his
words, `add technical weight to their privacy-enforcement team and to
help them find new cases.' Emboldened by his new position, Soghoian
attended the October 2009 Intelligence Support Systems World
conference, a sort of South by Southwest for security wonks - cops,
intelligence-gathering experts, surveillance-tech vendors, and telecom
brass who gather to discuss everything from the Patriot Act to the
latest spyware. It's known informally as the Wiretapper's Ball.
When Soghoian's contract came up in August 2010, the FTC chose not to
renew it. Soghoian claims his boss's boss told him the conference
stunt was the reason. (The FTC wouldn't confirm this.)
Regardless, Soghoian says going to the conference was worth it. `I
shaved for the first time in several years and put on a cheap suit,'
he says. `I felt like a secret agent, infiltrating the enemy's HQ. It
was easily the most creepy yet exciting place I've ever been.'
After leaving the FTC, Soghoian went back to living off his savings, a
graduate stipend, and income from a fellowship and consulting work.
And he has found plenty of opportunities to continue his privacy
crusade. He files up to four Freedom of Information Act requests each
week, an arcane task that he says delights him, and he has an ongoing
suit against the Department of Justice for its refusal to hand over
600 pages of documents related to the FBI's use of GPS tracking.
Last spring, he and some friends discovered a flaw in the privacy
policy of Dropbox, the cloud service that allows users to sync files
across multiple devices. The company failed to disclose that it had a
back door into that data. Soghoian wrote a blog post about the flaw.
`The response from the tech community and paying users was instant and
disclosing its access to data stored on its servers. (The company
declined to comment for this article.)
A few weeks later, he received an email from an employee at the PR
giant Burson-Marsteller offering to help him write and publish a smear
unnamed client. Soghoian refused. Instead, he posted the exchange
online and tweeted about it. The media picked it up, and Dan Lyons of
The Daily Beast determined that the client was Facebook, which quickly
found itself engulfed in a storm of bad publicity.
In June, Soghoian persuaded AT&T to require customers to always enter
a password to access voicemail, a policy that leaves users less
vulnerable to phone hacking. He has been pressing T-Mobile and Sprint
to do the same. After the Murdoch empire's News of the World phone
scandal blew up last summer, Soghoian appeared on NPR, explaining how
phone-spoofing technology allowed reporters to access voicemail
illegally. The next night, he broke into his own voicemail on the CBS
Evening News in front of 5.5 million viewers.
Soghoian's financial situation improved in August when he began a
George Soros Open Society Foundations fellowship, which gives him a
high-five-figure stipend and a research assistant. His fellowship
project is a website called PrivacyReports.org, which will grade
telecom and ISP privacy practices for the layperson. Search engines,
email providers, cell phone companies, online backup services - Soghoian
will break down each company's level of security and privacy
protections. `Visitors will be able to know how long providers are
retaining their text messages and whether they provide law enforcement
easy access to your location data,' he says. `People have a right to
know what companies aren't telling them. My hope is that after a year,
once I have the data up and it's proving to be useful, I can give it
to the ACLU or someone like that to run.'
And then? Soghoian says that under the right circumstances he'd
consider another government job - ideally for the Privacy and Civil
Liberties Oversight Board, which advises the White House on matters of
individual privacy. It has been inactive since 2008. `I don't want
security clearance,' he says. `I don't need a staff. I just want to be
an ombudsman, with an office and letterhead and access to lawyers and
a fax machine. I know it'll never happen. They're not going to want
someone who has a track record of speaking truth to power using their
soapbox to point out their flaws. But that would be an ideal gig.'
Mike Kessler (@mikeskessler) is a freelance writer in Los Angeles.
This is his first piece for Wired.
The Pest Who Shames Companies Into Fixing Security Flaws
No replies to this topic
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users