I saw the story at Schneier on Security but the 27B Stroke 6 blog at Wired has the full details. The Wired coverage actually seems to have shown this was a gaffe committed by a design company, not an actual hack. However, this was a pretty bad mistake as it certainly has all the hallmarks of a phishing site. Has DHS/TSA never heard of staging servers? What sort of freaking QA, if any, do they have? This is a pretty crummy screw-up to commit, given how contentious a point the no-fly list is.