Warning: Don't Say the King Has No Clothes
Rather than criminalizing those that point out the bugs and flaws in our systems, let's fix the problems.
There are examples aplenty, but the most recent one I saw happened last month when a university student demonstrated how easy it is to print fake (but real-looking) airline boarding passes. The spoofed passes proved to be quite adequate at defeating the first tier of airport security, although not sufficient to actually board an aircraft, at least not in theory.
Sure enough, shortly after the site was made public, the student's home was raided, his computer equipment seized, and he was charged with criminal activities.
Don't get me wrong, as one who spends a fair amount of time on airplanes, I'm all for good security in the process. I also think that the way that the student demonstrated his work showed remarkably poor judgment. And I'm not qualified or adequately informed on the facts to say whether he actually broke any laws.
But what I'm trying to say is that throwing this kid into jail does absolutely nothing to fix an egregiously flawed security system. Come on, who among us security folk ever thought that the airlines had come up with some magic printing algorithm that was somehow immune to a simple spoofing attack? The mere thought is laughable.
In our realm of information security, we'd be appalled to see a simple system like this used in any sort of production data processing, particularly when lives are literally at risk. We'd insist on much stronger identification and authentication in the process, right? Of course we would.
We'd consider anything less to be downright negligent, but that's exactly what is deployed at our airports. The first tier security people do nothing more than ensure the names on our printed boarding passes match the names on our driver's licenses and that the photos match our faces. That's identification, not authentication.
But it doesn't stop there. We've all seen similar issues in our information security world. (Does DMCA ring a bell?) We have near endless examples of big companies bullying techies with the DMCA legal stick when the techies have tried to point out security weaknesses in the companies' products to the public, when the real stick that should be applied is the clue stick for the companies.
Again, don't misinterpret my meaning here. I've long been a fan of responsible disclosure of vulnerability information. Anything less hurts us all far more than it may help. But responsible disclosure is not mutually exclusive of inevitable disclosure. And the messenger certainly should not be shot (or jailed) for pointing out a product vendor's mistakes.