When did it become acceptable to arrest the (proverbial) little boy that declared the emperor has no clothes? I must have missed that memo, but that’s exactly what’s been happening recently. I just can’t imagine a more short-sighted, simple-minded course of action.

There are examples aplenty, but the most recent one I saw happened last month when a university student demonstrated how easy it is to print fake (but real-looking) airline boarding passes. The spoofed passes proved to be quite adequate at defeating the first tier of airport security, although not sufficient to actually board an aircraft—at least not in theory.


Sure enough, shortly after the site was made public, the student’s home was raided, his computer equipment seized, and he was charged with criminal activities.

Don’t get me wrong, as one who spends a fair amount of time on airplanes, I’m all for good security in the process. I also think that the way that the student demonstrated his work showed remarkably poor judgment. And I’m not qualified or adequately informed on the facts to say whether he actually broke any laws.

But what I’m trying to say is that throwing this kid into jail does absolutely nothing to fix an egregiously flawed security system. Come on, who among us security folk ever thought that the airlines had come up with some magic printing algorithm that was somehow immune to a simple spoofing attack? The mere thought is laughable.

In our realm of information security, we’d be appalled to see a simple system like this used in any sort of production data processing—particularly when lives are literally at risk. We’d insist on much stronger identification and authentication in the process, right? Of course we would.

We’d consider anything less to be downright negligent, but that’s exactly what is deployed at our airports. The first-tier security people do nothing more than ensure the names on our printed boarding passes match the names on our drivers’ licenses and that the photos match our faces. That’s identification, not authentication.
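To make the identification-versus-authentication distinction concrete, here is an added illustration (not code from the column or from any airline system) of what "authenticating the document" would mean in practice: the issuer puts a keyed MAC over the boarding pass fields, and the checkpoint recomputes it before looking at anyone's driver's license. The airline key, the field set and the sample passes are all constructed for the example.

```python
import hmac
import hashlib
import json

# Hypothetical issuer signing key. In a real deployment it would live in an
# HSM or key-management service and never on a kiosk or a passenger printout.
AIRLINE_KEY = b"example-airline-signing-key-not-real"

# The fields the checkpoint cares about; a MAC covers all of them together.
PASS_FIELDS = ("passenger", "flight", "date", "seat", "pnr")


def canonical(pass_data):
    """Fixed field order and compact JSON so issuer and verifier MAC identical bytes."""
    subset = {k: pass_data[k] for k in PASS_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def issue_pass(pass_data, key=AIRLINE_KEY):
    """Issuer side: attach an HMAC-SHA256 tag over the canonical fields."""
    tag = hmac.new(key, canonical(pass_data), hashlib.sha256).hexdigest()
    return {**pass_data, "sig": tag}


def verify_pass(printed, key=AIRLINE_KEY):
    """Checkpoint side: return (ok, reason). Only a valid tag authenticates the document;
    matching the printed name to a photo ID is a separate identification step."""
    missing = [k for k in PASS_FIELDS if k not in printed]
    if missing:
        return False, "missing fields: " + ",".join(missing)
    if "sig" not in printed:
        return False, "no signature: nothing ties this printout to the issuer"
    expected = hmac.new(key, canonical(printed), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, printed["sig"]):
        return False, "signature mismatch: altered, or not issued by the airline"
    return True, "ok"


def demo():
    """Constructed sample: one genuine pass, one real-looking but unsigned copy,
    one genuine pass with the name changed after issue."""
    genuine = issue_pass({"passenger": "JANE DOE", "flight": "XY123",
                          "date": "2006-11-01", "seat": "12A", "pnr": "ABC123"})
    unsigned = {k: genuine[k] for k in PASS_FIELDS}      # looks identical on paper
    renamed = dict(genuine, passenger="JOHN ROE")        # fields edited, tag kept
    return {
        "genuine": verify_pass(genuine),
        "unsigned": verify_pass(unsigned),
        "renamed": verify_pass(renamed),
    }


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:9s} accepted={ok}  {reason}")
```

A symmetric MAC means every checkpoint that verifies passes also holds a key that can issue them; where verifiers are less trusted than the issuer, a public-key signature over the same canonical bytes keeps the issuing capability with the airline alone. Either way the tag only proves the document came from the issuer unaltered; the photo-ID check still has to establish that the person holding it is the named passenger.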

But it doesn’t stop there. We’ve all seen similar issues in our information security world. (Does the DMCA ring a bell?) We have near-endless examples of big companies bullying techies with the DMCA legal stick when the techies have tried to point out security weaknesses in the companies’ products to the public, when the real stick that should be applied is the “clue stick” for the companies.

Again, don’t misinterpret my meaning here—I’ve long been a fan of responsible disclosure of vulnerability information. Anything less hurts us all far more than it may help. But responsible disclosure is not mutually exclusive with inevitable disclosure. And the messenger certainly should not be shot (or jailed) for pointing out a product vendor’s mistakes.
