When did it become acceptable to arrest the (proverbial) little boy that declared the emperor has no clothes? I must have missed that memo, but that’s exactly what’s been happening recently. I just can’t imagine a more short-sighted, simple-minded course of action.
There are examples aplenty, but the most recent one I saw happened last month when a university student demonstrated how easy it is to print fake (but real-looking) airline boarding passes. The spoofed passes proved to be quite adequate at defeating the first tier of airport security, although not sufficient to actually board an aircraft—at least not in theory.
Sure enough, shortly after the site was made public, the student’s home was raided, his computer equipment seized, and he was charged with criminal activities.
Don’t get me wrong, as one who spends a fair amount of time on airplanes, I’m all for good security in the process. I also think that the way that the student demonstrated his work showed remarkably poor judgment. And I’m not qualified or adequately informed on the facts to say whether he actually broke any laws.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
But what I’m trying to say is that throwing this kid into jail does absolutely nothing to fix an egregiously flawed security system. Come on, who among us security folk ever thought that the airlines had come up with some magic printing algorithm that was somehow immune to a simple spoofing attack? The mere thought is laughable.
In our realm of information security, we’d be appalled to see a simple system like this used in any sort of production data processing—particularly when lives are literally at risk. We’d insist on much stronger identification and authentication in the process, right? Of course we would.
We’d consider anything less to be downright negligent, but that’s exactly what is deployed at our airports. The first tier security people do nothing more than ensure the names on our printed boarding passes match the names on our drivers’ licenses and that the photos match our faces. That’s identification, not authentication.
But it doesn’t stop there. We’ve all seen similar issues in our information security world. (Does DMCA ring a bell?) We have near endless examples of big companies bullying techies with the DMCA legal stick when the techies have tried to point out security weaknesses in the companies’ products to the public, when the real stick that should be applied is the “clue stick” for the companies.
Again, don’t misinterpret my meaning here—I’ve long been a fan of responsible disclosure of vulnerability information. Anything less hurts us all far more than it may help. But responsible disclosure is not mutually exclusive of inevitable disclosure. And the messenger certainly should not be shot (or jailed) for pointing out a product vendor’s mistakes.
Next page: Why Not Robust Software Engineering?
Wouldn’t it be nice if, instead of putting this college kid in jail, we actually fixed the underlying problems he pointed out in the passenger screening system? Perhaps that’s just too naïve an idea to survive in the real world, but it seems like a far more appropriate thing to do if you ask me.
|Recent Alignment Articles|
|Shaping Your Enterprise Privacy Management
'Tis the Season (To Get Scammed)
TSpam Bust: The Lessons of Yesmail
Pirated Vista, Office 2007 Already on The 'Net
And, using that as a cue, why shouldn’t we follow suit here in the information security world? Rather than criminalizing those that point out the bugs and flaws in our systems, let’s fix the problems.
We can even cite the transportation industry as a model in this regard. When accidents happen, tragic as they invariably are, the investigators study the accidents in minute detail and go to extreme measures to ensure that those same problems aren’t likely to happen again. Yes, I am well aware of what gets written about the vulnerabilities in our systems, but then why do we keep finding the same mistakes made over and over and over again? Why weren’t buffer overflow attacks eradicated after Morris’s 1988 Internet worm?
Sure, some problems are a lot more difficult than others to fix. Some require us to go back to the drawing board and do things the way we should have in the first place. That fact, all by itself, is a highly compelling argument to be made in favor of robust software security engineering, to be sure. (Don’t even get me started on that…)
But, no matter how we end up addressing the problem, let’s be sure to not forget it is the emperor’s fault for not wearing clothes, not the kid’s fault for simply pointing it out. That’s not such a tough principle, is it?