
Student Who Breached Airport Security To Be Charged

 
 
Butrflynet
 
  1  
Reply Mon 20 Oct, 2003 06:22 pm
How does this case compare with the ABC News reporters who did the test case for smuggling dirty plutonium through the ports of call?

It sounds like they both used similar procedures in their tests. Should both cases be treated the same?
0 Replies
 
Tartarin
 
  1  
Reply Mon 20 Oct, 2003 09:45 pm
Good point, Butrfly. I'd forgotten that earlier story...
0 Replies
 
cicerone imposter
 
  1  
Reply Mon 20 Oct, 2003 11:00 pm
I have mixed feelings about this incident. On the one hand, he proved that airline security was not all it was cracked up to be after spending billions. On the other, this kid cost the airline industry millions of dollars at a time when our economy doesn't need any handicaps, and delays for thousands of passengers on business and leisure travel. Some probably going to their family or loved one's wedding or funeral. Not an easy one to answer, but I think he needs to pay some fine to discourage others from the same "prank" whether it's for testing airport security or not. We don't need any more false alarms on terrorist alerts in our lives.
0 Replies
 
Butrflynet
 
  1  
Reply Mon 20 Oct, 2003 11:47 pm
Is he any different than the "whistle blowers" who expose problems in corporations and government operations?
0 Replies
 
cicerone imposter
 
  1  
Reply Tue 21 Oct, 2003 12:14 am
Do whistle blowers inconvenience thousands of passengers, and cost millions for airlines that had nothing to do with the security breach?
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 21 Oct, 2003 12:24 am
Butrflynet wrote:
Is he any different than the "whistle blowers" who expose problems in corporations and government operations?


Depends, like I said, there is a big difference between probing vulnerabilities responsibly and probing vulnerabilities irresponsibly.

Would you like to have your home probed for vulnerabilities without your knowledge?
0 Replies
 
roger
 
  1  
Reply Tue 21 Oct, 2003 12:27 am
Recognizing that the main point is security hoaxes, does anybody know what a box cutter really is? It's one of those little utility knives with a replaceable blade that extends maybe 3/4 inch. What the TSA is calling a box knife includes those dinky little keychain knives that seem to multiply at checkout counters of places like Home Depot. It's only a weapon in the hands of someone who needs no weapon in the first place. This is the same agency that classifies a butane lighter as an incendiary device, for crying out loud.

Sorry for the digression. To the main point, what the kid did was illegal, but not especially dangerous. Yes, punishment, even confinement, is in order. He broke the law and caused financial loss to airlines and passengers. The prank, if that's what we decide to call it, is exactly on a par with deliberately spreading a computer virus.
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 21 Oct, 2003 12:58 am
Awesome, someone else picked up on hackers' self-proclaimed role of security consultants for us all, enlightening us to vulnerabilities by exploiting them.

What the kid did was not a victimless crime, he could have accomplished the same thing without causing any financial loss.

To further the computer virus analogy take the last big one that many here were infected by.

The RPC vulnerability was discovered and reported responsibly to Microsoft, the hackers who found it deemed it too dangerous of an exploit to release source code for and submitted it to Microsoft so that a fix was prepared before the code was released. The fix was in place but other hackers got their hands on the source code and an automated exploit in the form of a virus was inevitable. The black hat hackers released the virus and enlightened quite a few here that their computers were vulnerable. By fine tuning the viruses (one guy said "I don't like broken exploits so I fixed (and posted online) it" when he modified the virus to be able to infect more computers) and releasing them to the public they made a forceful point that many home users had a remote procedure call vulnerability that made a mockery of their security measures but did so in an irresponsible way.
0 Replies
 
farmerman
 
  1  
Reply Tue 21 Oct, 2003 06:02 am
I do not agree that the kid should do time for this. He should be tasked with public service as a punishment. When our system is always driven by a realization of something's "legal implications" then forward motion is stopped. Security probing by the rules is a joke. I've been part of security probes at National labs for DOE. They do everything but announce the probe. Same thing with Homeland Inc. It's invested with so much political capital so the agency won't "fail" that it too is kind of a joke.
I think we're gonna need some kids like this to keep Homeland Inc on its toes.
As far as probing my house, it can already be done with a writ of "reasonable suspicion"; anyone else, it's called "breaking and entering".
My home isn't a public conveyance with a stated purpose of trust, like "keep me alive while I fly". The rules, for me, seem to disappear when the job isn't being done. To that point, we all seem to stipulate. No one has denied that what the kid did was to define a huge gaping hole in security. He did it at great personal risk because he acted as a vigilante. Sometimes we need vigilantes.
I still say, I'd love to be on his defense team because no one wants to try this in an election year. The admin's gonna look silly and vindictive and the point that Homeland Inc wants made will be lost in the op-eds.
Course, we'll see, won't we?
0 Replies
 
Thomas
 
  1  
Reply Tue 21 Oct, 2003 06:09 am
After September 11, US authorities have introduced a lot of placebo measures that restrict civil rights without improving national security. These measures only generate the facade of security to calm people down. Security experts and civil rights activists have long ago started to question the wisdom of these measures, and tried to argue the point in a nice, discursive way. Result: they were frequently ignored or even denounced as lacking patriotism. (Computer enthusiasts may notice a parallel with Microsoft's paranoia when they failed to acknowledge serious bugs in their software until white-hat hackers published exploits of them on the internet.)

At this point, there was no other way to expose the hollowness of America's Potemkin security facade, and I applaud the student for his courage to follow through with it. Yes, some managers will be embarrassed. Some pompous fakes at the department of homeland security will receive a flush of cold water on their heads. But it will ultimately serve to make America more secure. (Computer enthusiasts may notice the parallel with the IETF / Open Source communities. Full disclosure is the main reason why Linux is a lot more secure than any version of Windows.)

I hope this unnamed will not go to jail. But if he does, he deserves a medal of honor when he comes out.
0 Replies
 
Thomas
 
  1  
Reply Tue 21 Oct, 2003 06:27 am
I wrote my last response after answering the poll, but before I read the rest of the thread. (My answer was "Nothing", btw) Having read up now, I now realize that Craven has already addressed the hacker parallel. But I think he chose the wrong precedent -- Microsoft's RPC bug -- to make his point.

As Craven said, when the Blaster worm exploited the RPC vulnerability, Microsoft had already published a patch for it. So the guy who set the worm loose made a point that didn't need making anymore. But in the case of homeland security, the appropriate parallel is what Microsoft did in the earlier days of the Web. People report security bugs to Microsoft. Microsoft ignores them. More people report the bug, Microsoft continues to stick its head in the sand. People get fed up, post descriptions of the bug online. Microsoft issues press release that there's no problem, and encourages the bearer of the bad news to shut up or face an encounter with their lawyers. Finally, someone posts an exploit (anonymously unless he's brain dead). Microsoft throws a fit about this illegal irresponsibility. But the bug gets fixed at last.

Substitute "Microsoft" for "Dept. of Homeland Security", and you have a pretty accurate description of recent events.
0 Replies
 
Tartarin
 
  1  
Reply Tue 21 Oct, 2003 06:30 am
I think we don't like the truth. Someone who comes along and demonstrates the truth tends to earn anger, not appreciation. Much later, after someone has suffered for discovering a truth, he may get a medal.... or after he's dead. Could we maybe change this?
0 Replies
 
Wilso
 
  1  
Reply Tue 21 Oct, 2003 06:46 am
patiodog wrote:
Hmmm. Guess I feel a little differently. The most alarming thing to me was that what should have been a matter between airline security officials and this guy ended up all over the news. I couldn't figure out why they publicized this until the gf explained it: the airline(s) wanted to reassure their stockholders that the reason for the flight delays was not reason for them to jettison their holdings.

Was the kid arrogant? Sure. But it also makes the point to the airlines (at least I hope it does) that the money and time they're pouring into security (by which I mean, of course, the sense of security of the passengers, not their honest-to-god safety) is still being misallocated. This is the same tactic frequently employed by security agents themselves when they want to see if the system is working. If their objective is to prevent any potential weapon from getting on a plane -- which it appears to be, given my experiences at airports over the last couple of years -- they are not meeting that objective. And isn't the play-dough more alarming than the box cutters?



Maybe they should put a few more of the dollars into security instead of the pockets of the airline CEO's and executives.
0 Replies
 
Heeven
 
  1  
Reply Tue 21 Oct, 2003 06:53 am
The point this student was trying to make was clear to every American here already. We KNOW that airport and airline security is still badly lacking. We did not need anyone to jump up and down yelling it at the top of their voice while at the same time letting terrorists know that idiots like this are leaving potential weapons on various airlines ... if they'd like to use them!
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 21 Oct, 2003 07:05 am
Thomas wrote:

As Craven said, when the Blaster worm exploited the RPC vulnerability, Microsoft had already published a patch for it. So the guy who set the worm loose made a point that didn't need making anymore.


Odd thinking there. Just as there was a patch for the RPC exploit we know that boxcutters are dangerous. The blaster worm was illustrating a new method of loading code onto the user's machine, just as the kid is trying to illustrate that there are still ways to get box cutters on a plane.

If the ability to exploit is the measure by which you deem a point needs to be made then there is a distinct parallel.

Quote:
So the guy who set the worm loose made a point that didn't need making anymore. But in the case of homeland security, the appropriate parallel is what Microsoft did in the earlier days of the Web. People report security bugs to Microsoft. Microsoft ignores them. More people report the bug, Microsoft continues to stick its head in the sand. People get fed up, post descriptions of the bug online. Microsoft issues press release that there's no problem, and encourages the bearer of the bad news to shut up or face an encounter with their lawyers. Finally, someone posts an exploit (anonymously unless he's brain dead). Microsoft throws a fit about this illegal irresponsibility. But the bug gets fixed at last.


I think we live in different worlds. Can you please cite this? Bits and pieces are true (commercialware generally tends more toward security through obscurity than the open source community) but by and large the rest is unrecognizable from what I have followed closely (e.g. cite just ONE example of a reported exploit going unfixed and ignored by Microsoft till disclosure spurred a patch, just ONE).

The concept you are talking about is security through obscurity vs. full disclosure. But the way you reference it makes no sense (it's complete hogwash that MS relied exclusively on security through obscurity) and misses everything the computer security world has learned.

Have you heard of the concept of responsible disclosure as it relates to exploits? That's the middle ground.

You compare it to posting code, that's a flawed comparison. Posting code and executing an exploit are two different things. What the kid did was execute an exploit when posting the code would have done nicely.
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 21 Oct, 2003 07:41 am
To further the PC analogy:

There is an exploit in theory. Then there is "proof of concept". Lastly there is exploitation (both malicious and "benign").

As it relates to airport security the exploit would be to carry out the act, the proof of concept would be a controlled experiment, and the theory would be simply discussed or written about.

We all know that it's possible to exploit anything, I doubt that this kid's prank will improve security at all despite the feel-good David vs. Goliath aspect of the story.

Why was the actual exploit necessary? Why was the theory and proof of concept not enough?

In short, I can tell you that you need to patch your computer or I can show you by infecting it with a virus.

Which is more responsible? And if I tell you, and you don't immediately act on it does it mean your computer is fair game?

Airport security's limitations are in inconvenience and money. There is no way to achieve perfect security so it's a hit and miss game in which the security is limited by the inconvenience the passengers are willing to put up with and the cost of the measures in place.

To prove his "point" (more on this later) the kid both cost money and caused inconvenience.

I didn't vote in the poll because "throwing the book" at him is ludicrous and won't happen. But what excuse do his apologists give for the irresponsibility of exploiting when a theoretical exploit could have taught the same lesson?

And furthermore what exactly was the lesson? What WAS the point? You will hear lots of noise by politicians about how this needs to be learned from but I would like for someone to try to imagine exactly what we were supposed to have learned from the stunt.

We already knew it was still possible to get a box cutter on a plane. I hope that wasn't supposed to be the "point". If the kid had found a loophole, presenting a theoretical exploit or proof of concept in a controlled environment would have sufficed to teach us the lesson.

If he has not found anything special then he was illustrating that in the hit and miss world of security a miss is possible. And that's not news, there's no reason to waste the currency by which the security is paid for (money and inconvenience) to state the obvious.
0 Replies
 
Phoenix32890
 
  1  
Reply Tue 21 Oct, 2003 07:51 am
Craven- I agree with what you are saying. It was a stupid, irresponsible act. My concern is that this kid is going to be held up as an example. I think that to many people, the government got caught with its pants down.
I would like to see him chastised, and move on!
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 21 Oct, 2003 07:57 am
I doubt he'll get railroaded, but I have an interesting question.

Would exemplifying him increase security?

Note: Probing goes both ways, not all probing is benign.

I know people think of it like the government getting caught with their pants down but I think that's folkloric.
0 Replies
 
Phoenix32890
 
  1  
Reply Tue 21 Oct, 2003 07:59 am
Quote:
Would exemplifying him increase security?


No, but I think that the government might deal with him harshly in order to discourage others from pulling a similar stunt!
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 21 Oct, 2003 08:11 am
Well, I for one, hope that others are discouraged from doing the same. Others might not be as benevolent.

In any case I fully expect a slap on the wrist. Let's wait and see.
0 Replies
 
 
