Student Who Breached Airport Security To Be Charged

 
 
Thomas
 
  1  
Reply Tue 21 Oct, 2003 08:14 am
Craven de Kere wrote:
Odd thinking there. Just as there was a patch for the RPC exploit we know that boxcutters are dangerous.

But what most people didn't know, and the authorities didn't want them to know, is that the problem hasn't been fixed. In spite of lots of officials striking a pose of doing so. In demonstrating how easy it still is to plant a boxcutter in an airplane, the student provided valuable information to the public which the authorities didn't want provided.

Craven de Kere wrote:
I think we live in different worlds. Can you please cite this? Bits and pieces are true (commercialware generally tends more toward security through obscurity than the open source community) but by and large the rest is unrecognizable from what I have followed closely (e.g. cite just ONE example of a reported exploit going unfixed and ignored by Microsoft till disclosure spurred a patch, just ONE).


I can do even better than that. In 2000, some people found out that Microsoft had intentionally planted a security hole into Front Page. The hole, which was intended as a backdoor for the NFS, had been in there for 4 years. It wasn't until white hat hackers disclosed the bug that Microsoft closed the hole.

This is not quite what you were asking for because it hadn't been necessary to actually post an exploit. But it goes to demonstrate the point I intended to make. Microsoft used to be terrible at handling bugs, and it wasn't the people exposing them who acted irresponsibly. It was the company itself. Your post tells me that maybe you weren't following the scene that closely in the nineties -- Microsoft has improved a lot this century. If so, you might find this Bill Gates interview instructive with regard to Microsoft's attitude to bugs. (Highlight: "There are no significant bugs in our released software that any significant number of users want fixed")
0 Replies
 
Thomas
 
  1  
Reply Tue 21 Oct, 2003 08:25 am
Craven de Kere wrote:
I didn't vote in the poll because "throwing the book" at him is ludicrous and won't happen. But what excuse do his apologists give for the irresponsibility of exploiting when a theoretical exploit could have taught the same lesson?

I don't have an excuse, just some kind of cost-benefit analysis. There are bugs in the national security system, the most severe being the people currently in charge of fixing them. These bugs will be discovered and exploited by someone. They could be terrorists, or they could be pranksters who like poking around and enjoy creating a stir. I prefer the latter scenario.

Another thing I believe is that harsh punishment will make it no harder for the terrorist to exploit weaknesses. If you intend to commit suicide anyway, why worry about the Feds throwing you in jail afterwards? On the other hand, punishment will make it harder for the good guys to make the system safer.
0 Replies
 
Phoenix32890
 
  1  
Reply Tue 21 Oct, 2003 08:30 am
Quote:
On the other hand, punishment will make it harder for the good guys to make the system safer.



Interesting point, Thomas!
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 21 Oct, 2003 09:41 am
Thomas wrote:

But what most people didn't know, and the authorities didn't want them to know, is that the problem hasn't been fixed. In spite of lots of officials striking a pose of doing so. In demonstrating how easy it still is to plant a boxcutter in an airplane, the student provided valuable information to the public which the authorities didn't want provided.


One of the dilemmas inherent to the whole thing is that the public really won't accept reality. That it's simply impossible to guarantee security. At the same time they want the economy to do well. Authorities are in the unenviable position of being responsible for spurring economic growth and keeping people's heads on.

Of course the "problem" hasn't been "fixed" and it never ever will be.

Quote:
I can do even better than that.


How is it better if it's not at all what we were talking about? You illustrate that Microsoft used to be worse at dealing with bugs. But I asked you to cite what you claimed, not something else that you were able to find.

Quote:
In 2000, some people found out that Microsoft had intentionally planted a security hole into Front Page.


It's misleading to claim that "Microsoft" intentionally did this, some employee did and "Microsoft" had absolutely no knowledge. Back then, even the open source activists didn't believe it was intentional.

Quote:
The hole, which was intended as a backdoor for the NFS, had been in there for 4 years. It wasn't until white hat hackers disclosed the bug that Microsoft closed the hole.


Yes, and it's important to remember that Microsoft was not aware of the hole. Only the saboteur(s) were. So this is not an example of what you claimed, that Microsoft deliberately ignored reports of exploits.

Quote:
This is not quite what you were asking for because it hadn't been necessary to actually post an exploit.


You are right, it's not at all what I was asking for. Not a single element of what you'd claimed and that I asked you to cite is contained in that example.

You claimed that Microsoft ignored reports of exploits till they were disclosed. I asked you to cite. So you cite a case in which Microsoft was sabotaged from within, then someone found out and Microsoft promptly fixed it as an example?

Saying it's not "quite" what I'd asked for (and note that all I was asking was for you to cite your own false claim) is a huge understatement.

Quote:
But it goes to demonstrate the point I intended to make. Microsoft used to be terrible at handling bugs, and it wasn't the people exposing them who acted irresponsibly. It was the company itself. Your post tells me that maybe you weren't following the scene that closely in the nineties -- Microsoft has improved a lot this century.


Well, you have altered your point. First it was that Microsoft ignored reports of exploits till hackers disclosed them (which is a lie) and now it's just that they were bad with bugs (no duh).

If your point was that the makers of the largest most complex software in the history of computing are the producers of the most bugs you are preaching to the converted. But you dodged the request for a citation to your claim entirely.

You claimed that Microsoft ignored reports of exploits. You have failed to cite ONE example of this, as I had requested. In any case, since I know you won't find anything to cite for your original claim I'd like to address the modified version.

Yes, white hat hackers responsibly help Microsoft fix holes all the time. But that is what I have been saying all along. White hat hackers practice responsible disclosure, and I am contending that this kid acted in the manner of a black hat hacker, a cracker, instead of a white hat hacker.
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 21 Oct, 2003 09:43 am
Thomas wrote:

Another thing I believe is that harsh punishment will make it no harder for the terrorist to exploit weaknesses. If you intend to commit suicide anyway, why worry about the Feds throwing you in jail afterwards?


Who said we were talking about terrorists? I'm talking about more idiotic pranks.

Quote:
On the other hand, punishment will make it harder for the good guys to make the system safer.


How will punishing a reckless prankster accomplish that?
0 Replies
 
blueveinedthrobber
 
  1  
Reply Tue 21 Oct, 2003 09:49 am
D'artagnan wrote:
I think he's a young idiot. What point did it serve to remind us how vulnerable we are when we fly and how easy it would be for terrorists to take over an aircraft?

I'm not saying he should be locked up and we throw away the key, but this exercise strikes me as the act of a young smart-ass. My only sympathy is based on the memory that I was one myself once...


well, since our government refuses to spend money to tighten up security, preferring instead to spend it in Iraq where GWB's supporters can continue to rack up profits....and since the bought and paid for news media downplays the threat on orders from the also bought and paid for head of the FCC.....I think it's a damn good idea for someone to keep it in the front of people's minds.......the fact that the debate is not about the laxness of security but whether or not this kid should go to jail only amplifies the fact that someone needs to be shouting from the rooftops that our priorities are misplaced
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 21 Oct, 2003 09:51 am
There's a difference between pants being down and people wanting them to be down...
0 Replies
 
blueveinedthrobber
 
  1  
Reply Tue 21 Oct, 2003 09:57 am
craven....truer words were never spoken........
0 Replies
 
Thomas
 
  1  
Reply Tue 21 Oct, 2003 10:54 am
Craven de Kere wrote:
It's misleading to claim that "Microsoft" intentionally did this, some employee did and "Microsoft" had absolutely no knowledge. Back then, even the open source activists didn't believe it was intentional.

Quote:
The hole, which was intended as a backdoor for the NFS, had been in there for 4 years. It wasn't until white hat hackers disclosed the bug that Microsoft closed the hole.


Yes, and it's important to remember that Microsoft was not aware of the hole.

As far as I am concerned, it's not important with regard to the subject of the thread, which is how big a problem pranksters are. It's perfectly possible that Microsoft had been ignorant rather than malicious about the gaping security hole in their software. For me as a user, what matters is that I was exposed to it for four years, and Microsoft didn't fix it before someone published it. The blame should be on Microsoft for leaving a security hole unfixed, not on the people exposing the hole.

Likewise, it is perfectly possible that the department of homeland security has tricked itself into thinking that their show of strength in their airports actually improved security. It is possible that they're not cynically spreading propaganda. But again, for me as a traveller, it doesn't matter. What matters is that the administration was ineffective at preventing another terrorist attack from happening the same way it happened on 9/11. Given that, it was high time somebody proved it was still a problem, thus giving the department (and the public) a much-needed wakeup-call.

Craven de Kere wrote:
Who said we were talking about terrorists? I'm talking about more idiotic pranks.

Please speak for yourself. You may not have been talking about terrorists, but I have. And I think my point continues to stand if you account for more idiotic pranks. If idiotic pranks can fool airport security, that's a symptom. The disease is that the Department of Homeland Security doesn't increase homeland security. And I prefer pranksters as symptoms of the disease if the alternative is another terrorist attack.

Craven de Kere wrote:
How will punishing a reckless prankster accomplish that?

Because reckless pranksters are good at finding security problems and publishing their results, as the topic of this thread demonstrates. As an unintended consequence, they provide valuable information to the security community and the public. Therefore I want a large population of reckless pranksters out there to discover problems before the terrorists do, because this is when the good guys can do something about them. By punishing pranksters too hard, this information will flow less abundantly, thus making the good guys' job harder.
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 21 Oct, 2003 11:36 am
Thomas wrote:

As far as I am concerned, it's not important with regard to the subject of the thread, which is how big a problem pranksters are. It's perfectly possible that Microsoft had been ignorant rather than malicious about the gaping security hole in their software. For me as a user, what matters is that I was exposed to it for four years, and Microsoft didn't fix it before someone published it. The blame should be on Microsoft for leaving a security hole unfixed, not on the people exposing the hole.


Sure, but that has nothing to do with what you claimed. You did not say that it's important to blame Microsoft for their security holes; you accused them of ignoring reports of these holes till people posted them. That is false.


Thomas wrote:

Please speak for yourself. You may not have been talking about terrorists, but I have. And I think my point continues to stand if you account for more idiotic pranks. If idiotic pranks can fool airport security, that's a symptom. The disease is that the Department of Homeland Security doesn't increase homeland security. And I prefer pranksters as symptoms of the disease if the alternative is another terrorist attack.


You seem to think this is a "disease" that can be cured. Like I said, it's hit and miss. The ability to thwart an attack rests in the funding and manpower those tasked with security receive. Pranks such as this drain both the funding and the manpower. To try to portray them as helpful toward security is a bit of a stretch, even more so when you consider that my contention is simply that the same thing can be accomplished through responsible methods.

Self-proclaimed whistle blowers need to practice responsible disclosure.

Furthermore it's not news that you can get a knife on a plane. US airlines will never have the type of security where it's impossible to bring a knife on a plane.

Thomas wrote:

Because reckless pranksters are good at finding security problems and publishing their results, as the topic of this thread demonstrates.


Bull. The kid succeeded in getting contraband on a plane. That's a pedestrian task. He has "illuminated" us to absolutely nothing.

Thomas wrote:
As an unintended consequence, they provide valuable information to the security community and the public.


You can call it valuable all you want but you have failed to even attempt to illustrate that it is so.

Thomas wrote:
Therefore I want a large population of reckless pranksters out there to discover problems before the terrorists do, because this is when the good guys can do something about them. By punishing pranksters too hard, this information will flow less abundantly, thus making the good guys' job harder.


Now you are just in the realm of the absurd, that would drain resources and make the airlines more vulnerable. You are making this more ludicrous by the second. I hope your dream of an army of pranksters lives and dies within your head.
0 Replies
 
patiodog
 
  1  
Reply Tue 21 Oct, 2003 11:44 am
Here's what's striking about this story: if the details hold up, security didn't just fail to catch this guy once -- it failed six times (though this is questionable, since only two are cited specifically). This is indicative not of an occasional failure of the system, but of complete inefficacy. And that wouldn't even bother me, except for the big show that's made about how these efforts work.

If 10% of such objects made it through inspections each time, the odds of him succeeding six consecutive times would be 1 in a million, which tells me that the likelihood of getting these purported weapons through security, at least at some airports, is much, much, much greater than 10%. That's worthy of note.

Really, I don't much care what happens to the kid. He knew the potential consequences, and when you perform civil disobedience you take the chance of suffering them. I'd let him walk if it was up to me, but that's not a big concern. What does bother me is that the threat of terrorism is one that continues to be used to subdue our population, and much of the security activity at airports seems to me to be designed to remind us that the threat is real and make us feel like the authorities are taking care of it. And they may be taking care of it, behind the scenes, but the gates are a joke. Hell, every time I fly Northwest Airlines through Detroit the only people pulled out of line to be searched are the elderly (who are easy to boss around) and attractive young women (who are fun to search). It's a joke, and I appreciate that someone's done something to help illustrate this.

As to the massive delays and lost revenue, I'd think the authorities have to shoulder some of that blame. Five weeks to forward this email to the FBI? Shame.
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 21 Oct, 2003 11:53 am
patiodog wrote:
every time I fly Northwest Airlines through Detroit the only people pulled out of line to be searched are the elderly (who are easy to boss around) and attractive young women (who are fun to search). It's a joke, and I appreciate that someone's done something to help illustrate this.


The majority of the checks that flag old people are due to a randomly generated system. This random element is one of the only statistical improvements to the system that was made.

Lots of people like to poke fun at the searching of old ladies, but since you seem to be interested in statistical probability you must cede that a completely aleatory system to complement the selective searches initiated by humans is a boon.

Quote:

As to the massive delays and lost revenue, I'd think the authorities have to shoulder some of that blame. Five weeks to forward this email to the FBI? Shame.


If the kid had acted responsibly this would not have happened. Other pranksters help make the response time for email "tips" so slow. He emailed it to an address that receives 5,700 such emails every day.

It is idiotic pranksters that made for the delay.
0 Replies
 
Thomas
 
  1  
Reply Tue 21 Oct, 2003 11:59 am
Okay, Craven. I have made my point as good as I can; I can't improve on it at the moment, and if that's not good enough for you, too bad. I see no point in getting repetitive just to have a cock fight with you. Enjoy your snide remarks. You can have the thread to yourself now.
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 21 Oct, 2003 12:00 pm
Thomas,

You operate under the illusion that you are not snide yourself. You do this a lot, discuss something, then throw a fit and take parting shots. It doesn't have to be "good enough" for me. You can disagree with me without the tantrum. We agree to disagree, such is life. You'll get over it soon.
0 Replies
 
Tartarin
 
  1  
Reply Tue 21 Oct, 2003 12:54 pm
Pretty patronizing, Craven!!
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 21 Oct, 2003 01:49 pm
I know, and I regretted it. But I don't think Thomas was very nice with his parting shots either.
0 Replies
 
blueveinedthrobber
 
  1  
Reply Tue 21 Oct, 2003 01:57 pm
You boys stop sniping at each other Craven, or lock your thread, one of the two. Do I have to separate you?
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 21 Oct, 2003 02:04 pm
Just for the record I really like discussing things with Thomas. He articulates things well and I generally agree with him. But any time I am discussing something I like people to put the pressure on and not give me any breaks. That's the way I learn and I guess I do it to others as well (which is sometimes not appreciated).

Thomas was almost at a point in which we would have found common ground (on a more vague "sometimes drastic measures are needed to raise awareness" type of argument) and I was not angry at him at all and had no intention of a "cock fight".

I was having an interesting conversation with one of few people on this board who could take the computing security analogies all the way with me.

That he didn't want to continue the discussion is no biggie but this is the second time he has done this by not just deciding not to pursue it but deciding to get a few parting insults in.

It was a surprise last time and a surprise this time but I guess now the next time won't come as a surprise.
0 Replies
 
rufio
 
  1  
Reply Tue 21 Oct, 2003 03:03 pm
I said nothing, but I change my vote. He should be made to work for airport security.
0 Replies
 
blueveinedthrobber
 
  1  
Reply Tue 21 Oct, 2003 03:39 pm
I am shocked at how this conversation is about what should be done to this boy instead of what should be done to repair the security system that allowed 9/11.

On our present course...we are doomed.
0 Replies
 
 
