Home page logo

interesting-people logo Interesting People mailing list archives

more on Web Site Lets Anyone Create Fake Boarding Passes
From: David Farber <dave () farber net>
Date: Wed, 1 Nov 2006 10:50:25 -0500

Begin forwarded message:

From: Rich Kulawiec <rsk () gsp org>
Date: November 1, 2006 10:25:07 AM EST
To: David Farber <dave () farber net>
Cc: EEkid () aol com, Dave Crocker <dcrocker () bbiw net>, Patrick Sinz <ps () ethiqa com>, Seth Breidbart <sethb () panix com>, Jim Huggins <jhuggins () kettering edu>, john kemp <john.kemp () mac com>, Richard Forno <rforno () infowarrior org>
Subject: Re: [IP] Web Site Lets Anyone Create Fake Boarding Passes

This incident is symbolic of a much larger problem.

Those who report security issues *should* expect:

        - prompt attention to the report from those responsible
        - candid admission that the report is accurate (and it
                often is *very* accurate)
        - unconditional public apology from those responsible
                (to customers, to the public, etc.)
        - immediate resignation or public firing of those
                responsible in especially egregious cases
                (e.g. ChoicePoint)
        - financial or other compensation to those affected where
                appropriate (e.g. ChoicePoint)
        - stop-gap/band-aid solutions deployed very quickly
        - long-term/solid solutions deployed in a timely manner
        - concurrent investigation of any similar issues in order
                to try to avoid similar problems
        - when necessary, sweeping changes in technology, policies,
                procedures, etc. to avoid a repeat
        - public expression of gratitude to reporter for their
                (nearly always unpaid) services

However, what those who report security issues *can* expect:

        - silence
        - denial, minimization, evasion, and propaganda
        - attacks on character, competence, motivation, etc.
        - attempts to silence reporter through intimidation and litigation
        - claims that the report, not the issue, is the real problem
        - legal and other threats (including criminal charges, raids
                by jack-booted thugs, spying/privacy invasion, etc.)
        - failure to tackle the substantive issue in any way: no
                short-term fix, no long-term development, no attempt
                to locate/repair similar problems
        - no repercussions for those responsible no matter what
        - use of report as excuse to advance own agenda
        - promotion of self-serving "responsible disclosure" nonsense
        - business as usual no matter what

I understand that nobody likes having their mistakes pointed out.
But there really is NO excuse for those equipped with immense human,
financial and organizational resources to be making the kinds of foolish
mistakes that we see on a depressingly/alarmingly regular basis.

Thus, the lesson here is: if you find a security problem, your best
course of action is NOT to quietly inform those responsible, because in
nearly all cases, nothing useful will happen.  Ever.  And you will be
tagged for close scrutiny and possible reprisal.

No, the best course of action is to loudly and anonymously publish the
problem on the Internet, since it's clear that the only -- and I mean the
ONLY -- way that it stands even a tiny chance of receiving the attention
that it requires is to pull the shorts of those responsible up over their
head and tie them in a knot.  And public humiliation actually seems to
work some of the time -- it certainly seems to work far better than any
other approach.

Is this a desirable situation?  Heck no.  But it is the situation that
those incompetent, lazy, stupid, cheap, and self-serving bureaucrats in
corporations and government have deliberately created.  It's the fault
of Microsoft and Cisco, DHS and DoD, and all the others who have failed
to behave in a minimally professional manner -- an essential component
of which is "admit your own mistakes".


You are subscribed as lists-ip () insecure org
To manage your subscription, go to

Archives at: http://www.interesting-people.org/archives/interesting-people/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]