Interesting People mailing list archives

more on Web Site Lets Anyone Create Fake Boarding Passes


From: David Farber <dave () farber net>
Date: Wed, 1 Nov 2006 10:50:25 -0500



Begin forwarded message:

From: Rich Kulawiec <rsk () gsp org>
Date: November 1, 2006 10:25:07 AM EST
To: David Farber <dave () farber net>
Cc: EEkid () aol com, Dave Crocker <dcrocker () bbiw net>, Patrick Sinz <ps () ethiqa com>, Seth Breidbart <sethb () panix com>, Jim Huggins <jhuggins () kettering edu>, john kemp <john.kemp () mac com>, Richard Forno <rforno () infowarrior org>
Subject: Re: [IP] Web Site Lets Anyone Create Fake Boarding Passes


This incident is symbolic of a much larger problem.

Those who report security issues *should* expect:

        - prompt attention to the report from those responsible
        - candid admission that the report is accurate (and it
                often is *very* accurate)
        - unconditional public apology from those responsible
                (to customers, to the public, etc.)
        - immediate resignation or public firing of those
                responsible in especially egregious cases
                (e.g. ChoicePoint)
        - financial or other compensation to those affected where
                appropriate (e.g. ChoicePoint)
        - stop-gap/band-aid solutions deployed very quickly
        - long-term/solid solutions deployed in a timely manner
        - concurrent investigation of any similar issues in order
                to try to avoid similar problems
        - when necessary, sweeping changes in technology, policies,
                procedures, etc. to avoid a repeat
        - public expression of gratitude to reporter for their
                (nearly always unpaid) services

However, what those who report security issues *can* expect:

        - silence
        - denial, minimization, evasion, and propaganda
        - attacks on character, competence, motivation, etc.
        - attempts to silence reporter through intimidation and litigation
        - claims that the report, not the issue, is the real problem
        - legal and other threats (including criminal charges, raids
                by jack-booted thugs, spying/privacy invasion, etc.)
        - failure to tackle the substantive issue in any way: no
                short-term fix, no long-term development, no attempt
                to locate/repair similar problems
        - no repercussions for those responsible no matter what
        - use of report as excuse to advance own agenda
        - promotion of self-serving "responsible disclosure" nonsense
        - business as usual no matter what

I understand that nobody likes having their mistakes pointed out.
But there really is NO excuse for those equipped with immense human,
financial and organizational resources to be making the kinds of foolish
mistakes that we see on a depressingly/alarmingly regular basis.

Thus, the lesson here is: if you find a security problem, your best
course of action is NOT to quietly inform those responsible, because in
nearly all cases, nothing useful will happen.  Ever.  And you will be
tagged for close scrutiny and possible reprisal.

No, the best course of action is to loudly and anonymously publish the
problem on the Internet, since it's clear that the only -- and I mean the
ONLY -- way that it stands even a tiny chance of receiving the attention
that it requires is to pull the shorts of those responsible up over their
head and tie them in a knot.  And public humiliation actually seems to
work some of the time -- it certainly seems to work far better than any
other approach.

Is this a desirable situation?  Heck no.  But it is the situation that
those incompetent, lazy, stupid, cheap, and self-serving bureaucrats in
corporations and government have deliberately created.  It's the fault
of Microsoft and Cisco, DHS and DoD, and all the others who have failed
to behave in a minimally professional manner -- an essential component
of which is "admit your own mistakes".

---Rsk



Archives at: http://www.interesting-people.org/archives/interesting-people/
