Interesting People mailing list archives

So let's see how far one wants to go in informing the public of a problem


From: David Farber <dave () farber net>
Date: Tue, 31 Oct 2006 10:25:58 -0500

I am getting tired of the statement -- he did us a favor by publicizing it. The favor one can do is to find a reasonable cure. What would be your reactions if some person demonstrated the vulnerability of the internet by crashing it, the serious impact of viruses on Windows, the serious weakness of our port security by actually smuggling in a WMD? Mature researchers don't do this, they talk to the public, newspapers etc.

The statement that the Government should hire the person is just one more indication that the Hill does not understand technology at all. Maybe there should be a special GSA rating for virus creators etc.

Dave

Begin forwarded message:

From: Richard Forno <rforno () infowarrior org>
Date: October 31, 2006 10:11:20 AM EST
To: Dave Farber <dave () farber net>
Subject: Re: [IP] more on Web Site Lets Anyone Create Fake Boarding Passes


I think the question really comes down to the emperor being peeved that the public was told he had no clothes by someone "outside the system."

While the outcome may be the same, I think there's a different sense of "anger" when you present such a finding (or demo, even) in a conference or semi-restricted venue as opposed to just making it available to EVERYONE on the net. And, of course, saying the same thing sans an "OMG it works!" demo on Capitol Hill seems to be perfectly acceptable. Hypocritical, yes.

Security-wise, this is nothing more than a public secret blown horribly out of proportion. I've been on many airport lines where folks asked the same thing that this student does, and questioning the utility/real security benefit presented. Just because it was publicized on the Internet doesn't mean aviation security is undermined -- if Joe Sixpack notices and discusses something, it's a good bet that Billy BadGuy probably does, too. And given how the travelling public is treated these days, they notice LOTS of little things standing on endless lines and/or having to scrutinize all kinds of shifting - and often nonsensical - security restrictions.

Frankly I think the greater problem isn't the actual "demonstration" but rather the uninformed, emotional knee-jerk reaction made by folks in Washington whose first reaction is to accuse/punish the messenger whilst concurrently running around waving their hands about how the sky is falling because someone clearly showed what many in the travelling public have witnessed and question for years. While emotions run high on vulnerability disclosure, I'd posit such is a useful demonstration of civic participation in an attempt to implement REAL security and hold those charged with it accountable for failing their tasks.

The emperor doesn't like accountability.  Or being told he's naked.

-rick
Infowarrior.org





On 10/31/06 9:44 AM, "David Farber" <dave () farber net> wrote:

When will our Senators understand ANYTHING


Begin forwarded message:

From: Jim Huggins <jhuggins () kettering edu>
Date: October 30, 2006 9:04:22 PM EST
To: David Farber <dave () farber net>
Cc: Ip ip <ip () v2 listbox com>
Subject: Re: more on Web Site Lets Anyone Create Fake Boarding Passes

On Sun, 29 Oct 2006, David Farber wrote (in part):

I do seriously question the ethics and maturity of someone who
demonstrates what is well understood just for the sake of it all.

I guess I'm not convinced that the boarding-pass loophole is actually well understood ... at least, by those with the authority to change things.

As evidence, I cite the reaction of Congressman Edward Markey (D-Mass), member of the House Homeland Security committee, who, after news of the website became widely known, called for the creator of the website to be arrested:

http://www.wired.com/news/technology/0,72023-0.html

And then, once it was explained to him that the creator only took a
previously-known attack and made it easier, called on the government to
*HIRE* him instead:

http://blog.wired.com/27bstroke6/2006/10/congressman_res.html

So, is the guy a criminal or a hero?  If Congress can't figure it out, I'm not convinced they understand the underlying problems ...




-------------------------------------
You are subscribed as rforno () infowarrior org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/



