On exploits, hubris, and software security

[secureCoding2dave at davearonson.com (SC-L Subscriber Dave Aronson)]

Gary McGraw [mailto:gem at cigital.com] writes:

> The main thing I wonder is, what do you think? When you have a hot
> demonstration of an exploit, how do you responsibly release it?

This isn't so much about that, in the usual sense. This was, as you say, a well-known vulnerability, one screamingly 
obvious to anybody who bothered to think about how to get around the No-Fly List. Bruce Schneier wrote about it on his 
blog long ago, as did many others.

> What role do such demonstrations play in moving software security forward?

It could help dramatically. Not so much because of the demo itself, which will of course be ignored by the Powers that 
Be, but the publicity around it. That might possibly eventually make enough of a dent in the public consciousness, to 
wake them up to the fact that what the PTBs have been doing is almost all just security THEATER.

However, it depends how much the media gives background. Unfortunately, even a brief blurb like "this flaw in the 
No-Fly List concept has been well known for several years" is unlikely to be aired or printed, since it takes valuable 
time/space away from the latest scandals of skanky "socialites" and other such much more important news. Without this 
little bit of trivia, the sheeple will just ass-u-me that the demo-giver was, as the PTBs will insinuate, a malefactor 
in league with $ENEMY[$YEAR], and deserves to be shipped off to the Git-lag.

-Dave

-- 
Dave Aronson
"Specialization is for insects." -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/