So.....

1. Security researcher discloses a legitimate and important security vulnerability.

2. Security researcher uses a provocative method to display how the vulnerability can exploited.

3. Authorities overreact because it's the only

tactical option they have/they don't understand the real issue/someone higher up wants action immediately/the enforcement tools at their disposal are too blunt to finesse a better solution.

4. Well.....More News at 11.

Actually I have a lot of sympathy for Chris. The issue he raises should be openly debated and considered. In other countries this would probably have resulted in probing questions being raised to the government by the opposition party, some embarrassment for officials and airlines, cries for action from concerned citizens groups, and eventually a resolution being found to improve the situation to some degree (oh and probably a little bit of media butt kicking for the researcher for being unnecessarily provocative).

But this is the USA. When you do disclose you need to fully consider the environment you are disclosing into and the very real risk disclosure carries here.

Would the message and intent of this research have been just as easily delivered in a "hypothetical" whitepaper rather than a "make-your-own-boarding-pass.com" style website? Probably - although undoubtedly it would have had less media zing.

Would the chance of getting your home raided by law enforcement be lower? Almost certainly.

Hopefully sanity will be restored in this instance, and more importantly the state of airline security may actually be improved. Good luck Chris. Not the smartest move in the world by any means, but it sounds like your had our best interests (and security) in mind.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/newsbriefs/342/1470#1470