

“Bye bye electronics ... all now in custody/seized” - mholt
https://twitter.com/Sidragon1/status/588572906063409152

======
kleer001
So, he jokes about messing with a plane he's on and then posts sad pics of his
computer hardware being confiscated? Or maybe I misunderstand. Jokes at 1pm,
Confiscation at 10pm. That looks like a pretty solid narrative.

If that's true... I just don't know. Even as a kid I've always respected the
"Don't joke about a bomb as you pass through security." culture. I mean,
christ, a plane flight is so f-ing short. Best practice is shut up, sit down,
and keep quiet. It's hyper-public, seven powers of magnitude more touchy than
screaming "Fire" in a crowded theatre.

Airplanes, airports, and other international public places are not sanctified
platforms of free speech. They're special cases, like visiting your in-laws
that you want to be on the good side of. Religion, politics, blue humor,
graveyard whistling, none of them are appreciated by anyone, for the most
part.

Right? Am I completely retardomantobhan?

------
mholt
Apparently authorities noticed this tweet:
[https://twitter.com/Sidragon1/status/588433855184375808](https://twitter.com/Sidragon1/status/588433855184375808)
and confiscated his devices.

Edit: I submitted this link not because the action wasn't justified (joking
about hacking into the electronics on a plane obviously isn't OK) but rather
as a reminder of who is listening and what can happen.

------
Nadya
"Harmless pranks" like this can have bad results... however they highlight how
insecure flights can be in a way that will grab attention in ways that would
otherwise be ignored.

There needs to be more available venues for PenTesters and white/greyhat
hackers to be paid for their line of work. But security is often overlooked
because the masses aren't educated on the subject.

The number of companies that have lied about "your information is totally
secure" is beyond belief. This is one of the reasons why.

~~~
kleer001
Yes, more venues for PenTesters! Forms to fill out for the volunteer
ombudsman. But Twitter is not it. A few screen shots and anonymous submission
maybe. All done well after the flight you're on.

~~~
Nadya
How would compensation be done? What about public awareness? How would the
PenTester know the security flaw was patched?

These sorts of changes would need to be drastic - and therefore are
unrealistic. Until something bad happens because of them... unfortunately
that's the only thing that causes change.

~~~
kleer001
> How would compensation be done?

That's what freelancers are for. If a citizen PenTester found something I
guess there should be some kind of token "reward". But I can imagine that a
big company doesn't want every Tom, Dick, and Harry poking at their sensitive
bits.

> What about public awareness?

What about it? I think Computer Security and Security in general should be
taught in school alongside critical thinking. But that's not happening any
time soon.

> How would the PenTester know the security flaw was patched?

That would most likely be in the compensation agreement, lots of legalese.

~~~
Nadya
> But I can imagine that a big company doesn't want every Tom, Dick, and Harry
> poking at their sensitive bits.

I think they'd prefer whitehats over blackhats poking at their sensitive bits.

> What about it?

Situations like this can make the news. They can cause a big hubbub. They can
raise awareness. Not always (this case seems like it definitely won't) - but
doing these greyhat sort of pranks has a larger chance than never talking
about it at all.

> That would most likely be in the compensation agreement, lots of legalese.

I meant if it was anonymously reported (unless this is optional) - they would
not be able to be contacted for compensation. I'm all for emailing/anonymous
tips without expectations of compensation.

Should we really be defending companies because "they shouldn't have to pay
out money to improve their security of OUR PERSONAL DATA"?

I don't care if every Tom, Dick, Jane, and Harry is poking around sensitive
areas. If they're getting into 'secured' areas or stealing personal
information - that's a problem for people and it's the company's job to have
tighter security.

~~~
kleer001
I agree with everything you say. Except:

> Should we really be defending companies because "they shouldn't have to pay
> out money to improve their security of OUR PERSONAL DATA"?

I don't think anyone was saying that.

... and would like to add: If an idle, up-to-date, informal, and benign actor
can poke around the sensitive bits of a company, that company needs to do some
serious work, possibly firing sec staff or suing previous freelancers. I think
that at a high level businesses need to do due diligence, but then also trust
professionals and experts that a job done is actually done.

Also, my previous statement about systemic secEd would apply here, as those
businesses would understand that security is a process, not a destination.
Right?

