I don't know what I'm trying to contribute here, except that whilst I have no problem with EFF working on this, their article here seems overly shrill and over-reactionary at how shrill and over-reactionary the airline was in their response to what (admittedly, in hindsight) could have easily been interpreted as a threat by an over-zealous corporate drone blind to smily-face emoticons.
In the age of Twitter, such hijinks are amplified further due to their world-readable nature. The problem with innocent, uncomfortable-but-well-intentioned jokes is that you have to consider how it will play with someone whose job it is to flag up and respond to any and all threats, no matter how credible.
Fundamentally it's your joke versus a member of staff who is not in a position to deviate from the procedure and brush it aside.
Plus, who'd want to be the guy who gets their face on the news after an incident because they ignored a threat and thought it was a joke? They won't, and often CAN'T, take that risk - they are simply not in a position where they are allowed to do so.
As you say, we live in shitty knee-jerk reactionary tines, but whatever the rights and wrongs, in this kind of situation it's prudent to moderate one's comedy appropriately.
Every time they ask me that question - I do a quick mental checklist, always mention that my luggage did leave my control when placed in the boot of the cab - which they always understand is an acceptable loss of control.
There are a couple alternatives that one could take to further increase security - first, presume that 100% of people are threats, and do a full security scan, and hand check/rejection, of 100% of checked luggage. Likewise, enhance the carry-on security check, and further restrict what people can carry-on. In particular, shift the carry-on check to the gate (where it should be).
I'd bet that a fair number of the people who thoughtfully answer that question give an answer that is calculated to produce the least amount of hassle for themselves, even if they know that their luggage could have potentially been tampered with. Most people probably aren't aware enough of their surroundings to give an informed answer. I'd like to know out of the number of extra checks that have been initiated due to this question, how many have yielded anything useful.
In fact, I don't see why anyone would have a problem with that...it's a constant and (imo) fair assumption of mine that my friends are not trying to kill me.
Also - while you can be trusted to make judgements about your own safety, the airlines have to make somewhat more conservative decisions about the safety of everyone else on the plane.
And carrying packages for someone else is just one of likely hundreds (thousands?) of factors that they are concerned about.
This doesn't guarantee airplane safety (Nothing ever will), but it reduces the number of easy attacks one can make, such that it's becoming somewhat more difficult for a passenger to bring down the plane they are flying on now. Of course, now we have to worry about the pilots (a thankfully rather rare vector)
Then, with images of airport holding cells and enhanced interrogation jumping to mind, I hastily explained what I meant. Interestingly, the agent was happy not to unwrap and open the present, and just inspected the rest of the contents...
Carrying eg an apple into the US is probably not going to be fun if they find it.
People are easy to manipulate into carrying a parcel across international borders.
Also, isn't it the start of gathering evidence? If you say it's your bag and you had control of it and then they find it full of contraband they can use your comments to tie the bag and contents to you?
it exists to weed out the absolute moronic and deranged. not everyone is a supervillain with an iq of 300.
plus, i guess it also exists for legal reasons. lying to the question can be used against you.
there is a lot of smart people out there, working keeping things running and safe. if something looks ridiculous from the outside, it still might be ok - you just might be lacking context to understand it.
That's exactly the problem, right there. Such jobs should not exist, because non-credible/joking threats are not threats, they are just jokes.
That is achieved through men with badges, confiscation of property, the disruption of travel, and the kind of inconvenience being written about here.
I think the infosec community needs to grow up. We all hate when legislators use the word 'cyber.' Title 18 is a mess. The new computer crime proposals are worse. Every couple of years we get the occasional story about licensing security professionals. It is because of exactly this type of clownish behavior.
There are consequences for the attention seeking type of behavior. This idiot is catnip for government regulation.
It isn't exactly his fault though. Our community has been doing this to garner press attention for the sake of the attention. He is following the pattern that has long been set. Stunt hacking scares the shit out of normal people. Eventually people will demand regulatory intervention.
But you're taking things too far by casting aspersions on all of "stunt hacking".
The problem with this idiotic tweet is that, if there is a vulnerability in the electronics of an airplane, this is exactly the thing you'd expect to see before some moron accidentally forced an emergency landing by tinkering with it. Vulnerability researchers disrupt and disable systems all the time without trying to.
The same is not true of people using logic analyzers on car CANbus systems (the archetypical example of stunt hacking).
The real criticism I've seen of stunt hacking is that (a) we don't learn all that much from it and (b) it's not particularly difficult ("look at this debugger debugging", as a friend of mine summarizes most stunt hacking talks).
What's going to get people talking about security? "Target got hacked" "Oh, what a shame, I'll replace my card then go shopping at Target again". Or what about "I can bring down a plane while it is flying without needing a bomb. I can shut down hydroelectric dams from my living room and flood the entire state of Washington". Now you've got people talking.
"It's not particularly difficult" is the precise problem. It should be difficult. People should be demanding that gaining access to flight control and SCADA systems be made impossible by the general public. Dismissing a hack as "easy" means you're forgetting that it's a hack. It's not supposed to be possible, let alone trivial.
This is what I have concerns with. It's this "ends justify the means" argument that disregards some important consequences.
There are many ways to breach these topics. You can go to the FAA. You can go to the individual companies. You can post on mailing lists. Ultimately, it may be a grind. But going the press route with inflammatory statements has consequences that exceed your own experiences with law enforcement. The legislators want to regulate infosec. It won't be pretty when they do.
We need people to understand that a successful disclosure doesn't require headlines in arstechnica. You have to be empathetic to interactions with large organizations. Flashy press may get attention to your issue, but it can also have disastrous consequences for the rest of the community. Is it worth it?
I've heard him talk for years. Same thing every year. So seeing what I saw on Twitter was no surprise. He's not publishing an exploit on Twitter, he's making a joke to the followers he has that all know what he's done. He's making the joke that this year, again, the flight control systems are still vulnerable to literally anyone with a laptop and an ethernet cable.
It's not that he's saying he's tinkering with what he believes to be flight control systems on an actual flight in transit. Of course he wouldn't do that... again. He's already done it once, years ago. Why was there no outrage then?
(a) There is no real flaw here, other than the potential for maybe sending scary messages to people's In Flight Entertainment screens, and so the disruption he's causing by suggesting that there might be a flaw has no upside.
(b) There is a real flaw here, for instance a message he can send across in-flight wireless that would deploy an oxygen mask, and his broadcast that he intended to tinker with that system is actually threatening.
Am I missing a case (c) here?
Perhaps it's entirely possible that the EFF is just like any other organization that needs to find ways to justify their existence. The same with security researchers cloaking many of the things that they do in some quest for the greater good (the "if it wasn't for us" argument).
You know locksmith tools are available for purchase over the internet. But that's not enough! We should teach lock picking in schools so that people develop new and better ways to prevent their own locks from being picked and invest in more security against people that have been trained to pick locks. Because disclosure and transparency makes everything better and nobody thinks there is any value at all in obscurity or making things a bit more difficult by not being so out in the open.
Pretending that finding some security flaw is not about capturing the flag and all about saving humanity really bothers me to no end.
Robots are not going door to door picking locks, but that is exactly what happens every second of every day to every system on the Internet. It only takes one, and there are lot of disenfranchised smart people around the globe.
Good. Maybe they'll actually start caring about security instead of obscurity through law.
The flashy stories have been happening for close to 20 years now. Are vulnerabilities becoming more rare?
Vauge non-specific demands of a loose and fluid group with little to no control over it's members set the group up for inevitable failure.
Without critical thought, it appears to be a reasonable request. Which is why the people who never want to listen to The Cavalry or EFF say it, and why the rest of us propagate the idea. But it's a trap.
There is some amount of control when you are accepting and possibly celebratory in response to behaviour that should be discouraged.
For example, if you never sexually harass someone yourself, but you are silent while other do so, you are ceding a control that you have over the situation.
If more people that were respected in the community called out these behaviours when they happen, you may see them happen less (though this isn't an absolute control, so they wouldn't go away completely).
It is a complete waste of time.
The appropriate sanction is the professional scorn that he's already beginning to receive.
There is no rational reason for their action. This is simply a PR move by United and the FBI. Which leads to the same conclusion: just don't tweet things like this. Not because you're wrong, but because they are assholes.
Many, Many bad actors have a pretty good trail/history of signals that made it clear that they were going to do something stupid. And a lot of them are stopped because authorities stepped in when those signals were reported.
Would you want to be the person who was notified that someone was communicating they were considering interfering with the proper operation of an aircraft, and ignored them, only to discovery they later on did do damage to the aircraft?
I think at the very least, people responsible for flight safety can engage with those making claims they are going to endanger airplanes, and subject them to a strenuous interview to determine what their actual intent is.
In this case, all the authorities did was interview him, and seize his electronics. My reading of the story is they didn't even charge him with a crime or put him in a cell. I don't find it surprising whatsoever that United Airlines does not want him flying on their planes.
What did he expect was going to happen?
I hate how often this line is used to defend bullies and blame victims. It's an attitude that ensures the overly aggressive can browbeat their way to getting whatever they want.
So if you don't want them to react, don't threaten the president, don't make threats about messing around with aircraft EICAS systems.
Remember, the FBI isn't responsible for designing safe aviation comms systems, their job here is to investigate potential threats. I think most of us on HN would suspect that Roberts is not a threat, but from the perspective of the FBI, he's certainly a potential threat that needs to be investigated.
This is definition is too narrow, in my opinion. Workplace bullying, for example, isn't just for amusement, or even to hurt others deliberately.
I would define a bully as anyone or any group that uses coercion to get their way, rather than persuasion. Alternatively I would say a bully wantonly throws their weight around.
As such, using the power of the FBI to seize equipment as the first response to an unproven alert is bullying.
It should be noted though, that in the case of the FBI seizing the equipment, it turns out to be the case that Roberts actually was guilting of making the threat/joke about messing with the airplane's EICAS system, so it's not clear to me that we can claim it was an "unproven alert."
You can always seize the equipment, perform an investigation, and then return it. But if you fail to seize the equipment, then the suspect can wipe it/destroy it if you later determine you do need to review it.
I'm guessing the FBI (any police agency), in this situation will follow the "Better safe than sorry" approach.
And, as to how you can avoid having your shit seized by the cops - most of us were taught at the age of 5 not to use the B word in an airport - just extend that logic to not making jokes about messing with the aircraft safety and you should be fine.
Someone tattled (Twitter) and he was taken to the principle's office to explain his comments. He was not suspended or kicked out of school (possibly because they decided he had not actually threatened the weaker student, etc).
This is more a function of the airlines just being stupid though. There was a case where an Arabic family was taken off of an airplane because on of the teenagers asked how safe it was to sit in a seat next to the wing. The FBI cleared them, but the airline refused to allow them back on a plane.
I.E. He was talking about directly interfering with the planes EICAS system. What if he'd joked about running a GPS, or VOR (http://en.wikipedia.org/wiki/VHF_omnidirectional_range) jammer during final approach? At what point do the authorities decide they need to have a conversation with such an individual?
That's the problem with concentrating blame. It leads to net counterproductive behavior. One in such a position is thinking about their position, not just the people they are protecting.
You can't know that.
> If the FBI already had reasonable suspicion he would, they shouldn't have let him get on the plane in the first place.
They may well have stopped him getting on the plane if he'd made similar tweets beforehand. "I'm going on a plane next month. What should I do with EICAS ;-)" would probably have had the same effect.
He shouldn't have had his stuff confiscated, but he has no excuse for not knowing how "they" reacted. Their over reaction is entirely predictable, not just from theory but from their past behaviour.
This plane has <security vulnerability> ... shall we play with it and do <bad thing>?
On the other hand, maybe this would go down better:
Oh god, this plane has <security vulnerability>. That does not make me feel safe. What if someone did <bad thing>? D:
> Oh god, this plane has <security vulnerability>. That does not make me feel safe. What if someone did <bad thing>? D:
No! There are plenty of examples of people who stumbled over a security vulnerability, and who responsibly, confidentially, reported those vulns to the companies, and who then faced scary legal action.
I agree that the actions taken against him are far too severe; and that there should be a way for people to talk about security flaws without facing this level of harassment.
Good judgement needs to be taken into account. I recall having to "reapply" for my temporary job in the computing center every semester (because, of course, it was "temporary") - and one of my fellow students, after having done this for a couple years, and having a bit of ego, basically just scrawled on his application form, "Hire me again or I will murder all of you." You see, if you knew him, it was actually really, really funny. We were all a close group, and everyone on the team thought it was hilarious. The HR organization that unbeknownst to this student, screened all applications, and had no idea who he was, took a decidedly different perspective on his application.
The proper response was to alert security, and thankfully his hiring managers - who then de-escalated the situation.
The problem with the airline situation - their is no easy "oracle" who can confirm that this person is most decidedly not a threat.
It'd be like making a rape joke when you pass a woman on a dark street.
It's not my job to make anyone feel safe. That is merely the bias of my personal style. Pure coincidence. The fact is, talking about religion with derision could incite violence, pain, and fear. Am I someone who gets off on pain? No. But I'm not going to go out of my way to protect someone's heart either. It's their job to rule their own heart. It's not their psychiatrist's job or their pastor's job. On a side note, I would add that many religions go out to deliberately propagate fear ("Jesus is the sacrifice to save us from hell"). Nobody cares. I have a friend who is really pained by the thought that he can't convert his close friends, and worse of all, his parents! What agony he must go through now that somebody decided to exercise their free speech and tell him about the eternal torture of hell. It was his job to rule his own heart.
Similarly, it is not the job of students to avoid discussion of rape on campus because the mere mention of rape could cause a reliving of trauma. It is instead out of personal will for a healthier future that we deliberately choose superior speech over unrefined speech.
It is okay for society to shame those they think are tactless. It's not okay to bring logistical or material pain to someone's life because they made one feel terror, or angst, or outrage. Discussion of hell could bring more pain into someone's life than most other subjects one can summon up without a priori knowledge.
If the security is as bad as he claims, the risk his testing might inadvertently put people in danger could be pretty high. And he was a repeat offender, as by his own admission he'd hacked planes 15-20 times so far in a live environment. That's incredibly dangerous, and it takes an incredible amount of ego and an incredible lack of consideration to fail to realize that he could be putting people at risk himself.
I totally disagree and am confused how that could be your reading
The guy has bad judgment, but he's not saying anything that should trigger any action against him (they should investigate the basis for his claim, not him as an individual).
I'm sorry, but that tweet actually is threatening in my eyes. Note that I know __nothing__ about airplane-system-security, but that looks to me like he gained some kind of cmdline and/or admin-tool access and "PASS OXYGEN ON" looks like something that would cause the oxygen masks to drop down for all passengers. And he did this while on the plane with other passengers while it was flying? If so, he got what was coming to him. Sorry.
EDIT: Screencap in case someone(s) decide to delete tweets http://i.imgur.com/Uqfh0oL.png
Archive.org will delete everything on request. For example if you add a robots.txt file blocking them they will automatically remove the entire history for your domain
Archive.org will not delete anything, they do censor though. In case of court orders there should be no problem getting hidden content from them.
737/800: is the type of aircraft and specific model (Boeing 737, stretched version (800)).
Box-IFE-ICE-SATCOM: Is a theoretical (or actual?) exploitation path.
Box: I'm assuming is in-flight WiFi
IFE: Is the in-flight entertainment system
ICE: Is also part of the IFE, but I'm guessing he specifically referenced that due to the "I" (in ICE) namely, the information that gets fed into the IFE from the flight systems (speed, altitude, and position)
SATCOM: The uplink used by in-flight WiFi but also the IFE to provide "latest news." If can be used to deliver information to the airline about the aircraft so they can keep track of if its on schedule and such.
EICAS messages: Used on aircraft's secure network for flight crew alerts and diagnostic information. Some of these may be relayed onto the insecure network and forwarded to the airline (similar to ACARS, but over SATCOM).
PASS OXYGEN ON: The implication is he wants to cause the oxygen masks to drop down into the passenger cabin (although in reality sending this wouldn't do that, it would just set off a warning on the flight deck letting the pilots know that the oxygen masks dropped, even if they physically hadn't).
If he could send EICAS messages to the aircraft's secure network, that would be a legitimate safety concern. However if he just witnessed EICAS messages from the insecure network, that isn't really a concern except maybe he could send misleading ones to the airline and give them a metaphorical heart attack.
At worst this guy could send a fake message to other passengers, and maybe cause a IFE system warning in the cockpit. Oxygen Masks are controlled by a completely separate system to the IFE.
* The 737NG has various displays for warnings, but its not quite the same as the Airbus EICAS
> "I'm on an Amtrak train, which, for the record, I'm pretty sure I can't take over via the wifi."
"legitimate researcher" is not a specific job, researching is an activity any citizen can and should be free to conduct within the confines of the law, and all of that is "legitimate".
The whole "legitimate researcher" creates a huge loophole through which the powers that be can create some kind of registered researcher status, with the obvious consequences for everyone else.
Also, the gateway between the aircraft safety systems and the CANBUS is one-way. The worst he could have done is shutdown the In-Flight Entertainment system, and inconvenienced a bunch of passengers.
I'm not saying that the possibility of security flaw isn't there, only that this CANBUS issue isn't it.
A legitimate researcher would arrange a ground test, or even a test flight, and not experiment on an airliner with passengers. They can do "hardware in the loop" tests on the ground, with minimal risks. The FAA are actually involved in requesting security assessments on airline systems with safety implications.
IMHO This guy come very close to crossing the line of "interfering with the safety of an airliner" when he conducted previous tests, and that is most certainly is illegal. People have gone to prison for less.
The EFF should be pushing for further evaluation of the actual issues, whatever they may be, in an appropriate manner. If Boeing/Airbus blow off the EFF, push back harder.
A well trained crew can operate a 737 quite safely using the Standby Flight Instruments for an emergency landing, even if some sort of compromise shut down the primary Flight Management System and Primary Flight Displays.
I happen to know several computer programmers/security researchers who are also test pilots. More than one called the CANBUS risks "inconvenience" and not safety of flight.
Makes sense to me. Mere thoughts should never be forbidden, but acting on a criminal intent, even if the acts, taken independently, wouldn't be forbidden, is something else entirely. First, actions can be punished. Second, actions are actual evidence for the intent.
Criminal intent is not illegal. Only actions.
And, of coure, there are crimes of "Conspiracy to X" that involve merely the intent to commit a crime.
For the kind of plot you describe, prosecution would usually occur when there are multiple persons involved based on conspiracy charges, which require an overt act in furtherance of the conspiracy (which can be a fairly minor act, but it still requires an act.)
I bet the prosecutors are kicking themselves for not thinking of that one earlier, as well - they could have simply rocked up to certain pubs in Belfast and arrested and jailed everone singing IRA songs ;)
I wonder how they connect the tweets to the persons? Do they actually actively search Twitter for keywords, and when they hit they dig into it until they have found a name, which they check against their passengers lists? There's probably some shortcuts they can use, but it still seems weird to me.
Sometimes the way we keep airplanes full of passengers from falling out of the sky, is by looking for, and engaging, potential bad actors. The way to determine if someone is a bad actor, is by looking for signals of such intent. And, I think all things equal, this guy probably was throwing off signals that he was a bad actor, even if it's obvious to anyone who knows him, that he's just being a jackass.
 Foreign Object Damage. In this case, at-speed impacts with grit, ice, and whatever.
If someone says "I'm gonna bring down the Golden Gate Bridge with this 12" stick of balsa wood." you don't give them a second thought. They may have hostile intent, but they clearly lack the understanding of how to, or the means to, cause harm to the bridge.
If someone says "I'm the operator of this container ship full of high explosives and I'm going to ram it into the GG Bridge and detonate the explosives.", then you investigate that, as the person very probably has both the intent and means to cause actual harm.
We -as a society- used to refuse to be terrorized. We used to laugh off incredible threats as the insanity, bluster, or cathartic ranting that they clearly were. We (or maybe just our investigative and enforcement organizations) freak out much more over much smaller things these days. Our society is poorer and weaker because of this.
I hope that encouraging people to learn to put threats into perspective will help reverse this trend. Perhaps a calm, level-headed populace will calm its over-reactionary leaders, investigators, and enforcers.
 Or both.
 I mean this in the "in-credible" sense.
Doing so while on a plane full of people is not a good idea.
Are there people who know this stuff better and have pointers? I would love to know more.
The 737NG engine instrument display is somewhat similar, except non-engine warnings are on other displays. Some warnings go on the Primary Flight Display. The 737NG also has a warning panel with lightbulbs.
Really dumb of this security consultant to have bragged about tampering with airplane control systems in the middle of a flight.
Really dumb of EFF to make a cause célèbre of him.
EFF's analysis of this situation seems to revolve around the consultant's intent. He's a security researcher, ego not a real threat, and undeserving of scrutiny.
I'd have thought that EFF would be better acquainted with pentesters by now. Anyone who spends a lot of time with pentesters knows that when it comes to disrupting or disabling critical systems, intent doesn't have much to do with the outcome of a pentest. We break shit all the time without trying. We break shit even when we're trying not to. Smart clients who have spent the last decade working with pentesters often have e-l-a-b-o-r-a-t-e rules of engagement designed to avoid prod disruption. We still break shit in prod, even when we follow the letter of the rules.
So this goofy tweet the consultant sends: is it what you'd expect right before a terrorist crashes a plane? Of course not. But is it exactly what you'd expect right before some idiot trips a bug that does something to force an emergency landing? It absolutely is.
Is it outside the realm of possibility that some control system somehow bridged to airplane wireless would have a problem that would allow a passenger to deploy the oxygen masks? It is not. Would that design flaw be idiotic? Yes it would. Does the idiocy of that design flaw mean it's unlikely to be there? No it does not. Virtually every system you interact with in the world has idiotic design flaws. Wait, that's not a question. "Does virtually every system..." YES. YES THEY DO.
So imagine that, just like in pretty much every pentest ever, this consultant is merely poking around trying to see what functionality is exposed to him through this design flaw. No intention to make anything happen at all. Now imagine he purely by accident does manage to, I don't know, deploy oxygen masks. No harm done (stipulate nobody on the flight has a severe heart condition). Plane integrity undamaged. Plane fully capable of continuing along its itinerary. Nonetheless, what's the likely outcome here? Unplanned emergency landing.
There probably is no such vulnerability. But then you have to ask yourself: who in United's flight operations chain of command is qualified to assess whether there is? Really, who in the entire flight safety chain of command, from flight captain through FAA to DOJ, is? There aren't that many people in the world who know how EICAS messages work. All they have to work with is the hypothetical. "Unexpected behavior found in in-flight wireless. Tinkering in process!" That's a threat!
I think the thing that frustrates me most about this story is the fact that it's probably not possible to launch anything more than nuisance attacks from the vantage point of a passenger. And yet because of our (admirable and effective) attitude with regard to flight safety, those nuisance attacks are all economically devastating. In other words, this kind of "research" is unhelpful.
Where EFF made me flip out this time: Nevertheless, United’s refusal to allow Roberts to fly is both disappointing and confusing. As a member of the security research community, his job is to identify vulnerabilities in networks so that they can be fixed. Wat. United's decision here is extremely easy to understand: they do not want to offer service to someone who was willing to disrupt a flight to make a point. Meanwhile: the "security research community" does not deputize its members, make them swear an oath, and given them a little tin badge. No part of this guy's "job" gave him the right to tamper with the computer systems on an aircraft. If EFF thinks that's what it means to be a vulnerability researcher, they are broken. They cannot advocate effectively for legitimate research while promoting the idea of special rights for people who call themselves security researchers.
It's the 1 in 100, 1 in 1,000,000 chance that the tweet wasn't a joke, but a real threat. They can't take the risk that they knew about it, and didn't take it seriously and 100's died.
In my case they almost apologized for having had Federal Air Marshals detain me.
>Mr. Pollock conceded that he told the flight attendant he planned to ignore the sign, which other travelers had questioned in online travel forums.
Do you also drive around on public roads without a licence stating the "Right to Travel" like people also talk about online?
The people in business class (or whatever it was in front of you) have paid more to be less crowded. Therefore the airline puts up a curtain and asks you not to cross it. That seems super reasonable to me.
You don't like the curtain and sign. A reasonable response might be to fly a different airline or pay to get in that section next time.
Deliberately ignoring the sign, going out of your way to tell them that you're going to do that, and then filming the poor guy when he stops you, that seems pretty far off into psycho land to be honest.
In fact, I'm glad that they went out of their way to protect the people in the seats in front of you from being unnecessarily bothered by people like you hiking past.
Am I missing part of the story?
Note: They keep saying "HACKERS" and not criminals!