Opinions on how to handle security vulnerabilities vary quite a bit. It is
probably safe, to say, however, that a majority of people who have studied
security issues are in favor of some form of disclosure. Hiding security
problems reduces awareness of the issues and reduces the chance that those
problems will be fixed in a timely manner - without actually making anybody
more secure. There is a rather smaller group that favors the release of
exploit tools, however. Sharing information is one thing, but empowering
groups of script kiddies is seen differently; the majority point of view
here, arguably, is that the release of exploit tools just increases the
damage from security problems without getting things fixed any more quickly.
The recent, short-lived creation of a web site which can print fake
boarding passes would appear to be a classic example of the difference in
how information and tools are seen. In the U.S., and other places as well,
the security gauntlet which must be run to get onto an airliner includes an
identification check: each passenger must produce some sort of
identification which matches the name printed on their boarding pass. The
weakness of this check has been well known for years; boarding passes
printed by passengers on their own printers are accepted as valid with no
verification. So it has always been true that anybody with minimal skills
could print up a boarding pass, under any name, which would pass this
In this case, disclosure of the vulnerability did little to inspire any
sort of fix, however. So Christopher Soghoian put together his web site.
In response, the FBI raided his house and took his computers, and a
U.S. Congressman publicly called for his arrest (though he later
reconsidered that position). The web site got pulled down in a hurry.
Mr. Soghoian has taken a storm of criticism, and is now facing an uncertain
Many of the people who have criticized the creation of the boarding pass
generator are normally in favor of the disclosure of security problems.
The boarding pass site, however, has been deemed to be an exploit tool, and
is thus beyond the pale. Mr. Soghoian, they say, should have found a more
responsible way of making his point about the security of the boarding pass
checks. This despite the fact that people have been "responsibly" making
that point for years. Would the site have had the same impact had it, for
example, printed "VOID" on its output?
The boarding pass generator was not released as free software, so it was
easy to pull off the net. But there will be many readers of this site who
could reproduce this tool in the time it takes to work one's way through
the security lines in some airports. It would not be surprising to see
such a tool show up on the net somewhere before too long. It is simply too
easy to do.
Anybody contemplating such an action may want to take care to post the
result anonymously. Mr. Soghoian may well avoid serious legal problems,
assuming that, as he claims, he never actually used a fake boarding pass to
get through a security line. Had he distributed his code, however, there
is little doubt that rather more effort would be put into finding some
crime to charge him with.
When we talk about software freedom, we often pass over a freedom so
fundamental that we accept it implicitly: the freedom to write programs in
the first place. But there are clearly limits on what we can really
write. Authors of encryption tools, game servers, DVD decoders, electronic
book liberators, and, now, boarding pass generators have found themselves
in legal hot water. This will not be the last such episode, and the next
one may affect the free software community more directly. There are
programs that we are not supposed to write.
to post comments)