Full disclosure and exploit tools in the wider world

Opinions on how to handle security vulnerabilities vary quite a bit. It is probably safe to say, however, that a majority of people who have studied security issues are in favor of some form of disclosure. Hiding security problems reduces awareness of the issues and reduces the chance that those problems will be fixed in a timely manner - without actually making anybody more secure. There is a rather smaller group that favors the release of exploit tools, however. Sharing information is one thing, but empowering groups of script kiddies is seen differently; the majority point of view here, arguably, is that the release of exploit tools just increases the damage from security problems without getting things fixed any more quickly.

The recent, short-lived creation of a web site which can print fake boarding passes would appear to be a classic example of the difference in how information and tools are seen. In the U.S., and other places as well, the security gauntlet which must be run to get onto an airliner includes an identification check: each passenger must produce some sort of identification which matches the name printed on their boarding pass. The weakness of this check has been well known for years; boarding passes printed by passengers on their own printers are accepted as valid with no verification. So it has always been true that anybody with minimal skills could print up a boarding pass, under any name, which would pass this check.

In this case, disclosure of the vulnerability did little to inspire any sort of fix, however. So Christopher Soghoian put together his web site. In response, the FBI raided his house and took his computers, and a U.S. Congressman publicly called for his arrest (though he later reconsidered that position). The web site got pulled down in a hurry. Mr. Soghoian has taken a storm of criticism, and is now facing an uncertain legal situation.

Many of the people who have criticized the creation of the boarding pass generator are normally in favor of the disclosure of security problems. The boarding pass site, however, has been deemed to be an exploit tool, and is thus beyond the pale. Mr. Soghoian, they say, should have found a more responsible way of making his point about the security of the boarding pass checks. This despite the fact that people have been "responsibly" making that point for years. Would the site have had the same impact had it, for example, printed "VOID" on its output?

The boarding pass generator was not released as free software, so it was easy to pull off the net. But there will be many readers of this site who could reproduce this tool in the time it takes to work one's way through the security lines in some airports. It would not be surprising to see such a tool show up on the net somewhere before too long. It is simply too easy to do.

Anybody contemplating such an action may want to take care to post the result anonymously. Mr. Soghoian may well avoid serious legal problems, assuming that, as he claims, he never actually used a fake boarding pass to get through a security line. Had he distributed his code, however, there is little doubt that rather more effort would be put into finding some crime to charge him with.

When we talk about software freedom, we often pass over a freedom so fundamental that we accept it implicitly: the freedom to write programs in the first place. But there are clearly limits on what we can really write. Authors of encryption tools, game servers, DVD decoders, electronic book liberators, and, now, boarding pass generators have found themselves in legal hot water. This will not be the last such episode, and the next one may affect the free software community more directly. There are programs that we are not supposed to write.


Full disclosure and exploit tools in the wider world

Posted Nov 2, 2006 2:45 UTC (Thu) by lordsutch (guest, #53) [Link]

Of course, the point of the boarding pass requirement is not to improve security per se; you'd never get on a plane with the fake boarding pass unless you hacked into the reservations database, because the passes are scanned by gate personnel, and whether or not you have a boarding pass you have to go through screening. Any determined attacker could pay a few hundred bucks for an airline ticket and have no need for a fake.

Instead, the boarding pass requirement is a rationing tool to reduce the number of people who go through screening in the first place... if (as was the case pre-9/11) all and sundry could go through the checkpoints to meet arriving passengers or give good-bye hugs, the screening system would be even more choked at major airports than it already is.

Full disclosure and exploit tools in the wider world

Posted Nov 2, 2006 14:19 UTC (Thu) by bfields (subscriber, #19510) [Link]

> you'd never get on a plane with the fake boarding pass unless you hacked into the reservations database, because the passes are scanned by gate personnel, and whether or not you have a boarding pass you have to go through screening.

As I understand it the attack is to carry two boarding passes, one that you get from the airline (and show at the gate), one that you present at security screening. The people at the gate don't check your photo id, so you can give them a pass bought with somebody else's name. The screeners check your photo id but don't scan your boarding pass, so you can give them a fake that happens to have a name matching your id. Since the screeners don't look up anything in a database they won't notice if your name is on a no-fly list, for example.

(To me the whole idea of doing security checks based on people's names seems kind of strange.)

Gate checks

Posted Nov 3, 2006 19:26 UTC (Fri) by egoforth (guest, #2351) [Link]

> you'd never get on a plane with the fake boarding pass unless you hacked into the reservations database, because the passes are scanned by gate personnel

You might be surprised at what can happen at a busy airport. On my last trip (two weeks ago), there was at least one gate (I believe it was in LAX) where there was no scanning done in real-time. The passes were collected, presumably to be scanned later, but none were checking prior to entering the jetway.

Gate checks

Posted Nov 3, 2006 23:32 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

And you're suggesting this lessens security? I don't see how. In the unlikely event that an anomaly is found in the stack of passes, they can still empty the whole plane of people and property before takeoff if necessary.

It sounds to me like a clever optimization.

Gate checks

Posted Nov 4, 2006 0:24 UTC (Sat) by egoforth (guest, #2351) [Link]

> And you're suggesting this lessens security? I don't see how.

My point was just that it wasn't as airtight a process as was indicated. But, yes, I think it does lessen security. Perhaps not a lot, or even not significantly. But there is still a chance for someone to board a plane who's not supposed to be there.

> It sounds to me like a clever optimization.

Which is fine, so long as it doesn't degenerate into a shortcut that causes a real security lapse (like not getting to the passes until after takeoff). Of course, I don't even know if that is possible, and I could just be paranoid.

Full disclosure and exploit tools in the wider world

Posted Nov 2, 2006 4:29 UTC (Thu) by error27 (subscriber, #8346) [Link]

There's a difference between saying something is wrong and saying something should be illegal. Which you didn't talk about, but I will. Software is like other kinds of speech and even offensive speech should be protected.

The boarding pass trick doesn't create a security problem. It shouldn't be enough to let you on the plane. Right now people are scared at airports so it seems like a big deal, but really it's just hype.

My feeling is that if people do stuff that's really stupid they should be put in jail for 1 week. So say if someone joins the KKK the judge would be like, "Well, that's protected by free speech but it's really stupid so I'm sending you to jail for a week."

Software as free speech

Posted Nov 3, 2006 23:46 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

> Software is like other kinds of speech ...

Well then so is hardware. A slim jim is just someone's expression in steel of a clever way to open a car door without a key. Software has no special place in the discussion.

In the early days of freedom of speech as US law, courts recognized that nobody wants all speech to be free. Speech that facilitates breaking the law with no higher purpose doesn't deserve any protection.

Software as free speech

Posted Nov 5, 2006 0:43 UTC (Sun) by timschmidt (guest, #38269) [Link]

Sure. That nasty declaration of 'independence' _should_ have been illegal.

Oh wait...

It was.

The problem with your draconian view of 'free' speech is that a 'higher purpose' is relative. Your higher purpose obviously isn't mine. I want _all_ speech to be free. Even yours.

--tim

Software as free speech

Posted Nov 6, 2006 4:36 UTC (Mon) by giraffedata (subscriber, #1954) [Link]

> I want _all_ speech to be free.

I seriously doubt that. You probably haven't considered the full spectrum of the kinds of speech there are. Shouting fire in a crowded theater? Libel? Exposing an undercover cop? Broadcasting troop positions? Publishing someone's password? Exposing trade secrets given in confidence by one's employer?

It's back up

Posted Nov 2, 2006 5:02 UTC (Thu) by JoeBuck (subscriber, #2330) [Link]

Rather, others have put up versions of the boarding pass generator that further generalize it, and provide source code (so it's not just running at the server end). Since it's clear that Jon objects to this kind of thing, I won't post a link. But this business of printing boarding passes at home always struck me as absurd. If the boarding pass were only used to get onto the plane, no problem: they read the bar code, and each bar code gets you on the plane only once. But since it's also used as a credential to get past security, it's already trivial to print multiple copies and change the names.

It's back up

Posted Nov 2, 2006 14:36 UTC (Thu) by kleptog (subscriber, #1183) [Link]

Last time I flew with easyjet I took the option to print my own boarding pass. They have this print page that only lets you print it twice. Since my printer is flaky, I automatically have the "print to file" option ticked so I can easily retry if it broke.

So now I still have it somewhere and could print it again if I wanted.

I'm just amazed they have a screening that doesn't check the boarding pass against the reservation database. Certainly at London Gatwick they scan your boarding pass at the security checkpoint. It has a 2-D barcode on it that my printer had a hard time printing, it took the lady several tries before the scanner picked it up.

Kill a tree.

Posted Nov 2, 2006 6:25 UTC (Thu) by dmarti (subscriber, #11625) [Link]

If software is controversial, release "the good parts" on dead trees in black ink. At the magazine I used to work for, I edited and ran a bunch of stuff that would have been a much riskier target if it was on the web. Judges don't want to issue orders to burn books, but they're comfortable with telling someone to take down some infernal machine on the Internet. Not necessarily fair or rational, just the way people in the current legal culture think. (Remember PGP Source Code and Internals?)

Kill a tree.

Posted Nov 3, 2006 18:13 UTC (Fri) by Max.Hyre (subscriber, #1054) [Link]

> (Remember PGP Source Code and Internals?)

One of my favorite books (right here at my elbow because I was just looking up Schneier's remark about Congress and can openers*) is Cracking DES, 1998. One of its features is complete code and complete VHDL for building a machine to break DES in a reasonable time, at a cost easily within the reach of a mid-sized corporation.

This was all in an OCR-scannable font so you could just order a copy (even outside the U.S.) and have at it. The hardcopy made it perfectly legal to export what was (allegedly) illegal to do with a floppy. (I wonder whether anyone brought up the question of a PDF of the book. :-)


* ``All too often, convincing Congress to violate the Constitution is like convincing a cat to follow a squeaking can opener[.]''

Full disclosure and exploit tools in the wider world

Posted Nov 2, 2006 13:27 UTC (Thu) by Dom2 (guest, #458) [Link]

> There are programs that we are not supposed to write.

Somebody been at the HP Lovecraft again? :-)

-Dom

Full disclosure and exploit tools in the wider world

Posted Nov 2, 2006 14:15 UTC (Thu) by RobSeace (subscriber, #4435) [Link]

> the majority point of view here, arguably, is that the release of exploit
> tools just increases the damage from security problems without getting
> things fixed any more quickly

I'd certainly argue with that POV (and, I'm not sure if I believe that it's
the majority POV, either)... Without published exploit code, tools like
Nessus could never exist... People couldn't test their own systems for
being vulnerable, or verify that a vendor-supplied binary patch really and
truly works to stop the vulnerability... Is it a double-edged sword? No
doubt... But, so are lots of things in life; just because a thing can be
used for bad purposes by bad people is no reason to start claiming the thing
itself is bad (especially when it has several very important and legitimate
uses, as well)...

... to see such a tool show up on the net somewhere before too long ...

Posted Nov 2, 2006 15:24 UTC (Thu) by rwmj (subscriber, #5474) [Link]

And indeed here is one, written in pure Javascript (so there's nothing to "pull"):

http://j0hn4d4m5.bravehost.com/

Rich.

WWBSD?

Posted Nov 3, 2006 4:34 UTC (Fri) by proski (subscriber, #104) [Link]

Don't wait for the next Crypto-Gram - Bruce Schneier has written an excellent take on the issue in his blog.

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.