[IP] more on Web Site Lets Anyone Create Fake Boarding Passes
Begin forwarded message:
From: Rich Kulawiec <rsk@xxxxxxx>
Date: November 1, 2006 10:25:07 AM EST
To: David Farber <dave@xxxxxxxxxx>
Cc: EEkid@xxxxxxx, Dave Crocker <dcrocker@xxxxxxxx>, Patrick Sinz
<ps@xxxxxxxxxx>, Seth Breidbart <sethb@xxxxxxxxx>, Jim Huggins
<jhuggins@xxxxxxxxxxxxx>, john kemp <john.kemp@xxxxxxx>, Richard
Forno <rforno@xxxxxxxxxxxxxxx>
Subject: Re: [IP] Web Site Lets Anyone Create Fake Boarding Passes
This incident is symbolic of a much larger problem.
Those who report security issues *should* expect:
- prompt attention to the report from those responsible
- candid admission that the report is accurate (and it
often is *very* accurate)
- unconditional public apology from those responsible
(to customers, to the public, etc.)
- immediate resignation or public firing of those
responsible in especially egregious cases
(e.g. ChoicePoint)
- financial or other compensation to those affected where
appropriate (e.g. ChoicePoint)
- stop-gap/band-aid solutions deployed very quickly
- long-term/solid solutions deployed in a timely manner
- concurrent investigation of any similar issues in order
to try to avoid similar problems
- when necessary, sweeping changes in technology, policies,
procedures, etc. to avoid a repeat
- public expression of gratitude to reporter for their
(nearly always unpaid) services
However, what those who report security issues *can* expect:
- silence
- denial, minimization, evasion, and propaganda
- attacks on character, competence, motivation, etc.
- attempts to silence reporter through intimidation and litigation
- claims that the report, not the issue, is the real problem
- legal and other threats (including criminal charges, raids
by jack-booted thugs, spying/privacy invasion, etc.)
- failure to tackle the substantive issue in any way: no
short-term fix, no long-term development, no attempt
to locate/repair similar problems
- no repercussions for those responsible no matter what
- use of report as excuse to advance own agenda
- promotion of self-serving "responsible disclosure" nonsense
- business as usual no matter what
I understand that nobody likes having their mistakes pointed out.
But there really is NO excuse for those equipped with immense human,
financial and organizational resources to be making the kinds of foolish
mistakes that we see on a depressingly/alarmingly regular basis.
Thus, the lesson here is: if you find a security problem, your best
course of action is NOT to quietly inform those responsible, because in
nearly all cases, nothing useful will happen. Ever. And you will be
tagged for close scrutiny and possible reprisal.
No, the best course of action is to loudly and anonymously publish the
problem on the Internet, since it's clear that the only -- and I mean the
ONLY -- way that it stands even a tiny chance of receiving the attention
that it requires is to pull the shorts of those responsible up over their
head and tie them in a knot. And public humiliation actually seems to
work some of the time -- it certainly seems to work far better than any
other approach.
Is this a desirable situation? Heck no. But it is the situation that
those incompetent, lazy, stupid, cheap, and self-serving bureaucrats in
corporations and government have deliberately created. It's the fault
of Microsoft and Cisco, DHS and DoD, and all the others who have failed
to behave in a minimally professional manner -- an essential component
of which is "admit your own mistakes".
---Rsk
-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/