How do they protect against corrupt staff. It's like they're not even thinking. Why don't they just fast track staff checks.
Are they cryptographically signed by a system that was inaccessible?
Or is it just a matter of figuring out the bar code format and writing out some KCM id?
He convinced me at the time, but I wasn't expecting such an on-the-nose demonstration.
What the US lacks in cybersec, it tends to make up for with IRL pew pews...
What I mean: security through obscurity is imo the best situation to be in. You can't attack something if you don't know it exists in the first place. That alone gives this system a leg up over more exposed (but hardened) platforms.
Second, convenience always beats secure. Requiring password rotations is worse than requiring none at all, because people tend to find the path of least resistance (writing a password on a notepad instead of memorizing).
If it was faster/easier to ship a useful (but vulnerable) app, that's net better than the app not shipping at all because of security hurdles. I have to imagine sanitizing inputs doesn't take much more time to include, but I don't know the systems involved.
Ultimately, what damage was experienced here? We can throw out hypotheticals about what -could- have happened, but you can't sue every driver on the road because they -could- have hit you.
An insecure system served a useful purpose for years, got more secure, and continues ticking.
Besides, I am not sure what sort of "security through obscurity" you are talking about? Ian and Sam found it, and frankly - with a public page, page title + first h1 tag clearly stating that this relates to a Cockpit Access system, this has got to show up in a shit ton of security research search engines instantly.
These guys are going to end up with some serious federal charges.
Time and time again these cancerous institutions have shown that their only interest is in surviving and they attempt that by concealing the flaws and brutally harassing the people that report them.
At this point only useful idiots give them the benefit of the doubt.
(edit) the charging guidelines are somewhat re-assuring but still https://www.justice.gov/opa/pr/department-justice-announces-...
Two guys from (or based in) the Midwest:
Ian did his first DEFCON talk a couple weeks ago (https://x.com/iangcarroll), and Sam (the other author), was the guy that a couple years back Google accidentally sent 200K USD to, and has 81K X followers, and was recently singing the praises of that much lauded recent PHRACK article on "Hacking means understanding the world" (that was also popular round here): https://x.com/samwcyo/status/1823571295189008601
They both seem like legit security researchers from their X feeds.
I guess that petulance-tinged adolescent attitude is like the secret handshake of the security researcher world, which sounds too disparaging -- but it's not meant to be...only that probably that's what you need to expect from folks who "understand the world", where they're smarter, what's broken, and should be fixed.
I get how that attitude rubs people the wrong way and causes more harm than good - but I don't mind it much myself - I guess I just set high expectations for the kind of impact such folks could have, and I think they could have more impact if they adopted a more professional, collegiate attitude in their way of working.
But I guess that comes with the territory. Because it's really only the "outsiders" who will sit around poking at things to figure out how they work, and how to fix em, make em better. Those who feel themselves to be "rejects" from the normal world, in a sense, are always gonna carry a bit of the tinge of that perspective with them. But, whaddayagonnado? Those are really only gonna be the ones who "understand the world", so you have to rely on them. Odd couples, that pairing. Between industry and these hackers.
<knock> <knock>'d
Then again, if they have this system where they can match me to a flight by ID, why they need any boarding passes at all? Just ask to see my ID again when boarding the plane, no? Why boarding passes still exist if this system is in place?
Thanks for the updated TSA experience.
I’m continually amused, amazed, and exasperated at how classes of software defects older than I am continue to be a problem.
Bobby is growing up
It is really telling that they try to cover up and deny instead of fix it, but not surprising. That is a natural consequence of authoritarian thinking, which is the entire premise and culture of the TSA. Any institution that covers up and ignores existential risks instead of confronting them head on will eventually implode by consequences of its own negligence- which hopefully will happen to the TSA.
The article mentions that FlyCASS seems to be run by one person. This isn't a matter of technical chops, this is a matter of someone who is good at navigating bureaucracy convincing the powers that be that they should have a special hook into the system.
What should really be investigated is who on the government side approved and vetted the initial FlyCASS proposal and subsequent development? And why, as something with a special hook into airline security infrastructure, was it never security audited?
Some quick googling shows the FlyCASS author used to work for a small airline, so this may piggyback off of his prior experience working with these systems for that job. He just turned it into a separate product and started selling it.
The biggest failure here is with ARINC for not properly securing such a critical system for flight safety.
Authentication should not need to be re-implemented by every single organization. We should have official auth servers so that FlyCASS doesn't need to worry about identity management and can instead just hand that off to id.texas.gov (or whatever state they operate from) the same way most single-use tool websites use Google's login.
Is their name Jia Tan, by chance?
I would love to know how one can get what I'd imagine is at least a 6 figures contract with the government? How does this work?
I imagine the author of FlyCASS must be making a good amount of money off their product.
I wonder if they just subcontract everything? One popular hack of the preferences they give to veterans and minorities in government procurement is to have essentially one person fronts that get maximum preference and which subcontract everything to a real company at a markup.
Or it's bureaucracy being bureaucracy. The TSA is a lot of security theater anyways.
It's supposed to give you the illusions of security while giving a DHS a bigger budget, and it employs a lot of low skilled workers.
It is what you should think of when you think "big, dumb government."
[1] https://abcnews.go.com/US/tsa-fails-tests-latest-undercover-...
That's a problem with authoritarian organisations/regimes in general. They value loyalty over competence and you end up with people being in positions they shouldn't be in.
I'm not suggesting this is what they have done here, but this is exactly what authoritarian governments do. Straight from the pneumatic into the furnace.
Because it's a scam and the system is a grift.
I'm a pilot and own a private aircraft. Landing at any airport, even my home airport which is restricted by TSA is legal without any special requirement or background check. In fact, I have heard horror stories where TSA wouldn't let a pilot retrieve their aircraft for some bullshit administrative reason or another, so they enlisted a friend with a helicopter to drop them into the secure area to fly it out. Perfectly legal. The fact that the system can be brought down with a SQL attack is the least of it.
We haven’t had a large commercial plane go down in over 10 years since 9/11. Everyone that comes to the USA has been fully screened, vetted, and background checked. We’re all very safe. Mayorkas at the DHS has made sure there aren’t any terrorists in our homeland because the government only exists to protect us from danger and make our lives better.
They make it sound like the job pool between the public and private sector is completely separate when many people move back and forth between the two.
Take away the accountability that often governs the private sector and that seems to be the recipe for situations like this.
There are oodles and oodles of apps like this powering our daily lives.
The reason there aren't more terrorist attacks isn't because various security agencies around the world protect us from them. It's because there are extremely few terrorists.
Out of that multibillion dollar budget, TSA allocates $10.4M for “cybersecurity staffing, as well as the development and implementation of enhanced cybersecurity-related measures to improve cyber resiliency across the U.S. Transportation Systems Sector.”
Glad to see our tax dollars working so effectively! \s
What a joke of a country this is
[1] https://www.tsa.gov/news/press/testimony/2023/03/29/fiscal-y...
LOL
> Unfortunately, our test user was now approved to use both KCM and CASS
smh...
Pre-9/11, the expectation was you don't draw attention to yourself, wait it out, you're going to have a long day and a story to tell. Post-9/11, the expectation is you fight for your life.
Better cockpit doors and access hygiene probably come second.
"Post-9/11" began minutes after the first planes found their targets. Flight 93—the one that crashed in Pennsylvania—never made it because the passengers revolted after hearing about the other planes.
It only took a few minutes for the calculus to change. Knowing what was up, those passengers flipped from wait-and-see mode to fuck-you mode. This is pretty good evidence that you're right: the biggest increase in security was and still is that passengers will not be meek anymore.
While that may be a factor, there's never any news about this happening, except maybe shortly after 9/11 with shoe or underwear bombs.
The attacks of September 11th 2001 are fundamentally not reproducible irrespective of whether there is _any_ security screening at airports.
The default assumption before that morning was that a hijacked plane would fly around for a bit, then land. The default assumption afterwards is that it will be crashed if a hijacker is allowed to gain control, so the calculus on passenger intervention is quite different.
How so? The delay between the hijacking and the crashes into the buildings for both planes was around 40 minutes... even if there were jet fighters ready to go at the time, the lack of knowledge of the hijacking being in progress for much of this time and the short delay make this kind of attack still feasible.
What actually improved our chances to avoid such attacks are the limited access to the cockpit and the processes pilots must follow in case of hijacking.
The measures at the airport are to limit the risks of hijackings to begin with.
There's plenty of terrorists, but destabilisation of Middle East diverted them away from continental US. Wasn't that the whole point of Afghanistan and Iraq wars?
I put on my critical thinking hat and look at the timeline of "US meddling in the Middle East" and "first terror attack in the US by a middle eastern".
I then notice that the years are 1948 and 1993 respectively and that wet roads actually do not cause rain after all.
The planning for 9/11 took several years, $500k in financing, and had a lot of moving parts between recruiting, research, travel/visas, flight training etc. It's hard to believe that people motivated at that level would truly be deterred by what you see happening at the typical American airport these days.
So are they stopping anything serious? It's a safe bet they're not.
But the counterpoint to that is that a gunman almost succeeded in killing Trump despite showing the behaviours online and offline of your stereotypical amateur assassin.
I'm a little butthurt right now, in particular, about the security at Heathrow. They confiscated a bottle of whisky that we got in Edinburgh. After 10 minutes of head-scratching and consulting with a supervisor, they concluded that "it does not say 100ml" (it had "10cl" cast into the glass) and "even then, that is just the size of the bottle, not the liquid inside it." What an incredible demonstration of intelligence there.
They gave us a receipt and said we could have it shipped. We checked when we got home. 130 GBP with shipping. Ended up just buying a 700ml bottle from an importer, cost about half as much.
1. Ok, security is bad, what are you going to do? Go to different, competing security?
2. Nobody wants to be the politician that relaxes the security right before an accident, even if the accident wouldn't be prevented with tighter security anyway.
That's largely due to the US and 9/11. In fact, the US even pressures other countries into creating a separate mini TSA at their boarding gate for flights that fly into the US.
For one, why is it that every TSA checkpoint feels like it was scrambled together? 9/11 was a long time ago. There's no reason why checkpoints can't have better signage, clearer instructions for what should or shouldn't go on a conveyor belt, an efficient system for returning containers (I've lost count of how many times the line was held up because employees didn't feel like bringing over a stack of containers in clear view), and so on. The checkpoints do seem to go a bit faster than they used to a long time ago, but it's still a frustrating process that makes me feel like an imbecile every time I use it. I do my best to follow directions, but directions are often lacking so I have to use my best judgment from past experience, and often get yelled at anyway. So does the TSA want to be hated?
Secondly, there have been multiple occasions where I've made it through the security checkpoint with items that should obviously set off red flags. I recently made it through with a humongous center punch which, while not sharp like a knife, could do some serious damage to another person if used as a weapon. Got it through with no questions asked. I've also gotten through with scissors, knives, strangely shaped electronics, a custom-built electronic device that a naive person could see as suspicious, and so on. Never have I been stopped for those things.
But laptops and e-readers? I'd better not forget one of them in my carry-on bag or I'm gonna get shouted at and be forced to re-run the bag through the scanner again. I can get through with sharp metallic tools and weird unlabeled boxes with wires hanging out of them, but I can't leave my kindle in my backpack? And what about the humongous battery packs I carry? No problem having 2 or 3 of those in my bag. I guess my Macbook Air or my e-reader possess uniquely dangerous powers I don't comprehend. Even if I try to comply with the "laptops out of your bag" rule, I might still get shouted at if I place it in a container instead of right on the conveyor belt... or if I place it in a container with some other belongings next to it.
Maybe the TSA stops terrorists that are as stupid as they are, which I guess is a good thing. But how good can stupid people be at catching other stupid people? Is it really worth it to waste everyone else's time and to treat them like crap in the process?
Yup, not surprised that the TSA also reacts with as much stupidity to cybersecurity flaws. If I became supreme leader overnight, I would work to completely dismantle the TSA and rebuild it from scratch. There doesn't appear to be any value in that agency that can't be easily replaced with something better.
Because all airport security is reactionary. They don't try to anticipate what an attacker might do, and how they could prevent that. They simply add one more item to a check-list of "no good" items or of "must be separately screened" items.
Therefore, because, one time, someone tried to ignite their shoes, there's now a checkbox that says: "shoes must be scanned separately".
As well, because, one time, someone purportedly tried to mix together two liquids into an explosive that they brought on board in bottles, you are now limited to 100ml max in any bottle, but you can freely walk in with a 7-11 64oz Big Gulp cup and they won't blink an eye. The "bottles" are on the check-list, but the check-list has no entry (yet) for "64oz 7-11 Big Gulp".
Passengers have intervened in several other terrorists attacks and now regularly intervene for other (non-terrorist) threat passengers.
It is extremely easy to get weapons into the boarding area, people do it accidentally every day all over the country and the TSA's own testing show that their screening misses the majority. Doors and procedures absolutely help as does the passenger response. Airport screening, OTOH, is primarily security theater.
Hijackings used to be common, they're not anymore post 9/11. There were 27 hijackings in 2000 worldwide. There were none in 2017, 1 in 2018, etc.
This recent video by RealLifeLore drives it home: https://www.youtube.com/watch?v=550EdfxN868&t=1504s
> the last time in history that Sovereign American territory was invaded and occupied by a hostile foreign power was between 1942 and 1943 when the Japanese occupied the small and sparsely populated Alaskan islands of Attu and Kiska which they struggled to reinforce with supplies and were only able to hold on to for a year before getting overrun by much better supplied American and Canadian soldiers

Up until 9/11, the US people had forgotten what it was like to be on defense.

Later in the video: https://youtu.be/550EdfxN868?si=gpTplY4Z36tJPxLv&t=2706

> that doesn't mean that the US cannot be hurt or have its interests disrupted in other ways the US Mainland can obviously still become the subject of major attacks from hostile foreign powers if not outright invasions and the biggest and worst attack that ever befell the US on its own territory happened recently only 23 years ago

Not especially accurate. The US and Canadian forces that landed on Kiska had no opposition because the Japanese had already left. They did not overrun Japanese forces that were not there.
Wikipedia describes this as: "On 15 August 1943, 1st SSF was part of the invasion force of the island of Kiska, but after discovering that the island had been recently evacuated by Japanese forces, it re-embarked ..."
And yet, there were still friendly fire casualties, a point omitted from many descriptions of the invasion.
The US did not supply Israel in any way until 2 decades later, and it was Eastern European arms dealers first, France second. The first weapons sold to Israel by the US were in 1962 (anti air missiles), followed by some tanks and aircraft later in the decade. Things ramped up considerably after 1967 due to Arab states aligning with the USSR. [1]
RFK was assassinated by a Palestinian terrorist in 1968. [2]
0. https://en.m.wikipedia.org/wiki/Partition_of_the_Ottoman_Emp...
1. https://en.m.wikipedia.org/wiki/Israel%E2%80%93United_States...
2. https://en.m.wikipedia.org/wiki/Assassination_of_Robert_F._K...
I put on my history hat and check the books
> Liberia's Ambassador to the United States complained that the US delegation threatened aid cuts to several countries.
> After a phone call from Washington, the representative was recalled and the Philippines' vote changed.
> After considering the danger of American aid being withheld, France finally voted in favour of it. So, too, did France's neighbours, Belgium, Luxembourg, and the Netherlands.
> [......]
Mind you that I am not calling foul play here, this is par for the course for politics. This is just to refute the quoted point above, unless you consider bribery and threats of sanctions a "nothing".
The US had nothing to do with Israel forming beyond being part of the UN vote
True for the U.S. at the government -- but not for the U.S. as a country. One of the earliest major Zionist associations (the Federation of Zionist Societies - a forerunner of the modern ZOA) was formed in New York in 1897. The movement would continue to receive key funding from American backers, and held one of its key meetings in New York in 1942:
https://en.wikipedia.org/wiki/Biltmore_Conference
The movement's ideological (some would even say "spiritual") underpinnings can be traced to the mid-19th century writings of this American playwright and utopian activist - said to be the originator of the idea of resettling Jews in Palestine, predating the efforts Herzl himself by half a century:
https://en.wikipedia.org/wiki/Mordecai_Manuel_Noah
So American meddling in the region goes back quite far indeed.
Amazingly, you can do that. SFO doesn't use the TSA, for example.
https://www.flysfo.com/about/airport-operations/safety-secur...
From https://en.m.wikipedia.org/wiki/Guantanamo_Bay_detention_cam...:
> As of August 2024, at least 780 persons from 48 countries have been detained at the camp since its creation, of whom 740 had been transferred elsewhere, 9 died in custody, and 30 remain; only 16 detainees have ever been charged by the U.S. with criminal offenses.
Given what we do know about the secretive and illegal activities of the federal government during the War on Terror I don’t think it’s a reasonable assumption that everyone accused of terrorist activity got their day in court.
Added, why would they use FlyCass when they could just access the data directly?
Honeypot? Legit logins are logged differently than non-legit?
The classic way to covertly move a person is to give them a new passport to travel under, and have them move around like every other schlub on the planet. Competent intelligence services make sure that this isn't easy to detect by making the fake passport's identifier indistinguishable from real ones. Russia has prominently failed to do this several times[1][2].
[1]: https://www.bellingcat.com/news/uk-and-europe/2019/11/07/how...
[2]: https://www.bellingcat.com/news/2022/08/25/socialite-widow-j...
Then a simple interactive client could do something like:
```
> select * from users where username = :username
username? admin
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 7  | admin    | 12345    |
+----+----------+----------+
```
While a fancier client could, in fact, transparently translate queries exactly as you write them today--pull out the values, replace them placeholders, then send the query and values over the wire.
```
> select * from users where username = 'admin'

sent as:
query: select * from users where username = :placeholder1
placeholder1: admin
```
There's, of course, nothing stopping any given library or application from doing the same thing, but the vast majority of the time I'd wager this is happening because someone tried the obvious and simple thing (string concatenation) and it worked and they stopped there. Anyone who knows enough to write their own SQL parser or even think to go find a library to do this is probably going to know why they absolutely should not be doing this.
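The two client styles sketched above, as an added example that is not the commenter's code, FlyCASS code, or any real database driver: a small "translating client" that lifts string and numeric literals out of finished SQL text into named placeholders, beside the "simple interactive client" that keeps the query fixed and binds the value. It uses Python's standard `sqlite3` module, a constructed in-memory `users` table mirroring the table shown in the comment, and hypothetical function names (`parameterize`, `lookup_bound`, etc.). It also shows the limit of the translating approach: if an application has already concatenated an untrusted value into the query text, rewriting the literals afterwards leaves the altered query structure in place.

```python
import re
import sqlite3

# Assumed, constructed example in the spirit of the comment above; not FlyCASS
# code and not the API of any real driver.

# One single-quoted string literal ('' is the escaped quote) or one bare number.
_LITERAL = re.compile(r"'((?:[^']|'')*)'|(?<![\w.])(-?\d+(?:\.\d+)?)(?![\w.])")


def parameterize(sql):
    """Pull every literal out of `sql` and return (query, params).

    Literals are replaced by named placeholders :p1, :p2, ... so the values
    travel to the database separately from the query text.
    """
    params = {}

    def swap(match):
        name = f"p{len(params) + 1}"
        text, number = match.group(1), match.group(2)
        if text is not None:
            params[name] = text.replace("''", "'")
        else:
            params[name] = float(number) if "." in number else int(number)
        return f":{name}"

    return _LITERAL.sub(swap, sql), params


def build_demo_db():
    """Constructed in-memory table matching the comment's example output."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, username text, password text)")
    conn.executemany("insert into users values (?, ?, ?)",
                     [(7, "admin", "12345"), (8, "alice", "hunter2")])
    return conn


def lookup_bound(conn, username):
    """The 'simple interactive client': fixed query text, value bound separately."""
    return conn.execute("select * from users where username = :username",
                        {"username": username}).fetchall()


def lookup_concat_raw(conn, username):
    """String concatenation: the untrusted value becomes part of the SQL grammar."""
    return conn.execute(f"select * from users where username = '{username}'").fetchall()


def lookup_concat_then_translate(conn, username):
    """Concatenate first, then hand the text to the translating client.

    The translator only sees finished SQL text; if the input already changed
    the query's structure, rewriting its literals cannot change it back.
    """
    query, params = parameterize(f"select * from users where username = '{username}'")
    return conn.execute(query, params).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print(parameterize("select * from users where username = 'admin'"))
    crafted = "admin' or 'a'='a"  # constructed input containing a quote
    print("bound:            ", lookup_bound(db, crafted))
    print("concat raw:       ", lookup_concat_raw(db, crafted))
    print("concat+translate: ", lookup_concat_then_translate(db, crafted))
```

The takeaway for a reviewer is where the boundary sits: `parameterize` is safe for literals a developer typed into the query, but the only lookup that treats the quoted input as a plain username is `lookup_bound`, because the separation happens before the untrusted value ever touches SQL text.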
>There's, of course, nothing stopping any given library or application from doing the same thing
would happen. People already use a library to talk to the RDBMS back end; a "convenience wrapper" library that adds literals back into the grammar sounds like something that might easily become popular, and then you're back to square one.
The question of how best to nudge people away from these footguns is certainly interesting, and applicable to other languages (e.g., HTML). Another option would be to allow, say, BASE64-encoded literals only.
Also, Bush had to sign the ASTA into law (checks and balances) which he did so he's part of the problem.
One of the more reasonable theories for MH370 is similar to the Germanwings case. Pilots can refuse access even if the person outside knows the access codes for the cockpit doors.
Unfortunately (as with everything else), even obvious improvements have potential downsides.
[1]: https://en.m.wikipedia.org/wiki/Helios_Airways_Flight_522 [2]: https://www.youtube.com/watch?v=YaOvtL6qYpc
I’m pretty sure there is a second code on some planes that alerts the pilots someone is attempting to force the crew to open the door.
Some countries allow you to clear CBP on the boarding side, skipping it at the destination.
It's like Ireland/Dublin, Aruba and a few others.
One person can make a lot of impact
The most common thing I hear people say with respect to their jobs is: “I’m just one person, I can’t actually do anything to make things better/worse…”
But it’s just wrong and there’s thousands of examples of exactly that over and over and over
In this case, if this is true, it’s both amazing that:
One person, or a small number of people, could build something into the critical path as a sidecar and have it work for a long time and
And second, the consequences of “hero” systems that are not architecturally sound, prove that observability has to cover all possible couplings
Given the nature of these systems, this 1 person likely made the day to day lives of a lot of people better, providing an (arguably) snappier web interface to existing systems.
Granted, they've probably made someone's day a lot worse with this discovery, but..
> The most common thing I hear people say with respect to their jobs is: “I’m just one person, I can’t actually do anything to make things better/worse…”
Yup. This is something on the order of a large-scale blackpill meme lately. Comment sections are usually rife with low-agency thinking. Which is quite something in tech, given that devs are the means of production for tech. True, tech as of late seems to be veering into more capital-heavy ventures (AI), probably to head off existential risk from the fact that a few skilled individuals can still really make a dent.
It all comes down to belief and will.
You have to be in the right place at the right time.
Real life is all of us and all of us have an enormous impact in some way. Especially if we try and apply ourselves. Not all the time, not for everything, but if we try enough things enough times and learn and grow, then people usually come out with impressive results of some sorts after a while.
People overestimate what can be done in the short term, and underestimate what can be done in the long term.
In a lottery the ratio is against you. In real life the ratio is almost guaranteed in your favor in some respect in the long term for anyone who tries.
Chin up.
Be that as it may, of course the error needs correction. If it really is a one man show for tool like this, it isn't even surprising that there are shortcuts.
This then begs the question of how ARINC passed a security audit.
That's why I said "If the CA had entered earlier".
I’ve seen huge issues, like exposed keys, being treated as a small issue. While an outdated js library, or lack of ip6 support being escalated.
I’m sure TSA and their partners wants to downplay potential exposure, I’m also sure it’s hard for a lot of their managers to fully understand what the vulnerability entails (most likely their developers are downplaying their responsibility and pointing fingers at others)
Edit: Fixed a double negative (previously: This is the Transportation SECURITY Agency. If the managers involved here can't understand why this is a huge deal, they're not exceptionally unqualified for their jobs.)
> It’s very hard for management, even IT managers,
I'm confident that the grandparent's comment is correct.
TSA is closer to the issue than HSA; I'd wager big that they sense embarrassment.¹²
TSA management would have immediate access to people capable of framing the issue correctly, including their own parent agency. Their reaction was never going to be held back by technical facts.
¹ US Sec/LEO/IC agencies have a long and unbroken history of attacking messengers that bring embarrassment. There is ~no crime they are more dedicated to punishing.
² The world's easiest presupposition: Discussions took/are taking place on how they might leverage the CFAA to deploy revenge against the author.

No manager (or human) is perfect, mistakes happen - we need to be humble enough to listen and learn from mistakes.
I think DHS mid level manager yelled at a TSA mid level manager who reported this to the senior TSA officials and then their usual policy kicked in... deny/deflect/ignore
(It's very easy to believe the worst possible thing about every corner of our government, since every corner of our government has something bad about it. But it's a fundamental error to think that every bad thing is always present in every interaction.)
I didn't see any comment about them being contracted to do this at least.
But that isn't even relevant when you can go traipsing through the SQL query itself just by asking; wouldn't matter how well the passwords were stored.
I’m not buying this. Feels more like they knew the site developer would just fix it immediately and they wanted to make a bigger splash with their findings.
Would you rather be prepared and do a full (well, for a govt agency, full enough) check on all people allowed to access flying death machines, or have a dev silently fix the issue with possible issues later?
It seems pretty remarkable that airlines are buying such a security sensitive piece of software from a one person shop. If you make it very far into selling any piece of SaaS software to most companies in corporate America, at the absolute minimum they're going to ask you for your SOC2 audit report.
SOC2 is pretty damn easy to get through with minimal findings as far as audits go, but there are definitely several criteria that should generate some red flags in your report if the company is operated by a single person. And I would have assumed that if you're writing software that integrates with TSA access systems, the requirements would be a whole lot more rigorous than SOC2.
You could be an "airline" by purchasing a couple of older airliners and converting them to cargo use. Is it valuable for new airlines to get started? Should we force them out of business because they don't already have the systems in place that take years to decades to build out? Should they pay $$$ for boutique systems designed for a large passenger airline when they have 2 aircraft flying 1 route between nowhere and nowhere?
Requirements and audits really aren't the answer here. The fundamental design problem is that the TSA has used authentication "airline XXX says you're an employee" with a very large blanket authorization "you're allowed to bypass all security checks at any airport nationwide" without even the basic step of "does your airline even operate here?"
Though given that airlines are responsible for the safety of their crew, passengers, and anyone in the vicinity of their aircraft, requiring them to do some basic vetting of their chosen vendors related to safety and security doesn’t seem unreasonable.
What is it, the year 2000 ?
It should be a criminal offence for whoever developed that system.
To think otherwise is beyond naive.
Everyone dropped the ball... and kept dropping it. The part where its handed to them on a silver platter and its essentially smacked away. Maddening.
> 06/04/2024: Follow-up to DHS CISO about TSA statements (no reply)
There should be a public Shitlist of Organisations that don't get the Benefit of Responsible Disclosure anymore, just a Pastebin drop linked to 4chan.
The TSA would have been the one suing you and would easily win.
Pilot: "Years ago we’d get a random enhanced check (which just means go to TSA precheck) now and then. These days it’s 60% of the time, so it’s not possible to get a whole crew through KCM anymore, and we wait on each other because the jet can’t be boarded until the flight attendants are ALL through security, and with the 2022/2023 KCM random checks being so high, that just doesn’t happen. Honestly, I rarely use KCM anymore. I just walk through TSA precheck. The odds are we’re going there anyway so just cut to the chase and hit precheck."[1]
VIP treatments (including the likes of KCM) should be removed no matter if someone is a prime minister[2], media personality[3] or airline CEO. In this way, VIPs can experience the inadequate security processes and staffing levels that everyone else has to deal with, and hopefully with their louder voices will be able to force airports and government agencies to improve the situation for all.
[1] https://www.quora.com/As-a-pilot-how-does-it-feel-like-to-ha...
[2] https://www.theage.com.au/national/red-faces-as-nz-leader-ge...
[3] https://www.smh.com.au/traveller/travel-news/louise-milligan...
It is sadly an all-too-common occurrence when you give uneducated dimwits police-level power with no oversight and no recourse for anyone affected. I assume flexing government power is the real objective here since everybody knows that security is not.
> We did not want to contact FlyCASS first as it appeared to be operated only by one person and we did not want to alarm them
It’s incredible (and entirely too credible) that this kind of “high security” integration could be built in such an amateur way: and a good reminder why government projects often seem to be run with more complexity than your startup devs might think is necessary.
Wait, what? Is this a euphemism for they didn't believe they would take it seriously? Reporting it over their heads to DHS was probably not less "alarming" to anyone...
I wouldn’t have a clue who to report it to myself; the record of DHS is pretty awful too. Lots of folks are saying (and one even betting on!) them being charged for their find within the next couple of years, and given US federal agencies’ records when it comes to these vulns I’d be quite worried about it too if I had found it.
This program seems like the root cause of the security issue.
(Outside of the US) I've often gone through security screenings just before or after crew groups in fast track, but otherwise normal security screening lanes.
Also… you can fix all the SQL issues, but you’re still not going to be able to fix the “men in hoodies with a big wrench talk to an authorized administrator (while their kids are kidnapped in Mexico)”
To be clear, I really hope they don’t, but they are also clearly trying to spin this in a way at odds with the researchers, and I’d hate to be in a position where they want to have leverage over me if I’d done this.
Brave that they did so though and I do think the severity of the vuln warrants this.
If they had added themselves as known crewmembers and used that to actually bypass airport screening, then yeah, they'd be in jail.
Which is why Jury selection usually removes people who understand the situation.
I think it could go any which way. The prosecution could argue that the defendant may have tampered with existing records or deleted some. In this particular case, it’s probable that the system does not have any or adequate audit trails to prove what exactly transpired. Or the claim could be that the defendant exfiltrated sensitive data (or that the defendant is trying to hide it) to share with hostile entities.
Doing this under your own name is insane.
That just means the best minds from other, potentially less friendly countries, will do the picking. I doubt they will responsibly disclose.
https://bugcrowd.com/engagements/dhs-vdp
They've had that relationship for a few years now, so I'm guessing they're somewhat versed. TSA specifically might be less so, but I can't imagine the DHS referring anything to the DOJ for prosecution given that they both have a VDP for the entire department and advise other departments on how to run VDPs (via CISA).
But I might just be overly optimistic.
I can imagine an email to some generic email address could have gone down the way you describe, but I guess they look at these reports more professionally.
Kudos to the author for alerting DHS. Methodology questions aside, it sounds like the author did a service, by alerting of a technical vulnerability that would be plausible for a bad actor to seek out and successfully discover.
But regardless, I hope any new/aspiring security researchers don't read this writeup, and assume that they could do something analogous in an investigation, without possibly getting into trouble they'd sorely regret. Some of the lines are fuzzy and complicated.
BTW, if it turns out that the author made a legality/responsibility mistake in any of the details of how they investigated, then maybe the best outcome would be to coordinate publishing a genuine mea culpa and post mortem on that. It could explain what the mistake was, why it was a mistake, and what in hindsight they would've done differently. Help others know where the righteous path is, amidst all the fuzziness, and don't make contacting the proper authorities look like a mistake.
I have never heard of a plain clothes non-employee in a cockpit jumpseat.
I take issue with the way that disclosure was implemented here. The responsible thing to do would be to contact the site first, no matter if 1 or 1000 employees.
Then you move forward with FAA, DHS, Etc. Assume that the site will act in good faith and recommend that they take down access until the problem is remedied, then back that up with disclosures and calls for auditing and verification to partner agencies.
Contacting the site first is the only honorable thing to do. It doesn’t mean you wait to contact other agencies, but contacting the site means the quickest halt to the vulnerability and least interruption to service. Disclosing to partner agencies is still required, of course, but hopefully they will be looking at a patched site and talking about how they can implement improvements in auditing the systems connected to the KCM service.
By disclosing in the right order you improve the possibility that organisations will focus on their appropriate role. The site fixes their egregious error and realises that their business depends on being secure, the TSA KCM manager realises that they need to vet access, and the FAA realises that the TSA needs to be supervised in the way that they interact with aircrew access.
Otherwise, everyone might just focus on the technical problem, which will be solved in a few hours or days and then go back to business as usual.
The vulnerability here actually is much, much larger than SQL injection. It is an inherent vulnerability in the organisational structure and oversight, and this will only be addressed in a bureaucracy if the actual problem is made clear at each organisational level and no red herring excuses that allow finger pointing are provided.
Not to mention it’s a dick move to leave the technical people out of the loop completely in the process of disclosure, even if the disclosure is primarily of a systemic organisational failure.
I’m sure the individual responsible was much more alarmed to get a call from DHS than they would have been to get a call from security researchers, so the given rationale is clearly fictional.
Assume people will act in good faith, but don’t give them room not to. Trust but verify. When dealing with companies and orgs this is the way. When dealing with randos on the internet, not so much.
It was done for a reason, and the fact that it persists despite all odds means it’s doing something useful.
That's what happened to Tulsi Gabbard: https://www.racket.news/p/the-worm-turns-house-senate-invest...
Worst case, nobody comes to help you, you spend all of your money, still lose the case, end up in a shitty US prison, and get stabbed in the shower by some guy driven crazy by spending months in solitary.
Personally, I would not mess with security research on anything even distantly related to US Gov.
And in a system this broken the defence could even argue that anyone could have done it and modified the logs to implicate the defendant. You can't use any data from this system as evidence.
It is one thing to write the needed software, it is a much bigger task to convince enough companies that they need a different approach to this problem.
However, what I can offer is that if someone has the backing to actually make a difference in this market, I'll volunteer 50 hours to act as a reviewer and test developer. But that is if your project is backed by someone I believe can make a difference.
The United States has it, too: https://login.gov
But with a government as large as America's it's going to take time to get everyone converted to the new system.
> You are part of a federal agency or a state, local, or territory government
I'm talking about a more generic service that any random industry system or individual can use. The way many websites use Google's OAuth without really using Google's APIs. Things that just want someone else (Google) to handle asking for and authenticating a name/password.
Topic drift, but no tools should use google login. Doing that means handing over to google the authority to decide who can and can't use your tool. And we all know google support is nonexistent and unreachable, so once it fails it's forever.
If you market a tool, you'd really want to own the decision on who you can sell it to.
For a government organization though, I'd agree it makes sense to use a government-run login service. (Government run, not outsourced to some for-profit third party!)
And that's pretty much my point. 2FA? Password Resets? Account Activation? Updating Email Address? No thanks. I would rather not have to deal with any of that. I literally just need a unique identifier to associate with your data and preferences.
Sorry if I wasn't clear. It is not that google will remove the service overnight (although they are infamous for canceling things, but not that bad). The problem is google will lock out users randomly for no reason and no recourse.
If that user was using google login to access your service/tool, you lost that user and there is nothing you can do. You really don't want to gate the access to your product via an unreachable unresponsive third party like google.
Would still need an audit to make sure sites are actually using the shared auth and not rolling their own.
I'm saying we need the digital equivalent of "show me your driver's license".
It's what the IRS uses.
> CAT is linked electronically to the Secure Flight database, which confirms travelers’ flight details, ensuring they are ticketed for travel that day.
I believe most of it is open source: https://github.com/18F/identity-idp
The DoJ announced in 2022 that they would not prosecute "good faith" security researchers, but it's not binding, just internal policy: https://www.scmagazine.com/analysis/doj-wont-prosecute-good-...
The policy (https://www.justice.gov/jm/jm-9-48000-computer-fraud) explicitly states at the end that it's for guidance only / does not establish rights, and it includes a provision for additional consultation on cases involving terrorism or national security, terms which have both been overloaded by the government to justify overreach in the past.
Personally, given the history of the CFAA, I wouldn't want to be in a position to test out this relaxed guidance on prosecuting good-faith researchers, but perhaps I'm unnecessarily averse to the idea of federal prison.
I don't think any sort of absolute assurance is possible, and if it was given I wouldn't trust it to be permanently binding :-)
This is my intuition from having interacted with CISA, and my impression from talking to policy people: it's not 1993 (or even 2013) anymore, and there's a much better basal understanding of security researchers vs. someone trying to secure a "get out of jail free" card for doing something they shouldn't have. That doesn't mean the government can't mess up here, but I can't remember a prominent example of them throwing the book at a good faith report like this in the past decade.
(Swartz is who I think of as an example of an extreme miscarriage of justice under an overly broad interpretation of the CFAA. And, of course, there could be facts in this situation that I'm not aware of that would motivate a criminal or civil CFAA investigation here. But "pre-dawn raids" aren't really it in situations like this one.)
The FBI did raid this guy in 2016 after what was seemingly an attempt at responsible disclosure of leaked medical records: https://arstechnica.com/information-technology/2016/05/armed...
And this journalist last year, though the facts of this story are less clear and obviously not responsible-disclosure related: https://www.cjr.org/the_media_today/tim-burke-florida-journa...
---
Here is the next YC: An app that uses AI to navigate all the Civil Injections and allow the easiest way to contact, petition, complain, praise, poll, explain a law, measure etc ELI5.
Get OpenAI and/or Amazon (Given they run DataCenter Infra for CoIntelPro) - since they have/seek government contracts - and have Massive AI - make them create a USA-GPT.gov and it's the most informed bot that will connect you to, explain, write-your-[representative/lobbyist/committee], and these companies have to provide these govGPTs in order to maintain any federal/defense contracts.
Was it a huge deal though?
You can easily get on a plane, you buy a ticket to board it.
People try and succeed to get weapons through TSA checkpoints. I don't know what the idea is though. If you want to shoot and kill someone, do it at the security checkpoint, as happened at Domodedovo. People hijacked planes because the media covered it. You could also hijack busses. I don't know. What is the threat model?
Bag handlers smuggle drugs. I don't know. Airports are fairly porous.
I don't think this little SQL hack gets you into a cockpit. I suppose I could also buy an ordinary ticket, change in the bathroom into pilot clothes, and then bluff my way in. It should be obvious what personal facts about me make that easier for me than for someone else.
Do you see what I mean? This isn't a big deal. It's fun to be dramatic about, that's for sure. IMO the large number of high drama personalities in the "security" field - when you are a customer, and on the other side, the technical person is high drama - is harmful to security goals.
So internally the question would probably be how you can open it up responsibly.
Closing the API is probably a support nightmare; they probably gave too many rights and too few safety checks.
Nullification in not so many words.
Yeah, I know you're busy and easily bored.
https://www.independent.co.uk/climate-change/news/inner-lond...
You're literally describing jury nullification in a situation where by the hypothetical judge's instructions they're obviously guilty. I might agree with you that the law is bullshit but by right you and I should be dismissed.
The only real protection is the fact that you can vote whatever way you want and not even a judge can compel you to state your reasoning.
But that is not what we are talking about. It is not that you are browsing the web randomly and some random company identifies you as d1sxeyes.
It is that you can identify yourself towards any company if you choose to. Then you can decide if that is in your best interest or not.
This isn’t hard to exploit.
This is the entire reason that we have trial by jury and not trial by judge. I'm not sure how this got lost over the centuries. If 12 of your peers think you did it but the law is bullshit and you shouldn't have your life destroyed because of some stupid technicality in a bullshit law, then you should walk free! I'm aware this has been used to horrible ends in the past (e.g. 12 white jurors nullifying a lynching) but that's a problem with jury selection (and those so-called peers), not with nullification.
> You're literally describing jury nullification in a situation where by the hypothetical judge's instructions they're obviously guilty
Yes, that is the only time nullification is relevant. If a judge can lead the jury to one verdict or another via his instructions, then it's not a trial by jury at all. It's a trial by judge. The founders understood that -- they didn't want a trial by judge. The jury is a check on the judge's power!
From goatse security to the Daily Stormer.
His stay in Ukraine was rather brief, he was… not well liked there.
Huh. Uh, weird choice, given, well, you know…
Fundamentally, it has given control over the DNS records to a different country (.me == Montenegro).
It's training people that really, any domain could be a government domain, you'll never know.
Welcome to the neoliberal wet dream.
It's the company providing the service that the government could provide on its own, but that service is being provided by a private company through a lucrative contract agreement.
Yes, it's unfair that the US gets naked .gov - but that doesn't preclude the rest of the world from doing the right thing, and it certainly doesn't excuse the US government doing the stupid thing.
"Scan the front and back of your Driver's License."
[upload scan of front of DL @ 200DPI]
"Unable to find a face in the image you uploaded."
[upload scan of front of DL @ 300DPI]
"Unable to find a face in the image you uploaded."
Huh. Maybe I'll try with a lower resolution.
[upload scan of front of DL @ 72DPI]
"Thank you, now please upload the back of your Driver's License."
Hmm, 72DPI worked for the front, so...
[upload scan of back of DL @ 72DPI]
"Unable to read a barcode in the image you uploaded."
[upload scan of back of DL @ 200DPI]
"Unable to read a barcode in the image you uploaded."
[upload scan of back of DL @ 300DPI]
"Thank you for verifying your Driver's License".
(This is one of the reasons I'm generally pro-OSS for digital infrastructure: security quickly becomes a compliance game at the scale of government, meaning that it's more about diligently completing checklists and demonstrating that diligence than about critically evaluating a component's security. OSS doesn't make software secure, but it does make it easier for the interested public to catch things before they become crises.)
Also, any certificate bears the certifying company's name. We can always say "company A was hacked despite having its security certified by company B". So that company B at least shares some blame.
But yes, there are many standards for this (e.g. SOC Type 2 reports).
In defense of their utility, the good ones tend to focus on (a) whether a control/policy for a sensitive operation exists at all in the product/company & (b) whether those controls implemented are effectively adhered to during an audited period.
You're totally right. Why are people afraid to say that they're worthless? Why caveat or equivocate?
Adversaries in computer security do not mince words.
That should have caught these types of exposures?
I almost feel I could write novels (if only I had time and could adequately structure my thoughts!) on this and adjacent topics, but the simple fact is that the SDLC in a lot of enterprises/organizations is fundamentally broken; unfortunately, a huge portion of what breaks it tends to occur long before a developer even starts bashing out some code.
Yes you can, you can access the source code to audit it.
So, I guess you could have some sort of escrow third party that isn't Crowdstrike or MS to do this "audit"?
Or see this for a much better write up: https://stratechery.com/2024/crashes-and-competition/
That's not the default option for kernel drivers on Windows, so this was an explicit choice on Crowdstrike's part.
Your company must meet said requirements to become a vendor for certain agencies or even be able to submit an RFP for governmental agencies.
Now, why wasn't the requirement enforced? Or why didn't the audit turn this up? Good questions.
But all of those are going to have some kind of requirement, e.g. FedRAMP.
Around here, people are clamoring for a judge to be recalled because she is on top of rights for defendants. A recent one I watched on Zoom was a prosecution motion to revoke bail:
Prosecutor: "Because blah blah blah, and in addition the defendant shows no signs of taking responsibility for his actions, we..."
Judge, cutting her off: "I'm going to stop you there. The defendant entered a plea of not guilty, and as of this moment has not been found guilty at trial. In the eyes of the court, he has precisely zero obligation to take responsibility for alleged actions at this point in time."
Prosecutor was not happy.
If jury nullification is not a possible outcome, then either the defendant doesn't have a right to trial by jury, or that jury is not allowed to make an independent decision.
Defendants don't have a direct constitutional right to jury nullification (the Constitution doesn't say anything about nullification). It's just a logical consequence: if the jury really can make independent decisions, then nullification is necessarily one of those possible decisions.
Legally it can mean a case where a man met a woman in a bar, she was not drunk and wanted to go home with him. She explicitly consented. Later it ends up that she was using a fake ID to get into the bar, she was only 17.9 years old in a state where the age of consent is 18. Or alternatively, the guy recently moved a block over. In his old location the age of consent was less than 18, but now he moved and he committed rape (aka, the opinion that got Richard Stallman to step down).
And no, there is no exception for mistaking the age. https://scholarlycommons.law.wlu.edu/cgi/viewcontent.cgi?art...
If there's no force/threats/drugs etc involved and the minor consents, it's charged as statutory rape which is different than capital-R rape.
Statutory rape can be a felony, but in cases like an 18 year old and a 17.5 year old having sex it's a misdemeanor and realistically 99.999% of the time it happens there are no charges.
Flee to Western Europe under an assumed identity, get taken in as a refugee?
An auditor would certainly have some consequences if they were exposed for auditing negligently.
This is how the PCI SSC manages to claim that no compliant merchant/service provider has ever been breached, because they assume being breached means that the breached party was non-compliant at the time of the breach. Which is probably a technically true statement, but is a bit misleading about what they’re actually claiming that means.
Actually, I doubt they would have upgraded the apps and pocketed the profits instead but SOC2 is providing cover instead of real change.
Maybe the org prioritized poorly and sucks overall, but that doesn’t mean SOC2 or compliance generally is worthless.
THAT WAS THE PROBLEM. My bad, I thought most hacks were due to poor software management but I'm glad SOC2 truly addressed the real problem.
But also you gotta have the balls to stand up to the guy pushing SOC2 and say: No. There are known vulnerabilities. We are patching those first, then we are doing SOC2. The way I frame it is “we know we have critical vulnerabilities, we don’t need to go hunting for more till we fix them. Once we fix them we go looking for other ways to improve security posture.” And if the CEO still insists (big client requires it so we’re doing SOC2 simultaneously) you say fine, then hire a security consultant so we can go twice as fast. And if he refuses you quit because fuck that place.