November 17th, 2003

Latest Great Security Newsletter From Bruce Schneier

Crypto-Gram of 15 Nov 2003. An excerpt:

Nathaniel Heatwole is a student at Guilford College. Several times between February 7 and September 15 he tested airline security. First he smuggled box cutters, clay simulating plastic explosives, and bleach simulating bomb-making chemicals through security. Then he hid these things in the lavatories of airplanes, along with notes. And finally, he sent an e-mail to the Transportation Security Administration (TSA) titled “Information Regarding 6 Recent Security Breaches.”

The problem is that the TSA never asked him to test their security.

For years, computer networks have been plagued with hackers breaking into systems. These people are not breaking into systems for profit. They don’t commit fraud. They don’t commit theft. They’re breaking into systems for the intellectual curiosity. They’re breaking into systems for the fun. They’re breaking into systems to see if they can.

A traditional and common defense by hackers is that they’re breaking into systems in order to test their security. The idea is that the only way to learn about computer and network security is to attack systems. Never mind that these hackers don’t own the systems they’re breaking into; that’s the excuse.

The Department of Homeland Security and the Transportation Security Administration have been attacked by their first hacker. This wasn’t a terrorist; he wasn’t out to take over planes. This wasn’t even a criminal; he didn’t try to extort money. He was a hacker, plain and simple. He wanted to test the efficacy of the security screeners. He wanted to demonstrate that the security measures were, in his eyes, inadequate. He wanted to hack airport security.

Point 1: This is extraordinarily silly. Every traveler I know has stories of knives being missed by airport security. No one who flies regularly thinks that the TSA is doing a good job of keeping sharp objects off airplanes. Even worse, no one who flies regularly thinks that keeping sharp objects off airplanes makes us all safer. Most of what the TSA does is security theater — window dressing. It keeps up appearances, and maybe (hopefully) makes the terrorists a little less sure they can smuggle their weapons aboard airplanes. Probably not.

Point 2: This is, and should be treated as, a crime. “I was only testing security” is not a valid defense. For years, we in the computer security field have been hearing that excuse. Because the hacker didn’t intend harm, because he just broke into the system and just looked around, it wasn’t a real crime. Here’s a thought experiment for you. Imagine you return home and find the following note attached to your refrigerator: “I was testing the security of back doors in the neighborhood and found yours unlocked. I just looked around. I didn’t take anything. You should fix your lock.” Do you feel violated? Of course you do.

Point 3: While it is a crime, it isn’t a terribly serious crime. Heatwole’s stunt was embarrassing, and cost a whole lot of money to investigate and clean up. It could have disrupted the travel schedules of lots of people. But he’s not a terrorist. He didn’t do this to feed security information to al Qaeda. His actions didn’t endanger anyone’s lives. There’s a tendency to want to throw the book at him because he embarrassed important government officials, but that’s not a good enough reason. We need to discourage this behavior, but the punishment needs to fit the crime. Treat Heatwole as a criminal, but not a serious criminal.

Welcome to our world, Department of Homeland Security. Welcome, TSA. We’ve been fighting these sorts of people for years. You’re going to have better luck prosecuting them, but don’t let your anger get in the way of reason.

The whole thing is worth a close sober read. Go!