Hacker Detained by FBI after Tweeting about Airplane Software Vulnerabilities

This is troubling:

Chris Roberts was detained by FBI agents on Wednesday as he was deplaning his United flight, which had just flown from Denver to Syracuse, New York. While on board the flight, he tweeted a joke about taking control of the plane's engine-indicating and crew-alerting system, which provides flight crews with information in real-time about an aircraft's functions, including temperatures of various equipment, fuel flow and quantity, and oil pressure. In the tweet, Roberts jested: "Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? 'PASS OXYGEN ON' Anyone ? :)" FBI agents questioned Roberts for four hours and confiscated his iPad, MacBook Pro, and storage devices.

Yes, the real issue here is the chilling effects on security research. Security researchers who point out security flaws is a good thing, and should be encouraged.

But to me, the fascinating part of this story is that a computer was monitoring the Twitter feed and understood the obscure references, alerted a person who figured out who wrote them, researched what flight he was on, and sent an FBI team to the Syracuse airport within a couple of hours. There's some serious surveillance going on.

Now, it is possible that Roberts was being specifically monitored. He is already known as a security researcher who is working on avionics hacking. But still...

Slashdot thread. Hacker News thread.

EDITED TO ADD (4/22): Another article, this one about the debate over disclosing security vulnerabilities.

Posted on April 21, 2015 at 5:26 AM • 116 Comments

Comments

AnuraApril 21, 2015 5:48 AM

So... First amendment, anyone? Oh, yeah, I forgot it doesn't apply to potential terrorists.

Andrew WallaceApril 21, 2015 6:00 AM

I'm against anyone talking about security vulnerabilities in public which could tip off people with criminal or terroristic intent.

Security vulnerabilities should be addressed to the manufacturer and governmental authorities and not to public realm where the addressee is unknown.

Andrew

Claudio GuarnieriApril 21, 2015 6:11 AM

@Andrew: reporting and handling vulnerabilities in secret with vendors and governments is exactly what led to years of one just not giving two shits about fixing bugs and the other using them for their own interests.

The sad reality is that vendors and manufacturers need to be called out publicly, or else they won't act. With that in mind, keeping a vulnerability secret just leaves the hole open for malicious actors to discover without giving the public the possibility to know the problem itself exists and pressure the vendors to fix it.

In this case specifically he perhaps could have spared tweeting from on board of an airplane, but it is good that he's been raising attention to the issue when he's been ignored for years.

Andrew on crackApril 21, 2015 6:12 AM

@andrew Wallace

I am not sure if this cutting sarcasm or you are actually stating this drivel with a straight face.

airportzoneApril 21, 2015 6:14 AM

Did he give them his stuff? Or did they take it? First question, can I haz my stuff back please? Or are they pulling this airport travel zone not in the usa you have no rights here crap?

Anthony FioritoApril 21, 2015 6:15 AM

I don't find this troubling in the least. It's one thing to joke from your lab. It's another to joke from the plane in flight. You don't yell 'Fire!' in a theater, even in jest and you don't tease a TSA agent about the bomb in your bag while you're going through pre-flight screening. A little common sense would have served Chris Roberts well. I have zero sympathy for the state he's put himself in and, make no mistake, he brought this on himself. As for the sophisticated surveillance, my guess is that one of his followers either forwarded his tweet or called law enforcement... or is a member of law enforcement and did what they thought was right.

jesseApril 21, 2015 6:22 AM

I think the problem was the tweet not so much the research. It was unprofessional and irresponsible. If an Air Marshall had joked that he was "going to pull out his gun and hijack the plane" referencing his flight he was working everyone would be up in arms to have his hide. Yet we as information security professionals are not required to maintain. Professionalism? We have to maintain ourselves at a higher standard if we are to be seen as anything other than geeks who live in our parents basement or the evil enemy of CSI:Cyber.

KevinApril 21, 2015 6:29 AM

Brilliant.

Roberts just successfully provoked the Feds into revealing that they have him under surveillance.

HiTechHiTouchApril 21, 2015 6:36 AM

At a news conference, United said:


"Given Mr. Roberts' claims regarding manipulating aircraft systems, we've decided it's in the best interest of our customers and crew members that he not be allowed to fly United," airline spokesman Rahsaan Johnson told The Associated Press. "However, we are confident our flight control systems could not be accessed through techniques he described."


Johnson did not respond to a follow-up question Sunday why Roberts would still be a threat if he couldn't, in fact, compromise United's control systems.

United, known for their arrogance, expects sheeple to unquestioningly accept persecuting the messenger.

Andrew WallaceApril 21, 2015 6:38 AM

If I'm on a plane or live above a flight path. I do not want security vulnerabilities known to every tom, dick and harry.

Instead, I would be far better at ease with the security researcher being more responsible.

And certainly not disclosed in the style of a tweet or social media platform.

Show a little bit more respect to passengers, the airline industry and those in charge of security.

As a side note:

If you are a security researcher and the manufacturer and governmental authority isn't listening to you,

Then there are other recognised and respected industry bodies and organisations who can contact the manufacturer and governmental authority on your behalf.

Andrew

Colin StampApril 21, 2015 6:58 AM

Much as I hate to say it, the Bad People will absolutely agree with Andrew.

We got ourselves into this mess by Software Manufacturers either being in total denial or being dinosaur slow to fix security bugs in the past.

I have to agree with Bruce and Chris and Google; by being open and exposing flaws (after a "reasonable" period of time to fix them), naming and shaming seems to be the only way to get the Software Industry to take matters, such as airline security, seriously.

In the above case, the Airlines had previously publicly stated that there was a Zero Risk, it "couldn't be done", so one has to ask, why was Chris detained?

Are we next going to start arresting Science Fiction and Horror Story writers who use such plots in their books and films?

Bruce himself has been warning of the vulnerability of inflight systems to hacking for several years, this is all nothing new....

unless Chris "hit a nerve" ....

Alfonzo RivieraApril 21, 2015 7:01 AM

This isn't sophisticated surveillance. I could replicate this with a $5k/month Twitter feed (many vendors will sell you full Twitter data in near real time) and Splunk. Basically throw the keywords you care about into alerts and it's done.

I have ZERO sympathy for Chris in this instance. Some of these researchers let their hubris take over, trading opsec for notoriety and Twitter followers. Do what you need to do, but if you post it on Twitter you're no smarter than a bagged Anon who bragged on IRC.

Andrew WallaceApril 21, 2015 7:04 AM

"Much as I hate to say it, the Bad People will absolutely agree with Andrew."

I don't understand your argument here. The bad people only know how to bring down a jumbo if you tell them how.

I'm completely against telling them how.

Andrew

Alastair McKinstryApril 21, 2015 7:16 AM

Anthony Fiorito:

The idiom of "Don't yell Fire! in a theater" dates back to an era when Theaters were badly designed fire-traps, and people would be hurt or killed in the panic to escape. Simply yelling 'Fire!' had serious consequences in itself.

Today, If you're not able to get out of the theater safely, it should be shut down. The only consequence of the yelling should be pissed off customers.

Ditto with Chris Roberts' actions. Note that he didn't explain how to use a vulnerability. If there is a vulnerability, it should be fixed, NOW, and the emphasis should be on that, not the disclosure.

His tweeting about it, rather than publicising by more "responsible" methods could be considered immature. Except if such disclosures elsewhere didn't succeed in getting the vulnerabilities fixed, in which case, I have a hard time saying his publicity stunt was over the top.

Bob S.April 21, 2015 7:22 AM

I wondered how Roberts was found out so quickly, too.

I also wondered why no one else in the business wondered how he was found out so quickly, until now. Where's the professional curiosity?

Bruce Schneier apparently was the only one with a public voice to notice.

There may be a simple explanation, or a more complex explanation. When you live in a secret police state these kind of things never get explained satisfactorily, however.

I have read in the past certain influential journalists and writers are under constant electronic surveillance or possibly have been hacked to one degree or another. Indeed many are on the Main Core list.

I wonder too why so very few people care about this. Now that's really scary!

Snarki, child of LokiApril 21, 2015 7:26 AM

@Andrew: Wow, an exploit of United's in-flight systems could be communicated in 140 characters? That's some seriously bad security.

Andrew WallaceApril 21, 2015 7:32 AM

"Wow, an exploit of United's in-flight systems could be communicated in 140 characters?"

It could if a link was provided and or if just a text tweet could give tips to pointers or leads as where to look.

Andrew

Leonardo HerreraApril 21, 2015 7:34 AM

@Andrew Wallace: security researchers have the duty to disclose any security flaws they find. If they don't, what happens is that a _market_ is created for this kind of knowledge. Care to guess who will is more interested in this information and for it not to be revealed?

I agree what this guy did was very bad form and that he deserved to be detained. But any security minded person cannot agree that obscurity is the way to keep safety. It is very naive to think only white hat researchers have the skills needed and are actively trying to find this kind of vulnerabilities.

Harald MilzApril 21, 2015 7:38 AM

@Andrew, I would be willing to consider your point if 1. the black hats actually needed our help to find out about security holes, if 2. there weren't a black market for zero day exploits, and 3. if there weren't many software makers with a really poor track record of fixing security flaws, exposing everyone to 1. and 2.

But since we don't live in a world of fairies and elves, please reconsider your point. It has been common sense to disclose security flaws publicly for quite a while in the security community.

This being said, I agree that Mr. Roberts could have acted more cleverly, e.g. by 1. making sure the hole is actually exploitable, and then 2. writing to the airline or the device maker that he would be going to publish the flaw within, say, 30 days if it wasn't going to be fixed, Plus, if he were going to be arrested for pointing out the bug.

Paul CoddingtonApril 21, 2015 8:00 AM

@Andrew There was no security hole to publicise: it was an obviously tongue-in-cheek comment. You should not be able to arrest people over what might have happened if the tweet had contained a completely different message.

It's a bit like being arrested for phoning your mother and mentioning what an idiot the Prime Minister is on the grounds that if the call had been to ISIS and contained instructions for an assassination it would have been an act of terrorism.

bystanderApril 21, 2015 8:11 AM

Seriously, Andrew?

"The bad people only know how to bring down a jumbo if you tell them how."

Seriously? If you really believe that there is no "bad" person who is as smart and as skilled as you (or, Chris Roberts), then you have well and truly missed the whole point of the privacy-security debate. You're stuck on wanting to feel safe at all costs, and thinking, erroneously, that secrets and surveillance can keep you safe. That sense of safety you crave is an illusion.

There are plenty of very, very smart and very, very skilled "bad" people in the world who decidedly do not need "Cliffs Notes."

SteveApril 21, 2015 8:14 AM

His tweet was voiced as a threatened attack, hence an appropriate response by law enforcement.

We all know the threat was tongue-in-cheek, but we can't expect law enforcement to walk that tightrope. They are accountable to follow a strict protocol, and so should the researcher.

SomeSecurityResearcherApril 21, 2015 8:18 AM

This is just one more reason that I've stopped reporting security flaws. People forget that there's not just the two options of full disclosure and covert "disclosure". There's also the option of no disclosure, where you tell neither the vendor nor the public.

Obviously it's difficult to get metrics on how many people take this route, but I suspect it's a lot. There's little to no personal gain, and much to fear such as civil and criminal legal action, fame (which means extra surveillance), and so forth. I support those who are willing to take the risk to speak up to make everyone safer, but it's a risk I'm not personally willing to take.


Also, to the "it's illegal to shout 'Fire!' in a crowded theater" argument, I think you're a bit behind the times. This was overturned in 1969. Like it or not, his speech is legally protected until the precedent set in Hess v. Indiana (1973) is overturned.

https://en.wikipedia.org/wiki/Shouting_fire_in_a_crowded_theater

Andrew WallaceApril 21, 2015 8:28 AM

I'm sorry everyone, I'm deeply against the publication of unpatched technical software vulnerabilities, especially in critical national infrastructure and the avionics industry.

I understand researchers have their 'for the greater good' arguments for releasing such information publicly, but I find it largely insane to do so without the backing of the Government.

This lad mentioned in the article obviously didn't have that backing and is why the lad has been detained by the authorities. When you have thousands of flights a day you simply can't release info willy nilly into a tweet.

Andrew

JRDApril 21, 2015 8:49 AM

@Andrew

Looking at the tweet in question, I do not see technical details. I don't see enough information to bring down an airplane or even turn on the oxygen like he joked.
All I see is that someone is suggesting that the security on the airplane is lax enough that it is trivial for him to perform the action.
No vulnerability was disclosed in his tweet.
I imagine almost every geek with a mobile device has "listened" to the WiFi on a plane before. It is not a novel idea. If that is adequate enough to discover that an airplane's network isn't very secure, then this guy is no the first person to discover it and won't be the last.

BeepeepeepApril 21, 2015 8:54 AM

@Andrew

My issue here is the complete lack of sense of humor by the Feds. Given Chris' obvious joking nature, the Feds could have used this as am opportunity to ask Chris to go to them in the future and they'll make sure it gets fixed rather than him making joke tweets.

It's fair to say that the Feds and security researchers don't have the best of relationships right now. I'd conjecture that building bridges between security researchers and the National Security communities would yield better long-term gains for both parties than the short-term solution of shooting-the-messenger.

BrianApril 21, 2015 9:04 AM

Being a computer security researcher isn't a license to do whatever you want free of consequences. Yes, it's important to have people looking at security of things like airplane systems. And yes, it can be appropriate to publicly disclose issues if the manufacturer refuses to act.

But this guy didn't get in trouble for doing either of those things. Instead, he got in trouble for suggesting he was going to do a specific malicious thing with a specific plane that he was actually on. That's not "security research", that's being a moron. And the security research community would be a lot better off if people like Bruce and the EFF supported the idea of researches acting like professionals instead of crying foul when someone acting like an irresponsible dumbass predictably gets in trouble.

And I honestly find myself mystified by the "surveillance" angle on the story. The tweet was made publicly. Even if the police were monitoring his feed in real time, so what? That would be perfectly legal, as would it be if any random Joe was doing the same thing. That's what PUBLIC means.

Andrew WallaceApril 21, 2015 9:23 AM

I don't usually be nice to researchers but I will say this.

The industry needs to help lads build a rapport with manufactuers and Government.

If a lad apporaches a manufacturer or government department and his grammar, style or explanation isn't great then yes there is a chance a lad isn't taken seriously.

There needs to be mechanisms in place for ordinary lads to report vulnerabilities and be taken seriously without a lad thinking the only way is PUBLIC disclosure.

That is the problem here and that is what the industry needs to focus on.

The industry should not be backing public disclosure but SHOULD be helping lads get taken seriously in private and building mechanisms for that to happen.

Andrew

kingsnakeApril 21, 2015 9:24 AM

You don't need a security researcher to crash a plane: Just a psycho co-pilot.

BeepeepeepApril 21, 2015 9:29 AM

@Brian

The issue with what you said is that you expect serious security researchers to practice security theatre just to assuage the irrational fears of law enforcement officials.

To be clear: I am not saying the concept of a plane being hacked is an irrational fear, but that the assumption that someone would hack a plane based on the amount of information he provided, is.

Second, there are so few Security Researchers out there that you really aren't in any position to call for professionalism. The brilliant are often eccentric. In many cases, that personality is part of the reason they're brilliant.

bodeApril 21, 2015 9:34 AM

This is ridiculous - the guy got in trouble for being a moron. I would suggest this: Bruce Schneier often writes about "security theater" and how easy it would be to bypass the TSA security. Next time he flies I suggest he start tweeting about "security theater! Bombs and knives anyone? I'm on United, the security holes are HUGE and maybe I should smuggle some stuff on."

Oh wait, he'd be detained, searched, etc. This joke is identical: sophomoric and unhelpful. If he wants to publish an op-ed in the NYT like Bruce, be my guest. He was not arrested for presenting at a conference or publishing a paper, he was detained for making a joke about something illegal - which, NO JOKE, is actually illegal. Someone wrote "the Feds don't have a sense of humor." Well no sh*t sherlock. This is a surprise how? What an idiot - not only did he deserve what he got, he did not help the cause at all. Also, where is his published research in this area?

JohnApril 21, 2015 9:39 AM

@Andrew

There is no bad information. Knowledge has no morals. You can either continue to act as an ostrich, keeping your head in the dirt(La La La La Everything is Awesome!), or you can be part of the solution and FORCE the VENDORS to FIX the problems.

Stifling Dissent of those you disagree with is not moral or the correct solution.

ThothApril 21, 2015 9:41 AM

Security Research cannot continue in an environment of constant threat to democracy and continuous threat to efforts at helping everyone with personal privacy and security. The only possible places to continue such research in relative peace would probably be Switzerland and Iceland.

Security Researchers are high on the target profile list due to the nature of their work which is usually viewed as eccentric and a possible threat due to their curiosity and knowledge.

As a Security Researcher (and also being a bigger target), public data should be as limited as possible to throw off possible tracing attempts and correlation of behaviours. As limited Twitter, Facebook, Instagram and whatsoever social media as possible.

Chris Roberts can start thinking of either:
a.) Throw all the contaminated devices during the FBI operation.
b.) Dismantle the devices, post them to public and have crowdsourced analysis on any possible suspicious parts to have a better glimpse of possible surveillance technologies.
c.) Do both part a. and b. together starting with part b. first.

BeepeepeepApril 21, 2015 9:42 AM

@bode

Chris didn't tweet a threat saying that he'd hack the plane. His tweet was obviously meant to bait the Feds in a not-so-uncommon attempt at hacker humor. Also, I am not aware of any law that illegalizes his speech.

Additionally, I *want* security researchers like him to be able to speak this stuff publicly. I feel safer knowing that the problems will be fixed than knowing the Feds are taking enforcement action on the messenger.

I want to live in an actually safer world, bode. I don't want to live in a security theatre where every inevitable security failure prompts more fear-mongering and doomsday calling.

ScottApril 21, 2015 9:43 AM

Troubling? In what way? He did it while en route. The level of stupidity on the part of the "hacker" is the only thing that troubles me. There's a right way and a wrong way to handle your information, and revealing it just to show the world how gosh darn smart you iz doesn't fall into the right tranche.

Free speech doesn't extend to shouting fire in a crowded theater. Never has, never should.

Also, could you please cease and desist calling professional door rattlers hackers?

Here's a helpful list to help you visualize the difference:


  • Vint Cerf: Hacker

  • Ted Nelson: Hacker

  • Bob Metcalf: Hacker

  • Doug Engelbart: Hacker

  • Captain Crunch: Hacker

  • Jerzy Różycki: Hacker

  • Ken Thompson: Hacker

  • Robert Morris: Door Rattler

  • Kevin Mitnick: Door Rattler


The former have actually put some thought into their work, the latter have just walked around looking for unlocked doors. Huge difference and no point in glorifying their actions.


Security ProfessionalApril 21, 2015 9:49 AM

This is a perfect example of an appropriate response by the authorities to a possible threat. Ethics is the most important part of what separates security researchers from hackers. Public disclosure of vulnerabilities should only ever be the last option to choose for researchers and only in the interest of protecting public safety. Tongue in cheek jokes on public media just aren't funny.

Peter ManciniApril 21, 2015 9:51 AM

I don't know who Chris Roberts is, or if Hacker is just what the news called him after the fact or if he was known as a hacker. If he was known as a hacker then he was probably being watched. He used very specific keywords in association with aircraft operation, on a plane, either just prior to or during a flight. Let's assume security agencies are smart. They are looking for any signal that is of interest in airports and on planes. I am not surprised they acted. As much as I am against the abuses by the Government lately, I would say this one seems pretty reasonable.

If I were in their shoes I would have picked him up and given him the bright light in a warehouse treatment myself. I agree with @bode, this guy doesn't deserve sympathy.

BeepeepeepApril 21, 2015 9:53 AM

So many unusually hostile opinions in the comment section of this blog from many new names! Why, if I didn't know any better, I'd say there's a shill or two here!


@Scott
Pray tell, how is what Chris did substantively different than publicly presenting security findings at civilian conventions?

Andrew WallaceApril 21, 2015 9:56 AM

We need PROJECT DETER.

To deter lads away from a public disclosure ethos and to help them build meaningful relationships with manufacturers and Government.

We need to change and shape the industry for the better.

Andrew

TimHApril 21, 2015 10:12 AM

There are problems with avionic security known by FBI.

Roberts said he had met with the Denver office of the FBI two months ago and was asked to back off from his research on avionics

BeepeepeepApril 21, 2015 10:13 AM

@Security Professional

From my understanding, he did try to contact officials to bring attention to these vulnerabilities, without success. So I believe your threshold for what needs to be done prior to public disclosure had already been met.

I also struggle to see why Twitter is worse then any other public medium to disclose security vulnerabilities. And private disclosure has quite a few precedents for the researcher either being ignored or incarcerated. Or maybe even rewarded, it seems to depend solely on the whims of the company in question.

@Peter So scaring Feds with an edgy joke should be punished by torture in your eyes? I can't say you are the most rational minded person I've come across.

BeepeepeepApril 21, 2015 10:18 AM

@Andrew

You'd need a wealth of precedent to convince people that not disclosing publicly is a good idea. To the contrary, precedents showing that private disclosure doesn't work to get most companies to fix vulnerabilities is plentiful.

For the sake of public safety, we need these vulnerabilities fixed.

Andrew WallaceApril 21, 2015 10:27 AM

"You'd need a wealth of precedent to convince people that not disclosing publicly is a good idea."

I agree. Something that is big, bad and awesome but doesn't actually cause harm would need to happen.

The National Security Agency (NSA) could create that precedent if they wanted to do so.

Andrew

RRApril 21, 2015 10:28 AM

You don't have to assume he was personally under surveillance. He almost certainly posted using a mobile device. The local stingray-like interceptor logged it, along with all the other mobile Internet traffic. He sent his tweet directly to law enforcement.

fajensenApril 21, 2015 10:40 AM

The bad people only know how to bring down a jumbo if you tell them how.

That only works by assuming that "bad people" are also dumb people who cannot work out things for themselves.

- Or maybe the hackers are not bad people per se, but someone who do contract work for one of the TLA's collecting vulnerabilities for "later", then the TLA's share information with one our "allies" - like terrorist-sponsoring Pakistan or terrorist-sponsoring and global religious zealots Saudi Arabia and It's On - or - they just kind of lose the goodies somewhere, like happened with Snowden - may there is a "Evil Snowden"?

Better to KNOW for CERTAIN that all the "bad people" have the information because it is on the Internet, then it cannot be swept under the carpet, it MUST be fixed.

RobApril 21, 2015 10:43 AM

@Andrew:

"There needs to be mechanisms in place for ordinary lads to report vulnerabilities and be taken seriously without a lad thinking the only way is PUBLIC disclosure."

And while you're dreaming, I'd like a pony.

Who does one report to? The companies that have time and time again been shown to ignore reports? The government that has been shown hoard zero days for their own use? Who's left?


BeepeepeepApril 21, 2015 10:43 AM

@Andrew

Or it could backfire spectacularly on the NSA by demonstrating the lack of actual harm.

Again, there is a wealth of precedent of public disclosure being the only reliable avenue towards getting vulnerabilities fixed.

dvvApril 21, 2015 10:47 AM

There's no code or even security hacked — he's no hacker. There's no research — he's no researcher. There's no message — he's no messenger. He's just an asshole who joked about a threat to the aircraft he was on-board. So why is it even a news?

ConcernedCitizenApril 21, 2015 10:53 AM

According to some of the articles, the FBI had talked to Chris a couple of weeks earlier and he had agreed to back off. This leads to a couple of thoughts:
1) The FBI got on to him because they were already watching (he had discussed the issues with the airline(s)
2) The FBI was led to the conclusion that it was better to shut him up then address the vulnerability (at least publicly).

I think that a bit can be inferred from (2). The implication here may be that this isn't a problem that can be fixed very easily with a quick software patch. There is likely only a single network on the aircraft and the WiFi system was grafted onto as an afterthought as it became available for passenger entertainment. Everything else is likely (a) hardwired and (b) uncredentialed. I say that because you don't want the oxygen masks in the passenger compartment depending on a wireless signal and you don't want the elevator controls on an A320 on approach suddenly failing to respond to the control stick of the fly-by-wire system because they don't recognize the credentials. Therefore, get past the administrative credentials of the WiFi system and you have access to the network.

If this logic is correct, the two choices would then be either rewire/restructure the fleet or turn off the WiFi. The first is an expensive, long range proposition and the second is going to lead to very frayed nerves among passengers who are already stretched to the breaking point in over-packed tin tubes. The FBI and the airlines are hoping that the crews can detect an intrusion before it becomes catastrophic in-flight and turn-off the WiFi.

fajensenApril 21, 2015 10:58 AM

@Beepeepeep:
My issue here is the complete lack of sense of humor by the Feds.

These guys/girls look like people but in reality they are robots, they don't think or apply discretion, they follow Protocol to the letter. Always.

As long as they do that, they will move one slot up in pay-grade and pension rights every year; If they don't, they won't. Anyone with, for example, a sense of humour - or indeed just common sense - will be filtered out. Exactly as intended - hook up an AI-based work-flow system to drive their assignments and the loop is closed: The people will become fleshy and flexible end-effectors that are easily replaced with new parts. The AI core can stay unchanged - the meat adapts as it must.

Well....April 21, 2015 11:01 AM

Well, in the wired article it sounds like he admits connecting to the avionics network during several previous flights, so if true, I can understand why an airline wouldn't allow him to fly again. It's one thing to test this on a simulator (which he also did) - completely something different to test on an in-flight aircraft where probing may trigger an accident. I sure as heck wouldn't want him plugged in on my plane.

Bottom line:

1) Government monitors social media (well, duh).
2) Questionable search and seizure by FBI
3) VERY questionable judgement by researcher issuing that tweet (again in the duh category).
4) Boeing and Airbus need to get their security act together - at the very least, passenger and aircraft networks need to be isolated (and the latter not accessible from the passenger cabin).

BeepeepeepApril 21, 2015 11:01 AM

I am thoroughly amused at the wealth of National Security contributers to this topic of conversation. I'm sure a meaningful conversation can be had on the merits of public disclosure for critical infrastructure vulnerabilities, but it isn't going to be had by either side starting with an extreme conclusion and not budging. Kudos to Andrew though for going from "No disclosures period" to "Lets get people to responsibly disclose to the government". It's a step in the right direction.

@dvv
He was on his way to present at a BSides conference. Pretty sure they only have security researchers present at BSides conferences.

RobApril 21, 2015 11:04 AM

@ConcernedCitizen:

The FBI and the airlines are hoping that the crews can detect an intrusion before it becomes catastrophic in-flight and turn-off the WiFi.

If this is indeed the case, I want to stay away from any flightpaths. I can trivially think of several ways around that protocol, and I'm not even trying. This is a passive defense that will fail, probably the first time it's tested in the real world.

Andrew WallaceApril 21, 2015 11:09 AM

Beepeepeep,

I was thinking along the lines of Stuxnet where there was perceived harm by the media but no actual harm caused.

That is enough to tip the balance and to get the topic discussed in media circles about disclosure ethics.

At the moment the disclosure debate is locked in our own little world of geekland, it is not a hot topic on FOX or CNN.

Andrew

MCApril 21, 2015 11:11 AM

I am very much a civil libertarian, but this reads like a threat to me. He knew what he was doing, and moments after about landing in an orange jump suit, "pre-packaged" for the authorities. We know it was a joke, but TSA goons do not. I'd be more troubled if they didn't detain him for questioning. Hopefully he learns something about prudence & discretion.

As a side note, when that jerk tried to light his shoes on fire it caused all of us to go through airports barefoot. If I get singled out for "extra liberty" next time I fly due to my CISSP study books, I'm gonna be pissed!

BeepeepeepApril 21, 2015 11:16 AM

@Andrew

Perhaps, but the media has had a strange track record of reporting on vulnerability disclosures. Stuxnet was novel in that it was the first substantive publicly disclosed Nation State hack made against infrastructure. I'd argue that the novelty factor has been greatly diminished after years of publicized disclosures.

ConcernedCitizenApril 21, 2015 11:18 AM

@Rob

I'm not arguing that it is the preferable course; only that given the alternatives (should my supposition that the problem would require a complete re-design/rewiring of the fleet) it might be the course that has been chosen. The alternative of telling passengers that the WiFi/in-flight entertainment systems will not be available is not likely to go over very well with a flying public already lacking in much charity.

BeepeepeepApril 21, 2015 11:25 AM

@mc

The FBI interrogated him and confiscated his electronics, not the TSA.

And tweeting about this doesn't make it any more visible to bad actors than presenting at conventions (which also show it to good actors that can fix the issue).

All this event shows me is that edgy non-threat jokes are punished rather than used as an opportunity for Feds to mend bridges with the security researcher community. Short-termist thinking as usual.

Andrew WallaceApril 21, 2015 11:29 AM

Beepeepeep,

We need wider public debate to properly sort out the right and wrongs of public disclosure OUTWIDTH of geekland.

This debate has been locked in geekland far too long and needs dusting off.

We need help to unlock the debate and push it to CNN and FOX to sort out.

Andrew

David DaysApril 21, 2015 11:29 AM

@RR

While you may be right about "sent directly to law enforcement", I'm having trouble with the concept that he had his own personal surveillance team sitting there waiting to pounce.

While it is completely possible, it kinda runs up against the "agents are robots" concept--if the protocol is to assign a surveillance team to every person deemed to be in the range from "annoying" to "menace", then the manpower would get pretty expensive pretty quickly.

OTOH, it's not just a matter of filtering Twitter traffic for key words; once you have a hit, you have to back-trace to who it was (is this someone we know?), where they are now, and what assets are available to go and get them. IT systems can make those connections quickly, but they have to be set up in advance, mapping from account to physical human to current location.

I think that's what @Bruce meant when he talks about a sophisticated system in place...

Nick PApril 21, 2015 11:33 AM

@ Andrew Wallace, all

re responsible disclosure

Remember The Bigger Picture

Your position is reasonable on the surface. Yet, security researchers who did that in the past got zero results. Matter of fact, companies even sued researchers to prevent them from telling the public about the quality or security issues. On top of that, the hackers and criminals figured out the weaknesses themselves with extra effectiveness due to secrecy keeping those problems around. Likewise, there are standards for highly secure systems and products/techniques for how to build them. Big airplane vendors know about them. Do they use them? No: it's more profitable to leave you in danger and then have their lawyers push the myth that they did all they could do.

So, the real question isn't whether or not the security researcher should state the obvious. The real question is, "Should airplane manufacturers be held accountable for making changes to a plane that let hackers with wifi access potentially harm or kill passengers?" Yes, because that's a totally irresponsible and unnecessary design decision. Starting from there, it makes even less sense to gripe at the person who tells us about it.

Note: I'm not defending how Chris was acting in this instance. I'm just pointing out the responsible disclosure to airplane vendors (and others) has happened continuously for years with no action by them. And what Chris pointed out, most black hats and foreign nation states already know. So, what he said doesn't help criminals and he couldn't do it differently in a way that vendors would care about. And third parties such as he or I really shouldn't have to do their QA work for them to begin with.

BeepeepeepApril 21, 2015 11:36 AM

Andrew,

I'm not entirely certain what benefit to the conversation there'd be putting it on the mainstream news.

If the desire is to get researchers and National Security types to make their case to the public, why not take the debate to venues such as IQ2?

DarrenApril 21, 2015 11:39 AM

@Andrew, you say the "bad people" will only know how to bring down a jumbo if we tell them how. What makes you think that's true?

Do you think that no one with the same skills and abilities as a security researcher could possibly be a criminal or other bad actor?

The reality is that responsible disclosure has been a subject of debate for decades, because it's difficult to balance the reality that unpatched flaws that were found by a "white hat" can also be found by a bad actor against the worry of releasing details about a flaw to a bunch of people will educate more bad actors.

Generally, security researchers do reach out privately before disclosing a flaw. Frequently they are ignored or threatened with legal action, and this happened much more commonly before researchers made a habit of disclosing flaws publicly. The threat of public disclosure motivates organizations to respond to reports of problems promptly, and disclosure after the patch encourages customers to ensure that they're using updated software.

Andrew WallaceApril 21, 2015 12:01 PM

"I'm not entirely certain what benefit to the conversation there'd be putting it on the mainstream news."

The public deserve to be included in the debate because it is the public who fly on the planes in the first place.

Andrew

hoApril 21, 2015 12:02 PM

I have a T shirt that discreetly says "suspected terrorist" on it in smallish letters on the front. I've worn it through TSA checkpoints, and was not detained or questioned. Is that illegal? Or should it be illegal? Should I be rotting in prison for the rest of my life?

BeepeepeepApril 21, 2015 12:05 PM

@Andrew

Yes, they are the ones that fly on planes. Issue is that the mainstream news engenders sensationalism more than thoughtful debate. Sensationalism is the enemy of rational discourse as nuance and critical thought are often discouraged.

Citizen FirstApril 21, 2015 12:06 PM

I am still waiting for the FBI to claim they stopped another domestic terrorist.

The level of absurdity here is mind boggling.

I am definitely seeing the need to require any and all government employees to self identify(full disclosure) in all opinion stating matters relating to "security." With that in mind, I work for a US government entity. And these status quo shills are really pissing me off, this reeks of JTRIG style op's. Anyone adding visibility to security holes and oversights is doing good work. As a vet, I see this as a requirement of being a decent citizen, help make things better. This shilling for the status quo, makes me want to ask, again, who stands to gain from no changes. Answer that to yourself.

This guy has been telling these issues at cons for over the last two years. And still zero fixes by the manufacturers. I see this joke of his as a public shaming of them and so should you. Poor taste is not the issue. Just look at all the trolling done in the past by the real hackers. It will always fly over the head of the shills, it is not aimed at them. It is aimed at us, we are the ones that can force the vendors to fix the problems. So lets do the right thing here. Tell the public not to fly until this gets fixed. The problem is real, the fear is all in the heads of the public/shills. The former we can fix, the latter can only be fixed by the individual.

nycmanApril 21, 2015 12:08 PM

@Andrew, would you seriously like to be in the dark about security vulnerabilities that could affect you? What makes you think the "security researcher" is the only person who knows about a specific vulnerability? If one person figured it out, isn't it possible others have too? And it's quite possible someone who's found a vulnerability does not have your best interest.

The reason for publicizing vulnerabilities is so that people and organizations can assess the risk for themselves, and put in compensating controls. If your door lock could easily be picked, would you rather be in the dark about that fact? While the manufacturer took it's time to possibly fix it? Or would you rather know so you could replace or add another different lock?

The reason for publishing an exploit (the how to take advantage of a vulnerability) is so everybody knows the true risk of a vulnerability. It is not just theoretical anymore, it tells you under what exact circumstances you are at risk. If those circumstances apply to you, then you are at risk.

Of course the government would rather you be in the dark. They rely on these same vulnerabilities to spy on you, and they don't really care if the "bad" guys spy on you or do bad things to you.

SamApril 21, 2015 12:13 PM

He didn't even us a hashtag for the airline's twitter feed. I could see the airlines picking up the hashtag and notifying the FBI. Since the security researcher didn't use a hashtag Bruce is right. There's some serious autonomous surveillance going on.

No wonder the government is freaking out about end-to-end encryption. It messes up their mass autonomous surveillance apparatus.

Andrew WallaceApril 21, 2015 12:14 PM

Beepeepeep,

You are pro public disclosure and are scared of public scrutiny regarding the subject because you know if the public knew what was going on in geekland that the public would want public disclosure outlawed.

You are basically running scared of CNN and FOX at the moment and even the suggestion is making you uncomfortable and are asking that it doesn't happen.

Andrew

HoApril 21, 2015 12:16 PM

@ Andrew

So what do you say? wearing T shirt that says "suspected terrorist".... legal or illegal? punishable by what?

Citizen FirstApril 21, 2015 12:19 PM

@Andrew

Only a Sith deals in absolutes. Sith have always sought to have dominate others. You are transparent. Give it up. Come back to the Light side of the Force.

Marcos El MaloApril 21, 2015 12:31 PM

@dvv

Well, now he's a famous asshole. We've moved from the realm of security theater to security research theater. My first reaction was "poor impulse control", but now I'm thinking this was a calculated stunt by Chris Roberts.

What else did Mr. Roberts accomplish? As others have noted, he didn't reveal anything to avionics hackers. But as Bruce has noted, he inadvertently(?) revealed something about government surveillance. Roberts probed the surveillance system, revealing something about suspected capabilities.

As for his four hour detention for questioning, this isn't anything that some people with "suspicious" skin color, last names, or nationalities don't go through every time they fly. In his case, questioning him is actually reasonable.

Others criticized the search and seizure of his property. This is a textbook example of probable cause. If one doesn't want to give LE probable cause, one shouldn't tweet, even jokingly, about hacking the avionics of a plane on which one is traveling.

There are responsible ways to disclose vulnerabilities. Joking about avionic vulnerabilities while traveling on a plan as Roberts did isn't one of them.

BeepeepeepApril 21, 2015 12:48 PM

@andrew

That's intellectually dishonest of you to attack my character and a strawman of me instead of addressing my argument. I'm disappointed in you.

Nick PApril 21, 2015 1:08 PM

@ Andrew Wallace

Fox and CNN are for-profit U.S. media organizations whose incentive is to keep people's attention to deliver ads. Common techniques they use to get attention are sensationalism, inspiring fights between different sides of politics, exaggeration of threats, and so on. Many have squashed stories on dangerous activities of their advertisers. Fox also led a court battle that argued they can lie to their viewers while calling the information news under the First Amendment. So, they (a) receive money from manufacturers of dangerous products, (b) push nonsense to get viewers worked up, and (c) will lie whenever it suits them. Mainstream media in this country is therefore the *worst* place to get an honest assessment of product security or how to improve it.

I'd rather see professionals in the various fields discuss it in a neutral venue. Each side can promote their views. Members of the public, security researchers and product engineers at the least, could comment on the various posts in a way that the general public can see. People would probably sum up their views on the subject on personal or commercial web sites. Then, the media outlets can read, analyze, and report on *those* posts. Otherwise, they're just going to be spouting whatever gets ratings or ad revenue. And that's not going to be something in our interests.

Far as the debate itself, I noted in my above post that what you and others propose has already happened. It failed pervasively in every industry. There were more successful attacks and industrial accidents back then than there were once full disclosure took off. The reason is companies started adding more real safety and security because the exposure of their lies would cause lost sales. Disclosure transformed issues they create from an externality to a liability. The community's biggest success story was using full disclosure to turn Microsoft Windows from the biggest source of vulnerabilities to a higher quality of product with decent security practices. All the letters, emails, and lawsuits thrown at them failed to get even a second of action. Publishing the flaws for all to see? They fixed them.

See how that works? Only thing that ever worked so why go back to what didn't...

BrrrrrianApril 21, 2015 1:09 PM

Why are people like Andrew outraged about the tweet but not any underlying vulnerabilities? Forest and trees, people!

MarkHApril 21, 2015 1:12 PM

Thank you, Bruce, for picking this up. I saw this story during the weekend, and thought it Very Important.

For me, sometimes the tenor of comments here is more illuminating than the event referenced in Bruce's post.

I find a strong current here of commenters tripping over their own feet in their passionate haste to discard civil liberties, even those with clear constitutional protection in the United States. May I remind you, that these can be awfully difficult to retrieve, once lost?

I wonder how many of those who are eager for government to use its compelling and suffocating force to silence speech, would furiously object to limitations on personal weaponry?

If you wish to be effectively imprisoned by the sacrifice of your liberties, will you kindly not include others (such as myself)?

It is human nature that our emotions tend to strongly dominate our reason.

It is human nature that we convince ourselves that our positions are based in reason, even when our limbic system governed our decisions.
________________________

In the interests of Full Disclosure: when persons or agencies with authority over security are not responsive to information about vulnerabilities, I believe the appropriate remedy is Full Disclosure.

JustinApril 21, 2015 1:14 PM

I think a lot of people (including government officials and FBI agents) have at least some fear of flying, and are tense or nervous when they have to fly, so they panic when some security researcher makes a joke about dropping the oxygen masks. It is unfortunate that the man was detained and had his computer confiscated for nothing worse than a joke in bad taste. It's like walking on eggshells anymore---you have to be so careful what you write or say, lest if offend someone or scare someone. I mean, a bad joke is literally a felony anymore, and people _want_ to live in a society where this is so, because it makes them feel comfortable when scary people are locked up. The trouble is, you can never know what might make someone else feel scared.

BeepeepeepApril 21, 2015 1:33 PM

So much shilling! It's impressive the passions that this topic is igniting in the comment section.


@Bob T

Only children need concern themselves with petty concerns like growing up. Free adults have greater liberty (in many, but not all respects) to act as they want.

albertApril 21, 2015 1:38 PM

Another twit thwarted thru twttr. What an idiot. Anyone with at least two brain cells connected together knows that the IC is extremely sensitive about anything to do with air travel (Hint: 911), especially if there are known flaws in the system (http://www.gao.gov/assets/670/669627.pdf). The FBI agents 'sense of humor' doesn't extend beyond the agency.
.
EVERYONE involve in "security research" is being monitored. I'll bet dollars to donuts on that. It wouldn't surprise me at all if this blog is being monitored as well. It's trivial to load up search algorithms with acronyms, and twttr does the 'filtering' for you. Wonderful!.
.
Once you get on the (s)hit list, you'll be there forever. Count on it. Unless you're prepared to do a Snowden or Manning, just do the best you can, and wait 'til the next event.
.
It works something like this:
1. Everything's fine
2. A plane crashes, due to faulty part/system design (NTSB does great work)
3. Manufacturer/vendor disputes finding, FAA sit on hands
4. delay()
5. Is public still bitching? If 'no', goto 1, else
6. FAA forces redesign
7. goto 1
.
The preceding is a 'regular' aircraft incident. When you add malicious hacking*, overreaction is sure to follow. The 'loops' disappear; it's different flowchart now.. Manhunts, retribution, finger-pointing, and more billions spent on...what?
More 'security'? I've lost my sense of humor...I wonder how much cynicism has penetrated the IC?
.
* it's always 'terrorism'.
...

SJApril 21, 2015 1:41 PM

@AlfonzoRiviera,

wasn't there some joke on twitter that was misconstrued as a comment about terrorism?

I think it was a person from England using the term "destroy" when they were implying "party".

Fairly certain that it was mentioned here at the time.

I think these two provide strong circumstantial evidence that various US-GOV agencies have a Twitter monitor which searches for keywords.

And that the keywords include verbs like "destroy", as well as control-commands for airplane avionics.

999999999April 21, 2015 1:47 PM

@n3tdev

I agree with you that airplanes don't need good security at all because the TSA is guarding us anyways. The X-ray machine, metal detector, pat downs and the person checking IDs and boarding passes are there exactly for that reason so there is no need to worry. Why would you need excellent software security if the TSA banned nail clippers and shampoo? It is absurd and unpatriotic to to even think that the TSA and DHS are useless and don't actually provide security.

@Bruce

"the fascinating part of this story is that a computer was monitoring the Twitter feed and understood the obscure references, alerted a person who figured out who wrote them, researched what flight he was on, and sent an FBI team to the Syracuse airport within a couple of hours."

What I find fascinating is that they had someone on the ground in two hours instead of diverting the plane. They could have also forced the plane to a separate taxiway and boarded with a mobile stair. They could have done many things that make sense if the LEO actually thought that there is a threat. I think you missed the really fascinating part where they waited until he was on the ground and then "black bag" him.
-Can someone more articulate, please rewrite this point in a way that conveys that the GOV. proved that they don't believe he had any nefarious intent and still came to bully him?

JesseApril 21, 2015 1:55 PM

@Bob S. @RR

Aside from Stingray, the other non-surprising method for how this tweet may have reached the right ears in time is that it was not a private message. How many followers does this guy have? So, all it takes is one of those pressing twitter's "report" button or retweeting to an LEO contact.

It really is not a case where a computer had to determine the severity of the threat at all.

Bob TApril 21, 2015 2:02 PM

@ Beepeepeep

Adults who act out childishly because they are at liberty are still childish.

rgaffApril 21, 2015 2:33 PM

@999999999

I believe you're trying to say:

If the FBI considered him a real threat, why the heck didn't they send a fighter escort to take that plane to the ground IMMEDIATELY after the tweet at gunpoint... not wait until the threat arrived in a large city at a crowded airport hours later... that's irresponsible to let a real threat go on like that, and get worse even.

So if they did NOT think he was a real threat, why did they interrogate him with bright lights for 4 hours? Intimidation? Strike fear into the hearts of the general populace so nobody does that again? Hmm... I wonder who does acts with intent to strike fear or terror into general populations? Could it be terrorists? Did the FBI commit a terrorist act?

Or maybe I am going a bit farther than you intended, 999999999? I'm doing it to additionally illustrate how easy it is to use "terrorism" to mean anything you want, just like "collect" or other word games... So giving someone a blank check to remove any and all freedoms and constitutional and human rights for "terrorism" is a blank check to do it any time one pleases for any reason at all.

Everyone is a "suspected terrorist." You. Me. Hackers. FBI agents. Everyone.

gordoApril 21, 2015 2:37 PM

WESTERN SPY AGENCIES SECRETLY RELY ON HACKERS FOR INTEL AND EXPERTISE
BY GLENN GREENWALD | The Intercept | 02/24/2015

In a separate document, GCHQ officials discuss plans to use open source discussions among hackers to improve their own knowledge. “Analysts are potentially missing out on valuable open source information relating to cyber defence because of an inability to easily keep up to date with specific blogs and Twitter sources,” according to one document.

https://firstlook.org/theintercept/2015/02/04/demonize-prosecute-hackers-nsa-gchq-rely-intel-expertise/

BeepeepeepApril 21, 2015 2:48 PM

@Bob T

I'm not sure what your point is. All you're managing to do is come off as judgmental.

Milo M.April 21, 2015 3:08 PM

@SomeSecurityResearcher

"Obviously it's difficult to get metrics on how many people take this route, but I suspect it's a lot."

Have had a few incidents in the past year that violate the fundamental security rule that the party initiating the contact is responsible for authenticating. The contacted party should never authenticate first.

One was a young (apparently) employee of a health insurance brokerage who called and began by asking for SS number. Another is a pharmacy (major chain) that makes robo-calls when they think it's time to refill a prescription. The bot begins by asking you to punch in some personal information.

In both cases I tried to contact someone at the corporation who might possibly understand that this was a problem that needed to be fixed. Never heard back in either case.

An added reason why people who detect security flaws may not report them is the sheer difficulty of doing so. Modern corporations insulate themselves as completely as possible from the public. Human interactions cost them money. Bots, not so much. It usually takes a considerable amount of time just to find contact info for someone who might be able to do something with the information.
So much easier just to shrug and forget it.

Spaceman SpiffApril 21, 2015 3:16 PM

So, the little boy who pointed out that the emperor has no clothes is arrested and harassed for doing so? For shame!

dvvApril 21, 2015 3:26 PM

@Beepeepeep So he was going to a security researchers' conference. On a plane. He mist be a security researcher of airplane systems then. I get it now, thank you.

SnotbotApril 21, 2015 4:10 PM

Beepeepeep @ 9:35 dingdingdingding, correct for 500 points.

Andrew thinks it's insane to criticize a corner-cutting corporation without the backing of the Government.

Evidently Andrew thinks it's insane to do anything without the backing of the Government. Read his twitter feed and you see he's a professional bedwetter whose business model is skimming public/private money in crooked backroom deals. Andrew wants to humbly offer tips in secret so the C-Suite bosses can pay him off and then ignore him. He can't cut deals with the secret police if real experts respect the public's right to know.

Andrew is a shining example of the corruption of the Five-Eyes bloc's security sector. Without people like him, 9/11 wouldn't have happened.

Note how all the other personas are cooperating with Andrew to push the story of this FBI panic attack in one specific direction: blame and vilify the dissident: he did it wrong, his attitude was wrong, protected speech might give somebody ideas. All gumshoe G-man moron tricks to make other morons miss the point: the FBI stepped on their crank again and exposed their crude domestic COINTELPRO tricks.

What's worse, we see that FBI can catch an obviously harmless satirist making open-source jokes; but we're expected to believe that they didn't notice the Boston Marathon mad bomber running around in his jihadi costume and eyeliner, getting booted out of mosques for crazy shit. 100% certainty: when the next flying Ali Mohamed hacks unprotected Wi-Fi to crash a plane on a money-losing see-through office building in Chicago, the FBI goons will go, "Duh, Doi, never saw that comin!"

AnonymApril 21, 2015 4:14 PM

I agree with @Brrrrrian - information on security vulnerabilities should be no excuse to have these vulnerabilities in the first place. Who thought it was a good idea to take the two separate networks and merge them in the first place? Was the apparent cost saving justified compared to the cost of keeping up to date with security patches?

JohanApril 21, 2015 5:41 PM

@ "His tweet was voiced as a threatened attack"
... and other similar pearlclutching

lolwut? This isn't the same as yelling Fire in a theatre, since no one in this particular theatre was even aware that he'd siad anything. It also wasn't 'a threatened attack', unless you have an extraordinarily low threshold for 'threat' ... a threshhold so low that basically saying *anything* could be constituted as a threat.

OccamApril 21, 2015 6:25 PM

Now, it is possible that Roberts was being specifically monitored. He is already known as a security researcher who is working on avionics hacking. But still...

Apply Occam's Razor, and conclude that the simpler explanation - that the guy's well-known and specifically surveilled - is a priori more likely to be correct.

Clive RobinsonApril 21, 2015 6:43 PM

I suspect that this researcher is being monitored quite closely but not by the FBI of necessity.

Although many have never heard of him his name has popped up in the past with "avionics", which is a multibillion dollar industry with an eye wateringly high liability risk.

Thus I suspect their are "private organisations" (anyone remember Kroll Associates, Blackwater or HB Garry?) taking a considerable interest in him and what he says for their "clients". Because there is rather more than a kings ransom riding on this, think along the lines of the total GDP for multiple nations. Thus they would have active files on him and probably "PR Spin" pre-prepared to discredit him in a number of ways. This is quite normal procedure and has been seen to occure frequently with those concerned with "site safety" in the construction industry and the likes of Unions. The Koch brothers are known to activly spend millions of dollars on these so called "background checks" and in the UK the Met Police were found to be activly collating files on "protestors" etc and handing it on to "interested parties" in industry such that they could use it to take civil action through the courts.

Thus it's quite possible one of these "private organisations" is monitoring him closely and picked up on the twitter and either they or their client picked up the phone to a contact well known to them in the more senior levels of the FBI.

Prior to this little stunt if he had been found "hanged under a bridge" or "jumped out a window" (known by some as a "Kroll coincidence") nobody would have taken any notice, now he has a "media name" people will take a little more notice. So he might now be about as "safe as a two dollar watch at a pick pocket convention", or then again maybe not.

BuckApril 21, 2015 8:20 PM

This story strikes me as awfully similar to say, making a public claim that there are WMDs in Baghdad... Great! Now any Tahmeed, Dakhil, and Hareef can just waltz right in and get a nuke to use for their own nefarious schemes!? It matters not that this was a joke - the theoretical harms have already been inflicted.

rgaffApril 21, 2015 8:37 PM

@Buck

It's ok, in the next story on this blog, @Andrew himself explains how to hack airplane systems too... haven't heard from him since... if the FBI is following his own rulebook, I guess he's under the bright lights now. The irony. :)

65535April 21, 2015 9:09 PM

@ Kevin

“Brilliant. Roberts just successfully provoked the Feds into revealing that they have him under surveillance. “

If that was indeed Roberts' motive he is highly justified in making that tweet. This was a very heavy handed ordeal.

It is clear the Feds are attacking legitimate researchers [I would not be surprised if Bruce S. is on their list and half of the posters on this blog – the other half being TLA agency shills].

@ Bob S.

“I have read in the past certain influential journalists and writers are under constant electronic surveillance or possibly have been hacked to one degree or another. Indeed many are on the Main Core list. I wonder too why so very few people care about this. Now that's really scary!”

I agree. You can add the TIDE data base to that list.
https://en.wikipedia.org/wiki/Terrorist_Identities_Datamart_Environment

If Roberts did this to raise awareness of the vast number of people who are normal citizens in USA and are considered “Terrorists” by the government then he is fully justified in making that tweet.

impuristApril 22, 2015 12:51 AM

"...the freedom of speech..." - 1st Amendant of USA

Yet another joke made a serious trouble.
Google is under surveillance, so all of us should know Twitter is also under
surveillance.

If you want to post a joke comment, don't use real identity.
Use Tor or Freenet to post something.

In 22nd century, people will stop joking on the Internet.

---
Stupid example:

Theater
Some jackass sitting in a back seat eating a popcorn.
I hate it.
I freak out and yell "WTF a bomb under my seat!!"
Everyone rushed away.

WaelApril 22, 2015 2:10 AM

@Buck,

Tahmeed, Dakhil, and Hareef

Hey! These are the counterparts of Tom, Dick, and Harry!

@Bruce,

There's some serious surveillance going on.

Imagine my shock!

WaelApril 22, 2015 2:17 AM

@Clive Robinson,

Thus it's quite possible one of these "private organisations" is monitoring him closely

Or someone ratted on him! You know, if you hear something, "say" something?

Brice ShoeshinerApril 22, 2015 5:35 AM

Mr. Bruce! Given your work in security, and your awareness of the Snowden leaks, nothing about this story should surprise you. Why not just say, "hey here's the new normal --a jaggoff pentests an airliner in flight, while the feds give him an auto-colonoscopy."

Wesley ParishApril 22, 2015 5:40 AM

I get so sick of this tired old example of someone shouting "Fire!!!" in a crowded theatre. FWVLIW, I did read an anecdote once about an actual fire in an actual theatre when an actual man jumped up on the stage and told the actual audience to remain calm and stay seated. He himself left by the sidedoor, while the audience stayed calm and seated and burned to death.

Of course, as is rather well known, Microsoft ignored all the Internet Explorer vulnerabilities during the days of its unchallenged monopoly after wiping the floor with Netscape. People began to call Internet Explorer various other names, none of them polite. Then Mozilla stepped up with a browser that had less vulnerabilities, and all of a sudden Microsoft began taking those vulnerabilities seriously.

Avionics does not have such an option - it's maybe less vulnerable to monopolies, but far more vulnerable to cartels. If someone doesn't step up and say loudly enough, there are these vulnerabilities and so on and so forth, then they will be fixed in God's Own Sweet Time, which is to say, Sweet Fuck All Chance Of That Happening!

Sancho_PApril 22, 2015 10:27 AM


I don’t see monitoring comm from an airplane as surveillance issue,
but people_must_be_informed_about. No secrecy.
I can barely see any surveillance issue in following tweets of an “respected” researcher.

Chris had his “fun (+1), the Feds had their fun (-1), result is a straight zero.

Bonus point for the Feds for their speed.
Err, any evidence for “a computer was monitoring” (@Bruce)?
- Bonus point lost for not understanding the tweet. [1]

Obviously the tweet was a joke, and a very dumb one for a researcher.

But is it the time to close the books and go to lunch?

Now the serious part for United:
@Chris: Show us the vulnerability within 4 weeks to earn 100k,
miss that point and we’ll sue you for damaging United’s reputation.


@Andrew Wallace

“the industry needs to help … needs to be mechanisms in place … the industry needs to focus on … the industry should not … but SHOULD be helping … … we need to change and shape …”

Yeah, nice, but that’s exactly the way we’re ignoring risks since years.
Self control instead of accountability.
- Politician or pastor speaking?

[1]
Who would believe to find a serious threat by checking for buzz words?
OK, you’ll find all the idiots, and there are a lot of. It's justified.

Jim LippardApril 22, 2015 12:35 PM

"the fascinating part of this story is that a computer was monitoring the Twitter feed and understood the obscure references, alerted a person who figured out who wrote them, researched what flight he was on, and sent an FBI team to the Syracuse airport within a couple of hours. There's some serious surveillance going on."

Or, at least one of the nearly 4,000 people who follow him on Twitter reported him.

Erich SchmidtApril 22, 2015 1:39 PM

@Rob "And while you're dreaming, I'd like a pony."
Careful, your wish and an earlier post reminded me of the danger posed by ponies: http://popehat.com/2012/09/26/ponies-101-introduction-to-ponies/

I second @Beepeepeep, who said "So many unusually hostile opinions in the comment section of this blog from many new names! Why, if I didn't know any better, I'd say there's a shill or two here!" I've lurked for years, and I don't remember many threads so inundated with unknown players.

And Andrew Wallace is clearly either stunningly naive or playing a part.

hankApril 24, 2015 7:28 AM

An ethical issue it is rather interesting. Yelling Fire! in a crowded theatre is debatable only up to the point where the benefits of maintaining a false sense of security to slow roast can be proven morally and politically correct.

ZaphodApril 24, 2015 9:59 AM

@all, especially Clive R. (from a UK perspective).


There have been a couple of cases in the UK (that I am aware of and no doubt many more) of members of the UK public tweeting offensive (in legal terms) messages and being arrested the same afternoon. That's an 'impressive' response time........

Now I don't see how we can go from someone (e.g.) tweeting at a soccer match, to being reported to the police, for the police to decide to investigate, to the police getting a court order to obtain the IP address of the tweeting device from twitter, to getting another court order applied to the ISP owning said IP address to obtaining the customer details of the owner of the tweeting device all in a couple of hours.

How is this possible?


Zaphod

SchneieronSecurityFanApril 24, 2015 4:27 PM

The ISP for the United Airlines flight was probably GoGo/Aircell. There are several links from Wikipedia on how this company has issued fake-SSL certificates and can assist government agencies in real-time:


http://en.wikipedia.org/wiki/Gogo_Inflight_Internet


Mr. Roberts was on his way to speak to an audience of law enforcement personnel. Maybe it was all a test.

Clive RobinsonApril 25, 2015 5:01 AM

@ Zaphod,

There are many ways it could have happened.

But the thing with "tweets" is many use their real name or an easily recognisable version of their real name (ie Bob instead of Robert etc). People also have to supply in advance all the details such as real name and address etc when buying their ticket which is then logged into a database that many have easy access to. Further "unhappy tweets" are likely to happen within a couple of hours of expected flight time. Thus linking a "known" tweet to the likely passenger is usually relatively trivial for airport operators / airlines.

The question then is how does a tweet become "known" to the airport operators / airline or other authorities with easy access to the passanger details...

Well this is the bit where the "parallel construction" starts from the authorities or is often covered by the IC name of "Methods and Sources" under "National Security" if the defence pushes hard in court.

The usuall argument from the authorities is the old "anonymous tip off" of somebody who follows the suspect/defendent on line phoning it in. Whilst a judge might accept this as might a jury, people with any kind of knowledge about such things are generally skeptical due to response times.

Well from personal experience I know that under certain circumstances the response can be very fast. I happened to be at a south london hospital as an out patient when some idiot came into a public area and threw a large bag of some unknown substance screamed something and ran away. The hospital went almost immediately into lockdown and within five to ten minutes the first of the emergancy services had arrived to enforce the lockdown and cordon off the hospital site. Shortly there after the London Fire Brigade (LBF) major incident and bio-hazzard teams arrived and within a couple of hours the "all clear" was given as the substance had been analysed by one of the teams and was apparently a large bag of cooking ingredient.

Whilst this was a rapid response time, it was abnormal in that the initial reporting would have followed a "known emergancy" script in the hospitals "disaster plan" which would have had the correct telephone numbers etc to phone. Those who received the call would also have had an emergancy response script for the hospital to follow.

When "joe public" phones in they would phone a general emergency number and this would take quite a while longer to process including some kind of "hoax verification" procedure. Then some kind of "threat verification" and "threat response" proceadures which would take further time. How much is time we don't actually know and it would also depend on what the National "threat level" status is. Prior to 9/11 and 7/7 the response would have been "verify before action" after it would have been "action before verify" which drasticaly shortens response times, but is also inordinately expensive in physical and human resources and vastly increases the likelyhood of collateral damage such as injury or death to members of the public. Which might account for why there is "major sense of humour failure" in the authorities who then come down very hard on people.

However the "actual response" suggests that the authorities are "verifying befor action"... Which calls into question the response time and suggests it's not "joe public" calling in, which leads to the question of "If not then how?"...

This raises further questions such as where the message is being intercepted. If the sender is using a "smart device" then untill quite recently the chances are the message went as "plain text". Thus could have been intercepted on the Airport WiFi / Mobile Phone air interfaces or downhauls "on site"... We know from shopping mall systems that faux certificates etc can and have been used at such places so the technology to intercept is fairly readily avavailable. Likewise we know that bulk twitter feeds are available with various types of filtering.

So we know that the communications path is effectivly "open" to inspection at either end, and in all probability at any point in between as well to the likes of GCHQ. Again however "response time" and "response type" suggest it's more likely to be at the end points of the communications. And if I had to guess I'd go for the twitter end as my first choice because it's going to cover the service not a myriad of individual locations and would thus be less expensive overall, whilst also covering a greater variety of threat types as well as other intel activities.

Arguably twitter feed monitoring would have been put in place as soon as it was possible for "anti-terror" purposes along with the other "bulk surveillance" technologies we are now aware of. Thus what we are seeing with these Police activities are a way of justifing the cost of such a system to the "purse string holders" etc. If that is the case then we can expect to see the scope of such Police activities to increase with time...

NathanaelApril 29, 2015 10:00 AM

It's pretty clear Roberts is being personally monitored. Roberts is being harassed and his property is being stolen by the FBI because he's exercising his free speech rights to report dangerous situations.

Well, we do live in a police state. We're going to have to shut it down somehow; even if you don't mind police states, the obsession with harassing harmless patriots is preventing the government from paying attention to real threats. In fact, it's supressing the people who are trying to warn about the real threats.

This genuinely endangers national security.

J.C. DentonApril 30, 2015 8:12 PM

I would like to share an interesting report by German news agency "Zeit" (Time) with all of you. It basically tells that the State Police was able to bust someone (with Islamic background) right before that individual was able to use a self-made bomb near Frankfurt/Germany.

The highly interesting thing is that a shop assistant from a near hardware store informed the police. According to the assistants statement the arrested person wanted to purchase three liters (0.79 US gallons) hydrogen peroxide. When federal officers entered the suspects house they found a ready-to-use bomb (explosive TATP). The German "Sauerland-Group" used similar explosives in 2007.

As a final note I would like to add that the German law enforcement became aware of that (now arrested) person for 30 times in the past (incredible!?). Also NO MASS SURVEILLANCE (at all) was necessary to bust the guy; it was merely traditional police work (with aid from the hardware store) that led to the suspect and therefore the finding of the explosives (plus some other guns and rifles).


[Link #1] http://www.zeit.de/gesellschaft/zeitgeschehen/2015-04/hessen-sek-terroranschlag-vereitelt

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.