Wednesday, 22 April 2015

A reasonable warning and a terrible example

The FBI decided to detain an airline passenger for several hours because of a tweet.

Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :)

He’s suggesting that he might be able to deploy the oxygen masks.

He tweeted this while he was on the plane and the FBI were waiting for him 2 hours later when the plane landed.  Either they were already watching him because he’s a security expert who has spoken about the security of plane networks in the past or they have software mining tweets for threats against airports.  Or – my personal favourite explanation – they have compromised the plane wifi themselves, with or without the airline’s permission.  Or someone reported him, I guess. I don’t much like any of the possibilities.

In response to criticism, the FBI has issued a warning to airlines.  It’s long overdue.  We have no idea how secure plane networks are or how isolated plane controls and safety critical systems are from networks passengers have access to.  The warning should be taken seriously and it’s kind of weird that it took an incident like this for it to come.

But reasonable though the warning is, the example the FBI have set is a terrible one.  The best way to improve security is to have experts think up ways to attack your networks.  Scaring off creative experts is one of the worst possible ways to improve or maintain security.  I’m not suggesting passengers hack planes in flight to see what they can do. I’d really, really rather they didn’t.  But the message the FBI is sending is that speculation and creative thinking about how plane networks might be compromised will not be tolerated.  That’s a terrible idea.
