54 votes

Bypassing airport security via SQL injection

6 comments

  1. balooga

    Awesome read, thanks for posting it. What does current US law say about the actions he took? My knowledge might be out of date but I thought the actual infiltration of these systems is illegal? Even though it was responsibly disclosed and white hat at the end of the day.

    Should be legal, regardless. This kind of hacking is heroic.

    9 votes
    1. ShroudedScribe

      So, I originally found this on HackerNews, and someone there said there are guidelines around responsible disclosure for these agencies, but it's very clear they aren't explicitly laws or even more than just recommendations.

      So, if any of the involved agencies wanted to break down their door, it would have already happened. But it would be difficult to defend such actions if it was to make it to a public court of law. They clearly were not trying to exploit the system in a way that would get them or anyone else access to bypass security, unless you happen to know someone who looks like a purple square in photos and goes by the name "TestOnly."

      9 votes
  2. Sodliddesu

    I gotta send this to ex-TSA people I know. Hilarious. Also, props to the TSA Press Office and DHS for proving that the gate agents aren't the only incompetent ones.

    9 votes
  3. Greg

    Maybe I just woke up on the wrong side of bed today, but the main thing I’m thinking is how the hell did the original software author (a single person, according to the article) get this crap to market at all and how much have they made from the airlines in all this time?

    There are so many talented developers out there! How and why are major industrial players like this working with someone who apparently didn’t make it past chapter two of the intro textbook? I’m fully in favour of them working with small businesses rather than pouring hundreds of millions into a black hole with Oracle or whoever, but this is the equivalent of giving a first year apprentice from a local mechanic’s shop a wrench and letting them service a 787. There’s some middle ground to be found between the two, y’know…

    Or to put it another way: I can guarantee I’ve made it to at least chapter three of the textbook; where’s my airline contract?!

    Great article though, and in its own odd way a reassuring reminder that air travel probably isn’t actually that much of a target - we’d be seeing visible consequences from failures like this if it were.

    7 votes
    1. Grumble4681

      I assumed that the way something like that happens is that it's a very niche case where someone who was familiar with the challenges of that system had enough technical proficiency to set something like that up, but probably not enough to be a professional at it ordinarily. However it was good enough to be useful to anyone who was wanting to purchase a solution to that problem and they likely aren't going to be aware of the technical deficiencies of that solution that are generally behind the scenes.

      Basically, their talent wasn't in being a developer, it was in being knowledgeable enough about a system most talented developers probably didn't even know existed. You can't build a solution to a problem you don't even know exists.

      4 votes
    2. bkimmel

      It's just the other edge of the double-edged sword of "working in a highly paid field with no credentialing". That's the way I always think of it, anyway: You get more freedom to move around and try different things but you pay for it with three-week-nightmare interview processes and stuff like this.

      On the upside, they'll have to pay a real SE to fix it... TSA will likely force them to hire at least a couple people who know what they're doing now...so you end up getting your shot then.

      3 votes