Bypassing airport security via SQL injection

ian.sh

2004 points by iancarroll a year ago · 458 comments

woodruffw a year ago

The TSA's response here is childish and embarrassing, although perhaps unsurprising given the TSA's institutional disinterest in actual security. It's interesting to see that DHS seemingly (initially) handled the report promptly and professionally, but then failed to maintain top-level authority over the fix and disclosure process.

  • wouldbecouldbe a year ago

    It’s very hard for management, even IT managers, to fully understand what such things mean.

    I’ve seen huge issues, like exposed keys, being treated as a small issue, while an outdated JS library or lack of IPv6 support gets escalated.

    I’m sure TSA and their partners want to downplay potential exposure; I’m also sure it’s hard for a lot of their managers to fully understand what the vulnerability entails (most likely their developers are downplaying their responsibility and pointing fingers at others).

    • jmholla a year ago

      This is the Transportation SECURITY Agency. If the managers involved here can't understand why this is a huge deal, they're exceptionally unqualified for their jobs.

      Edit: Fixed a double negative (previously: This is the Transportation SECURITY Agency. If the managers involved here can't understand why this is a huge deal, they're not exceptionally unqualified for their jobs.)

      • quantified a year ago

        Probably, they can and do understand it. They just have a deny/deflect culture.

      • doctorpangloss a year ago

        > If the managers involved here can't understand why this is a huge deal

        Was it a huge deal though?

        • ttyyzz a year ago

          It was the most humongous deal if we talk about IT security. SQL injection shouldn't be a thing in today's IT landscapes. And here we are giving everyone and their mother admin access to a database where the attackers can literally get not only on a plane but also in the fucking Cockpit. So yes, big big deal.

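As an added example, not from the original post or from the ian.sh write-up the thread is about, here is the pattern ttyyzz is objecting to, reduced to a toy login check. The table, rows and payload are constructed for this illustration and stand in for nothing the thread describes. The first function concatenates the submitted username into the SQL text, so a username containing a quote and a trailing comment marker rewrites the WHERE clause; the second passes the same values as bound parameters, and the identical payload is just an unmatched string.

```python
import sqlite3

# Constructed sample data for this example only: a toy users table with one
# admin account. Plaintext passwords are used purely to keep the demo short;
# a real system stores salted password hashes.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery', 1)")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by string concatenation, so user input is parsed as SQL.
    Returns the matched (username, is_admin) row, or None."""
    sql = (
        "SELECT username, is_admin FROM users "
        "WHERE username = '" + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()

def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: the driver hands the values to the
    engine separately, so quotes and comment markers in them are never parsed
    as SQL syntax."""
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()

# A classic login-bypass payload: closes the open string, ORs in a tautology,
# and comments out the rest of the WHERE clause, password check included.
# The resulting SQL in the vulnerable path is:
#   ... WHERE username = '' OR '1'='1' --' AND password = 'wrong'
BYPASS_USERNAME = "' OR '1'='1' --"

def demo() -> dict:
    """Runs the payload through both code paths plus one legitimate login."""
    conn = build_db()
    return {
        "vulnerable": login_vulnerable(conn, BYPASS_USERNAME, "wrong"),
        "parameterized": login_parameterized(conn, BYPASS_USERNAME, "wrong"),
        "legit": login_parameterized(conn, "alice", "correct horse battery"),
    }

if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:14s} -> {row}")
```

The vulnerable path returns the admin row for a user who supplied neither a valid username nor a valid password; the parameterized path returns nothing for the same input and still authenticates the real credentials. The fix is mechanical, which is the point being made in the thread: there is no version of this query that needs concatenation.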
          • doctorpangloss a year ago

            > where the attackers can literally get not only on a plane but also in the fucking Cockpit.

            You can easily get on a plane, you buy a ticket to board it.

            People try, and succeed, at getting weapons through TSA checkpoints. I don't know what the idea is though. If you want to shoot and kill someone, do it at the security checkpoint, as happened at Domodedovo. People hijacked planes because the media covered it. You could also hijack buses. I don't know. What is the threat model?

            Bag handlers smuggle drugs. I don't know. Airports are fairly porous.

            I don't think this little SQL hack gets you into a cockpit. I suppose I could also buy an ordinary ticket, change in the bathroom into pilot clothes, and then bluff my way in. It should be obvious what personal facts about me make that easier for me than for someone else.

            Do you see what I mean? This isn't a big deal. It's fun to be dramatic about, that's for sure. IMO the large number of high drama personalities in the "security" field - when you are a customer, and on the other side, the technical person is high drama - is harmful to security goals.

            • Ancapistani a year ago

              Or you could buy a real ticket, bypass security with this (and whatever you have in your bags), then hijack an international flight full of fuel.

              This isn’t hard to exploit.

            • Breza a year ago

              TSA spends $6.3 billion per year on screening operations. Someone being able to bypass the entire apparatus of airport screening using a SQL injection attack is a really big deal.

          • wouldbecouldbe a year ago

            It wasn’t an SQL injection in their code. It was a third party issue.

            So internally the question would probably be how you can open it up responsibly.

            Closing the API is probably a support nightmare; they probably gave too many rights and too few safety checks.

        • cortesoft a year ago

          If this is not a huge deal, then we don’t really need the TSA at all.

    • WarOnPrivacy a year ago

      >> The TSA's response here is childish and embarrassing,

      > It’s very hard for management, even IT managers,

      I'm confident that the grandparent's comment is correct.

      TSA is closer to the issue than HSA; I'd wager big that they sense embarrassment.¹²

      TSA management would have immediate access to people capable of framing the issue correctly, including their own parent agency. Their reaction was never going to be held back by technical facts.

          ¹ US Sec/LEO/IC agencies have a long and unbroken history of attacking messengers that bring embarrassment. There is ~no crime they are more dedicated to punishing.

          ² The world's easiest presupposition: Discussions took/are taking place on how they might leverage the CFAA to deploy revenge against the author.

    • ensignavenger a year ago

      Part of being a good manager is knowing how to get good folks to give you advice on things you don't understand, and knowing how to follow that advice. Yeah, it's hard, but that's a huge part of the whole dang job!

      No manager (or human) is perfect, mistakes happen- we need to be humble enough to listen and learn from mistakes.

      • Breza a year ago

        Well said. One of my friends came to cyber management from a legal background. You'd better believe my buddy is calling the most respected nerd in the building when learning about a possible vulnerability. Knowing your technical limitations and where to go to get answers is an important skill for tech managers.

  • sweeter a year ago

    TSA is security theater, it is there to give the illusion of security. In reality it seems more like the goal is the entrenchment of surveillance and the appearance of strength.

  • garyfirestorm a year ago

    > It's interesting to see that DHS seemingly (initially) handled the report promptly...

    I think DHS mid level manager yelled at a TSA mid level manager who reported this to the senior TSA officials and then their usual policy kicked in... deny/deflect/ignore

  • macNchz a year ago

    What was surprising to me was that they didn't immediately do pre-dawn raids on the pentesters' homes and hold them without a lawyer under some provision of an anti-terror law.

    • woodruffw a year ago

      That's not really how this works. TSA is maliciously incompetent, but there is a reporting pipeline and procedure for these things that's formalized and designed to protect exactly this kind of good-faith reporting[1].

      (It's very easy to believe the worst possible thing about every corner of our government, since every corner of our government has something bad about it. But it's a fundamental error to think that every bad thing is always present in every interaction.)

      [1]: https://www.cisa.gov/report

      • macNchz a year ago

        Is there any sort of assurance that this wouldn't turn into a prosecution, though? It's not obvious to me on that site. Perhaps the CISA doesn't want to deter researchers, but do they get to make the final call?

        The DoJ announced in 2022 that they would not prosecute "good faith" security researchers, but it's not binding, just internal policy: https://www.scmagazine.com/analysis/doj-wont-prosecute-good-...

        The policy (https://www.justice.gov/jm/jm-9-48000-computer-fraud) explicitly states at the end that it's for guidance only / does not establish rights, and it includes a provision for additional consultation on cases involving terrorism or national security–terms which have both been overloaded by the government to justify overreach in the past.

        Personally, given the history of the CFAA, I wouldn't want to be in a position to test out this relaxed guidance on prosecuting good-faith researchers, but perhaps I'm unnecessarily averse to the idea of federal prison.

        • woodruffw a year ago

          > Is there any sort of assurance that this wouldn't turn into a prosecution, though? It's not obvious to me on that site. Perhaps the CISA doesn't want to deter researchers, but do they get to make the final call?

          I don't think any sort of absolute assurance is possible, and if it was given I wouldn't trust it to be permanently binding :-)

          This is my intuition from having interacted with CISA, and my impression from talking to policy people: it's not 1993 (or even 2013) anymore, and there's a much better basal understanding of security researchers vs. someone trying to secure a "get out of jail free" card for doing something they shouldn't have. That doesn't mean the government can't mess up here, but I can't remember a prominent example of them throwing the book at a good faith report like this in the past decade.

          (Swartz is who I think of as an example of an extreme miscarriage of justice under an overly broad interpretation of the CFAA. And, of course, there could be facts in this situation that I'm not aware of that would motivate a criminal or civil CFAA investigation here. But "pre-dawn raids" aren't really it in situations like this one.)

          • macNchz a year ago

            I guess... at the end of the day without some reform to the CFAA I just wouldn't ever feel comfortable using exploits to gain access to a random website–particularly one related to air travel security–that I had no engagement with, even if there are enlightened folks in government who want to protect good-faith research. The downsides are just way too serious in the case someone, somewhere decides there's something worth prosecuting.

            The FBI did raid this guy in 2016 after what was seemingly an attempt at responsible disclosure of leaked medical records: https://arstechnica.com/information-technology/2016/05/armed...

            And this journalist last year, though the facts of this story are less clear and obviously not responsible-disclosure related: https://www.cjr.org/the_media_today/tim-burke-florida-journa...

            • dannyw a year ago

              Well yeah, I personally don't pen-test random websites without clear terms or a bug bounty program.

          • Breza a year ago

            I generally agree with you, but I would worry that an overzealous agency would be fine with finding and reporting the SQL injection vulnerability but object to the author creating an obviously fake record. It's hard to know exactly where the line is.

      • fredgrott a year ago

        the safer way is to have a US Congress member read the report into a hearing....as the funny thing is that the US has a law and rule that a congressperson is not breaking the law if reading something into a hearing...sort of US Congress's own SQL injection....

        • Breza a year ago

          Even better, it's not a law, it's a provision of the Constitution. Article 1, Section 6 lets members of Congress say whatever they want on the floor.

        • kchr a year ago

          I can't decide whether it would be considered an SQL injection or a SSRF attack, actually. I'm leaning towards the latter. Or maybe even a reflected XSS?

      • samstave a year ago

        >'...there is a reporting pipeline and procedure...'

        ---

        Here is the next YC: An app that uses AI to navigate all the Civil Injections and allow the easiest way to contact, petition, complain, praise, poll, explain a law, measure etc ELI5.

        Get OpenAI and/or Amazon (Given they run DataCenter Infra for CoIntelPro) - since they have/seek government contracts - and have Massive AI - make them create a USA-GPT.gov and its the most informed bot that will connect you to, explain, write-your-[representative/lobbyist/committee], and these companies have to provide these govGPTs in order to maintain any federal/defense contracts.

    • sixothree a year ago

      There's still _plenty_ of time for that to happen. I wouldn't want to be this person right now. I like my dog alive.

      • extraduder_ire a year ago

        I was thinking. They seem much more likely to react that way to public disclosure, and losing face as a result than from a professional looking private disclosure that they (either the org, or someone further up the org chart) can pretend never happened.

    • garyfirestorm a year ago

      that is apparently not a popular move anymore since people keep logs and have credentials, strong social media presence and readily available cloud enabled cameras. one email to any news org and whoever authorizes the raid will probably face some music. but knowing TSA, we can expect this any minute now...

    • noinsight a year ago

      Yeah, I don't know if I would go testing such systems and then reporting the results under my own name (presumably)...

      I didn't see any comment about them being contracted to do this at least.

dylan604 a year ago

Since they actually went past the SQL injection and then created a fake record for an employee, I'm shocked that Homeland did not come after and arrest those involved. Homeland would have been top of the list to misinterpret a disclosure and prefer to refer to the disclosure as malicious hacking instead of responsible disclosure. I'm more impressed by this than the incompetence of the actual issue.

  • aftbit a year ago

    You're not wrong, but I would have a hard time as a jury member convicting them of a CFAA violation or whatever for creating a user named "Test TestOnly" with a bright pink image instead of a photo.

    If they had added themselves as known crewmembers and used that to actually bypass airport screening, then yeah, they'd be in jail.

    • smsm42 a year ago

      That's what jury instructions are for. The judge can instruct the jury to ignore pretty much any facts and consider any subset of what really happened that they want. So they'd just instruct "did they access the system? Were they authorized? If the answer to the first question is yes, and to the second is no, the verdict is guilty, ignore all the rest". The jury won't be from the HN crowd, it would be random people who don't know anything about CFAA or computer systems, it will be the easiest thing in the world to convict. Those guys got so lucky DHS exhibited unusually sensible behavior, they could have ruined their lives.

      • mariodiana a year ago

        As my good fortune would have it, I'm called to jury duty two weeks from now. I doubt I'll be sat though. Should I be, I'll keep the above in mind.

        • okwhateverdude a year ago

          If you don't want to be sat, just mention Jury Nullification. Courts really hate that sanity check on the process.

          https://en.wikipedia.org/wiki/Jury_nullification

          • feoren a year ago

            I once got called into jury duty and sat through jury selection. On that day, protesters were outside the courthouse calling awareness to jury nullification, so the judge brought it up. He said something like: "jury nullification is a constitutional right, but you waive those rights when you take the oath of a juror. It is not an option to you." I really wanted to say "but that constitutional right is not my right, it's the defendant's right. How can I waive the defendant's constitutional right to a trial where jury nullification is a possible outcome?" However, it was a rape trial, where nullification would be an awful outcome (basically saying: yeah, he raped her, but that shouldn't be illegal in this case ... yuck), so I kept my mouth shut. But it still bothers me that the judge was so glib about "waiving" the constitutional rights of the defendant.

            • FireBeyond a year ago

              > But it still bothers me that the judge was so glib about "waiving" the constitutional rights of the defendant.

              Around here, people are clamoring for a judge to be recalled because she is on top of rights for defendants. A recent one I watched on Zoom was a prosecution motion to revoke bail:

              Prosecutor: "Because blah blah blah, and in addition the defendant shows no signs of taking responsibility for his actions, we..."

              Judge, cutting her off: "I'm going to stop you there. The defendant entered a plea of not guilty, and as of this moment has not been found guilty at trial. In the eyes of the court, he has precisely zero obligation to take responsibility for alleged actions at this point in time."

              Prosecutor was not happy.

              • aftbit a year ago

                People want that judge to be recalled? So not only are people opposed to trial by jury, they also want the judge to be biased towards the prosecution? Why? Just the usual "tough on crime" dogwhistles?

                • FireBeyond a year ago

                  Mostly so. They're the same ones who comment on posts about fires at homeless encampments as "Good" or "Too bad it didn't wipe the place out" and sycophantic "Thank you Sheriff" when the department posts about an arrest.

            • samspot a year ago

              Which countries make Jury Nullification a constitutional right for defendants? I looked at the wikipedia article (US section), and it only refers to it as power possessed by a jury.

              • tylervigen a year ago

                If a defendant has the constitutional right to trial by a jury, and that jury has autonomy to make an independent decision, then jury nullification is a possible outcome.

                If jury nullification is not a possible outcome, then either the defendant doesn't have a right to trial by jury, or that jury is not allowed to make an independent decision.

                Defendants don't have a direct constitutional right to jury nullification (the Constitution doesn't say anything about nullification). It's just a logical consequence: if the jury really can make independent decisions, then nullification is necessarily one of those possible decisions.

              • cryptonector a year ago

                Impliedly all countries that have jury trials. But most of those deny this explicitly somewhere, typically in statutes or convention.

            • akkat a year ago

              I don't know your case, but the term "rape" has been legally expanded a lot from what we might imagine when we hear the word "rape" (forceful sexual act).

              Legally it can mean a case where a man met a woman in a bar, she was not drunk and wanted to go home with him. She explicitly consented. Later it ends up that she was using a fake ID to get into the bar, she was only 17.9 years old in a state where the age of consent is 18. Or alternatively, the guy recently moved a block over. In his old location the age of consent was less than 18, but now he moved and he committed rape (aka, the opinion that got Richard Stallman to step down).

              And no, there is no exception for mistaking the age. https://scholarlycommons.law.wlu.edu/cgi/viewcontent.cgi?art...

              • Rebelgecko a year ago

                YMMV but I don't think in my state either of those things would be tried as just "rape".

                If there's no force/threats/drugs etc involved and the minor consents, it's charged as statutory rape which is different than capital-R rape.

                Statutory rape can be a felony, but in cases like an 18 year old and a 17.5 year old having sex it's a misdemeanor and realistically 99.999% of the time it happens there are no charges.

            • aftbit a year ago

              I had a very similar situation when I was called. The trial subject was systematic elder abuse and neglect by a person in a position of power at a hospital. I was very glad to not be chosen. I would not have nullified and I did not want to spend weeks hearing about how this woman basically tortured helpless people.

          • nullindividual a year ago

            I told a prosecutor during voir dire that I wouldn’t follow a judge’s instruction if it was a case involving drugs (I think it was a shoplifting case, so not relevant to the particular case). That was enough to be excused by the prosecutor.

            Nullification in not so many words.

          • jojobas a year ago

            Smarter people avoiding jury duty delegates justice to dumber people.

            Yeah, I know you're busy and easily bored.

          • zelos a year ago

            Careful, you can get into trouble for reminding jurors of their rights

            https://www.independent.co.uk/climate-change/news/inner-lond...

        • SpaceNoodled a year ago

          They tend to specifically choose against people with critical thinking skills.

          • Spivak a year ago

            Everyone says this but when people say "critical thinking skills" it really means "is obvious they will willfully disobey the instructions given to them by the judge and hold their own moral/ethical code above the law."

            You're literally describing jury nullification in a situation where by the hypothetical judge's instructions they're obviously guilty. I might agree with you that the law is bullshit but by right you and I should be dismissed.

            • feoren a year ago

              > hold their own moral/ethical code above the law ... I might agree with you that the law is bullshit

              This is the entire reason that we have trial by jury and not trial by judge. I'm not sure how this got lost over the centuries. If 12 of your peers think you did it but the law is bullshit and you shouldn't have your life destroyed because of some stupid technicality in a bullshit law, then you should walk free! I'm aware this has been used to horrible ends in the past (e.g. 12 white jurors nullifying a lynching) but that's a problem with jury selection (and those so-called peers), not with nullification.

              > You're literally describing jury nullification in a situation where by the hypothetical judge's instructions they're obviously guilty

              Yes, that is the only time nullification is relevant. If a judge can lead the jury to one verdict or another via his instructions, then it's not a trial by jury at all. It's a trial by judge. The founders understood that -- they didn't want a trial by judge. The jury is a check on the judge's power!

              • beaglesss a year ago

                Jury is peer, not subordinate of judge, and they should keep each other in check. Some tyrannical judges don't understand this. Sometimes the judge has to be reminded he is wrong in a way he can't prove he's been reminded, however.

        • linuxftw a year ago

          If it's a criminal case, be sure to check out the Innocence Project to inform yourself on some of the junk science police and prosecutors like to use.

      • bryant a year ago

        DHS officially uses bugcrowd for their VDP, for what it's worth.

        https://bugcrowd.com/engagements/dhs-vdp

      • ruthmarx a year ago

        > That's what jury instructions are for. The judge can instruct the jury to ignore pretty much any facts and consider any subset of what really happened that they want. So they'd just instruct "did they access the system? Were they authorized? If the answer to the first question is yes, and to the second is no, the verdict is guilty, ignore all the rest".

        The only real protection is the fact that you can vote whatever way you want and not even a judge can compel you to state your reasoning.

    • beaglesss a year ago

      What if they incremented a number in a url on a publicly available website?

      • debo_ a year ago

        Is this a reference to a past event? I don't get it.

        • qup a year ago

          • bjoli a year ago

            Jeez, I just read about him. Was he the first who went down the alt right pipeline? What happened there?

            From goatse security to the Daily Stormer.

        • beaglesss a year ago

          In part yes but inevitably devolves into an ad hominem attack against the most high profile case of a guy who did it, who is now hiding in Ukraine on a Pridnestrovian passport after having his conviction overturned (temporarily) giving him an escape window.

          • fullspectrumdev a year ago

            Weev hasn’t been in Ukraine in a good few years. He was last confirmed spotted in Transnistria before the 2022 invasion and apparently hasn’t moved on since.

            His stay in Ukraine was rather brief, he was… not well liked there.

          • extraduder_ire a year ago

            How do you have a conviction temporarily overturned? I thought the US had rules about double jeopardy. Unless you're referring to some other charges he hasn't been tried for.

            • ensignavenger a year ago

              Overturning a conviction is usually permanent, however, that does not necessarily mean the verdict becomes Not Guilty, and only when the verdict is Not Guilty does double jeopardy come into play. It is possible for a higher court to overturn a lower court's decision, have it returned for reconsideration, or even a whole retrial. In other cases a higher court will overturn a verdict and instruct the lower court to change the verdict to Not Guilty.

            • beaglesss a year ago

              They ruled it was tried in the wrong jurisdiction thus basically never happened. There is likely a sealed indictment awaiting in another jurisdiction where they will try again, now knowing the trial strategy of the defense.

          • fnfjfk a year ago

            > hiding in Ukraine

            Huh. Uh, weird choice, given, well, you know…

            • pbhjpbhj a year ago

              Maybe not. If you claim to be living in an active warzone and go missing who would look for you?

              Flee to Western Europe under an assumed identity, get taken in as a refugee?

              • ruthmarx a year ago

                Assuming you can fluently speak in a language expected of a refugee and are not from a country that has your prints on file...

            • bjoli a year ago

              Before he spent some time in Transnistria as well, which is also a weird choice.

              • beaglesss a year ago

                It's an excellent choice IMO from his perspective. They grant citizenship after 1 year with not a lot of questions and have a cash economy. And they don't extradite to the US.

                • jojobas a year ago

                  They're also not above confiscating your cash and killing you if it suits them. Or (before the war) they wouldn't think twice to send you to Russia to be used as a bargaining chip.

                  • beaglesss a year ago

                    Weev is effectively banned from the banking system. The list of places with enough infrastructure to survive as a hacker, without foreign citizenship and in a cash/crypto economy with no extradition treaty is thin. I'm sure Transnistria might do that but apparently it wasn't worth their time to kill him. Seems better than North Korea, Iran, or the bush of Africa.

        • hyperhello a year ago

          It's an incredibly basic form of pen testing. For example, this reply page URL refers to id=41393364, which is presumably your comment. So what happens if I replace it with a different number? Probably something innocent, but maybe not.

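The sequential-id check hyperhello describes, as an added example that is not part of the original thread. The draft store, owner names and ids below are constructed for the illustration. `probe_sequential_ids` does what a tester does by hand (take a known id, step through its neighbours, note anything that comes back belonging to someone else); `get_draft_vulnerable` is the lookup that fails that test, and `get_draft_checked` the one that passes it, returning None for both a missing record and another user's record so the probe cannot tell the two apart.

```python
# Constructed sample data for this example only: private draft records keyed
# by a sequential integer id, each owned by one user. Id 1044 does not exist.
DRAFTS = {
    1041: {"owner": "alice", "body": "alice draft A"},
    1042: {"owner": "bob",   "body": "bob draft"},
    1043: {"owner": "alice", "body": "alice draft B"},
    1045: {"owner": "carol", "body": "carol draft"},
}

def get_draft_vulnerable(requester: str, draft_id: int):
    """Insecure direct object reference: the record is looked up by id alone,
    so any authenticated user can read any draft just by guessing its number."""
    return DRAFTS.get(draft_id)

def get_draft_checked(requester: str, draft_id: int):
    """Object-level authorization: the record must exist AND belong to the
    requester. Missing and forbidden both yield None, so an enumerating client
    learns nothing about which ids are in use."""
    rec = DRAFTS.get(draft_id)
    if rec is None or rec["owner"] != requester:
        return None
    return rec

def probe_sequential_ids(fetch, requester: str, start: int, count: int) -> dict:
    """Emulates the manual test: starting from a known id, request each of the
    next `count` ids as `requester` and collect every record that was returned
    but belongs to somebody else. Returns {id: owner} for the leaked records."""
    leaked = {}
    for draft_id in range(start, start + count):
        rec = fetch(requester, draft_id)
        if rec is not None and rec["owner"] != requester:
            leaked[draft_id] = rec["owner"]
    return leaked

if __name__ == "__main__":
    # bob knows his own draft is 1042 and walks the ids around it.
    print("vulnerable:", probe_sequential_ids(get_draft_vulnerable, "bob", 1040, 6))
    print("checked:   ", probe_sequential_ids(get_draft_checked, "bob", 1040, 6))
```

Against the vulnerable lookup the probe comes back with three other users' drafts; against the checked lookup it comes back empty, and bob can still read his own record. The check belongs in the data-access layer, not in the UI that happened to hide the link, because the URL is the interface the tester is actually using.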
        • mmsc a year ago

          Another one from Australia from over a decade ago: https://amp.smh.com.au/technology/super-bad-first-state-set-...

        • debo_ a year ago

          Thanks for all the references / replies, folks. I appreciate it.

      • aftbit a year ago

        Yeah I wouldn't have convicted weev either. There is a difference though. He used that incremented number to access actual user PII. These guys created a user with no PII and no actual malicious use.

        • rawling a year ago

          It looks like they got access to a list of names of existing users.

    • mrguyorama a year ago

      >You're not wrong, but I would have a hard time as a jury member

      Which is why jury selection usually removes people who understand the situation.

    • RHSeeger a year ago

      But would it really matter if they were convicted, after being in jail for who knows how long awaiting trial, losing their job, etc?

    • newscracker a year ago

      > You're not wrong, but I would have a hard time as a jury member convicting them of a CFAA violation or whatever for creating a user named "Test TestOnly" with a bright pink image instead of a photo. If they had added themselves as known crewmembers and used that to actually bypass airport screening, then yeah, they'd be in jail.

      I think it could go any which way. The prosecution could argue that the defendant may have tampered with existing records or deleted some. In this particular case, it’s probable that the system does not have any or adequate audit trails to prove what exactly transpired. Or the claim could be that the defendant exfiltrated sensitive data (or that the defendant is trying to hide it) to share with hostile entities.

      • t0mas88 a year ago

        If the system has no audit logs, the prosecutor would have no evidence of any of that.

        And in a system this broken the defence could even argue that anyone could have done it and modified the logs to implicate the defendant. You can't use any data from this system as evidence.

    • IshKebab a year ago

      Yeah so best case you spend tens of thousands on lawyers and probably win.

      Doing this under your own name is insane.

      • aftbit a year ago

        Best case, assuming you even get charged, your case gets picked up by the EFF, ACLU, IFJ, etc. You spend nothing, you win, and you get a lot of free publicity for your pen testing company.

        Worst case, nobody comes to help you, you spend all of your money, still lose the case, end up in a shitty US prison, and get stabbed in the shower by some guy driven crazy by spending months in solitary.

        Personally, I would not mess with security research on anything even distantly related to US Gov.

  • cabaalis a year ago

    If anyone from there reads the parent, they should know they have created an atmosphere where the worry of possible prosecution over responsible disclosure has the potential to scare away the best minds in our country from picking at these systems.

    That just means the best minds from other, potentially less friendly countries, will do the picking. I doubt they will responsibly disclose.

    • smsm42 a year ago

      I personally don't comprehend how these people are taking such huge risks. One bureaucrat wakes one morning in the wrong mood and your life is ruined at least for the next decade, maybe forever. Why would anyone do it - just for the thrill of it? I don't think they even got paid for it?

    • newscracker a year ago

      I’m not sure any country’s bureaucracy really appreciates responsible disclosures that make the government’s systems look very poorly designed. There is always the risk of being classified as an enemy agent/criminal depending on who’s reading the report and their own biases.

  • bryant a year ago

    DHS officially uses bugcrowd, for what it's worth.

    https://bugcrowd.com/engagements/dhs-vdp

    They've had that relationship for a few years now, so I'm guessing they're somewhat versed. TSA specifically might be less so, but I can't imagine the DHS referring anything to the DOJ for prosecution given that they both have a VDP for the entire department and advise other departments on how to run VDPs (via CISA).

    But I might just be overly optimistic.

  • lyu07282 a year ago

    In some countries where this is the norm, like Germany, the usual route is to report the issue to journalists or to non-profits like the CCC and those then report the issue to the government agency/company. This way you won't get prosecuted for responsible disclosure. Alternatively an even safer route is to write a report and send it to them anonymously with a hard deadline on public/full disclosure, won't get any credit for the discovery this way of course.

  • beaglesss a year ago

    The statute of limitations is long and HSI often delays their indictment until the investigation is mostly wrapped up.

    • dylan604 a year ago

      So you're suggesting they're not out of the woods?

      • beaglesss a year ago

        Depends. If no one currently cares, there is no significant structure or personnel or political change in the future several years, and they don't have any assets worth taking, and the government doesn't get any more desperate for assets to seize -- then they're out of the woods.

        • dylan604 a year ago

          I doubt asset seizure is what they'd be after. I was thinking more of the "make an example out of them" mentality as an attempt to prevent others from being curious. Government entities don't tend to do well with knowing the difference of malicious hacking and responsible disclosure. The infamous governor and the View Source is a fun one to trot out as exhibit A.

          • smsm42 a year ago

            Asset seizure is not because the government needs the money. It's because you need the money to pay for lawyers, legal experts, etc., and if your assets are seized, you can't - so you are much easier to pressure into making a quick guilty plea and get another successful prosecution added to the list. Of course, the whole process is the punishment as usual, but the asset seizure also plays an important coercive role there.

          • garyfirestorm a year ago

            don't even need to make an example... they probably have a warning/welcome pop up that says 'unauthorized access to this system will result in...' because the TSA lawyer is going to follow this simple train of thought - were the 'accused' authorized to access the system - gotcha!

          • beaglesss a year ago

            Both are definitely valid. I think saving face and cash grabs are the two fastest ways to get in deep shit with the government.

  • mpaco a year ago

    The timeline mentions the disclosure was made through CISA, and on their website there is an official incident report form.

    I can imagine an email to some generic email address could have gone down the way you describe, but I guess they look at these reports more professionally.

    https://myservices.cisa.gov/irf

  • neilv a year ago

    Good catch. Of course, different people wear different shades of hat, and I guess the author might have good rationale for going quite as far as they did, I don't know.

    Kudos to the author for alerting DHS. Methodology questions aside, it sounds like the author did a service, by alerting of a technical vulnerability that would be plausible for a bad actor to seek out and successfully discover.

    But regardless, I hope any new/aspiring security researchers don't read this writeup, and assume that they could do something analogous in an investigation, without possibly getting into trouble they'd sorely regret. Some of the lines are fuzzy and complicated.

    BTW, if it turns out that the author made a legality/responsibility mistake in any of the details of how they investigated, then maybe the best outcome would be to coordinate publishing a genuine mea culpa and post mortem on that. It could explain what the mistake was, why it was a mistake, and what in hindsight they would've done differently. Help others know where the righteous path is, amidst all the fuzziness, and don't make contacting the proper authorities look like a mistake.

  • Enginerrrd a year ago

    I mean... they still might if the wrong people end up getting embarrassed by this. The wheels of bureaucracy are slow.

jerf a year ago

You know it's bad when it's so bad that as I write this no one has even bothered talking about how bad storing MD5'd passwords is. This even proves they aren't even so much as salting it, which is itself insufficient for MD5.

But that isn't even relevant when you can go traipsing through the SQL query itself just by asking; wouldn't matter how well the passwords were stored.

  • rachofsunshine a year ago

    This used to be a question on the Triplebyte interview almost verbatim, and a huge percentage of (even quite good) engineers got it wrong. I'd say probably <20% both salted and used a cryptographically-secure hash; MD5 specifically came up all the time. And keep in mind that we filtered substantially before this interview, so the baseline is even worse than that!

    • rjh29 a year ago

      Damn. Using salts and avoiding MD5 in favour of SHA-1 was well known even around 2005. Rainbow tables were a thing even then.

      • Tainnor a year ago

        Using pure SHA for passwords is almost equally bad as MD5, because the biggest problem with these algorithms is their speed (MD5 is completely broken when it comes to collision resistance, of course, but that's not the main concern with passwords). Instead, you should use functions like bcrypt or PBKDF2, which are purposefully built for passwords.

      • Cthulhu_ a year ago

        How are people still learning about basic MD5 for security twenty years later? Are the resources people use that old?

        • wildrhythms a year ago

          Probably because a lot of computer science programs are stuck in 90s era curricula and many don't teach web development whatsoever.
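The sub-thread above contrasts unsalted MD5 with purpose-built password hashes such as bcrypt or PBKDF2. The following Python is an added example, not code from the thread or from FlyCASS: it uses the standard library's PBKDF2-HMAC to show why the same password hashes identically under bare MD5 but differently under a salted, slow scheme, and includes a small audit helper a defender could use to spot legacy MD5-shaped entries. The sample password, the iteration count and the storage format string are assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Constructed sample password for the demonstration (not a real credential).
PASSWORD = "correct horse battery staple"

# Assumed work factor; tune to your hardware, higher is slower for an attacker too.
PBKDF2_ITERATIONS = 600_000

# An unsalted MD5 digest is 32 hex characters; used by the audit helper below.
_MD5_SHAPE = re.compile(r"^[0-9a-f]{32}$")


def md5_unsalted(password: str) -> str:
    """The weak scheme the thread describes: a bare MD5 of the password.
    Identical passwords yield identical digests, so one precomputed table
    or one fast brute-force pass cracks every account sharing a password."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash: PBKDF2-HMAC-SHA256 with a random
    16-byte salt. The result embeds algorithm, cost and salt so a verifier
    can recompute it later and parameters can be raised over time."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and cost, and compare
    in constant time so the check itself does not leak via timing."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def find_legacy_md5_entries(user_table: Dict[str, str]) -> List[str]:
    """Audit helper: return usernames whose stored value looks like a bare
    MD5 digest rather than a self-describing salted hash, so they can be
    rehashed at next login or forced to reset."""
    return [user for user, stored in user_table.items() if _MD5_SHAPE.match(stored)]


if __name__ == "__main__":
    # Constructed table: one legacy MD5 row and one salted row for the same password.
    table = {"alice": md5_unsalted(PASSWORD), "bob": hash_password(PASSWORD)}
    print("legacy rows to migrate:", find_legacy_md5_entries(table))
    print("bob verifies:", verify_password(PASSWORD, table["bob"]))
```

Two stored hashes of the same password never match under the salted scheme, which is exactly the property that makes precomputed tables useless; the MD5 column in the thread's screenshot has no such protection.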

  • AntonyGarand a year ago

    The md5 part of the sqli is added by the pentester, likely because they needed a call that would end in a parenthesis within the injection parameter

    • tomsmeding a year ago

      There is already a call to MD5 in the original query; see the first image in the article, which they apparently obtained by submitting ' as the username: https://images.spr.so/cdn-cgi/imagedelivery/j42No7y-dcokJuNg...

      • jerf a year ago

        Yup, and there we can see the password is just splatted in with no salt. 99%+ the password is an injection attack too, but one only needs one set of the keys to the kingdom to make the point, so the article never discusses getting in via password instead and the author may well never have checked, because it couldn't make things any worse.

    • 0x0 a year ago

      The screenshot in the article shows MD5() is returned as part of the error message from the web server, so it is probably also a part of the original server-side query.
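The sub-thread above works out, from the error screenshot, that the original query concatenated the username directly into SQL and wrapped the password in MD5(). The following Python is an added example, not code from the article or from FlyCASS: it rebuilds that query shape against an in-memory SQLite database, shows that a lone quote in the username turns into a database error on the string-built path while the parameterized path simply finds no row, and registers a custom MD5() function only because SQLite has none. The table, the sample account and the function names are constructed assumptions, and the unsalted MD5 storage is kept solely to mirror the thread, not as a recommendation.

```python
import hashlib
import sqlite3
from typing import Optional


def _md5_hex(value):
    # SQLite ships no MD5(); register a Python one so the query text matches
    # the shape inferred from the screenshot. Nulls pass through as in SQL.
    if value is None:
        return None
    return hashlib.md5(str(value).encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample schema with one account (alice / hunter2)."""
    con = sqlite3.connect(":memory:")
    con.create_function("MD5", 1, _md5_hex)
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)"
    )
    con.execute(
        "INSERT INTO users (username, password) VALUES (?, MD5(?))", ("alice", "hunter2")
    )
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    """String-built query: user input becomes part of the SQL text.
    A single ' in the username unbalances the statement, and an app that
    echoes the resulting database error reveals the query, as the thread notes."""
    sql = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = MD5('{password}')"
    )
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(con: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    """Placeholders keep the input as data: the same quote is just a username
    that does not exist, and the query cannot change shape."""
    sql = "SELECT id FROM users WHERE username = ? AND password = MD5(?)"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def error_surfaced_by_vulnerable_login(con: sqlite3.Connection, username: str) -> Optional[str]:
    """Return the database error text the string-built path produces for a
    given username, or None if the statement parsed. This is the signal a
    defender should never let reach the client."""
    try:
        login_vulnerable(con, username, "x")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    print("valid login (parameterized):", login_parameterized(db, "alice", "hunter2"))
    print("quote as username (parameterized):", login_parameterized(db, "'", "x"))
    print("quote as username (string-built):", error_surfaced_by_vulnerable_login(db, "'"))
```

The fix is the placeholder, not input filtering: a front-end check that rejects a quote, as one commenter below predicts the developer might add, leaves the string-built query intact for any client that skips the form.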

urbandw311er a year ago

> We did not want to contact FlyCASS first as it appeared to be operated only by one person and we did not want to alarm them

I’m not buying this. Feels more like they knew the site developer would just fix it immediately and they wanted to make a bigger splash with their findings.

  • biftek a year ago

    This is exactly the kinda bug where you want to make a big splash though. You don't just want the guy to silently fix it, everyone in the database needs to be vetted again.

  • almog a year ago

    Whatever their motive was, the engineering process that allowed such a common bug to sneak in is broken. If the sole developer immediately fixed it, it would have been hard to escalate the issue so that maybe someone up the chain can fix this systematically. I'm not sure such overhaul would really happen but it's more likely that it won't if not escalated.

  • conroydave a year ago

    Agreed that they wanted to fully understand the extent of the hack before disclosing

  • Tepix a year ago

    I came here to say this. Totally uncalled for not to contact the site first that had these holes and instead go to homeland security.

    • compootr a year ago

      Yes, and what about the possibility that an attacker already accessed this database and added themself as an employee?

      Would you rather be prepared and do a full (well, for a govt agency, full enough) check on all people allowed to access flying death machines, or have a dev silently fix the issue with possible issues later?

    • norcal a year ago

      ya because the person who developed this is totally trustworthy to fully fix it and assess any other possible vulnerabilities. he definitely isn't gonna just add a front end validation to throw a message on the front end when you submit a single quote...

voiceblue a year ago

Not surprised that they deny the severity of the issue, but I am quite surprised they didn't inform the FBI and/or try to have you arrested. Baby steps?

justmarc a year ago

A good old SQL injection negates the entire security theatre worth probably billions a year, hilarious, but probably not all too surprising.

mikeocool a year ago

> We did not want to contact FlyCASS first as it appeared to be operated only by one person...

It seems pretty remarkable that airlines are buying such a security sensitive piece of software from a one person shop. If you make it very far into selling any piece of SaaS software to most companies in corporate America, at the absolute minimum they're going to ask you for your SOC2 audit report.

SOC2 is pretty damn easy to get through with minimal findings as far as audits go, but there are definitely several criteria that should generate some red flags in your report if the company is operated by a single person. And I would have assumed that if you're writing software that integrates with TSA access systems, the requirements would be a whole lot more rigorous than SOC2.

  • structural a year ago

    The "airlines" that are using something like FlyCASS are themselves smaller operations and typically running on razor thin margins (if not just unprofitable and wishfully thinking that money will suddenly appear and make their business viable). Literally everything on their backend is held together with more duct tape than the average small business.

    You could be an "airline" by purchasing a couple of older airliners and converting them to cargo use. Is it valuable for new airlines to get started? Should we force them out of business because they don't already have the systems in place that take years to decades to build out? Should they pay $$$ for boutique systems designed for a large passenger airline when they have 2 aircraft flying 1 route between nowhere and nowhere?

    Requirements and audits really aren't the answer here. The fundamental design problem is that the TSA has used authentication "airline XXX says you're an employee" with a very large blanket authorization "you're allowed to bypass all security checks at any airport nationwide" without even the basic step of "does your airline even operate here?"

    • morpheuskafka a year ago

      I'm curious why a small cargo airline would even need to use the KCM system. If they don't fly passengers, then wouldn't their crew access the aircraft from the cargo ramp (with a SIDA badge) and never need to enter the passenger terminal/sterile area?

      • Neff a year ago

        Get lucky and get an interline agreement with a larger pax-facing carrier? Sure no one is going to ride on your little cargo planes but your crew gets to fly on someone else's metal.

      • FireBeyond a year ago

        They also may need to transit crews to different airports, sometimes on commercial flights.

    • mikeocool a year ago

      I mean, yes, in this particular situation it seems like there are many layers of screw ups from several different organizations.

      Though given that airlines are responsible for the safety of their crew, passengers, and anyone in the vicinity of their aircraft, requiring them to do some basic vetting of their chosen vendors related to safety and security doesn’t seem unreasonable.

preciousoo a year ago

This was a wild read, that something like this could be so easy, but the later part describing the TSA response is incredibly alarming

magic_man a year ago

The dudes who did this are going to probably be visited by homeland security or FBI. Not sure what they thought they will get out of this. I don't think the government cares about security, but they are vengeful.

  • defparam a year ago

    And what will homeland security or the FBI get out of it after concluding that these "dudes" are two well known talented security researchers trying to conduct responsible disclosure to make air travel safer?

    • lyu07282 a year ago

      These aren't two dudes acting ethically, these are "two hackers arrested by the FBI for breaking into TSA security", good job FBI!

      • zelphirkalt a year ago

        Made the world a safer place again, by capturing two evil terrorists! Also: Good that our security is impenetrable, as we can see here!

mariodiana a year ago

So, the trick here would be to purchase a ticket with a major airline, pack a no-no in your carry-on, and then bypass TSA security by adding yourself to the Known Crew Member list of a small airline using the third-party FlyCASS system, via the SQL-injection. You'd then board the major airline with the no-no. Is that the vulnerability?

  • asynchronous a year ago

    Pretty much, although most TSA check lines no longer require even a boarding pass, so in theory you could pack a bomb with you then bypass all the security theater with this.

    • returningfory2 a year ago

      My presumption was that when you give TSA your ID and they scan it, their systems check that there’s a boarding pass in your name (and DOB)?

  • pbhjpbhj a year ago

    Sounds like you get to sit in the cockpit too?

    • CYR1X a year ago

      Yes you could sit in the third seat, the jumper seat, with this. I feel like one could already sneak something malicious through TSA (this already happens and if you attempt it enough times eventually you'll get through), but being able to sit in the freaking cockpit behind the pilots who assume you're another pilot is CRAZY.

      • solardev a year ago

        It'd be an entertaining sketch to watch, these two airline pilots trying to suss out if the rando weirdo behind them with the ticking suitcase and nervous glances is actually a terrorist... or maybe just afraid of flying?

4gotunameagain a year ago

The safety of airports and air travel compromised by a simple SQL injection ?

What is it, the year 2000 ?

It should be a criminal offence for whoever developed that system.

  • 77pt77 a year ago

    If there are any criminal charges here it will be for the reporters. Not the developers.

    To think otherwise is beyond naive.

yard2010 a year ago

I wouldn't get myself into this honestly. Wrong turn and you're a terrorist. Especially with how crooked and backward the people responsible for it seem.

0xbadcafebee a year ago

Very brave of them to report this. They're likely on no-fly lists for life now, and will probably be investigated by the FBI. The government does not like to be embarrassed.

robswc a year ago

What mind-melting levels of incompetency. I would love to suggest pay raises so the Government can hire better individuals... but I worry the problem is so systemic it wouldn't do any good.

Everyone dropped the ball... and kept dropping it. The part where it's handed to them on a silver platter and it's essentially smacked away. Maddening.

dtx1 a year ago

> 05/17/2024: Follow-up to DHS CISO about TSA statements (no reply)

> 06/04/2024: Follow-up to DHS CISO about TSA statements (no reply)

There should be a public Shitlist of Organisations that don't get the Benefit of Responsible Disclosure anymore, just a Pastebin drop linked to 4chan.

qwertox a year ago

Straight to jail, if this would have happened in Germany.

The TSA would have been the one suing you and would easily win.

  • dyingkneepad a year ago

    Only malicious foreign actors are encouraged to survey the security of systems of national interest, since they can't easily get prosecuted. Systems working as intended.

  • Tepix a year ago

    I disagree. Give me an example of a white hat hacker in Germany going to jail.

dhx a year ago

Why does KCM still need to exist? It doesn't help airlines nor air crew:

Pilot: "Years ago we’d get a random enhanced check (which just means go to TSA precheck) now and then. These days it’s 60% of the time, so it’s not possible to get a whole crew through KCM anymore, and we wait on each other because the jet can’t be boarded until the flight attendants are ALL through security, and with the 2022/2023 KCM random checks being so high, that just doesn’t happen. Honestly, I rarely use KCM anymore. I just walk through TSA precheck. The odds are we’re going there anyway so just cut to the chase and hit precheck."[1]

VIP treatments (including the likes of KCM) should be removed no matter if someone is a prime minister[2], media personality[3] or airline CEO. In this way, VIPs can experience the inadequate security processes and staffing levels that everyone else has to deal with, and hopefully with their louder voices will be able to force airports and government agencies to improve the situation for all.

[1] https://www.quora.com/As-a-pilot-how-does-it-feel-like-to-ha...

[2] https://www.theage.com.au/national/red-faces-as-nz-leader-ge...

[3] https://www.smh.com.au/traveller/travel-news/louise-milligan...

lubujackson a year ago

Meanwhile, my wife just had a beautiful amethyst she bought as a birthday gift for my son stolen by security in Mexico because it "could be used as a weapon". I say stolen because they wouldn't throw it away and just smirked the whole time at her.

It is sadly an all-too-common occurrence when you give uneducated dimwits police-level power with no oversight and no recourse for anyone affected. I assume flexing government power is the real objective here since everybody knows that security is not.

wkirby a year ago

Honestly, this is the most shocking part:

> We did not want to contact FlyCASS first as it appeared to be operated only by one person and we did not want to alarm them

It’s incredible (and entirely too credible) that this kind of “high security” integration could be built in such an amateur way: and a good reminder why government projects often seem to be run with more complexity than your startup devs might think is necessary.

jrochkind1 a year ago

> We had difficulty identifying the right disclosure contact for this issue. We did not want to contact FlyCASS first as it appeared to be operated only by one person and we did not want to alarm them.

Wait, what? Is this a euphemism for they didn't believe they would take it seriously? Reporting it over their heads to DHS was probably not less "alarming" to anyone...

  • rjh29 a year ago

    Real reason: the dev would fix it and they'd be stuffed. That doesn't encourage the DHS to actually look into the issue and see what else is broken.

  • gmueckl a year ago

    This is confusing to me as well. You could always escalate later, right?

    • filoeleven a year ago

      I’m wondering if their thinking was: if they contacted the sole developer, and he perceived it as a threat (whether security or personal livelihood) then the deck is stacked against them when they then have to escalate. The dev has already said “some hackers say they hacked my service” to TSA and kicked the beehive.

      I wouldn’t have a clue who to report it to myself; the record of DHS is pretty awful too. Lots of folks are saying (and one even betting on!) them being charged for their find within the next couple of years, and given US federal agencies’ records when it comes to these vulns I’d be quite worried about it too if I had found it.

lysace a year ago

> KCM is a TSA program that allows pilots and flight attendants to bypass security screening, even when flying on domestic personal trips.

This program seems like the root cause of the security issue.

(Outside of the US) I've often gone through security screenings just before or after crew groups in fast track, but otherwise normal security screening lanes.

qazxcvbnmlp a year ago

Accessing CASS is a big deal, and should be fixed but you’re gonna need more than this to board an aircraft.

Also… you can fix all the SQL issues, but you’re still not going to be able to fix the “men in hoodies with a big wrench talk to an authorized administrator (while their kids are kidnapped in Mexico)”

  • brendoelfrendo a year ago

    You'd need more than this to board an aircraft, but who's to say that the goal of an attacker is to board an aircraft?

  • rjh29 a year ago

    At the very least it sounds like you can get the password of many users (MD5 isn't exactly secure) and if they're sharing passwords then that's bad for them. You can also gain admin access and mess around with the site practically undetected for an indefinite amount of time.

system2 a year ago

I feel like TSA is downplaying it to avoid public backlash. This is not childish or amateur. They are just doing what any government agency would do. If you speak up louder you will get arrested or screwed by some random agency knocking on your door, FYI.

SG- a year ago

i wonder if TSA will audit the entire list, also it opens up more questions too like how long accounts remain active? are they simply assuming each airline will update pilot status? they clearly haven't been treating this system as important it seems.

eduction a year ago

I’m glad they uncovered and reported this but I’d be super reluctant to actually log in using purloined credentials if I were them. As macNchz says elsewhere in this discussion, CISA/TSA/DHS does not appear to make any assurances that they won’t prosecute what appears to be a facial CFAA violation just because someone is doing valid security research.

To be clear, I really hope they don’t, but they are also clearly trying to spin this in a way at odds with the researchers, and I’d hate to be in a position where they want to have leverage over me if I’d done this.

Brave that they did so though and I do think the severity of the vuln warrants this.

stuff4ben a year ago

Security Theatre 3000... keeping us entertained

fennecbutt a year ago

It's a stupid system anyway. Corrupt airline staff can easily bypass all security checks, bring a pistol in a handbag and leave that in the cabin luggage bin for prearranged pickup by an unscrupulous passenger or any sort of shenanigans.

How do they protect against corrupt staff? It's like they're not even thinking. Why don't they just fast track staff checks?

adamsb6 a year ago

What’s so special about bar codes that the testers couldn’t create one themselves?

Are they cryptographically signed by a system that was inaccessible?

Or is it just a matter of figuring out the bar code format and writing out some KCM id?

Dove a year ago

I can't find the essay now, but I remember reading something from years and years ago: Bruce Schneier arguing that it made sense for airline pilots to go through security with everyone else, in spite of the silly appearance, because the inherent complication in implementing a two tier system would both eat up efficiency gains and unavoidably introduce security flaws.

He convinced me at the time, but I wasn't expecting such an on-the-nose demonstration.

tbarbugli a year ago

Makes you wonder why there were no plane hijacks since 9/11. TSA does not seem a credible prevention mechanism given how easy it is to go around it.

  • marcosdumay a year ago

    Because you can't get near the pilots anymore, and because everybody assumes a hijack is suicidal and reacts accordingly.

  • solardev a year ago

    Maybe a SQL injection gets you onto the plane, but crashing that plane gets your country destroyed and the neighboring ones bombed for good measure.

    What the US lacks in cybersec, it tends to make up for with IRL pew pews...

radium3d a year ago

Part of the issue here may be the policy of "need to know" for these high profile secret systems. If the only person who "needs to know" doesn't know what they're doing then the proper audits of the code will never be done.

lapphi a year ago

I wonder how many entities knew about this before today

mdorazio a year ago

Does anyone know how the KCM barcodes differ from employee IDs? Seems like TSA is indexing pretty heavily on those.

mvkel a year ago

While this report is embarrassing for all involved, in a practical sense, I'd argue the security of this app was "fine."

What I mean: security through obscurity is imo the best situation to be in. You can't attack something if you don't know it exists in the first place. That alone gives this system a leg up over more exposed (but hardened) platforms.

Second, convenience always beats secure. Requiring password rotations is worse than requiring none at all, because people tend to find the path of least resistance (writing a password on a notepad instead of memorizing).

If it was faster/easier to ship a useful (but vulnerable) app, that's net better than the app not shipping at all because of security hurdles. I have to imagine sanitizing inputs doesn't take much more time to include, but I don't know the systems involved.

Ultimately, what damage was experienced here? We can throw out hypotheticals about what -could- have happened, but you can't sue every driver on the road because they -could- have hit you.

An insecure system served a useful purpose for years, got more secure, and continues ticking.

  • menthe a year ago

    I am sorry, are you non-sarcastically arguing that being able to pass through airport security, potentially accessing cockpits and planting bombs onboard airplanes, with a high-school level SQL injection on a federal website used by dozens of airlines & airlines employees, is actually, "fine"?

    Besides, I am not sure what sort of "security through obscurity" you are talking about? Ian and Sam found it, and frankly - with a public page, page title + first h1 tag clearly stating that this relates to a Cockpit Access system, this has got to show up in a shit ton of security research search engines instantly.

  • rjh29 a year ago

    Every person working in security, or even familiar with security, would know how to exploit this. It was a ticking time bomb. And it gives you admin access to the entire system. People could already have exploited it and we wouldn't even know.

  • pajeets a year ago

    I'm not sure I'd write this off because having a weak spot like this and information gained could lead to more discovery of the obscure. It's never a good security design to rely on someone never finding my secret API routes that I named after my co-workers that I despised

h_tbob a year ago

Guys, I think you should not have done this. You can really piss a lot of people off doing that kind of stuff.

  • keepamovin a year ago

    I agree they shouldn't have written it in such a "now let me embarrass you and show how right I am" way (and they also should have shown a lot more awareness of how embarrassing this was and, also of how: while infosec is super important, there are other priorities that need to be protected in how this is disclosed, too -- especially if they are hoping for constructive engagement with the orgs involved which, like it or not, is what practical security requires, if your point in disclosing is to make a meaningful positive difference, which is really important given the scale/scope of this vulnerability), but I don't think it worked out bad for these two judging from their Twitter feeds. I don't know them, but:

    Two guys from (or based in) the Midwest:

    Ian did his first DEFCON talk a couple weeks ago (https://x.com/iangcarroll), and Sam (the other author), was the guy that a couple years back Google accidentally sent 200K USD to, and has 81K X followers, and was recently singing the praises of that much lauded recent PHRACK article on "Hacking means understanding the world" (that was also popular round here): https://x.com/samwcyo/status/1823571295189008601

    They both seem like legit security researchers from their X feeds.

    I guess that petulance-tinged adolescent attitude is like the secret handshake of the security researcher world, which sounds too disparaging -- but it's not meant to be...only that probably that's what you need to expect from folks who "understand the world", where they're smarter, what's broken, and should be fixed.

    I get how that attitude rubs people the wrong way and causes more harm than good - but I don't mind it much myself - I guess I just set high expectations for the kind of impact such folks could have, and I think they could have more impact if they adopted a more professional, collegiate attitude in their way of working.

    But I guess that comes with the territory. Because it's really only the "outsiders" who will sit around poking at things to figure out how they work, and how to fix em, make em better. Those who feel themselves to be "rejects" from the normal world, in a sense, are always gonna carry a bit of the tinge of that perspective with them. But, whaddayagonnado? Those are really only gonna be the ones who "understand the world", so you have to rely on them. Odd couples, that pairing. Between industry and these hackers.

  • ProllyInfamous a year ago

    Reminds me of the guy that created a simple one-page website to make fake boarding passes, only to get into controlled areas of airports (not to actually fly).

    <knock> <knock>'d

    • smsm42 a year ago

      I don't remember any case over the last 5 years or so TSA even asked me for a boarding pass. I think they gave up on that entirely. They do ask for an ID (and take a picture now - looks like bots are better at matching faces than TSA agents) but until you get to the boarding nobody now even looks at the boarding pass, so anything before the gate is freely accessible to anyone with an ID.

      • scintill76 a year ago

        I’ve assumed you still have to have a ticket and they’re matching ID to the tickets in database. Anyone know otherwise? I can say, I asked the airline for a pass to accompany a passenger to their gate in ATL. If ID was enough I expect they would have told me so, but they gave me a paper pass and said it’s only good for one entrance into secured area.

        • smsm42 a year ago

          I obviously can't verify it without taking undue risks, but I remember they used to ask to see the boarding pass, now they don't.

          Then again, if they have this system where they can match me to a flight by ID, why they need any boarding passes at all? Just ask to see my ID again when boarding the plane, no? Why boarding passes still exist if this system is in place?

          • ProllyInfamous a year ago

            Blissfully, I have not flown since 2012.

            Thanks for the updated TSA experience.

            • smsm42 a year ago

              If you have precheck, TSA is pretty much not an issue now (unless you fly out of one of badly run airports where they are massively under-provisioned) - just ID check and quick metal detector pass usually does it.

77pt77 a year ago

Why do people even attempt to disclose this?

These guys are going to end up with some serious federal charges.

  • pbhjpbhj a year ago

    They should just leave the system wide open?

    • dimensi0nal a year ago

      post it on 4chan from behind seven proxies and let full disclosure do its thing

    • 77pt77 a year ago

      Yes!

      Time and time again these cancerous institutions have shown that their only interest is in surviving and they attempt that by concealing the flaws and brutally harassing the people that report them.

      At this point only useful idiots give them the benefit of the doubt.

bahmboo a year ago

Other issues aside my biggest takeaway is that no one at TSA employed even the most basic auditing of external systems accessing their secure process.

chihwei a year ago

Well, government is being government. I never think bureaucracy could solve an issue when they could just hide it.

cratermoon a year ago

Of course the worst part is TSA and Homeland Security trying to sweep everything under the rug and ignoring the problem.

tonymet a year ago

this isn't a "weakest link breaks the chain" this is a chain with 10000 weak links and we found one.

gsanderson a year ago

Like something you'd see in a movie and think "well, that could never really happen". Yikes.

killjoywashere a year ago

Love reading this while sitting in the MCO terminal waiting to go home after the fourth non-stop flight in a week.

OneLeggedCat a year ago

... and that was the last time Ian was allowed to fly without a printed boarding pass with SSSS on it.

ppeetteerr a year ago

How is this a thing in 2024?

bigmattystyles a year ago

Honestly, if I discovered and reported this, I'd be so scared of being charged with a crime under the CFAA or some other statute, there are just too many high profile faces that can be covered with egg here.

(edit) the charging guidelines are somewhat re-assuring but still https://www.justice.gov/opa/pr/department-justice-announces-...

systemvoltage a year ago

If NYTimes or WSJ had any backbone or journalistic integrity, they would write a front page piece on this to fix our agencies from being defensive to bug reports, shed light to the horrid incompetency in these agencies and how there was no oversight to any of this. They would also protect the two individuals as white hat hackers and teach non-technical people that these are good guys. You know, the job of the press.

mhh__ a year ago

SQL injection, a real blast from the past, like a child with mumps

thomasfl a year ago

Little Bobby Tables' story is still a valuable lesson.

harha_ a year ago

How can this even be possible? What the hell...

invalidlogin a year ago

Who else emailed this to Frank Abagnale?

sergiotapia a year ago

yeah i would not mess around with this and get put into a for-life no fly list dude. you even wrote data to the prod system, christ!

  • juunpp a year ago

    I found the pink picture underwhelming. So many possibilities, yet a missed opportunity.

rekoros a year ago

Great work and writing - thank you!

d4mi3n a year ago

Bobby Tables strikes again!

https://xkcd.com/327/

I’m continually amused, amazed, and exasperated at how classes of software defects older than I am continue to be a problem.

UniverseHacker a year ago

Hilarious that the entire TSA system is vulnerable to the most basic web programming error that you generally learn to avoid 10 minutes into reading about web programming- and that every decent quality web framework automatically prevents.

It is really telling that they try to cover up and deny instead of fix it, but not surprising. That is a natural consequence of authoritarian thinking, which is the entire premise and culture of the TSA. Any institution that covers up and ignores existential risks instead of confronting them head on will eventually implode by consequences of its own negligence- which hopefully will happen to the TSA.
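The comments above about Bobby Tables and SQL injection refer to the same class of defect the article describes. As an added illustration (example code, not code from the article, from FlyCASS or from any system mentioned here), the following Python snippet puts a string-concatenated query next to its parameterized equivalent against an in-memory SQLite table; the crew roster, names and employee IDs are constructed for the example.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for a crew roster.
# The usernames, employee IDs and airline name are made up for this example.
CREW = [
    ("alice", "EX-1001", "Example Air"),
    ("bob", "EX-1002", "Example Air"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed roster."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE crew (username TEXT, employee_id TEXT, airline TEXT)")
    conn.executemany("INSERT INTO crew VALUES (?, ?, ?)", CREW)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str, employee_id: str) -> list:
    """Deliberately vulnerable lookup: user input is spliced into the SQL text.

    Because the input becomes part of the statement, a value such as
    ' OR '1'='1  changes the WHERE clause itself instead of being compared
    against the employee_id column, and the query matches every row.
    """
    sql = (
        f"SELECT username FROM crew WHERE username = '{username}' "
        f"AND employee_id = '{employee_id}'"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str, employee_id: str) -> list:
    """Parameterized lookup: the statement and the values travel separately.

    The driver binds the values to the placeholders after the statement has
    been parsed, so quote characters in the input are just data and the same
    payload simply fails to match any row.
    """
    sql = "SELECT username FROM crew WHERE username = ? AND employee_id = ?"
    return [row[0] for row in conn.execute(sql, (username, employee_id))]


def demo() -> dict:
    """Run both lookups with a legitimate value and with a classic tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "alice", "EX-1001"),
        "legit_safe": lookup_safe(conn, "alice", "EX-1001"),
        "payload_vulnerable": sorted(lookup_vulnerable(conn, "alice", payload)),
        "payload_safe": lookup_safe(conn, "alice", payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the comparison makes is the one the comments gesture at: the fix is not escaping or filtering quotes but never letting untrusted input reach the SQL parser, which is what placeholders (and the ORMs and query builders of mainstream web frameworks) do for you.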

  • VyseofArcadia a year ago

    > Hilarious that the entire TSA system is vulnerable to the most basic web programming error that you generally learn to avoid 10 minutes

    The article mentions that FlyCASS seems to be run by one person. This isn't a matter of technical chops, this is a matter of someone who is good at navigating bureaucracy convincing the powers that be that they should have a special hook into the system.

    What should really be investigated is who on the government side approved and vetted the initial FlyCASS proposal and subsequent development? And why, as something with a special hook into airline security infrastructure, was it never security audited?

    • timdorr a year ago

      Based on the language on their site about requiring an existing CASS subscription, my guess is there was no approval at all. It appears this person has knowledge of the CASS/KCM systems and APIs, and built a web interface for them that uses the airline's credentials to access the central system. My speculation is that ARINC doesn't restrict access by network/IP, so they wouldn't directly know this tool even exists.

      Some quick googling shows the FlyCASS author used to work for a small airline, so this may piggyback off of his prior experience working with these systems for that job. He just turned it into a separate product and started selling it.

      The biggest failure here is with ARINC for not properly securing such a critical system for flight safety.

      • AndrewKemendo a year ago

        This right here people need to pay attention to for the following reason:

        One person can make a lot of impact

        The most common thing I hear people say with respect to their jobs is: “I’m just one person, I can’t actually do anything to make things better/worse…”

        But it’s just wrong and there’s thousands of examples of exactly that over and over and over

        In this case, if this is true, it’s both amazing that:

        One person, or a small number of people, could build something into the critical path as a sidecar and have it work for a long time and

        And second, the consequences of “hero” systems that are not architecturally sound, prove that observability has to cover all possible couplings

        • feoren a year ago

          Oh, everyone knows that one single person can make things a lot worse. That's all that's happening here. That doesn't say anything about how much one single person can make things better. In the former case, your powers are amplified by the incompetence of everyone else involved; in the latter case, they are diminished.

          • _puk a year ago

            Better / worse for whom?

            Given the nature of these systems, this 1 person likely made the day to day lives of a lot of people better, providing an (arguably) snappier web interface to existing systems.

            Granted, they've probably made someone's day a lot worse with this discovery, but..

            • K0balt a year ago

              They made the day of a lot of people, making the KCM program available to crewmembers of thousands of smaller airlines.

              I take issue with the way that disclosure was implemented here. The responsible thing to do would be to contact the site first, no matter if 1 or 1000 employees.

              Then you move forward with FAA, DHS, Etc. Assume that the site will act in good faith and recommend that they take down access until the problem is remedied, then back that up with disclosures and calls for auditing and verification to partner agencies.

              Contacting the site first is the only honorable thing to do. It doesn’t mean you wait to contact other agencies, but contacting the site means the quickest halt to the vulnerability and least interruption to service. Disclosing to partner agencies is still required, of course, but hopefully they will be looking at a patched site and talking about how they can implement improvements in auditing the systems connected to the KCM service.

              By disclosing in the right order you improve the possibility that organisations will focus on their appropriate role. The site fixes their egregious error and realises that their business depends on being secure, the TSA KCM manager realises that they need to vet access, and the FAA realises that the TSA needs to be supervised in the way that they interact with aircrew access.

              Otherwise, everyone might just focus on the technical problem, which will be solved in a few hours or days and then go back to business as usual.

              The vulnerability here actually is much, much larger than SQL injection. It is an inherent vulnerability in the organisational structure and oversight, and this will only be addressed in a bureaucracy if the actual problem is made clear at each organisational level and no red herring excuses that allow finger pointing are provided.

              Not to mention it’s a dick move to leave the technical people out of the loop completely in the process of disclosure, even if the disclosure is primarily of a systemic organisational failure.

              I’m sure the individual responsible was much more alarmed to get a call from DHS than they would have been to get a call from security researchers, so the given rationale is clearly fictional.

              Assume people will act in good faith, but don’t give them room not to. Trust but verify. When dealing with companies and orgs this is the way. When dealing with randos on the internet, not so much.

            • AndrewKemendo a year ago

              This is exactly it

              It was done for a reason and the fact that it persists despite all odds, means it’s doing something useful

          • miles a year ago

            This case is a demonstration of how one person (sorry, two people, Ian & Sam) can make things much better.

          • flatline a year ago

            When things go well nobody notices. I’ve certainly headed off and found/fixed a lot of bad decisions in my career, some of my own included. There was a lot of impact there, and it’s good when it’s invisible!

        • mattgreenrocks a year ago

          Good observation! This person is obviously meeting a need, and probably doing pretty well for themselves, SQL injection and all.

          > The most common thing I hear people say with respect to their jobs is: “I’m just one person, I can’t actually do anything to make things better/worse…”

          Yup. This is something on the order of a large-scale blackpill meme lately. Comment sections are usually rife with low-agency thinking. Which is quite something in tech, given that devs are the means of production for tech. True, tech as of late seems to be veering into more capital-heavy ventures (AI), probably to head off existential risk from the fact that a few skilled individuals can still really make a dent.

          It all comes down to belief and will.

        • amelius a year ago

          Yeah but this is not very actionable. It is like saying that one person can win the lottery.

          You have to be in the right place at the right time.

          • Sammi a year ago

            The lottery has many players and few winners.

            Real life is all of us and all of us have an enormous impact in some way. Especially if we try and apply ourselves. Not all the time, not for everything, but if we try enough things enough times and learn and grow, then people usually come out with impressive results of some sorts after a while.

            People overestimate what can be done in the short term, and underestimate what can be done in the long term.

            In a lottery the ratio is against you. In real life the ratio is almost guaranteed in your favor in some respect in the long term for anyone who tries.

            Chin up.

          • mattgreenrocks a year ago

            Beware of black and white thinking here. There's no "winning," just small wins building momentum towards whatever change you want to effect. Luck is always a factor (and don't believe anyone who says otherwise), but don't discount your ability to work smarter and harder.

      • raxxorraxor a year ago

        Why is it critical for flight safety? It is critical for security theatre we have to endure at airports because some people have heightened neuroticism.

        Be that as it may, of course the error needs correction. If it really is a one man show for a tool like this, it isn't even surprising that there are shortcuts.

        • jamesharding a year ago

          Gaining access to the normally-locked flight deck jump seat seems like a pretty big potential flight safety threat to me.

        • sydd a year ago

          Because your luggage is not checked at all. I'm sure that a state level actor could circumvent TSA but an amateur could not, and they pose a huge threat too, see the recent bombing attempt at the Taylor Swift concert or the Trump assassination attempt

        • Laaas a year ago

          Imagine if you could bring your own water, and drown in it! Horrifying!

          • creesch a year ago

            Tell me you haven't read the article without telling me you haven't read the article.

            • IggleSniggle a year ago

              ??? You can bring anything you want in your KCM/CASS luggage, including a water bottle, which is not allowed through the "civilian" checkpoint

        • CPLX a year ago

          Allowing literally anyone to get into any airport and into any locked cockpit without any screening is critical to flight safety. If you can’t immediately see why I’m not sure what to tell you.

      • kva-gad-fly a year ago

        If this were the case, then it seems quite plausible that the website itself was just a passthrough, and the APIs provided by ARINC would be exposed.

        This then begs the question of how ARINC passed security audit.

    • preciousoo a year ago

      Something I’ve been thinking about, esp since that crowdstrike debacle. Why do major distributors of infrastructure (msft in case of crowdstrike, DHS/TSA here) not require that vendors with privileged software access have passed some sort of software distribution/security audit? If FlyCASS had been required to undergo basic security testing, this (specific) issue would not exist

      • woodruffw a year ago

        They often do. The value of those kinds of blanket security audits is questionable, however.

        (This is one of the reasons I'm generally pro-OSS for digital infrastructure: security quickly becomes a compliance game at the scale of government, meaning that it's more about diligently completing checklists and demonstrating that diligence than about critically evaluating a component's security. OSS doesn't make software secure, but it does make it easier for the interested public to catch things before they become crises.)

        • deepsun a year ago

          Well, the value is ok, if considered seriously.

          Also, any certificate bears a certificator company name. We can always say "company A was hacked despite having its security certified by company B". So that company B at least shares some blame.

          • ethbr1 a year ago

            In practice, most commercial attestations/certifications contain enough weasel language that the certifier isn't responsible for anything missed (i.e. reasonable effort only).

            But yes, there are many standards for this (e.g. SOC Type 2 reports).

            In defense of their utility, the good ones tend to focus on (a) whether a control/policy for a sensitive operation exists at all in the product/company & (b) whether those controls implemented are effectively adhered to during an audited period.

            • AmericanChopper a year ago

              That’s not really how they work. The auditor attests that they were provided with evidence that the systems/business units audited were compliant at the time of auditing. That doesn’t mean that the business didn’t intentionally fake the evidence, or that the business is compliant at any time subsequent to the assessment.

              An auditor would certainly have some consequences if they were exposed for auditing negligently.

              This is how the PCI SSC manages to claim that no compliant merchant/service provider has ever been breached, because they assume being breached means that the breached party was non-compliant at the time of the breach. Which is probably a technically true statement, but is a bit misleading about what they’re actually claiming that means.

            • r00fus a year ago

              We're talking about getting a judgement in the court of public opinion not a court of law, and no one is exempt from the former.

              • ipaddr a year ago

                Many live in a special labelled class that cannot be criticized

            • deepsun a year ago

              Yes, certifiers are not responsible in legal sense, but nothing stops us from posting crap about them on internets.

        • doctorpangloss a year ago

          > The value of those kinds of blanket security audits is questionable,

          You're totally right. Why are people afraid to say that they're worthless? Why caveat or equivocate?

          Adversaries in computer security do not mince words.

          • pinkmuffinere a year ago

            “Worthless” is quite a strong claim. There isn’t much work I’ve encountered that’s truly “worthless”, even though bad work can make me quite upset. Anyways, that’s why I would often caveat.

            • brohee a year ago

              Mandatory audits by accredited auditors in order to participate in a market inevitably create a market for accredited auditors that don't uncover too much but ensure all checkboxes are ticked. Much of the security industry is actually selling CYA and not actual security. The same dynamic at play means when buying a home/boat/car you should get your own inspector, not blindly trust the seller's.

            • stackskipton a year ago

              I'll say they are worthless because most of the time they are dragging time away from things that could improve security. For example, $LastJob we spent a ton of time on SOC2 compliance and despite having applications with known vulnerabilities, we got hacked and ended up all over the news. Maybe instead of spending all the time getting SOC2 compliance finished, we could have worked at upgrading those apps.

              Actually, I doubt they would have upgraded the apps and pocketed the profits instead but SOC2 is providing cover instead of real change.

              • james_marks a year ago

                SOC2 covers a set of vectors (mostly social/separation of controls from what I’ve seen), and you were attacked on another vector.

                Maybe the org prioritized poorly and sucks overall, but that doesn’t mean SOC2 or compliance generally is worthless.

                • stackskipton a year ago

                  >SOC2 covers a set of vectors (mostly social/separation of controls from what I’ve seen)

                  THAT WAS THE PROBLEM. My bad, I thought most hacks were due to poor software management but I'm glad SOC2 truly addressed the real problem.

                  • pinkmuffinere a year ago

                    I don’t understand your hostility. Internet strangers are responding to your comments in good faith.

                • more_corn a year ago

                  In this particular case it was worthless. If you have known vulnerabilities and you deprioritize that work to waste time on soc2, and get hacked because of it… soc2 was worthless. Because the whole point is security assurance. When you get hacked you’ve proved the opposite of security assurance.

                  But also you gotta have the balls to stand up to the guy pushing soc2 and say. No. There are known vulnerabilities. We are patching those first then we are doing soc2. The way I frame it is “we know we have critical vulnerabilities, we don’t need to go hunting for more till we fix them. Once we fix them we go looking for other ways to improve security posture” And if the ceo still insists (big client requires it so we’re doing soc2 simultaneously) you say fine, then hire a security consultant so we can go twice as fast. And if he refuses you quit because fuck that place.

              • more_corn a year ago

                That’s some bad prioritizing there Lou.

          • woodruffw a year ago

            I’d rather understate a medium-confidence opinion than overstate it.

          • irundebian a year ago

            Because it's better than nothing when independent organizations are reviewing systems or other organizations. It's like saying that penetration tests are useless because you cannot prove security with testing.

        • kva-gad-fly a year ago

          Even if these govt. security audits are checkboxes, don't they require some nominal pentesting and black box testing, which test for things like SQL injection?

          That should have caught these types of exposures?

          • lvturner a year ago

            It may not apply to this specific incident, but pen-testing only ensures you meet a minimum standard at a specific point in time.

            I almost feel I could write novels (if only I had time and could adequately structure my thoughts!) on this and adjacent topics but the simple fact is that the SDLC in a lot of enterprises/organizations is fundamentally broken, unfortunately a huge portion of what breaks it tends to occur long before a developer even starts bashing out some code.

      • vips7L a year ago

        In the case of msft/crowdstrike isn't this exactly the opposite of what HN rallies against? The users installed crowdstrike on their own machines. Why should microsoft be the arbiter of what a user can do to their own system?

        • advael a year ago

          They automatically occupy that position because in practice no user of a microsoft system can audit the entire "supply chain" of that system, unlike one built from open-source components. Any "control" someone has over "their own" system is ultimately incomplete when there is a company that owns and controls the operating system itself and has the sole power to both fix and inspect it

        • preciousoo a year ago

          Microsoft determines who they give root access signing keys to

          • snarfy a year ago

            Because the EU required them to.

            • preciousoo a year ago

              I’ve read that story, it inspired my question. Such a requirement wouldn’t be out of bounds with the regulation

      • bronco21016 a year ago

        Money. Eventually the lobbyists would make it so cumbersome to get the certification that only the defense industry darlings would be able to do anything. Look at Boeing Starliner for an example of how they run a “budget”.

      • sandworm101 a year ago

        They do. But market forces have pushed the standards down. Once upon a time a "pen test team" was a bunch of security ninjas that showed up at your office and did magic things to point out security flaws you didn't know were even a thing. Now it is an online service done remotely by a machine running a script looking for known issues.

        • b112 a year ago

          "I made my fortune with nmap, you can too."

        • advael a year ago

          Unfortunately we're in kind of the worst of all possible worlds here too. Not only do we want to "automate" these kinds of tests, but governments have bought into the "security through obscurity" arguments of tech giants, so the degree to which these automations can even be meaningfully improved is gated in practice by whoever owns the tech itself approving of some auditor (whether automated or human) even looking at it. The author of this article takes the serious risk of retaliation by even looking into this

      • niklasrde a year ago

        Part of the reason why Crowdstrike have access, why MS wasn't allowed to shut them out with Vista was a regulatory decision, one where they argued that somebody needs to do the job of keeping Windows secure in a way that biased Microsoft can't.

        So, I guess you could have some sort of escrow third party that isn't Crowdstrike or MS to do this "audit"?

        Or see this for a much better write up: https://stratechery.com/2024/crashes-and-competition/

        • not2b a year ago

          MS could have provided security hooks similar to BPF in Linux, and similar mechanisms with Apple, rather than having Crowdstrike run arbitrary buggy code at the highest privilege level.

          • IcyWindows a year ago

            Crowdstrike configured Windows to not start if their driver could not run successfully.

            That's not the default option for kernel drivers on Windows, so this was an explicit choice on Crowdstrike's part.

          • cratermoon a year ago

            They could have, however the timeline the regulators gave Microsoft to comply was incompatible with the amount of work required to build such a system. With a legal deadline hanging over their heads Microsoft chose to hand over the keys to their existing tools.

            • more_corn a year ago

              ^ This statement cannot be accepted without proof. It sounds outlandish and weird. Which regulator? Under what authority? Also Microsoft doesn’t listen to ANYBODY.

            • not2b a year ago

              I've seen this stated before, but I haven't been able to find reliable data on when regulators required Microsoft to provide the access that they provided, or whether there's been time to provide a more secure approach. Do you know?

          • tedunangst a year ago

            Crowdstrike could have included a BPF interpreter in their driver and used it for all the dangerous logic.

        • preciousoo a year ago

          Replied in another comment, but I’m aware of the regulation that made msft give access. To my knowledge though, there’s nothing in the regulation that stops them from saying “you have to pass xyz (reasonable) tests before we allow you to distribute kernel level software to millions of people”

      • astura a year ago

        I've delivered software to the US government. My software has always been required to undergo security auditing.

      • cratermoon a year ago

        Oh they usually do require some kind of proof of security certification. However the checkbox audits to get those certs and the kinds of solutions employed to allow them to check off the boxes are the real problem.

      • edm0nd a year ago

        I do believe that is the point of having things like FedRAMP and StateRAMP.

        Your company must meet said requirements to become a vendor for certain agencies or even be able to submit an RFP for governmental agencies.

        • indymike a year ago

          Sigh. The company is a different problem than the product. Sally in accounting who has pii on her desk is a totally different problem than the team that wrote insecure code 15 years ago.

      • paulddraper a year ago

        Of course they require that.

        Now, why wasn't the requirement enforced? Or why didn't the audit turn this up? Good questions.

        But all of those are going to have some kind of requirement, e.g. FedRAMP.

        • preciousoo a year ago

          Good to know, didn’t know this program existed, but makes a lot of sense that it does. Why it wasn’t enforced is an incredibly huge question now

    • shuntress a year ago

      The problem is deeper and simpler than that.

      Authentication should not need to be re-implemented by every single organization. We should have official auth servers so that FlyCASS doesn't need to worry about identity management and can instead just hand that off to id.texas.gov (or whatever state they operate from) the same way most single-use tool websites use Google's login.

      • bborud a year ago

        Authentication and authorization, and especially on the web, is one of those things that has never been implemented well. I hate every single piece of software, every standard, every library, every approach I have come into contact with from this domain. I am so glad I have nothing to do with this field anymore. It makes me angry even thinking about it.

        • paulddraper a year ago

          Be the change you want to see in the world.

          • bborud a year ago

            I agree with that sentiment, and I have tried to contribute in the past, but then again, you have to choose your battles. Making the kind of impact on auth that means I, or anyone else, will not have to deal with rubbish systems in the future is a big task.

            It is one thing to write the needed software, it is a much bigger task to convince enough companies that they need a different approach to this problem.

            However, what I can offer is that if someone has the backing to actually make a difference in this market, I'll volunteer 50 hours to act as a reviewer and test developer. But that is if your project is backed by someone I believe can make a difference.

      • d1sxeyes a year ago

        This exists in some European countries, in Hungary for example you have an identity service (KAU) which authenticates you and operates as an SSO provider across a number of different government properties.

        • reaperducer a year ago

          > This exists in some European countries, in Hungary for example you have an identity service (KAU) which authenticates you and operates as an SSO provider across a number of different government properties.

          The United States has it, too: https://login.gov

          But with a government as large as America's it's going to take time to get everyone converted to the new system.

          • raddan a year ago

            FWIW, as a regular user of login.gov, from the outside, it looks like a well-designed system. I am able to add strong forms of 2FA (e.g., security keys or biometric authenticators), it requires strong passwords, etc. It also has decent developer documentation, has a support process, and comes with a vulnerability disclosure form baked into the main website. However, I have not used their API, nor have I seen any of the code (although I wonder if a FOIA request would actually compel them to give it to you).

          • shuntress a year ago

            The first bullet point on the /partners page of login.gov (regarding who should use it) says:

            > You are part of a federal agency or a state, local, or territory government

            I'm talking about a more generic service that any random industry system or individual can use. The way many websites use Google's OAuth without really using Google's APIs. Things that just want someone else (Google) to handle asking for and authenticating a name/password.

            • d1sxeyes a year ago

              Not 100% sure how I feel about random companies being able to definitively identify me. I’m sure we’re drifting in that direction anyway, but it feels like it would negatively impact privacy online.

              • krisoft a year ago

                > Not 100% sure how I feel about random companies being able to definitively identify me.

                But that is not what we are talking about. It is not that you are browsing the web randomly and some random company identifies you as d1sxeyes.

                It is that you can identify yourself towards any company if you choose to. Then you can decide if that is in your best interest or not.

                • shuntress a year ago

                  It also is not necessarily your actual ID. As far as the individual website needs to know, it could just be a random string of numbers and letters. As long as it's the same string each time they ask the authentication authority to confirm you.
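The opaque, per-site identifier described in the comment above is what OpenID Connect calls a pairwise subject identifier: stable for one user at one relying party, unrelated across relying parties, and meaningless without the identity provider's secret. The following Python is an added sketch of how an identity provider can derive one and how a site can use it; it is not code from login.gov, KAU or any provider named in this thread, and the secret, account IDs and site names are constructed for the example.

```python
import hashlib
import hmac

# Constructed example secret. A real identity provider would keep this in an HSM
# or key-management service and never hard-code it; it is fixed here so the
# example is reproducible offline.
IDP_PAIRWISE_SECRET = b"example-idp-pairwise-secret-do-not-use"


def pairwise_subject(local_account_id: str, relying_party: str,
                     secret: bytes = IDP_PAIRWISE_SECRET) -> str:
    """Derive a per-relying-party pseudonym for one local account.

    Modelled on OpenID Connect's pairwise 'sub' (a hash over the relying
    party's sector identifier, the local account id and a salt); here the
    salt role is played by an IdP-only HMAC key. Properties:
      - same user, same site  -> same value every time, so logins are stable;
      - same user, other site -> unrelated value, so sites cannot join records;
      - without the key nobody can map the value back to the real account.
    The 0x00 separator keeps (rp, id) pairs from colliding by concatenation.
    """
    message = relying_party.encode("utf-8") + b"\x00" + local_account_id.encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class RelyingParty:
    """A website that stores preferences keyed only by the opaque subject."""

    def __init__(self, sector_identifier: str):
        self.sector_identifier = sector_identifier
        self.preferences: dict[str, dict] = {}

    def on_login(self, sub: str) -> dict:
        """Return (creating if needed) the record for whoever presented `sub`.

        The site never sees a name or e-mail address; `sub` is all it needs to
        recognise a returning visitor. compare_digest avoids leaking which
        prefix of a stored identifier matched through timing differences.
        """
        for stored_sub, record in self.preferences.items():
            if hmac.compare_digest(stored_sub, sub):
                return record
        record = {"visits": 0}
        self.preferences[sub] = record
        return record


def demo() -> dict:
    """One user logs in to two sites; show the identifiers cannot be correlated."""
    user = "local-account-42"          # constructed local account id at the IdP
    site_a = RelyingParty("site-a.example")  # constructed relying parties
    site_b = RelyingParty("site-b.example")

    sub_a = pairwise_subject(user, site_a.sector_identifier)
    sub_b = pairwise_subject(user, site_b.sector_identifier)

    site_a.on_login(sub_a)["visits"] += 1
    site_a.on_login(sub_a)["visits"] += 1   # second visit hits the same record
    site_b.on_login(sub_b)["visits"] += 1

    return {
        "stable_at_site_a": len(site_a.preferences) == 1,
        "site_a_visits": site_a.preferences[sub_a]["visits"],
        "subs_differ_across_sites": sub_a != sub_b,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the relying party's identifier enters the derivation: two sites that compare notes hold two unrelated strings, which is what answers the privacy concern raised a few comments up, while each site still gets the "same string each time" it needs.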

          • cratermoon a year ago

            Americans as a whole are so allergic to government doing anything that we can't even get a national ID system nor a centralized database of gun sales or ownership. The bogeyman of evil Big Government, privacy, and censorship gets invoked. It's fine if the Free Market does it, so Google, Facebook, Amazon, Twitter, Microsoft, et al get a free pass.

      • jjav a year ago

        > single-use tool websites use Google's login

        Topic drift, but no tools should use google login. Doing that means handing over to google the authority to decide who can and can't use your tool. And we all know google support is nonexistent and unreachable, so once it fails it's forever.

        If you market a tool, you'd really want to own the decision on who you can sell it to.

        For a government organization though, I'd agree it makes sense to use a government-run login service. (government run, not outsourced to some for-profit third party!)

        • shuntress a year ago

          Trusting Google's OAuth not to vanish overnight is less stressful than managing your own username/password database.

          And that's pretty much my point. 2FA? Password Resets? Account Activation? Updating Email Address? No thanks. I would rather not have to deal with any of that. I literally just need a unique identifier to associate with your data and preferences.

          • jjav a year ago

            > Trusting Google's OAuth not to vanish overnight

            Sorry if I wasn't clear. It is not that google will remove the service overnight (although they are infamous for canceling things, but not that bad). The problem is google will lock out users randomly for no reason and no recourse.

            If that user was using google login to access your service/tool, you lost that user and there is nothing you can do. You really don't want to gate the access to your product via an unreachable unresponsive third party like google.

          • kijin a year ago

            Many well-established web frameworks have plugins or components to handle user management out of the box, with sane defaults. Nobody should have to roll them by themselves with each hobby project. You're probably using a similar plugin to integrate with Google anyway.

      • VyseofArcadia a year ago

        This seems like exactly the sort of work the US Digital Service should take on.

        Would still need an audit to make sure sites are actually using the shared auth and not rolling their own.

        • shuntress a year ago

          I'm not saying anyone should be disallowed to run their own authentication.

          I'm saying we need the digital equivalent of "show me your driver's license".

          • brendoelfrendo a year ago

            Ah, but there are third-party services that provide identity verification, such as id.me. And now that there are for-profit entities involved in a government service, you will never be able to convince the government to implement their own solution. It's telling that id.me is headquartered in McLean, Virginia; gotta be in the DC metro area so your lobbyists have easy access to Congress.

          • elliottcarlson a year ago

            I think that is the goal of https://id.me

          • AceJohnny2 a year ago

            Would that be https://id.me ?

            It's what the IRS uses.

            • groby_b a year ago

              That's of course the stupidest possible domain for a government website. (Or at least it's up there)

              Fundamentally, it has given control over the DNS records to a different country (.me == Montenegro).

              It's training people that really, any domain could be a government domain, you'll never know.

              • techsupporter a year ago

                It's also not a government web site. It's a private company who, for some reason, my own government outsources identity verification to. Meanwhile, the authorization system the US government has built (login.gov) is deemed "insecure" by the IRS and Social Security for some inexplicable reason. (But it's fine for Trusted Traveler Programs.)

                • snowwrestler a year ago

                  Social Security has implemented Login.gov integration. IRS returned detailed feedback that GSA is working on.

                • cratermoon a year ago

                  > It's a private company who, for some reason, my own government outsources identity verification to

                  Welcome to the neoliberal wet dream.

              • ericjmorey a year ago

                It's not a government website.

                It's the company providing the service that the government could provide on its own, but that service is being provided by a private company through a lucrative contract agreement.

              • Spivak a year ago

                Because it's not a government website, it's a company the government contracts with.

                • groby_b a year ago

                  Yes. I know how this works. This doesn't change that it's stupid. You can't outsource stupid and then claim it's not your problem.

              • aardshark a year ago

                Yes, welcome to the rest of the world.

                • groby_b a year ago

                  You're aware that there's a registry per country, no? And that each country can choose to set aside a subdomain for all government services?

                  Yes, it's unfair that the US gets naked .gov - but that doesn't preclude the rest of the world from doing the right thing, and it certainly doesn't excuse the US government doing the stupid thing.

                  • mardifoufs a year ago

                    The US government can still basically yoink any ccTLD very very easily. It won't, but it could.

            • FireBeyond a year ago

              And what a steaming pile of dogshit it was when I registered:

              "Scan the front and back of your Driver's License."

              [upload scan of front of DL @ 200DPI]

              "Unable to find a face in the image you uploaded."

              [upload scan of front of DL @ 300DPI]

              "Unable to find a face in the image you uploaded."

              Huh. Maybe I'll try with a lower resolution.

              [upload scan of front of DL @ 72DPI]

              "Thank you, now please upload the back of your Driver's License."

              Hmm, 72DPI worked for the front, so...

              [upload scan of back of DL @ 72DPI]

              "Unable to read a barcode in the image you uploaded."

              [upload scan of back of DL @ 200DPI]

              "Unable to read a barcode in the image you uploaded."

              [upload scan of back of DL @ 300DPI]

              "Thank you for verifying your Driver's License".

            • hedvig23 a year ago

              Apparently Venmo also has an option to look up an image of any person, we could use that too.

              • imroot a year ago

                I think they (quietly) turned that off after a researcher exposed it earlier this week.

    • mrbluecoat a year ago

      > FlyCASS seems to be run by one person

      Is their name Jia Tan, by chance?

    • ransom1538 a year ago

      Well my username, "\\'\truncate table user;;\''" has served me well over the years. But some sites I cannot log into for some reason.

    • gouggoug a year ago

      > This isn't a matter of technical chops, this is a matter of someone who is good at navigating bureaucracy convincing the powers that be that they should have a special hook into the system.

      I would love to know how one can get what I'd imagine is at least a 6-figure contract with the government? How does this work?

      I imagine the author of FlyCASS must be making a good amount of money off their product.

    • Natsu a year ago

      > The article mentions that FlyCASS seems to be run by one person.

      I wonder if they just subcontract everything? One popular hack of the preferences they give to veterans and minorities in government procurement is to have essentially one-person fronts that get maximum preference and which subcontract everything to a real company at a markup.

    • hn72774 a year ago

      We know that backdoors can be intentional for use by 3-letter agencies. And there is plausible deniability of the bureaucracy when they can pass blame onto a single individual.

      Or it's bureaucracy being bureaucracy. The TSA is a lot of security theater anyways.

  • game_the0ry a year ago

    That's bc TSA is all theatre. They fail Homeland Security audits more often than they pass. [1]

    It's supposed to give you the illusion of security while giving DHS a bigger budget, and it employs a lot of low-skilled workers.

    It is what you should think of when you think "big, dumb government."

    [1] https://abcnews.go.com/US/tsa-fails-tests-latest-undercover-...

  • yieldcrv a year ago

    Having done software development with other federal agencies, they probably outsourced maintenance of critical national security mandates to Deloitte who has a team with managers in India running everything with a completely counterproductive culture of hubris solely to make the two managers look good, and anybody that questions that gets terminated in a week

  • aussieguy1234 a year ago

    Authoritarians don't like being challenged like this and it tends to enrage them. It's not unheard of for them to arrest/imprison well-meaning security researchers who rightfully point out their own failings.

    That's a problem with authoritarian organisations/regimes in general. They value loyalty over competence and you end up with people being in positions they shouldn't be in.

  • Simon_ORourke a year ago

    For an overtly authoritarian institution it actually surprises me they do the old delete and pretend it never happened approach to basic security.

    • mmsc a year ago

      >pretend it never happened

      I'm not suggesting this is what they have done here, but this is exactly what authoritarian governments do. Straight from the pneumatic into the furnace.

  • oceanplexian a year ago

    > Hilarious that the entire TSA system is vulnerable to the most basic web programming error

    Because it's a scam and the system is a grift.

    I'm a pilot and own a private aircraft. Landing at any airport, even my home airport which is restricted by TSA is legal without any special requirement or background check. In fact, I have heard horror stories where TSA wouldn't let a pilot retrieve their aircraft for some bullshit administrative reason or another, so they enlisted a friend with a helicopter to drop them into the secure area to fly it out. Perfectly legal. The fact that the system can be brought down with a SQL attack is the least of it.

  • webninja a year ago

    It sure would be nice if someday we get to have some TSA-free airlines and TSA-free flights for people that don’t want to get sprayed by ionizing radiation before every flight but don’t fly often enough to warrant a yearly membership fee. It would be interesting to see what people choose if a choice is available.

    We haven’t had a large commercial plane go down in over 10 years since 9/11. Everyone that comes to the USA has been fully screened, vetted, and background checked. We’re all very safe. Mayorkas at the DHS has made sure there aren’t any terrorists in our homeland because the government only exists to protect us from danger and make our lives better.

  • didgetmaster a year ago

    I find it amusing (actually more tragic than amusing) that the same politicians who tell us all day that corporations can't be trusted because they are run by people with character flaws (greed, lying, laziness, etc.), will turn around and tell us that handing more power and influence over to a government agency is a good idea.

    They make it sound like the job pool between the public and private sector is completely separate when many people move back and forth between the two.

    Take away the accountability that often governs the private sector and that seems to be the recipe for situations like this.

    • gnz11 a year ago

      What mythical private sector accountability are we talking about? A government agency didn’t build the software, it was a one man, private sector company. Maybe the moral is not outsourcing every last thing in existence?

      • didgetmaster a year ago

        Not always, but often the marketplace will punish you if you screw up royally as a private company or employee. It seems that nearly every government snafu results in a promotion.

  • pstuart a year ago

    Given that CISA is under the same parent org as TSA, there should be ongoing internal evaluation/remediation of sibling services.

    https://www.cisa.gov/

  • panic a year ago

    In practice, these systems get stronger rather than imploding. Any failure becomes a justification for more power that they can use to "prevent this from ever happening again". A system that ran smoothly and never had issues wouldn't be able to grow like this (and might even shrink as people start to take it for granted).

  • wouldbecouldbe a year ago

    True, but even though I’ve always been careful to escape SQL, I’ve also made an oversight once by writing a custom SQL filter and failing to escape it. The code reviews also missed it (we were so used to the framework solving it for us). Luckily a pen test found it and it was only briefly in production.

  • nunez a year ago

    It might have been an insanely old application that predates SQL injection being common knowledge (or required to be protected against) and has been forgotten about/poorly maintained.

    There are oodles and oodles of apps like this powering our daily lives.

  • samstave a year ago

    TBF, TSA =/= 'Trained SQL Administrator' - so we can't hold _that_ against them...

  • 8bitsrule a year ago

    Looks to me like there's a reason this vulnerability exists ... for example, to help certain people have a simple way to avoid TSA searches and/or credential checks.

samch a year ago

Little Bobby Tables strikes again:

https://xkcd.com/327/

  • permo-w a year ago

    really feels like SQL should have never been written in such a fundamentally insecure manner, or immediately fixed once it was discovered that it was

    • kchr a year ago

      SQL in itself is not the weak point in this case (or any of the other cases of a successful SQLi attack). The problem is the treatment of user-controllable input data and using that data as part of a SQL query without properly sanitising/escaping special characters first.

    • akoboldfrying a year ago

      How would you "fix" it, while still allowing people to write ad hoc queries?

      • nucleardog a year ago

        Don't allow non-parameterized queries at all? Like right at the protocol and parser level? Strip "literal value" as a token right out of the query parser.

        Then a simple interactive client could do something like:

        ```
        > select * from users where username = :username
        username? admin

        +----+----------+----------+
        | id | username | password |
        +----+----------+----------+
        | 7  | admin    | 12345    |
        +----+----------+----------+
        ```

        While a fancier client could, in fact, transparently translate queries exactly as you write them today--pull out the values, replace them with placeholders, then send the query and values over the wire.

        ```
        > select * from users where username = 'admin'

        sent as:
          query: select * from users where username = :placeholder1
          placeholder1: admin
        ```

        There's, of course, nothing stopping any given library or application from doing the same thing, but the vast majority of the time I'd wager this is happening because someone tried the obvious and simple thing (string concatenation) and it worked and they stopped there. Anyone who knows enough to write their own SQL parser or even think to go find a library to do this is probably going to know why they absolutely should not be doing this.
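
The two shapes discussed in this subthread (kchr's point that the flaw is untrusted input spliced into query text, and nucleardog's "fancier client" that pulls literals out of a query and sends them as bound values), written out as an added example that is not part of the original thread or any project it mentions. It uses Python's standard `sqlite3` module; the `users` rows, the helper names and the `literals_to_placeholders` rewrite rule (single-quoted strings and plain numerics only) are constructed assumptions for this example.

```python
import re
import sqlite3

# Constructed sample data for this example (not from the page).
SAMPLE_USERS = [(7, "admin", "12345"), (8, "alice", "hunter2")]


def make_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, username text, password text)")
    conn.executemany("insert into users values (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, username):
    """The 'obvious and simple thing': string concatenation.

    The caller's input becomes part of the query *structure*, which is
    exactly the defect kchr describes. Kept here only as the 'before' form.
    """
    sql = "select id, username from users where username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: query text is fixed, the value is bound separately."""
    sql = "select id, username from users where username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Literals a client can lift out of a query: single-quoted strings ('' is an
# escaped quote) and bare numerics not glued to an identifier (users2, t1.x).
# Assumption: comments and double-quoted identifiers are not handled.
_LITERAL = re.compile(
    r"""
    '(?:[^']|'')*'                          # string literal
    | (?<![\w.])-?\d+(?:\.\d+)?(?![\w.])    # numeric literal
    """,
    re.VERBOSE,
)


def literals_to_placeholders(sql):
    """Rewrite inline literals into named placeholders (:p1, :p2, ...).

    Returns (rewritten_sql, params). Strings lose their quotes and unescape
    '' to ', numbers become int/float so the driver binds them typed.
    This is the 'fancier client' translation from the comment above.
    """
    params = {}

    def replace(match):
        name = f"p{len(params) + 1}"
        text = match.group(0)
        if text.startswith("'"):
            params[name] = text[1:-1].replace("''", "'")
        elif "." in text:
            params[name] = float(text)
        else:
            params[name] = int(text)
        return ":" + name

    rewritten = _LITERAL.sub(replace, sql)
    return rewritten, params


def run_as_parameterized(conn, sql):
    """Accept a query written with inline literals, send it as placeholders
    plus values. Safe only when the literals were typed by the programmer:
    if untrusted input was already concatenated into `sql`, the attacker has
    already chosen the query structure and binding cannot undo that."""
    rewritten, params = literals_to_placeholders(sql)
    return conn.execute(rewritten, params).fetchall()


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(conn, tautology))          # every row
    print("bound: ", lookup_parameterized(conn, tautology))   # no rows
    print(literals_to_placeholders("select * from users where username = 'admin'"))
```

The last docstring is the caveat akoboldfrying raises: a rewrite layer like this protects the developer who writes `'admin'` in source, but does nothing for code that builds the string from user input first, which is why the test below shows `run_as_parameterized` still returning every row for a pre-concatenated tautology.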

        • akoboldfrying a year ago

          Well, I agree that this would be a force acting in the direction of Good, though it's hard to gauge how much

          >There's, of course, nothing stopping any given library or application from doing the same thing

          would happen. People already use a library to talk to the RDBMS back end; a "convenience wrapper" library that adds literals back into the grammar sounds like something that might easily become popular, and then you're back to square one.

          The question of how best to nudge people away from these footguns is certainly interesting, and applicable to other languages (e.g., HTML). Another option would be to allow, say, BASE64-encoded literals only.

    • tacker2000 a year ago

      SQL was devised far before web apps or the internet were even a thing…

radium3d a year ago

Lol, that's the oldest trick [fail?] in the book

bambax a year ago

This shows that anyone with the slightest motivation to do harm would have zero difficulty replaying 911.

The reason there aren't more terrorist attacks isn't because various security agencies around the world protect us from them. It's because there are extremely few terrorists.

  • soneil a year ago

    I believe the biggest increase in security since 9/11, is that passengers are no longer expected to sit down and behave.

    Pre-9/11, the expectation was you don't draw attention to yourself, wait it out, you're going to have a long day and a story to tell. Post-9/11, the expectation is you fight for your life.

    Better cockpit doors and access hygiene probably come second.

    • function_seven a year ago

      I've written this comment here before, but I'll do it again.

      "Post-9/11" began minutes after the first planes found their targets. Flight 93—the one that crashed in Pennsylvania—never made it because the passengers revolted after hearing about the other planes.

      It only took a few minutes for the calculus to change. Knowing what was up, those passengers flipped from wait-and-see mode to fuck-you mode. This is pretty good evidence that you're right: the biggest increase in security was and still is that passengers will not be meek anymore.

      • tantalor a year ago

        It was a paradigm shift.

        This recent video by RealLifeLore drives it home: https://www.youtube.com/watch?v=550EdfxN868&t=1504s

          the last time in history that Sovereign American territory was invaded and occupied by a
          hostile foreign power was between 1942 and 1943 when the Japanese occupied the
          small and sparsely populated Alaskan islands of ATU and Kisa which they struggled to reinforce with supplies and
          were only able to hold on to for a year before getting overrun by much better supplied American and Canadian soldiers
        
        Up until 9/11, the US people had forgotten what it was like to be on defense.

        Later in the video: https://youtu.be/550EdfxN868?si=gpTplY4Z36tJPxLv&t=2706

          that doesn't mean that the US cannot be hurt or have its interests disrupted in other ways the US Mainland
          can obviously still become the subject of major attacks from hostile foreign powers if not outright invasions and the
          biggest and worst attack that ever befell the US on its own territory happened recently only 23 years ago

        • hughdbrown a year ago

          > were only able to hold on to for a year before getting overrun by much better supplied American and Canadian soldiers

          Not especially accurate. The US and Canadian forces that landed on Kiska had no opposition because the Japanese had already left. They did not overrun Japanese forces that were not there.

          Wikipedia describes this as: "On 15 August 1943, 1st SSF was part of the invasion force of the island of Kiska, but after discovering that the island had been recently evacuated by Japanese forces, it re-embarked ..."

          And yet, there were still friendly fire casualties, a point omitted from many descriptions of the invasion.

    • partiallypro a year ago

      Pilots are also now told to not open the cockpit door, no matter what's happening in the cabin and to land the plane. There is a near 0 chance you could take control of the plane. I would be more concerned about someone bringing a bomb on board.

      • Cthulhu_ a year ago

        The thing with this hack though is that it seems to be able to greenlight someone pretending to be staff to enter the cockpit as a passenger.

        • kayodelycaon a year ago

          How did they get the keycode? It’s basically two factor. You need both the code and the pilot allowing you in.

          I’m pretty sure there is a second code on some planes that alerts the pilots someone is attempting to force the crew to open the door.

      • tiagod a year ago

        What if you hack a system that allows you into the cockpit with no additional checks? That would be crazy...

        • lovecg a year ago

          A random person pretending to be an airline pilot in a room full of airline pilots? I don’t see it happening, they’ll get kicked out in a second.

          • sjamaan a year ago

            You don't have to pretend to be a pilot. Any cabin crew is allowed in the cockpit, AFAIK

            • mpeg a year ago

              Not just cabin crew, a lot of the time anyone flying standby is offered the jumpseat if there are no other seats available out of courtesy. Especially if they are an airline employee, but often non-employees too.

              • Reubachi a year ago

                In the US, and I imagine elsewhere....this is completely untrue for any commercial flights or honestly anything carrying legitimate insurance.

                I have never heard of a plain-clothes non-employee in a cockpit jumpseat.

              • mjlee a year ago

                I don't think just anyone is allowed to sit in the jumpseat in the cockpit.

                • sojournerc a year ago

                  My dad was an airline pilot. Policy was you had to be in uniform to sit in the jump seat, and, yeah, it's not open to just anybody. If he was flying standby to get home, he would take it if no other option was open.

          • grumple a year ago

            The 9/11 hijackers were trained as pilots though.

            • lovecg a year ago

              This is like a person who took a few python courses pretending to be a software engineer with a full time job, the lie becomes very clear after a few sentences.

    • WatchDog a year ago

      I would argue the most effective change post 9/11 is the reinforcement of cockpit doors and stricter cockpit access procedures.

      • arrowsmith a year ago

        Which, ironically, made it impossible to prevent this crash: https://en.wikipedia.org/wiki/Germanwings_Flight_9525

        • kayodelycaon a year ago

          This is easily prevented by requiring at least 2 people in the cockpit at all times. Some airlines had this policy long before Germanwings happened.

          • cyphar a year ago

            There's also at least one case[1] where the locked door itself stopped someone from stopping the crash (the CA had flying experience and Mentor Pilot[2] showed that even someone with no flying experience could be instructed to autoland if they know how to use the radio. If the CA had entered earlier they might've been able to land, though most of the passengers would've still died unfortunately.)

            One of the more reasonable theories for MH370 is similar to the Germanwings case. Pilots can refuse access even if the person outside knows the access codes for the cockpit doors.

            Unfortunately (as with everything else), even obvious improvements have potential downsides.

            [1]: https://en.m.wikipedia.org/wiki/Helios_Airways_Flight_522

            [2]: https://www.youtube.com/watch?v=YaOvtL6qYpc

            • kayodelycaon a year ago

              [1] > At 11:49, flight attendant Andreas Prodromou entered the cockpit and sat down in the captain's seat, having remained conscious by using a portable oxygen supply.

              • cyphar a year ago

                Yes, however it's not clear how they entered and why it took them so long (they entered a few minutes before the plane crashed due to fuel exhaustion -- the left engine shut down 50 seconds after he was seen entering the cockpit). It stands to reason that if the door was unlocked they may have been able to enter much earlier, which could've resulted in a very different outcome.

                That's why I said "If the CA had entered earlier".

    • jojobas a year ago

      If you can sneak in armed to a jump seat in the cockpit, better cockpit doors are actually in your favour.

    • Cthulhu_ a year ago

      > I believe the biggest increase in security since 9/11, is that passengers are no longer expected to sit down and behave.

      While that may be a factor, there's never any news about this happening, except maybe shortly after 9/11 with shoe or underwear bombs.

      • actionfromafar a year ago

        The would-be attackers know it too. The Game Theory changed.

      • nullc a year ago

        Underwear bomber was 2009, and if you search for 'aircraft passengers restrain' you'll find many other stories about passengers acting against dangers on flights.

        Hijackings used to be common, they're not anymore post 9/11. There were 27 hijackings in 2000 worldwide. There were none in 2017, 1 in 2018, etc.

  • jen20 a year ago

    > zero difficulty replaying 911.

    The attacks of September 11th 2001 are fundamentally not reproducible irrespective of whether there is _any_ security screening at airports.

    The default assumption before that morning was that a hijacked plane would fly around for a bit, then land. The default assumption afterwards is that it will be crashed if a hijacker is allowed to gain control, so the calculus on passenger intervention is quite different.

    • throw101010 a year ago

      > The attacks of September 11th 2001 are fundamentally not reproducible irrespective of whether there is _any_ security screening at airports.

      How so? The delay between the hijacking and the crashes in the buildings for both planes was around 40 minutes... even if there were jet fighters ready to go at the time, the lack of knowledge of the hijacking being in progress for much of this time and the short delay make this kind of attack still feasible.

      What actually improved our chances to avoid such attacks is the limited access to the cockpit and the processes pilots must follow in case of hijacking.

      The measures at the airport are to limit the risks of hijackings to begin with.

      • nullc a year ago

        The passengers on UA93 attacked the hijackers because they learned what happened to the other planes. The hijackers' primary goal was thwarted as a result, likely saving the lives of thousands of people in the US Capitol building.

        Passengers have intervened in several other terrorist attacks and now regularly intervene for other (non-terrorist) threat passengers.

        It is extremely easy to get weapons into the boarding area, people do it accidentally every day all over the country and the TSA's own testing shows that their screening misses the majority. Doors and procedures absolutely help as does the passenger response. Airport screening, OTOH, is primarily security theater.

    • Hikikomori a year ago

      We'll never have another golden age of hijacks thanks to 9/11.

  • cg5280 a year ago

    Maybe I am a naive idiot, but I would assume that other agencies like the FBI provide some protection even if TSA is not great. I occasionally see notable examples, like the CIA being responsible for discovering planned attacks on the recent Taylor Swift concert in Vienna that was then canceled.

    • Cthulhu_ a year ago

      Not to mention international cooperation, like the Dutch secret service having agents or contacts in Ukraine after MH17 that tipped off the CIA about a possible attack on the Nord Stream pipelines.

  • jltsiren a year ago

    The real reason is that people make mistakes all the time. There is no shortage of potential mass murderers, and there are plenty of successful ones. But if their plans are too ambitious or involve too many people, they tend to fail due to stupid mistakes. And when those stupid mistakes happen, security agencies (and even ordinary police) have a good chance of catching them.

  • golergka a year ago

    > The reason there aren't more terrorist attacks isn't because various security agencies around the world protect us from them. It's because there are extremely few terrorists.

    There's plenty of terrorists, but destabilisation of the Middle East diverted them away from continental US. Wasn't that the whole point of Afghanistan and Iraq wars?

    • Comma2976 a year ago

      >destabilisation of Middle East diverted them away from continental US

      I put on my critical thinking hat and look at the timeline of "US meddling in the Middle East" and "first terror attack in the US by a Middle Easterner".

      I then notice that the years are 1948 and 1993 respectively and that wet roads actually do not cause rain after all.

      • grumple a year ago

        I assume by 1948 you mean Israel’s declaration and subsequent war of independence. The US had nothing to do with Israel forming beyond being part of the UN vote - Britain was the architect of this part of the Middle East and is responsible for every border drawn by all nations there. This was fallout of the Ottoman Empire choosing to go to war against Western Europe and being defeated (after hundreds of years of incompetent leadership). [0]

        The US did not supply Israel in any way until 2 decades later, and it was Eastern European arms dealers first, France second. The first weapons sold to Israel by the US were in 1962 (anti air missiles), followed by some tanks and aircraft later in the decade. Things ramped up considerably after 1967 due to Arab states aligning with the USSR. [1]

        RFK was assassinated by a Palestinian terrorist in 1968. [2]

        0. https://en.m.wikipedia.org/wiki/Partition_of_the_Ottoman_Emp...

        1. https://en.m.wikipedia.org/wiki/Israel%E2%80%93United_States...

        2. https://en.m.wikipedia.org/wiki/Assassination_of_Robert_F._K...

        • Comma2976 a year ago

          > The US had nothing to do with Israel forming beyond being part of the UN vote

          I put on my history hat and check the books.

          > Liberia's Ambassador to the United States complained that the US delegation threatened aid cuts to several countries.

          > After a phone call from Washington, the representative was recalled and the Philippines' vote changed.

          > After considering the danger of American aid being withheld, France finally voted in favour of it. So, too, did France's neighbours, Belgium, Luxembourg, and the Netherlands.

          > [......]

          Mind you that I am not calling foul play here, this is par for the course for politics. This is just to refute the quoted point above, unless you consider bribery and threats of sanctions a "nothing".

        • aguaviva a year ago

          Overt U.S. meddling began (and in a very significant way) in 1956 with the Suez Crisis.

          The US had nothing to do with Israel forming beyond being part of the UN vote

          True for the U.S. at the government level -- but not for the U.S. as a country. One of the earliest major Zionist associations (the Federation of Zionist Societies - a forerunner of the modern ZOA) was formed in New York in 1897. The movement would continue to receive key funding from American backers, and held one of its key meetings in New York in 1942:

          https://en.wikipedia.org/wiki/Biltmore_Conference

          The movement's ideological (some would even say "spiritual") underpinnings can be traced to the mid-19th century writings of this American playwright and utopian activist - said to be the originator of the idea of resettling Jews in Palestine, predating the efforts of Herzl himself by half a century:

          https://en.wikipedia.org/wiki/Mordecai_Manuel_Noah

          So American meddling in the region goes back quite far indeed.

      • Rebelgecko a year ago

        Not that it changes your point much, but you could probably look back to 1990. One of the WTC conspirators had assassinated a rabbi (an American who, to put it very lightly, had personally meddled in the middle east). Coincidentally since so many folks upthread are talking about jury nullification, the resulting trial is sometimes considered an example.

  • dawnerd a year ago

    It’s also just one of those hard things to prove: is TSA actually stopping attacks like 9/11? The simple presence of them might be enough of a deterrent or we might just be extremely lucky. Seems these days the real threat is drunk passengers attacking flight attendants.

    • macNchz a year ago

      > The simple presence of them might be enough of a deterrent

      The planning for 9/11 took several years, $500k in financing, and had a lot of moving parts between recruiting, research, travel/visas, flight training etc. It's hard to believe that people motivated at that level would truly be deterred by what you see happening at the typical American airport these days.

    • digging a year ago

      Well, the TSA has been tested for their ability to detect weapons being brought through security screenings, and they were absolutely horrible at it. Can't grab a link at the moment, but if you search for it, you'll easily find the report published... by the TSA.

      So are they stopping anything serious? It's a safe bet they're not.

    • Cthulhu_ a year ago

      Thing is, terrorism makes people afraid, even if no attack actually happened; one theory I have is that foiled plots are not reported on. Maybe in 20-50 years some of the records will be unsealed and we'll hear about loads of foiled plots.

      But the counterpoint to that is that a gunman almost succeeded in killing Trump despite showing the behaviours online and offline of your stereotypical amateur assassin.

    • booleandilemma a year ago

      Have they caught and arrested any would-be bad guys? Should be pretty easy to verify.

hypeatei a year ago

I hate the TSA with every ounce of my being and these articles reinforce why. Incompetent and useless agency that only serves to waste people's time. Can't believe it still exists; 9/11 and the Bush administration really did a number on this country.

  • rootusrootus a year ago

    It doesn't seem particularly unique to TSA. Flying elsewhere in the world has essentially identical security screening, with all the same stupidity.

    I'm a little butthurt right now, in particular, about the security at Heathrow. They confiscated a bottle of whisky that we got in Edinburgh. After 10 minutes of head-scratching and consulting with a supervisor, they concluded that "it does not say 100ml" (it had "10cl" cast into the glass) and "even then, that is just the size of the bottle, not the liquid inside it." What an incredible demonstration of intelligence there.

    They gave us a receipt and said we could have it shipped. We checked when we got home. 130 GBP with shipping. Ended up just buying a 700ml bottle from an importer, cost about half as much.

    • anal_reactor a year ago

      The problem boils down to two issues:

      1. Ok, security is bad, what are you going to do? Go to different, competing security?

      2. Nobody wants to be the politician that relaxes the security right before an accident, even if the accident wouldn't be prevented with tighter security anyway.

      • cyberax a year ago

        > 1. Ok, security is bad, what are you going to do? Go to different, competing security?

        Amazingly, you can do that. SFO doesn't use the TSA, for example.

        • jen20 a year ago

          You can only do that if there are competing airports that are equally usable for where you want to go. Perhaps SFO vs SJC if you're going to the peninsula, JFK vs EWR or LGA, or the various Los Angeles airports but that's pretty much it that I can think of.

        • rachofsunshine a year ago

          Does it not? I fly out of SFO all the time and the experience is very similar. I guess I never checked if it was officially the TSA, but I never noticed any difference.

    • bubblethink a year ago

      > It doesn't seem particularly unique to TSA. Flying elsewhere in the world has essentially identical security screening, with all the same stupidity.

      That's largely due to the US and 9/11. In fact, the US even pressures other countries into creating a separate mini TSA at their boarding gate for flights that fly into the US.

      • 77pt77 a year ago

        You are confusing TSA with CBP.

        Some countries allow you to clear CBP on the boarding side, skipping it at the destination.

        It's like Ireland/Dublin, Aruba and a few others.

        • bubblethink a year ago

          I don't mean TSA or CBP literally. I am aware of the programs you are talking about. I'm talking about unofficial/soft-power policy that adds additional barriers pre-boarding for flights that fly into the US. You won't see this in the west/EU. I suspect it's more widespread in the rest of the world.

      • rootusrootus a year ago

        What other countries do a mini-TSA? Is it only countries who don't have a normal security screening that is comparable to TSA?

  • grishka a year ago

    We as a civilization are terrible at getting over things, it seems.

    • dgfitz a year ago

      Oh it gets even more amusing. By the logic of the GP, Bush must have impersonated every member of the house and senate because they're not aware of how the TSA came into existence/how a law is created. The Aviation and Transportation Act garnered broad bipartisan support.

      • hypeatei a year ago

        It was referring more to the time period and general power grab that the federal government was involved in (Patriot Act, Protect America Act, etc.)

        Also, Bush had to sign the ASTA into law (checks and balances), which he did, so he's part of the problem.

        • bigstrat2003 a year ago

          He certainly was part of the problem, but I think that the way it was phrased originally implied he was the majority of the problem. In truth, these measures had broad support from not only our elected representatives, but from the people themselves. Turns out that people do not actually give a shit about civil liberties, and our representative democracy acted accordingly.

  • ravenstine a year ago

    They're one of the most seemingly incompetent agencies I am forced to deal with every year.

    For one, why is it that every TSA checkpoint feels like it was scrambled together? 9/11 was a long time ago. There's no reason why checkpoints can't have better signage, clearer instructions for what should or shouldn't go on a conveyor belt, an efficient system for returning containers (I've lost count of how many times the line was held up because employees didn't feel like bringing over a stack of containers in clear view), and so on. The checkpoints do seem to go a bit faster than they used to a long time ago, but it's still a frustrating process that makes me feel like an imbecile every time I use it. I do my best to follow directions, but directions are often lacking, so I have to use my best judgment from past experience, and often get yelled at anyway. Does the TSA want to be hated?

    Secondly, there have been multiple occasions where I've made it through the security checkpoint with items that should obviously set off red flags. I recently made it through with a humongous center punch which, while not sharp like a knife, could do some serious damage to another person if used as a weapon. Got it through with no questions asked. I've also gotten through with scissors, knives, strangely shaped electronics, a custom-built electronic device that a naive person could see as suspicious, and so on. Never have I been stopped for those things.

    But laptops and e-readers? I'd better not forget one of them in my carry-on bag or I'm gonna get shouted at and be forced to re-run the bag through the scanner again. I can get through with sharp metallic tools and weird unlabeled boxes with wires hanging out of them, but I can't leave my Kindle in my backpack? And what about the humongous battery packs I carry? No problem having 2 or 3 of those in my bag. I guess my MacBook Air or my e-reader possess uniquely dangerous powers I don't comprehend. Even if I try to comply with the "laptops out of your bag" rule, I might still get shouted at if I place it in a container instead of right on the conveyor belt... or if I place it in a container with some other belongings next to it.

    Maybe the TSA stops terrorists that are as stupid as they are, which I guess is a good thing. But how good can stupid people be at catching other stupid people? Is it really worth it to waste everyone else's time and to treat them like crap in the process?

    Yup, not surprised that the TSA also reacts with as much stupidity to cybersecurity flaws. If I became supreme leader overnight, I would work to completely dismantle the TSA and rebuild it from scratch. There doesn't appear to be any value in that agency that can't be easily replaced with something better.

    • pwg a year ago

      > I can get through with sharp metallic tools and weird unlabeled boxes with wires hanging out of them, but I can't leave my kindle in my backpack?

      Because all airport security is reactionary. They don't try to anticipate what an attacker might do, and how they could prevent that. They simply add one more item to a check-list of "no good" items or of "must be separately screened" items.

      Therefore, because, one time, someone tried to ignite their shoes, there's now a checkbox that says: "shoes must be scanned separately".

      As well, because, one time, someone purportedly tried to mix together two liquids into an explosive that they brought on board in bottles, you are now limited to 100ml max in any bottle, but you can freely walk in with a 7-11 64oz Big Gulp cup and they won't blink an eye. The "bottles" are on the check-list, but the check-list has no entry (yet) for "64oz 7-11 Big Gulp".

xyst a year ago

TSA is a $10.4B [1] security theater and mistake born out of fear.

Out of that multibillion dollar budget, TSA allocates $10.4M for “cybersecurity staffing, as well as the development and implementation of enhanced cybersecurity-related measures to improve cyber resiliency across the U.S. Transportation Systems Sector.”

Glad to see our tax dollars working so effectively! \s

What a joke of a country this is

[1] https://www.tsa.gov/news/press/testimony/2023/03/29/fiscal-y...

rez0__ a year ago

> Now that we are an administrator of Air Transport International...

LOL

> Unfortunately, our test user was now approved to use both KCM and CASS

smh...
