[ Target Audience: Our InfoSec industry… ]
Yes, I know we have been inundated with the discussion on Chris Roberts’ saga. Feel free to read the thousands (closing in on a million as I write this) of links about the whole situation to catch up. FBI affidavits, ISS, “sideways” (yaw?), NASA, … I particularly liked Violet Blue’s summary of the recent history of airplane security. Another very interesting post is Wendy Nather’s, here.
Yet I think a critical point is being lost in the debate of whether he was able to do what he did or not.
I don’t care whether he was actually able to interfere with avionics. Being uninformed about it, I prefer the heuristic of believing the aviation experts who have, in great numbers, called out ‘B.S.’ on the claims.
What I *do* care about is the alleged pattern of behaviour of trying this with disregard for the possible consequences to the public.
I am NOT against security research, holding those responsible to task, responsible disclosure, “sunlight is the best disinfectant”, … I think all those doing responsible research on car hacking, medical devices, avionics (read Violet Blue’s excellent summary), etc… deserve our gratitude and support.
What I AM strongly against is the apparent complete disregard for the well-being of fellow passengers. It is alleged that this was done ‘15 or 20 times’ on several flights. I don’t know if the flights were mid-air or not. I don’t know if anyone noticed, or should have noticed. What I do know is that the consequences of those security tests could have affected innocent bystanders. That is NOT ok.
“Oh, but if he couldn’t really affect the plane, it’s ok, right?” NO, it is not. What if there were adverse consequences? What if the pilots noticed something and – being safety conscious – decided to divert flights?
Some might say – “ok, that is the price we must pay for security”. It was not his call to make, was it?
As an industry, we can’t carry around this sense of entitlement and expect to be seen in a good light by the broader public.
He has apparently shown poor judgement on other occasions – talking to the FBI on his own without legal representation is another example, but that just affects him.
That being said, I echo Bill Brenner’s sentiment on moving forward. I’ve never met Chris (hope to one day) and I wish that he is able to learn from this debacle and grow as a professional.
For the broader industry, let’s look at the mess this has created and learn a few lessons too…