SoylentNews is people

posted by martyb on Sunday April 19 2015, @04:18AM

The FBI seized equipment from noted security researcher Chris Roberts on Wednesday, alleging that Roberts may have tampered with the systems aboard a United flight to Chicago. Roberts denies the claim.

Chris Roberts (a.k.a. sidragon1), a leading researcher delving into the security of airplanes, was pulled off a plane in Syracuse, New York, on Wednesday by the FBI and questioned, apparently over concerns that he attempted to hack into critical systems aboard a United flight earlier in the day.

His laptop and a variety of external storage devices were confiscated by the FBI, which said it wanted to determine whether Roberts, an authority on security vulnerabilities in modern aircraft, may have accessed sensitive systems on a flight from Colorado to Chicago earlier in the day.

Roberts is the founder and Chief Technology Officer of One World Labs, a security research firm.

In response to mentions of his earlier research on Twitter, Roberts, using the @sidragon1 handle, had tweeted about his ability to hack into in-cabin control systems on the Boeing 737.

“Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? :)”

  • (Score: 2, Interesting) by anubi on Sunday April 19 2015, @04:31AM

    by anubi (2828) on Sunday April 19 2015, @04:31AM (#172721) Journal

    Would they rather some hostile nation get into stuff and not tell anybody until the day of surprise?

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 5, Interesting) by anubi on Sunday April 19 2015, @05:44AM

      by anubi (2828) on Sunday April 19 2015, @05:44AM (#172739) Journal

      The more I look at this, the more I think Chris should be working with avionics equipment suppliers to probe vulnerabilities. An in-flight airliner is not a safe place to be running vulnerability scans.

      Being I have had the "pleasure" of working around aerospace management types before, I am quite aware of the old adage that it is better to beg for forgiveness rather than beg for permission; as one who spends his days begging for permission gets little done and warrants being laid off for being non productive.

      I think I see what's going on here... Chris seems like one of these guys too bright to work in a corporate arena, where he is supposed to be under control of some manager whose skills are in controlling people, not systems analysis. So he has to run alone and do his own thing. I have seen a lot of people who "have issues" working for others trained in "leadership" skills.

      But the more I think of this, I would not want to be riding on a live flight knowing someone is deliberately trying to test system security, no more than I would like someone monkeying around with the computer controlling the heart-lung machine during an operation being performed on me.

      Maybe confiscation of his stuff was the only way to stop him from doing his thing?

      I respect drive in someone to get something done, and I hate like the dickens to try to kill it off - we already have plenty of management skills that are really good at doing just that. A live flight is not the place or time for system penetration testing.

      But come down hard on him for it? I would much rather have the two working together. In the open. We already have way too much stuff sequestered in various war chests awaiting the day they are needed, and having yet more tricks to cause havoc kept in someone's secret trick warehouse is not what we need. I do not want to shoot the messenger... he's gonna do far more good .. but please penetrate-test where no harm can possibly come from a failed attempt.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 2, Insightful) by Anonymous Coward on Sunday April 19 2015, @06:30AM

        by Anonymous Coward on Sunday April 19 2015, @06:30AM (#172743)

        What about the next guy who is not a famous security researcher? The focus should be the planes, not the guy.

        But it's all simple economics. Airlines don't give a shit about security or transporting people or anything else but profit. If flaming planes come down every day, no matter as long as people keep using their services. Capitalism at work.

      • (Score: 5, Interesting) by frojack on Sunday April 19 2015, @06:56AM

        by frojack (1554) on Sunday April 19 2015, @06:56AM (#172747) Journal

        But come down hard on him for it? I would much rather have the two working together.

        Hard? He walked away. His gear is getting the once over. Not so much as a wrist slap.
        Doesn't sound anything like Hard to me.

        What I would be really pissed about is if the authorities DIDN'T seize his gear, and dig into it deeply. Make him explain every line of code. He already tweeted about it, and was apparently on the FBI's radar already. Guy had means and opportunity, and tweeted a motive.

        Why is it that everybody here completely believes in Boston Brakes. But let the guy be a self professed "hacker" and suddenly he can do no wrong?

        Let him go find someone who will let him play with an airplane on the ground. If he can't sell it to some private fleet company that typically has planes sitting around waiting for customers.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 1) by anubi on Sunday April 19 2015, @07:20AM

          by anubi (2828) on Sunday April 19 2015, @07:20AM (#172750) Journal

          Yeh... looking back at the article and thinking it over more - you have a far saner take on it than I did at first reading.

          --
          "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
        • (Score: 1, Insightful) by Anonymous Coward on Sunday April 19 2015, @07:33AM

          by Anonymous Coward on Sunday April 19 2015, @07:33AM (#172755)

          Yes, how horrible it would be if government thugs didn't seize his gear. The bogeymen might get us!

          • (Score: 1) by anubi on Sunday April 19 2015, @08:09AM

            by anubi (2828) on Sunday April 19 2015, @08:09AM (#172764) Journal

            Like Frojack just said... I am pleased they did interfere.

            From what I read, I would think there is no criminal intent. Just curiosity. And a desire to develop saleable knowledge.

            The most important elements are already in place: no criminal intent and curiosity. Given permission and opportunity, knowledge quite helpful to "our side" is likely.

            Denied permission and opportunity, none of us will benefit from his studies.

            Curiosity seems so rare in us these days... seems most of us are far more interested in "the game" or what the latest celebrity fad is doing. I know my most useful things came out of someone else's curiosity and research. Nothing I have of any value came from "the game".

            --
            "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
            • (Score: 2) by kaszz on Sunday April 19 2015, @09:44AM

              by kaszz (4211) on Sunday April 19 2015, @09:44AM (#172780) Journal

              What do you mean by "the game" ..?

              • (Score: 1) by anubi on Sunday April 19 2015, @10:14AM

                by anubi (2828) on Sunday April 19 2015, @10:14AM (#172786) Journal

                Mostly sports. Seems every time I see someone getting excited about something, it's something to do with sports scores. If it's not that, it's some celebrity.

                Very seldom do I see someone's "entertainment" originating from within themselves. It seems like we have been trained to expect others to entertain us.

                Sitting in a noisy stadium for several hours would be pure torture for me. I'd rather take a nice long walk.

                --
                "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
                • (Score: 2) by kaszz on Sunday April 19 2015, @10:49AM

                  by kaszz (4211) on Sunday April 19 2015, @10:49AM (#172796) Journal

                  I'd rather be in a room filled with computers than one filled with bat crazy "fans" .. ;)

              • (Score: 0) by Anonymous Coward on Sunday April 19 2015, @11:59PM

                by Anonymous Coward on Sunday April 19 2015, @11:59PM (#172971)

                It's like that Eminem song 'Rap Game' only it's about the asinine 'security scene' and maneuvering around in it. Alternately it is about 'outsmarting' but that's not a fair interpretation anymore - like bringing nukes to a shootout and your own camera crew. Nice attempt at a cover but I had to say it like it is. Almost everybody now seems to be in it for 'the game', which often also means inventing bigger and worse enemies out of thin air these days.

            • (Score: 3, Insightful) by bziman on Sunday April 19 2015, @02:31PM

              by bziman (3577) on Sunday April 19 2015, @02:31PM (#172831)

              I'm much more afraid of unlimited government power than I am of security researchers.

              Airline, network, and most other security remains a joke, and the only reason that it hasn't been exploited on a large scale is that there just isn't a serious threat. You'll get the occasional crazy, but most of them fail because of their own stupidity and the rest get through... it's not worth destroying our way of life so you can feel safe from this imaginary threat.

              • (Score: 1) by anubi on Monday April 20 2015, @01:21AM

                by anubi (2828) on Monday April 20 2015, @01:21AM (#172986) Journal

                As far as security goes, nearly everything I have seen is pure and simple theater. Illusion.

                It's all sorts of armed guards flashing big guns guarding grass huts. While others have cans of gasoline, matches, and are sneaky.

                Of course, I am referring to our computational infrastructure, laced with back doors only one *thinks* he is the only one privy to. Not thinking that the mere existence of universal back doors on a monogenomic computational infrastructure is about the most non-resilient architecture imaginable. It's just waiting for a prankster to set it on fire, just for the fun of watching it burn.

                I write of this meme often here. I have my reasons. They are time and date stamped entries. And I intend to refer to them when it happens. Others who see this monster growing in the nursery will probably refer to them as well.

                People holding high places and entrusted with making law will need to explain why they did it.

                I hate to sacrifice a free nation just to keep people from trying to copy a song.

                Trying to "own" knowledge is like trying to claim ownership of a gust of wind.... you can't make it public and expect to retain it. Only people I know of that got away with this is the early priests, who held "sacred knowledge" to themselves. Gutenberg did away with that meme with the invention and use of the printing press. I am sure there were a lot of priests that would have liked to have seen Gutenberg crucified for what he did, but are the rest of us any better or worse for Gutenberg's works?

                The internet is just the next level from the printed word, and just as instrumental in the development of humanity.

                I just hope soon we realize that the only thing we have that's worth a damn is our collection of knowledge and wisdom. Knowledge and wisdom is in infinite supply, and all we do by throttling back the feedback loops is just slowing our own development. If we fail, we either relegate ourselves back to a sub-existence or perish like yeast in a petri dish.

                --
                "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
            • (Score: 0) by Anonymous Coward on Sunday April 19 2015, @04:50PM

              by Anonymous Coward on Sunday April 19 2015, @04:50PM (#172873)

              Except that the way they're handling this is terrible, as they're treating him like an enemy.

        • (Score: 3, Interesting) by LoRdTAW on Monday April 20 2015, @08:19AM

          by LoRdTAW (3755) on Monday April 20 2015, @08:19AM (#173068) Journal

          If he was making a threat to sell his "proprietary" information back to the manufacturer then he is an idiot. That is blackmail. But that isn't the case here (or doesn't appear to me as such). He has every right to call it proprietary and request a warrant because the FBI can and did confiscate the information without a warrant. Boeing is a defense contractor, the second largest in the world. You think they don't work directly with three letter agencies? When it comes to national security they can and will steal your property to cover up and save face.

          What I would be really pissed about is if the authorities DIDN'T seize his gear, and dig into it deeply. Make him explain every line of code.

          They took his gear and have yet to return it. So you should still be pissed because they aren't making him explain anything. How much you want to bet he will get his equipment back with the drives wiped or missing? The copied data safe in a secure Boeing lab. Sounds tin foil hat-ish but I can't help but picture this scenario.

          He already tweeted about it, and was apparently on the FBI's radar already. Guy had means and opportunity, and tweeted a motive.

          Using words like opportunity and motive makes him sound like a criminal. From the article he is trying to HELP by exposing crap security that airlines and manufacturers lie about. Sure he was cocky about it and wasn't very professional (And a bit stupid). But why does that make him a bad guy? Why are you upset about someone who is actively concerned about people's well-being?

          If the authorities were truly interested in our security, then they should be interested in his tools. But why confiscate them and not have him demonstrate them? Instead they just took his equipment and left. If the FBI was actually interested in vulnerabilities then they would hopefully say something along the lines of "okay son, we want to know how exactly someone can hack into an aircraft's avionics. Please show us so we can do something to fix this" Then the FBI should turn around and have the manufacturer explain why their planes are a threat to national security. Then maybe throw the kid a reward. In an ideal world of course. Instead we criminalize the whistle blowers and make examples of them.

          Why is it that everybody here completely believes in Boston Brakes. But let the guy be a self professed "hacker" and suddenly he can do no wrong?

          Why are you accusing everyone here of being a conspiracy theorist? Why is exposing a potentially deadly security hole in aircraft wrong?

          Let him go find someone who will let him play with an airplane on the ground. If he can't sell it to some private fleet company that typically has planes sitting around waiting for customers.

          You make it sound so easy.

          "Doh! Sorry folks. Looks like some guy named frojack discovered that our multimillion dollar aircraft built by multibillion dollar aerospace/defense contractors are vulnerable to terrorist attack via their in flight entertainment and wifi. We are sorry for any inconvenience caused by deployment of oxygen masks, rapid decompression or crash. We will fix those problems right away. Honest! Thanks for flying with us!"

          How many times do we have to hear stories about a concerned person demonstrating how shitty security really is only to be arrested and charged with computer crimes? Meanwhile the people who are in charge of said security get to shake the hands of the stooges who silenced a rabble rouser so their stock prices don't take a dive. It's all about money. Money is a higher priority of national security than human life.

        • (Score: 2) by Yog-Yogguth on Tuesday April 21 2015, @05:34AM

          by Yog-Yogguth (1862) Subscriber Badge on Tuesday April 21 2015, @05:34AM (#173403) Journal

          For anyone who has never heard the term “Boston Brakes” before here's a page [veteranstoday.com] about it (rather than CSI TV stuff).

          --
          Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
    • (Score: 0) by Anonymous Coward on Sunday April 19 2015, @06:39AM

      by Anonymous Coward on Sunday April 19 2015, @06:39AM (#172745)

      Yes. That would justify the DHS, TSA, FBI, NSA, and CIA past and future budgets for many years.

  • (Score: 3, Informative) by bziman on Sunday April 19 2015, @04:37AM

    by bziman (3577) on Sunday April 19 2015, @04:37AM (#172722)

    I hope they at least got a warrant. If not, then that's just theft.

  • (Score: 4, Insightful) by MichaelDavidCrawford on Sunday April 19 2015, @05:12AM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Sunday April 19 2015, @05:12AM (#172729) Homepage Journal

    Even if you don't commit violence, it is commonly the case that it is unlawful to threaten it.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 3, Informative) by wonkey_monkey on Sunday April 19 2015, @08:04AM

      by wonkey_monkey (279) on Sunday April 19 2015, @08:04AM (#172763) Homepage

      Unless you end the threat with a winky face. This guy's mistake was to use a standard smiley face.

      --
      systemd is Roko's Basilisk
      • (Score: 1, Interesting) by Anonymous Coward on Sunday April 19 2015, @04:38PM

        by Anonymous Coward on Sunday April 19 2015, @04:38PM (#172867)

        This was no different than smiling while you tell the TSA you have a bomb in your suitcase. The guy is an idiot for what he did and deserves a kick in the ass.

        • (Score: 0) by Anonymous Coward on Sunday April 19 2015, @04:47PM

          by Anonymous Coward on Sunday April 19 2015, @04:47PM (#172871)

          Exactly.

  • (Score: 3, Troll) by Anonymous Coward on Sunday April 19 2015, @06:02AM

    by Anonymous Coward on Sunday April 19 2015, @06:02AM (#172742)

    He was a priority target, it seems. He was being watched 24/7. They probably had an agent following him. All securities researchers, (white-hat or black-hat practitioners) are priority targets, so be careful. Do learn all you can, but stay under cover, or you might have an unfortunate "accident". Remember: Either you are working _for_ them, or _against_ them.

    Today, all humans are being watched, whether they are connected to the internet or not. They have satellites in orbit they never told you about, will not tell you about, because it's a security issue. If security requires that I be shafted daily (or once in my life), then hell with that security, and hell with these "politicians" (read: puppets), and hell with democracy that brings slavery in large or small quantities.

    It's only a matter of short time until all communications are gathered, all voice communications translated, sorted, and actions taken within seconds (if not milliseconds). In the near future, a satellite (or another object/technology by whatever name) will send a beam and burn you up if you are not nice to your masters, or have become a problem, or are starting to have "ideas" of your own, or are listening to ideas they consider harmful to themselves.

    Don't you miss the time when the masters did not know what we all were doing, who we were friends with, who we interacted with, what ideologies we subscribed to... and so on.

    • (Score: 2) by LoRdTAW on Monday April 20 2015, @06:47AM

      by LoRdTAW (3755) on Monday April 20 2015, @06:47AM (#173049) Journal

      All securities researchers, (white-hat or black-hat practitioners) are priority targets, so be careful.

      All securities researchers, (white-hat or black-hat practitioners) are priority targets, for hiring. FTFY.

  • (Score: 1) by Fauxlosopher on Sunday April 19 2015, @08:29AM

    by Fauxlosopher (4804) on Sunday April 19 2015, @08:29AM (#172771) Journal

    Did Chris Roberts have current backups for the data on his stolen gear? Will this have a negative impact on the development timeline of his very important work in progress [robertsspaceindustries.com]?

  • (Score: 0) by Anonymous Coward on Sunday April 19 2015, @04:05PM

    by Anonymous Coward on Sunday April 19 2015, @04:05PM (#172858)

    Schwartz, the original author of O'Reilly's popular "Learning Perl" book, was arrested for using Crack to harvest passwords on Intel's intranet while he was teaching Perl classes there. Schwartz claimed he was doing ad hoc research on the quality of user passwords within corporations. Intel, which is pretty paranoid about security, pressed charges, and Schwartz was convicted of a felony. Much later, the charges were dropped:

    http://news.cnet.com/2100-7350_3-6164113.html [cnet.com]

    • (Score: 0) by Anonymous Coward on Sunday April 19 2015, @04:45PM

      by Anonymous Coward on Sunday April 19 2015, @04:45PM (#172870)

      I guess you're ok with me pentesting your grandparents' pacemakers while they're helping their heart beat. Or your parents' insulin pumps. After all they are vulnerable and why should I even let you know I am going to do it? Better yet I should tweet it.

      This is nothing like Schwartz's case. Schwartz technically was given some access. He probably did overstep ethical bounds but aside from that, no. Roberts was grossly unethical and irresponsible whether he even accessed the systems or not. And I would say it was probably illegal if he didn't (but somewhat on the fence) and definitely 100% illegal if he had any access at all.

      You want no police state but you people never seem to get that it takes a responsible citizenry to show that it deserves better. Why doesn't everyone just tweet that stuff? He had means and motive and perhaps access. The FBI would have been derelict not to at least investigate this. And if he did access systems he shouldn't have then he should be charged as such. The potential for great harm existed if he did access those systems. What gives him the right? Extreme hubris? Being a "whitehat"? Shouting wasn't enough, so let's post a maybe joke tweet that if accurate could have actually gotten people killed (turbulence never made you accidentally mistype?)

      It was at a minimum worthy of investigation, and possibly worthy of more if there was even a whiff of access.

      I am grossly displeased with the EFF for misrepresenting his case - and for representing it in the first place at this stage. I want my donations to go towards helping people who are actual victims of overreach not protecting asshats with no sense of ethics who want fame and a pulpit.

  • (Score: 0) by Anonymous Coward on Monday April 20 2015, @06:45AM

    by Anonymous Coward on Monday April 20 2015, @06:45AM (#173048)

    "Enough is ENOUGH! I have had it with these motherhugging hackers on this motherhugging plane!"