Box Cutter Tests
Nathaniel Heatwole, a 20-year-old college student who told authorities he placed box cutters and other banned items aboard two airliners to test security was charged Monday with taking a dangerous weapon aboard an aircraft. He faces up to 10 years in prison on federal charges. (interesting trivia: apparently Heatwole has received an amateur radio scholarship).
What’s interesting is that the article notes:
The discoveries prompted the TSA and the Department of Homeland Security to order security inspections of all U.S. commercial airliners.
The discovery being Heatwole’s email to the TSA about his accomplishments.
There is a long history in the hacker world of testing security measures to see if they work, and if they don’t either notifying the people responsible or leaving some sort of indication that you’ve been there. This sort of activity has never been well received by the powers that be, and is now subject to increasingly harsh criminal sanctions.
It seems to me that the arguments for permitting this sort of “white hat” hacking (vs. cracking) are just as good when applied to real world physical security as to computer and Internet security. After all, Heatwole’s actions did provoke an investigation. If someone had just called the TSA and said, “hey, are you sure nobody can bring box cutters on board?” there would likely have been no response. Demonstrating a “proof of concept” as here may ultimately result in improved security for all of us.
Interestingly, federal prosecutors recently they made a mistake when they obtained the conviction of a computer administrator who exposed flaws in his employer’s computer system to customers. The prosecutors are actually seeking an appeal to reverse the conviction that they themselves got. Although you would hope they would have thought this through before prosecuting the guy, it’s something of a testament to their honesty that now they’re trying to get him out.