Every response to this I've seen from "the infosec community" (my connection to that community tends sharply towards vulnerability researchers, since that's my background) has been critical of this guy. I can't think of anyone I've seen cheerleading him. I've even seen rare glimmers of people criticizing EFF for trying to make a cause celebre of him.
But you're taking things too far by casting aspersions on all of "stunt hacking".
The problem with this idiotic tweet is that, if there is a vulnerability in the electronics of an airplane, this is exactly the thing you'd expect to see before some moron accidentally forced an emergency landing by tinkering with it. Vulnerability researchers disrupt and disable systems all the time without trying to.
The same is not true of people using logic analyzers on car CANbus systems (the archetypical example of stunt hacking).
The real criticism I've seen of stunt hacking is that (a) we don't learn all that much from it and (b) it's not particularly difficult ("look at this debugger debugging", as a friend of mine summarizes most stunt hacking talks).
I've seen a lot of people cheering for him. I've seen the man in person at various cons, and I think he's brilliant. The problem is, what are we supposed to do? Responsible disclosure: companies don't give a shit and will hide it. Full disclosure: you get sued and thrown in jail. Stunt hacking disclosure: people get scared even though it's easy to do. People demand something be done about it. The person who did the disclosure is alternatively viewed as a hero or a villain, but the thing is people are talking about the issue.
What's going to get people talking about security? "Target got hacked" "Oh, what a shame, I'll replace my card then go shopping at Target again". Or what about "I can bring down a plane while it is flying without needing a bomb. I can shut down hydroelectric dams from my living room and flood the entire state of Washington". Now you've got people talking.
"It's not particularly difficult" is the precise problem. It should be difficult. People should be demanding that gaining access to flight control and SCADA systems be made impossible by the general public. Dismissing a hack as "easy" means you're forgetting that it's a hack. It's not supposed to be possible, let alone trivial.
>>The person who did the disclosure is alternatively viewed as a hero or a villain, but the thing is people are talking about the issue.
This is what I have concerns with. It's this "ends justify the means" argument that disregards some important consequences.
There are many ways to breach these topics. You can go to the FAA. You can go to the individual companies. You can post on mailing lists. Ultimately, it may be a grind. But going the press route with inflammatory statements has consequences that exceed your own experiences with law enforcement. The legislators want to regulate infosec. It won't be pretty when they do.
We need people to understand that a successful disclosure doesn't require headlines in arstechnica. You have to be empathetic to interactions with large organizations. Flashy press may get attention to your issue, but it can also have disastrous consequences for the rest of the community. Is it worth it?
How about this: don't publish a message to the world on Twitter saying that you are tinkering with what you believe to be flight control systems on an actual aircraft in transit?
The problem is, he's done it before. And reported it to the airlines. And they've done nothing about it.
I've heard him talk for years. Same thing every year. So seeing what I saw on Twitter was no surprise. He's not publishing an exploit on Twitter, he's making a joke to the followers he has that all know what he's done. He's making the joke that this year, again, the flight control systems are still vulnerable to literally anyone with a laptop and an ethernet cable.
It's not that he's saying he's tinkering with what he believes to be flight control systems on an actual flight in transit. Of course he wouldn't do that... again. He's already done it once, years ago. Why was there no outrage then?
(a) There is no real flaw here, other than the potential for maybe sending scary messages to people's In Flight Entertainment screens, and so the disruption he's causing by suggesting that there might be a flaw has no upside.
(b) There is a real flaw here, for instance a message he can send across in-flight wireless that would deploy an oxygen mask, and his broadcast that he intended to tinker with that system is actually threatening.
"I've even seen rare glimmers of people criticizing EFF for trying to make a cause celebre of him."
Perhaps it's entirely possible that the EFF is just like any other organization that needs to find ways to justify their existence. The same with security researchers cloaking many of the things that they do in some quest for the greater good (the "if it wasn't for us" argument).
You know locksmith tools are available for purchase over the internet. But that's not enough! We should teach lock picking in schools so that people develop new and better ways to prevent their own locks from being picked and invest in more security against people that have been trained to pick locks. Because disclosure and transparency makes everything better and nobody thinks there is any value at all in obscurity or making things a bit more difficult by not being so out in the open.
Pretending that finding some security flaw is not about capturing the flag and all about saving humanity really bothers me to no end.
With physical locks you are exposed to the few people that can walk up to the lock without attracting attention. With digital security, you are potentially exposed to every connected system on the planet. An invisible attacker can't pick your lock, but could hack your security system. That is why digital security is paramount.
Robots are not going door to door picking locks, but that is exactly what happens every second of every day to every system on the Internet. It only takes one, and there are lot of disenfranchised smart people around the globe.
But you're taking things too far by casting aspersions on all of "stunt hacking".
The problem with this idiotic tweet is that, if there is a vulnerability in the electronics of an airplane, this is exactly the thing you'd expect to see before some moron accidentally forced an emergency landing by tinkering with it. Vulnerability researchers disrupt and disable systems all the time without trying to.
The same is not true of people using logic analyzers on car CANbus systems (the archetypical example of stunt hacking).
The real criticism I've seen of stunt hacking is that (a) we don't learn all that much from it and (b) it's not particularly difficult ("look at this debugger debugging", as a friend of mine summarizes most stunt hacking talks).