Perhaps the biggest lesson to learn from the Chris Roberts plane hacking story is the seemingly ever-present failure of responsible disclosure.
I’m not an expert on the story, and I’m not sure anyone is, but we do know that we had a guy talking about this issue since 2011. Vocally. On Twitter. And it appears that the FBI was monitoring his account for this reason.
So, two questions:
- Why didn’t Roberts just go to them directly and tell them this was a problem? Maybe he did, and he was ignored, or worse. So then he went public. Not sure, but that should have been the first step.
- Why didn’t the FBI go to him directly, in a friendly way, when he was talking about this issue back in 2011? Maybe they did, and maybe they were told to piss off, which would definitely justify an arrest if he kept a) doing this stuff, and b) tweeting about it.
My problem is that it seems neither of these happened, or if they did they didn’t work the way they should have. Here’s how this is supposed to work:
- Good guy hacker plugs into entertainment system, gets a bit curious and starts looking around (which is on the line for sure)
- He finds out he can pivot to sensitive systems
- He very gently takes a quick inventory of a couple of things he saw, and definitely does not issue commands to the engines
- He goes to the FBI or FAA or whoever and gives them a list of the issues, and then offers to do more testing in a safe environment
- The authorities thank him for being cautious, and for being a good hacker, express that the U.S. needs more people like him, and give him some sort of reward
Wouldn’t that be nice?
Question is, where did it go wrong? What part of this process broke down? And how can we keep it from doing so in the future?