Gary McGraw [mailto:[EMAIL PROTECTED] writes:

> The main thing I wonder is, what do you think? When you have a hot
> demonstration of an exploit, how do you responsibly release it?

This isn't so much about that, in the usual sense. This was, as you say, a 
well-known vulnerability, one screamingly obvious to anybody who bothered to 
think about how to get around the No-Fly List. Bruce Schneier wrote about it on 
his blog long ago, as did many others.

> What role do such demonstrations play in moving software security forward?

It could help dramatically. Not so much because of the demo itself, which will 
of course be ignored by the Powers that Be, but the publicity around it. That 
might possibly eventually make enough of a dent in the public consciousness, to 
wake them up to the fact that what the PTBs have been doing is almost all just 
security THEATER.

However, it depends how much the media gives background. Unfortunately, even a 
brief blurb like "this flaw in the No-Fly List concept has been well known for 
several years" is unlikely to be aired or printed, since it takes valuable 
time/space away from the latest scandals of skanky "socialites" and other such 
much more important news. Without this little bit of trivia, the sheeple will 
just ass-u-me that the demo-giver was, as the PTBs will insinuate, a malefactor 
in league with $ENEMY[$YEAR], and deserves to be shipped off to the Git-lag.


Dave Aronson
"Specialization is for insects." -Heinlein

Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -

Reply via email to