Asiatraveler15

He was on Fox again 5 minutes ago.

No expression when he spoke whatsoever. It was all about him. He definitely looks "off" to me.
Obviously the FBI felt the same. The FBI does not waste time on nobodies.
Good thing this guy is banned from flying on UA!!

WineCountryUA

There are responsible avenues for this kind of activity and twitter is not one of them. Neither is experimenting on a plane in flight unknown to UA and the pilots.

LarryJ

I'm not sure what to think about this guy. His Tweet said something about being on a B737-800 and setting off some EICAS messages? 737s don't have EICAS.

JakiChan

And he didn't. He tweeted.

Actually, when someone doesn't respond to your vulnerabilities, then yeah twitter is a way to do it. He's tried to talk to the various agencies in the past but they weren't interested in talking to him. Bet they are now.

Meanwhile, they stole his property without a warrant. But hey, don't let rights get in the way of the infosec boogyman.

So, you're all good with your 4th amendment rights being violated? I'll be right over for your computers, then.

It's called Aspergers. Very common in technical fields. If anyone looks "off" to me it's the jack-booted FBI thugs. They aren't to be trusted one iota.

Don't worry. I'm sure we've all learned our lesson. Keep quite and sell those zero-days straight to ISIS.

For a more rational take on the subject:

https://www.eff.org/deeplinks/2015/0...twork-security

TomMM

Well, the FBI did yank him off of a flight. I guess they could have done that quick enough to not delay their departure.

JBord

I'm not sure how this is any more rational than UA's stated reasons for not allowing him to board. The organization defending Roberts has one view, the company whose computers he claims he can hack has another.

Roberts may be right, that's not the point. Airlines should handle technical issues like this through contracted services, not by allowing people the opportunity to experiment on one of their flights which is full of customers.

Mr. Roberts' behavior appears to me to be irresponsible, immature, and unprofessional. How could I, or UA, trust him to act ethically on a flight when this is the behavior we have to judge him by?

That's really the crux of this issue. There's no reason to debate in this forum if he's right or wrong, or whether or not UA is addressing technical issues. We don't have all the facts. What we can debate is Roberts' words and behavior. If someone tweeted a partial instruction on how to damage a company you owned, why would you give them the opportunity to test it?

MattR23

^

JakiChan

And the "contracted services" are unlikely to find the issues. Search for the term "bug bounty". Very few of the recent vulnerabilities were found by the people responsible for the software or platforms they were found on. ("heartbleed", etc).

Based on that standard the vast majority of people should not be flying, then. I have no reason to trust you, for example. You could very well be planning something, right?

https://www.schneier.com/essays/arch...ll_disclo.html

He's tried talking to the airlines. They don't care. Now that it's in the news they do, however. Hrm....

mduell

He made a claim about a system that did not exist on the aircraft he was on. It's clearly FUD and not an actual vulnerability as described. I bet ISIS would be pretty pissed when they found out their zero-day was bunk.

JBord

Sure, I could. But I haven't tweeted about how I would go about causing damage. And if you don't trust me, it's your choice not to fly with me. I have given UA no reason not to trust me.

There's always risk in running a business. You take calculated risks like allowing harmless people like me to fly on your plane. You make rational decisions to not allow people to fly who are, for all practical purposes, bragging about how they could harm your plane. That's just smart business.

And just to say it, of ALL the available media to make a point in a professional manner, Twitter has to be just about the least appropriate. How about getting your research published in a respectable trade journal? I'm not in the IT or security business, but I am a long-time professional in my industry, and tweeting about stuff like this just comes across as childish.

JakiChan

Yeah, it doesn't work that way in information security. You know why? Because "publishing" always makes someone look bad. That's why many companies often go out of their way to gag security researchers. In fact they often use the DMCA to do so.

I.e.:

http://www.computerworld.com/article...-in-court.html

http://www.slate.com/articles/techno..._research.html

https://threatpost.com/proposed-cfaa...esearch/110463


This guy was on his way to one of the most respectable forums to discuss such things, actually.

https://www.rsaconference.com/events...rity-hopscotch

He's given multiple talks. I wonder why United didn't take him seriously before? Here's one from 2011...

https://www.youtube.com/watch?v=zOwKk7Cwc0k

Garten

He's on a plane and he tweets about sabotaging aircraft systems. This isn't much different from joking about having a bomb. It's wildly disruptive and can easily lead to the plane being diverted, etc. I don't want that happening on any flight that I'm on.

docbert

Because anyone with half a clue about aircraft can pick no end of mistakes in his claims...

Exterous

While there are supposed to be appropriate avenues for reporting this many go ignored until they are brought to public light. Twitter has been used before to report bugs that have gone ignored for extended periods of time despite being submitted through approved processes. It was only when social pressure and notice was exerted via social media that the issues were addressed.

I am not saying that his idea was a good one or that he should or should not have been barred from flying just that social media is becoming a common place to post this sort of information due to a persistent business culture of ignoring issues until the pressure overcomes business as usual inertia\cost of fixing the issue.

(As a side note I don't think he actually did anything to the plane so I am not sure 'experimenting' is the appropriate adjective)

LaserSailor

If you call on the telephone and leave a bomb threat it is a federal crime.

Posting alarmist innuendo on social media should suffer the same fate.

Free speech ends at the crowded movie theater when it impacts others.