Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customize your settings, hit “Customize Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences
  • These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.

  • These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

  • These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.

This article is more than 1 year old

Ex-Microsoft Bug Bounty dev forced to decrypt laptop for Paris airport official

Airside Clouseau in search of something, anything

Paris airport security went one step further than simply asking a security expert to power up her laptop - they requested she type in her password to decrypt her hard drive and log into the machine.

Katie Moussouris, chief policy officer at HackerOne, and best known as the woman behind Microsoft's Bug Bounty Program, was en route back to the US from the CCC hacking conference. She complied with the request in order not to miss her flight.

The computer never left her possession and the security agent never fully explained the request, according to Moussouris, and there's no question that HackerOne customers' vulnerability reports were exposed - no exploits were stored on the device.

Nonetheless, the incident at Charles de Gaulle airport has sparked a lively debate among privacy and security advocates. Moussouris has put together a blog post explaining her experience:

CDG airport personnel asked to search my bag, after I had cleared security, when I was about to board the flight. I had, in fact, already had my boarding pass checked by the gate attendant when a uniformed security agent diverted me to a small table, right before I was to enter the boarding tunnel.

The security agent at the gate had me pull out my laptop, turn it on, and further asked me to type in my password, which decrypted the full disk encryption of the drive, even after she saw that it did boot up.

It was clear there was a language barrier issue, but I was trying to show her that the login screen was there, the laptop did power up. I have had to power on my laptop and phone once before, in Brussels on my way back to the US, but I had never been required to unlock any devices, nor had I heard about friends having to do so - this was very unusual in my experience.

When it was clear she wanted me to type in my password, I asked her why. The agent said it was "regulation", and so I complied so I would not miss my flight, or suffer other consequences, given that it was in the middle of boarding.

She did not make me turn on or unlock my phone, and waved me through after she saw my desktop pop up with a browser window open to my Twitter feed on top. She didn't touch my laptop after I unlocked it, and none of my devices left my sight during the search.

Moussouris attributes the whole "unsettling" experience to an "Inspector Clouseau" type official exceeding her authority in checking that a computer was operational rather than anything more sinister.

However in a follow-up discussion privacy types said the incident illustrated the utility of guest accounts and hidden encrypted volumes in protecting sensitive data from the eyes of over-eager officialdom.

Anecdotal evidence suggests the requests to type in passwords are not unique to Paris airports or particular airlines.

HackerOne specialises in managing vulnerability coordination and bug bounty programs for its clients. ®

 

Similar topics

TIP US OFF

Send us news


Other stories you might like