Ex-Microsoft Bug Bounty dev forced to decrypt laptop for Paris airport official
Airside Clouseau in search of something, anything
Paris airport security went one step further than simply asking a security expert to power up her laptop - they requested she type in her password to decrypt her hard drive and log into the machine.
Katie Moussouris, chief policy officer at HackerOne, and best known as the woman behind Microsoft's Bug Bounty Program, was en route back to the US from the CCC hacking conference. She complied with the request in order not to miss her flight.
The computer never left her possession and the security agent never fully explained the request, according to Moussouris, and there's no question that HackerOne customers' vulnerability reports were exposed - no exploits were stored on the device.
Nonetheless, the incident at Charles de Gaulle airport has sparked a lively debate among privacy and security advocates. Moussouris has put together a blog post explaining her experience:
CDG airport personnel asked to search my bag, after I had cleared security, when I was about to board the flight. I had, in fact, already had my boarding pass checked by the gate attendant when a uniformed security agent diverted me to a small table, right before I was to enter the boarding tunnel.
The security agent at the gate had me pull out my laptop, turn it on, and further asked me to type in my password, which decrypted the full disk encryption of the drive, even after she saw that it did boot up.
It was clear there was a language barrier issue, but I was trying to show her that the login screen was there, the laptop did power up. I have had to power on my laptop and phone once before, in Brussels on my way back to the US, but I had never been required to unlock any devices, nor had I heard about friends having to do so - this was very unusual in my experience.
When it was clear she wanted me to type in my password, I asked her why. The agent said it was "regulation", and so I complied so I would not miss my flight, or suffer other consequences, given that it was in the middle of boarding.
She did not make me turn on or unlock my phone, and waved me through after she saw my desktop pop up with a browser window open to my Twitter feed on top. She didn't touch my laptop after I unlocked it, and none of my devices left my sight during the search.
Moussouris attributes the whole "unsettling" experience to an "Inspector Clouseau" type official exceeding her authority in checking that a computer was operational rather than anything more sinister.
However, in a follow-up discussion, privacy types said the incident illustrated the utility of guest accounts and hidden encrypted volumes in protecting sensitive data from the eyes of over-eager officialdom.
Anecdotal evidence suggests the requests to type in passwords are not unique to Paris airports or particular airlines.
HackerOne specialises in managing vulnerability coordination and bug bounty programs for its clients.