Hello, welcome to the Wednesday, December 28, 2016 edition of the Sands and Storm Center's Stormcast. My name is Johannes Ulrich and the I'm recording from Jacksonville, Florida.

Each year between Christmas and New Year, the Chaos Computer Club in Germany is having its annual conference, which is very big, lots of talks

comparable to DevCon in the US. And all the talks are not just live streamed, but you can

also listen to recordings of these talks. So if you have some time this week, I recommend you take a look at the site. I'll link

to the respective site of the conference and the live streams in the show notes. But one talk

that sort of has been picked up by the press is a talk about airlines. Now in this case it's not about

in-flight entertainment systems, but instead about the backend systems that sort of process your

tickets. If you ever booked a ticket, you probably realized that you can review your record,

even make changes to your booking as long as you have your

last name, and a six-digit code, the record locator. Now, for changes, what's not about

in-flight entertainment system and hacking planes, but sort of the more boring part of airline

operations, and that's the back-end ticket systems.

The main issue here is you only need the last name and a record locator, which typically is a

six-digit string. Now, you would think there are enough combinations with six letters and

numbers, but it turns out these are not assigned

randomly sometimes they're assigned in a sequence and more importantly the backend

systems do actually not have a rate limit enabled so it's pretty straightforward

with a simple script to send millions of requests trying to

prude force that record locator.

So not as exciting as changing the throttle of an airplane, but there's something that's quite

difficult to fix given all the stakeholders that have to work together to really make these

back-end systems work.

...