Judge Still Keeps MIT Students Gagged Over Subway Hacking Presentation
from the keep-quiet dept
The EFF tried to get the gag order lifted off the three MIT students who had planned a presentation on how Boston’s subway system was vulnerable to some hacks. However, a judge has left the gag order in place, saying that it will be discussed at a hearing next Tuesday. He also ordered the students to hand over more information.
There’s been a long debate in the security community about what is proper “disclosure.” There are some who believe that you should wait until a vulnerability is fixed before disclosing it, while others believe that only by disclosing it are people really motivated to fix the vulnerability. However, most of those debates haven’t taken place in court — so this particular case should be quite interesting for those who are involved in security research, no matter which side of the “disclosure” debate you fall on.
Filed Under: boston, disclosure, gag rule, hacking, mit, subway
Comments on “Judge Still Keeps MIT Students Gagged Over Subway Hacking Presentation”
So now we will have to wait for the hackers to exploit these flaws before this fool judge will admit they exist. He is probably still using a quill and inkwell to write his decisions. Do you think we can survive a president that can’t quite grasp the concept of a browser?
the
I don’t think these guys, or their advisor Prof. Rivest, should be getting a lot of credit here. When someone publishes an exploit for Windows, Oracle, or DNS, they can (and generally do) claim that bad guys could’ve figured out the same hack independently, and done untold damage without anyone realizing it. Of course, it’s quite debatable whether public exposure of the flaw is justifiable, but at least there are two sides to the argument.
With these subway cards, sure, some criminal mind could’ve figured out how to hack them, but how could they have monetized it on a scale to make it worthwhile? They would’ve had to set up a black market – at about $5 a shot – and hoped that none of their customers or prospects would snitch.
That’s perhaps why the MBTA didn’t worry too much about making the system absolutely secure. They must’ve figured that a few people might quietly crack it and take advantage, but they could write that off as cost of doing business.
Now it’s different. Now, college kids and others might suspect that paying to ride the T is for chumps, like paying to buy recorded music. And the MBTA can’t afford to give out free rides – their trains are packed these days.
Re: the
“Now it’s different. Now, college kids and others might suspect that paying to ride the T is for chumps, like paying to buy recorded music. And the MBTA can’t afford to give out free rides – their trains are packed these days.”
I’m not sure I get your argument? It seems to be that criminals don’t bother exploiting this subway exploit because there is not enough money in it for the hassle, but college students are riskier because they will somehow “crash the system” financially by using it so much?
Re: Re: the
Some background: the MBTA is in serious financial difficulty, and students make up a substantial proportion of their customer base (many Boston college students don’t own cars). So the majority of stolen rides resulting from this publicity would likely be instead of, not in addition to, paid rides. And the T can’t afford it; they couldn’t even afford to run their system as it is.
Of course, I wouldn’t be surprised to hear some of the file-sharing rationalizations getting recycled to justify ride-swiping: the MBTA doesn’t deserve their money, they’re a bunch of greedy hacks, it doesn’t cost anything to add one rider to a train, if they had to pay they would’ve walked instead, sometimes they actually pay full fare on the way back so the T ends up getting more business not less, etc.
Yeah, the hell with the 1st amendment. Who needs it anyway, huh?
Thought judges were supposed to uphold the law, not twist it to their own devices.
Um, a bit late, isn’t it?
I thought that their info was already released (at least I recall reading how to hack the system with their instructions).
Disclosure
I’d say you should disclose the security weakness to the vulnerable party, test if it’s been fixed within a reasonable amount of time, and if not, disclose to the general public, especially if the weakness puts the public’s security at risk.
well, if you don’t plan to disclose it to whoever’s vulnerable first, then the obvious only way is to tell everyone at the same time without any prior notice due to BS like this
Prior Notice practice is nonsense
Why do software companies expect such a courtesy? The products they sell are excluded from merchantability. They even claim said right in their dubious, at best, EULAs/TOS/etc.
If you agree with the practice of prior notice then you either have a biased viewpoint, or you’re not too bright.
Should contaminated pharmaceuticals or tainted food get such unrealistic protections?
Apparently, too many of you enjoy your blissful ignorance and seem to feel that bliss should be forced on everyone else. Or perhaps you might be benefiting from the practice of selling flawed software products and don’t find the idea of having its flaws exposed very palatable.
Re: Prior Notice practice is nonsense
I disagree. In a lot of circumstances, the job a piece of software is [supposed to be] performing is more important than the vendors that ship it, like DNS.
A security flaw that has not been disclosed is a powerful weapon in the wrong hands. Keeping it secret only gives it more power.
This is the unintended consequence of security by obscurity: the 0day exploit.
Disclosure pressures the vendor into fixing, and robs malicious attackers of yet another tool.
Discovering a flaw that hasn’t been disclosed doesn’t mean that you are the only one that’s aware of the bug. Bugs are not mutually exclusive and bugs don’t compete with each other.
In the case of Dan Kaminsky’s DNS bug and the Debian random number bug, the two bugs combined pretty much nullified internet security as we know it (SSL/SSH/IPsec, certificate authorities, authoritative DNS, password resets via email, etc.), which is why it was so important for patches to be available (not necessarily applied) at the time of disclosure.
Some wankers find bugs and try to sell the info to the vendor or a competitor (or a criminal organization) for money. If no one buys, they disclose with the intent to embarrass the vendor.
Security through obscurity does not work. Even if these students never told anyone and went straight to those who control the Boston subway system they still would have been prosecuted. It’s the same problem with the voting machines and the very reason Linux is more secure than Windows. If everyone knows your flaws you are more inclined to take them seriously. I’m also not sure what good a gag order will do; the PDF was already leaked on Digg. Warcarting rulez!
Re: Re:
Actually, all the information had already been released to the attendees. Nothing was leaked there, sparky; every attendee was given materials at the beginning of the show, including the MBTA hack presentation.