Judge Still Keeps MIT Students Gagged Over Subway Hacking Presentation

from the keep-quiet dept

The EFF tried to get the gag order lifted off the three MIT students who had planned a presentation on how Boston’s subway system was vulnerable to some hacks. However, a judge has left the gag order in place, saying that it will be discussed at a hearing next Tuesday. He also ordered the students to hand over more information.

There’s been a long debate in the security community about what is proper “disclosure.” There are some who believe that you should wait until a vulnerability is fixed before disclosing it, while others believe that only by disclosing it are people really motivated to fix the vulnerability. However, most of those debates haven’t taken place in court — so this particular case should be quite interesting for those who are involved in security research, no matter which side of the “disclosure” debate you fall on.



Comments on “Judge Still Keeps MIT Students Gagged Over Subway Hacking Presentation”

nonuser says:


I don’t think these guys, or their advisor Prof. Rivest, should be getting a lot of credit here. When someone publishes an exploit for Windows, Oracle, or DNS, they can (and generally do) claim that bad guys could’ve figured out the same hack independently, and done untold damage without anyone realizing it. Of course, it’s quite debatable whether public exposure of the flaw is justifiable, but at least there are two sides to the argument.

With these subway cards, sure, some criminal mind could’ve figured out how to hack them, but how could they have monetized it on a scale to make it worthwhile? They would’ve had to set up a black market – at about $5 a shot – and hoped that none of their customers or prospects would snitch.

That’s perhaps why the MBTA didn’t worry too much about making the system absolutely secure. They must’ve figured that a few people might quietly crack it and take advantage, but they could write that off as cost of doing business.

Now it’s different. Now, college kids and others might suspect that paying to ride the T is for chumps, like paying to buy recorded music. And the MBTA can’t afford to give out free rides – their trains are packed these days.

Anonymous Coward says:

Re: the

“Now it’s different. Now, college kids and others might suspect that paying to ride the T is for chumps, like paying to buy recorded music. And the MBTA can’t afford to give out free rides – their trains are packed these days.”

I’m not sure I get your argument. It seems to be that criminals don’t bother exploiting this subway exploit because there is not enough money in it for the hassle, but college students are riskier because they will somehow “crash the system” financially by using it so much?

nonuser says:

Re: Re: the

Some background: the MBTA is in serious financial difficulty, and students make up a substantial proportion of their customer base (many Boston college students don’t own cars). So the majority of stolen rides resulting from this publicity would likely be instead of, not in addition to, paid rides. And the T can’t afford it; they couldn’t even afford to run their system as it is.

Of course, I wouldn’t be surprised to hear some of the file-sharing rationalizations getting recycled to justify ride-swiping: the MBTA doesn’t deserve their money, they’re a bunch of greedy hacks, it doesn’t cost anything to add one rider to a train, if they had to pay they would’ve walked instead, sometimes they actually pay full fare on the way back so the T ends up getting more business not less, etc.

Clueby4 says:

Prior Notice practice is nonsense

Why do software companies expect such a courtesy? The products they sell are excluded from merchantability. They even claim said right in their dubious, at best, EULAs/TOS/etc.

If you agree with the practice of prior notice then you either have a biased viewpoint, or you’re not too bright.

Should contaminated pharmaceuticals or tainted food get such unrealistic protections?

Apparently, too many of you enjoy your blissful ignorance and seem to feel that bliss should be forced on everyone else. Or perhaps you might be benefiting from the practice of selling flawed software products and don’t find the idea of having its flaws exposed very palatable.

chris (profile) says:

Re: Prior Notice practice is nonsense

i disagree. in a lot of circumstances, the job a piece of software is [supposed to be] performing is more important than the vendors that ship it, like DNS.

a security flaw that has not been disclosed is a powerful weapon in the wrong hands. keeping it secret only gives it more power.

this is the unintended consequence of security by obscurity: the 0day exploit.

disclosure pressures the vendor into fixing, and robs malicious attackers of yet another tool.

discovering a flaw that hasn’t been disclosed doesn’t mean that you are the only one that’s aware of the bug. bugs are not mutually exclusive and bugs don’t compete with each other.

in the case of dan kaminsky’s DNS bug and the debian random number bug, the two bugs combined pretty much nullified internet security as we know it (ssl/ssh/ipsec, certificate authorities, authoritative DNS, password resets via email, etc.) which is why it was so important for patches to be available (not necessarily applied) at the time of disclosure.

some wankers find bugs and try to sell the info to the vendor or a competitor (or a criminal organization) for money. if no one buys, they disclose with the intent to embarrass the vendor.

inc says:

Security through obscurity does not work. Even if these students never told anyone and went straight to those who control the Boston subway system, they still would have been prosecuted. It’s the same problem with the voting machines and the very reason Linux is more secure than Windows. If everyone knows your flaws you are more inclined to take them seriously. I’m also not sure what good a gag order will do; the PDF was already leaked on Digg. Warcarting rulez!
