Technology Review


How (Not) to Fix a Flaw

Experts say disclosing bugs prevents security flaws from festering.

  • Thursday, August 14, 2008
  • By Erica Naone

Efforts to censor three MIT students who found security flaws in the Boston subway's payment system have been roundly criticized by experts, who argue that suppressing such research could ultimately make the system more vulnerable.

The students were served with a temporary restraining order this weekend at the Defcon security conference in Las Vegas, preventing them from giving their planned talk on the Boston subway's payment system.

According to slides submitted before the conference, which have also been posted online, their presentation "Anatomy of a Subway Hack" would have revealed ways to forge or copy both the old magnetic-stripe passes and the newer radio-frequency identification (RFID) cards used on Boston's subway, making it possible to travel for free. The restraining order was filed on behalf of the Massachusetts Bay Transportation Authority (MBTA), which spent more than $180 million to install the system, according to court documents. The MBTA has also brought a larger lawsuit accusing the students of violating the Computer Fraud and Abuse Act and accusing MIT of being negligent in its supervision of them.

One of the students involved, Zack Anderson, says his team had never intended to give real attackers an advantage. "We left out some details in the work we did, because we didn't want anyone to be able to attack the ticketing system; we didn't want people to be able to circumvent the system and get free fares," he says.


Marcia Hoffman, staff attorney with the Electronic Frontier Foundation, a digital-rights group that is assisting the MIT team with its defense, argues that researchers need to be protected as they investigate these types of flaws. "It's extremely rare for a court to bar anyone from speaking before that person has even had a chance to speak," she says. "We think this sets a terrible precedent that's very dangerous for security research."

The MBTA says it isn't trying to stop research, just buy time to deal with whatever flaws the students might have found. The agency also expressed skepticism about whether the MIT students had indeed found real flaws. "They are telling a terrific tale of widespread security problems, but they still have not provided the MBTA with credible information to support such a claim," says Joe Pesaturo, a spokesman for the MBTA. "It's that simple."


zig158

  • 08/14/2008

“"They are telling a terrific tale of widespread security problems, but they still have not provided the MBTA with credible information to support such a claim," says Joe Pesaturo”
If this is true, then why are they trying to shut them up?

"It's extremely rare for a court to bar anyone from speaking before that person has even had a chance to speak," sounds to me like a blatant violation of the first amendment. Why does that not surprise me in today’s America?

Sieg Heil!


elkay3000

  • 08/19/2008

Re:

I'm by no means a security expert, but in business terms this situation resembles the music industry's shutdown of file-sharing sites in the early part of this decade because they couldn't understand it and they couldn't control it. In doing so they lost bazillions of dollars and alienated the very people they should have been trying to bring into their mix.

When will these old timers learn that it's a new world out there now?  Being paranoid, secretive and trying to control everything on the internet is not the way to go.

It's ironic that this article about clamping down and restricting is in the same issue as the article about Barack Obama's facilitation and openness web strategy. Who came out on top?

carlii

  • 08/14/2008

Responsible Researchers

Based upon the article, the researchers omitted details to protect the public entity from fraud, while also providing some details to show there is a credible security flaw that needs to be addressed.  That sounds to me like they were being responsible researchers.  How about the public entity or the third party firm (a) pay the researchers for further details on the security flaws, (b) pay the researchers for information on how to detect when these security flaws are compromised, and (c) pay these researchers also to help to close down those security holes?  Alternatively, perhaps these researchers will create and license some new technology with better security to competing firms, or start their own firm, since these existing entities are so prone to sue those who'd help them.  It seems the researchers want to have the flaw resolved.  If these public entities sue anyone who would be willing to help them out, likely they'll lose a lot more money when others instead move to secretly exploit various security flaws that could have been remediated.

dtutelman

  • 08/14/2008

Re: Responsible Researchers

I agree that the public entity and the third party supplier should be paying the researchers instead of enjoining them. Paying for the details of the hack is spot-on. I'm more skeptical about the proposal to pay them for closing the security hole.

Creating a security system and cracking it are two different talents. Yes, they require the same sort of technical knowledge. And there are people who can do both well. But most crackers are not good creators, and vice versa. I have no idea whether these particular researchers are as good at creating as at cracking.

Bottom line: The notion of "security through obscurity" has been discredited repeatedly over the years. Probably close to a century, in fact. Punishing the messenger is stupid, and the courts' facilitating the punishment is unconscionable.

nekote

  • 08/25/2008

Pay fault finders

Makes so much more sense to reward "Black Hats" who find the cracks and don't publish.

Versus not knowing, until the circumvention is detected in wide use!

No reward?
No reason not to publish.
