Technology Review - Published By MIT

Thursday, August 14, 2008

How (Not) to Fix a Flaw

Experts say disclosing bugs prevents security flaws from festering.

By Erica Naone

Credit: Technology Review

Efforts to censor three MIT students who found security flaws in the Boston subway's payment system have been roundly criticized by experts, who argue that suppressing such research could ultimately make the system more vulnerable.

The students were served with a temporary restraining order this weekend at the Defcon security conference in Las Vegas, preventing them from giving their planned talk on the Boston subway's payment system.

According to slides submitted before the conference, which have also been posted online, their presentation "Anatomy of a Subway Hack" would have revealed ways to forge or copy both the old magnetic-stripe passes and the newer radio-frequency identification (RFID) cards used on Boston's subway, making it possible to travel for free. The restraining order was filed on behalf of the Massachusetts Bay Transportation Authority (MBTA), which spent more than $180 million to install the system, according to court documents. The MBTA has also brought a larger lawsuit accusing the students of violating the Computer Fraud and Abuse Act and accusing MIT of being negligent in its supervision of them.

One of the students involved, Zack Anderson, says his team had never intended to give real attackers an advantage. "We left out some details in the work we did, because we didn't want anyone to be able to attack the ticketing system; we didn't want people to be able to circumvent the system and get free fares," he says.

Marcia Hoffman, staff attorney with the Electronic Frontier Foundation, a digital-rights group that is assisting the MIT team with its defense, argues that researchers need to be protected as they investigate these types of flaws. "It's extremely rare for a court to bar anyone from speaking before that person has even had a chance to speak," she says. "We think this sets a terrible precedent that's very dangerous for security research."

The MBTA says it isn't trying to stop research, just buy time to deal with whatever flaws the students might have found. The agency also expressed skepticism about whether the MIT students had indeed found real flaws. "They are telling a terrific tale of widespread security problems, but they still have not provided the MBTA with credible information to support such a claim," says Joe Pesaturo, a spokesman for the MBTA. "It's that simple."


Comments

  • [no subject]
    zig158 on 08/14/2008 at 12:53 AM (Posts: 64, Avg Rating: 4/5)
    “They are telling a terrific tale of widespread security problems, but they still have not provided the MBTA with credible information to support such a claim,” says Joe Pesaturo
    If this is true, then why are they trying to shut them up?

    "It's extremely rare for a court to bar anyone from speaking before that person has even had a chance to speak," sounds to me like a blatant violation of the First Amendment. Why does that not surprise me in today's America?

    Sieg Heil!
    • Re:
      elkay3000 on 08/19/2008 at 2:57 PM (Posts: 1)
      I'm by no means a security expert, but in business terms this situation resembles the music industry's shutdown of file-sharing sites in the early part of this decade, because they couldn't understand it and they couldn't control it. In doing so they lost bazillions of dollars and alienated the very people they should have been trying to bring into their mix.

      When will these old-timers learn that it's a new world out there now? Being paranoid, secretive and trying to control everything on the internet is not the way to go.

      It's ironic that this article about clamping down and restricting is in the same issue as the article about Barack Obama's facilitation and openness web strategy. Who came out on top?
  • Responsible Researchers
    carlii on 08/14/2008 at 5:43 AM (Posts: 25, Avg Rating: 3/5)
    Based upon the article, the researchers omitted details to protect the public entity from fraud, while also providing some details to show there is a credible security flaw that needs to be addressed.  That sounds to me like they were being responsible researchers.  How about the public entity or the third party firm (a) pay the researchers for further details on the security flaws, (b) pay the researchers for information on how to detect when these security flaws are compromised, and (c) pay these researchers also to help to close down those security holes?  Alternatively, perhaps these researchers will create and license some new technology with better security to competing firms, or start their own firm, since these existing entities are so prone to sue those who'd help them.  It seems the researchers want to have the flaw resolved.  If these public entities sue anyone who would be willing to help them out, likely they'll lose a lot more money when others instead move to secretly exploit various security flaws that could have been remediated.
    • Re: Responsible Researchers
      dtutelman on 08/14/2008 at 10:20 AM (Posts: 23, Avg Rating: 4/5)
      I agree that the public entity and the third party supplier should be paying the researchers instead of enjoining them. Paying for the details of the hack is spot-on. I'm more skeptical about the proposal to pay them for closing the security hole.

      Creating a security system and cracking it are two different talents. Yes, they require the same sort of technical knowledge. And there are people who can do both well. But most crackers are not good creators, and vice versa. I have no idea whether these particular researchers are as good at creating as at cracking.

      Bottom line: The notion of "security through obscurity" has been discredited repeatedly over the years. Probably close to a century, in fact. Punishing the messenger is stupid, and the courts' facilitating the punishment is unconscionable.
      • Pay fault finders
        nekote on 08/25/2008 at 12:20 PM (Posts: 122, Avg Rating: 4/5)
        Makes so much more sense to reward "Black Hats" who find the cracks and don't publish.

        Versus not knowing, until the circumvention is detected in wide use!

        No reward?
        No reason not to publish.