Judge Still Keeps MIT Students Gagged Over Subway Hacking Presentation

from the keep-quiet dept

The EFF tried to get the gag order lifted from the three MIT students who had planned a presentation on how Boston's subway system was vulnerable to some hacks. However, a judge has left the gag order in place, saying that it will be discussed at a hearing next Tuesday. He also ordered the students to hand over more information.

There's been a long debate in the security community about what is proper "disclosure." There are some who believe that you should wait until a vulnerability is fixed before disclosing it, while others believe that only by disclosing it are people really motivated to fix the vulnerability. However, most of those debates haven't taken place in court -- so this particular case should be quite interesting for those who are involved in security research, no matter which side of the "disclosure" debate you fall on.


Filed Under: boston, disclosure, gag rule, hacking, mit, subway


Reader Comments



  • Gan, 14 Aug 2008 @ 7:07pm

    So now we will have to wait for the hackers to exploit these flaws before this fool judge will admit they exist. He is probably still using a quill and inkwell to write his decisions. Do you think we can survive a president that can't quite grasp the concept of a browser?


  • nonuser, 14 Aug 2008 @ 7:18pm

    the

    I don't think these guys, or their advisor Prof. Rivest, should be getting a lot of credit here. When someone publishes an exploit for Windows, Oracle, or DNS, they can (and generally do) claim that bad guys could've figured out the same hack independently, and done untold damage without anyone realizing it. Of course, it's quite debatable whether public exposure of the flaw is justifiable, but at least there are two sides to the argument.

    With these subway cards, sure, some criminal mind could've figured out how to hack them, but how could they have monetized it on a scale to make it worthwhile? They would've had to set up a black market - at about $5 a shot - and hoped that none of their customers or prospects would snitch.

    That's perhaps why the MBTA didn't worry too much about making the system absolutely secure. They must've figured that a few people might quietly crack it and take advantage, but they could write that off as cost of doing business.

    Now it's different. Now, college kids and others might suspect that paying to ride the T is for chumps, like paying to buy recorded music. And the MBTA can't afford to give out free rides - their trains are packed these days.


    • Anonymous Coward, 15 Aug 2008 @ 7:40am

      Re: the

      "Now it's different. Now, college kids and others might suspect that paying to ride the T is for chumps, like paying to buy recorded music. And the MBTA can't afford to give out free rides - their trains are packed these days."

      I'm not sure I get your argument? It seems to be that criminals don't bother exploiting this subway exploit because there is not enough money in it for the hassle, but college students are riskier because they will somehow "crash the system" financially by using it so much?


      • nonuser, 15 Aug 2008 @ 3:22pm

        Re: Re: the

        Some background: the MBTA is in serious financial difficulty, and students make up a substantial proportion of their customer base (many Boston college students don't own cars). So the majority of stolen rides resulting from this publicity would likely be instead of, not in addition to, paid rides. And the T can't afford it; they couldn't even afford to run their system as it is.

        Of course, I wouldn't be surprised to hear some of the file-sharing rationalizations getting recycled to justify ride-swiping: the MBTA doesn't deserve their money, they're a bunch of greedy hacks, it doesn't cost anything to add one rider to a train, if they had to pay they would've walked instead, sometimes they actually pay full fare on the way back so the T ends up getting more business not less, etc.


  • Overcast, 14 Aug 2008 @ 8:02pm

    Yeah, the hell with the 1st amendment. Who needs it anyway, huh?

    Thought judges were supposed to uphold the law, not twist it to their own devices.


  • Anonymous Coward, 14 Aug 2008 @ 8:24pm

    Um, bit late isn't it?
    I thought that their info was already released (at least I recall reading how to hack the system with their instructions)


  • NSMike, 14 Aug 2008 @ 8:24pm

    Disclosure

    I'd say you should disclose the security weakness to the vulnerable party, test if it's been fixed within a reasonable amount of time, and if not, disclose to the general public, especially if the weakness puts the public's security at risk.


  • cc, 14 Aug 2008 @ 9:04pm

    well, if you don't plan to disclose it to whoever's vulnerable first, then the obvious only way is to tell everyone at the same time without any prior notice due to BS like this


  • Clueby4, 14 Aug 2008 @ 10:06pm

    Prior Notice practice is nonsense

    Why do software companies expect such a courtesy? The products they sell are excluded from merchantability. They even claim said right in their dubious, at best, EULAsTOSetc.

    If you agree with the practice of prior notice then you either have a biased viewpoint, or you're not too bright.

    Should contaminated pharmaceuticals or tainted food get such unrealistic protections?

    Apparently, too many of you enjoy your blissful ignorance and seem to feel that bliss should be forced on everyone else. Or perhaps you might be benefiting from the practice of selling flawed software products and don't find the idea of having its flaws exposed very palatable.


    • chris (profile), 15 Aug 2008 @ 6:40am

      Re: Prior Notice practice is nonsense

      i disagree. in a lot of circumstances, the job a piece of software is [supposed to be] performing is more important than the vendors that ship it, like DNS.

      a security flaw that has not been disclosed is a powerful weapon in the wrong hands. keeping it secret only gives it more power.

      this is the unintended consequence of security by obscurity: the 0day exploit.

      disclosure pressures the vendor into fixing, and robs malicious attackers of yet another tool.

      discovering a flaw that hasn't been disclosed doesn't mean that you are the only one that's aware of the bug. bugs are not mutually exclusive and bugs don't compete with each other.

      in the case of dan kaminsky's DNS bug and the debian random number bug, the two bugs combined pretty much nullified internet security as we know it (ssl/ssh/ipsec, certificate authorities, authoritative DNS, password resets via email, etc.) which is why it was so important for patches to be available (not necessarily applied) at the time of disclosure.

      some wankers find bugs and try to sell the info to the vendor or a competitor (or a criminal organization) for money. if no one buys, they disclose with the intent to embarrass the vendor.


  • inc, 15 Aug 2008 @ 5:25am

    Security through obscurity does not work. Even if these students never told anyone and went straight to those who control the Boston subway system they still would have been prosecuted. It's the same problem with the voting machines and the very reason Linux is more secure than Windows. If everyone knows your flaws you are more inclined to take them seriously. I'm also not sure what good a gag order will do; the PDF was already leaked on Digg. Warcarting rulez!


    • Anonymous Coward, 16 Aug 2008 @ 9:08am

      Re:

      Actually, all the information had already been released to the attendees... Nothing was leaked there, sparky; every attendee was given materials at the beginning of the show, including the MBTA hack presentation.


