Google, Microsoft And Yahoo Sued In India For Not Preventing Sex Selection Ads

Judge Still Keeps MIT Students Gagged Over Subway Hacking Presentation

from the keep-quiet dept

Thu, Aug 14th 2008 5:37pm — Mike Masnick

The EFF tried to get the gag order lifted off the three MIT students who had planned a presentation on how Boston's subway system was vulnerable to some hacks. However, a judge has left the gag order in place, saying that it will be discussed at a hearing next Tuesday. He also ordered the students to hand over more information.

There's been a long debate in the security community about what is proper "disclosure." There are some who believe that you should wait until a vulnerability is fixed before disclosing it, while others believe that only by disclosing it are people really motivated to fix the vulnerability. However, most of those debates haven't taken place in court -- so this particular case should be quite interesting for those who are involved in security research, no matter which side of the "disclosure" debate you fall on.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: boston, disclosure, gag rule, hacking, mit, subway

12 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Gan, 14 Aug 2008 @ 7:07pm

So now we will have to wait for the hackers to exploit these flaws before this fool judge will admit they exist. He is probably still using a quill and inkwell to write his decisions. Do you think we can survive a president that can't quite grasp the concept of browser?
[ link to this | view in chronology ]
nonuser, 14 Aug 2008 @ 7:18pm

the
I don't think these guys, or their advisor Prof. Rivest, should be getting a lot of credit here. When someone publishes an exploit for Windows, Oracle, or DNS, they can (and generally do) claim that bad guys could've figured out the same hack independently, and done untold damage without anyone realizing it. Of course, it's quite debatable whether public exposure of the flaw is justifiable, but at least there are two sides to the argument.

With these subway cards, sure someone criminal mind could've figured out how to hack them, but how could they have monetized it on a scale to make it worthwhile? They would've had to set up a black market - at about $5 a shot - and hoped that none of their customers or prospects would snitch.

That's perhaps why the MBTA didn't worry too much about making the system absolutely secure. They must've figured that a few people might quietly crack it and take advantage, but they could write that off as cost of doing business.

Now it's different. Now, college kids and others might suspect that paying to ride the T is for chumps, like paying to buy recorded music. And the MBTA can't afford to give out free rides - their trains are packed these days.
[ link to this | view in chronology ]
- Anonymous Coward, 15 Aug 2008 @ 7:40am
  
  Re: the
  "Now it's different. Now, college kids and others might suspect that paying to ride the T is for chumps, like paying to buy recorded music. And the MBTA can't afford to give out free rides - their trains are packed these days."
  
  Im not sure I get your arguement? It seems to be that criminals dont bother exploiting this subway exploit becuase there is not enough money in it for the hassle, but college students are riskier becuase they will somehow "crash the system" financially by using it so much?
  [ link to this | view in chronology ]
  - nonuser, 15 Aug 2008 @ 3:22pm
    
    Re: Re: the
    Some background: the MBTA is in serious financial difficulty, and students make up a substantial proportion of their customer base (many Boston college students don't own cars). So the majority of stolen rides resulting from this publicity would likely be instead of, not in addition to, paid rides. And the T can't afford it; they couldn't even afford to run their system as it is.
    
    Of course, I wouldn't be surprised to hear some of the file-sharing rationalizations getting recycled to justify ride-swiping: the MBTA doesn't deserve their money, they're a bunch of greedy hacks, it doesn't cost anything to add one rider to a train, if they had to pay they would've walked instead, sometimes they actually pay full fare on the way back so the T ends up getting more business not less, etc.
    [ link to this | view in chronology ]
Overcast, 14 Aug 2008 @ 8:02pm

Yeah, the hell with the 1st amendment. Who needs it anyway, huh?

Thought judges were supposed to uphold the law, not twist it to their own devices.
[ link to this | view in chronology ]
Anonymous Coward, 14 Aug 2008 @ 8:24pm

Um bit late isn't it ?
I thought that there info was already released (At least I recall reading how to hack the system with there instructions)
[ link to this | view in chronology ]
NSMike, 14 Aug 2008 @ 8:24pm

Disclosure
I'd say you should disclose the security weakness to the vulnerable party, test if it's been fixed within a reasonable amount of time, and if not, disclose to the general public, especially if the weakness puts the public's security at risk.
[ link to this | view in chronology ]
cc, 14 Aug 2008 @ 9:04pm

well, if you don't plan to disclose it to whoever's vulnerable first, then the obvious only way is to tell everyone at the same time without any prior notice due to BS like this
[ link to this | view in chronology ]
Clueby4, 14 Aug 2008 @ 10:06pm

Prior Notice practice is nonsense
Why do software companies expect such a courtesy? The products they sell are excluded from merchantability. They even claim said right in their dubious, at best, EULAsTOSetc.

If you agree with the practice of prior notice then you've either have a biased viewpoint, or you're not too bright.

Should contaminated pharmaceuticals or tainted food get such unrealistic protections.

Apparently, too many of you enjoy your blissful ignorance and seem to feel that bliss should be forced on everyone else. Or perhaps you might be benefiting from the practice of selling flawed software products and don't find the idea of having it's flaws exposed very palatable.
[ link to this | view in chronology ]
- chris (profile), 15 Aug 2008 @ 6:40am
  
  Re: Prior Notice practice is nonsense
  i disagree. in a lot of circumstances, the job a piece of software is [supposed to be] performing is more important than the vendors that ship it, like DNS.
  
  a security flaw that has not been disclosed is a powerful weapon in the wrong hands. keeping it secret only gives it more power.
  
  this is the unintended consequence of security by obscurity: the 0day exploit.
  
  disclosure pressures the vendor into fixing, and robs malicious attackers of yet another tool.
  
  discovering a flaw that hasn't been disclosed doesn't mean that you are the only one that's aware of the bug. bugs are not mutually exclusive and bugs don't compete with each other.
  
  in the case of dan kaminsky's DNS bug and the debian random number bug, the two bugs combined pretty much nullified internet security as we know it (ssl/ssh/ipsec, certificate authorities, authoritative DNS, password resets via email, etc.) which is why it was so important for patches to be available (not necessarily applied) at the time of disclosure.
  
  some wankers find bugs and try to sell the info to the vendor or a competitor (or a criminal organization) for money. if no one buys, they disclose with the intent to embarrass the vendor.
  [ link to this | view in chronology ]
inc, 15 Aug 2008 @ 5:25am

Security through obscurity does not work. Even if these students never told anyone and went straight to those who control the Boston subway system they still would have been prosecuted. It's the same problem with the voting machines and the very reason Linux is more secure then Windows. If everyone knows your flaws you are more inclined to take them seriously. I'm also not sure what good a gag order will do, the PDF was already leaked on Digg. Warcarting rulez!
[ link to this | view in chronology ]
- Anonymous Coward, 16 Aug 2008 @ 9:08am
  
  Re:
  Actually all the information had already been released to the attendees...Nothing was leaked there sparky, every attendee was given materials at the beginning of the show, including the MBTA hack presentation.
  [ link to this | view in chronology ]