Judge Still Keeps MIT Students Gagged Over Subway Hacking Presentation
from the keep-quiet dept
The EFF tried to get the gag order lifted off the three MIT students who had planned a presentation on how Boston's subway system was vulnerable to some hacks. However, a judge has left the gag order in place, saying that it will be discussed at a hearing next Tuesday. He also ordered the students to hand over more information.There's been a long debate in the security community about what is proper "disclosure." There are some who believe that you should wait until a vulnerability is fixed before disclosing it, while others believe that only by disclosing it are people really motivated to fix the vulnerability. However, most of those debates haven't taken place in court -- so this particular case should be quite interesting for those who are involved in security research, no matter which side of the "disclosure" debate you fall on.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: boston, disclosure, gag rule, hacking, mit, subway
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
the
With these subway cards, sure someone criminal mind could've figured out how to hack them, but how could they have monetized it on a scale to make it worthwhile? They would've had to set up a black market - at about $5 a shot - and hoped that none of their customers or prospects would snitch.
That's perhaps why the MBTA didn't worry too much about making the system absolutely secure. They must've figured that a few people might quietly crack it and take advantage, but they could write that off as cost of doing business.
Now it's different. Now, college kids and others might suspect that paying to ride the T is for chumps, like paying to buy recorded music. And the MBTA can't afford to give out free rides - their trains are packed these days.
[ link to this | view in thread ]
Thought judges were supposed to uphold the law, not twist it to their own devices.
[ link to this | view in thread ]
I thought that there info was already released (At least I recall reading how to hack the system with there instructions)
[ link to this | view in thread ]
Disclosure
[ link to this | view in thread ]
[ link to this | view in thread ]
Prior Notice practice is nonsense
If you agree with the practice of prior notice then you've either have a biased viewpoint, or you're not too bright.
Should contaminated pharmaceuticals or tainted food get such unrealistic protections.
Apparently, too many of you enjoy your blissful ignorance and seem to feel that bliss should be forced on everyone else. Or perhaps you might be benefiting from the practice of selling flawed software products and don't find the idea of having it's flaws exposed very palatable.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Prior Notice practice is nonsense
a security flaw that has not been disclosed is a powerful weapon in the wrong hands. keeping it secret only gives it more power.
this is the unintended consequence of security by obscurity: the 0day exploit.
disclosure pressures the vendor into fixing, and robs malicious attackers of yet another tool.
discovering a flaw that hasn't been disclosed doesn't mean that you are the only one that's aware of the bug. bugs are not mutually exclusive and bugs don't compete with each other.
in the case of dan kaminsky's DNS bug and the debian random number bug, the two bugs combined pretty much nullified internet security as we know it (ssl/ssh/ipsec, certificate authorities, authoritative DNS, password resets via email, etc.) which is why it was so important for patches to be available (not necessarily applied) at the time of disclosure.
some wankers find bugs and try to sell the info to the vendor or a competitor (or a criminal organization) for money. if no one buys, they disclose with the intent to embarrass the vendor.
[ link to this | view in thread ]
Re: the
Im not sure I get your arguement? It seems to be that criminals dont bother exploiting this subway exploit becuase there is not enough money in it for the hassle, but college students are riskier becuase they will somehow "crash the system" financially by using it so much?
[ link to this | view in thread ]
Re: Re: the
Of course, I wouldn't be surprised to hear some of the file-sharing rationalizations getting recycled to justify ride-swiping: the MBTA doesn't deserve their money, they're a bunch of greedy hacks, it doesn't cost anything to add one rider to a train, if they had to pay they would've walked instead, sometimes they actually pay full fare on the way back so the T ends up getting more business not less, etc.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]