IT securityLegal skirmish over Defcon talk shows divide on disclosing security flaws
Gag order slapped on MIT students who prepared a talk about Boston transit authority security flaw reignites debate over what “responsible disclosure” of security flaw means
We wrote last week about a court order which put a stop to a planned presentation at the Defcon hackers convention by three MIT students who found security flaws in the electronic ticketing system used by the mass transit authority in Boston. The ruling only reopened the schism in the IT security community over the issue of how vulnerabilities should be publicly disclosed. Computerworld’s Jaikumar Vijayan writes that critics of the temporary restraining order issued Saturday 9 August by a federal judge in Boston have labeled it an infringement of the students’ First Amendment rights and an example of “prior restraint” on free speech. Many said such actions leave vulnerable systems open to attackers and put a chill on security research, driving legitimate researchers underground. Others, though, see the case involving the students and the Massachusetts Bay Transportation Authority (MBTA) as another example of publicity-hungry security researchers driven more by ego and the desire for fame than by any sincere interest in improving security.
The always-simmering disclosure debate boiled over again after the MBTA obtained the 10-day gag order barring the MIT undergrads — Zack Anderson, Russell “RJ” Ryan, and Alessandro Chiesa — from publicly disclosing information about the flaws in its e-ticketing system. The order was handed down the day before a scheduled Defcon session in which the students planned to detail the holes, which they say they found during independent penetration testing. In an affidavit, the MBTA claimed that the students did not give it sufficient information about the vulnerabilities beforehand. The transit authority added that it wasn’t trying to permanently gag the students and that it just wanted some time to determine the validity and seriousness of the flaws and a course of action for addressing them.
The Electronic Frontier Foundation (EFF), a high-tech civil rights group which is representing the three students in court, contended that the gag order was unconstitutional and wholly unnecessary. Some of the material that the students planned to present had been previously published elsewhere, the EFF noted. It said that the students had told the MBTA that they wouldn’t release technical details that hackers could use to take advantage of the flaws. Bruce Schneier, chief security technology officer at BT Group PLC, joined ten computer science professors and researchers in signing a letter opposing the restraining
