Legal skirmish over Defcon talk shows divide on disclosing security flaws

order that the EFF included as part of a motion to reconsider the decision (download PDF). Schneier said this week that publicly disclosing vulnerabilities is often the only way to prod businesses to address them. “Companies won’t make [their systems] better by themselves,” Schneier said. MBTA officials, he claimed, “are counting on the legal system to protect their shoddy work” on IT security. Schneier agreed that it’s good practice in general to give organizations some advance notice before publicly disclosing flaws in their systems. But, he said, it’s often hard to determine exactly what might be construed as “reasonable disclosure” and what might not be.

Steven Bellovin, a computer science professor at Columbia University who also signed the letter, said it is a fallacy to assume that a security problem goes away or remains hidden from view “simply because you don’t talk about it” in public. “I’m not saying the first thing you do when you find a vulnerability is to post it on your blog,” Bellovin said. “But getting injunctions against people is like saying [to them], ‘If you didn’t find it, this problem wouldn’t exist.’”

As long as the students did not plan to use what they had discovered for malicious purposes, they had every right to talk about it, asserted Jim Kirby, a senior network engineer at DataWare Services, an IT services firm in Sioux Falls, South Dakota. “Anyone who says otherwise is invited to read the Constitution,” Kirby said, adding that the restraining order was an effort “to enforce security by obscurity.” Other critics pointed out that much of the information has already become public anyway, since the students’ slides were included on a CD given to Defcon attendees. In fact, the MBTA this week asked the court to modify the gag order so it covered only “nonpublic” information. A hearing on that motion, and one by the EFF seeking a reconsideration of the restraining order, was held on Thursday by a different judge in U.S. District Court in Boston, but he declined to take any action on the motions.

On the other side of the disclosure debate, David Jordan, chief information security officer for Virginia’s Arlington County, said the reasonable course of action would have been for the students to help the MBTA address the flaws before disclosing them publicly. When you discover major flaws in a system that society relies on, you go to the people who own the system and work with them,” Jordan said “You don’t stand up on a podium and say, ‘Look how clever I am.’” He added that in such cases, the goal of security researchers often seems to be to further their own agendas instead of helping others fix problems. “It’s all about improving one’s own self-absorbed ego,” Jordan said.

The students did meet with an MBTA police officer and an FBI agent on 4 August and then delivered a short report on their findings to the MBTA prior to Defcon, according to a court document filed by the EFF (download PDF). Gartner Inc. analyst John Pescatore said, however, that the MBTA was not given a reasonable amount of time before the scheduled Defcon presentation to fix the problems or develop work-arounds for them. The intent of disclosing flaws should be to make software and systems more secure, “not to make headlines or sell tickets to security conferences,” Pescatore said. In this case, he added, “the students went for publicity.” In doing so, they did not follow well-understood principles of responsible disclosure, according to Pescatore. “Responsible vulnerability disclosure really does clean up the software equivalent of dead wood,” he said. “But releasing vulnerability info for sport or publicity does not.”