Network World
Saturday, November 22, 2008

John Cox's Blog


"Hang'em all....."

Last weekend, a federal judge issued an injunction blocking some MIT students from explaining to a Defcon audience how to hack the RFID-based fare card system used by the Massachusetts Bay Transportation System (MBTA).

In one account, one student said he was now "afraid."

Good.

Judging from what I've read, that seems to be the minority view.

My colleague Adam Gaffin pointed out the MIT students included a lengthy list of all the ways you can hack the system without any equipment at all, apparently not even a jimmy: walking through unattended fare gates; unprotected and even unlocked network switch rooms; and so on.

NW Columnist Scott Bradner, with Olympian assurance, explained that the MBTA understood neither publicity nor security. Suing the hackers just called more attention to the problem, he says. And "The MBTA defaulted to the common but dumb idea that if security flaws are hidden they will not be exploited. This never works in the long run...."

Actually, the MBTA defaulted to the not-so-dumb idea that if you make available detailed information about how to exploit a hidden security flaw, in this case including source code posted on one student's Website but later removed, it sure makes it a lot easier for the exploiters. In a touch of unintended hilarity, the MIT hackers originally included a PowerPoint slide that warned "THIS IS VERY ILLEGAL! So the following material is for educational use only." Right.

In a nice touch, the MBTA's suit quoted from the "MITnet Rules of Use" which warn students against messing with the integrity of the system by, among other things, "attempting to capture or crack passwords or encryption...."

The Electronic Frontier Foundation, the cyber-ACLU, found yet another reason to harp about how publicly revealing ways to violate computer security is not only a Public Service but a constitutionally protected Public Service. "We believe that this is a protected speech activity. When you discuss security issues, if you are telling the truth, that is something that should be protected," according to an EFF staff attorney. I guess that means if the MIT hackers stood up at Defcon and said "the MBTA system is hackproof" then EFF would be demanding that authorities prosecute the hell out of them.

The MBTA, like every government agency, by definition deserves humiliation, since that is the only sure and certain method of quality improvement in the public sector. Unlocked network switching rooms? Heads should roll. Except, being a state civil service agency, even in the utterly unlikely chance that were to happen, the MBTA would have to keep the headless corpse in place and pay it disability.

Most of the "physical hacks" such as sneaking past a dozing MBTA employee are by definition individual acts. But the original text of the MIT hackers promised "free subway rides for life" -- the prospect of fraud on a grand scale.

But how likely is that? Some security folks argue the risk is minimal: as far as we know, it hasn't been done despite the fact the Mifare Classic vulnerabilities were exposed a year ago. But the recent federal indictments against a ring of hackers, charging them with subverting network security at 9 major US retailers show something else: how a small, highly motivated group of people exploited network vulnerabilities, compromised the online identity of hundreds of thousands of consumers, and looted millions. Their scheme only began to unravel when they tried attacking an as-yet unnamed retailer who had crafted a security system that actually worked.

There's an appealing simplicity in the smug conviction of dumb (MBTA), dumber (the judge), and dumbest (NXP, the RFID card maker). A Slashdotter wondered whether "Dutch openness" (a Dutch court recently refused to block researchers from disclosing Mifare Classic bugs) or "Soviet-style secrecy" (MIT students snatched from the campus at midnight by men in fedoras and dark overcoats, whisked away in a black Mariah to a cellar in Dorchester) would ultimately prevail at Defcon.

But security and publicity, like life, are never that simple. I haven't looked in detail at the specific legal arguments advanced in the MBTA's suit, or by the Electronic Frontier Foundation. But UCLA law prof Eugene Volokh has some preliminary thoughts on his blog, identifying two key issues: is such speech constitutionally protected, and even if not, can it be restricted? He also notes that the MBTA argued in its filing that the students obtained the information they were going to disclose illegally, in violation of the Computer Fraud and Abuse Act. "So this is a pretty complex legal question...," he concludes. No kidding.

It's certainly true that as a result of the MBTA's court suit, a lot more people than otherwise now know that the MBTA fare system can be hacked.

But they also know one more thing: do it, and you face legal action.

Works for me.

Read the constitution, will you?


    Amendment I
    Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.

What this means is that it's perfectly legal to tell people about things that it's illegal to do.

Read the constitution, will you?


@ LordKano

You cannot yell "Fire" in a theater, nor make public threats against officials.

The issue is not "free speech" - though people want to make it that. It's just easier to understand and is more inflammatory of an issue to bring the uneducated to your side.

State & Federal Laws do place controls on the distribution of classes of information and for very good reasons. Just because you learn a state secret (say the identity of secret agents) doesn't automatically enable you to tell the world without some type of legal recourse.

The issue is control of proprietary information that could result, worst case, in failure of a public system. Yes, the MBTA is a public system funded by the taxpayers of Massachusetts and the riders who pay a fee to use it.

Isn't public transportation categorized as "critical infrastructure"? We wouldn't want a secret on how to cause a meltdown of a nuclear reactor publicly discussed at a hacker conference, would we?

The flagrant display of "free rides for life" is a direct attempt to undermine the viability (economic) of a public transportation system. Someone has to pay the bills - are the authors suggesting that the taxpayers pick up the burden? That would leave a lot fewer dollars available for student loans and public education.

The real issue is "responsible disclosure". From reports in the press - the MIT hackers did not provide or attempt responsible disclosure to MBTA officials or even the city mayor or governor's offices. They chose to pursue the "fame" route and attempt to make a grand announcement for personal gain (cred') at a hacker convention.

I'm all for holding public officials to a line of conduct - these systems should be repaired etc., but I cannot condone the actions of these individuals and would prefer to see them prosecuted to the fullest extent of the law.

I don't want to stifle discovery and education - I want to put an end to irresponsible disclosure. In this case - the defendants may just as well have yelled "Fire" in a public place and then sat back and watched people trample each other for their own amusement.

With responsible disclosure - don't expect a system of the size and complexity of the MBTA to be fixed overnight. With complex systems, sometimes the cure is worse than the disease. Patches require time to test and deploy - especially with a system of this scale.

It is the responsibility of the person discovering the issue (legally or illegally) to hold the government agency's feet to the fire. If met with resistance to adopt measures, go up the food chain. If that doesn't work - engage the press, but don't release the technical details to "whoever wants to know". Think about who is getting hurt by your words - the citizens that are paying higher fees because of losses from theft of service.

The more we seek to work together to fix problems, the better this rock will be. That is for both sides - not just the twits being prosecuted.

Re: Read the Constitution


@ Anon-e-mouse

The first half sentence of your note is correct, but the rest falls down. It's true, you can't yell fire... But you can make public threats against public officials, except the President, as long as they're not "fighting words", which would lead a reasonable person to believe that there's an imminent threat of actual violence.

As far as responsible disclosure of security problems is concerned, we'll never know what the MIT students were going to say - they were enjoined from speaking at the conference.

However, the *MBTA*, in their request for an injunction, put into their court filing - a public record - a four page summary of the security flaws, with details for carrying out the attack.

You can read the details on Groklaw (http://www.groklaw.net/article.php?story=20080811193752264)

speak no evil...


Why not simply shut down the web entirely? No web = no security problems. Though I guess one could still disseminate information via other means - TV, radio, smoke signals - to name just a few.

The point is, security through obfuscation or repression is a losing game.

It has been shown over and over that the ONLY way to get some (most?) entities off the dime security-wise is to embarrass them into it and the best way to do that is to detail their stupidity, laziness, cheapness or whatever and do whatever it takes to overcome their inertia.

I've said it before and I'll say it again: Throw a couple of CEOs and CIOs of companies that suffer data breaches in jail for a few years and security will get the funding it deserves and the breaches will stop or at least be slowed down to a trickle.

Until the downside of doing nothing about security outweighs costs of implementing a decent security program there is no reason for a company or government agency to spend a dime on it - security, that is.

supreme court says talking about illegal acts is okay


But apparently Network World only wants vendor-approved security research to see the light of day.

Imagine if Oracle could shut up David Litchfield (and always could). Imagine if Cisco was able to stop all further public discussion of their security vulnerabilities (a much bigger deal than a simple subway hack). Imagine if the SCADA vendors were allowed to silence every researcher that (rightfully) claimed that our physical infrastructure is at risk due to poor software implementation and deployment.

Is Network World really in favor of this position?

I assume they are equally comfortable in honoring the (probably illegal and unenforceable) EULA that prevents discussing database performance (last I checked Oracle and MS had such clauses).

If Network World is uncomfortable with the First Amendment, I suggest they do the honorable thing - shut their doors.

(Sure, prosecute people that break laws, commit fraud, that's a no-brainer.)

"Supreme court says talking about...."


John W. Cox, senior editor, Network World

As I think I mentioned, I'm not a constitutional scholar. But I'm pretty sure the Supreme Court did NOT say "talking about illegal acts is okay."

Talking about 9-11, an illegal act, is itself legal -- protected speech.

Talking about plans to enact another 9-11 attack is not -- it's a criminal conspiracy.

Talking about air traffic network security vulnerabilities that would make another 9-11 attack easier....may or may not be protected speech. It's what constitutes a gray area, and the First Amendment has plenty of them.

Fortunately, of course, the MBTA CharlieCard hack controversy doesn't rise to the same level of urgency. But I think the principles are the same.

Network World doesn't have a company position on the First Amendment, beyond the obvious one of thinking it's a good idea, since we're in publishing. And we've printed or posted plenty of embarrassing if not humiliating stories of vendors prevaricating, obfuscating, chiseling, ducking responsibility, acting irresponsibly, and so on, including security issues.

So if we hold vendors to that standard, it seems logical to hold "security researchers" -- if you want to dignify a group of MIT undergrads with that title -- to similar standards of accountability, responsibility, truthfulness, and the public good.

Cox is a senior editor at Network World.