Just a little background: a group of MIT students hacked the MBTA's (known as the "T") "CharlieCard" stored-value RFID system and attempted to publish a paper on their findings at the recent DEFCON event. They were slapped with an injunction/lawsuit, and MIT was also named in the suit. The injunction was lifted yesterday, with the judge citing misapplication of a computer fraud law as the reason. So the students are free, for the moment, anyway, to proceed.
How one comes down on this issue depends upon one's view of the role of the hacker in society. Hackers, to use the term loosely, are nerds who experiment with a given technology, probing its limits. "Ethical hackers" seek out flaws in security and other elements, reporting their findings to those who employ them so as to fix the problems before they reach the scale of the MBTA case. The MIT students were not employed by the T, and so it is their ethics that are ultimately in question here.
My personal view is that anyone finding a security flaw in any system should report the flaw to the system's operator so that it can be repaired. Once the repair is complete, the finder of the flaw should have the right to publish, and get the credit for the discovery. This kind of recognition is really all that most hackers crave anyway, separating themselves from the much-more-dangerous professional information thieves, who have no ethics and are purely in it for the money. So, hackers can play a useful role and should be stifled only to protect others (like us taxpayers) from their otherwise unchecked over-exuberance - and information thieves deserve the recognition they will get with other thieves, in prison.
The problem here is that the MIT students positioned their discovery not as a flaw to be fixed, but rather as a way to get free rides on Boston's subway system. That would be theft, putting them - and anyone using the knowledge they generated to steal from the MBTA - into the category of thieves. Now, having been a college student myself, I think it's safe to say that this class of hacker doesn't always see the ethical dilemma here. Being perpetually just this side of broke moderates the very definition of theft, especially from a big government bureaucracy.
And it is with that bureaucracy that the problem really lies. The MiFare Classic contactless smart card at the heart of the MBTA's RFID system has known security problems. It should never have been deployed, at least not in its present form - sure, there's no such thing as absolute security, wired or wireless, but there's also no excuse to spend hundreds of millions of dollars of the taxpayer's money on half-baked solutions that don't work, period. While, again, stealing is of course ethically wrong, the MBTA IT staff thus has no one to blame but themselves for the current state of affairs.
I'd lecture the MIT kids on ethics, but otherwise let them go. They'll be paying massive taxes on their huge incomes in the future, truly the best punishment of all. And I'd bet they'll be building really good wireless security systems for us someday, or perhaps even running the MBTA. And they won't make the mistakes that the current management team should have foreseen.
Mathias is a principal at Farpoint Group, a wireless advisory firm in Ashland, Mass.
Punishment to fit the crime
Mr. Mathias,
While I agree with some of your opinions, such as that anyone finding a flaw in a system should report it, not exploit it, I think you're being too lenient about what form the punishment of these young adults should take.
Instead of doing what would be considered the proper thing by most, reporting the flaw(s) to the appropriate personnel, the students chose to exploit it for personal use, AND, help others do the same. This isn't something that should be justified by their current status as students, being broke, etc.
These aren't "kids", these are adults, and if we as a society wish to see our future leaders have at least some semblance of ethical behavior, this type of situation is a very good place to start. When you state "this class of hacker doesn't always see the ethical dilemma ...", I think of this as an opportunity. I'm not suggesting that this illegal activity will lead them down the road to damnation and they'll end up as criminal hackers bilking old ladies out of millions, but it certainly is a good place to teach some folks about right and wrong. Stealing is stealing, and we're not talking about these students not having enough money to buy food!
Instead of a lecture, offer them a plea bargain. Those with immediate knowledge of the flaw(s) cannot disclose any information that relates to how it was discovered, how to utilize it, and everything associated with it. Let the punishment be 100 hours of community service, and that service to be to help repair the system to minimize and, if possible (we do need to be practical in expectation here), eliminate current and future vulnerabilities.
To me this seems to be fair to the offenders and society, and everyone ultimately benefits.
An Excellent Suggestion!
I think I could support your recommendation here. Yes, absolutely, they should not get off without some form of punishment. They can get the publicity they desire, but with a warning that such behavior won't be tolerated further.
But, really, they are kids, and they're smart kids, and we need smart kids, so a measured response is appropriate.
Thank you for the note.
Craig.