It is really difficult to hold the positions that I do in the face of specific examples like this recent MBTA vs. MIT bugfinder fiasco. The fundamental security design flaws are outrageous and I am not sure who to be madder at – the MBTA or the card vendor.
I get how maddening that is, and it is even more maddening for me because I have to defend the MBTA's right to protect itself against the exposure of this insecure junk, and that includes this silliness around exposing even more information during the protection phase.
So, I don't want to do it, but it seems clear that the MIT presentation was going to increase the MBTA's risk (keep in mind that this is slightly different than a general computing bug that affects many end-users) by making attacks easier/cheaper and putting the spotlight on this system. And of course the court disclosure information increased the risk even more, though a successful case against the researchers will contribute to the growing costs associated with bugfinding, resulting in a likely long-term decrease in risk.
I don't really know what the legal implications of any of this are, but I suspect in the long run things won't work out for the MBTA.
It seems a shame, then, that the MBTA exposed more information in their court documents than the MIT students were going to expose in their presentation…
As I understand it, the students had no intention of revealing sufficient details to help people mount an attack, and if the MBTA had made it clear that they wanted to see a copy of the presentation at an earlier date then a lot of the nonsense that’s occurred since wouldn’t have happened, and the confidential document the students prepared for the MBTA that DID contain sufficient detail to help an attacker wouldn’t have found its way into the MBTA’s public court documents…
I too think the MBTA should have the right to keep secret certain details that could have cost them a lot of money, but I think they’ve handled the issue in a completely incompetent manner…
Pete,
The question here isn’t one of harm. The worst harm the MBTA is claiming is some financial damage. The first amendment is quite clear on this point, as is supreme court case law. The constitution is the controlling legal document, not the CFAA, as the judge mistakenly said and the MBTA claimed.
I’m hoping that this doesn’t need to turn into a protracted legal battle.
For a nice read on previous first amendment cases I recommend “Speaking Freely” by Floyd Abrams.
None of this deals with whether the students could/should have disclosed responsibly. Since they didn’t commit a crime, they can’t be prosecuted and as such, we can wish all day for how they could have done this differently, we simply shouldn’t ask the government to step in and enforce that viewpoint.
@Andy -
While I agree that the legal issues are interesting, that wasn’t really the focus of this post. My intention was to comment on the immediate and near-term impact on risk, even under distasteful circumstances.
Pete,
It was the phrase “I get how maddening that is, and it is even more maddening for me because I have to defend the MBTA’s right to protect itself against the exposure of this insecure junk” that I took issue with. I don’t believe they have a right to protect themselves in this circumstance, at least not as they have done.
Perhaps I’m just misinterpreting what you wrote.
Response to Schneier on Full Disclosure
As I mentioned in a previous post, the MBTA v. MIT scenario is extremely distasteful to me. I do believe the MIT students have a “right” to disclose the information they had. I also believe they increase risk in the process.