
3 takeaways from security-flaw legal flap between MBTA, MIT students

Why muzzling vulnerability disclosures in court is a bad idea, and other lessons learned

August 22, 2008 12:00 PM ET

Computerworld - Earlier this week, a federal judge in Boston lifted a gag order that had blocked three MIT students from publicly discussing security flaws they discovered in the fare-payment system used by the city's mass-transit agency.

The temporary restraining order was issued Aug. 9, one day before the MIT students were scheduled to present a research paper detailing the flaws during a session at the Defcon hacker convention in Las Vegas. In asking for the gag order to be imposed, the Massachusetts Bay Transportation Authority (MBTA) claimed that it hadn't been given enough time or sufficient information prior to Defcon to assess the flaws and figure out a plan for fixing them.

The case reignited the debate over responsible disclosure of vulnerabilities, sparking outrage within some parts of the security community that saw the gag order as a violation of the students' First Amendment rights, while other people said they thought the students should have given the MBTA more time to address the flaws before going public with them.

This week's ruling is likely to quiet that debate, at least temporarily. But there are some takeaways for IT and security managers from the entire episode:

1. There's still little agreement on what constitutes responsible disclosure.

The Boston subway-hack case demonstrated that despite all the talk about the need for responsible-disclosure practices in the security industry, sharp differences remain on what exactly that means. The three MIT undergrads and their supporters appeared to believe that the four-day notice the MBTA was given about the vulnerabilities before Defcon was reasonable enough — and that in any case, it wasn't obligatory.

On the other hand, the MBTA and those aligned with its point of view argued that the students should have given the agency more notice. In fact, at Tuesday's court hearing, the MBTA asked U.S. District Judge George O'Toole to keep the gag order in place for five months — the amount of time that the agency said it will take to fix the flaws.

Similar differences of opinion have been voiced over responsible disclosure for years now. Microsoft Corp., whose products are the ones most targeted by hackers because of their widespread use, has tried to convince security researchers to give it advance notice of at least 30 days on flaws in return for a promise to fix the vulnerabilities within a reasonable period of time and to acknowledge the researchers who discover them. The Organization for Internet Safety, a multivendor group that includes Microsoft and Symantec Corp., proposed similar guidelines five years ago.

Some security researchers have abided by such guidelines, while others have ignored them, arguing that giving vendors advance notice is futile because many tend to ignore the information or sit on it for far too long. To help sweeten the pot, security vendors such as VeriSign Inc.'s iDefense Labs unit have pushed the idea of paying researchers for vulnerability information on the condition that they don't disclose information about the flaws until a fix is ready — an approach that most companies shy away from because of concerns that they could be held hostage by bug hunters demanding to be paid before they hand over information.
