3 takeaways from security-flaw legal flap between MBTA, MIT students
Why muzzling vulnerability disclosures in court is a bad idea, and other lessons learned
Computerworld - Earlier this week, a federal judge in Boston lifted a gag order that had blocked three MIT students from publicly discussing security flaws they discovered in the fare-payment system used by the city's mass-transit agency.
The temporary restraining order was issued Aug. 9, one day before the MIT students were scheduled to present a research paper detailing the flaws during a session at the Defcon hacker convention in Las Vegas. In asking for the gag order to be imposed, the Massachusetts Bay Transportation Authority (MBTA) claimed that it hadn't been given enough time or sufficient information prior to Defcon to assess the flaws and figure out a plan for fixing them.
The case reignited the debate over responsible disclosure of vulnerabilities, sparking outrage within some parts of the security community that saw the gag order as a violation of the students' First Amendment rights, while other people said they thought the students should have given the MBTA more time to address the flaws before going public with them.
This week's ruling is likely to quiet that debate, at least temporarily. But there are some takeaways for IT and security managers from the entire episode:
1. There's still little agreement on what constitutes responsible disclosure.
The Boston subway-hack case demonstrated that despite all the talk about the need for responsible-disclosure practices in the security industry, sharp differences remain on what exactly that means. The three MIT undergrads and their supporters appeared to believe that the four-day notice the MBTA was given about the vulnerabilities before Defcon was reasonable enough — and that in any case, it wasn't obligatory.
On the other hand, the MBTA and those aligned with its point of view argued that the students should have given the agency more notice. In fact, at Tuesday's court hearing, the MBTA asked U.S. District Judge George O'Toole to keep the gag order in place for five months — the amount of time that the agency said it will take to fix the flaws.
Similar differences of opinion have been voiced over responsible disclosure for years now. Microsoft Corp., whose products are the ones most targeted by hackers because of their widespread use, has tried to convince security researchers to give it advance notice of at least 30 days on flaws in return for a promise to fix the vulnerabilities within a reasonable period of time and to acknowledge the researchers who discover them. The Organization for Internet Safety, a multivendor group that includes Microsoft and Symantec Corp., proposed similar guidelines five years ago.
Some security researchers have abided by such guidelines, while others have ignored them, arguing that giving vendors advance notice is futile because many tend to ignore the information or sit on it for far too long. To help sweeten the pot, security vendors such as VeriSign Inc.'s iDefense Labs unit have pushed the idea of paying researchers for vulnerability information on the condition that they don't disclose information about the flaws until a fix is ready — an approach that most companies shy away from because of concerns that they could be held hostage by bug hunters demanding to be paid before they hand over information.