Flap Over Transit Flaws Exposes Disclosure Divide

A court order stopped a Defcon presentation, reigniting the debate over responsible security disclosures. The verdict: still no common ground.

A court order put a stop to a planned presentation at the Defcon hackers convention by three MIT students who found security flaws in the electronic ticketing system used by the mass transit authority in Boston. But the ruling reopened the schism in the IT security community over the issue of how vulnerabilities should be publicly disclosed.

Critics of the temporary restraining order, issued on Aug. 9, by a federal judge in Boston, labeled it an infringement of the students' First Amendment rights and an example of prior restraint on free speech. Many said such actions leave vulnerable systems open to attackers and put a chill on security research, driving legitimate researchers underground.

Others, though, saw the case involving the students and the Massachusetts Bay Transportation Authority (MBTA) as another example of publicity-hungry security researchers driven more by ego and the desire for fame than by any sincere interest in improving security.

The disclosure debate boiled over again after the MBTA obtained the 10-day order barring the MIT undergrads -- Zack Anderson, Russell "RJ" Ryan and Alessandro Chiesa -- from publicly disclosing information about the flaws in its e-ticketing system. The gag order was handed down the day before a scheduled Defcon session in which the students planned to detail the holes, which they said they found during independent penetration testing.

In an affidavit, the MBTA claimed that the students didn't give it sufficient information about the vulnerabilities beforehand. The transit authority added that it wasn't trying to permanently gag the students, but that it wanted some time to determine the validity and seriousness of the flaws and a course of action for addressing them.

But the Electronic Frontier Foundation (EFF), a high-tech civil rights group that is defending the three students, contended that the gag order was unconstitutional and wholly unnecessary. Some of the material that the students planned to present had been previously published elsewhere, the EFF noted. And, it said, the students had told the MBTA that they wouldn't release technical details that hackers could use to take advantage of the flaws.

Bruce Schneier, chief security technology officer at BT Group PLC, joined 10 computer science professors and researchers in signing a letter opposing the restraining order that the EFF included as part of a motion to reconsider the decision. Schneier said last week that publicly disclosing vulnerabilities is often the only way to prod businesses to address them.

"Companies won't make [their systems] better by themselves," Schneier said. MBTA officials, he claimed, "are counting on the legal system to protect their shoddy work" on IT security.

As long as the students didn't plan to use what they had discovered for malicious purposes, they had every right to talk about it, asserted Jim Kirby, a senior network engineer at DataWare Services, an IT services firm in Sioux Falls, S.D. "Anyone who says otherwise is invited to read the Constitution," Kirby said, adding that the restraining order was an effort "to enforce security by obscurity."

Other critics pointed out that much of the information had already become public, since the students' slides were included on a CD given to Defcon attendees. In fact, the MBTA asked the court to modify the gag order so it covered only "nonpublic" information. A hearing was held on Thursday, but the order was left in place as is. On the other side of the debate, David Jordan, chief information security officer for Virginia's Arlington County, said the reasonable course of action would have been for the students to help the MBTA address the flaws before disclosing them.

"When you discover major flaws in a system, you go to the people who own the system and work with them," he said. "You don't stand up on a podium and say, 'Look how clever I am.'"

The students did meet with an MBTA police officer and FBI agent on Aug. 4 and then delivered a short report on their findings to the MBTA prior to Defcon, according to the EFF.

But Gartner Inc. analyst John Pescatore said the MBTA wasn't given a reasonable amount of time to fix the problems or develop work-arounds for them. The intent of disclosing flaws should be to make systems more secure, "not to make headlines or sell tickets to security conferences," he added. "The students went for publicity."

This version of this story originally appeared in Computerworld's print edition.

Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon