63 Comments
- xOKxWhy, on 08/18/2008, -1/+67: Or you know, they could just fix the vulnerabilities and leave the MIT students alone.
- gemlarin, on 08/18/2008, -0/+49: Too late. Can't gag the web.
(Unless your in China)
http://thepiratebay.org/search/mit%20defcon/0/99/0
- Zippo, on 08/18/2008, -0/+34: I hate how companies always see hackers as a threat instead of a valuable asset. As far as I'm concerned, Boston's MTA should have politely asked them not to publicly discuss the exploits, then asked them to help fix the flaws, and compensated them for their help.
- AmyVernon, on 08/18/2008, -1/+35: Interesting. In a way, I can see the reasoning behind the court order, but without a public discussion of these flaws, how can they be properly addressed?
- nikothefinn, on 08/18/2008, -0/+27: So the students are being penalized for being good at the subject they are paying tens of thousands of dollars to study? Rough.
- Airforcefalco, on 08/18/2008, -0/+27: It is easier to mess with MIT students.
- mikelieman, on 08/18/2008, -0/+23: The guy who should be in court? The guy who authorized the purchase of a known-insecure system.
The real problem here is that the City of Boston bought a piece of ***** system which is quite easy to rip off. Stored value cards without centralized tracking? Laughable.
This is a well-known problem, and is the reason NYC spent the money on a secure system.
Boston went for the CHEAP solution, and now their public failure is exposed for all the world to see.
They're EMBARRASSED, pure and simple, and are apparently willing to abuse the legal system to conceal their gross negligence and/or incompetence.
- phatphil, on 08/18/2008, -0/+18: There is an easily-found torrent floating around w/ the presentation.
- adidos, on 08/18/2008, -0/+17: Or http://digg.com/security/MIT_student_newspaper_pub ...
- kgreen69er, on 08/18/2008, -0/+14: Novel idea: Hire the MIT students to fix the problem.
- philosophiste, on 08/18/2008, -0/+13: At least once more. No one has put it up with the header 'MARTIAL LAW IN USA!!!' yet.
- naner, on 08/18/2008, -0/+13: (Unless my what in China?)
- cgibbo, on 08/18/2008, -1/+12: How many times is this going to be posted?
- spammishking, on 08/18/2008, -0/+11: http://www-tech.mit.edu/V128/N30/subway/Defcon_Pre ... You don't need the pirate bay in this case, the original is still up.
- mikelieman, on 08/18/2008, -1/+12: "The Problem" is that the City of Boston chose the cheap route and bought a known-insecure system. (Stored-value cards without centralized tracking.)
"The Solution" is to go buy the good system, with centralized tracking of the individual cards.
Have fun paying for it twice, Bostonians!
- robobeau, on 08/18/2008, -1/+11: Greetings Digg. Welcome to a week ago.
- Br3ach, on 08/18/2008, -0/+10: No kidding, they could even start just by locking the doors on their data closets...
- Airforcefalco, on 08/18/2008, -0/+8: They would have to find the key first.
Maybe its location is found in the research done by those students?
- AmazingSteve, on 08/18/2008, -0/+7: LOL! A gag order. In the age of the internet. Yeah, good luck with that. Why fix problems when you can just hide them? After all, NOBODY can possibly stumble across them again. My guess is none of it will get fixed. My reasoning? Almost 15 years of using a redbox to get free phone calls using an exploit that old Ma Bell could have fixed quite easily before they finally decided to make it a LITTLE harder. Your tax dollars at work, folks.
The "confidential paper" is here: http://thepiratebay.org/search/mit%20defcon/0/99/0
Spread it far and wide, kids.
- ogarro, on 08/18/2008, -0/+7: In what way can you see the reasoning? I would imagine that they have contacted the responsible authorities, right? Surely if they found the problem they must know and should have put forward a solution to the vulnerability.
- leerayIG88, on 08/18/2008, -0/+6: Admin abuse!
- allengeer, on 08/18/2008, -0/+5: Wow, they put a gag order on obvious hacks to an obviously insecure system.
- erohen, on 08/18/2008, -2/+7: How does a story that is almost 2 weeks old hit the front page?????
- identitymatrix, on 08/18/2008, -0/+5: "Surely if they found the problem they must know and should have put forward a solution to the vulnerability."
Yeah, that's what they did: they gave the NYT their vulnerability assessment report before anything was publicly disclosed. The report explained what both of the vulnerabilities were, forgery and cloning, and also put forth several detailed solutions for how to fix the vulnerability, ranging from the most cost-efficient way to mitigate the problem to the most secure way to redesign the system using cryptographic signatures if cost wasn't an issue.
The vulnerability assessment report is here: http://i.i.com.com/cnwk.1d//i/ne/p/2008/10_2.pdf
- qxrt, on 08/18/2008, -2/+6: It takes time to fix the vulnerabilities... this isn't magic land where fixes just fall out of the sky one day; during the time it takes to fix the vulnerability, hackers could exploit the flaw, especially if it's publicly disclosed. From what I understand, the gag order is only in place while the company fixes the flaws.
In short, most commenters on this article seem to be misunderstanding the role of the gag order. Far easier to just stick it to the big corporation and praise the underdogs rather than take the time to understand the consequences of not running such an order, huh?
- DrPh0bius, on 08/18/2008, -0/+4: Ahhh, the always successful "security through obscurity."
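Two of the posts above name the two fixes the report reportedly proposed: mikelieman's point that stored-value cards are only safe with centralized tracking of each card, and identitymatrix's mention of cryptographic signatures against forgery and cloning. The following is an added example written for this page, not code from the thread, the MIT report or any transit system. It models a toy card record protected by an HMAC (a keyed-MAC stand-in for the report's signatures; the key, card IDs and fare amounts are all constructed) plus a central ledger that remembers each card's last balance and transaction counter. A card whose balance field was rewritten fails the tag check, and a copy of an older card image replayed after a real ride is caught because its counter is behind the ledger.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed demo key for this example only; a real issuer keeps it off the cards
# and ideally inside the back-end (or an HSM), never in reader firmware.
ISSUER_KEY = b"constructed-demo-issuer-key"


@dataclass(frozen=True)
class CardState:
    card_id: str
    balance_cents: int
    counter: int  # transaction counter, incremented on every fare deduction


def _encode(state: CardState) -> bytes:
    return f"{state.card_id}|{state.balance_cents}|{state.counter}".encode()


def seal_card(state: CardState, key: bytes = ISSUER_KEY) -> bytes:
    """Write a card record with an HMAC-SHA256 tag so any edit to the fields is detectable."""
    record = _encode(state)
    tag = hmac.new(key, record, hashlib.sha256).hexdigest()
    return record + b"|" + tag.encode()


def read_card(blob: bytes, key: bytes = ISSUER_KEY) -> Optional[CardState]:
    """Return the card state if the tag verifies, else None (forged or corrupted record)."""
    try:
        record, tag = blob.rsplit(b"|", 1)
        card_id, balance, counter = record.decode().split("|")
    except ValueError:
        return None
    expected = hmac.new(key, record, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return CardState(card_id, int(balance), int(counter))


class CentralLedger:
    """Back-end record of every card's last known state: the 'centralized tracking'."""

    def __init__(self) -> None:
        self._last: Dict[str, Tuple[int, int]] = {}  # card_id -> (balance, counter)

    def issue(self, card_id: str, balance_cents: int) -> bytes:
        self._last[card_id] = (balance_cents, 0)
        return seal_card(CardState(card_id, balance_cents, 0))

    def deduct_fare(self, blob: bytes, fare_cents: int) -> Tuple[str, Optional[bytes]]:
        state = read_card(blob)
        if state is None:
            return "rejected: bad tag", None
        known = self._last.get(state.card_id)
        if known is None:
            return "rejected: unknown card", None
        if known != (state.balance_cents, state.counter):
            # An older card image (a clone taken before a ride) carries a counter
            # the ledger has already moved past, so it is refused even though its tag is valid.
            return "rejected: stale state (clone or replay)", None
        if state.balance_cents < fare_cents:
            return "rejected: insufficient balance", None
        new_state = CardState(state.card_id, state.balance_cents - fare_cents, state.counter + 1)
        self._last[state.card_id] = (new_state.balance_cents, new_state.counter)
        return "ok", seal_card(new_state)


def demonstrate() -> dict:
    """Run the three cases (forged balance, legitimate ride, replayed clone) and return outcomes."""
    ledger = CentralLedger()
    original = ledger.issue("card-0001", 500)  # constructed card with a $5.00 balance
    # 1. Forgery: the balance field is rewritten without the issuer key.
    forged = original.replace(b"|500|", b"|99999|")
    forged_result, _ = ledger.deduct_fare(forged, 200)
    # 2. Legitimate ride: ledger advances to (300, 1) and the card is rewritten.
    first_result, updated = ledger.deduct_fare(original, 200)
    # 3. Clone: a copy of the pre-ride image is presented again.
    clone_result, _ = ledger.deduct_fare(original, 200)
    # 4. The genuinely updated card still works.
    second_result, final_blob = ledger.deduct_fare(updated, 200)
    return {
        "forged": forged_result,
        "first_ride": first_result,
        "clone_replay": clone_result,
        "second_ride": second_result,
        "final_state": read_card(final_blob),
    }


if __name__ == "__main__":
    for case, outcome in demonstrate().items():
        print(f"{case}: {outcome}")
```

The tag alone stops forgery but not cloning, since a bit-exact copy of a valid card is still valid; the ledger alone stops neither if readers trust the card's own balance. Only the combination covers both of the vulnerability classes named in the thread, which is why the two fixes are discussed together.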
It works out so well for Microsoft, huh?
- inactive, on 08/18/2008, -0/+3: Gag order? Doesn't the First Amendment make this unconstitutional and hence null and void?
- Airforcefalco, on 08/18/2008, -0/+3: To protect the obvious from the oblivious?
- jserio, on 08/18/2008, -0/+3: From a PDF linked to from the article:
----------
"The students presented their research to technical representatives of the MBTA and to the FBI a few days before the conference. They also provided a confidential paper detailing the problems they found and proposed solutions."
"We are aware that both the slides for the intended presentation AND THE CONFIDENTIAL PAPER HAVE NOW BEEN MADE WIDELY PUBLICLY AVAILABLE, both through the conference materials submitted prior to the filing of the lawsuit and through filings in the public docket in this case by the MBTA."
----------
Has anyone seen this "confidential paper"?
- Rikkochet, on 08/18/2008, -0/+3: Articles like this are always vague on how much time was given, and in fact what the grads had implied they were going to release.
If they announced a week before the conference that they were going to "blow the whole Boston ticketing system open", well, I can see why there might be some panic to halt this.
Even if they were going for a fully professional and reasonable disclosure, who's to say they (or someone) didn't hype it up as more than that?
- Airforcefalco, on 08/18/2008, -2/+5: Or Italy
- Airforcefalco, on 08/18/2008, -0/+3: Reminds me of some huge security holes in Windows and how they were brought up to Microsoft only to have Microsoft say that they will be patched during the next service pack.
The individuals who found the flaw released it to the internet and voilà, a patch!
- InfiniteNothing, on 08/19/2008, -0/+3: WTF, why is intent or ego or whatever even relevant?
The intent of disclosing flaws should be to make software and systems more secure, "not to make headlines or sell tickets to security conferences."
Lesson here, kids, is publish first, then use plausible deniability to deny any malicious intent. There's no incentive to even try and cooperate. What are they going to do, sue the college students for their Top Ramen noodles?
- chrisduser, on 08/18/2008, -0/+3: A story that is two weeks old will hit the front so long as it is new(s) to enough people. Hope that clears up the misconception that any news story on the front page has been viewed by all Digg users.
- UltraDavid, on 08/18/2008, -0/+2: "Others, though, see the case involving the students and the Massachusetts Bay Transportation Authority (MBTA) as another example of publicity-hungry security researchers driven more by ego and the desire for fame than by any sincere interest in improving security."
Why is this important? Who cares whether their motives are selfish or beneficent? The issue is whether they have freedom of speech, not whether they have freedom of speech to use for nice reasons.
- Airforcefalco, on 08/18/2008, -0/+2: Because people clicked on the "digg it" button.
- UltraDavid, on 08/18/2008, -0/+2: Please don't bury this guy.
- Black6x, on 08/19/2008, -0/+2: Court-ordered gag order:
Using taxpayer dollars and abusing the legal system in order to cover up a mistake created with taxpayer dollars, rather than fixing it.
- jserio, on 08/18/2008, -0/+2: The open letter to the Court mentions a "confidential paper" that contains additional information not in the "public presentation" (to ensure people could not reproduce the exploit). However, it goes on to say that the confidential paper has been made public. Has anyone seen this?
- mithrasinvictus, on 08/19/2008, -0/+2: They shouldn't have bought the system in the first place. Similar systems have already been proven insecure; the company has had ample time to diagnose and fix the security on its own.
Because of gag orders like this there will simply be no disclosure up front next time; they'll just have to learn about it from the press conference. Would you prefer that?
- Suriyawong, on 08/19/2008, -0/+1: Interesting stuff if you actually read the vulnerability assessment. One of the most surprising things to me was that employees were leaving what should be secured rooms completely unlocked, as well as leaving the turnstiles unlocked. I wouldn't think it'd be that difficult to make a hacking device to let you in for free every time if you could get access to one of those turnstiles. On top of that, leaving a wiring closet door unlocked is just asking for a hacker to steal confidential information. Being in Boston, what with all the MIT students there, they should be more aware of simple security techniques.
- Tiak, on 08/19/2008, -0/+1: It will keep being posted until they stop referring to Bruce Schneier as "hief security technology officer at BT Group PLC". Bruce Schneier is a god.
http://geekz.co.uk/schneierfacts/
- widgetmaker, on 08/19/2008, -0/+1: Some of digg, the PowerPoint was on here a week or so ago.
- yingjai, on 08/19/2008, -0/+1: Another duplicate post on the front page. Yay!
- harlowsmonkeys, on 08/19/2008, -0/+1: Buried, because this was extensively covered EVERYWHERE last week, when it was actually news.
- nmckinlay, on 08/19/2008, -0/+1: ***** the RIAA!
- jserio, on 08/19/2008, -0/+1: The PowerPoint was not the confidential paper discussed. It was in addition to that.
- JonForTheWin, on 08/19/2008, -0/+1: Security issues should be disclosed in the harshest way possible.
- jserio, on 08/19/2008, -0/+1: Found it. Someone was kind enough to post it above.
- inactive, on 08/19/2008, -0/+1: The PDF is already on the net, haha.