[Infowarrior] - Fare's fair for hackers?
Richard Forno
rforno at infowarrior.org
Sun Aug 17 15:46:39 UTC 2008
Published online 15 August 2008 | Nature | doi:10.1038/news.2008.1044
http://www.nature.com/news/2008/080815/full/news.2008.1044.html
News
Fare's fair for hackers?
Researchers warn of ‘devastating effect’ of computer-science gagging
order.
Daniel Cressey
A legal ruling on a student project in the United States has thrown
the computer science community into a battle over the line between
legitimate research and illegal hacking. The disagreement turns on the
principle of "responsible disclosure", which governs decisions by
computer security researchers over when and how to make public
weaknesses in commercial systems.
Eleven top-level computer scientists have publicly come out in support
of a group of students from the Massachusetts Institute of Technology
(MIT). The protest comes after the Massachusetts Bay Transportation
Authority sought and received an order from the district court
restraining the students from delivering a presentation to the annual
DEFCON conference in Las Vegas. The undergraduates' talk was to be on
alleged shortcomings in the security of ‘smart-card’ electronic
tickets used by the MBTA.
[Image: Matthew Broderick in War Games. Caption: "Next step: responsible disclosure". Credit: Punchstock]
According to documents the MBTA filed to the court, the students
claimed to have circumvented security on e-tickets, offered “free
subway rides for life” and “plan to allow others to duplicate their
claimed ‘breaking’”.
In a letter sent in support of the students, the computer scientists
say the court order is unfair and could have a devastating impact on
future research.
“I find the court's decision troubling,” said David Wagner, a computer
scientist at the University of California Berkeley and one of the
signatories to the letter, in an email to Nature. “If the decision is
upheld, it could have a profound chilling effect on scientific
research into the security of information technology.”
Time to take stock
Experts in the area say the strategy of responsible disclosure is
widely accepted for research on security topics. This involves quietly
informing a product’s manufacturer and users when a security issue is
discovered and giving them a set period of time before you publish
your findings.
“If all you do is report quietly it just gets buried and forgotten
about,” says Ross Anderson, a researcher at the University of
Cambridge with much experience in the area. “There’s been quite some
debate and we’ve settled on responsible disclosure. This is widely
accepted in the computer industry.”
Exactly how much time you give the relevant companies and users is
variable, says Bart Jacobs, a researcher at Radboud University
Nijmegen, in the Netherlands. For a problem with a widely used
software product where companies already have the infrastructure for
updates, researchers might give a month. For something like a
smartcard, a longer period might be necessary.
Jacobs was on the receiving end of a similar court case earlier this
year when Dutch company NXP asked for an injunction to stop the
publication of research on security of its Mifare Classic smartcards.
These are used as Oyster cards for transport on London’s trains and
buses.
The injunction was refused: Jacobs plans to publish his findings later
this year. “You give the manufacturer reasonable time to patch things
and at the same time you put the company under pressure to really fix
the problem,” he says.
Indecent disclosure?
In the American case, there is disagreement between the MBTA and the
MIT students over what information was provided and when.
In a statement, the students say they initially contacted the MBTA as
they “wanted to let the MBTA know what they found and wanted to
provide some ideas about how to fix the system”. They also say their
presentation would not have included crucial information needed to
actually hack the fare system and that it contained less information
than documents that the MBTA’s court filing has now made available to
the public.
An MBTA spokesman told Nature, “The MBTA received no pertinent
information from the students before 4.30am on Saturday [the court
order was granted at 1.30pm on Saturday]. We did ask for the
information, and time, and got nothing.” MIT declined to comment.
Yesterday, another judge at the district court ruled the restraining
order — which bars the students from providing “program, information,
software code, or command” that would help compromise the MBTA’s fare
media system — should stand. A decision is expected on Tuesday 19
August about whether it will be amended or withdrawn.
“One thing is clear — the Boston transit authority’s [MBTA] actions
backfired, big time,” says Wagner. “The technical details are all over
the Internet now. The lesson: trying to censor something just draws
even more attention to it.”