
Gag Order Fuels Responsible Disclosure Debate

jvatcw writes "The Boston subway hack case has exposed a familiar rift in the security industry over responsible disclosure standards. Many see the temporary restraining order preventing three MIT undergrads from publicly discussing vulnerabilities they discovered in Boston's mass transit system as a violation of their First Amendment rights. Others, though, see the entire episode as yet another example of irresponsible, publicity-hungry security researchers trying to grab a few headlines." We discussed the temporary restraining order last weekend, and later the EFF's plans to fight it. CNet reports that another judge has reviewed the order and left it intact. Reader canuck57 contributes a related story about recent comments by Linus Torvalds concerning his frustration over the issue of security disclosure.
  • by bogaboga ( 793279 ) on Saturday August 16, 2008 @02:37AM (#24624647)

    ...How? You may ask.

    By letting Russian hackers release the info. The problem for the authorities is to prove that those under the gag order had a hand in this. The Russians get the information using no traceable medium. That includes the internet, post, fax etc.

    Proving that the students had a hand in this, would be hard if not impossible. After all, the system was open to usage to everyone as long as they paid up -- including the Russians we are talking about.

  • by Anonymous Coward on Saturday August 16, 2008 @02:58AM (#24624717)

    Linus manages to be right, arrogant and stupid in the same statement.

    He seems to have now discovered that in order to improve security you have to try to fix all bugs. This is right. A bug is a place where the software doesn't do what the "educated" user expects. That can almost certainly lead to a security situation.

    He's completely stupid, however, to compare a random bug with a demonstration of exploitability. When someone has an exploit, that's something they can sell for money to cause harm to your users. Some exploit finders do. Someone who chooses to tell the software designer directly is doing the designer a big favour. Someone who chooses to tell the users directly is doing them a big favour. An exploitable bug like in Boston is always the tip of a huge iceberg. It's a sign for a software author/designer to go and review their entire design and start looking for ways of doing it more solidly and with better protection in place. It's a sign for users to change to a more secure system.

    Finally, Linus is arrogant because his new discovery, that fixing bugs is a good idea for security, is exactly what the OpenBSD group has been preaching for ages. Despite not having a hundredth of the resources Linus has at his disposal, they have demonstrated much better commitment to delivering quality software than he has. He could just have said "thank you".

  • by 0123456 ( 636235 ) on Saturday August 16, 2008 @03:08AM (#24624733)

    "You can store the value on the card. You just have to combine it with salt and encrypt it against a big enough private key. Shouldn't be hard in this day and age."

    How does that help? If you can copy the data to another card or prevent the reader from updating the value, then you have infinite amounts of money available.

    We used to have stored value cards at university back in the 80s, and it wasn't long before someone discovered how to prevent the automated readers from writing the value back to the card after they subtracted money from it so it never went down. There was also a bug where in some cases the reader would add $100 to the card rather than deducting $0.25...
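
    The two attacks the comment above describes (restoring a copied card image, and stopping the reader from writing the debited value back) both work against a card whose balance is merely authenticated, because the reader sees a perfectly valid image every time. The Python below is an added example, not code from the thread or from any real fare system: the card layout, the shared reader key, the fare and the `LedgerReader` back-end check are all constructed here for illustration. It runs the replay against a reader that trusts any valid MAC, then against one that also tracks the newest write counter it has seen for each card.

```python
"""Stored-value card replay: why a MAC/signature on the balance alone does not
stop the attacks in the comment above (restore a copied card image, or block
the reader's write-back).  Added example; card format, key and fare are
constructed for illustration, not taken from any real fare system."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

READER_KEY = b"constructed-demo-key"   # secret shared by the fare readers (assumption)
FARE = 25                              # cents per ride, chosen for the demo


@dataclass(frozen=True)
class Blob:
    """What the reader can read from the card: balance, write counter, MAC."""
    card_id: str
    balance: int
    counter: int
    mac: bytes


def mac_for(card_id: str, balance: int, counter: int) -> bytes:
    # The MAC binds balance and counter to the card id, so a plain copy of the
    # bytes onto a card with a different id fails verification.
    msg = f"{card_id}|{balance}|{counter}".encode()
    return hmac.new(READER_KEY, msg, hashlib.sha256).digest()


def issue(card_id: str, balance: int) -> Blob:
    return Blob(card_id, balance, 0, mac_for(card_id, balance, 0))


def debit(blob: Blob) -> Blob:
    nb, nc = blob.balance - FARE, blob.counter + 1
    return Blob(blob.card_id, nb, nc, mac_for(blob.card_id, nb, nc))


def mac_valid(blob: Blob) -> bool:
    return hmac.compare_digest(blob.mac, mac_for(blob.card_id, blob.balance, blob.counter))


class NaiveReader:
    """Offline reader: accepts any card image with a valid MAC and enough balance."""

    def ride(self, blob: Blob) -> Optional[Blob]:
        if not mac_valid(blob) or blob.balance < FARE:
            return None
        return debit(blob)               # new image the reader tries to write back


class LedgerReader:
    """Reader backed by a ledger of the newest counter seen per card.
    The ledger is committed before the card is written, so a card that still
    carries an old counter (restored copy, or blocked write-back) is refused."""

    def __init__(self) -> None:
        self.last_counter: Dict[str, int] = {}

    def ride(self, blob: Blob) -> Optional[Blob]:
        if not mac_valid(blob) or blob.balance < FARE:
            return None
        if blob.counter != self.last_counter.get(blob.card_id, 0):
            return None                  # stale state: replayed or never written back
        self.last_counter[blob.card_id] = blob.counter + 1
        return debit(blob)


def rollback_attack(reader, rides: int) -> int:
    """Present the same copied card image for every ride; returns rides accepted.
    Blocking the write-back has the same effect: the card never changes."""
    original = issue("card-A", 100)      # four fares' worth of value
    accepted = 0
    for _ in range(rides):
        if reader.ride(original) is None:
            break
        accepted += 1
    return accepted


def clone_attack(reader) -> bool:
    """Copy card-A's image onto card-B; True if the reader accepts it."""
    src = issue("card-A", 100)
    clone = Blob("card-B", src.balance, src.counter, src.mac)
    return reader.ride(clone) is not None


if __name__ == "__main__":
    print("naive reader, 10 replayed rides on 100 cents:", rollback_attack(NaiveReader(), 10))  # 10
    print("ledger reader, same attack:", rollback_attack(LedgerReader(), 10))                   # 1
    print("clone onto another card id accepted:",
          clone_attack(NaiveReader()), clone_attack(LedgerReader()))                            # False False
```

    The point of the counter check is that the reader's own record, not the card, is the source of truth for how far the card has been spent; a reader that is offline and has no such record has nothing to compare against, which is why the "infinite money" observation in the comment holds for purely offline stored-value readers. The separate bug the comment mentions, a reader crediting $100 instead of debiting $0.25, is a logic error in the reader and is not addressed by any of this.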

  • by Anonymous Coward on Saturday August 16, 2008 @03:10AM (#24624739)

    That is such a primitive way of looking at things. Call-home systems suffer from all kinds of issues that a PKI system with localized validation could laugh at with both PCI busses tied behind its back. For crying out loud, this is NOT the 1970s! You could store tens of millions of private keys on each and every single card reader and not even notice the change in costs. A smart card that stores just one side of the asymmetric key pair and a value (ie: a card that is read-only EXCEPT to an authorized machine) - Mondo Cards have been around for 15-20 years - is infinitely more secure than any bank and is infinitely more private. The only reason Swansea didn't stick with them is that 15-20 years ago the tech was too primitive. It was damn good, but too early. And that wasn't for any damn light rail, people were putting real money onto those cards. And they worked, and you don't hear of anyone going to a black hat conference wanting to talk about security holes in them. I trust proven technology and proven results. Banks offer neither. I use them because they're still one or two rungs up the ladder from the pond scum that run the credit card system.

  • by wellingj ( 1030460 ) on Saturday August 16, 2008 @03:27AM (#24624777)
    I really don't want to get flamed here but, are you a native English speaker? I'm having trouble making heads or tails of your argument. Maybe I'm the one who's dense...
  • by dynamo52 ( 890601 ) on Saturday August 16, 2008 @04:00AM (#24624843)
    I'm with you. I read that post three times and understood it less each time. It reads like some automatically generated spam email.
  • by Sycraft-fu ( 314770 ) on Saturday August 16, 2008 @04:25AM (#24624913)

    Temporary restraining orders of all different kinds are often issued at the beginning of a legal case. The idea is that a party might be doing another party harm, and you shouldn't have to wait for the conclusion of a court case (which can take years in some cases) to get the harm to stop. The other party can, of course, argue that the restraining order would cause them harm and thus shouldn't be granted.

    Take, for example, a case of someone slandering you. They make knowingly false statements about you with the intent to harm you. This is a matter in which you can take legal action against them, so you do. However, they are a rich prick, so they lawyer up and basically work to drag the lawsuit out as long as possible. They know they'll lose, they just want it to take forever. So should they be allowed to continue while the case is going on? Should you continue to have to endure this for months, maybe years? No, so you'd try to get the judge to issue a temporary restraining order to make them shut up until the case was settled.

    Now I'm not saying that it was a good idea for the city to bring a case against these students, however that isn't really for the judge to decide at this point. The question basically comes down to: Could the respondents (the students) cause the plaintiff (the city) harm through their actions? Would it cause the respondents harm to have to cease their action? Well yes, it would cause the city harm if the students revealed their information. You can argue the city deserves it, but all the same. However it won't really cause the students any harm to have to keep quiet about it until the case is settled.

    Hence you can see why the judge would grant the order. It isn't a permanent order or anything, it is basically just saying "You have to keep your mouths shut until we've had a chance to examine the case in court." If the EFF lawyers make a good argument (I wouldn't count on it, the EFF has a poor courtroom record) as to why the gag order should be lifted, the judge will do that.

    You see this kind of thing in patent cases all the time. A party will sue over a patent and request an injunction to prevent the other party from selling the allegedly infringing product. These often get granted, then removed shortly after when counter arguments are made.

    It even applies to personal restraining orders. If you want a restraining order against someone, you go to a judge and present your case. If they find it compelling, one is granted. The person it was against can then challenge it, but it is granted before they can challenge it. Happened to a friend of mine. A girl he knew liked to use them as weapons against people and he pissed her off, so she got one on him. He then went to court and argued why it was bullshit. The judge agreed, dismissed the order and barred her from getting another one against him for a couple years.

    So while you can get mad at the city, the legal system appears to be working as it should.

  • by Jane Q. Public ( 1010737 ) on Saturday August 16, 2008 @04:54AM (#24624985)
    And for good reason!!!

    They have a RIGHT to speak. They can exercise discretion and do people a favor, or they can exercise a different kind of discretion and do a different group of people a favor, or they can lack discretion and get themselves arrested for illegal speech, which does happen sometimes... but only AFTER they say it! There is no such law as "conspiracy to say something harmful or offensive"!

    Regardless of whether it is right or responsible or moral for them to do what they want to do, they have a RIGHT to speak. And you can't mess with that right without messing up a hell of a lot more than just the "security" of one sorry municipality or corporation.

    Prior restraint amounts to a legal attempt to read someone's mind. Sorry, but "thought crimes" STILL do not exist in this country. Because prior restraint would open up a whole nightmarish can of worms and, effectively legitimize the concept of "thought crime", it should never be tolerated even a little bit, EVER.
  • by Anonymous Coward on Saturday August 16, 2008 @07:54AM (#24625469)

    The judge upheld the gag order because he realized that riding the subway for free is a bigger threat to civilization than blowing up the world. That's why the MTA was entitled to prior restraint against the subway hackers, when the US government was not able to restrain The Progressive magazine from publishing the secret of the H-bomb in the 1980's.

    For more info, google "morland progressive" or see the first hit:

    http://www.fas.org/sgp/eprint/cardozo.html

  • by SpammersAreScum ( 697628 ) on Saturday August 16, 2008 @12:43PM (#24627097)

    Could the respondents (the students) cause the plaintiff (the city) harm through their actions? Would it cause the respondents harm to have to cease their action? Well yes, it would cause the city harm if the students revealed their information.

    You appear to be overlooking the critical point that the students' planned presentation did not Reveal All -- critical information needed to actually exploit the flaw was left out. MBTA was told this and sued anyway. The only "harm" the city would have suffered is well-deserved acute embarrassment.
