
What Happens On The Internet Stays On The Internet...No Matter What A Judge Says!

For those of you who weren't aware, the long-running Defcon convention was held in Las Vegas this past weekend. It started out with only "hard core" hackers in attendance, but now huge numbers of information security pros and law enforcement attend as well.

Some MIT students, Zack Anderson, R.J. Ryan and Alessandro Chiesa, were scheduled to give a talk titled "Anatomy of a Subway Hack." It detailed a school project they did (and received an "A" on) showing how Massachusetts Bay Transportation Authority (MBTA) fare cards could be hacked to basically change a $1.25 MBTA fare card into a $100 fare card.

Well, the MBTA got wind of this...actually, the MIT students had contacted them in July to tell them about the security flaw and to let them know they would be giving a presentation about it...and last Friday the MBTA filed for an injunction to keep the MIT students from giving their presentation on Sunday.

But guess what? Yep...I bet you can see this coming...

Of course, the electronic presentation had been distributed by Friday...

And as soon as the MBTA complaint was made, the complaint was, of course, made part of the public record...

And soon the MIT presentation...all 87 slides of it...was widely posted on various Internet sites...

Yes, what happens on the Internet stays on the Internet...no matter what a judge says!

What is important to point out, again, is that the MIT students reportedly contacted the MBTA to let them know about the security flaws in their system in July!

"The senior said they contacted transit authority officials in late July. The purpose of the meeting was to educate them about the system's flaws and present them with possible solutions. Early last week, Anderson said, the students met with the transportation officials. After walking representatives through their presentation, the students thought they had allayed the transit authority's fears. But on Aug. 8, they were notified that a federal lawsuit had been filed against them."

There has been much discussion about this, as there should be.

Were the students breaking a law by making a public presentation about the security vulnerabilities within the MBTA system?

Was reporting the security problems to the MBTA, and offering to help them fix the security problems, something that the MBTA should have taken them up on in July instead of waiting until right before their scheduled presentation?

All important and compelling discussions. However, I'm not going to re-hash all that here.

But one point I do want to make is the futility of the court system thinking it could prevent the spread of an electronic presentation that had already been distributed by issuing an injunction that it knew would be entered into the public record for anyone to see.

By issuing the injunction, the court exacerbated the situation: it effectively pulled the trigger on having everyone who read about it searching their way through Internet sites to find, and make copies of, the gag-ordered presentation.

It's kinda like pointing in the air and yelling, "DON'T LOOK!!!" at the Iowa State Fair and then having everyone within earshot, of course, jerking their heads up to look!

The powers that be within our law enforcement and legal systems really need to think through what their actions should be for addressing publications of security flaws.

But then again, would any of this have happened if the MBTA had actually done something to fix the security problems back in July as soon as the MIT students told them about the security flaws?


Comments

Several of the flaws in the system are not new either. Amsterdam uses the same card system. Those particular flaws had been previously known and disclosed.

The MIT students went further than just the card system, however. And only a subset of people would ever hear about it had the MBTA not taken such dramatic measures to stop the presentation.

In any case, we're slowly pounding the heads of the mainstream masses to start rethinking how we handle issues like this. The MBTA has security issues. Someone found them out. The knee-jerk reaction is to try to gag and hide the proof. Shouldn't the reaction be to weigh the economics of fixing the problems rather than wasting time and money crying about it?

Twenty years ago something like this could be easily suppressed and never fixed. The ability to widely and easily share information has changed that whole ability... Of course, on one hand we start laying bare accountability for these things, but on the other we also foster a no-compromise mentality, which flies in the face of economics. :( It's insecure (even though it might cost tons to fix what is otherwise a small risk)!

Michael, thanks for your comments. You have some great points, and I completely agree.

I think it would have been great if the MBTA had immediately worked with the MIT folks back in July when they were contacted, worked 24x7 to fix the vulnerabilities, or at least closed off the ability to do the exploits until everything was fixed appropriately, and then went to Defcon with the MIT folks to jointly talk about the vulnerabilities, how they were discovered, and how they were open to fixing them as soon as possible upon discovery. A great opportunity lost.

Rebecca


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.