Gag Order Fuels Responsible Disclosure Debate
jvatcw writes "The Boston subway hack case has exposed a familiar rift in the security industry over responsible disclosure standards. Many see the temporary restraining order preventing three MIT undergrads from publicly discussing vulnerabilities they discovered in Boston's mass transit system as a violation of their First Amendment rights. Others, though, see the entire episode as yet another example of irresponsible, publicity-hungry security researchers trying to grab a few headlines."
We discussed the temporary restraining order last weekend, and later the EFF's plans to fight it. CNet reports that another judge has reviewed the order and left it intact. Reader canuck57 contributes a related story about recent comments by Linus Torvalds concerning his frustration over the issue of security disclosure.
You said gag.
Linus is dead on right. If you find it, tell the author(s). If they don't respond? Tell the world. Software makers should credit those that find the bugs as well. This will eventually lead to credit where credit is due, and subsequent reputation building in a reasonable manner.
Gag orders just make things worse. This is where I believe the law should take a stand. If someone makes reasonable due diligence to report the vulnerability to the author(s) and nothing happens in response to the report, then the authors have no recourse on what happens when it is made public. This is in line with the intent of our legal framework now, and would not IMO violate legal values.
"Unsafe at any speed" was not exactly something the auto industry wanted to deal with, but they had to. Those lessons are very applicable here. Those who don't play nice and disclose to the public too soon should be penalized if actual damages can be shown. Restraint and respect. These two things have no dependency on reciprocal action.
I read Linus' rant and he's absolutely correct. The bigger the flame war over vulnerabilities, the more security companies make off of unwarranted fears etc. It's just a game, and where the law is concerned, we have prior examples to look at... and goddamnit, they are about cars! No analogy needed here
However...
"...yet another example of irresponsible, publicity-hungry security researchers trying to grab a few headlines" <-- this does not invalidate this --> "First Amendment rights" ...no matter what the neo-cons or lobbyists might say.
What part of the First Amendment don't you understand?
...How? You may ask.
By letting Russian hackers release the info. The problem for the authorities is to prove that those under the gag order had a hand in this. The Russians get the information using no traceable medium. That includes the internet, post, fax etc.
Proving that the students had a hand in this, would be hard if not impossible. After all, the system was open to usage to everyone as long as they paid up -- including the Russians we are talking about.
The MTA is trying to cover up the fact that their system design is very weak. The value of the card is actually stored on the card, and there's no central validation. That's embarrassing, considering that the MTA implemented fare cards quite late, long after other cities.
The NYC MetroCard system, in comparison, is totally paranoid. Cards have unique serial numbers and are validated by the entry gate, the station computer, and central servers at MetroCard HQ. Creating new cards with new IDs won't work. Duplicating cards is possible, but is detected the second time the card is used. NYC is so paranoid that equipment maintenance is performed by an outside company, but NYC employees handle the money and blank cards, so that no single party has full access. The New York City subway system was losing about $20 million a year to token fraud, and when the new system went in, they were determined that would stop. They had some fraud back in 1995, when someone stole a supply of blank cards and was able to encode them, but it turned out to be a rip-off for buyers - the cards only worked once, then were invalidated.
The first fare card system, San Francisco's BART, isn't that secure, but has a big advantage - BART has exit gates. So, while it doesn't have real-time validation against a central database, gate info is being transmitted in the background to a central system, and if centralized analysis indicates something funny going on, central control can flag the card, trap the user at the exit gate, and alert station security to check the card.
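To make the design contrast in the post above concrete, here is an added toy model (not the poster's code and not any transit agency's software; the serials, balances, fare and the exact validation rule are constructed assumptions). It shows why a stored-value card that is trusted offline accepts a cloned card, while a central ledger keyed on the card's serial number rejects the clone the second time the serial is presented, and rejects a forged serial outright.

```python
from dataclasses import dataclass, replace

FARE = 200  # fare in cents; constructed sample value


@dataclass
class Card:
    serial: str
    balance: int   # value as written on the card itself
    counter: int   # number of rides, as written on the card itself


class OfflineGate:
    """Stored-value design: the gate believes whatever the card says."""

    def tap(self, card: Card) -> bool:
        if card.balance < FARE:
            return False
        card.balance -= FARE
        card.counter += 1
        return True


class CentralValidator:
    """Serial-number design: the server's ledger, not the card, is authoritative."""

    def __init__(self, issued: dict[str, int]):
        # serial -> authoritative balance and ride counter (constructed issuance data)
        self.ledger = {s: {"balance": b, "counter": 0} for s, b in issued.items()}
        self.flagged: set[str] = set()

    def tap(self, card: Card) -> str:
        rec = self.ledger.get(card.serial)
        if rec is None:
            return "REJECT_UNKNOWN_SERIAL"      # a made-up serial was never issued
        if card.serial in self.flagged:
            return "REJECT_FLAGGED"             # serial blocked after an earlier anomaly
        if (card.counter, card.balance) != (rec["counter"], rec["balance"]):
            # The card's state is stale relative to the ledger: a copy of this serial
            # has already been used, or the card was rolled back. Flag and reject.
            self.flagged.add(card.serial)
            return "REJECT_CLONE_DETECTED"
        if rec["balance"] < FARE:
            return "REJECT_INSUFFICIENT"
        rec["balance"] -= FARE
        rec["counter"] += 1
        card.balance, card.counter = rec["balance"], rec["counter"]
        return "ACCEPT"


def offline_scenario() -> list[bool]:
    """Clone a 400-cent card; the offline gate happily takes rides from both copies."""
    original = Card("A1", 400, 0)
    clone = replace(original)        # byte-for-byte copy of the card contents
    gate = OfflineGate()
    return [gate.tap(original), gate.tap(clone), gate.tap(clone), gate.tap(clone)]


def central_scenario() -> list[str]:
    """Same clone against a central ledger: detected on the clone's first use."""
    server = CentralValidator({"A1": 400})
    original = Card("A1", 400, 0)
    clone = replace(original)
    forged = Card("ZZ9", 10_000, 0)  # never-issued serial with a generous balance
    return [
        server.tap(original),   # first legitimate ride
        server.tap(clone),      # clone presents counter 0 while ledger says 1
        server.tap(original),   # genuine card now also blocked: the serial is burned
        server.tap(forged),     # unknown serial, rejected without touching the ledger
    ]


if __name__ == "__main__":
    print("offline gate:", offline_scenario())
    print("central ledger:", central_scenario())
```

The central design's cost is also visible here: once a serial is flagged, the genuine card is locked out too, which is exactly the "detected the second time the card is used" behaviour the post describes.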
I am glad this judge has put a gag order on the MIT students, because now there is no exploit, and we are all safe from the terrorists/etc.
As we all know, if we all don't talk about it, it doesn't exist... right?
Okay, so sarcasm aside, this is the most ridiculous idea I have ever heard. Attempting to fix a problem by stopping people from hearing about the problem?
I know I am over simplifying the matter to get my point across, but I'm doing this to point how ridiculous it is.
Additionally by saying "He added that in such cases, the goal of security researchers often seems to be to further their own agendas instead of helping others fix problems." shows a complete lack of understanding of market forces. Yes he is furthering his own agenda, and in the process, he benefits us. It's the market you commie bastard, it isn't evil, we all win, get over it.
"If anyone else knows, you must disclose."
"Many see the temporary restraining order preventing three MIT undergrads from publicly discussing vulnerabilities they discovered in Boston's mass transit system as a violation of their First Amendment rights. Others, though, see the entire episode as yet another example of irresponsible, publicity-hungry security researchers trying to grab a few headlines."
Well, how about both? It can be a restriction of their first amendment rights *and* a publicity hungry "researcher" trying to grab headlines. The two things are not mutually exclusive.
Doing the Right Thing has not been in vogue for many years now, it is all about making some form of a statement.
It would be interesting to see the fingers being pointed if said system was attacked by terrorists and the only people killed were the family of the two sides. My guess is that the other side's point of view would become immediately obvious and they would both then point fingers at each other in an attempt to make themselves feel better.
However in this particular case I can see why the courts would give a gag order until the case is heard - that is not a violation of your first amendment rights. It has generally been established that whilst things are being litigated, the more restrictive side is somewhat enforced until the case is decided. That really only makes sense - otherwise why even have the courts make some type of decision in this case, as one side is the de facto winner?
Ah well, what do I know? It's worth our deaths to tell everything, yet if we kept all flaws secret then all would be well. We can't do something reasonable like, say, not tell people bent on killing us how to do it, and when we are informed of a problem fix said thing. Nope, too hard to do and it may show that we aren't the Saviors of the World we think we are. Heck, we may even have to look at the other side as Not Crazy and wanting to live free and with little threat of death - how bad would that be?
Yes he is furthering his own agenda, and in the process, he benefits us. It's the market you commie bastard, it isn't evil, we all win, get over it.
The market is neither evil, nor good, it merely is.
But, as we've seen time and time again, without regulation, markets tend towards imperfect competition.
That said, what you and many other people generally fail to point out is exactly how security researchers contribute towards the free market. Their contribution is information. Complete information (in this case) is when everyone has knowledge that an exploit exists. Perfect information is when everyone has knowledge of how the exploit works.
But economics and markets are never that simple and it isn't very hard to argue that the net harm from releasing the information is greater than the net good.
Post it to wiki:
http://wikileaks.org/
Then, if some moron complains, point him/her to this article. No good deed goes unpunished, so to hell with them.
The Tech leaked these slides days ago.
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
It really covers absolutely everything you care about. If you're willing to, you can do all of this from the comfort of your bedroom.
Now, I'm not in Boston, but next time I am...
My thoughts:
First amendment rights are a red herring. The fact that you have a right to say something doesn't make it a good idea to say it.
Publicity-hungry researchers trying to grab a few headlines also aren't the issue here.
The issue here is security. And that raises the question of who we are trying to protect. As far as I am concerned, we _should_ be trying to maximize overall security. I think the best way to do that is to protect the users of products. So, the question then becomes: What kind of disclosure yields the best security for users?
Unfortunately, the answer to that question depends on a variety of factors. I think the three most important ones are:
1. How will the vendor react to being informed of the vulnerability?
2. How will the users react to being informed of the vulnerability?
3. How will the black hats (bad guys) react to being informed of the vulnerability?
None of these questions can be answered generally. In particular, in general, you cannot know how the black hats will react, because you cannot know if the black hats were already aware of the vulnerability. If they weren't, you have just given them a new attack vector. This is a Bad Thing, and one of the most common arguments against full disclosure. On the other hand, if they were already aware of the vulnerability, you have just told them nothing they didn't already know. Since you can't know, in general, if the black hats already know of a vulnerability, it seems that full disclosure is a bad idea, overall. But that's if you only consider point 3.
Once you factor in points 1 and 2, the picture changes. The fact that you found a vulnerability is always interesting news to the vendor and the users. If they didn't know about it already, the vendor now knows that they have a problem that affects their users and that they need to fix, and the users know they have a problem that the vendor hasn't fixed yet, and that they should protect themselves against. If the vendor or the users did know about the vulnerability, they now know that _another_ person has found it, and that, perhaps, more priority should be given to fixing it and protecting against it. In case of full disclosure, everybody now knows for sure that the black hats know about the vulnerability, that they _will_ use it to attack systems, and that it _must_ be protected against and fixed as soon as possible.
Now, I am going to say a couple of things that aren't really factual, but that seem reasonable to me.
First of all, protecting yourself from vulnerabilities and getting them fixed is _always_ the right way to deal with vulnerabilities. Doing so as soon as possible minimizes the time you are vulnerable, and thus is a Good Thing. Not everyone realizes the importance of this. But, once a vulnerability has been announced publicly, you _know_ that the black hats know about it, so it is clearly risky to not protect yourself against it.
Secondly, in general, you will never make all users aware of a vulnerability. It may seem that a vendor could inform the users of their product of a vulnerability. However, vendors are notoriously reluctant to provide their users with information about vulnerabilities. If they provide information at all, it is usually not detailed enough to allow users to take protective measures, or comes long after the black hats have already started exploiting the vulnerability. Moreover, even the vendor will not know everyone who uses a product. And nobody can exclude the possibility that some of these users may be black hats, or that the information may leak to the black hats. Public disclosure at least gives every user of the product the possibility to inform themselves of a vulnerability.
Thirdly, historically, vendors have been reluctant to fix vulnerabilities unless they were publicly known. This is a Bad Thing, because the fact that a vulnerability is not publicly known does not mean it is not being exploited. Now, of course, vendors could change. And some of them have changed. But, hi
Please correct me if I got my facts wrong.
Temporary restraining orders of all different kinds are often issued at the beginning of a legal case. The idea is that a party might be doing another party harm, and you shouldn't have to wait for the conclusion of a court case (which can take years in some cases) to get the harm to stop. The other party can, of course, argue that the restraining order would cause them harm and thus shouldn't be granted.
Take, for example, a case of someone slandering you. They make knowingly false statements about you with the intent to harm you. This is a matter in which you can take legal action against them, so you do. However, they are a rich prick, so they lawyer up and basically work to drag the lawsuit out as long as possible. They know they'll lose, they just want it to take forever. So should they be allowed to continue while the case is going on? Should you continue to have to endure this for months, maybe years? No, so you'd try to get the judge to issue a temporary restraining order to make them shut up until the case was settled.
Now I'm not saying that it was a good idea for the city to bring a case against these students, however that isn't really for the judge to decide at this point. The question basically comes down to: Could the respondents (the students) cause the plaintiff (the city) harm through their actions? Would it cause the respondents harm to have to cease their action? Well yes, it would cause the city harm if the students revealed their information. You can argue the city deserves it, but all the same. However it won't really cause the students any harm to have to keep quiet about it until the case is settled.
Hence you can see why the judge would grant the order. It isn't a permanent order or anything, it is basically just saying "You have to keep your mouths shut until we've had a chance to examine the case in court." If the EFF lawyers make a good argument (I wouldn't count on it, the EFF has a poor courtroom record) as to why the gag order should be lifted, the judge will do that.
You see this kind of thing in patent cases all the time. A party will sue over a patent and request an injunction to prevent the other party from selling the allegedly infringing product. These often get granted, then removed shortly after when counter arguments are made.
It even applies to personal restraining orders. If you want a restraining order against someone, you go to a judge and present your case. If they find it compelling, one is granted. The person it was against can then challenge it, but it is granted before they can challenge it. Happened to a friend of mine. A girl he knew liked to use them as weapons against people and he pissed her off, so she got one on him. He then went to court and argued why it was bullshit. The judge agreed, dismissed the order and barred her from getting another one against him for a couple years.
So while you can get mad at the city, the legal system appears to be working as it should.
And for good reason!!!
They have a RIGHT to speak. They can exercise discretion and do people a favor, or they can exercise a different kind of discretion and do a different group of people a favor, or they can lack discretion and get themselves arrested for illegal speech, which does happen sometimes... but only AFTER they say it! There is no such law as "conspiracy to say something harmful or offensive"!
Regardless of whether it is right or responsible or moral for them to do what they want to do, they have a RIGHT to speak. And you can't mess with that right without messing up a hell of a lot more than just the "security" of one sorry municipality or corporation.
Prior restraint amounts to a legal attempt to read someone's mind. Sorry, but "thought crimes" STILL do not exist in this country. Because prior restraint would open up a whole nightmarish can of worms and, effectively legitimize the concept of "thought crime", it should never be tolerated even a little bit, EVER.
...remains intact if the theatre is actually on fire and the manager refuses to pull the alarm.
"Free speech means the right to shout 'theatre' in a crowded fire."
...about 15 minutes after word of the gag-order hit the streets.
Others, though, see the entire episode as yet another example of irresponsible, publicity-hungry security researchers trying to grab a few headlines."
Let me add another, somewhat more cynical voice to the debate...
Why should security researchers disclose their discoveries to the original author first? That would only make sense if we assume all security researchers do what they do for the sake of improving software which they have no financial incentive to improve, out of pure benevolence. While such people might exist, only a fool would naively expect that of the majority, much less all of them.
So, why do security researchers do their thing? Two words: "fame" and "money". And even such "noble" goals still leave out the true blackhats, who do it for the sake of finding new, unpatched exploits they can use.
Considering that, does it make any sense to talk about a mythical "obligation" to disclose vulnerabilities to the right people? IMO, not at all. If we want to have a sensible conversation on this topic, we should instead focus on how best to shift the motivation to more on the money and less on the fame. Which sounds more motivating, "bounties for bugs" or "report it to the proper channels"?
The situations of the Linux kernel and the Boston subway are completely different. In the case of the Linux kernel, people need to know because it's their security that's at stake. In the case of the Boston subway, it all comes down to the economics of fare evasion and doesn't affect anybody's security (and you can be certain that the Boston subway knew about this and accepted it when they bought the system).
Now, I think the MIT students have a first amendment right to disclose this. However, I also think that these kinds of antics deserve reproach: people should point out that this was a stupid thing to do.
Even months after the problems with the Mifare classic chip were first revealed, ongoing projects to deploy Mifare classic in the Netherlands were not stopped. The people responsible for those projects at TLS (Trans Link Systems) intend to wait until signs of systematic exploitation of the vulnerabilities force them to switch to the revised chip. Their analysts expect the system to last two years. Who's irresponsible here?
This is really CYA on behalf of the incompetent people running the Boston system.
They made the cheap choice (unvalidated stored value cards w/ crappy encryption of the data) and it bit them on the ass.
So now, someone else discovers the OBVIOUS FLAWS, and publicises the incompetence of the administration responsible.
Here's a little secret: The researchers are surely not the FIRST people to discover this. They're just pointing it out. I'm sure others are already exploiting the flaws even before the announcement.
The judge upheld the gag order because he realized that riding the subway for free is a bigger threat to civilization than blowing up the world. That's why the MTA was entitled to prior restraint against the subway hackers, when the US government was not able to restrain The Progressive magazine from publishing the secret of the H-bomb in the 1980's.
For more info, google "morland progressive" or see the first hit:
http://www.fas.org/sgp/eprint/cardozo.html
There have been plenty of stories about disclosure responsible or otherwise, that isn't what makes this one special. The fact that multiple courts decided that prior restraint was fine and dandy is what stands out here ... so no, it's not a red herring.
Others, though, see the entire episode as yet another example of irresponsible, publicity-hungry security researchers trying to grab a few headlines.
See, this is exactly why one should always announce security problems anonymously, via one of the security lists that supply anonymity. That way, you don't get labelled publicly with such epithets. Then, when the fuss has died down and it's only the security geeks talking, you can let them know that you were the source of that "leak". That way, you get the credit (if they believe you ;-), without all the usual approbation that follows being a messenger carrying bad news.
The public in general, and specifically the people in power, don't want to hear about such things, and are going to want to punish you for telling them about it. Until they come to their senses, which won't happen soon, you're much better off working anonymously, known to only a few co-workers.
In a related story it appears the Judge's home was broken into and ransacked and several irreplaceable articles were stolen and destroyed without anyone knowing, even though it has an activated alarm and security locking system. It appears that there was a flaw in the system that enabled the perpetrators to bypass it. This flaw was known to security researchers, however they were under a gag order and were not permitted to release this information to the general public. The gag order was applied for by the company because "if the general public knew about the flaw it would impact our revenue stream".
The information was presented to the MBTA in a manner that was available to the students. Being a Boston resident myself, I know that I can't just walk into North Station (essentially the hub of the T) and speak to their security techs. Even then, I doubt the MBTA is receiving very much mail about their security issues (or at least they weren't before this). Their failure to act on information that was in all essence handed to them, is their own fault.
On another note, these security researchers seeking something other than pats on the back and shaken hands are perfectly fine. Try feeding your kids with pats on the back, breast milk only gets you so far.
Haven't you guys heard of the recent changes to the 1st amendment? They added "unless driven by ego" to the end of it.
Quote: "It MAY be prior restraint days from now, but now it is simply 'keep your pants on a minute.'"
Not so. It is prior restraint NOW. As you point out, it could theoretically turn out to be one of those rare exceptions of legal prior restraint when it gets to court, but the chances of that happening in this particular case are about the same as a snowball in Hell. This is CLEARLY a case of ILLEGAL prior restraint.
By the way, I do not recall any acceptable "exceptions" to prior restraint prohibition when it comes to speech. I would be interested in some examples. The classic example of prohibited speech is yelling "fire" in a crowded theater. Yet it is still not legally permissible to restrain someone from going to the theater, based on mere speculation that they might do such a thing. More to the point in the case at hand, it is not permissible to restrain someone from giving a speech in which they tell people that the fire exits at the theater have serious flaws... even if the theater company thinks that he plans to disclose that information to others, to its detriment or theirs.
Quote: "For starters, I do not think there's any doubt that these people were going to talk about this. It is entirely possible that they had already planned out every word of what they were going to say..."
In this case, the speakers had already stated that they did not intend to disclose the full details of defeating the flawed system. So there is even less justification for prior restraint. So what if they had planned what they were going to say? Most people who plan to give a presentation do exactly that. But a powerpoint slide does not reveal everything -- and sometimes reveals almost nothing -- about the accompanying spoken words. Once again, prior restraint, when it comes to speech, is an assumption that you know what someone is going to say before they say it... and there is no rational basis for that assumption.
Quote: "You are contradicting yourself. A right is something you can do free of legal consequence."
That is not even remotely true. They DO have a right to speak. However, as I pointed out, they do NOT have a right to say absolutely anything they want. There ARE legal limits. But it is not permissible to restrain someone prior to their speech because you "believe they might intend" to say something you do not like. That is an attempt to read someone's mind... which, again, is not allowed. I also have a RIGHT to own and even discharge a firearm. This was recently decided in so many words by the Supreme Court. But that does not mean that I have a right to discharge it in the direction of my neighbors, except in self-defense. There is no contradiction in that, nor in my original statement.
In your final paragraph you convey your inability to understand why I should label this "thought crime". Yet your own analogy gives it away: parents saying "Don't even think about it." They are ASSUMING they know what someone is going to do before they do it. Also, it is not true that you can only be restrained from doing something that you had planned to do in the first place! It is possible -- as in this case -- to be restrained from doing perfectly LEGAL things, on the basis that someone SUSPECTS that you were about to do something illegal. That is, in fact, what Prior Restraint is all about. When it comes to free speech, it is not possible to know what someone will say until they say it. THEN they might have committed a crime... but it is very definitely NOT permissible to prevent them from speaking. If it were, I could prevent you, for example, from speaking in public merely because I suspected that you were going to commit slander against me. Obviously, such a situation would be ridiculous.
They were NOT restrained merely from saying something that might damage or injure a company or a municipality or the passengers. They were restrained from speaking at all... including all of the perfectly legal things they were going to say!
Curious people may want to read the list of papers and articles about security bug disclosure policy (no longer maintained but full of interesting stuff).
You appear to be overlooking the critical point that the students' planned presentation did not Reveal All -- critical information needed to actually exploit the flaw was left out. MBTA was told this and sued anyway. The only "harm" the city would have suffered is well-deserved acute embarrassment.
Nuff said.
There are always ten thousand arguments for restraining free speech and they supposedly are all backed by dire need.
At the bottom of it all, we settled it over two centuries ago. Free speech is not up for debate. Whether it harms individuals, groups or the whole world is simply not an issue. What is sick is allowing endless court cases over restraint of free speech. These cases should be dismissed without even being looked at.
One of the biggest areas of misunderstanding with the first amendment is the expression of apolitical artistic thoughts in an unfamiliar, offensive form. The preceding post is a description of one such potential example.
What an awful law! Have you tried parsing through the monstrous law that the MBTA invoked in their complaint? I had no idea such a law existed.
Basically, it says that if a hack could obtain anything of value or cause damage/DoS to the hacked computer, you may not tell anyone how to do it. It also says that you owe the computer owner compensation for anything damaged or taken (e.g. unpaid subway fares) as a result of your telling. The law pretends to be limited to important computers, but is so fuzzy that most large computer systems that anyone might want to hack can probably qualify.
I don't envy the EFF their task in defending this case. They may be stuck trying to invalidate the law on 1st Amendment grounds. There ain't much sympathy these days for invalidating laws that can claim to keep safe people's health records, bank accounts, and national security data (which is what other parts of this law try to do).
If you want to be appalled, read sections (f) and (g), which say the law doesn't apply to government or to manufacturers of the computers in question. So, not everyone is a criminal, just people.