Slashdot Mirror


Gag Order Fuels Responsible Disclosure Debate

jvatcw writes "The Boston subway hack case has exposed a familiar rift in the security industry over responsible disclosure standards. Many see the temporary restraining order preventing three MIT undergrads from publicly discussing vulnerabilities they discovered in Boston's mass transit system as a violation of their First Amendment rights. Others, though, see the entire episode as yet another example of irresponsible, publicity-hungry security researchers trying to grab a few headlines." We discussed the temporary restraining order last weekend, and later the EFF's plans to fight it. CNet reports that another judge has reviewed the order and left it intact. Reader canuck57 contributes a related story about recent comments by Linus Torvalds concerning his frustration over the issue of security disclosure.

5 of 113 comments

  1. This all, can be defeated... by bogaboga · Score: 3, Interesting

    ...How? You may ask.

    By letting Russian hackers release the info. The problem for the authorities is to prove that those under the gag order had a hand in this. The Russians get the information using no traceable medium. That includes the internet, post, fax etc.

    Proving that the students had a hand in this would be hard if not impossible. After all, the system was open to usage to everyone as long as they paid up -- including the Russians we are talking about.

  2. Re:IMO, this is really a simple issue by Anonymous Coward · Score: 3, Interesting

    Linus manages to be right, arrogant and stupid in the same statement.

    He seems to have now discovered that in order to improve security you have to try to fix all bugs. This is right. A bug is a place where the software doesn't do what the "educated" user expects. That can almost certainly lead to a security situation.

    He's completely stupid, however, to compare a random bug with a demonstration of exploitability. When someone has an exploit, that's something they can sell for money to cause harm to your users. Some exploit finders do. Someone who chooses to tell the software designer directly is doing the designer a big favour. Someone who chooses to tell the users directly is doing them a big favour. An exploitable bug like in Boston is always the tip of a huge iceberg. It's a sign for a software author/designer to go and review their entire design and start looking for ways of doing it more solidly and with better protection in place. It's a sign for users to change to a more secure system.

    Finally, Linus is arrogant because his new discovery, that fixing bugs is a good idea for security, is exactly what the OpenBSD group has been preaching for ages. Despite not having a hundredth of the resources Linus has at his disposal, they have demonstrated much better commitment to delivering quality software than he has. He could just have said "thank you".

  3. Re:The Boston system is really dumb by 0123456 · Score: 4, Interesting

    "You can store the value on the card. You just have to combine it with salt and encrypt it against a big enough private key. Shouldn't be hard in this day and age."

    How does that help? If you can copy the data to another card or prevent the reader from updating the value, then you have infinite amounts of money available.

    We used to have stored value cards at university back in the 80s, and it wasn't long before someone discovered how to prevent the automated readers from writing the value back to the card after they subtracted money from it so it never went down. There was also a bug where in some cases the reader would add $100 to the card rather than deducting $0.25...
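An added simulation (not from the thread, and not any transit system's code) of the point 0123456 makes: sealing the balance with a key does not stop a copied card, or one that never took the reader's write-back, from being accepted again, while a back end that tracks a per-card transaction counter detects the stale state. The card id, demo key and fare are constructed values, and the HMAC stands in for the quoted "encrypt it with a big key" proposal.

```python
import hashlib, hmac, json
KEY = b"constructed-demo-key"  # constructed shared secret for the readers; not a real key
FARE = 25                      # cents per ride, as in the comment's $0.25 example

def seal(card):
    """Authenticate the card state with an HMAC (stands in for 'encrypt with a big key')."""
    body = json.dumps(card, sort_keys=True).encode()
    return body + b"|" + hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()

def open_blob(blob):
    """Verify the tag and return the card state; a forged balance is rejected here."""
    body, tag = blob.rsplit(b"|", 1)
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tampered card")
    return json.loads(body)

def offline_reader(blob, fare=FARE):
    """Naive reader: any validly sealed state is trusted, so a saved copy is accepted repeatedly."""
    card = open_blob(blob)
    if card["balance"] < fare:
        raise ValueError("insufficient funds")
    card["balance"] -= fare
    card["counter"] += 1
    return seal(card)

class LedgerReader:
    """Hardened reader: the back end remembers the highest transaction counter seen
    per card id, so a restored copy carrying a stale counter is detected."""
    def __init__(self):
        self.last_counter = {}
    def charge(self, blob, fare=FARE):
        card = open_blob(blob)
        if card["counter"] <= self.last_counter.get(card["id"], -1):
            raise ValueError("replayed card state for %s" % card["id"])
        new_blob = offline_reader(blob, fare)  # same fare logic as the naive reader
        self.last_counter[card["id"]] = card["counter"]
        return new_blob

def rides_with_restored_copy(snapshot, charge, attempts):
    """Present one saved card image to a reader `attempts` times; return rides accepted."""
    accepted = 0
    for _ in range(attempts):
        try:
            charge(snapshot)
            accepted += 1
        except ValueError:
            pass
    return accepted
```

The ledger only helps if readers are online or reconcile their logs promptly; an offline reader that never sees the back end is back to trusting the card.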

  4. Prior Restraint is UNCONSTITUTIONAL!!! by Jane Q. Public · Score: 4, Interesting

    And for good reason!!!

    They have a RIGHT to speak. They can exercise discretion and do people a favor, or they can exercise a different kind of discretion and do a different group of people a favor, or they can lack discretion and get themselves arrested for illegal speech, which does happen sometimes... but only AFTER they say it! There is no such law as "conspiracy to say something harmful or offensive"!

    Regardless of whether it is right or responsible or moral for them to do what they want to do, they have a RIGHT to speak. And you can't mess with that right without messing up a hell of a lot more than just the "security" of one sorry municipality or corporation.

    Prior restraint amounts to a legal attempt to read someone's mind. Sorry, but "thought crimes" STILL do not exist in this country. Because prior restraint would open up a whole nightmarish can of worms and effectively legitimize the concept of "thought crime", it should never be tolerated even a little bit, EVER.

  5. Re:The gag order may be appropriate -- Not by SpammersAreScum · Score: 3, Interesting

    Could the respondents (the students) cause the plaintiff (the city) harm through their actions? Would it cause the respondents harm to have to cease their action? Well yes, it would cause the city harm if the students revealed their information.

    You appear to be overlooking the critical point that the students' planned presentation did not Reveal All -- critical information needed to actually exploit the flaw was left out. MBTA was told this and sued anyway. The only "harm" the city would have suffered is well-deserved acute embarrassment.