There is never a dull moment in the security industry. Something interesting, bizarre or downright silly is always happening. The current legal battle between three Massachusetts Institute of Technology (MIT) students who found a raft of security vulnerabilities in Boston's subway fare card system and the bureaucratic overlords of that system fits all three of those descriptions.
The fact that we're still seeing government agencies use the courts to stop the publication of security research is absurd. This was the ace in the hole for the government and private companies looking to prevent the disclosure of security vulnerabilities in the 1990s and the early part of this decade. Some lone hacker found a crippling flaw in your software package? No problem. Just threaten him with legal action and watch the problem magically disappear.
This strategy received a huge boost with the passage in 1998 of the Digital Millennium Copyright Act (DMCA), a misbegotten and consistently misapplied law designed to prevent people from getting around digital rights management (DRM) technologies. Technology vendors have wielded the DMCA hammer in dozens of cases in the last 10 years, with the most famous example being the Recording Industry Association of America's and Secure Digital Music Initiative's threat to use the
The whole thing seems silly in retrospect, and we can look back on it and see the futility of what the RIAA and SDMI were trying to do. But now, seven years later, we have the same silliness, only this time it's gone beyond absurdity to borderline criminal. The Massachusetts Bay Transportation Authority (MBTA), which runs the subway system in Boston, got a court injunction to prevent the MIT students from presenting their research at the Defcon conference in Las Vegas earlier this month, and it is continuing the court fight in Boston now. All of this is in the hope of preventing the students from speaking publicly about the flaws they found in the MBTA's CharlieCard fare collection system.
The only problem with this strategy is that the work is already public. The CharlieCard attack slides were included in the handout materials for the Defcon conference and have been posted in a number of places online. This is the very definition of an exercise in futility. The slides have been posted and mirrored in so many places, there is exactly zero chance of the MBTA being able to pull them all down, with or without a court order. Once it's on BitTorrent, it's game over.
The complete absurdity of this court case is overshadowed by the fact that the MBTA is going after the wrong people. The agency, which spent millions of dollars revamping its fare collection system in recent years, should be aiming its lawyers at the companies that developed the CharlieTicket and CharlieCard systems. Chris Wysopal, a longtime security researcher and CTO at Veracode Inc., summed it up perfectly in a blog post on the MIT CharlieCard case. "Security problems go away by mandating independent security testing before a product is accepted, not by trying to get security researchers to be quiet. This is a good example of how the reactive approach doesn't work. The flaws are still in the system and suing researchers has just shined a bright light on them," he wrote.
If the MBTA had chosen to work with the MIT students to address the problems in the CharlieCard system and had brought the findings to the vendor, the agency would now be on the way to fixing the vulnerabilities rather than in the middle of an ugly and ultimately futile court fight. No matter what the outcome of the case is, the MBTA has already lost.