What Happens On The Internet Stays On The Internet…No Matter What A Judge Says!

For those of you that weren’t aware, this past weekend the long-running Defcon convention (historically started with only “hard core” hackers in attendance, but now huge numbers of information security pros and law enforcement attend) was held in Las Vegas.
Some MIT students, Zack Anderson, R.J. Ryan and Alessandro Chiesa, were scheduled to talk about “Anatomy of a Subway Hack,” detailing a school project they did, and received an “A” on, that showed how the Massachusetts Bay Transportation Authority (MBTA) cards could be hacked to basically change a $1.25 MBTA fare card to a $100 fare card.
Well, the MBTA got wind of this…actually the MIT students contacted them in July to tell them about this security flaw, as well as let them know they were giving a presentation about it…and filed an injunction last Friday to keep the MIT students from giving their presentation on Sunday.
But guess what? Yep…I bet you can see this coming…

Of course, the electronic presentation had been distributed by Friday…
And as soon as the MBTA complaint was made, the complaint was, of course, made part of the public record…
And soon the MIT presentation…all 87 slides…was widely posted on various Internet sites…
Yes, what happens on the Internet stays on the Internet…no matter what a judge says!
What is important to point out, again, is that the MIT students reportedly contacted the MBTA to let them know about the security flaws in their system in July!

“The senior said they contacted transit authority officials in late July. The purpose of the meeting was to educate them about the system’s flaws and present them with possible solutions. Early last week, Anderson said, the students met with the transportation officials. After walking representatives through their presentation, the students thought they had allayed the transit authority’s fears. But on Aug. 8, they were notified that a federal lawsuit had been filed against them.”

There has been much discussion about this, as there should be.
Were the students breaking a law by making a public presentation about the security vulnerabilities within the MBTA system?
Was reporting the security problems to the MBTA, and offering to help them fix the security problems, something that the MBTA should have taken them up on in July instead of waiting until right before their scheduled presentation?
All important and compelling discussions. However, I’m not going to re-hash all that here.
But one point I do want to make is the futility of the court system thinking that it could prevent the spread of an electronic presentation that had already been distributed by issuing an injunction that it knew was going to be entered into the public record for anyone to see.
By issuing the injunction the court exacerbated the situation and actually pulled the trigger on having everyone who read about it search their way through Internet sites to find, and make copies of, the gag-ordered presentation.
It’s kinda like pointing in the air and yelling, “DON’T LOOK!!!” at the Iowa State Fair and then having everyone within earshot, of course, jerking their heads up to look!
The powers that be within our law enforcement and legal systems really need to think through what their actions should be for addressing publications of security flaws.
But then again, would any of this have happened if the MBTA had actually done something to fix the security problems back in July as soon as the MIT students told them about the security flaws?
