After a federal judge in Boston lifted a gag order that had blocked three MIT students from publicly discussing security flaws they discovered in the fare-payment system used by the city's mass-transit agency, more questions are being asked about the concept of "responsible disclosure"
The temporary restraining order was issued August 9, one day before the MIT students were scheduled to present a research paper detailing the flaws during a session at the Defcon hacker convention, in Las Vegas. In asking for the gag order to be imposed, the Massachusetts Bay Transportation Authority (MBTA) claimed that it hadn't been given enough time or sufficient information prior to Defcon to assess the flaws and figure out a plan for fixing them.
The case reignited the debate over responsible disclosure of vulnerabilities, sparking outrage within some parts of the security community that saw the gag order as a violation of the students' First Amendment rights, while other people said they thought the students should have given the MBTA more time to address the flaws before going public with them.
This week's ruling is likely to quiet that debate, at least temporarily. But there are some takeaways for IT and security managers from the entire episode:
1) There's still little agreement on what constitutes responsible disclosure.
The Boston subway-hack case demonstrated that despite all the talk about the need for responsible-disclosure practices in the security industry, sharp differences remain on what that means. The three MIT undergrads and their supporters appeared to believe that the four-day notice the MBTA was given about the vulnerabilities before Defcon was reasonable enough and that in any case, it wasn't obligatory.
On the other hand, the MBTA and those aligned with its point of view argued that the students should have given the agency more notice. In fact, at the court hearing, the MBTA asked US district judge George O'Toole to keep the gag order in place for five months — the amount of time that the agency said it will take to fix the flaws.
Similar differences of opinion have been voiced over responsible disclosure for years now. Microsoft, whose products are the ones most targeted by hackers because of their widespread use, has tried to convince security researchers to give it advance notice of at least 30 days on flaws in return for a promise to fix the vulnerabilities within a reasonable period of time and to acknowledge the researchers who discover them. The Organisation for Internet Safety, a multivendor group that includes Microsoft and Symantec proposed similar guidelines five years ago.
Some security researchers have abided by such guidelines, while others have ignored them, arguing that giving vendors advance notice is futile because many tend to ignore the information or sit on it for far too long. To help sweeten the pot, security vendors such as VeriSign's iDefense Labs unit have pushed the idea of paying researchers for vulnerability information on the condition that they don't disclose information about the flaws until a fix is ready — an approach that most companies shy away from because of concerns that they could be held hostage by bug hunters demanding to be paid before they hand over information.
2) Trying to muzzle vulnerability disclosures via court order is a bad idea.
The MBTA had hoped that the restraining order on the MIT students would limit disclosures about the flaws in its system. Instead, the gag order had precisely the opposite effect and only resulted in more attention being drawn to the flaws than there likely would have been if the students had been allowed to present their paper at Defcon as scheduled.
"What they managed to do was turn a presentation that probably wouldn't have been noticed outside of a small community of people into something that everybody knows about," said David Farber, a professor of computer science and public policy at Carnegie Mellon University's School of Computer Science. Farber was one of 11 computer science professors and security researchers who signed a letter in support of the students that was submitted in court by the Electronic Frontier Foundation, which is representing the trio.
And in the MBTA's case, the gag order was largely useless because the 87 slides prepared by the students for their Defcon presentation were included on a CD given to conference attendees. As a result, many of the details that the MBTA was desperately trying to keep a lid on were already publicly available, even though the three students were prevented from publicly speaking about the flaws.
3) The fall-out from such disclosures can be big — and costly.
In addition to enduring the embarrassing scrutiny of its security controls (or lack thereof), the MBTA likely will have to invest considerable resources to fix the security holes — especially now that they have been highlighted so publicly.
The students found "serious endemic flaws" in the MBTA's fare-payment system, said Marcus Ranum, chief of security at Tenable Network Security, which makes security monitoring tools. That means the MBTA "will need to spend a hell of a lot of money" on fixes, Ranum said. "That money will come out of taxpayers' and subway riders' pockets, no matter how you slice it."
Not speaking about the flaws wouldn't have made them just go away, Ranum acknowledged. But the public disclosure has dramatically increased the chances that the flaws will be exploited, he said.
"If subway fares doubled for a year to replace the card systems," he added, "I think most people would not vote the hackers a big'Thank you.'"