[funsec] Hacking and free speech

Thomas Raef traef at ebasedsecurity.com
Thu Aug 14 18:46:05 CDT 2008

When Sa'ud had first conquered his Kingdom, many people traveled vast distances to pay homage to the new King.  One day a man was traveling a common route to the King's city when he came upon a bag that had fallen off another traveler's camel.  The man, desiring to return the belongings to the owner, picked up the bag and took it with him.  At the conclusion of the man's visit with the King, which went very well, he informed the King that he had found the bag and identified to whom the bag belonged.  The King asked how he came upon this bag and how he knew the owner.  The man said he found the bag, looked inside and identified the belongings.  He had brought it to the King because he knew the King would return it.  The King immediately called his security in and ordered the men to cut the man's hand off for stealing the bag.  The man pleaded that he did not steal the bag and asked for mercy.  The man's hand was removed.  The King told the man that the bag should've been left where it was.  It didn't belong to him and therefore it shouldn't have been touched by anyone except the owner, who was probably looking for it.
Wow!  What a story...and it is true.  I guess what I'm saying is that nobody should go sniffing, poking, prodding, snooping, borrowing, etc. without the direct knowledge of the owner.  Does my analogy apply here?  I guess they shouldn't have been probing the system in the first place.  Had they NOT, they wouldn't have been in any legal trouble.  Working with a class (even MIT) is unimportant.


That’s just my opinion.

Thomas J. Raef

e-Based Security, LLC


traef at ebasedsecurity.com



From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org] On Behalf Of Richard M. Smith
Sent: Thursday, August 14, 2008 4:37 PM
To: funsec at linuxbox.org
Subject: [funsec] Hacking and free speech



THREE MIT students claim to have identified ways of hacking the MBTA's automated fare-collection system, and they could have spared themselves some trouble had they notified the transit agency of any security flaws right away. The T found out about their work only after they made plans to describe their discoveries last Sunday at DEFCON, a conference for hackers. On Saturday, the agency persuaded US District Judge Douglas Woodlock to issue a temporary restraining order against the undergrads.

But what the students should have done out of moral obligation and what they have the right to do under the First Amendment are two different questions. For good reason, US courts have long been highly skeptical of prior restraints on what may be said in a public forum. Woodlock strayed into dangerous territory by restricting what the students could disclose at the conference. At a hearing today, Judge George O'Toole will hear motions to modify or lift the order. He ought to lift it.

The order had its intended effect, for the students did not give their talk. But it would be a mistake to regard them merely as mischief-makers bent on helping scofflaws ride for free. Finding security breaches in electronic systems is a legitimate, even vital, line of inquiry. The students began looking into the T's CharlieCards and CharlieTickets in conjunction with an MIT class.

The T says it wants to enforce the principle of "responsible disclosure" - the notion that a security researcher who finds a flaw in an electronic system should notify the owner and give sufficient time to fix the breach before going public.

The students and T officials met for the first time about a week before DEFCON. The transit agency argues that the students did not offer enough information to judge whether they would behave responsibly at the conference. But should the T be the arbiter of what constitutes responsible disclosure? The students' lawyer says they met the standard, because they planned to withhold from their talk key information necessary to cheat the fare collection system.

In any case, responsible disclosure, while a valuable ethical standard, is not enshrined in federal statutes, and should not trump First Amendment rights. Such rights aren't absolute; if the students were to incite others to commit crimes, they could face civil and criminal penalties. But if expression can lead to penalties after the fact, that is one more reason not to block it in advance.

The MIT undergrads and others in this field surely need to learn that, even if they have a First Amendment right to disclose their work at their discretion, it doesn't mean they always should. But the MBTA should recognize that security flaws are a design problem, not a legal one. 


