funsec mailing list archives
Re: Hacking and free speech
From: "Thomas Raef" <traef () ebasedsecurity com>
Date: Thu, 14 Aug 2008 18:46:05 -0500
When Sa'ud had first conquered his Kingdom, many people traveled vast distances to pay homage to the new King. One day a man was traveling a common route to the King's city when he came upon a bag that had fallen off another traveler's camel. The man, desiring to return the belongings to the owner, picked up the bag and took it with him. At the conclusion of the man's visit with the King, which went very well, he informed the King that he had found the bag and identified to whom the bag belonged. The King asked how he came upon this bag and how he knew the owner. The man said he found the bag, looked inside and identified the belongings. He had brought it to the King because he knew the King would return it. The King immediately called his security in and ordered the men to cut the man's hand off for stealing the bag. The man pleaded that he did not steal the bag and asked for mercy. The man's hand was removed. The King told the man that the bag should've been left where it was. It didn't belong to him and therefore it shouldn't have been touched by anyone except the owner who was probably looking for it.

Wow! What a story...and it is true.

I guess what I'm saying is that nobody should go sniffing, poking, prodding, snooping, borrowing, etc. without the direct knowledge of the owner.

Does my analogy apply here? I guess they shouldn't have been probing the system in the first place. Had they NOT, they wouldn't have been in any legal trouble. Working with a class (even MIT) is unimportant.

That’s just my opinion.

Thomas J. Raef
e-Based Security, LLC
http://www.ebasedsecurity.com
traef () ebasedsecurity com
1-888-251-5803

From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Richard M. Smith
Sent: Thursday, August 14, 2008 4:37 PM
To: funsec () linuxbox org
Subject: [funsec] Hacking and free speech

http://www.boston.com/bostonglobe/editorial_opinion/editorials/articles/2008/08/14/hacking_and_free_speech/

THREE MIT students claim to have identified ways of hacking the MBTA's automated fare-collection system, and they could have spared themselves some trouble had they notified the transit agency of any security flaws right away. The T found out about their work only after they made plans to describe their discoveries last Sunday at DEFCON, a conference for hackers. On Saturday, the agency persuaded US District Judge Douglas Woodlock to issue a temporary restraining order against the undergrads.

But what the students should have done out of moral obligation and what they have the right to do under the First Amendment are two different questions. For good reason, US courts have long been highly skeptical of prior restraints on what may be said in a public forum. Woodlock strayed into dangerous territory by restricting what the students could disclose at the conference. At a hearing today, Judge George O'Toole will hear motions to modify or lift the order. He ought to lift it.

The order had its intended effect, for the students did not give their talk. But it would be a mistake to regard them merely as mischief-makers bent on helping scofflaws ride for free. Finding security breaches in electronic systems is a legitimate, even vital, line of inquiry. The students began looking into the T's CharlieCards and CharlieTickets in conjunction with an MIT class.

The T says it wants to enforce the principle of "responsible disclosure" - the notion that a security researcher who finds a flaw in an electronic system should notify the owner and give sufficient time to fix the breach before going public. The students and T officials met for the first time about a week before DEFCON. The transit agency argues that the students did not offer enough information to judge whether they would behave responsibly at the conference.

But should the T be the arbiter of what constitutes responsible disclosure? The students' lawyer says they met the standard, because they planned to withhold from their talk key information necessary to cheat the fare collection system.

In any case, responsible disclosure, while a valuable ethical standard, is not enshrined in federal statutes, and should not trump First Amendment rights. Such rights aren't absolute; if the students were to incite others to commit crimes, they could face civil and criminal penalties. But if expression can lead to penalties after the fact, that is one more reason not to block it in advance.

The MIT undergrads and others in this field surely need to learn that, even if they have a First Amendment right to disclose their work at their discretion, it doesn't mean they always should. But the MBTA should recognize that security flaws are a design problem, not a legal one.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.