funsec mailing list archives

Re: Hacking and free speech


From: "Thomas Raef" <traef () ebasedsecurity com>
Date: Thu, 14 Aug 2008 18:46:05 -0500

When Sa'ud had first conquered his Kingdom, many people traveled vast distances to pay homage to the new King.  One day 
a man was traveling a common route to the King's city when he came upon a bag that had fallen off another traveler's 
camel.  The man, desiring to return the belongings to the owner, picked up the bag and took it with him.  At the 
conclusion of the man's visit with the King, which went very well, he informed the King that he had found the bag and 
identified to whom the bag belonged.  The King asked how he came upon this bag and how he knew the owner.  The man 
said he found the bag, looked inside and identified the belongings.  He had brought it to the King because he knew the 
King would return it.  The King immediately called his security in and ordered the men to cut the man's hand off for 
stealing the bag.  The man pleaded that he did not steal the bag and asked for mercy.  The man's hand was removed.  The 
King told the man that the bag should've been left where it was.  It didn't belong to him and therefore it shouldn't 
have been touched by anyone except the owner who was probably looking for it.
 
Wow!  What a story...and it is true.  I guess what I'm saying is that nobody should go sniffing, poking, prodding, 
snooping, borrowing, etc. without the direct knowledge of the owner.  Does my analogy apply here?  I guess they 
shouldn't have been probing the system in the first place.  Had they NOT, they wouldn't have been in any legal trouble. 
Working with a class (even MIT) is unimportant.

 

That’s just my opinion.



Thomas J. Raef

e-Based Security, LLC

http://www.ebasedsecurity.com

traef () ebasedsecurity com

1-888-251-5803

 

From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Richard M. Smith
Sent: Thursday, August 14, 2008 4:37 PM
To: funsec () linuxbox org
Subject: [funsec] Hacking and free speech

 

http://www.boston.com/bostonglobe/editorial_opinion/editorials/articles/2008/08/14/hacking_and_free_speech/

THREE MIT students claim to have identified ways of hacking the MBTA's automated fare-collection system, and they could 
have spared themselves some trouble had they notified the transit agency of any security flaws right away. The T found 
out about their work only after they made plans to describe their discoveries last Sunday at DEFCON, a conference for 
hackers. On Saturday, the agency persuaded US District Judge Douglas Woodlock to issue a temporary restraining order 
against the undergrads.

But what the students should have done out of moral obligation and what they have the right to do under the First 
Amendment are two different questions. For good reason, US courts have long been highly skeptical of prior restraints 
on what may be said in a public forum. Woodlock strayed into dangerous territory by restricting what the students could 
disclose at the conference. At a hearing today, Judge George O'Toole will hear motions to modify or lift the order. He 
ought to lift it.

The order had its intended effect, for the students did not give their talk. But it would be a mistake to regard them 
merely as mischief-makers bent on helping scofflaws ride for free. Finding security breaches in electronic systems is a 
legitimate, even vital, line of inquiry. The students began looking into the T's CharlieCards and CharlieTickets in 
conjunction with an MIT class.

The T says it wants to enforce the principle of "responsible disclosure" - the notion that a security researcher who 
finds a flaw in an electronic system should notify the owner and give sufficient time to fix the breach before going 
public.

The students and T officials met for the first time about a week before DEFCON. The transit agency argues that the 
students did not offer enough information to judge whether they would behave responsibly at the conference. But should 
the T be the arbiter of what constitutes responsible disclosure? The students' lawyer says they met the standard, 
because they planned to withhold from their talk key information necessary to cheat the fare collection system.

In any case, responsible disclosure, while a valuable ethical standard, is not enshrined in federal statutes, and 
should not trump First Amendment rights. Such rights aren't absolute; if the students were to incite others to commit 
crimes, they could face civil and criminal penalties. But if expression can lead to penalties after the fact, that is 
one more reason not to block it in advance.

The MIT undergrads and others in this field surely need to learn that, even if they have a First Amendment right to 
disclose their work at their discretion, it doesn't mean they always should. But the MBTA should recognize that 
security flaws are a design problem, not a legal one. 

