Today U.S. District Judge George O’Toole, Jr. threw out a gag order against a group of students from the Massachusetts Institute of Technology who had discovered security holes in the Massachusetts Bay Transportation Authority’s smart cards. The students had wanted to present their findings at DEFCON 16 two weeks ago, but were prevented from doing so by the gag order. One of the students, Zack Anderson, emphasized that the group wasn’t trying to teach others how to rip off the MBTA: “Despite what’s happened, and the animosity the MBTA has brought toward us, we don’t want people to defraud them.” Despite the gag order, their slides were available on the Web.

I see the value of allowing these students to make their research public. It reminds me of something security expert Bruce Schneier once said: “It takes the cryptographic community, working over years, to properly vet a system. Almost all secure cryptographic systems were developed with public and published algorithms and protocols. I can’t think of a single cryptographic system developed in secret that, when eventually disclosed to the public, didn’t have flaws discovered by the cryptographic community.” Or, as the Open Source community would say, “Given enough eyeballs, all bugs are shallow.”

Update, August 21: Schneier weighs in on the MBTA case: “The benefits of responsibly publishing attacks greatly outweigh the potential harm. Disclosure encourages companies to build security properly rather than relying on shoddy design and secrecy, and discourages them from promising security based on their ability to threaten researchers. It’s how we learn about security, and how we improve future security.”
Submitted by: Dan Giancaterino, Education Services Manager
Comments
[...] smart cards? Hacked. Pacemakers? Hacked. Electronic voting machines? [...]