Science Forums

MIT Students' MBTA Payment and Card Systems Vulnerability Research



This I have been following pretty closely lately: a group of MIT students, for a class project, wrote up a 30-page vulnerability assessment report on Massachusetts Bay Transportation Authority Payment and Card Systems, and were planning to present it at this year's Defcon (last weekend). Unfortunately for the MBTA, copies of the presentation slides were sent out to conference attendees before they were able to file a restraining order for information disclosure.

MBTA is worried sick about their system being attacked, reasonable, I guess, but they should have tested and thought of those things prior to putting the system in place.

EFF (Electronic Frontier Organization), on the other hand, is defending the publishing right of the researchers, saying that it is unconstitutional to have a government agency review what you want to say before you say it...

I'm on the MIT kids' side, let's hope 1st Appeals court will see what I see here...

MIT Students Submit 30-Page Report; Judge Lets Gag Order Stand -- UPDATED | Threat Level from Wired.com


I agree that they have the right to publish and disseminate their research. Nonetheless, I think it would have been morally appropriate for the students to disclose their findings to MBTA before releasing the info to the public (common courtesy).

It's like Dan Kaminsky's DNS find. He kept it secret until patches could be made. He worked with all major vendors to help them identify and patch the holes. I'm not aware of any legal motivation (though there could be one) for him to do this; it was out of morality.


Here's the problem I have with that: I think they didn't very much care to disclose their finds to the MBTA; problem was that MBTA wanted to censor their material and disallow public release of large parts of the research...

It's like Dan Kaminsky's DNS find.

or like Zero Day Initiative, as well as 95% of all the security holes found. Problem is, I think MIT kids would have released the "preview" for the board, had they not just gotten up and gone to the court for the restraining order against the release of the info. Especially a few days before a big conf like Defcon...

And lastly, it's MBTA's failure to secure the system that is to blame to begin with, so I'd say they brought it on themselves...
