funsec mailing list archives

Hacking and free speech


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Thu, 14 Aug 2008 17:37:04 -0400

http://www.boston.com/bostonglobe/editorial_opinion/editorials/articles/2008/08/14/hacking_and_free_speech/

THREE MIT students claim to have identified ways of hacking the MBTA's
automated fare-collection system, and they could have spared themselves some
trouble had they notified the transit agency of any security flaws right
away. The T found out about their work only after they made plans to
describe their discoveries last Sunday at DEFCON, a conference for hackers.
On Saturday, the agency persuaded US District Judge Douglas Woodlock to
issue a temporary restraining order against the undergrads.

But what the students should have done out of moral obligation and what they
have the right to do under the First Amendment are two different questions.
For good reason, US courts have long been highly skeptical of prior
restraints on what may be said in a public forum. Woodlock strayed into
dangerous territory by restricting what the students could disclose at the
conference. At a hearing today, Judge George O'Toole will hear motions to
modify or lift the order. He ought to lift it.

The order had its intended effect, for the students did not give their talk.
But it would be a mistake to regard them merely as mischief-makers bent on
helping scofflaws ride for free. Finding security breaches in electronic
systems is a legitimate, even vital, line of inquiry. The students began
looking into the T's CharlieCards and CharlieTickets in conjunction with an
MIT class.

The T says it wants to enforce the principle of "responsible disclosure" -
the notion that a security researcher who finds a flaw in an electronic
system should notify the owner and give sufficient time to fix the breach
before going public.

The students and T officials met for the first time about a week before
DEFCON. The transit agency argues that the students did not offer enough
information to judge whether they would behave responsibly at the
conference. But should the T be the arbiter of what constitutes responsible
disclosure? The students' lawyer says they met the standard, because they
planned to withhold from their talk key information necessary to cheat the
fare collection system.

In any case, responsible disclosure, while a valuable ethical standard, is
not enshrined in federal statutes, and should not trump First Amendment
rights. Such rights aren't absolute; if the students were to incite others
to commit crimes, they could face civil and criminal penalties. But if
expression can lead to penalties after the fact, that is one more reason not
to block it in advance.

The MIT undergrads and others in this field surely need to learn that, even
if they have a First Amendment right to disclose their work at their
discretion, it doesn't mean they always should. But the MBTA should
recognize that security flaws are a design problem, not a legal
one.

 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
