Information Security News mailing list archives

Boston Court's Meddling With 'Full Disclosure' Is Unwelcome


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 21 Aug 2008 02:10:25 -0500 (CDT)

http://www.wired.com/politics/security/commentary/securitymatters/2008/08/securitymatters_0821

By Bruce Schneier
Security Matters
Wired.com
August 20, 2008

In eerily similar cases in the Netherlands and the United States, courts 
have recently grappled with the computer-security norm of "full 
disclosure," asking whether researchers should be permitted to disclose 
details of a fare-card vulnerability that allows people to ride the 
subway for free.

The "Oyster card" used on the London Tube was at issue in the Dutch 
case, and a similar fare card used on the Boston "T" was the center of 
the U.S. case. The Dutch court got it right, and the American court, in 
Boston, got it wrong from the start -- despite facing an open-and-shut 
case of First Amendment prior restraint.

The U.S. court has since seen the error of its ways -- but the damage is 
done. The MIT security researchers who were prepared to discuss their 
Boston findings at the DefCon security conference were prevented from 
giving their talk.

The ethics of full disclosure are intimately familiar to those of us in 
the computer-security field. Before full disclosure became the norm, 
researchers would quietly disclose vulnerabilities to the vendors -- who 
would routinely ignore them. Sometimes vendors would even threaten 
researchers with legal action if they disclosed the vulnerabilities.

[...]

