As usual, a company attempted to stop the disclosure of weaknesses at a security conference. This time, the Massachusetts Bay Transportation Authority sought to restrain Zack Anderson, R.J. Ryan and Alessandro Chiesa, students at MIT, from presenting a paper about the weaknesses of its RFID and magnetic stripe cards. The targeted conference was Defcon, one of the great hacking conferences. Nothing especially new.
The interesting fact is that District Judge Douglas Woodlock granted such a temporary restraining order. He backed his decision with the Computer Fraud and Abuse Act. This law targets hackers who “knowingly causes the transmission of a program, information, code, or command to a computer or computer system.” In other words, according to this judge, presenting a paper disclosing weaknesses is equivalent to using software to penetrate a system.
Obviously, the Electronic Frontier Foundation (EFF) immediately fought back, invoking the First Amendment right to free speech. Once more, we have this legal battle between academic researchers who find a flaw and a company that does not want the flaw disclosed. One of the first examples was the Felten versus RIAA case (#CVB-01-2669 (GEB)) about SDMI. Ed Felten's team broke the watermarking schemes proposed by SDMI in an open challenge. RIAA attempted to restrain Ed from disclosing the results at Information Hiding 2000. Finally, RIAA withdrew its objection and the paper was presented at ICASP2001.
Once more, this case highlights the same questions and remarks:
- What should be done when discovering a security flaw? The typical ethical procedure is to inform the company about the flaw, give them some time to react and then publish. The problem is often the definition of the reaction time.
- What is the right reaction of the company? Often they react badly. I believe it is more beneficial to have been informed by white hats who disclose the weakness than to be attacked by black hats who will keep it secret. Once informed, you may at least monitor to find eventual attackers. I prefer a flaw in my product that everybody (including myself) is aware of to one that is present but that I am not aware of.
- Are judges sufficiently prepared to deal with highly technical issues? Should there not be a special type of technological judge? They rely on experts, but do they understand what the experts are explaining? We sometimes even have difficulty understanding our peer experts!
In any case, it is mandatory that researchers continue to look for weaknesses and disclose them. No security by obscurity.