[SecurityRatty] tag: gag

Mythbusters Episode on RFID Security Nixed

Wed, 10 Sep 2008 10:34:45 +0000

Seems that the idea was killed by lawyers under pressure from the credit card industry. Or maybe not; the person who started this rumor has retracted his comments. Or maybe those same lawyers made him retract his comments.

Don't they know that security by gag order never works, except temporarily?

Judge Lifts Gag Order on Flaw-Finding MIT Students

Mon, 25 Aug 2008 00:30:56 +0000

A federal judge lifted a gag order against three MIT students, freeing them to publicly discuss security flaws that they found in the ticketing system of Boston's mass-transit agency.

3 takeaways from MBTA, MIT student legal flap

Fri, 22 Aug 2008 20:00:00 +0000

Earlier this week, a federal judge in Boston lifted a gag order that had blocked three MIT students them from publicly discussing security flaws they discovered in the fare-payment system used by the city's mass-transit agency.

MBTA Hacking Injunction Lifted

Wed, 20 Aug 2008 01:49:55 +0000

Earlier today, the US District Court dealt a victory to the MBTA hackers and the EFF, lifting the injunction issued on August 9th to prevent the three MIT students from presenting their findings at DEFCON 16. In summary:

The lawsuit claimed that the students’ planned presentation would violate the Computer Fraud and Abuse Act (CFAA) by enabling others to defraud the MBTA of transit fares. A different federal judge, meeting in a special Saturday session, ordered the trio not to disclose for ten days any information that could be used by others to get free subway rides.

“The judge today correctly found that it was unlikely that the CFAA would apply to security researchers giving an academic talk,” said EFF Staff Attorney Marcia Hofmann. “A presentation at a security conference is not some sort of computer intrusion. It’s protected speech and vital to the free flow of information about computer security vulnerabilities. Silencing researchers does not improve security — the vulnerability was there before the students discovered it and would remain in place regardless of whether the students publicly discussed it or not.”

This sets a good precedent for future cases, and perhaps next time a similar situation arises, a judge will not be so quick to issue a gag order. It’s not a happy ending yet though, as the original lawsuit is still in effect.

As Chris Wysopal pointed out last week, the MBTA’s ire is misdirected. Rather than suing the vendor who sold them the defective system, they sued and attempted to silence the students who discovered the weakness. This is 2008, not 1988 — did they honestly think a gag order would prevent the information from reaching the general public? The DEFCON presentation was already available on the Intertubes prior to the injunction being issued, and the MBTA attorneys included a copy of the confidential whitepaper with their filing, thereby making it public.

I guess you wouldn’t expect that a transit authority would have paid any attention to theCiscogate fiasco from a few years ago. That presentation never got out either, did it? All that taxpayer money the MBTA spent on ridiculous lawsuits and restraining orders could have been put toward fixing the security flaws. What a concept.

Gag order against MIT students dissolved by judge

Tue, 19 Aug 2008 09:00:00 +0000

A federal judge lifted a restraining order that had blocked three MIT students from publicly discussing security flaws they found in the Boston-area transit agency's ticketing system.

Gag order against MIT students gets another day in court

Mon, 18 Aug 2008 20:00:00 +0000

A federal judge in Boston will decide on Tuesday whether to extend or let expire a restraining order enjoining three students at MIT from publicly speaking about security flaws they discovered in the electronic fare-payment system used by the city's mass transit agency.

Judge dissolves gag order against MIT students

Mon, 18 Aug 2008 20:00:00 +0000

A U.S. District court judge on Tuesday dissolved a gag order against a trio of MIT students who say they found flaws in the Massachusetts transit authority's ticketing system.

Judge disolves gag order against MIT students

Mon, 18 Aug 2008 20:00:00 +0000

A U.S. District Court judge on Tuesday dissolved a gag order against a trio of MIT students who said they found flaws in the Massachusetts transit authority's ticketing system.

Gag Order Slapped on MIT Students for Finding Security Flaws

Mon, 18 Aug 2008 18:40:25 +0000

A court order put a stop to a planned presentation at the Defcon hackers convention by three MIT students who found security flaws in the electronic ticketing system used by the mass transit authority in Boston. But the ruling reopened the schism in the IT security community over the issue of how vulnerabilities should be publicly disclosed.

Judge refuses to lift gag order on MIT students in Boston subway-hack case

Thu, 14 Aug 2008 09:00:00 +0000

A federal judge left in place a temporary restraining order barring three MIT students from publicly discussing details of security flaws they found in the e-ticketing system used by Boston's mass transit authority.