Defcon
By Rich
Remember our guest post from Jesse Krembs on the MIT students put under a gag order during DefCon this year for hacking the rail system? And I quote:
Please grow up; in the connected world there are very few ogres in caves any more, and they don't let you ride their trains. The difference between black hats and white hats is a line, and it's a gray one. But occasionally it gets a little contrast. When you treat the person or organization with a security problem like a victim or an enemy, then you're the bad guy. You're basically fucking them over, sometimes hard, sometimes gently, but it's still a screw job. When you treat them like a partner, then everyone wins. Sure, sometimes they don't want partners, and sometimes you have to go public because they put the rest of the world at risk, but you don't know that until you try talking to them. Finally I should note that in the end the only people winning in this case are the lawyers; the kids won't win in the way they want, nor will the MBTA. The lawyers, on the other hand, always get paid.
Looks like Superman just spun the Earth backwards and turned back time (sort of):
The announcement brings to a close a high profile case that pitted the rights of security researchers to freely discuss their findings against the concerns of one of the country's largest transit systems, which worried that this type of information could lead to widespread ticket fraud. "I'm really glad to have it behind me. I think this is really what should have happened from the start," said Zack Anderson, one of the students sued by the MBTA.
...
The settlement ends the matter in an amicable way. "For professional reasons and for public interest reasons, the students wanted to help the MBTA," said Jennifer Granick, a lawyer with the Electronic Frontier Foundation who represents the students.
The case against the three was finally settled on Oct. 7, but this was not publicly announced until Monday, because it took two months for all parties to schedule a public announcement of the settlement, Granick said. The researchers met with MBTA technical staff on Oct. 21 to discuss their findings and are working to improve the transit authority's fare collection system, she added.
And all is good in the world again.
–Rich
Posted at Wednesday 24th December 2008 4:23 am
By Rich
Securosis Guest Editorial
On occasion we invite some of our non-blogging friends to steal our thunder. Jesse Krembs, known as Agent X to those of us at DefCon, is a network engineer at undisclosed locations out East. He's one of the guys who keeps the tubes running, and, on occasion, loves a good rant.
I couldn't sleep last night. I've been thinking about the MIT/MBTA hacking controversy lately.
Zack Anderson, RJ Ryan, & Alessandro Chiesa are not the victims of this saga, although that plays a lot better in the media. Truth is, the MBTA is the real victim here.
I can completely understand exactly where the MBTA is coming from, and why they ran to the lawyers. They are out of their depth, dealing with smart kids screwing with their systems (and livelihood) in a very public manner. The MBTA's not in the business of running secure systems- far from it, they are in the business of moving people & making the trains run on time. This is a harrowing task, fraught with enough complications without some kids mucking around in the back office. The MBTA didn't request a security audit; they got audited, in the same way that a burglar cases a house before breaking in, or a mugger sizes up a mark. But unlike a burglar just looking for a single score, as far as the MBTA could tell these students were cracking the entire system and teaching the public how to do it themselves.
The worst part is this was 100% avoidable.
The big mistake that the MIT boys made was to treat the victim like the enemy instead of like a client. What they did is valuable; valuable enough to get an "A" from Ron Rivest, valuable enough to be presented to a crowd at Defcon 16. Valuable enough that the MBTA is willing to pay lawyers to shut them up and sort it out.
If the MIT students had disclosed what they had found to the MBTA first in an honest and forthright manner, I wouldn't be writing this. Had they done the responsible thing, everyone could win, the MIT kids could have had an awesome summer gig securing the MBTA, the MBTA & the people of Boston could be more secure. Maybe that sounds idealistic, but the MIT name carries enough weight the odds are they could have engaged in a real project, not an adversarial relationship. The baddies wouldn't know much more than they know now. The MIT boys could even have still given their talk at DefCon. Instead, with all the arrogance of youth & higher education, the boys from MIT scorned contact with the MBTA. They made the MBTA the enemy; the ogre in the cave, without even giving them a chance. And let's be honest, it isn't like this was a security issue affecting the health and safety of the train-riding public; it targeted revenue generation, and releasing the vulnerability details didn't do anything to help the public at large. Well, the law-abiding public.
Please grow up; in the connected world there are very few ogres in caves any more, and they don't let you ride their trains. The difference between black hats and white hats is a line, and it's a gray one. But occasionally it gets a little contrast. When you treat the person or organization with a security problem like a victim or an enemy, then you're the bad guy. You're basically fucking them over, sometimes hard, sometimes gently, but it's still a screw job. When you treat them like a partner, then everyone wins. Sure, sometimes they don't want partners, and sometimes you have to go public because they put the rest of the world at risk, but you don't know that until you try talking to them. Finally I should note that in the end the only people winning in this case are the lawyers; the kids won't win in the way they want, nor will the MBTA. The lawyers, on the other hand, always get paid.
I understand the principle of free speech, but at the same time I also don't believe in yelling "FIRE!" in the movie theater. The right of free speech is a gift from our Founding Fathers; use it responsibly. Finally, when you start to hack the grown-up systems of the world, be prepared to behave like adults.
/rant
-Jesse
–Rich
Posted at Monday 25th August 2008 2:37 pm
By Rich
A bit of a different episode this week. Since Martin is traveling, rather than a guest host this week we're posting the last of the interviews recorded at DefCon- but this one is a doozy. David Mortman, Dave Maynor, Chris Hoff, Robert "Rsnake" Hanson, and Larry Pesce join us immediately after we all finished our DefCon panel. Martin, as the sober one, interviews us as we record what is our first clearly explicit podcast. Yes folks, we hit all 7 dirty words plus a few bonuses. Not to worry, we do include some content as we discuss what we covered in the panel and whatever other topics flew into our adult-beverage-addled brains. We had a heck of a lot of fun putting the DefCon back into DefCon, and we hope you enjoy this little slice of the unfiltered.
Yes, this really is an explicit episode, so consider yourselves warned.
Network Security Podcast, Episode 116
Length: 24:00 (or so)
–Rich
Posted at Tuesday 19th August 2008 2:19 pm
By Rich
No, we didn't hack any networks or laptops, but we absolutely dominated when it comes to podcast coverage. This was our second series of microcasts since RSA, and we really like the format. Short, to the point interviews, posted nearly as fast as we can record them.
We have 9 (yes 9) microcasts up so far, with about 2-3 more to go. A few people also promised us phone interviews which we plan on finishing as soon as possible. Here's the list:
- Our pre-show special; where we talk about our plans for coverage and what we'd like to see.
- The first morning; our initial impressions before the main start of the show.
- Mike Rothman of Security Incite, hot after Chris Hoff's virtualization presentation.
- Tyler Reguly of nCircle on web development and the learning curve of researchers.
- Jeremiah Grossman from WhiteHat Security on what he's seen and what he talked about in his session.
- Martin turns the tables on Jon Swartz of USA Today and the book, Zero Day Threat.
- Martin and I close out Black Hat (don't worry, there's still DefCon).
- Nate McFeters and Rob Carter talk with us about GIFARs and other client side fun.
- Raffael Marty discusses security visualization, which he coincidentally wrote a book on.
- I never saw Johnny Long, but Martin managed to snag an interview with him on his new hacker charity work.
Don't worry, there's more coming. Stay tuned to netsecpodcast.com for an interview with the slightly-not-sober panel I was on (Hoff, David Mortman, Rsnake, Dave Maynor, and Larry Pesce) and some other surprises.
–Rich
Posted at Monday 11th August 2008 6:52 am
By Rich
My kitchen table:
–Rich
Posted at Monday 4th August 2008 9:52 am
By Rich
It won't come as a surprise to anyone, but Adrian and I will be out in Vegas for Black Hat and DefCon. I arrive Tuesday morning and Adrian arrives Tuesday night. He's there through Saturday morning, and I'm around to the bitter end.
I'm working the events on the speaker management team for Black Hat, and the speaker goon team for DefCon. Adrian gets to just hang out and drink. I'm also speaking at DefCon where I'll debut the new version of my Ultimate Evil Twin (which, thanks to being distracted by the recent DNS circus, isn't quite as ultimate as I originally planned).
Evenings are mostly full, but we have a couple lunch and break slots open still. Otherwise, we'll see you at the parties...
–Rich
Posted at Friday 1st August 2008 3:59 am
By Rich
I've talked to some of the local crew, and we've decided to hold a special pre-BH/DefCon SunSec on July 31st (location TBD).
We're going to take a bit of a different approach on this one. A while back, Vinnie, Andre, myself, and a couple of others sat around a table trying to think of how to jazz up SunSec a bit. As much as we enjoy hanging out and having beers, we recognize the Valley of the Sun is pretty darn big, and some of you need a little more than just alcohol to get you out of the house on a Wednesday or Thursday night.
We came up with the idea of the Phoenix Security Slam (PiSS for short). We'll move to a venue where we can get a little private space, bring a projector, and have a little presentation free for all. Anyone who presents is limited to 10 minutes, followed by Q&A. Fast, to the point, and anything goes.
For this first run we'll be a little less formal. I'll bring my DefCon content, and Vinnie has some other materials to preview. I may also have some other good info about what's going down in Vegas the next week, and I'll share what I can. We'll limit any formal presentation time to an hour, and make sure the bar is open before I blather.
If you're in Phoenix, let me know what you think. If you're also presenting at BH/DC and want to preview your content, let me know.
Also, we could use ideas for a location. Some restaurant where we can take over a back room is ideal.
–Rich
Posted at Wednesday 2nd July 2008 6:11 am