Securosis Guest Editorial
On occasion we invite some of our non-blogging friends to steal our thunder. Jesse Krembs, known as Agent X to those of us at DefCon, is a network engineer at undisclosed locations out East. He’s one of the guys who keeps the tubes running, and, on occasion, loves a good rant.
I couldn’t sleep last night. I’ve been thinking about the MIT/MBTA hacking controversy lately.
Zack Anderson, RJ Ryan, & Alessandro Chiesa are not the victims of this saga, although that plays a lot better in the media. Truth is, the MBTA is the real victim here.
I can completely understand exactly where the MBTA is coming from, and why they ran to the lawyers. They are out of their depth, dealing with smart kids screwing with their systems (and livelihood) in a very public manner. The MBTA’s not in the business of running secure systems; far from it, they are in the business of moving people & making the trains run on time. This is a harrowing task, fraught with enough complications without some kids mucking around in the back office. The MBTA didn’t request a security audit; they got audited, in the same way that a burglar cases a house before breaking in, or a mugger sizes up a mark. But unlike a burglar just looking for a single score, as far as the MBTA could tell these students were cracking the entire system and teaching the public how to do it themselves.
The worst part is this was 100% avoidable.
The big mistake that the MIT boys made was to treat the victim like the enemy instead of like a client. What they did is valuable; valuable enough to get an “A” from Ron Rivest, valuable enough to be presented to a crowd at Defcon 16. Valuable enough that the MBTA is willing to pay lawyers to shut them up and sort it out.
If the MIT students had disclosed what they had found to the MBTA first in an honest and forthright manner, I wouldn’t be writing this. Had they done the responsible thing, everyone could win: the MIT kids could have had an awesome summer gig securing the MBTA, and the MBTA & the people of Boston could be more secure. Maybe that sounds idealistic, but the MIT name carries enough weight that the odds are they could have engaged in a real project, not an adversarial relationship. The baddies wouldn’t know much more than they know now. The MIT boys could even have still given their talk at DefCon. Instead, with all the arrogance of youth & higher education, the boys from MIT scoffed at contact with the MBTA. They made the MBTA the enemy, the ogre in the cave, without even giving them a chance. And let’s be honest, it isn’t like this was a security issue affecting the health and safety of the train-riding public; it targeted revenue generation, and releasing the vulnerability details didn’t do anything to help the public at large. Well, the law-abiding public.
Please grow up; in the connected world there are very few ogres in caves any more, and they don’t let you ride their trains. The difference between black hats and white hats is a line, and it’s a gray one. But occasionally it gets a little contrast. When you treat the person or organization with a security problem like a victim or an enemy, then you’re the bad guy. You’re basically fucking them over, sometimes hard, sometimes gently, but it’s still a screw job. When you treat them like a partner, then everyone wins. Sure, sometimes they don’t want partners, and sometimes you have to go public because they put the rest of the world at risk, but you don’t know that until you try talking to them. Finally I should note that in the end the only people winning in this case are the lawyers; the kids won’t win in the way they want, nor will the MBTA. The lawyers, on the other hand, always get paid.
I understand the principle of free speech, but at the same time I also don’t believe in yelling “FIRE!” in the movie theater. The right of free speech is a gift from our Founding Fathers; use it responsibly. Finally, when you start to hack the grown-up systems of the world, be prepared to behave like adults.
/rant
-Jesse
2 Replies to “Guest Editorial- The MBTA/MIT Disclosure Failure”
Disclaimer: I’m not on either side of the fence with regards to how the MIT guys acted, but I don’t mind playing devil’s advocate a bit, especially on a topic that I don’t think has answers, only passionate opinions. 🙂 By the way, excellent editorial from Jesse!
I’m not sure I would go so far as to say the MIT guys demonized (ogre/enemy) the MBTA so much as they just didn’t care about the MBTA. They didn’t care enough to appraise them properly and work with them. With the exception of the lawsuit, it really may just be very little skin off their backs to expose the issues. (Although they may have done illegal things in their investigations that may come back to haunt them.)
Did they do this disclosure wrong? Probably, although how do you try to hold people up to a certain disclosure standard without being elitist? Is this an indication of our industry maturing? 🙂 I might posit there are too many variables here to ever make a blanket statement about disclosure ethics.
Did the MBTA react badly? Probably, but that’s how public and even private organizations react to such news. In fact, they would have gotten a heck of a lot less press had they just taken action on their issues rather than the students. I don’t know if it would have even made the Boston news rounds, let alone international. It was a kneejerk reaction that I think any of us familiar with security and Defcon would have predicted to be the wrong public move.
Should the MBTA have been running a tighter ship? I can’t really tell from the editorial above. 🙁 Are they justified in not securing their revenue generation? I guess so, but then again, if they were, they wouldn’t have tripped over themselves once this whole incident began, right? This is really the stressful rub in our field. We know what is insecure and secure, but getting someone to pony up for it when “no one will notice it” is the big gamble (enter risk mgmt!).
It also begets the question, “Would MBTA still move ahead insecurely per the status quo if the students hadn’t been able or decided not to disclose?” What if they worked with MBTA, MBTA patted them on the heads, sent them on their way, then did nothing? An unfair hypothetical, I know, but still a question to muse over. Until we can ensure how organizations will react, we can’t make guidelines on how researchers are to act?
If the boys were in the security industry and wanted to maintain a clean reputation, or the MBTA really was their client, you bet they should have remained on the MBTA’s side. But are they? …And that’s where the grey area sits.
If those students were pre-med students and they discovered these insecurities and disclosed at Defcon, is that really wrong? And what would they care whether the security industry thought it was wrong?
Oh well, this deserves an extra beer tonight, and I hope everyone keeps an open mind with regards to what is a somewhat religious debate (disclosure).
A-freaking-men.
/Hoff