Securosis Guest Editorial

On occasion we invite some of our non-blogging friends to steal our thunder. Jesse Krembs, known as Agent X to those of us at DefCon, is a network engineer at undisclosed locations out East. He’s one of the guys who keeps the tubes running, and, on occasion, loves a good rant.

I couldn’t sleep last night. I’ve been thinking about the MIT/MBTA hacking controversy lately.

Zack Anderson, RJ Ryan, & Alessandro Chiesa are not the victims of this saga, although that plays a lot better in the media. Truth is, the MBTA is the real victim here.

I can completely understand exactly where the MBTA is coming from, and why they ran to the lawyers. They are out of their depth, dealing with smart kids screwing with their systems (and livelihood) in a very public manner. The MBTA’s not in the business of running secure systems- far from it, they are the business of moving people & making the trains run on time. This is a harrowing tasking, fraught with enough complications without some kids mucking around in the back office. The MBTA didn’t request a security audit; they got audited, in the same way that a burglar cases a house before breaking in, or a mugger sizes up a mark. But unlike a burglar just looking for a single score, as far as the MBTA could tell these students were cracking the entire system and teaching the public how to do it themselves.

The worst part is this was 100% avoidable.

The big mistake that the MIT boys made was to treat the victim like the enemy instead of like a client. What they did is valuable; valuable enough to get an “A” from Ron Rivest, valuable enough to be presented to a crowd at Defcon 16. Valuable enough that the MBTA is willing to pay lawyers to shut them up and sort it out.

If the MIT students had disclosed what they had found to the MBTA first in an honest and forthright manner, I wouldn’t be writing this. Had they done the responsible thing, everyone could win, the MIT kids could have had an awesome summer gig securing the MBTA, the MBTA & the people of Boston could be more secure. Maybe that sounds idealistic, but the MIT name carries enough weight the odds are they could have engaged in a real project, not an adversarial relationship. The baddies wouldn’t know much more then they know now. The MIT boys could even have still given their talk at DefCon. Instead, with all the arrogance of youth & higher education, the boys from MIT sco ed contact with the MBTA. They made the MBTA the enemy; the ogre in the cave, without even giving them a chance. And let’s be honest, it isn’t like this was a security issue affecting the health and safety of the train-riding public; it targeted revenue generation, and releasing the vulnerability details didn’t do anything to help the public at large. Well, the law-abiding public.

Please grow up; in the connected world there are very few ogres in caves any more, and they don’t let you ride their trains. The difference between black hats and white hats is a line, and it’s a gray one. But occasionally it gets a little contrast. When you treat the person or organization with a security problem like a victim or and enemy, then you’re the bad guy. You’re basically fucking them over, sometimes hard, sometimes gently, but it’s still a screw job. When you treat them like a partner, then everyone wins. Sure, sometimes they don’t want partners, and sometimes you have to go public because they put the rest of the world at risk, but you don’t know that until you try talking to them. Finally I should note that in the end the only people winning in this case are the lawyers; the kids won’t win in the way they want, nor will the MBTA. The lawyers, on the other hand, always get paid.

I understand the principle of free speech, but at the same time I also don’t believe in yelling “FIRE!” in the movie theater. The right of free speech is a gift from our Founder Fathers; use it responsibly. Finally, when you start to hack the grown-up systems of the world, be prepared to behave like adults.