Injunction lifted against MIT students
By Jake Edge
August 20, 2008
Three MIT students won a victory in court this week, but it was a rather bittersweet one as the injunction that was overturned was, at best, dubious. The students had researched the security of the Massachusetts Bay Transportation Agency's (MBTA) tickets and pre-paid cards. They were planning to give a presentation about their findings at the DEFCON security conference when MBTA sued them. Even after the Electronic Frontier Foundation (EFF) stepped in to represent the students, MBTA was able to get a ten-day injunction that made the presentation impossible.
The judge who issued the injunction relied on the Computer Fraud and Abuse Act, a statute aimed at preventing computer intrusions, to make his decision. He ruled that speaking at a conference was a "transmission" of a computer program that could harm MBTA by allowing people to get free subway rides. The free speech rights of the students, Zack Anderson, RJ Ryan and Alessandro Chiesa, were completely ignored by the judge. Unfortunately, when a second judge lifted the injunction this week, he did it on narrow grounds, not considering the First Amendment issues either. He instead ruled that MBTA was unlikely to succeed on the merits of its case.
While the injunction has been lifted, the suit continues. MBTA is likely to be the biggest loser in all of this for a number of reasons, not least of which is the "Streisand Effect". By trying to squelch discussion of their security problems, MBTA ensured that the story got much wider play than it would have as a report from DEFCON. As Barbra Streisand found out when she tried to remove aerial pictures of her Malibu estate from a California coastal survey, suing someone to stop information from flowing rarely works; in fact, on the internet, it generally backfires.
After getting an "A" in Professor Ron Rivest's—the R in RSA—class, the students met with MBTA to outline what they had found. They also provided a confidential report that included all of the details. They told MBTA that they planned to keep some of those details out of the DEFCON presentation to stop others from trivially exploiting the system. With no advance warning, 48 hours before the presentation, MBTA sued to get an injunction.
Had MBTA done its homework, it would have realized that the slides of the presentation [PDF] were already available, both on the net and on CDs given to the conference attendees. Worse still, MBTA entered the confidential report, with the details left out of the presentation, into the open court record. For an agency that claimed that release of the information would cause harm, it did far more harm to itself than the students did.
It is a common fallacy that security problems are somehow magically kept at bay if they are not discussed. Time and again we see organizations try to stifle discussion of security problems rather than actually address them. Any system that is likely to attract the attention of "white hat" security researchers is very likely to have attracted others as well. In fact, for a system like MBTA's, where large amounts of money can be made, the chances that someone of malicious intent isn't already looking for vulnerabilities are vanishingly small.
By treating the "MIT Three" as criminals, MBTA has done itself and the
Boston-area taxpayers a disservice. The students are willing to work with
the agency to identify and fix the problems, but not while they are being
sued. The agency told the judge this week that it would take it five
months to fix the problems identified—it is hard to see how that is
expedited by spending time in court.
While the students were under a gag order, various MBTA officials were saying that there were no security problems. Because their First Amendment rights had been suspended, the students were unable to respond to defend their research. Only recently has the agency confessed that they do, indeed, have security problems. This is one of the reasons that "prior restraint" on free speech has been deemed unconstitutional in various cases, including the famous "Pentagon Papers" case.
It is hard to see how the students could have been more "responsible" with
their disclosure. It is not as if these vulnerabilities came out of left
field; similar types of problems had been reported for other transit
systems. Had MBTA done its job, the students might not have been able to
find any flaws to report on. But, instead of thanking them and, perhaps,
hiring them, MBTA tried to bully them. The next time someone finds a flaw
in their systems, they may decide to anonymously report it with full
details—or exploit it for free subway rides.
Security news
Federal Judge Throws Out Gag Order Against Boston Students in Subway Case (Wired)
Wired covers the lifting of an injunction against three MIT students regarding their research into Massachusetts Bay Transportation Authority (MBTA) security. The ruling comes just a tad late for the students to give their planned talk at DEFCON, but it does recognize some important legal points. "District Judge O'Toole, in vacating the restraining order this morning, essentially ruled that the Computer Fraud and Abuse Act does not apply to speech and that the MBTA had failed to supply sufficient proof to merit other claims with regard to the statute, to merit a restraining order or preliminary injunction." The Electronic Frontier Foundation (EFF) represented the students, so updates should be available soon at its website.
New vulnerabilities
amarok: temporary file vulnerability
| Package(s): | amarok |
| CVE #(s): | CVE-2008-3699 |
| Created: | August 18, 2008 |
| Updated: | October 21, 2008 |
| Description: | Amarok (prior to version 1.4.10) suffers from a temporary file vulnerability which may enable a local attacker to overwrite files. |
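The amarok entry names the bug class but not the mechanism. The following added example (not Amarok's code; the scratch-file name and contents are constructed) shows why a predictable temporary file opened without O_EXCL lets a pre-planted symlink redirect the write into another file, and contrasts it with the two standard fixes: an O_EXCL open, which refuses an existing link, and mkstemp, which picks an unpredictable name.

```python
import os
import tempfile

# Constructed demonstration of the temporary-file bug class from the
# amarok advisory. File names and contents are hypothetical.

def unsafe_write(path, data):
    """Predictable name, O_CREAT without O_EXCL: open() follows a
    symlink that already sits at that path, so the write lands in
    whatever the link points to."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def exclusive_write(path, data):
    """Same fixed name, but O_EXCL: POSIX requires open() to fail with
    EEXIST if the path is a symlink, so a planted link is refused."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def safe_write(directory, data):
    """Preferred fix: mkstemp creates a fresh, unpredictable name with
    O_EXCL, so there is no name for anyone to plant a link at."""
    fd, path = tempfile.mkstemp(prefix="scratch-", dir=directory)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path

def run_demo():
    """Plant a symlink at the guessed scratch name, then run each writer.
    Returns the victim file's contents after each attempt."""
    workdir = tempfile.mkdtemp()
    victim = os.path.join(workdir, "victim.txt")
    guessed = os.path.join(workdir, "scratch.tmp")  # name an attacker could guess
    with open(victim, "w") as f:
        f.write("original")
    os.symlink(victim, guessed)  # planted before the program runs

    unsafe_write(guessed, b"clobbered")  # follows the link
    after_unsafe = open(victim).read()

    with open(victim, "w") as f:
        f.write("original")
    try:
        exclusive_write(guessed, b"scratch")
        refused = False
    except FileExistsError:
        refused = True  # the link is rejected, victim untouched
    after_exclusive = open(victim).read()

    safe_write(workdir, b"scratch")  # unpredictable name, victim untouched
    after_safe = open(victim).read()
    return {"after_unsafe": after_unsafe, "exclusive_refused": refused,
            "after_exclusive": after_exclusive, "after_safe": after_safe}
```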
postfix: multiple vulnerabilities
| Package(s): | postfix |
| CVE #(s): | CVE-2008-2936, CVE-2008-2937 |
| Created: | August 14, 2008 |
| Updated: | October 16, 2008 |
| Description: | The postfix MTA has two vulnerabilities. From the SuSE alert: During a source code audit the SuSE Security-Team discovered a local privilege escalation bug (CVE-2008-2936) as well as a mailbox ownership problem (CVE-2008-2937) in postfix. The first bug allowed local users to execute arbitrary commands as root while the second one allowed local users to read other users' mail. |
yum-rhn-plugin: SSL certificate not verified
| Package(s): | yum-rhn-plugin |
| CVE #(s): | CVE-2008-3270 |
| Created: | August 14, 2008 |
| Updated: | August 20, 2008 |
| Description: | From the Red Hat alert: It was discovered that yum-rhn-plugin did not verify the SSL certificate for all communication with a Red Hat Network server. An attacker able to redirect the network communication between a victim and an RHN server could use this flaw to provide malicious repository metadata. This metadata could be used to block the victim from receiving specific security updates. |
Page editor: Jake Edge