Thursday, August 14, 2008

MIT Hackers Suffer Another Blow to Their Right to Free Speech

It is a sad day for free speech: another clueless idiot judge has let the gag order stand against the MIT hackers working on a project under Ron Rivest (the 'R' in RSA encryption), barring them from exposing a flaw they found in the RFID and magstripe cards used in Boston's subway. Maybe George O'Toole will get it right on Tuesday. A letter signed by 11 computer science professors from across the country speaks out against the order. Here is the article the letter is from:

http://blog.wired.com/27bstroke6/2008/08/computer-scient.html

And here is the letter (Bruce Schneier was one of the signers):

We write to express our firm belief that research on security vulnerabilities, and the sensible publication of the results of the research, are critical for scientific advancement, public safety and a robust market for secure technologies. Generally speaking, the norm in our field is that researchers take reasonable steps to protect the individuals using the systems studied. We understand that the student researchers took such steps with regard to their research, notably by planning not to present a critical element of a flaw they found. They did this so that their audience would be unable to exploit the security flaws they uncovered. . . .

The restraining order at issue in this case also fosters a dangerous information imbalance. In this case, for example, it allows the vendors of the technology and the MBTA to claim greater efficacy and security than their products warrant, then use the law to silence those who would reveal the technologies' flaws. In this case, the law gives the public a false sense of security, achieved through law, not technical effectiveness. Preventing researchers from discussing a technology's vulnerabilities does not make them go away - in fact, it may exacerbate them as more people and institutions use and come to rely upon the illusory protection. Yet the commercial purveyors of such technologies often do not want truthful discussions of their products' flaws, and will likely withhold the prior approval or deny researchers access for testing if the law supports that effort. . . .

Yet at the same time that researchers need to act responsibly, vendors should not be granted complete control of the publication of such information, as it appears MBTA sought here. As noted above, vendors and users of such technologies often have an incentive to hide the flaws in the system rather than come clean with the public and take the steps necessary to remedy them. Thus, while researchers often refrain from publishing the technical details necessary to exploit the flaw, a legal ban on discussion of security flaws, such as that contained in the temporary restraining order, is especially troubling.
