MBTA Shows MIT How Security Disclosure Really Works

The Massachusetts Bay Transit Authority (MBTA) had a problem last week – a group of students were prepared to deliver a presentation at Defcon, a high-profile security conference, on vulnerabilities they had identified in the transit card system employed by the MBTA. In a vain attempt to suppress this information, the MBTA filed an injunction to stop the presentation. In doing so, the MBTA filed this document in their court documents, and provided far better disclosure of the vulnerabilities (see Exhibit 1) than would have been provided by any such presentation.

While I disagree with the actions of the MBTA, if they really wanted to quash the disclosure they could have at least tried to do it right. There can only be one of two possible conclusions: they didn’t really want to quash the disclosure but had to appear to do so for political reasons, or they’re incompetent. Does no one on the MBTA legal team realize that filed court documents are public records? And readily available on the Internet? No? OK then, you’re fired.

On a related note, I learned a new term: the Streisand Effect.

(Incidentally, I don’t see what the big deal is about this vulnerability. When I was in university, we were cloning our university's pre-paid printer stored value cards using only blank audio tape and a piece of Scotch tape. It’s not rocket science.)