MBTA Shows MIT How Security Disclosure Really Works

The Massachusetts Bay Transit Authority (MBTA) had a problem last week – a group of students were prepared to deliver a presentation at Defcon, a high-profile security conference, on vulnerabilities they had identified in the transit card system employed by the MBTA. In a vain attempt to suppress this information, the MBTA filed an injunction filed to stop the presentation. In doing so, the MBTA filed this document in their court documents, and provided far better disclosure of the vulnerabilities (see Exhibit 1) than would have been provided by any such presentation.

While I disagree with the actions of the MBTA, if they really wanted to quash the disclosure they could have at least tried to do it right. There can only be one of two possible conclusions: they didn’t really want to quash the disclosure but had to appear to do so for political reasons, or they’re incompetent. Does no one on the MBTA legal team realize that filed court documents are public records? And readily available on the Internet? No? OK then, you’re fired.

On a related note, I learned a new term: the Streisand Effect.

(Incidentally, I don’t see what the big deal is about this vulnerability. When I was in university, we were cloning our university the pre-paid printer stored value cards using only blank audio tape and a piece of Scotch tape. It’s not rocket science.)

US Border Laptop Search Policies Are Scary

The Department of Homeland Security has revealed its laptop search policy. According to the Washington Post:

Federal agents may take a traveler’s laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed.

Also, officials may share copies of the laptop’s contents with other agencies and private entities for language translation, data decryption or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement.

I totally saw this coming once the Ninth Circuit ruled border searches of luggage legal – and the Canadian Border is following the DHS’ lead. It was only a matter of time, as I predicted, before they argue that they need the capability to copy or retain data.

This should scare the bejeezus out of Canadians and Americans alike. The border services are notoriously incompetent, and it is inevitable that laptops and data will be lost. As a result, sensitive corporate or customer data will be compromised, identities will be stolen, competitive advantage will be lost, and a host of other consequences will be incurred.

What I find mind-boggling is that Senator Feinstein “intends to introduce legislation soon that would require reasonable suspicion for border searches”. In other words, to re-affirm that the fourth amendment of the US Constitution does apply at the borders. Talk about cat and mouse.

There’s one additional implication for Canadian companies now that this policy has been clarified. Under PIPEDA, companies must safeguard Canadians’ personal data. This has lead to many services, such as those storing Canadians’ health data, to be moved off of US servers due to the wide-sweeping powers of investigation granted under the US Patriot Act. The implication of this new laptop policy is clear: companies operating in Canada must not carry Canadian customer or employee data on laptops to the US.