Thursday, August 14, 2008

Free speech not the only issue at heart of MBTA hacker scandal

A federal judge today ordered three MIT students to release more information on what they know about security flaws in the MBTA's electronic toll collection system.

In a hearing in a lawsuit brought by the MBTA, Jennifer Granick, an attorney for the students, told US District Judge George O'Toole that the students had already provided the court with the "entire universe of information" the students had developed about the system.

The students filed a 30-page sealed document with the court Wednesday detailing what they know. But the MBTA is seeking emails the students wrote to organizers of a hackers' conference last weekend in Las Vegas, as well as a copy of a paper they prepared for an MIT professor.

US District Judge Douglas Woodlock granted the transit authority a temporary restraining order on Saturday blocking the trio from publicly discussing their findings on the possible security flaws at a presentation at last weekend's DEFCON convention.


Most singular-minded thinkers will protest about how this violates free speech and the First Amendment, but it goes deeper than that. How clueless does any government organization - and, subsequently, our own justice system - have to be, to make decisions like this?

Hackers & trolls exist for a variety of reasons, but some of the most important include:

  • to challenge morons on message boards arguing their one-dimensional arguments or supporting each other's viewpoints on trivial matters, making a Usenet group or forum into some kind of circle jerk (trolls)
  • to challenge internet/technological security by finding ways around systems accepted by the masses (hackers)

Normally hacking ends up being a security lesson for folks at the corporation or government agency that was hacked, and many internet and technological security personnel are people who used to be - and in some cases still are - hackers of some sort.

Now that we have a society of "tolerance" - where everything is tolerated except the lack of tolerance of society - these organizations, and the people who provide these services to society (admittedly having a lot of fun while they're doing it) will be forced into a criminal element in the future. When some students (who were going to present their findings at a convention within days and make recommendations on how the MBTA could make their system safer) decide to show some flaws in systems used by our subtly totalitarian regime, that regime now decides the book will be thrown at anyone who dares show flaws in its systems. Effectively, free speech was limited here as the court barred the students from presenting findings and instead decided to accept the information in sealed court records.

Sound familiar? This is something that easily could have happened in modern-day China or Cold War Russia: no, we don't tolerate your games, hackers; we're going to force you underground by undermining the service you provide to society and treating you like common thugs.

Rather than criminalizing this type of activity, government agencies should monitor and accept it; taxpayer dollars shouldn't be wasted on court systems for these types of infractions, and hackers should simply be required to present their findings and make recommendations on how to make systems better. Prosecution (or the threat thereof) should be limited to the minority element that never discloses the flaw and instead uses the information for his or her own gain (credit card/identity thieves, etc.). Even then, government agencies should look at what happened with a self-critical eye. With precedents like this being set, it's no wonder that our government is woefully incompetent to deliver information services to its constituency.
