Three MIT students who were scheduled to give a Defcon presentation on how easily they were able to hack Boston subway system smartcards were thrown from the train yesterday by a federal judge.
The brainiacs were able to completely compromise the CharlieCard, an RFID card that the Mass Bay Transportation Authority uses on the Boston T subway line. The students were also scheduled to release card-hacking software as part of their gig.
Federal judge Douglas Woodlock ordered the three not to provide "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System."
The EFF claimed that the temporary restraining order ran contrary to First Amendment protections, and said a court order pre-emptively gagging security researchers was "unprecedented."
I guess we can file this under "security by obscurity." If a company develops an insecure product, yet does not permit either a review of their source code or an independent evaluation of its security effectiveness, or silences any attempts to make this information public instead of fixing their own faulty product, then they falsely believe they still have a measure of security. What they have, instead, is a head-in-the-sand approach to their software development lifecycle processes that leaves us with a false sense of security, and I think that's worse than not having any security at all.
Does this remind anyone of three years worth of electronic voting machine fiascos?