This time, it is some college students that dared to attempt to present their research findings at Black Hat…

As picked up by ABC News:

A federal court order that prevented three MIT students from telling a hackers conference how they were able to break into Boston’s subway fare collection system has backfired.

Hmmm.  OK - that’s the major news organization’s headline.  But we have to be very careful in how we interpret anything put together by our major news organizations these days.  Really, you should go read their article before reading this post further.

Ok.  Now that you’ve read it…

…Have you really read it?

Looks like the real question here is, did they do their research without breaking any laws?  If so, case precedent would show that the students (specifically, Zack Anderson, “Rusty” Ryan, and the Italian Alessandro Chiesa) should have no direct legal threat from their opposition.  On the face of the text presented in the article alone, this is left somewhat ambiguous.  Consider the statement:

The injunction was meant to block discussion of how the students figured out how to evade the computer system’s security to change a $1.25 fare card to a $100 fare card.

So which was it?  Did they figure out how to do it?  Or did they do it?  While the distinction may be subtle, it is still huge.  Figuring out how to do something is not a crime in and of itself.  However, if they figured out how to do it by actually doing it, we’ve got an entirely different legal landscape.  Even more ambiguous, what if they did figure out how to do it by actually modifying their own card in some way?  Have they committed a crime?  What if they destroyed the card, without using it, after figuring out how?  Are they committing a crime by telling others how it could be done?  What if they tell how to do it, and encourage others to do the same thing and actually use them?

This is a steep, slippery slope.  And unfortunately it is one that any security researcher finds themselves traversing all of the time.  There are never clear-cut answers in our current legal environment where digital signals are continually shoe-horned into legal wording that treats them like physical property.

As an analogy to consider as a thought experiment, imagine an automobile manufacturer.  They may make two different models of cars, one with a top speed of 90 MPH, and one with a top speed of 160 MPH.

So what happens if I use my knowledge of cars to modify my purchased 90 MPH model?  I tweak on it, tune it, apply aftermarket parts until I figure out how to make it go 160 MPH.  Have I deprived the auto manufacturer of their legal claim to the price differential between the 90 and 160 MPH cars?

Like I said - it is a crude analogy.  Just think about it.

Or - if you are looking for a more direct analogy to consider, check out the original presentation materials - while you still can.


All content copyright ©2008 by Ross A. Del Duca
unless otherwise noted

contributed content rights belong to the respective contributors.