Monday, August 11, 2008

Free Rides on the MBTA: MIT Hackers and the Law

Does the principle of freedom to share technical information about computer system vulnerabilities mean that you can tell folks how to get free rides on Boston's MBTA? A federal judge doesn't think so. And the way all this came about raises some interesting questions in engineering ethics.

A bunch of students from the Massachusetts Institute of Technology spent some time finding security flaws in the subway system: things like doors and turnstile boxes left unlocked and ways to duplicate the magnetic-stripe and RFID cards to get a free ride. That they did so is not surprising: any time you put a lot of super-competitive technologically savvy kids in a pressure-cooker environment like MIT, they're going to seek recreational relief in activities that will showcase their expertise. But then they went further by documenting their exploits in an 87-slide PowerPoint presentation and entered it in the annual Defcon convention in Las Vegas.

Now I'll be frank that I've never attended a Defcon, but I can imagine the atmosphere: lots of under-30 guys trying to impress each other with their computer prowess amid the partying and general high jinks that Las Vegas encourages. A perfect place, you would think, to brag about hacking the MBTA. Well, the Defcon organizers thought so, because they put the MIT students' talk on the schedule and distributed it in the proceedings CD handed to all registrants. Then the MBTA lawyers found out about it and went to court to block the talk. The federal judge's restraining order did this, but the CD copies found their way to the Internet and the talk is now roaming freely in cyberspace.

According to a lawyer for the Electronic Frontier Foundation, an organization defending the students, they planned to omit certain key information that would have made it easy for anyone hearing the talk to get free rides. Of course, what is key information to some people is a trivial exercise for others, but we'll never know now, because the talk scheduled for Sunday wasn't delivered.

Let's consider the students to be software engineers—they are acting that way, whether or not they have their degrees yet. As software engineers, they discovered numerous flaws and security breaches in the MBTA's system of controlling access to subways. What should they have done?

The MBTA claims that the students never gave the organization a chance to fix the problems. Instead, the students went straight to Defcon with their findings. You must admit the MBTA has a point, but on the other hand, if the students had shown MBTA officials their talk first and then waited until the problems were fixed to present it in public, it would have taken the edge off, to say the least. And large municipal outfits such as the MBTA are not well known for being able to turn on a dime. The students might have all graduated and gotten real jobs before it was completely safe to talk about what they did back in their young, free undergrad days, and by then it would be ancient software history, not current events.

Back thirty years or so when "computer security" only meant making sure the door to the mainframe computer room was locked, a computer firm approached students at my alma mater, Caltech, with a new operating system and asked them explicitly to try and hack it. The company figured that if the Caltech junior whizzes couldn't break the system, nobody else was likely to, either. Perhaps the MBTA should be grateful for the free consulting work the MIT students did, but not for the way they found out about it.

It's hard to think of a way this situation could have been handled that would have left everybody happy. If someone with diplomatic skills had approached the MBTA with an early copy of the talk and asked their help in tuning it so it wouldn't spill all the digital beans, but would still make the important points, MBTA might have refrained from calling out the lawyers. On the other hand, sometimes it takes the sting of surprise publicity and the ensuing embarrassment to prod sluggish bureaucracies into action. You can bet that copies of the talk are being studied by MBTA engineers already, whether or not they pursue the legal actions they've initiated.

Anyway, happiness isn't necessarily the goal of engineering ethics. And sending around instructions on how to get a free subway ride is not in the same league as, for example, propagating directions on how to blow up subway cars. Still, it seems that the students could have taken a little more care to consider how the MBTA was going to view things. And if they didn't do it this time, they'll have the experience to draw on later in life when they remember back in their wild undergrad days how they got the MBTA on their backs for a hack they tried to show at Defcon.

Sources: The San Jose Mercury-News carried an AP article about the incident at http://www.mercurynews.com/ci_10163740?source=rss. The Electronic Frontier Foundation currently features the case prominently on its website at www.eff.org.

3 comments:

  1. It is an interesting question. There are many ways that they could have acted in a clearly unethical way, such as disseminating the information quietly and anonymously, or asking MBTA to pay them for the information.

    As you mention, the "best" way would probably have been to collaborate with MBTA, but bragging rights wouldn't have been quite the same then - but I suppose they wouldn't have to pay for their own lawyers' bill then either.

    Regardless, I'm sure they have learnt a lot, and isn't that what university is about?

  2. Of course it actually turned out that the students DID go to the MBTA first, even had a talk with them and the FBI, almost a week before the MBTA thought - damn, we actually have a problem. Let's sue.

    Then you get the blatant violation of the so-called "first amendment" you people in America have, and on free speech, as well as claiming "the students didn't follow the standard industry accepted protocol for reasonable disclosure." Not that there is actually a "standard" one.
    Or that the students should have been silenced for trying to address a problem that they didn't create.

    Of course the MBTA is a government-owned body, so the government-owned judge said "cease and desist." Screw human rights - kind of hypocritical when you view the government's stance on China and the Olympics. HA HA HA.

    I'm so glad I don't live in the US of A, I just wish this country wasn't trying to be like them.
    Problem with that? SO SUE ME.

    The blog on the ethics, fair enough- I agree debate is needed. But not enough research has been done on the subject matter here, or you would have known about the fact that the MBTA are the ones doing the bullying here.

  3. This whole issue really weighs on my mind considering the industry ramifications. Jon Longoria wrote an interesting, albeit brief, article regarding the plausible thought process MBTA took going into this. You can check it out here: http://thereformed.org/2008/08/25/mbta-put-profit-before-security/
