[130606] in cryptography@c2.net mail archive
Security by restraining order
daemon@ATHENA.MIT.EDU (Matt Blaze)
Wed Aug 13 15:43:50 2008
From: Matt Blaze <mab@crypto.com>
To: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <1787C85B-8B8B-45B6-BA4C-9230B3265F65@farber.net>
Date: Wed, 13 Aug 2008 14:42:25 -0400
The EFF yesterday filed a letter from a number of academic security researchers urging the judge in the MIT "Charlie Card" case to reverse the restraining order. It can be found on the EFF's case page, at
http://www.eff.org/cases/mbta-v-anderson/
As a security researcher (and one of the signers of the letter to the judge), I was particularly struck by the ironic -- and very unfortunate -- message that the court order sends to our community: it's safer to irresponsibly blindside users and vendors by publishing about vulnerabilities without warning them first (thus denying them the opportunity to seek a pre-publication gag order).
Surely that's not what the court or the MBTA seek to encourage here.
I blog a bit more about this at
http://www.crypto.com/blog/security_through_restraining_orders/
-matt
On Aug 13, 2008, at 3:58, David Farber wrote:
> clipped from Steve Bellovin blog --
> The MBTA versus (Student) Security Researchers
> 12 August 2008
>
> As I'm sure many of you have heard, the MBTA (Massachusetts Bay Transportation Authority) has a very insecure fare payment system. Some students at MIT, working under the supervision of Ron Rivest -- yes, that Ron Rivest, the "R" in RSA -- found many flaws and planned a presentation at DEFCON on it. The MBTA sought and received an injunction barring the presentation, but not only were the slides already distributed, the MBTA's court filing included a confidential report prepared by the students with more details than were in the talk...
>
> The Electronic Frontier Foundation is appealing the judge's order, and rightly so. Not only is this sort of prior restraint blatantly unconstitutional, it's bad public policy: we need this sort of security research to help us build better systems. I and a number of other computer scientists have signed a letter supporting the appeal. You can find the complete EFF web page on the case here.
>
> djf --- Here's the letter:
>
> http://www.eff.org/files/filenode/MBTA_v_Anderson/letter081208.pdf
>
> The rest of the case files are here:
> http://www.eff.org/cases/mbta-v-anderson
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com