Tag Archives: security

Security & Freedom of Speech

I had a passing interest over the past few weeks about the MIT students who were planning to present their research into the flaws associated with the Boston “T”’s transit card that make it possible for someone to “hack” the system. It was disappointing to see the response of the transit authority, filing a lawsuit to try to block release of the information, as opposed to actively working to eliminate the flaws in the system. This is especially disappointing in light of the fact that the transit authority had advance notice of the vulnerabilities in the system and of the presentation and waited until the last minute to sue to block the release.

Bruce Schneier, commenting in Wired, argues that “Full Disclosure” is the only real motivation for companies and groups to fix their vulnerabilities as opposed to trying to force secrecy on all those who discover them. As an avid techie, I fully believe that it is only full disclosure that makes software and security systems stronger. The only incentive companies have is the fear of losing customers and the liability that might exist should it be clear that the company knew that the vulnerability existed but instead decided to ignore it. Full disclosure makes it clear to everyone that the vulnerability exists, preventing the responsible party from hiding or shirking their duty to plug the hole. His historical write-up makes it clear that only fully disclosing the vulnerability spurs action; otherwise denials and complaints about potential losses abound.

And as Bruce notes, “[t]he Dutch court got it exactly right when it wrote: ‘Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings.'”

Being “Watched”

Good news if you’re on the T(housands) S(tanding) A(round) watch list – an appeals court ruled recently that you, in fact, can sue to have your name removed from the list.

The issue was decided entirely on procedural grounds, though, from the reading of this passage in the article:

Kozinski, joined by James Otero, found instead that the TSA’s no-fly and selectee lists were compiled and maintained by another agency — the Terrorist Screening Center — that wasn’t protected, so the challenge can proceed. Judge Randy Smith dissented, saying Congress clearly wanted to protect the TSA from such suits.

I imagine there will either be some quick administrative consolidation or another law passed to rectify this loophole, since, as the TSA points out, “court reviews would destroy the watch lists and lead to another hijacking like 9/11”.