The EFF yesterday filed a letter from a number of academic security
researchers urging the judge in the MIT "Charlie Card" case to reverse
the restraining order. It can be found on the EFF's case page, at
http://www.eff.org/cases/mbta-v-anderson/
As a security researcher (and one of the signers of the letter to the
judge), I was particularly struck by the ironic -- and very unfortunate
-- message that the court order sends to our community: it's safer to
irresponsibly blindside users and vendors by publishing about
vulnerabilities without warning them first (thus denying them the
opportunity to seek a pre-publication gag order).
Surely that's not what the court or the MBTA seek to encourage here.
I blog a bit more about this at
http://www.crypto.com/blog/security_through_restraining_orders/
-matt
On Aug 13, 2008, at 3:58, David Farber wrote:
clipped from Steve Bellovin blog --
The MBTA versus (Student) Security Researchers
12 August 2008
As I'm sure many of you have heard, the MBTA (Massachusetts Bay
Transportation Authority) has a very insecure fare payment system.
Some students at MIT, working under the supervision of Ron Rivest —
yes, that Ron Rivest, the "R" in RSA — found many flaws and planned
a presentation at DEFCON on it. The MBTA sought and received an
injunction barring the presentation, but not only were the slides
already distributed, the MBTA's court filing included a confidential
report prepared by the students with more details than were in the
talk...
The Electronic Frontier Foundation is appealing the judge's order,
and rightly so. Not only is this sort of prior restraint blatantly
unconstitutional, it's bad public policy: we need this sort of
security research to help us build better systems. I and a number of
other computer scientists have signed a letter supporting the
appeal. You can find the complete EFF web page on the case here.
djf --- Here's the letter:
http://www.eff.org/files/filenode/MBTA_v_Anderson/letter081208.pdf
The rest of the case files are here:
http://www.eff.org/cases/mbta-v-anderson