Let them speak – or else!

August 15, 2008
Perhaps it's the writer in me, but I view a federal judge's decision to bar three MIT students from presenting research findings at the recent Defcon convention as a huge problem.

Not just from a free speech perspective, although, given that whole U.S. Constitution thing, that standpoint is a pretty darn valid one.

But what really grinds my gears - have I been watching too much Family Guy? - is what this ruling might mean for security research in academia going forward.

As would have been clearly evidenced by the students' talk - in which they planned to detail ways to hack into Boston's subway payment system to enable free rides for life - there is some outstanding work coming out of colleges and universities across the world, specifically related to security vulnerabilities.

Time and time again, we have written stories about remarkable discoveries made by undergrads, graduates or Ph.D. students. Remember the cold-boot memory attack?

All too often, though, the legal community doesn't see the benefits that those in the security community surely do. Judges and prosecutors assume that when a band of T-shirt wearing, long-haired youths (OK, I'm massively generalizing here) get together at some hacker con to talk, it must mean they're up to no good - and want more bad people to learn about it.

That couldn't be any further from the truth. Talks like the one dropped from the Defcon bill last weekend actually do the opposite. They get people thinking about security, especially agencies like the Massachusetts Bay Transportation Authority, which decided to think novelty first, security second - or third, or fourth...well you get the idea...when it designed its CharlieCard subway passes.

Yet the MBTA, instead of thanking the students for their research and hopping on the Neon Express to Vegas, filed a motion for an injunction. Great.

And the judge agreed. Now, it's difficult to say whether the judge, when making his decision, realized that the students weren't planning on giving away the hack blueprint - just some interesting observations. But that lack of technical awareness within the judicial community is another matter entirely.

What we should be especially concerned about is that, in this era of black markets, where folks like Dan Kaminsky could have netted hundreds of thousands for his DNS design bug, these discoveries could result in monster paydays.

But if you saw Kaminsky running around the Caesars Palace convention center in Vegas, you could tell he was more than happy to be Black Hat's version of Brad Pitt for the week.

These MIT students weren't looking to make any cash on this discovery, either. They felt rewarded enough by getting an "A" from their professor and, barely old enough to gamble, addressing an audience in Vegas.

Not everyone will feel that way. Most will want to break the bank, much like the MIT students' classmates had done years earlier at the blackjack tables.

So let's not do anything to discourage the good people, while we still have them.
