Big Knob Radio

Big Knob Radio
This small AM/FM radio features an oversized tuning dial and a full complement of input and output jacks, allowing you to connect your CD player, iPod or other audio device. You’ll be amazed at the great sound you’ll get from this basic AM/FM three-knob radio. It’s small enough for your night table, your kitchen counter - […]

Legal flap over Defcon talk exposes divide on security flaws

A court order put a stop to a planned presentation at the Defcon hackers convention by three MIT students who found security flaws in the electronic ticketing system used by the mass transit authority in Boston. But the ruling reopened the schism in the IT security community over the issue of how vulnerabilities should be publicly disclosed.

Critics of the temporary restraining order issued last Saturday by a federal judge in Boston have labeled it an infringement of the students' First Amendment rights and an example of prior restraint on free speech. Many said such actions leave vulnerable systems open to attackers and put a chill on security research, driving legitimate researchers underground.

[ For more on Black Hat and Defcon 08, see InfoWorld's Special Report. And learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

Others, though, see the case involving the students and the Massachusetts Bay Transportation Authority (MBTA) as another example of publicity-hungry security researchers driven more by ego and the desire for fame than by any sincere interest in improving security.

The always-simmering disclosure debate boiled over again after the MBTA obtained the 10-day gag order barring the MIT undergrads — Zack Anderson, Russell "RJ" Ryan, and Alessandro Chiesa — from publicly disclosing information about the flaws in its e-ticketing system. The order was handed down the day before a scheduled Defcon session in which the students planned to detail the holes, which they say they found during independent penetration testing.

In an affidavit, the MBTA claimed that the students didn't give it sufficient information about the vulnerabilities beforehand. The transit authority added that it wasn't trying to permanently gag the students, but that it wanted some time to determine the validity and seriousness of the flaws and a course of action for addressing them.

But the Electronic Frontier Foundation (EFF), a high-tech civil rights group that is representing the three students in court, contended that the gag order was unconstitutional and wholly unnecessary. Some of the information that the students planned to present had been previously published elsewhere, the EFF noted. And, it said, the students had told the MBTA that they wouldn't release technical details that could be used to take advantage of the flaws.

Bruce Schneier, chief security technology officer at BT Group PLC, joined 10 computer science professors and researchers in signing a letter opposing the restraining order that the EFF included as part of a motion to reconsider the decision (download PDF). Schneier said this week that publicly disclosing vulnerabilities often is the only way to prod businesses to address them.

"Companies won't make [their systems] better by themselves," Schneier said. MBTA officials, he claimed, "are counting on the legal system to protect their shoddy work" on IT security.

Schneier agreed that it's good practice in general to give organizations some advance notice before publicly disclosing flaws in their systems. But, he said, it's often hard to determine exactly what might be construed as "reasonable disclosure" and what might not be.

Steven Bellovin, a computer science professor at Columbia University who also signed the letter, said it's a fallacy to assume that a security problem goes away or remains hidden from view "simply because you don't talk about it" in public.

"I'm not saying the first thing you do when you find a vulnerability is to post it on your blog," Bellovin said. "But getting injunctions against people is like saying [to them], 'If you didn't find it, this problem wouldn't exist."

As long as the students didn't plan to use what they had discovered for malicious purposes, they had every right to talk about it, asserted Jim Kirby, a senior network engineer at DataWare Services, an IT services firm in Sioux Falls, S.D. "Anyone who says otherwise is invited to read the Constitution," Kirby said, adding that the restraining order was an effort "to enforce security by obscurity."

Other critics pointed out that much of the information has already become public anyway, since slides put together by the students were included on a CD given to Defcon attendees. In fact, the MBTA this week asked the court to modify the gag order so it covered only "non-public" info. A hearing on that motion, and one by the EFF seeking a reconsideration of the restraining order, was held on Thursday by a different judge in U.S. District Court in Boston. But he declined to take any action on the motions.

On the other side of the disclosure debate, David Jordan, chief information security officer for Virginia's Arlington County, said the reasonable course of action would have been for the students to help the MBTA address the flaws before disclosing them publicly.

"When you discover major flaws in a system that society relies on, you go to the people who own the system and work with them," Jordan said "You don't stand up on a podium and say, 'Look how clever I am.'"

He added that in such cases, the goal of security researchers often seems to be to further their own agendas instead of helping others fix problems. "It's all about improving one's own self-absorbed ego," Jordan said.

The students did meet with an MBTA police officer and an FBI agent on Aug. 4 and then delivered a short report on their findings to the MBTA prior to Defcon, according to a court document filed by the EFF (download PDF).

But Gartner analyst John Pescatore said the MBTA wasn't given a reasonable amount of time before the scheduled Defcon presentation to fix the problems or develop work-arounds for them.

The intent of disclosing flaws should be to make software and systems more secure, "not to make headlines or sell tickets to security conferences," Pescatore said. In this case, he added, "the students went for publicity."

In doing so, they didn't follow well-understood principles of responsible disclosure, according to Pescatore. "Responsible vulnerability disclosure really does clean up the software equivalent of dead wood," he said. "But releasing vulnerability info for sport or publicity does not."

Computerworld is an InfoWorld affiliate.

CD Holder Pockets Mini Scrapbook
Take the CD holder pockets from last week one step further with this mini scrapbook by designer Jennifer Schmidt. Each page of the album is made from a CD pocket….

Cooley: Personal Data Concerns (Security Risks)

Cooley: Personal Data Concerns (Security Risks)
Recently, I made the decision to update to XP Service Pack 2. In hindsight, I'm not sure what compelled me to that course of action. Somebody at work (tech support call center) mentioned it, and then I recalled how I have avoided downloading it since it's release because I heard it can cause problems.

Anyway, I wake up in the morning to get ready for work, and I see a couple of error messages and I knew something was going to be screwed up. So in my haste, what's the first thing I do? Why, restart the computer of course - that way I can see as soon as possible what the new status of the machine was. Obviously, it wouldn't boot. All I had on me was a Dell XP Reinstallation CD, and after running through that it still failed to boot up.

Fast forward a bit, a friend at work said I should just bring it in and we could work on it during downtime. We took out the hard drive hooked it up with an IDE to USB cable and plugged it into his laptop. It wasn't being detected, so we took the hard drive to another guy there who had a much newer laptop, and it showed up under Disk Management, but as being unrecognized. The main goal for me was to save the data I have on there, and later try the regular Windows repair install, since I now had access to it through a co-worker.

The guy with the newer laptop had a program called Easy Recovery Pro, ran it and then I saw all of my C: folders. I was excited, and he asked if he wanted me to have him back it up to his 100 GB hard drive, and then we could try the Windows repair and worse comes to worse, we could format my original drive, reinstall a fresh Windows, and then copy over my files.

This guy seems pretty cool, the first week I was there he modded my PSP for me with CFW free of charge. So I thought, okay lets back this stuff up and see what we can do. Yesterday, after appending some Program Files directories that I also wanted to have added to the backup - we came to realize that we wouldn't be able to finish this process by the end of the work day. So I recommended that he just take my hard drive home and finish backing it up during that time. He already had half of my files on his laptop to begin with, so what's the big deal. I'm already in a compromising position (which I never have been before).

Anyway, in hindsight, it seems that I probably panicked a little too much after this unfortunate series of events began to unfold. My files were still there, and I probably could have just taken my tower and hard drive back home after that first day and said, "ok, I can back up/recover this stuff on my own." Although, only having one computer in my possession (no laptop or anything), made me feel that going through with relying on this other guy was the best option. I had this computer and hard drive since 2002, and it was my first real, decent personal computer. I have a lot of personal files on there, mainly all in the My Documents folder, but also have many Notepad files with personal information, log-ins, and then all of my favorites and cookies, etc.

Do you think I made a bad decision? Should I have just taken everything back once I saw my files there, before anything was backed up to his drive? As I said, he's a co-worker, and someone that I've been cool with, albeit have only known for a little less than a month now. I've always been super smart and cautious when it comes to security and not divulging personal stuff that I have stored on this well-worn hard drive. Now thoughts are racing through my head about my hard drive being at someone's else house for a weekend, and how even after we delete the folder that all of my hard drive is stored on within his laptop - he could still just as easily use that same recovery software to pull everything back up and I would never even know. And unless a low-level format were performed, my data would always be there somewhere forever.

I know people do this all the time, bring their computers to have data backed up and everything. But I always thought I was like a lot of you, I'd imagine - "No, I wouldn't do that. I'd just do it myself." Guaranteed to be safe and secure, the most important thing to keep in mind when dealing with personal data/information.

This is less of a technical question, and more of a request for honest opinions from people who are more well versed with these sort of situations than I am.

I'm going to be talking to the guy and be straight with him about my concern, and whether or not he looked around or grabbed anything off my drive for his own storage. But that can only accomplish so much. In the end, I guess it's better to do this sort of thing with someone you work with in the professional field, than some service with people you're paying that have no face or name.

Anyway, should I be worried the way I am? What would you recommend that I do?

Consumer Home Piracy Research Findings July 2008
It used to be that counterfeit CD and DVD media originated from overseas and found its way onto popular auction websites. But in a wake of widespread technology developments, anyone is capable of creating completely indistinguishable copies of their favorite audio CD or movie DVD. Do most people still purchase the original content, or is everyone stealing from the artists? In this article, Benchmark Reviews offers a candid look into Consumer Home Piracy as we present the Research Findings for July 2008 as provided to us by Futuresource Consulting in partnership with Macrovision.

Dymo DiscPainter Review

Dymo DiscPainter Review
Today one of our forum moderators - SIME from Gtvone.com - reviews the Dymo DiscPainter. I don’t know if I’ve told you this before, but the one thing I hate about printing a design onto a CD or DVD is just that… Printing the Design! I have not, until now, come across a convenient, quick, no […]

Real Estate Seminars Are Dog and Pony Shows
If P. T. Barnum were alive today, he would be promoting real estate seminars and hawking books and CDs on the seminar circuit. Just when you think that all the…

Study Mandarin

Study Mandarin
Learning Chinese Books & CDs

CD Bowl 1

CD Bowl 1
This craft is featured in chapter 5 of the About.com Guide to Family Crafts book.

Arts, Briefly: Allman Brothers Sue Record Company
Members of the Allman Brothers Band have sued a record company over royalties from digital downloads and CD sales.

Music and the Environment
Digital music. Is it better for the environment to buy CDs or to download music to an i-Pod or MP3 player?

CD Bowl 1

CD Bowl 1
This craft is featured in chapter 5 of the About.com Guide to Family Crafts book.

CD Gate

CD Gate
CD Gate is a stand-alone Windows CD Player.

Kansas City gets 3-2 win over Chivas USA (AP)
Claudio Lopez and Davy Arnaud each had a goal and an assist and the Kansas City Wizards beat CD Chivas USA 3-2 on Saturday night. Sasha Victorine scored his first goal in almost a year for the Wizards, who broke a three-match winless streak. Carey Talley scored two late goals for Chivas USA, which has not won in more than a month.