MBTA flaw disclosure: The students speak up

Zack Anderson, one of three MIT students who successfully exploited flaws in the Massachusetts transit authority's ticketing system, says they were right to disclose the problem, but that miscommunication was an issue.

So the pushback came from someone above the person you met with?

Yeah, and I think there was also a lack of communication within the organization. We probably should have spoken directly with the person at the top rather than leaving it be with the person they ended up sending out. That might have helped us to avert some issues. Given our relationship with the person we spoke to from the MBTA and the lawsuit that followed a few days later, it's clear that something was lost in translation within the organization.

Typically in the lead-up to Black Hat and Defcon a vendor or someone else tries to block at least one presentation that's on the agenda, and the MBTA incident has re-opened the debate over responsible disclosure. What's your position?

Responsible disclosure implies you're not going to create havoc for the vendor who legitimately wants to fix the problem but doesn't necessarily have the time. You want to give the vendor some time. In our case we gave them a little time but probably not enough for the fixes they needed to do. But the key point for us was that in our presentation we were going to leave out a few major details so someone couldn't go defraud the MBTA. On that basis, we felt that what we were doing was responsible disclosure. The key is to maintain a level of trust from the beginning and I think that's where it went wrong for us.

Now that the gag order has been lifted, what's the status? Are they trying to fix the problem?

I think they do want to fix it. Now that it's public I think they have to. That's one of the things disclosure does. It forces a vendor to acknowledge and fix problems they really should fix.

What's your advice to other researchers so that they might be able to avoid the situation you found yourself in?

One key point is that you need to maintain a trust relationship with the vendor from the beginning. Contacting the vendor before even a vague public mention is pretty important. You want to speak to someone at the top. The bottom-up approach is not good because you can speak to someone who is fine with what you're showing them and will sign off on it, but that doesn't mean everyone's going to be fine with it. So you really need to speak with someone at the top.
