I attended DefCon 16 this year. A presentation by three MIT students, Zack Anderson, RJ Ryan, and Alessandro Chiesa, on the last day of the conference was stopped by a federal court judge. The order is here, and more details can be found here. The slides for their presentation had already been published on the Defcon CD that is distributed to all attendees.
Defcon issued a Twitter notification to all attendees immediately this morning to disseminate the news. The EFF, in their scheduled time slot, preempted what they had originally been presenting to first discuss this in a press release. The EFF will be representing the students. What disappointed me the most, and the main reason I am blogging this, was that during the press release it was revealed that the students did everything right. They had met with the Massachusetts Bay Transportation Authority (MBTA) at its convenience prior to Defcon and discussed the vulnerability in detail with them. The impression was that the meeting was friendly, went well, and there were no issues. Then on Friday and Saturday (the presentation was to be on Sunday), the MBTA managed to secure a temporary restraining order at the last minute. This makes me sad. It suggests that properly informing companies of a vulnerability before releasing the details may not be the right thing to do. Researchers in the future may very well look at this example and decide to just publish without bothering to inform companies. Everyone needs to play by the rules for responsible disclosure to work.
Vulnerabilities such as these are not new either. There was a presentation at Blackhat last week as well. The company Mifare chooses to try to cover these vulnerabilities up and stop them from being published rather than fix the issues and learn to design secure software.
