I had a passing interest over the past few weeks in the MIT students who were planning to present their research into the flaws associated with the Boston “T”’s transit card that make it possible for someone to “hack” the system. It was disappointing to see the response of the transit authority, filing a lawsuit to try to block release of the information, as opposed to actively working to eliminate the flaws in the system. This is especially disappointing in light of the fact that the transit authority had advance notice of the vulnerabilities in the system and of the presentation and waited until the last minute to sue to block the release.
Bruce Schneier, commenting in Wired, argues that “Full Disclosure” is the only real motivation for companies and groups to fix their vulnerabilities as opposed to trying to force secrecy on all those who discover them. As an avid techie, I fully believe that it is only full disclosure that makes software and security systems stronger. The only incentive companies have is the fear of losing customers and the liability that might exist should it be clear that the company knew that the vulnerability existed but instead decided to ignore it. Full disclosure makes it clear to everyone that the vulnerability exists, preventing the responsible party from hiding or shirking their duty to plug the hole. His historical write-up makes it clear that only fully disclosing the vulnerability spurs action; otherwise denials and complaints about potential losses abound.
And as Bruce notes, “[t]he Dutch court got it exactly right when it wrote: ‘Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings.'”