In a quick post reflecting on Chris Wysopal’s commentary related to an article from our friends at Veracode, I would agree that their security model was flawed, but perhaps disagree from a business perspective with MBTA’s decision to attempt to silence the three MIT students exposing a gaping security flaw.
As Chris stated in his own article, “…Doesn’t this seem backwards to you? Shouldn’t the MBTA be suing the vendor who sold them the flawed system? Security problems go away by mandating independent security testing before a product is accepted, not by trying to get security researchers to be quiet. This is a good example of how the reactive approach doesn’t work. The flaws are still in the system and suing researchers has just shined a bright light on them…” - Unfortunately, in a typical bean-counter response to a threat to the profit model, this comes down to protecting an expensive investment, and in a free market economy the investment many times wins over blatant, slap-you-in-the-face logic.
Although to the observer it makes more sense to attack the source of the problem, profits reside in the path of the easiest hill to overcome. I would speculate that it was determined the three MIT researchers were the less likely candidates to put up any relevant fight, meaning less long-term expense in costly litigation as opposed to a well-funded vendor who would be adamant and ferocious about protecting their own bottom line. This means that from a budget perspective, the corporation will traditionally move towards the least-cost initiative, counting on their shark-like aggressiveness to pay off - they didn’t count on the MIT students being resilient, spiny blowfish… ouch.
If MBTA had pulled this off, it could have bought them some time to either bury the issue further or devise a way to correct their product and business model with as little impact on their ROI as possible. Fortunately for the rest of us, MBTA went about the execution of their argument all wrong and single-handedly undermined the security-through-obscurity model by actually attracting more attention to the issue at hand.
Sometimes, money gets in the way of clear thinking. MBTA had a chance to become a leader amongst the clientele of the vendor utilizing this technology by challenging them in court, armed with irrefutable proof of concept that the security of their licensed technology was readily capable of compromise by anyone with a little thought and know-how. Logic would have suggested that they could have utilized the group’s research in a significant suit that would have forced a change at the source. They failed to capitalize on this option and in doing so have lost industry credibility and money, and have set the stage for further inquiry and litigation against them from watchdogs and government.
MBTA won’t be quick to express their concerns to the public, and it shows here and here, where no mention is made of any negative issues, the ongoing suit or any awareness campaigns on the security of their product.
Cool!