The annual Defcon computer security conference might be relabeled as the Woodstock of corporate paranoia.
It seems like almost every year one or more academic researchers get in trouble with the law for presenting a paper that corporations contend will result in security breaches that will bring on Armageddon. A few days ago, a U.S. District Court in Massachusetts issued an injunction to prevent three MIT students from presenting “Anatomy of a Subway Hack” at Defcon in Las Vegas, a chronicle of how the students demonstrated numerous vulnerabilities in the Boston subway system that would enable, for instance, someone to change a $1.25 fare card to one worth $100.
The students notified the Massachusetts Bay Transportation Authority of their intention to present the paper (from Wired), and authority officials hit the panic button. What came next was just as predictable. By the time the injunction was issued, the offending PowerPoint presentations had already been distributed to conference attendees and were already up on the Internet.
The whole world could check whether the work of these MIT pointy heads could match the craft of Olympic gold medalists from Bulgaria, Moldavia and other former Soviet satellites where the economies seem to run on hacking in the same way that Humboldt County in northern California depends on a certain monoculture.
There is a better way. Known as the Johnson & Johnson defense in professional football (or in Tylenol marketing), the best riposte for the authority would have been to publish the presentation on its Web site, save lawyer costs (allowing officials to mouth perfunctory statements about keeping fares down and preventing climate change) and then hire the students who wrote the paper as security consultants. Judges, lawyers and chief executives need to take a half-day (or half-hour) course in which they are reminded that it is impossible to combat the nanopore leakiness of the Internet.