Threatening Lawsuit, HBGary Federal Intimidates Aaron Barr Out of DEFCON Panel - TheloniusPhunk
http://threatpost.com/en_us/blogs/lawsuit-threat-pushes-former-hbgary-federal-ceo-out-defcon-072711

======
jxcole
I find this one the most worrying:

"In 2008, the Massachusetts Bay Transportation Authority (MBTA) obtained a
temporary restraining order to prevent a talk at DEFCON by three MIT students
who had uncovered physical and logical security holes in MBTA infrastructure."

I mean, the IOS guy worked for IOS, so he was divulging information that Cisco
paid him to obtain. HBGary paid Aaron Barr to research anonymous, so they have
a case for him doing the same thing. However, what kind of case could MBTA
possibly have against some kids who found problems with their infrastructure?
I fail to see how such an injunction was anything but unconstitutional.

~~~
GHFigs
_However, what kind of case could MBTA possibly have against some kids who
found problems with their infrastructure?_

The flaws they found allowed them to obtain, according to their talk's
description, "free subway rides for life", which would deprive MBTA of an
unknown amount of revenue which was rightfully theirs. They wouldn't disclose
the vulnerability when MBTA approached them, although they changed the
description of the talk to no longer imply they would explain how to get free
rides.

You can read the MBTA complaint yourself:
<http://www.universalhub.com/images/2008/mbtamit.pdf>

~~~
famousactress
Really? I thumbed through the complaint (thanks for the link), but I'm still
really disturbed by this. It's presumably illegal to help yourself to free
subway rides. The law protects the MBTA. How is it a crime to talk about how
it could be done? The talk wouldn't deprive the MBTA of any revenue.. the
application of information in the talk by third parties committing illegal
acts would. It's akin to giving a talk on lock-picking, no?

------
rdl
I believe this falls into "doing it wrong".

Backing out because they _threaten_ to file an injunction is to capitulate too
soon. You're supposed to keep going until/unless they actually get an
injunction, and then challenge it (plus, civil lawsuit for loss of income due
to the injunction once it's rescinded).

BlackHat/BSidesLV/DEFCON is going to be really interesting this year, for a
change.

~~~
timwiseman
_You're supposed to keep going until/unless they actually get an injunction_

I do not know if you have ever been involved in a lawsuit, but they can be
enormously time consuming and very expensive. In short, even if you are in the
right they can play absolute havoc with your life.

~~~
rdl
I think he's already past the point of deciding whether he'll be involved in a
lawsuit or not -- holding out to force them to get a court order to bar the
talk wouldn't make that materially worse.

I agree in a lot of cases about (especially individuals, especially people who
aren't very wealthy) backing down from legal challenges, even if they have a
good chance to ultimately prevail, due to the cost.

For a startup, getting involved in a major lawsuit can be a huge distraction
too -- so even if the startup wins the lawsuit, the company is still
stunted and dies.

------
djb_hackernews
Why would DEFCON want Aaron Barr on any sort of panel? The guy is at best a
hack of a security professional and at worst a complete idiot of a slime ball
who doesn't understand the first thing about technology.

~~~
jbooth
It's sort of like staring at a car wreck as you pass by. Doesn't mean you
approve of car wrecks or are glad they happen, but you can't help it.

~~~
artmageddon
I'm not at all a computer security professional (considering getting into the
field, though) but I can't help but wonder if this mars DEFCON's image by
having this guy there.

I see your car accident analogy, but Aaron's probably accepting money to be on
the panel. Why should they pay him when they know his reputation is tarnished?

------
pnathan
Kinda reminds me of this:

[http://news.infracritical.com/pipermail/scadasec/2011-May/01...](http://news.infracritical.com/pipermail/scadasec/2011-May/019934.html)

the more I see in the security world, the more I think full disclosure is the
only responsible way to work towards a more secure system.

~~~
16s
What geeks think of as "full disclosure" is thought of as "cyber crime" or
"cyber terror" by some companies and agencies. Things have changed a lot in
the last five or ten years.

So, be cautious and get legal advice if you do decide to disclose anything,
and understand that while geeks mainly just want to share what they found and
help fix it, others may accuse you of being a criminal, or worse, a
terrorist if you do that.

~~~
pnathan
_How_ is information a crime if you're not in the government service?

No, seriously!
