So how long is reasonable?
"What the MBTA probably wanted was just more time to evaluate the vulnerability and fix it"
This story has been kicking around for a while now. Does anyone have any knowledge of whether the MBTA has yet:
* acknowledged the vulnerability exists
* investigated ways of fixing it
* actually done anything about it?
I suspect they haven't done much other than talk to their lawyers. So if the students had felt a need to be responsible in their disclosure how long would the MBTA have wanted them to wait? A week? A month? A year? Longer?
Then there's the actual vulnerability. It's so trivial that nobody really thinks these three guys were the first, or the last, to find it independently. How often have large organisations exhibited this kind of ostrich-like behaviour when it comes to security vulnerabilities? They are just doing the corporate version of sticking their fingers in their ears and shouting "la la la la I can't hear you!" and hoping their lawyers will then frighten everyone away.
Finally, who pays? Does the MBTA get some sort of government subsidy for running the system? Do they make a profit? Are the customers going to have to pay increased fares to make up any shortfall? Of course increasing the fares would also make the hack more enticing for people with little or no money but some computer expertise (lots of teenagers).
Will any future losses, as with the music business, now be blamed upon hacking freetards?