
Massachusetts Sues to Halt Defcon Subway Hacking Talk

timothy posted more than 5 years ago | from the this-has-not-been-cleared-with-upstairs dept.

Censorship 270

According to CNET, "The state of Massachusetts has asked a federal judge for a temporary restraining order preventing three MIT students from giving a presentation on Sunday about hacking smartcards used in the Boston subway system." It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas. Update: 08/09 20:57 GMT by T : "Too late," says reader Bluey: "Injunction was already granted."


270 comments

oh good... let's all bury our heads... (4, Insightful)

pha7boy (1242512) | more than 5 years ago | (#24538821)

rather than make sure they have a techie in attendance so that they may learn something and find a workaround for the issue, Boston's lawyers suggested that burying your head in the sand (or, alternatively, in the piles of garbage and crap in Boston) will solve the issue just as well. "As long as we don't let them say it publicly, it does not exist" one Boston official explained the position.

this is why I love government bureaucrats. They tend to be smarter than the average bear.

Re:oh good... let's all bury our heads... (3, Funny)

MindlessAutomata (1282944) | more than 5 years ago | (#24538899)

this is why I love government bureaucrats. They tend to be smarter than the average bear.

I was with you until right around... there.

Re:oh good... let's all bury our heads... (5, Funny)

Mix+Master+Nixon (1018716) | more than 5 years ago | (#24538913)

Boston is merely afraid that this information will end up in Lunar hands. Entirely reasonable given that city's sad recent history.

ROFLOLOL!!111 +5 Funny? Moderators on crack again (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24539219)

That is so fucking hilarious. Oh wait, actually, no it isn't. Lunar hands? You're modding up a nutjob who thinks there are inhabitants of the moon now?

Re:ROFLOLOL!!111 +5 Funny? Moderators on crack aga (0)

Anonymous Coward | more than 5 years ago | (#24539267)

How can you expect him to remember that Boston banned viewing of ATHF so no one from Boston would get that joke?

Re:oh good... let's all bury our heads... (1)

Buran (150348) | more than 5 years ago | (#24539513)

No, they're just lunatics. Nothing lives on the Moon, but that doesn't mean the Moon isn't going to their heads.

Re:oh good... let's all bury our heads... (5, Interesting)

CastrTroy (595695) | more than 5 years ago | (#24538919)

What I want to know is how a system like this is even possible. Why should the value available on a smart card actually be something that can be changed by the person holding the card. Shouldn't the card just have an ID, and that ID is tied to an account, which is tied to a person. Maybe put the amount on the card, so the bus doesn't have to call home every time someone steps on a bus, but at least keep all transactions in a database so they can check for fraud after the fact. It seems like the way they have it set up, would be the equivalent of having your bank account balance completely controllable by modifying the information on your bank card. Even retail stores have this figured out so that their gift cards only hold a number, and the actual value on the card is stored in some computer database.

Re:oh good... let's all bury our heads... (4, Insightful)

langelgjm (860756) | more than 5 years ago | (#24539089)

Maybe put the amount on the card, so the bus doesn't have to call home every time someone steps on a bus, but at least keep all transactions in a database so they can check for fraud after the fact.

I think you hit the nail on the head with this. I don't know about the Charlie card system, but the issue with many transit cards is that it's difficult or impossible for moving vehicles to always be able to check in with the network database to determine the value of an account. So the account value has to be stored on the card.

This is exactly like storing the value of your ATM or gift card on the card itself. But with ATMs and gift cards, the terminal where you use them is always going to have network access (or if it doesn't you probably won't be able to use the card).

Of course, even just storing an account number or identifier on a card doesn't make it fraud-proof. Magstripe cards are trivially easy to re-encode with only a few dollars worth of equipment. Copying these can mean defeating physical access systems, being able to use someone else's gift card balance, or worse.

Re:oh good... let's all bury our heads... (2, Informative)

dgatwood (11270) | more than 5 years ago | (#24539323)

I think you hit the nail on the head with this. I don't know about the Charlie card system, but the issue with many transit cards is that it's difficult or impossible for moving vehicles to always be able to check in with the network database to determine the value of an account. So the account value has to be stored on the card.

That's a pretty weak argument. All you need is a laptop with a cellular data connection. If you really have places where you can't get a cell signal, get the cell company to add a picocell at the bus stops or add a Wi-Fi hot spot. Odds are you won't have to add too many of them in any major metro area.

Of course, even just storing an account number or identifier on a card doesn't make it fraud-proof. Magstripe cards are trivially easy to re-encode with only a few dollars worth of equipment. Copying these can mean defeating physical access systems, being able to use someone else's gift card balance, or worse.

If you have access to somebody else's card, yes. Otherwise, if you are able to steal access, your number space is too small. Use a 256-bit number (or 1024-bit if you're really paranoid) and ensure that new numbers are assigned randomly within that space so that your odds of picking a valid number are remarkably close to zero.

Re:oh good... let's all bury our heads... (4, Insightful)

langelgjm (860756) | more than 5 years ago | (#24539441)

That's a pretty weak argument. All you need is a laptop with a cellular data connection. If you really have places where you can't get a cell signal, get the cell company to add a picocell at the bus stops or add a Wi-Fi hot spot. Odds are you won't have to add too many of them in any major metro area.

Well, I'm not the one making the argument, I'm just going by what I see being implemented in transit systems. Storing the value on the card means fast retrieval and processing, and no reliance on a network. What if the data link drops for some reason? What if it takes longer than usual to connect? Transit systems have schedules to keep (ideally!).

Furthermore, it's easy to say "get the cell company to add a picocell at the bus stops", but it's not as if a transit system can simply mandate that it be done. Who's going to pay for it? And at what point does the expense of ensuring reliable network connectivity become greater than simply expecting a certain percentage of fraud? After all, this is a transit system we're talking about, not a bank.

If you have access to somebody else's card, yes. Otherwise, if you are able to steal access, your number space is too small. Use a 256-bit number (or 1024-bit if you're really paranoid) and ensure that new numbers are assigned randomly within that space so that your odds of picking a valid number are remarkably close to zero.

I know. That's why I talked about copying. Plus, given that with things like gift cards, the identifier is often written on the card itself, sometimes you don't even need to have a card reader to get the information. Or, you have security leaks. When I was an undergrad, the University of Maryland inadvertently exposed the ID numbers of the entire university population through its LDAP entries. Those same IDs were used as identifiers on the magstripe cards that gave building access, and dining hall access.

Re:oh good... let's all bury our heads... (0)

Anonymous Coward | more than 5 years ago | (#24539827)

if access to the network is not always available then why not just keep a copy of all transit card information on each train and just phone home once a day or when access to the network becomes available?

Re:oh good... let's all bury our heads... (1)

Firehed (942385) | more than 5 years ago | (#24539779)

get the cell company to add a picocell at the bus stops

I doubt it's that simple, or else you'd find far fewer people bitching about not getting cell signal at home.

Alternately: where the hell can I get one?

Re:oh good... let's all bury our heads... (1)

mpe (36238) | more than 5 years ago | (#24539465)

I don't know about the Charlie card system, but the issue with many transit cards is that it's difficult or impossible for moving vehicles to always be able to check in with the network database to determine the value of an account.

It's just as well that people typically only get on and off buses which are stopped :) With trains there are often ticket operated barriers which never move.

Re:oh good... let's all bury our heads... (4, Interesting)

Jah-Wren Ryel (80510) | more than 5 years ago | (#24539181)

Why should the value available on a smart card actually be something that can be changed by the person holding the card. Shouldn't the card just have an ID, and that ID is tied to an account, which is tied to a person.

With a correct implementation - that uses good cryptography - it is quite possible to have secure stored value cards. One upside to stored value cards, especially to slashdot readers, is that they help to protect our right to travel because they can be just as anonymous as cash.

Re:oh good... let's all bury our heads... (3, Insightful)

mpe (36238) | more than 5 years ago | (#24539637)

With a correct implementation - that uses good cryptography - it is quite possible to have secure stored value cards.

However good the cryptography, such a card would be vulnerable to a "known plaintext" attack, since an attacker can see how the encrypted information changes as they alter the value of the card and compare several with the same value.
To make things easier these systems tend to use proprietary cryptography which equates to very poor cryptography. In the case of Mifare Classic this was described by Bruce Schneier as "kindergarten cryptography". Maybe they'd have done better to use something like the "Vigenere Cipher" which was at least considered unbreakable for 300 years.

Re:oh good... let's all bury our heads... (2, Insightful)

cobaltnova (1188515) | more than 5 years ago | (#24539785)

What exactly is the scheme you are envisioning? If the bus system is not reporting usage information, the value can be read off the card, and the value on the card can be changed, I see an unpatchable security hole.

Purchase a single card, with $10 on it. Record the stored value, use the card, and then restore the old value. Voilà. Broken card.

However, if the card could be made to increment a counter every time it was adjusted (in such a way that could not be undone) and each card had an immutable card ID, there would seem to be an effective solution: store the value on the card, and a hash of the value, a common secret, the counter, and the immutable ID. If there isn't a hash collision, you'd have a safe system.

Such a counter could be produced by an unerasable section of the card (akin to punching holes in a sheet of paper). To be useful, though, the card would have to allow many such "holes" to be punched. I know nothing about card technology; is there such a method? How is that effected?
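
The scheme sketched in the comment above, modelled as an added example that is not part of the original thread: the card's rewritable area holds a value and a tag computed over the immutable ID, a one-way counter and the value, and a reader rejects a restored snapshot because the counter has moved on. It uses HMAC-SHA256 in place of the bare hash the comment mentions; the `Card` class, function names, secret and card IDs are all hypothetical and constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo key; stands in for the "common secret" held by every reader.
SYSTEM_SECRET = b"constructed-demo-secret"


class Card:
    """Toy card: uid is immutable, counter only goes up, value and tag are rewritable."""

    def __init__(self, uid: bytes):
        self._uid = uid
        self._counter = 0
        self.value_cents = 0   # rewritable by anyone holding a card writer
        self.tag = b""         # rewritable by anyone holding a card writer

    @property
    def uid(self) -> bytes:
        return self._uid

    @property
    def counter(self) -> int:
        return self._counter

    def bump_counter(self) -> int:
        # Models the "punched hole": the only operation is increment.
        self._counter += 1
        return self._counter


def compute_tag(secret: bytes, uid: bytes, counter: int, value_cents: int) -> bytes:
    # Length-prefix the uid so field boundaries are unambiguous.
    msg = struct.pack(">H", len(uid)) + uid + struct.pack(">QQ", counter, value_cents)
    return hmac.new(secret, msg, hashlib.sha256).digest()


def write_value(card: Card, value_cents: int, secret: bytes = SYSTEM_SECRET) -> None:
    # Every legitimate write advances the counter before the new tag is made.
    counter = card.bump_counter()
    card.value_cents = value_cents
    card.tag = compute_tag(secret, card.uid, counter, value_cents)


def verify(card: Card, secret: bytes = SYSTEM_SECRET) -> bool:
    expected = compute_tag(secret, card.uid, card.counter, card.value_cents)
    return hmac.compare_digest(expected, card.tag)


def debit(card: Card, fare_cents: int, secret: bytes = SYSTEM_SECRET) -> str:
    if not verify(card, secret):
        return "reject: bad tag"
    if card.value_cents < fare_cents:
        return "reject: insufficient value"
    write_value(card, card.value_cents - fare_cents, secret)
    return "ok"


def demo():
    card = Card(uid=b"\x04\xa1\xb2\xc3")          # constructed ID
    write_value(card, 1000)                       # issue with $10.00
    snapshot = (card.value_cents, card.tag)       # copy of the rewritable area

    first = debit(card, 200)                      # normal fare

    # Rewritable area put back to the snapshot; the counter cannot be put back.
    card.value_cents, card.tag = snapshot
    second = debit(card, 200)

    # Same snapshot written to a card with a different immutable ID.
    other = Card(uid=b"\x04\xdd\xee\xff")         # constructed ID
    other.value_cents, other.tag = snapshot
    third = debit(other, 200)
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

The check holds only while the counter and ID really are unchangeable on the card and the shared secret stays out of reach; one key in every reader means one extracted key breaks every card.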

Re:oh good... let's all bury our heads... (2, Insightful)

RossumsChild (941873) | more than 5 years ago | (#24539329)

Right, because my idea of a perfect society is one where I can't use the damn transit system unless I want to give up any shred of privacy about my destination, travel habits, and location.

Re:oh good... let's all bury our heads... (5, Insightful)

cayenne8 (626475) | more than 5 years ago | (#24539595)

"Right, because my idea of a perfect society is one where I can't use the damn transit system unless I want to give up any shred of privacy about my destination, travel habits, and location."

Well, that does seem to be the goal of the US govt. at this point. The RealID (national id) alone seems to be a huge step in that direction. They aren't gonna let you travel without one soon...within the US even.

Re:oh good... let's all bury our heads... (4, Insightful)

mpe (36238) | more than 5 years ago | (#24539387)

What I want to know is how a system like this is even possible. Why should the value available on a smart card actually be something that can be changed by the person holding the card.

Because the people designing these systems don't know what they are doing. This doesn't just apply to RFID systems. There was a case recently involving a magnetic strip card which could be "cloned" by using nothing more sophisticated than scissors/knife together with sticky tape/glue.

Shouldn't the card just have an ID, and that ID is tied to an account, which is tied to a person.

Unless it's intended to also use the system to track specific individuals then you don't need any such tying. Just a method of ensuring that every ticket has a unique ID. That only one instance of a ticket with a given ID is in use at any time in the system and that a "never issued ID" or one reported lost/stolen cannot be used.

Maybe put the amount on the card, so the bus doesn't have to call home every time someone steps on a bus, but at least keep all transactions in a database so they can check for fraud after the fact.

A bus might well "call home" periodically anyway, for such things as uploading its position/CCTV footage/etc.; at this point it can check the tickets which have recently been used, if it isn't possible to operate a data link all the time.

It seems like the way they have it set up, would be the equivalent of having your bank account balance completely controllable by modifying the information on your bank card.

IIRC at one time it was possible to get around withdrawal limits by modifying/cloning cards since they used a read/write area to record this information on the card. So as to enable offline/batch operation of machines.

Even retail stores have this figured out so that their gift cards only hold a number, and the actual value on the card is stored in some computer database.

Probably only as a consequence of being exploited though :)

Re:oh good... let's all bury our heads... (0)

Anonymous Coward | more than 5 years ago | (#24539657)

Shouldn't the card just have an ID, and that ID is tied to an account, which is tied to a person...

Smart cards replaced tokens, and there are people like me who use the T once or twice a year. I don't need an account.

Re:oh good... let's all bury our heads... (1)

keithjr (1091829) | more than 5 years ago | (#24539677)

I thought about it myself when they first implemented it. The point of the CharlieCard is that it allows one to quickly board trains and buses at any point. Thus, if the card simply stored a pointer to the account, all the buses in town would have to be wirelessly networked to perform a lookup on the account, and the subsequent deduction if a fare is taken.

I guess that was a little too hard to implement, so they went with the simple solution of making the RFID chip read-writable and storing the data locally. The MBTA is ridiculously strapped for cash, so an expensive networking solution that would not make them any more money didn't appear to be worthwhile.

Re:oh good... let's all bury our heads... (3, Insightful)

Stan92057 (737634) | more than 5 years ago | (#24538979)

How is this burying their heads in the sand? There is a known problem, and they don't want criminals to abuse this problem until it's fixed. Releasing exploits without it being fixed is irresponsible, period, end of story. I am sure 99% of the people here disagree with me, but after years of seeing exploits released to the public only to have criminals take advantage of these exploits. Why should they try to figure out these exploits when Black Hats do it for them time and time again? And another thing, what makes everyone think they want or need help fixing the exploit from the public?

Is MBTA actually going to do anything? (4, Insightful)

langelgjm (860756) | more than 5 years ago | (#24539031)

Is MBTA actually going to get the card system provider to fix the problem? Because from what I've seen, you'll have a hard time even getting the department and the contractor to admit that the problem exists. And even if they do admit it, is the solution going to be any more than "it's unlikely people will exploit this"?

That sort of attitude seems to be how Maryland feels about its AccuVote TS voting machines. Three independent reviews have all revealed flaws with them, but we're still using them, despite the fact that those flaws essentially mean that the contractor has violated its agreement with the State.

Furthermore, I doubt much criminal activity is going to result from releasing the information. Only a few people are going to have the time and patience to actually follow the exploit through, and if the system is well-designed (though apparently it may not be), modifying card data shouldn't be able to damage or disrupt the system.

Re:Is MBTA actually going to do anything? (2, Insightful)

Anonymous Coward | more than 5 years ago | (#24539325)

One of the problems is that the MBTA is losing money like crazy, in spite of vastly increased ridership because of gasoline prices. They can't afford to do basic mechanical maintenance and now they have to redo their smart card system too!? Of course one could argue that it would save them money in the long run, but only if people took advantage of this flaw.

As for the database system someone suggested, that would be expensive to implement and administer, and (worst of all) would mean that people would be waiting precious seconds for the transaction to go through while they can see and hear trains arriving and leaving. People are usually in a hurry when they enter the subway station, and I know from experience that that is a stressful moment. If the system had downtime, people's tension levels would skyrocket.
Let's NOT do it that way.

Re:oh good... let's all bury our heads... (2, Insightful)

Vukovar (1203574) | more than 5 years ago | (#24539069)

No one wants to admit there is an inherent flaw in their design no less expend the resources on fixing it if they don't have to. It's the Ford Pinto analogy - we'd rather pay out the lawsuits for the deaths as opposed to what it would cost to correct the problem. If a handful of people hack their cards, they're willing to lose that revenue as opposed to fixing the problem. Making it public forces their hand and a third party doing it should help push them to fix it. If they find their own flaw, corporate greed kicks in - why fix it if only they know about it??

Re:oh good... let's all bury our heads... (1, Troll)

Original Replica (908688) | more than 5 years ago | (#24539139)

rather than make sure they have a techie in attendance so that they may learn something and find a workaround for the issue, Boston's lawyers suggested that burying your head in the sand

Remember, it's Boston: the city that is terrified of Cartoon Network. [forbes.com] The city that went $8.6 billion over budget on "The Big Dig" which should have cost $6 billion, and it's a piece of crap. [wikipedia.org] Did you really expect competence from that government?

Re:oh good... let's all bury our heads... (0)

Anonymous Coward | more than 5 years ago | (#24539879)

While we're at it, we might as well throw down the thing about the MBTA having multiple train crashes on the same subway line a few months ago.

Sadly, when I Googled for a link [google.com] I got a whole bunch of articles related to derailments I wasn't actually referring to, including a "traffic page" that does nothing but track MBTA derailments to let commuters know which routes to avoid.

Really! [examiner.com]

Re:oh good... let's all bury our heads... (3, Informative)

cayenne8 (626475) | more than 5 years ago | (#24539563)

Not to mention, this should be an open and shut freedom of speech issue. I mean, you can publish how to make a silenced weapon, probably even how to make a nuclear device...how to assassinate someone even, things which are illegal to do for real in meatspace, but, printing HOW to do it so far, has been ruled as free speech.

I'd think giving a talk about it would be a slam dunk. If they rule against this, then it is really scary that our first amendment is gonna be in jeopardy. So far...describing how to do many things without inciting anyone to do it..has been protected speech.

Frist Amendment (4, Insightful)

Mordok-DestroyerOfWo (1000167) | more than 5 years ago | (#24538825)

Who needs free speech anyway?

Re:Frist Amendment (4, Funny)

thermian (1267986) | more than 5 years ago | (#24538877)

Who needs free speech anyway?

I can't say.

Re:Frist Amendment (0, Troll)

Stan92057 (737634) | more than 5 years ago | (#24539039)

What does free speech have to do with releasing software that will help people steal from the transit system? It sounds criminal to me, assisting people to steal.

Re:Frist Amendment (4, Insightful)

langelgjm (860756) | more than 5 years ago | (#24539251)

What does free speech have to do with releasing software that will help people steal from the transit system? It sounds criminal to me, assisting people to steal.

Right... because clearly that's what the MIT students are trying to do. Help people steal. That was their plan all along...

It couldn't have anything to do with revealing flaws in RFID-based transit card systems that are being increasingly adopted by state and local governments all across the nation, and for that matter, the world. It couldn't have anything to do with shaming a government agency into actually getting on the ball and working with its contractor to improve security of its system. It couldn't have anything to do with plain and simply academic curiosity.

What's it got to do with free speech? Maybe that we think they ought to have the freedom to not only do the work they've done, but talk about it as well?

Re:Frist Amendment (1)

Stan92057 (737634) | more than 5 years ago | (#24539629)

I think revealing flaws is one thing, providing tools to help exploit a flaw is quite another. Shaming? That's not helping in any way except the egos of the MIT students.

Re:Frist Amendment (2, Insightful)

Anonymous Coward | more than 5 years ago | (#24539665)

Personally, seeing the direction that the govt. is headed, I really don't care if they choose to put their heads in the sand. It means free trips for anyone savvy enough (or with friends in the right places) to crack their pathetic systems. Not to rant on about how America is turning into a police state, but if I can hack my RealID or whatever bullshit congress dreams up next, and they refuse to believe it can be hacked, then they don't DESERVE to know about security flaws.

Re:Frist Amendment (4, Interesting)

sabre86 (730704) | more than 5 years ago | (#24539379)

What does free speech have to do with releasing software that will help people steal from the transit system? It sounds criminal to me, assisting people to steal.

Everything. Perhaps because software, and more relevantly, the presentation, is expression and thus protected under the First Amendment? In a free society where participants are expected to take responsibility for both their own actions and the governance of that society, denying an individual information limits his freedom --knowledge really is power and thus important to freedom -- and destroys his ability to make good governing decisions. For any of us to actually be free, society has to make the fundamental assumption that the average individual will not use the powers given to them to commit criminal acts. You seem to be assuming the opposite. Even if you consider it from a "need to know" point of view (and you shouldn't): both the people who buy into this transportation system and the shareholders of the system, who I understand to be the public, have a right to know the strengths and weaknesses of this system. So they -- we -- the public, have a need to know this information to make the best decisions they can about this system. In fact, we the public have a need to know all things that occur in government, in government contracts and in the public life.

Also, I think you're a bit confused on what "assisting" means. There has to be stealing going on for anybody to be assisting in it, and I've seen no evidence that there is. By what I infer your definition of assisting to be: "providing any tool or information used to complete a task" then other things that should sound criminal to you include (but aren't limited to): providing a drunk driver with alcohol (before he was driving), selling a gun, knife, baseball bat, pencil or anything else to someone who then uses it in a violent crime, teaching anyone any sort of OS or computer security theory (if the students are criminal for providing the information to criminally hack the system, is the professor not criminal for assisting the "criminal" students by providing them with information needed to discover the hack?), etc, etc, etc.

Re:Frist Amendment (2, Interesting)

keithjr (1091829) | more than 5 years ago | (#24539723)

I'm against this gag order, but the case about First Amendment rights seems to be weak. Under your argument, it would be fine if I posted your Social Security and credit card numbers on the internet, as long as I'm not the one stealing anything from your accounts.

What I want to know is why these students didn't give a presentation to the MBTA itself or the MA state government. Seems like they're willing to pay attention.

Re:Frist Amendment (4, Insightful)

nurb432 (527695) | more than 5 years ago | (#24539675)

Even if that was the intent to show people how to steal ( which it wasn't ), it's still a protected right to talk about it.

Now that said, It wouldn't be protected speech if you ordered people to try it themselves.

Much like it's protected to get up on your soapbox about hating a particular race/whatever and wishing them gone, but it wouldn't be protected if you were organizing a lynching.

I hope you see the difference and why it's important to the foundation of freedom in our country.

Re:Frist Amendment (1)

Seraphim_72 (622457) | more than 5 years ago | (#24539425)

I hope they stand on stage and just give the finger for half an hour if this injunction gets granted.
Then I hope some lawyer who actually does love the law beats the people requesting this to death with the Liberty Bell.

"It tolls for YOU. [CLANG] It tolls for YOU. [CLANG] YOU! [CLANG] YOU!! [CLANG] YOU!!! [CLANG]"

Re:Frist Amendment (2, Funny)

snowraver1 (1052510) | more than 5 years ago | (#24539519)

Who's got a link to the presentation? It's called "Anatomy of a Subway Hack" and was distributed on the CDs that were handed out. There must be a copy on the Internet, I just can't find it.

Re:Frist Amendment (1)

AvitarX (172628) | more than 5 years ago | (#24539889)

Hackers, terrorists, commies, and un-americans.

everyone else should be perfectly happy saying only what they should.

FP (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#24538827)

Fr0sty P1ss

Re:FP (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24539027)

Loser pusswad.

Secrecy (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#24538837)

In Soviet Russia, style secrecy prevails you.

Eh (1, Interesting)

Anonymous Coward | more than 5 years ago | (#24538839)

constitutes a threat to public health or safety

How? Are people going to try and mug you with a CharlieTicket now that they might potentially be useless?

Re:Eh (1)

BlueStrat (756137) | more than 5 years ago | (#24539569)

constitutes a threat to public health or safety

How? Are people going to try and mug you with a CharlieTicket now that they might potentially be useless?

That's easy. If someone were to rob a bank or mug someone, then use a metro bus or the subway as their getaway vehicle using these cards, they might use a hacked card with false identification info. The police would be unable to identify the perpetrator without leaving the police station, interviewing witnesses, examining security camera records, dusting for fingerprints, etc.

In other words, the perpetrator would likely get away with his crime and wander the streets free to commit more crimes, as nobody in Boston would seriously expect the police there to go to those extremes, especially in the case of a crime like a mugging where the victim is not a bank, corporation, or the government itself.

Cheers!

Strat

Anyone have the code? (1)

blitzkrieg3 (995849) | more than 5 years ago | (#24538845)

From TFA:

On the other hand, the source code to the utilities -- not included on the CD -- was removed from web.mit.edu/zacka/www/subway/ by Saturday morning.

Anyone able to mirror this before it was taken down?

Re:Anyone have the code? (1)

snl2587 (1177409) | more than 5 years ago | (#24538895)

I hope so. It's Digg time!

Re:Anyone have the code? (2, Insightful)

Anonymous Coward | more than 5 years ago | (#24539061)

by "It's Digg time", do you mean "It's hit yourself in the head with a hammer until your IQ is reduced to double digits time"?

Re:Anyone have the code? (2, Informative)

snl2587 (1177409) | more than 5 years ago | (#24539743)

No, I mean it's time to do with this information what was done with the DVD key a while back. I believed this was a simple enough jump that it did not require an explanation. I had not planned on you and whoever modded you "insightful" not understanding the reference.

Re:Anyone have the code? (0)

Anonymous Coward | more than 5 years ago | (#24539001)

I hope so!

Just a point (2, Informative)

TubeSteak (669689) | more than 5 years ago | (#24538849)

temporary restraining order != permanent injunction

And as TFA has already pointed out, the power point presentation is already out in the open

Re:Just a point (1)

MindlessAutomata (1282944) | more than 5 years ago | (#24538905)

.....so?

Re:Just a point (1)

Jarjarthejedi (996957) | more than 5 years ago | (#24538961)

Exactly. All that proves is that the people suing are even stupider than they seem because they're trying to stop something that's already on the internet, and we all know how that goes.

Re:Just a point (3, Interesting)

mpe (36238) | more than 5 years ago | (#24539135)

All that proves is that the people suing are even stupider than they seem because they're trying to stop something that's already on the internet, and we all know how that goes.

It's actually even worse than that. By the action of suing they have drawn attention to the issue. As well as "confirming" the research.
Probably also ensuring that the relevant information will wind up being published in places it wasn't likely to end up before. Note that the article mentions that thousands of people (not covered by the injunction) already have copies of the "paper". Some of those copies may be already out of the court's jurisdiction too.

Re:Just a point (3, Interesting)

whoever57 (658626) | more than 5 years ago | (#24538973)

And as TFA has already pointed out, the power point presentation is already out in the open

Which is exactly why an injunction should never have been granted.

Ron Rivest (4, Interesting)

surmak (1238244) | more than 5 years ago | (#24538893)

The article mentions that the authorities met with the students and Ron Rivest (e.g. the "R" in the RSA crypto system).

It would be interesting to see what his involvement with this project is.

Re:Ron Rivest (4, Informative)

Anonymous Coward | more than 5 years ago | (#24539237)

He was their professor. Their research was done as a part of a class taught by Rivest.

Chipped Transit is Bogus all over USA (1, Interesting)

Anonymous Coward | more than 5 years ago | (#24538903)

http://www.tc.umn.edu/~hause011/article/Bus_ride8.html

Expensive, does not work, only needs your work info, bank info, home info, photo and tracks your travels when it does work. Just chip the riders like dogs and tattoo a bar code across their foreheads.

Too late (5, Informative)

Bluey (27101) | more than 5 years ago | (#24538949)

It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas.

Injunction was already granted [cnet.com]. Insert Soviet joke here.

Excellent! (2, Informative)

d34thm0nk3y (653414) | more than 5 years ago | (#24539097)

These guys are literally restricting free speech, as in "don't say that out loud." This will work as a way better example of US censorship than my usual 2600 DECSS example. Thanks MA for the forthcoming karma in other censorship articles.

Restraining Order FAIL!!! (0)

Anonymous Coward | more than 5 years ago | (#24539025)

Ummm.... the presentation is on the DEFCON disk...FAIL!!!

Treat it like the DNS flaw. (5, Insightful)

eggman9713 (714915) | more than 5 years ago | (#24539159)

Just do it the way that they tried to do it in regards to the recent DNS exploits. Tell the affected organization (Boston subway system authority) that there is a problem and you are willing to work with them to fix it. If they refuse, just leave them the information and say they have x number of days to fix it and if they refuse to do anything, you are going to the press, which technically is true since journalists are allowed in limited numbers at Defcon as far as I know. That way you give them the courtesy of warning them in advance, but you aren't needing to completely shut up about it or let the problem lie unfixed. As a white hat, this guy has a moral obligation to help get problems fixed before the black hats find out.

streisand effect (1)

areusche (1297613) | more than 5 years ago | (#24539207)

Let's post a copy of the powerpoint slide in as many places as possible. If it works for Barb and the MPAA it'll work for the Great State of Mass!

Heh. (0)

Anonymous Coward | more than 5 years ago | (#24539213)

The emperor has no clothes, the emperor has no clothes, the ...

Oh, I'm just shocked I tell you - shocked!

Do you mean that governmental authority has employed security to protect their revenue streams - us?

Yes. I'm shocked. It's only happened so many times before...

People's Republic, Soviet Style (1)

banished (911141) | more than 5 years ago | (#24539261)

It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas.

Having suffered under their government (Massachusetts', that is), this is a predictable reaction. I defected from there years ago.

Two problems (4, Insightful)

belmolis (702863) | more than 5 years ago | (#24539265)

I see two major problems with the application for the order. The first is that it claims that disclosure of how to hack the cards constitutes a danger to the public. How so? All these cards are good for is paying the fare. Hacking them allows people to ride the subway for free. That's petty larceny, not a danger to the public.

The second is that the application asked the court to forbid:

publicly stating or indicating that the security or integrity of the CharlieCard pass, the CharlieTicket pass, or the MBTA's Fare Media systems has been compromised.

There's no conceivable justification for that. Even if there is justification for forbidding disclosure of the details of the hack, stating that there is a problem is certainly constitutionally protected. (It is possible that the court did not include such language in the TRO; this is what Massachusetts asked for, but possibly not what they got. Anybody got a link to the actual TRO?).

What I want to know is... (4, Interesting)

strabes (1075839) | more than 5 years ago | (#24539287)

What I want to know is why Massachusetts is complaining about and interfering with a conference happening in my hometown, Las Vegas.

"Congress shall make no law..." (3, Insightful)

SonicSpike (242293) | more than 5 years ago | (#24539389)

"abridging the freedom of speech, or of the press;"

-US Constitution

Re:"Congress shall make no law..." (1, Insightful)

Tim C (15259) | more than 5 years ago | (#24539535)

Well, this is the State of Massachusetts, not Congress...

Re:"Congress shall make no law..." (4, Informative)

Wonko the Sane (25252) | more than 5 years ago | (#24539755)

Well, this is the State of Massachusetts, not Congress...

They already fixed that loophole [wikipedia.org]

"No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws."

Re:"Congress shall make no law..." (1)

eht (8912) | more than 5 years ago | (#24539763)

Actually even though it is in no particular way different than a state, it's the Commonwealth of Massachusetts and for some reason the people that live there are always insisting on it being called that. I no longer live there thank goodness.

Re:"Congress shall make no law..." (1)

_xeno_ (155264) | more than 5 years ago | (#24539915)

Well, this is the State of Massachusetts, not Congress...

Note the part where it says "federal judge" in the summary? And if you followed the link to the article, you'd see that this is taking place in Las Vegas, which I'm pretty sure isn't in Massachusetts.

On a side note, when they first rolled out the CharlieCard system, I remember asking a coworker "I wonder how long it will take for someone to figure out how to hack the cards to get free rides?" The answer is "a little over a year and a half" - they were rolled out in December 2006.

ATHF Again? (1)

pembo13 (770295) | more than 5 years ago | (#24539421)

Isn't this the city that upped their threat level due to an Aqua Teen Hunger Force marketing campaign? If so, this news isn't at all surprising.

PDF Posted (0)

Anonymous Coward | more than 5 years ago | (#24539491)

Note that the presentation is online at MIT's newspaper: http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

MIT student newspaper published the banned slides (0)

Anonymous Coward | more than 5 years ago | (#24539587)

See them yourself at: http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

If this happens, (4, Insightful)

nurb432 (527695) | more than 5 years ago | (#24539605)

It's one more strike against the first amendment and another step down the path of the government deciding what you are allowed to know.

Too late; do it anyway. (3, Insightful)

moxley (895517) | more than 5 years ago | (#24539715)

Fuck this.

They need to give their presentation regardless.

It's clearly a first amendment issue, and when people allow things like threats from the authorities or bullshit unconstitutional court injunctions to stop them from what they want to tell the masses it only serves to justify the actions of those who would try to stop people from expressing important matters.

From what I can tell this isn't about public safety at all, it's more about money. If it were about public safety, they would take it seriously and work with these guys to resolve the issues.

On top of that, when these sorts of uses for RFID were being planned and discussed years ago (things like this and passports, etc) many, many people warned that this would occur...

Someone needs to take that CD and quickly get the contents onto usenet. It's already in the public record anyway - once the cat is out of the bag it's out of the bag.

The PowerPoint was an excellent read. (3, Insightful)

base3 (539820) | more than 5 years ago | (#24539871)

Thanks, Judge! I'd have never known it existed had you not tried to censor it.

copy of the utilities and source code? (0)

Anonymous Coward | more than 5 years ago | (#24539895)

does someone have a copy of the utilities and source code that was posted on their website? please post it.

http://web.mit.edu/zacka/www/subway [mit.edu] has been removed.

judicial misconduct (1)

TRRosen (720617) | more than 5 years ago | (#24539903)

WOW preemptive limitation of free speech is almost unheard of. Usually asking a judge to stop someone from talking before the fact is met with ridicule by the judge.
