Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

EFF To Appeal Court Order Vs. Subway Hack Demo

kdawson posted more than 5 years ago | from the tell-no-one dept.

Security 189

snydeq sends along InfoWorld coverage of the EFF's plans to appeal a US District Court order that kept three MIT students from presenting detailed flaws in the Massachusetts Bay Transportation Authority e-ticketing system at Defcon. And an anonymous reader points out that the MBTA, in addition to triggering the Streisand Effect, released in open court more information on vulnerabilities (PDF) than the students had any intention of presenting. See Exhibit 1 to this court filing.

cancel ×

189 comments

Frost piss. (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#24561051)

There, got that out of the way.

First amendment (3, Insightful)

Hatta (162192) | more than 5 years ago | (#24561077)

How can any such order be justified in the light of the first amendment protection of free speech?

Re:First amendment (1, Insightful)

Anonymous Coward | more than 5 years ago | (#24561105)

How can any such order be justified in the light of the first amendment protection of free speech?

obviously it cant. However that has not stopped people from trying and succeeding in the past.

Re:First amendment (2, Informative)

Free the Cowards (1280296) | more than 5 years ago | (#24561115)

Same way that slander and libel are actionable. Namely, the first amendment, in general, protects against criminal prosecution but not civil suits.

Re:First amendment (0)

Anonymous Coward | more than 5 years ago | (#24561347)

Same way that slander and libel are actionable. Namely, the first amendment, in general, protects against criminal prosecution but not civil suits.

I don't know how the hell you got modded informative! Prior restraint != civil suit.

Re:First amendment (0, Flamebait)

Free the Cowards (1280296) | more than 5 years ago | (#24561423)

Fuck off and stop being such an asshole just because you're anonymous.

The MBTA filed a lawsuit Friday seeking to stop three Massachusetts Institute of Technology students from giving the talk.

The action in question is clearly part of a civil suit. Just because you don't like it don't mean it ain't so.

Re:First amendment (4, Insightful)

sconeu (64226) | more than 5 years ago | (#24561637)

By a governmental (or quasi-governmental) agency, who is therefore bound by the First Amendment.

Re:First amendment (4, Informative)

Free the Cowards (1280296) | more than 5 years ago | (#24562031)

And hopefully that means that they will lose the case. (Actually, I'd hope that anyone bringing such a suit would lose, not just governmental entities.) But this is just an injunction. An injunction is temporary, and is only intended to prevent potential damage from being done until the true merits of the case can be assessed. An injunction doesn't require a good case, it just requires a case that has sufficient merit to go to court.

Personally I don't think this injunction should have been granted, but it's not nearly the slam dunk obvious thing that many people here think it is.

Re:First amendment (5, Insightful)

im_thatoneguy (819432) | more than 5 years ago | (#24561119)

If only there were some branch of the government whose job it was to ensure that people's constitutional rights were protected!

Re:First amendment (3, Insightful)

Anpheus (908711) | more than 5 years ago | (#24561651)

Thankfully there -isn't- a Department of Constitutional Rights. If such a thing existed, we could expect the same bureaucracy and red tape to drown any chance it has at reasonably protecting Americans against broad violations of their rights.

Additionally, you can bet that if such a department existed, laws like the USA PATRIOT Act would serve to maim or gag it in order to perpetuate even greater crimes while people are none the wiser.

No, I'm glad we live in a country where our rights are defended by regular people putting their time and money to organizations they deem valuable to the future of the nation. Is it the -best- way? Perhaps not, but it's certainly better than betting it all on responsible government.

I will insist, again, that I am glad I live in a country where we have the ACLU, the EFF, the NRA, the NAACP, etc. I am glad we have all of those. It doesn't bother me one bit that they at times disagree with one another, it doesn't bother me that these organizations can be overzealous. I am glad they are overzealously defending my rights. If that means the NRA makes it legal for me to own a bazooka without a permit, well, to quote Office Space, "Fuckin' A, man."

Re:First amendment (1)

Anonymous Coward | more than 5 years ago | (#24561695)

If only there were some branch of the government whose job it was to ensure that people's constitutional rights were protected!

Nice sarcasm. One thing we need to all remember though, is that those truely responsible for protecting our inalienable rights are described in the first three words of the Constitution. We are all on the soapbox here and while Slashdot is a good venue let's not forget to get this on the soapbox in as many public venues as possible. Educational research activities are a good thing and students and/or professors should be allowed to present their papers.

The loss of rights to the government is a process of erosion and such erosion should be halted anywhere it is found. If you think something related to such erosion is ok cause you think it don't effect you, then don't be suprised when you fall into a sinkhole. ( use of the word "you" here is generic and thus addressed to the public at large )

Re:First amendment (0)

Anonymous Coward | more than 5 years ago | (#24562651)

like the judicial branch?

Re:First amendment (1, Funny)

Daimanta (1140543) | more than 5 years ago | (#24561123)

Terrrism!!!1!

Re:First amendment (5, Insightful)

Opportunist (166417) | more than 5 years ago | (#24562489)

What bothers me about this comment isn't that you trivialize terrorism. Yes, it does exist (read on before you mod, please). It doesn't even bother me that it's modded funny.

What bothers me is the "cry wolf" tactics our media and politicians use whenever something happens they don't like. It's because of terrorism that people can't bring their own coke to a plane anymore (it's not that we want airlines to get additional revenue from selling their drinks). P2P fuels terrorism (not that we want to prop up an outdated business model). It's terrorism why we are forced to reliinquish our essential rights (not because our politicians don't want us to say things they don't want the public to know).

"Terrorism" has been abused as the catch all argument whenever something is imposed upon us that goes against the interests of our politicians and their cronies. And people start to see through the thinly veiled egoistic goals, and start to mock it. As you would mock anyone who cries wolf as soon as something happens he doesn't like.

What bothers me most is that when the terrorists strike, we'll get told "see? We told you, it's terrorism!" Instead of them learning that their wolfcrying creates nothing but contempt and ridicule, they will point at us and blame us for not taking it serious, when it has been abused time and again.

Terrorism is a real threat to the US and the "western" world. Abusing it to cry wolf about everything you want to do against your people is not going to make them take it serious. Quite the opposite.

As can be seen in the parent posting.

Daimanta, not trying to belittle you. You're just the one that speaks what everyone was thinking. "Ok, how long 'til they claim terrorism is the reason?" It's not against you, again. It's against those that abuse the terrorist card for everything that goes against their interests.

Re:First amendment (2, Insightful)

nurb432 (527695) | more than 5 years ago | (#24561135)

Its not the job of the first amendment to *prevent* this from happening.

its job is to protect us by striking it down once heard by the courts.

Re:First amendment (4, Informative)

Beryllium Sphere(tm) (193358) | more than 5 years ago | (#24561201)

Actually, under constitutional law, the preferred situation is to let the speech happen and hash out any legal issues later. The term for preventing a publication is "prior restraint", and it's very much frowned upon compared to going to court over speech that's already been published.

In this case the judge used a computer intrusion statute. I don't know the terms of it, but some such laws do prohibit trading in passwords or other access devices. Seems like a stretch, and I don't consider it justified, but that might be the reasoning. I'm not a lawyer, but if I were them I'd look out for the highly abusable conspiracy laws.

Re:First amendment (4, Informative)

MikeD83 (529104) | more than 5 years ago | (#24561431)

In this case the judge used a computer intrusion statute. I don't know the terms of it, but some such laws do prohibit trading in passwords or other access devices. Seems like a stretch, and I don't consider it justified, but that might be the reasoning.

According to the complaint [mit.edu] the MBTA is calling the CharlieCard and even the CharlieTicket a "computer." Understanding how the "computer" works and disseminating that information constitutes fraud.

According to the referenced US Code [cornell.edu] , a "computer" is:

the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;

Re:First amendment (2, Interesting)

Anonymous Coward | more than 5 years ago | (#24561817)

Thanks for the link to the legal definition of a computer.

I have a couple of issues with it.

1) By that definition, a test tube is a computer. It is optical, because sometimes the results of an experiment are verified visually. It is a data processing device, because mixing chemicals to find out what happens is a form of processing data. And it performs storage functions because you can store liquids or other substances in it if, for instance, the reaction is expected to take a long time. The "or's" in the definition mean that it doesn't have to satisfy all of the criteria, only some of them.

You could argue that it's not high speed, but the wording of the definition is ambiguous enough that that isn't necessarily a requirement.

2) How similar to a portable hand held calculator does a device need to be in order to be excluded? An HP48 graphing calculator? A PDA with a built-in calculator function? A cell phone? An EEE PC? A laptop?

Re:First amendment (2, Interesting)

memristance (1285036) | more than 5 years ago | (#24562107)

1) By that definition, a test tube is a computer. It is optical, because sometimes the results of an experiment are verified visually. It is a data processing device, because mixing chemicals to find out what happens is a form of processing data. And it performs storage functions because you can store liquids or other substances in it if, for instance, the reaction is expected to take a long time. The "or's" in the definition mean that it doesn't have to satisfy all of the criteria, only some of them.

You could argue that it's not high speed, but the wording of the definition is ambiguous enough that that isn't necessarily a requirement.

Though I'm guessing you were going for hyperbole here, you're mostly correct. [wikipedia.org]

Re:First amendment (1)

dshadowwolf (1132457) | more than 5 years ago | (#24561853)

the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;

With this definition on the books the ruling by the judge shouldn't be swayed by the MBTA argument that the CharlieCard and CharlieTicket are computers. If he was swayed by the claim that the "CharlieCard" and "CharlieTicket" are computers then there are some really good grounds for overturning the ruling. (note that I am assuming that both are nothing more complicated than a form of RFID tag)

Sadly this decision is not a good thing. If it is not struck down it opens the door for companies to quash the open reporting of any security vulnerability. Specifically, in this case, this move makes me think that there are only two motives

  1. the MBTA knew of the vulnerabilities that they found before the system was put into place
  2. that they don't want the details made public so there is no real reason for them to have to fix it.

If it is the former — and they presented the system as being "unbeatable", "unhackable" or similar — then they could face legal action. (Okay, legal action only if those claims were a big part of the reason the system was granted funding) If it is the latter Well What happens when the vulnerability is discovered by someone else and then published without them having a chance to block that action legally?

Re:First amendment (1)

dshadowwolf (1132457) | more than 5 years ago | (#24561939)

Replying to myself to make a correction: My assumptions are apparently faulty, because the information about the vulnerability is already in the wild. This means that they have to fix it anyway — though who knows how many people that received one of those CD's with the data have already used it for less than legal purposes.

In this case the #1 item above comes more into play, though it is still highly unlikely. The likely reason for this was a knee-jerk reaction to the release of the data with the MBTA not realizing that the data about the vulnerability was already released.

One thing that I have not yet heard is whether the researchers had informed the MBTA of this vulnerability before going ahead with the publication of the details. Doing such — and giving the company a chance to fix the hole — is one of the keys of "responsible reporting".

le sigh (2, Interesting)

SuperBanana (662181) | more than 5 years ago | (#24562713)

data processing device performing logical, arithmetic, or storage functions,

Note the "OR". The magstripe card is storage. The -card- does logical, arithmetic, AND storage functions- it's an intelligent device.

Furthermore, they openly admit to trespassing both physically (at stations, offices, AND networks they knew were private.)

Frankly, I'm astounded they're not sitting in a jail cell right now. Chances are that right now the MBTA are going through CCTV footage looking for them trespassing, and once they've found some- they'll be arrested.

It's one thing to play with the cards (and ride the coat-tails of other researchers who published all of this 8 months ago). It's another to wander into offices and plug into internal networks you know you don't belong to (in fact, the very definition of trespassing in some states is "you're somewhere you know you don't belong.")

Re:First amendment (0)

Anonymous Coward | more than 5 years ago | (#24561409)

Oh please, dear! For your information, the Supreme Court has roundly rejected prior restraint.

Re:First amendment (3, Interesting)

Intrinsic (74189) | more than 5 years ago | (#24561161)

Maybe im not understand the situation, but if you attempt to release information that can cause harm to a business or person or society. that speech can definitely be limited. Its like calling fire in a building with no fire and someone getting hurt. It seems like in this case, if this information got mass attention there might be some way to construe harm. I mean I can think of allot of ways to fabricate the perception of harm, even though it is unlikely.

Im trying to put myself in their shoes, someone or someones do not want to have to deal with this if people start mass circumventing the system... money loss, reputations, and the like are surely involved. it doesn't matter if it has been done before, this particular event makes stuff like this a hot topic, because people that build or manage insecure systems look really, really stupid to the professional community.

Re:First amendment (4, Insightful)

MDMurphy (208495) | more than 5 years ago | (#24561365)

A couple comments:

First, the information was already released. The entire presentation was handed out on CDs at the beginning of the conference. All the court order did was prevent a true dialog about the hack.

Second, it could be construed that not releasing the information also has a negative cost. As a public entitiy, the transit agency has a duty to look after the system. The hack points out a flaw in the system. Was the system design opened to public scrutiny prior to its use in an attempt to prevent such a hack? If the hack were not widely known would the agency be working dilligently to fix the flaws?

This is not much different than the "print your own bogus boarding pass" hack. The big worry wasn't really that loved ones could see you off at the gate, but that "bad guys" could go through security, metal detectors and such only to swap tickets with someone who wasn't on the no-fly list. What the release of that hack did was point out a flaw that already existed and provide incentive to fix it, or to drop the whole boarding pass as security sham in the first place.

As to the yelling Fire! in the theater analogy: If there's really a fire, it's Ok to yell.

This is another situation the 1st ammendment was designed to protect. Annoying, painful, expensive, dangerous speech might need to be protected.

Re:First amendment (2, Interesting)

Intrinsic (74189) | more than 5 years ago | (#24561615)

Im with you on that, im just saying that their is a difference between reality (which we know what that is) and the perceived reality. And the perception is that its possible the transit authority probably has some people that manage or have a stake in creating that system and are trying to do damage control. Its not based in reality, but its better to know what you are dealing with, because the people involved in the insecure transit system are not going to think like rational people if heads are going to roll.

I was going to say something else but I forgot what it was.. basicley im not arguing either way, im just trying to put all the cards on the table.

Re:First amendment (2, Insightful)

MDMurphy (208495) | more than 5 years ago | (#24562305)

The sad thing is that judges are always supposed to be rational people, or at least hand down rational decisions while on the clock. The judge should have called them on this, but didn't, and issued the order. I at least hope they had to shop around to several judges before they found one their lawyers could snooker.

Re:First amendment (4, Insightful)

corsec67 (627446) | more than 5 years ago | (#24561439)

Then would you also like to allow the people who said "some toys in Wal-Mart have lead in them" to also have their speech limited?

The critical part of rights like the freedom of speech is that if it excludes stuff you don't like, then it is worthless.

"You can say whatever you want, as long as nobody is offended" doesn't really work.

Personally I don't see how any possible exclusions to freedom of speech can be obtained from "Congress shall make no law ... or abridging the freedom of speech, or of the press;", and so libel and slander can't be made illegal as the first amendment is currently written. Neither do I think that it should be possible to make obscene or offensive speech, books, or printings illegal.

Re:First amendment (1)

Tuoqui (1091447) | more than 5 years ago | (#24561501)

The right to free speech is useless without the right to offend.

This should be publicized and they should get the hell off their asses and FIX THE PROBLEM!

And they should stop trotting out bullshit 'NATIONAL SECURITY' excuses for some minor public transit crap as an excuse to shut people up.

Re:First amendment (0)

Anonymous Coward | more than 5 years ago | (#24561173)

How can you justify the hack? Showing people how to ripoff the subway would seem to be a criminal act.

Re:First amendment (1, Insightful)

Anonymous Coward | more than 5 years ago | (#24561241)

By hack I assume you mean the person or persons responsible for attempting to use the courts to implement security through obscurity.

Re:First amendment (4, Insightful)

NFN_NLN (633283) | more than 5 years ago | (#24561289)

How can you justify the hack? Showing people how to ripoff the subway would seem to be a criminal act.

No... RIPPING OFF THE SUBWAY is the criminal act.

By your logic everyone in the military should go to jail for teaching or learning how to kill.

Re:First amendment (1)

TehZorroness (1104427) | more than 5 years ago | (#24562815)

We have a couple of options. A: Make the exploit publicly known - ensuring that it will either get fixed, or the company that provided the garbage implementation gets replaced (win, win). B: Let them know secretly, letting them get away with ignorance, doing their job (that they get paid handsomely for) for them. C: keep it a secret. let it be exploited for years.

Re:First amendment (4, Insightful)

sribe (304414) | more than 5 years ago | (#24561293)

How can any such order be justified in the light of the first amendment protection of free speech?

The judge is an idiot. Prior restraint is unconstitutional. This will not survive the appeal.

Re:First amendment (5, Insightful)

ObsessiveMathsFreak (773371) | more than 5 years ago | (#24561307)

Because; "You have the right to freedom of speech as long as your not dumb enough to use it".

Freedom of speech, like just about all our supposed freedoms, is only available to those that can afford to defend it in court. The contrapositive of this fact is of course that the ability to take away freedoms from someone is available to those that can afford to attack them in court.

Companies, etc, apply for injunctions and by Gods they get them. Do you think if you, whatever your grievance, applied for an injunction against a major company that it would be awarded? Money talks. Judges listen. It's not necessarily something as base as bribes. Just high class laywers gaming a system that puts up with being gamed.

These three hackers should not have appealed this order. They should have ignored it. Defcon should have ignored it. Why obey an order that is going to be struck down anyway? Threat of censure? The court can only censure you if it's oder was legal in the first place.

If more people stood up to, and openly defied the courts; we'd have a better court system.

Re:First amendment (3, Interesting)

Caboosian (1096069) | more than 5 years ago | (#24561815)

If more people stood up to, and openly defied the courts; we'd have a better court system.

If more people stood up to, and openly defied the courts, we'd have more people in jail - and a court system with less credibility. If an average citizen can shrug off a court order, what use do are the courts? No, instead, the companies/corporations gaming the system should be held responsible. Honestly, I don't have a solution for this problem, but I can't find a justification for destroying the credibility of our judicial institution - what good could come of that?

Re:First amendment (1)

mishehu (712452) | more than 5 years ago | (#24562387)

If you didn't follow through on the injuction, would the judge not find you in contempt and still prevent you from participating in the presentation? I may be wrong, but it sounds like what usually happens when one defies a judge's order.

How? (2, Informative)

DesScorp (410532) | more than 5 years ago | (#24561379)

How can any such order be justified in the light of the first amendment protection of free speech?

Because all speech isn't protected. The First Ammendment isn't a blanket guarantee to say or do anything. There are limits on speech, and always have been, from the time the Constitution was ratified to today.

You can argue on technical grounds that "security by obscurity" is a stupid idea, but I think the EFF lost here for a reason... we've always balanced speech that can have a direct impact on public safety against the relative risks of that speech. You can't email classified blueprints of an AEGIS radar system to Vladimir Putin, for instance, or a list of undercover NYPD officers to some guy named Sal in Sicily, and then claim free speech protection. If you don't want to get in legal trouble, you go to court and get such things made de-classified or stripped of confidential status first, then you can reveal whatever you like. The students first step should have been getting a court order to strip protection from the MBTA information, because MBTA actually has some legal precedent on their side here.

The students may even be in the right here, but they were pleading their case in a way that almost assured their defeat in court. And in this case, EFF was thinking like hackers, not lawyers.

Re:How? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#24562393)

Because all speech isn't protected.

Completely irrelevant.

The First Ammendment isn't a blanket guarantee to say or do anything.

No, but it is a blanket guarantee to say anything that is true, and that's what's so appalling here.

What's even more appalling is that there are idiots like you who think it's perfectly reasonable to prevent people from telling the truth, simply because it might hurt some corporations's bottom line.

Re:How? (2, Interesting)

PlusFiveTroll (754249) | more than 5 years ago | (#24562811)

If you don't want to get in legal trouble, you go to court and get such things made de-classified or stripped of confidential status first, then you can reveal whatever you like. The students first step should have been getting a court order to strip protection from the MBTA information, because MBTA actually has some legal precedent on their side here.

Really, instead of going thru all that bullshit, the students should have released all the information first (before the court order). Two times this has happened at DEFCON, and it's easy to do because the offense knows what date you're going to speak and can put a stop to it right before it happens. Not enough time to defend yourself and get the motion dropped. Drop the whitepaper (blackpaper?) on the net a week before the talk, and let them close the barndoors after the horse is already gone.

Re:First amendment (3, Informative)

belmolis (702863) | more than 5 years ago | (#24561529)

For commentary by an expert on First Amendment law, see Eugene Volokh's post [volokh.com] .

Responsibility? (4, Insightful)

XanC (644172) | more than 5 years ago | (#24561101)

It seems that the people who are bringing flaws to light are cast as the villains, while nobody even considers blaming or even questioning the people who selected a poorly-implemented system to run an entire city's public transit.

Re:Responsibility? (5, Insightful)

ckthorp (1255134) | more than 5 years ago | (#24561165)

Or, even more importantly, nobody considers blaming the vendor who sold the faulty system to the city.

Re:Responsibility? (2, Interesting)

MistaE (776169) | more than 5 years ago | (#24561169)

So a poorly implemented system justifies individuals giving a presentation to everyone else on how to fuck with the system?

I'm all for free speech, but it seems like there are quite a few other alternatives other than basically making public the flaws in a massive public transportation system. If they really care about security, they should take measures to improve the security with the appropriate authorities.

Now, of course, if they've already tried this and they ignored these students, then I would argue this is the next step to grab their attention, but still.

Re:Responsibility? (4, Insightful)

Adambomb (118938) | more than 5 years ago | (#24561295)

I would agree with you, had the MBTA actually taken the initiative to work on solving these issues. Instead their rep stated that if its not known, its not a problem.

Then they go and release more sensitive details in their court documents which are public record than the original presentation was to discuss.

Had the MBTA stated that "they are currently working on resolving the issues, and would want the talk delayed until they are solved" then you would be exactly correct that the presentation should wait. In the end, this is more about pointing out that the MBTA bureaucracy is being incredibly stupid as well as dangerous in their processes.

Re:Responsibility? (5, Funny)

FatdogHaiku (978357) | more than 5 years ago | (#24561765)

...Then they go and release more sensitive details in their court documents which are public record than the original presentation was to discuss.

It's not often you get to see someone step on their own pecker with both feet, while advertising the fact.

Re:Responsibility? (1)

cdrguru (88047) | more than 5 years ago | (#24561869)

Why the heck should they spend time and money on a working system? If nobody uses this information, the system works fine and it is not a problem. If they spend a huge amount of money "solving" this non-existent problem, who does that benefit?

The solution is to make sure the system is not exploited in this manner, not to make sure that it cannot be.

Re:Responsibility? (1)

Adambomb (118938) | more than 5 years ago | (#24562135)

If they're complaining about the vulnerabilities, then it would benefit them to make sure they are removed from the system so that those exploiting it are no longer impacting their bottom line. By leaving the flaws and saying "because no one talks about it, no one knows about it" they have absolutely NO WAY of verifying how many unauthorized passengers their system is carrying and how much revenue they might be missing out on.

The solution is to have a solution, say "well because the court order says they cant tell people, no one will know!" and all you have your head in the sand.

Re:Responsibility? (1)

Adambomb (118938) | more than 5 years ago | (#24562159)

Gah, yes theres a missing "is" in there. Where I leave to you.

preempt! preempt! preempt!

Re:Responsibility? (2, Insightful)

adamchou (993073) | more than 5 years ago | (#24562181)

clearly you didn't read the court order that was submitted by the MBTA. It says that they evaluated it and said they found nothing new in there. What was submitted to them was an old hack that they were already aware of and had already implemented additional security measure to fix. This further led them to believe that there was additional information that was being withheld from them, especially since the MIT students legal counsel advised them to not give additional information to the MBTA. They never gave the MBTA a chance to fix anything.

I'm all for free speech, but when you use it irresponsibly as these kids appear to be doing, I think you should suffer the consequences. What if this is used by some terrorist organization to mount an attack? Will everyone here defending free speech really still advocate the right for these students to disclose this information?

Re:Responsibility? (1)

Adambomb (118938) | more than 5 years ago | (#24562235)

In addition, what looked like a black-and-white faxed copy of the entire presentation was entered as evidence in publicly available court records available on the Web on Saturday, meaning any attempt to limit its distribution further will encounter an additional hurdle.

You were saying? [cnet.com]

Re:Responsibility? (1)

adamchou (993073) | more than 5 years ago | (#24562725)

Again, if you RTFA, the MTBA attempted to get all the documents from them on August 8th, one day before this was made available. Besides that, if you actually RTFA, the way the students worded their email, it seemed as if though they had additional information that they weren't disclosing. I really don't feel like typing everything out, but if you RTFA, you'll see why the MTBA came to that conclusion and if I were in that guys position, I would have came to the same conclusion. I don't know about the whole FBI thing, but its hard not to freak out when there is the possibility that a bunch of undergrad students have knowledge of a potential security hole that they won't disclose to you that could cause the MTBA to be defrauded and even possibly threaten public safety.

Re:Responsibility? (1)

Dhalka226 (559740) | more than 5 years ago | (#24562313)

Hypothetically, let's assume they are working on making fixes and want this talk enjoined until they're implemented. And that it would take several years. Reasonable?

This is a public transit card we're talking about. On top of being government contractors who would be designing new systems at ridiculous cost, there is a ton of equipment that would need to be re-programmed or replaced, as well as a massive outreach program that would have to be mounted in order to let citizens know that their transit cards are about to stop working if they don't get a new one. Assuming it would cost millions would be an underestimate, I'd think. And the fix would probably be on the order of months or years.

I simply don't see "we were idiots" as a justifiable reason to delay exposing somebody's idiocy for that long involuntarily.

Re:Responsibility? (1)

Adambomb (118938) | more than 5 years ago | (#24562385)

You just combined a whole set of hairy issues that have nothing to do with the MIT talk. If government contractors design systems at ridiculous cost, thats a separate problem that i wish would be addressed ever. If theres a ton of equipment thats a bitch to patch, thats the original developers problem as they should not have sold it with the flaws in the first place, or at least started working on FIXING it as soon as all this came to light.

If they were willing to have MIT POSTPONE this talk for a reasonable amount of time instead of the aggression they encountered, i would be more sympathetic. From the sounds of their representative in the previous article [cnet.com] their intent is to NOT bother fixing anything (IE: not until they make a brand new system).

There's a big difference between saying "we know its broken but refuse to fix it" as opposed to "Give us a chance. You know what its like dealing with government crap, but we'll get to it". Personally i applaud MIT for making the public aware that the paying customers may be subsidizing those who are riding for free on a known flaw. If the cost of the system is proportioned to volume in terms of pricing it will raise prices artificially for those who ARE legit to make up for those who aren't.

This is what they don't want their customers thinking about as its definitely FAR less overhead for them to simply increase the standard fares to make up for the costs of the system until those paying balance it out than to try to fix the system.

Basically, its like people who do friggan nothing at work getting the same wage because you get dumped with all their slackage. One group gets the value, but an entirely different group gets the cost.

Re:Responsibility? (2, Insightful)

jd (1658) | more than 5 years ago | (#24561399)

I wouldn't agree to it being right to present how to break the system (except under special circumstances such as those you outlined), but I think it could be rather fun to make it illegal for either a government body or quango to set up or maintain a system in such a state that it poses undue burden on users, taxpayers, security, etc. Illegal as in prison illegal, not slap-on-the-wrist-see-you-at-golf-tomorrow illegal.

Governments are like all other organizations in that they will do the least possible to survive at a level comfortable to them. In the case of a democracy, this means buying off the other branches of government and the media. (This differs from a theocracy, where instead they buy off the media and the other branches of government. Dictatorships, on the other hand, only need to buy off CowboyNeil.)

The sovereign immunity enjoyed by the Government in America is probably one of the largest factors behind its corruption. I can understand the need to not have distractions, though I suspect Olmert can understand it better, but there are other ways of achieving that goal that still provide adequate accountability. The ballot box doesn't provide accountability for wrongdoing, it only provides accountability for unpopular doings, right or wrong, and frankly I doubt enough people care about mass transit computer systems to make gross negligence punishable via an election, regardless of any potential consequences. (Joe Bubba is very unlikely to think too far ahead, and there are simply more Joe Bubba voters in America than any other single group.)

Re:Responsibility? (1)

repvik (96666) | more than 5 years ago | (#24561855)

In the case of a democracy, this means buying off the other branches of government and the media. (This differs from a theocracy, where instead they buy off the media and the other branches of government.

Huh?

Re:Responsibility? (2, Insightful)

Anonymous Coward | more than 5 years ago | (#24561415)

I don't agree.

It is not their job to coordinate with the authorities and doing so without first going public might cause them problems with those authorities. Who gets to the press first matters here. If the first thing the press hears is that these guys were hacking the subway system, the authorities hold all the cards. The system may or may not get fixed and their message will almost certainly never be heard.

Secondly, they are not responsible for the behaviors of others. Someone said something about yelling "fire" in a theater, but the analogy is inapt. In this case there actually is a fire in the theater, and they are just pointing it out. They are not responsible if people trample each other trying to escape a real fire.

the public (2, Insightful)

Phantom of the Opera (1867) | more than 5 years ago | (#24561571)

"Hi, I'm the public. Do I have a right to know about these flaws?"

"No"

Re:Responsibility? (1, Insightful)

cdrguru (88047) | more than 5 years ago | (#24561831)

I would argue that it is the responsibility of the public to specifically not screw around with the system and that any security in place over the top of a fare collection system is there by accident. In other words, it should be treated as an "honor system" and what you are perceiving as "security" is merely validation to prevent errors.

I suppose you could then argue that disclosing the nature of these validations is meaningless in and of itself. However, doing so in a forum of the nature where it was to be presented clearly is offering it to individuals with the capabilities to take unfair advantage.

If I lived in Boston, or any other area where these sorts of disclosures have been made, I would object strenously to the transit authority making any changes whatsoever to "improve security". It wasn't intended to be secure from the beginning. However, I'd certainly agree with increasing penalties for anyone caught screwing the system to the point where nobody would ever want to be caught.

This is like turnstyle jumping in some ways, only it enables large numbers of people to do so without being observed by station attendents. I guess to some folks with a "grab all you can" mindset this sort of thing just begs to be exploited. Sadly, what it really means is everyone else suffers for the misdeeds of the exploiter.

Re:Responsibility? (1)

im_thatoneguy (819432) | more than 5 years ago | (#24561187)

It could be argued that as long as nobody knows about the flaws then the system wasn't poorly implemented. Most street hooligans aren't MIT trained computer scientists.

If nobody knows where a door is the lock on it doesn't matter.

Re:Responsibility? (3, Insightful)

Adambomb (118938) | more than 5 years ago | (#24561239)

If nobody knows where a door is the lock on it doesn't matter.

yes, maybe 99 times out of 100.

And then theres the other 1, like say when an idiot files more vulnerabilities in their court briefs which are public record than the original presentation was going to uncover.

Security through obscurity only works probabilistically, and given a long enough time frame it will always hit the P=1 where someone will have breached it and disseminated the information. This is exactly why security through obscurity is completely retarded when it involves systems intended to operate in any form of long term.

Re:Responsibility? (2, Funny)

NFN_NLN (633283) | more than 5 years ago | (#24561351)

Most street hooligans aren't MIT trained computer scientists./quote>

I blame the American education system. In India street hooligans must have at least a masters degree while ruffians and ne'er-do-wells have doctorates.

Re:Responsibility? (1)

d34thm0nk3y (653414) | more than 5 years ago | (#24562009)

Most street hooligans aren't MIT trained computer scientists

Tell that to MC Hawking. [mchawking.com]

Re:Responsibility? (1)

mishehu (712452) | more than 5 years ago | (#24562443)

s/villians/criminals. There, i fixed that for you. If you embarrass somebody re a computer or computer program, they try to get you put in jail...

Re:Responsibility? (1)

SimonBelmont (1089255) | more than 5 years ago | (#24562575)

Except that the attackers also chose not to disclose the vulnerability to the MTBA before giving the talk, and even refused to disclose their materials when the MTBA found out about the talk anyway.

And that there was apparently significant social engineering involved. Security should be robust when its implementation is widely known, but certain things like private keys have to remain secret. If I just con someone out of their sensitive information, it doesn't really mean a system that uses it is flawed.

And then, I'm not really sure why they went after this system in the first place. It's not a system whose flaws could endanger the public (as opposed to banking or military systems, for example). If it was a regular paper ticket system, we would just call someone who forges tickets a criminal, and a rather petty one at that. So we have a group of people who used dubious methods to break into a system, who in doing so could not have helped anyone other than the owners of the system, and who chose not to disclose to them. Not exactly whitehat. I don't see any problem with calling these people criminals.

Isn't the hack old news? (2, Informative)

Anonymous Coward | more than 5 years ago | (#24561141)

Isn't this the same hack which was described in detail in c't #8/2008 [heise.de] ? Mifare classic, uses Crypto1, a flawed pseudo random number generator and salts which only depend on the power on time, which is under the control of the attacker. Flaws were discovered by slicing the chip and inspecting the layers with a microscope.

Remove that link at once! (3, Funny)

Random BedHead Ed (602081) | more than 5 years ago | (#24561175)

I say, this is intolerable! You Slashdottian ragamuffins should remove the hyperlink to that MIT-hosted court document post haste, or I shall be forced to request that these truckless tubes be cleansed of it ... in court! (There, that will put a decisive end to their meddling.)

Re:Remove that link at once! (1)

Random BedHead Ed (602081) | more than 5 years ago | (#24561197)

Bat's breath! I forgot to include this in my backwards, Victorian-eque Interweb rant: get off my lawn!

Them again? (1, Funny)

Anonymous Coward | more than 5 years ago | (#24561185)

Why is it that every time I read about the EFF or Lesig I hear about how they are going down in flames in once case or another? Are we taking about the Washington generals here? Whats it going to take for them to actually win something for a change.

Re:Them again? (5, Informative)

Random BedHead Ed (602081) | more than 5 years ago | (#24561257)

Why is it that every time I read about the EFF or Lesig I hear about how they are going down in flames in once case or another? Are we taking about the Washington generals here? Whats it going to take for them to actually win something for a change.

http://www.eff.org/victories [eff.org]

Re:Them again? (1)

nomadic (141991) | more than 5 years ago | (#24561935)

http://www.eff.org/victories

Too bad they don't list their defeats; they've lost a lot of cases. And a lot of the cases on their victories page appear to be ones where they didn't actually represent the winning side, but merely filed amicus curiae briefs. Which sometimes help, but sometimes have no effect.

This reminds me of... (4, Insightful)

Paul Pierce (739303) | more than 5 years ago | (#24561223)

The two students at Georgia Tech that hacked the campus Blackboard swipe system (http://www.theregister.co.uk/2003/07/15/student_hackers_we_didnt_defeat/).The general idea was that it didn't matter how secure the encryption-system was, if the physical system was easy to get to. You don't have to figure out what information is being sent to the machine, all they had to do was 'capture' a 'yes-there-is-enough-money-on-the-card' response, then duplicate. Hey free snacks!!

You know what would rock, an infinite gift card to Wendy's.

Re:This reminds me of... (2, Funny)

davec727 (1263298) | more than 5 years ago | (#24561425)

I actually had a potentially infinite Hardee's gift card for a while. I put $20 on it, and I would estimate I got around $60 worth of food out of it, because the vast majority of the drive-thru monkeys at this particular Hardee's unintentionally (I assume) rang up the purchase as "gift" instead of "gift card.

I also effectively had an infinite gift card to Taco Bell, while I was working there. However, be careful what you wish for; infinite fast food has hefty consequences.

Link to DefCon presentation (5, Informative)

AgentPhunk (571249) | more than 5 years ago | (#24561299)

MIT's student newspaper "The Tech" includes the full DefCon presentation on their site:
http://www-tech.mit.edu/V128/N30/subway/ [mit.edu]

Direct link to the presentation PDF:
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf [mit.edu]

Re:Link to DefCon presentation (1)

Amamdouh (1130747) | more than 5 years ago | (#24562389)

Aren't you breaking the law by doing so?

Not that impressive (4, Informative)

langelgjm (860756) | more than 5 years ago | (#24561303)

At least from what's in the linked PDF, the undergrads' work is not all that impressive. They look at both the CharlieTicket (magstripe) and the CharlieCard (RFID).

Hacking the CharlieTicket sounds fairly trivial. Magstripe cards are extremely easy to read and write to, and documentation on how to do this with homemade equipment is all over the Internet. The undergrads' work essentially consists of figuring out how the 6-bit checksum is being calculated (though it's not disclosed in the linked documents). This is probably the most difficult thing that they did.

Hacking the CharlieCard, which is a MiFare Classic, is more involved, but the undergrads used a previously known attack, simply duplicating it. (Some might call that the behavior of a "script kiddie"?) There's hardly anything novel about this.

Re:Not that impressive (1)

Gat0r30y (957941) | more than 5 years ago | (#24561457)

There's hardly anything novel about this.

If true, one would think the MBTA would have little to back up an injunction.

Re:Not that impressive (2, Interesting)

langelgjm (860756) | more than 5 years ago | (#24561513)

If true, one would think the MBTA would have little to back up an injunction.

I'd tend to agree. Though MBTA's argument is that the undergrads aren't disclosing everything, so MBTA can't assess the true threat to their systems, thus why they sought the injunction.

I'm kind of surprised the undergrads have not disclosed everything to the MBTA. Why wouldn't they? If they are truly interested in improving MBTA's security, they ought to.

On the other hand, they might be reluctant to do so because of the risk of legal action. I don't have a Charlie Card on me (haven't been in Boston recently), but a lot of similar cards have statements saying they are the property of whoever issues them, and that tampering with them is illegal.

Re:Not that impressive (1)

Lunatrik (1136121) | more than 5 years ago | (#24562425)

Grabbed a charlieticket I had laying around, all it says is:

Subject to applicable tariff regulations and conditions of use. Ticket may be confiscated for misuse. Not replaceable if lost or stolen. Non-refundable.

Wonder what the "terms of use" are, and where one would ever, ever find them?

Life imitating art. (3, Informative)

fredklein (532096) | more than 5 years ago | (#24561361)

Which is from Cory Doctorow's "Little Bother", and which from the court documents in this case?

"Just flash the firmware on a ten-dollar Radio Shack reader/writer and you're done. What we do is go around and randomly swap the tags on people, overwriting their Fast Passes and FasTraks with other people's codes. That'll make everyone skew all weird and screwy, and make everyone look guilty. Then: total gridlock."

vs.:

"An attacker uses RFID equipment purchased online to sniff communications between a legitimate CharlieCard and a turnstile. He takes the data back home and executes one of several attacks that exploit the weak Crypto-1 cipher to recover a key. Armed with this key, a high-gain antenna, and RFID equipment, he walks down a crowded street in boston remotely copying the CharlieCards in people's pockets."

Please, check out 'Little Brother'. FREE for download at http://craphound.com/littlebrother/download/ [craphound.com] , or available at fine bookstores everywhere.

Re:Life imitating art. (0)

Anonymous Coward | more than 5 years ago | (#24561791)

First of all the two situations are very different in pretty much all aspects except that they both involve remote access to transit token in public. Second of all, life does not imitate art when the art was written probably a decade (2008) or more after such attacks were talked about. Hell anyone with a dozen brain cells and a couple hours to think can come up with these ideas and they have a long time ago. Reading data remotely is pretty much the main concern about all these systems and has been for quite some time. Writing remotely is pretty much infeasible unless you go to extreme length (ie: rfid won't flash wirelessly asfaik).

Re:Life imitating art. (1)

fredklein (532096) | more than 5 years ago | (#24562419)

the two situations are very different in pretty much all aspects except that they both involve remote access to transit token in public

So, they're different, except where they're the same? Brilliant insight.

rfid won't flash wirelessly

Depends on the type. And, even in the case where it's not, it's perfectly possible to READ the RFID, and have a box that 'repeats' that RFID upon demand. Maybe I can't 'swap' your RFID, but I can clone it and use it.

ANYWAY, you obviously missed my point.

Exhibit A (3, Interesting)

Thomas Charron (1485) | more than 5 years ago | (#24561367)

The guy who put the report in Exhibit A, along with his email address, it could be added, really, REALLY underestimated the issue I think. Did he really think the public court records wouldn't get out?

    Exhibit A will, I suspect, lead to many, MANY more compromises now then would have happened had they given their presentation.

    What HE released had the specific vulnerabilities they found. He didn't want that data out, and then published it himself!

Re:Exhibit A (1)

corsec67 (627446) | more than 5 years ago | (#24561865)

Is it the Streisand effect [wikipedia.org] when the people trying to conceal the information personally publish it in a way that gets more publicity?

The lawsuit itself would probably lead to a Streisand effect on its own, though.

Re:Exhibit A (1)

langelgjm (860756) | more than 5 years ago | (#24561907)

Exhibit A will, I suspect, lead to many, MANY more compromises now then would have happened had they given their presentation.

You really think so? (Also, I assume you're talking about "Exhibit 1", not "A"). But really, there's nothing that exciting in those few pages. They say they know the algorithm for calculating the checksum on the Charlie Tickets, but they don't disclose it. Then, they discuss a previously known flaw in MiFare Classic.

I'd say anyone intelligent enough to use the information in that document would have been intelligent enough to find it elsewhere.

Has Boston's water supply been hacked? (3, Funny)

Anonymous Coward | more than 5 years ago | (#24561453)

Given the number of security idiocies committed publicly by the Boston authorities, I hope somebody is checking the water supplies in city buildings for some additive that induces mass stupidity.

Six-bit checksum, huh. Brilliant. (1, Insightful)

Anonymous Coward | more than 5 years ago | (#24561473)

Shouldn't the 'project manager' guy be like curling up in a shame-ball under his desk instead of pestering these kids?

Moot now (0)

Anonymous Coward | more than 5 years ago | (#24561549)

Watch, the appeals court won't overrule it - they'll decline to decide the matter because now it's moot.

Not Exactly Accurate Summary (warning, legalese) (4, Informative)

Wrath0fb0b (302444) | more than 5 years ago | (#24561643)

The court issued a 'temporary restraining order', which is legal-jargon for "don't do anything until we can get a decent hearing". It does not mean that the court has accepted the MBTA's position or even jurisdiction over the case. It is merely a tool* to ensure that neither party can unilaterally change the status-quo just because the courts do not operate 24/7 and are sort of slow (making sure everyone has a chance to speak generally doesn't allow for fast decision making). Rarely does a TRO last more than a week until a preliminary hearing can be held.

IMO, therefore, even if the MBTA has no case whatsoever (almost certainly true) they are entitled to a TRO for a few days until the court can read (and almost certainly deny) their application for a permanent injunction. I don't see any major damage from having a presentation delayed for all of 72 hours either (note, if we were talking permanent injunction, it would be totally bogus -- that's a different matter entirely).

* Yes, I'm aware the information was already published on the internet and that it cannot effectively be "recalled". That is not the point -- the MBTA, as any other litigant, has the right to have a court hear their case -- even if they really don't have one.

Re:Not Exactly Accurate Summary (warning, legalese (1)

Chirs (87576) | more than 5 years ago | (#24562285)

If the presentation is delayed long enough that it cannot be held during a security conference, the damage could be quite major.

Mile high fence (1)

someara (1342897) | more than 5 years ago | (#24561677)

I'm surprised they didn't mention the fact that anyone can "hack" their way into the MBTA subways by simply sticking their arm between the doors and activating the "exit" side censors.

Vague titles for security talks (2, Insightful)

Deagol (323173) | more than 5 years ago | (#24561729)

There have been a number of presentations lately that have been silenced by private companies before a conference, either by injunction or under the table (I'm thinking of Apple here). How long before we see conference talks being titled as clearly as most software patents? "Some Group Discusses Some Weakness In Some Company's Software" Tuesday at Defcon. If this gets out of hand, I wouldn't be too surprised if we start seeing some subtle obfuscation of what the true nature of some talks are about.

Five Dollar Foot Longs (1, Funny)

Anonymous Coward | more than 5 years ago | (#24562029)

I just hope the courts don't take away that excellent Five Dollar Foot Long deal.

This case presents an example of pure censorship. (1)

MarkvW (1037596) | more than 5 years ago | (#24562203)

The Transit Authority's position seems to boil down to this quote from their expert:

"In these circumstances, without solid assurance that the MIT Undergrads' activities do not pose an immediate threat to the Fare Media System's integrity and security, the required course in my opinion is to conclude that the activities do pose an immediate threat, and to act, as the MBTA is, to mitigate that threat through direct Court intervention."

The Transit Authority's position seems to be this: We think that we're secure, but we are not absolutely sure that we're secure. These people say that we are not secure. We asked them to tell us how we're not secure. They wouldn't tell us. We don't know if they're for real or not, so we need a judge to make them stop because they might be for real.

If I've got it right, this is pretty far out. The transit authority cannot even establish a factual predicate sufficient to show that the presenters have knowledge that would or could damage the transit authority. This would seem to present a really big causal gap in their case.

The trial judge must have had a brain-lapse. This case is about hard-core censorship. The presenters can only defend themselves if they come out with their information before the censor (i.e., the tribunal). This shouldn't have to be their burden. The plaintiffs should have to prove that the presenters have something really bad and dangerous.

The temporary injunction in this case is offensive in this case because it appears to be based only on this set of facts: Four dudes are going to talk in some unknown way about Transit Authority security.

If I develop a method sufficient to allow me unilateral control of the entire US nuclear missile arsenal (or the Transit Authority's bank accounts), I would surely hope that some federal judge would slap a prior restraint on me to keep me from blabbing it to the world.

Re:This case presents an example of pure censorshi (2, Insightful)

nomadic (141991) | more than 5 years ago | (#24562315)

If I've got it right, this is pretty far out. The transit authority cannot even establish a factual predicate sufficient to show that the presenters have knowledge that would or could damage the transit authority. This would seem to present a really big causal gap in their case.

"We're going to give a presentation on how to crack the MBTA passes" seems like a pretty good factual predicate.

Re:This case presents an example of pure censorshi (1)

russotto (537200) | more than 5 years ago | (#24562333)

If I develop a method sufficient to allow me unilateral control of the entire US nuclear missile arsenal (or the Transit Authority's bank accounts), I would surely hope that some federal judge would slap a prior restraint on me to keep me from blabbing it to the world.

Not a chance. In the latter case, the Transit Authority won't be able to afford a lawyer. In the former case, the judge can be easily convinced that the security of his hometown against nuclear missiles depends on ruling in your favor.

Mike D (1)

dalrympm (633053) | more than 5 years ago | (#24562721)

I just want to say that having read Exhibit 1, I applaud the authors for writing a very succinct and readable account of the vulnerabilities of the MBTA system. It seem implausible to me that anyone (even the pointy hair types) could read that assessment and not fully comprehend the situation at hand. It makes me wonder who Zack Anderson, Russell Ryan and Alessandro Chiesa work for. I'm sure Google will tell me.

Re:Mike D (1)

dalrympm (633053) | more than 5 years ago | (#24562747)

Oh, I guess I should read more thoroughly. They were the three students that were going to present at Defcon. Well, they should get A's for the clarity of their report.

the real purpose (0)

Anonymous Coward | more than 5 years ago | (#24562735)

the goal of the transit authority is only to tie this up in court till the conference is over. at that point, presenting the research at the conference will be a moot point.

is Captain Crunch still in jail? (0)

Anonymous Coward | more than 5 years ago | (#24562797)

For doing the same thing trying to fix commuter train ticket vulnerabilities?

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...