MIT Students' Gag Order Lifted

kdawson posted more than 6 years ago | from the common-sense-descends dept.

The Courts 160

mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days. "Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."

They never signed a non disclosure contract (4, Insightful)

neoform (551705) | more than 6 years ago | (#24663019)

Why would exposing the MBTA's secrets be against the law? Realistically, that's all they've done, they put together a presentation on flaws in their system, security firms do this all the time. Nice to see a judge make the right decision.

Re:They never signed a non disclosure contract (4, Insightful)

geogob (569250) | more than 6 years ago | (#24663131)

I think the idea was that the information will create prejudice and loss of income for the MBTA. And that hypothesis will probably turn out to be true if they don't do anything about the problem.

Not doing anything about the problem is the most likely course of action at this point. Nice to see that a judge won't be giving out a gag order so easily on someone based on the fact that someone else is not going to do its job (or do it correctly).

Re:They never signed a non disclosure contract (5, Insightful)

macdaddy (38372) | more than 6 years ago | (#24663775)

Because it's embarrassing to somebody in power. Simple as that.

Re:They never signed a non disclosure contract (1)

fishbowl (7759) | more than 6 years ago | (#24663853)

>Because it's embarrassing to somebody in power. Simple as that.

Somebody without sufficient power to persuade the government agency he works for to become embroiled in a First Amendment case that would take years and cost millions of dollars.

They can't hold their talk now, can they? (0)

Anonymous Coward | more than 6 years ago | (#24663033)

How is the MBTA going to correct that mistake?

Re:They can't hold their talk now, can they? (4, Insightful)

Ukab the Great (87152) | more than 6 years ago | (#24663105)

No clue. Litigation tends to be the last refuge of the incompetent.

Re:They can't hold their talk now, can they? (1)

pilgrim23 (716938) | more than 6 years ago | (#24663133)

Query: What exactly was the flaw under discussion?

Re:They can't hold their talk now, can they? (3, Funny)

Anonymous Coward | more than 6 years ago | (#24663303)

>Query: What exactly was the flaw under discussion?

Question: Why do you prefix your questions with query?
Statement : I find it sorta redundant.

Re:They can't hold their talk now, can they? (-1, Troll)

corsec67 (627446) | more than 6 years ago | (#24663347)

I find people saying "Can I ask you a question?" is worse.

My response is often "You just did."

Re:They can't hold their talk now, can they? (5, Funny)

Anonymous Coward | more than 6 years ago | (#24663669)

>I find people saying "Can I ask you a question?" is worse.

>My response is often "You just did."

And of course they immediately say "Can I ask you another question?" to which you reply "You just did."

Finally they say "Can I ask you 2 questions?"

And having already identified yourself as a jerk you say "No."

Re:They can't hold their talk now, can they? (0)

Anonymous Coward | more than 6 years ago | (#24663973)

It's just another way of saying, "Can I pick your brain?" or "Do you have time to discuss something?"

Re:They can't hold their talk now, can they? (0)

Anonymous Coward | more than 6 years ago | (#24664141)

In Spanish, they use the upside down question mark for this purpose.

Re:They can't hold their talk now, can they? (0)

Anonymous Coward | more than 6 years ago | (#24664679)

Maybe he's been playing too much KOTOR:

http://en.wikiquote.org/wiki/HK-47

Re:They can't hold their talk now, can they? (5, Informative)

Anonymous Coward | more than 6 years ago | (#24663431)

Both the magnetic stripe card and the chip card used for electronic payment of public transport fares in Boston are flawed and allow several types of attacks which result in free rides. The hack of the chip card is an implementation of an older, less exploitative hack of the Mifare classic chip which is used in many public transport systems and other prepaid applications all over the world.

Re:They can't hold their talk now, can they? (1)

pilgrim23 (716938) | more than 6 years ago | (#24664055)

Thank You.
Media contained much hullabaloo about the flaw, but no clear explanation of what was the nature of the flaw...till now.
And to the other posters: I considered my way of phrasing the interrogative clear and unmistakable English. If it was not, then I apologize for any confusion.

Re:They can't hold their talk now, can they? (4, Funny)

Tenebrousedge (1226584) | more than 6 years ago | (#24664363)

Your English is both clear and unmistakable. That may have been your problem. Next time, consider adding in an inane meme, such as:

"Imagine a beowulf cluster of MBTAs!"

or

"The MBTA is not a big truck. It's a series of tubes!"

Also, consider to add several speling and/or grammatical error. This will lend to the impression that you are either a caffeine-soaked systems engineer who has been sitting in front of a terminal for eighty straight hours, or a semi-literate American of the species cellarcola nerdus, both of which are held in high regard here.

Accordingly, the dialect best suited to effective communication on slashdot is lolspeak. [speaklolspeak.com]

Re:They can't hold their talk now, can they? (3, Insightful)

PopeRatzo (965947) | more than 6 years ago | (#24664057)

>Litigation tends to be the last refuge of the incompetent.

Here is evidence that a low UID does not insure a clear mind.

Maybe you should have said "'frivolous' litigation is the last refuge of the incompetent"?

Litigation is one of the pillars which holds up a Rule of Law and provides some path to fairness and justice in a free society. Considering the startling consolidation of social power in the hands of corporate ownership and authoritarian fanatics, you may yet see what it's like to live in a society without litigation. I guarantee you're not gonna like it, Ukab.

Re:They can't hold their talk now, can they? (1)

geobeck (924637) | more than 6 years ago | (#24664357)

>Litigation is one of the pillars which holds up a Rule of Law and provides some path to fairness and justice in a free society... Considering the startling consolidation of social power in the hands of corporate ownership and authoritarian fanatics, you may yet see what it's like to live in a society without litigation.

Protracted litigation is only possible with enough money. And who has that kind of money besides corporate owners and authoritarian fanatics?

Re:They can't hold their talk now, can they? (1)

recharged95 (782975) | more than 6 years ago | (#24664723)

And that's why Justice is blind. The incompetent actually does have rights! Unfortunately.

the terrorists have won (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24663037)

Are you going to vote Barack Hussein Osama into the white house?

Re:the terrorists have won (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24663153)

Spork. It's not just for breakfast anymore.

Re:the terrorists have won (0, Interesting)

Anonymous Coward | more than 6 years ago | (#24663273)

They did win, they hated our freedom, so we limited it. I think you're right, though. Obama will help reverse some of that.

good (1)

dmitrygr (736758) | more than 6 years ago | (#24663059)

About time! The whole idea was crazy. If i were them i'd "accidentally" leak it if this did not happen... This sort of information should be freely available to encourage the system being fixed...

Re:good (4, Informative)

Dogun (7502) | more than 6 years ago | (#24663171)

Actually, if you had access to PACER, you could read the version of the presentation the students gave to the MBTA, including the secret key and a few other details that the MIT students were intending to leave out of the DEFCON presentation.

IOW, the information is already leaked, and it was the MBTA that leaked it.

I use the past tense above because I don't have access to PACER and I very much hope they got around to censoring that bit of info from the MBTA's submissions.

Working As Intended (4, Funny)

_Sprocket_ (42527) | more than 6 years ago | (#24663075)

Of course, this is a victory for the MBTA. They've managed to derail the conference presentation. Objective met.

We all know this will effectively bury the information. Bureaucrats understand that communication is impossible outside of face-to-face meetings. There's nothing that could possibly allow dissemination of this potentially damaging (read: embarrassing) information now that the conference is over. Situation handled. Bullet dodged.

Re:Working As Intended (1)

neoform (551705) | more than 6 years ago | (#24663147)

I'm not so sure about that. The conference was "derailed", but all the information that was going to be presented was made available to everyone. Not only that, but there was a tremendous Streisand effect.

Re:Working As Intended (4, Insightful)

rootofevil (188401) | more than 6 years ago | (#24663463)

agreed on the streisand effect.

i even heard a well written and clearly informed piece on NPR, that discussed the potential constitutional issues and the chilling effect this would have on any security research.

granted NPR doesn't have the distribution of fox or cnn, but it's still more mainstream than /.

Re:Working As Intended (3, Informative)

postbigbang (761081) | more than 6 years ago | (#24663697)

Umm, actually, NPR is heard in more places in the US and on Earth than Fox and CNN. It can also be streamed easily. NPR is also sent through translator sites to remote parts of the US that extend the reach where no one else goes, like rural Nevada, California, and so on.

AFR and AFN also carry a lot of NPR, and news feeds also extend to the CBC, BBC, RCI, and other sites/broadcasters as well. The news is out. As it should be.

Re:Working As Intended (4, Funny)

jacquesm (154384) | more than 6 years ago | (#24663529)

*whoosh*...

Re:Working As Intended (0, Offtopic)

_Sprocket_ (42527) | more than 6 years ago | (#24663559)

You're not thinking like a bureaucrat.

Re:Working As Intended (2, Funny)

Shadow Wrought (586631) | more than 6 years ago | (#24663235)

Yep. They needed this result before the conference. Unfortunately, the Courts work at their own pace, and since the MBTA published everything in court documents already public, they will have only themselves to blame if anything nefarious happens.

Of course if there had been an Ignignokt [wikipedia.org] slide they would've all been shot.

Re:Working As Intended (0)

Anonymous Coward | more than 6 years ago | (#24663817)

>Of course if there had been an Ignignokt slide they would've all been shot.

Congratulations! You are the first person to make such a joke. I think you are too smart for Slashdot. Have you tried Fark.com?

PS - No, I am not from Boston, so a reply such as "wow I touched a nerve" or some other such nonsense is not applicable.

Good Call (5, Insightful)

maz2331 (1104901) | more than 6 years ago | (#24663087)

It looks like the judge made a pretty good call in this case. What he really rejected was the MBTA lawyers' assertion that it was an act prohibited by the law, and not exposing the agency's incompetence.

Really, bugs aren't fixed by just hiding them.

FTA:

>MBTA said in documents filed with the court that fixing the security flaws would take five months. ("Students have the ability to cause significant harm to the CharlieTicket system, during the roughly five-month window that remedial actions will require.")

Actually, the fact that they implemented a seriously flawed system is the problem, and the students' bringing it to light may suck for MBTA. The proper solution is for them to fix their system and, if necessary, sue the vendor for the costs.

Re:Good Call (2, Insightful)

Hatta (162192) | more than 6 years ago | (#24663247)

And the judge before him quite plainly made a bad call. A gag order in this situation is quite plainly unconstitutional, yet there's no recourse for the victims of that ruling. This is a fundamental problem with our system.

Speak Anyway (1)

autocracy (192714) | more than 6 years ago | (#24663759)

I think they should have just gone ahead with the presentation. Contempt of an invalid order doesn't stand, does it?

Re:Speak Anyway (1)

NeoSkandranon (515696) | more than 6 years ago | (#24663953)

If you're willing to gamble that it will later be found invalid...

Re:Speak Anyway (2, Informative)

harlows_monkeys (106428) | more than 6 years ago | (#24664423)

It wasn't an invalid order.

Re:Good Call (1)

Atlantis-Rising (857278) | more than 6 years ago | (#24663913)

In what way is it unconstitutional?

Re:Good Call (1)

tinkerghost (944862) | more than 6 years ago | (#24664111)

First amendment grounds, the problem is that they issued an order that engaged in prior restraint. You can sue someone for something afterwards, but you generally can't require them to not say it at all. This judge issued the TRO so he had time to look at the facts - the MBTA was arguing something novel, when he looked at the facts, he tossed the MBTA's argument out the door. The problem is that the TRO became a de facto RO because the conference is already over.

Re:Good Call (2, Insightful)

Hatta (162192) | more than 6 years ago | (#24664139)

Prior restraint is a violation of the first amendment protection of free speech.

Re:Good Call (1)

iminplaya (723125) | more than 6 years ago | (#24664197)

For starters it violated the 1st, 9th, and the 14th(section 1) amendments.

Re:Good Call (1)

MarkvW (1037596) | more than 6 years ago | (#24664277)

The question of constitutionality was NOT ADDRESSED.
The judge held that pleaded statute did not support the injunction.

You can't just walk into court and enjoin somebody from doing something. To get an injunction, you have to establish two things:
(1) The law authorizes the injunction based on the facts you have; and
(2) The constitution does not bar you from getting that injunction.

The MBTA lost because they could not prove the first thing.

Now we'll see if MBTA wants to torture these three students with a full-blown lawsuit.

Re:Good Call (1)

Hatta (162192) | more than 6 years ago | (#24664889)

>You can't just walk into court and enjoin somebody from doing something.

Apparently you can, because the MBTA did. DEFCON is over and the damage is done.

>To get an injunction, you have to establish two things:
>(1) The law authorizes the injunction based on the facts you have; and
>(2) The constitution does not bar you from getting that injunction.

Yet the judge issued the injunction without either, and like I said, there's absolutely no recourse against this incompetent judge.

Section 1983 can provide recourse (2, Interesting)

vrimj (750402) | more than 6 years ago | (#24664839)

There is a way to get the decision reviewed: because the MBTA is a state agency, the students can use 1983 to claim that in seeking a protective order under these conditions it deprived them of constitutionally protected rights.

They could counter-claim if the MBTA keeps up its suit or file on their own if it is dismissed.

Sure, it is just cash damages (including attorneys' fees), but it is recourse.

Re:Good Call (1)

dontPanik (1296779) | more than 6 years ago | (#24663405)

>The proper solution is for them to fix their system and, if necessary, sue the vendor for the costs.

But won't a hacker always find some sort of way to get around a security system?
Your solution is very idealist and to ask the MBTA to fix every problem that a hacker finds is asking a lot.
Anyways, do you really want companies suing contractors every time a hacker finds a bug in their system?
I know I don't want to keep fueling our bloated legal system.

Re:Good Call (4, Interesting)

Lobster Quadrille (965591) | more than 6 years ago | (#24663671)

In this case, yes.

The vendor has been selling a flawed system, both in design and implementation. Car manufacturers can't use incompetence as an excuse when their cars explode, and the vendor can't either.

In fact, the vendor has known about the flaws for quite some time, but has not fixed them (nor disclosed them).

It sounds to me like they deserve to be sued for damages.

You're right that we evil hackers are going to find ways around it anyways, but in this case, the vendor is grossly negligent, and the MBTA is trying to blame the people who found the problem, rather than the ones that created it.

Re:Good Call (5, Interesting)

_xeno_ (155264) | more than 6 years ago | (#24663447)

>MBTA said in documents filed with the court that fixing the security flaws would take five months.

I'd love to know how they plan on fixing it. The problem is that, rather than paying for the MIFARE cards with working encryption (3DES or AES) they went with the cheapest system which uses custom 48-bit encryption.

Short of replacing every single CharlieCard in existence, there is no fix.

What the MIT students did that went beyond cracking the MIFARE encryption was to reverse engineer what data was stored on the card.

Which means, knowing the T, that the "solution" will likely be to rearrange the data and continue using the same weak encryption, while lobbying for a new state law that makes reverse engineering illegal.

Card Cost? (1)

maz2331 (1104901) | more than 6 years ago | (#24663613)

Replacing all of the cards should be a minimal cost compared to, say, paying for one day's worth of fuel or employee health insurance.

Re:Good Call (1)

Fulcrum of Evil (560260) | more than 6 years ago | (#24664087)

I wonder if they'll clue in to the fact that reverse engineering is a fundamental part of their high tech industry.

Nah...

Re:Good Call (1)

jellomizer (103300) | more than 6 years ago | (#24664091)

The real question is how many people will bother getting a magnetic card writer de-encrypt the card, and rewrite their card just to ride the T. Unlike say an internet vulnerability you can get a small group of people causing huge problems, Unless they start selling these things on ebay or whatnot it is rather labor intensive and expensive to be to a dangerous level.

The bigger issue... (4, Interesting)

Asmor (775910) | more than 6 years ago | (#24664367)

The bigger issue here is how they're going to determine which Charlie cards are legit and which aren't. They can't exactly tell someone with, say, $20 on a charlie card that their money's gone.

Someone could easily get a bunch of charlie cards, put random amounts of money between, say, $20 and $25 (random so that there's no clear pattern which cards are faked and which legit) and then sell to people on the street. $5 for a charlie card with at least $20 on it.

Heck, it probably wouldn't be that hard to convince the buyers that it was legit. "Hey man, my niece was staying here last week and put too much money on this card... It's got over $20 on it, I'll give it to you for $5."

Re:The bigger issue... (1)

Free the Cowards (1280296) | more than 6 years ago | (#24664637)

Selling lots of cards below cost is a good way to attract the attention of the police and get put in jail.

This recently happened in Washington, DC. Some clever people figured out how to replicate fare cards. The way they did it, it would have been essentially impossible to catch them. But they didn't want free travel, they wanted cash, so they started selling the replicated cards. At that point the police caught on to what they were doing and now they're in prison.

48-bit card also deployed/cracked in Holland (2, Informative)

Anonymous Coward | more than 6 years ago | (#24664613)

Funny this came up. EXACTLY the same debacle has unfolded here in the Netherlands with the card scheme for the nationwide metro/train/tram system intended to replace the paper ticket system still in use today. (company NS - www.ns.nl).

Suffering from the universal upper management tendency toward self-harm through compulsive obsession with the bottom-line, they ignored whitepapers signed by the senior technical staff begging them to go with 3DES and AES. A couple of weeks after the (limited) trial roll out the card was cracked and an infinitely loadable version created and demoed by white/grey hats.

This is somewhat ironic as the Netherlands is one of the world's largest suppliers of smart card technology, and in Europe this is (was?) considered a "specialty" of theirs...

It also doesn't help that the company NS (Nederlandse Spoorweg or "Dutch Platform") is made of epic fail, but that's a rather long & distinctly boring story.

Sorry for the AC, posting from friend's house can't remember passwd (y i let ffox remember it for me v bad i know..)

Re:Good Call (1)

geekoid (135745) | more than 6 years ago | (#24664807)

The article I read said 6 bit encryption... 64 possibilities.

6 bit encryption (2, Funny)

DragonHawk (21256) | more than 6 years ago | (#24664865)

>The article I read said 6 bit encryption... 64 possibilities.

64 possibilities ought to be enough for anyone.

What?

Re:Good Call (1)

PMuse (320639) | more than 6 years ago | (#24664201)

>It looks like the judge made a pretty good call in this case. What he really rejected was the MBTA lawyers' assertion that it was an act prohibited by the law . . .

Interesting that the judge waited this long. He could have lifted the TRO days ago when the EFF lawyers first appeared in court. The judge really gave MBTA every opportunity to come up with something.

And they had nada.

Re:Good Call (0)

Anonymous Coward | more than 6 years ago | (#24664739)

No. The judge made the wrong call. DEFCON is now over. The students' audience is gone. MBTA have shut them up for as long as they need to, there's no real reason for them to try and keep the lid on this any longer.

The correct call would have been to settle the question quickly enough that the temporary order would (if appropriate) be lifted in time for the students to still give their presentation to their intended audience. This has played entirely into the MBTA's hands. Now all they have to do is wait until the MIT students organise another appropriate audience, bamboozle another judge into giving them a short-term (but long enough to last until the audience is dispersed) gagging order, rinse & repeat.

It's the whole free-speech-zones thing again, it's just the free-speech-zone is defined in time rather than space. If you can be shut up until the person you actually want to talk to is no longer in a position to listen, you don't have free speech.

HA! (5, Funny)

AndGodSed (968378) | more than 6 years ago | (#24663111)

>the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses.

Yeah - real successful law that.

Re:HA! (1)

snarkh (118018) | more than 6 years ago | (#24664269)

That's why we don't have worms and viruses any longer.

Bad Lawyers? (5, Funny)

TheNecromancer (179644) | more than 6 years ago | (#24663155)

>Lawyers for the MBTA claimed Tuesday they had proof the students had violated the law, but stopped short of specifying what they did.

Wow, I can just see these lawyers:

Lawyer: "They broke the law. We have the proof."
Judge: "What is your proof?"
Lawyer: "Um, they...uh, yeah, they just broke the law."

Re:Bad Lawyers? (1, Funny)

Anonymous Coward | more than 6 years ago | (#24663265)

Not much different from a typical RIAA file-sharing case, then.

Re:Bad Lawyers? (1)

daveschroeder (516195) | more than 6 years ago | (#24663931)

Well, the third slide of their presentation [mit.edu] jokes about hoping their talk isn't "evidence in court", and the fifth slide proudly trumpets, "AND THIS IS VERY ILLEGAL!"

I realize that here on slashdot, it's fashionable to always err on the side of disclosure in the face of any other concerns, and I can certainly argue myself for the benefits of talking about such issues instead of sweeping them under the rug and pretending they don't exist; the notion that if these students can figure it out, anyone can.* Indeed, many compelling such arguments can be made.

However, there is a balance; namely, that entities, even (especially?) public entities providing infrastructure and transportation services, don't like their vulnerabilities paraded around for all to see. Security through obscurity isn't security on its own, but security through obscurity is a time-tested and reliable component to any system of security, and it is always balanced with cost, difficulty, technical issues, and other concerns.

It's easy to sit here and say that because they were so "cheap", they are getting what they "deserve" by having heroic, bright, geeky MIT students humorously show how they can own them. Has anyone ever considered that public agencies are pulled in n different directions -- including financially and technically -- and sometimes the solution that comes out at the end is simply making the best of what imperfect resources they've got?

When the presenters themselves are not even hiding the questionable legality of what they demonstrate -- even though it's just "talk", like "talking" about how to kill someone with poison, as opposed to doing it -- speech has consequences, and sometimes those consequences will result in things like temporary injunctions, and agencies who serve at the pleasure of the people trying to protect what semblance of security they're able to hold together.

Yes, this is all fun, and clever, and interesting. But why does this seem to be viewed, here, as the MIT students being 100% in the right, and the MBTA being 100% in the wrong?

* This is actually debatable. These are very bright people, and just because they can figure something out, it doesn't at all mean "anyone can". It means people with the means, time, expertise, and will may be able to duplicate what they have done...and will be able to do so a LOT easier when the work has already been done for them.

Re:Bad Lawyers? (1)

ceejayoz (567949) | more than 6 years ago | (#24664129)

>Well, the third slide of their presentation jokes about hoping their talk isn't "evidence in court", and the fifth slide proudly trumpets, "AND THIS IS VERY ILLEGAL!"

None of which establishes that they did anything illegal.

"Here's how to grow marijuana - remember, it's illegal!" is VERY different from "I grew marijuana".

Re:Bad Lawyers? (2, Interesting)

MarkvW (1037596) | more than 6 years ago | (#24664795)

It ALL depends on the context. If I tell somebody how to grow marijuana (even with the silly disclaimer), and I have the intent to help them grow marijuana, then I have committed the crime of growing marijuana under an accomplice theory (assuming that it is a crime).

Another example: If I'm standing in a crowd telling one person how to kill another person, and I intend for the killing to happen, and if the killing does in fact happen, then I committed murder under an accomplice theory. Mob bosses have considerable trouble with this kind of theory all the time. Saying "I told him HOW to kill the victim" instead of "I told him to kill the victim." will NOT shield the speaker if the speaker had the intent to cause the victim to be killed. The speaker is still an accomplice.

So, if I'm standing outside the MBTA and I'm handing out "Here's How to Cheat the MBTA and Get A Free Ride" information and I have the intent to help people cheat the MBTA, then I will be committing the crime of theft (or larceny, and who knows what else) if somebody does actually use my information to steal a free ride.

You ask "how can intent be proven?" The answer is simple: A jury of your peers gets to decide, based on the evidence presented. Intent + Assistance + Commission of the Crime by Another is enough to prove a crime under the law of most states.

The Constitution is the final level of defense for the three students, but that's too much to write about here. Think about the "Hitman" book and the court battles it spawned.

Re:Bad Lawyers? (1)

Fulcrum of Evil (560260) | more than 6 years ago | (#24664149)

>However, there is a balance; namely, that entities, even (especially?) public entities providing infrastructure and transportation services, don't like their vulnerabilities paraded around for all to see.

Sucks to be them; I don't like paying my mortgage, but I like living in a house.

>Has anyone ever considered that public agencies are pulled in n different directions -- including financially and technically -- and sometimes the solution that comes out at the end is simply making the best of what imperfect resources they've got?

It's occurred to me that this is Boston, and they're probably just cheap.

>When the presenters themselves are not even hiding the questionable legality of what they demonstrate -- even though it's just "talk", like "talking" about how to kill someone with poison, as opposed to doing it -- speech has consequences, and sometimes those consequences will result in things like temporary injunctions, and agencies who serve at the pleasure of the people trying to protect what semblance of security they're able to hold together.

Why would you grant an injunction (prior restraint) for something trivial like this when publishing bomb plans and advice on how to get away with murder is protected speech?

>just because they can figure something out, it doesn't at all mean "anyone can".

Fine, substitute 'any group of 10,000 people has someone who can'. We have 30,000 of those in this country.

Re:Bad Lawyers? (1)

bob_herrick (784633) | more than 6 years ago | (#24664259)

This seems a bit harsh:

It's occurred to me that this is Boston, and they're probably just cheap.

Last I looked, municipalities have limited abilities to raise funds. If they need more money it means spending less somewhere else (which will gore some oxen) or raise taxes and fees (which will gore others). I know I don't vote to approve every bond issue, sales tax increase, or property tax surcharge that gets proposed in my city, and I imagine that might just be true for a majority of voters in Boston.

Everyone works under fiscal constraints, and constraints always mean compromises. While I can understand that the message from the GP post may be unpalatable, it is a legitimate point of view.

Re:Bad Lawyers? (1)

Fulcrum of Evil (560260) | more than 6 years ago | (#24664457)

After the lite brite fiasco, I'm not willing to cut them any slack.

Should Doctors Not Talk About Medicine? (4, Insightful)

EgoWumpus (638704) | more than 6 years ago | (#24664411)

You actually make a really good point; what about poison? If one were to discover a poison or pathogen that might kill a human, were it to be utilized or delivered, along with the reasons why and the possible delivery methods, no one would object to sharing that information with doctors.

Further, no one would claim that you were doing something illegal by spreading that information. Ironically, nor would anyone blame the human body for having that weakness; it wasn't planned for, developed around, whatever.

The fact of the matter is that the system is there, it's vulnerable, and we know how it's vulnerable. There is no convincing reason to try and quash that knowledge - if that is even possible. It is immaterial that it took bright people to figure it out. It is immaterial that without a fix money might be lost. What is material is recognizing things for what they are and reacting to the truth of the situation, not trying to maintain a status quo.

And that is why it's perceived that the MBTA is in error here; they're trying to live in a world where the exploit doesn't exist. But that world itself does not exist.

Re:Bad Lawyers? (1)

Mansing (42708) | more than 6 years ago | (#24664215)

Lawyer: "They broke the law. We have the proof."
Judge: "What is your proof?"
Lawyer: "Well, thinking about breaking the law is a KIND of proof ...."

Re:Bad Lawyers? (0)

Anonymous Coward | more than 6 years ago | (#24664789)

you mean they "pulled a SCO"?

$5000 worth of damages? (5, Insightful)

Ramses0 (63476) | more than 6 years ago | (#24663343)

That's an interesting argument...

Does a mechanic cause $5000 worth of damage when he points out that your axle is broken and needs replacement?

Can you cause damage to a system that has intrinsic vulnerabilities?

Obviously people taking advantage of disclosed vulnerabilities should be punished under applicable laws (as with simple copyright violation) for whatever damages they caused, but I tend to agree that you can't really pin damages on the discloser.

Now some other b.s. charge about reckless endangerment or speech issues, but probably not damages.

--Robert

Re:$5000 worth of damages? (0)

Anonymous Coward | more than 6 years ago | (#24663449)

Obviously people taking advantage of disclosed vulnerabilities should be punished under applicable laws

Then I guess they should be punished, since the document they distributed admits to defrauding the system. The damages were far less than $5000 from what I saw.

Re:$5000 worth of damages? (2, Interesting)

WiredNut (1287460) | more than 6 years ago | (#24663601)

> Does a mechanic cause $5000 worth of damage when he points out that your axle is broken and needs replacement?

Not analogous. How about a mechanic who holds a press conference and explains how to break into your car? Or a locksmith explaining how to break into your house? Not that these situations should be or are illegal, but they are a better analogy if you really want to compare this to consumer product repair or maintenance. Which I don't. But I guess I did anyway. Damn /.

Re:$5000 worth of damages? (1)

multisync (218450) | more than 6 years ago | (#24663847)

How about a mechanic who holds a press conference and explains how to break into your car?

I think a better analogy would be writing a book [wikipedia.org] that exposes the reluctance of the auto industry to invest in the safety of their product and their complicity in the deaths of tens of thousands of motorists.

Re:$5000 worth of damages? (3, Interesting)

plutoXL (1314421) | more than 6 years ago | (#24663663)

Does a mechanic cause $5000 worth of damage when he points out that your axle is broken and needs replacement?

Well, how about if your car had a very bad and insecure locking and starting mechanism, and your mechanic told all your neighbours how to get in and start your car?

Don't get me wrong, I think the gag order was probably stupid - I don't know the whole story...

But I do think your analogy is somewhat flawed. :/

Re:$5000 worth of damages? (2, Insightful)

Vegeta99 (219501) | more than 6 years ago | (#24664189)

His analogy may be flawed, but yours is too!

If your mechanic said your axle was broken and you refused to fix it, in PA, he would refuse to give you an inspection sticker - thus telling everyone in the public that you're too much of a tool to fix your broken stuff. Same principle.

Re:$5000 worth of damages? (1)

plutoXL (1314421) | more than 6 years ago | (#24664759)

Well, not the same principle. In his analogy publishing the information tells everyone that you're a tool.
In mine it makes the exploit of your toolness public knowledge.

The point of the case is not just that those guys pointed to an unfixed security hole, but that they were about to publish a way to abuse that security hole.

Note that I'm not getting into rights and wrongs here. :)

Re:$5000 worth of damages? (2, Funny)

cwAllenPoole (1228672) | more than 6 years ago | (#24663705)

Does a mechanic cause $5000 worth of damage when he points out that your axle is broken and needs replacement?

Only if he hurts your axle's feelings.

Re:$5000 worth of damages? (0)

Anonymous Coward | more than 6 years ago | (#24663753)

> Does a mechanic cause $5000 worth of damage when he points out that your axle is broken and needs replacement?

SHOOT THE MESSENGER!

Win the battle but lose the war! (4, Interesting)

Newer Guy (520108) | more than 6 years ago | (#24663519)

Even though the judge let the gag order expire, by issuing it in the first place, the MBTA essentially got what they wanted: to keep the information from those participating in Defcon.

Win the battle, lose the war

Re:Win the battle but lose the war! (2, Interesting)

Lobster Quadrille (965591) | more than 6 years ago | (#24663751)

Except the information still got out, through several means, got more press attention than it would have received otherwise, and made them look like morons.

They lost the battle, the war, and a fair amount of blood.

Re:Win the battle but lose the war! (2, Insightful)

Sylver Dragon (445237) | more than 6 years ago | (#24663757)

Of course, by suing, they have probably created far more interest in the problem than a presentation at Defcon would have. The presentation would have been one of several interesting presentations, but would probably not have gained wide internet fame. Now, there are a bunch of people following it, and when the information hits the internet more people will look at it.
I'd say that this is more the other way around: Lose the battle, but win the war.

Re:Win the battle but lose the war! (2, Insightful)

mr_mischief (456295) | more than 6 years ago | (#24663861)

If only there was some way to disseminate information to a technical audience across long distances electronically...

Re:Win the battle but lose the war! (0)

Anonymous Coward | more than 6 years ago | (#24664435)

the MBTA essentially got what they wanted: to keep the information from those participating in Defcon.

Win the battle, lose the war

Not really. Those who are interested in the info will still get it. In the end, nothing was accomplished by this legal nonsense.

Re:Win the battle but lose the war! (1)

geekoid (135745) | more than 6 years ago | (#24664837)

too bad those neophytes that go to Defcon have no way to communicate with computers~

Re:Win the battle but lose the war! (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24664869)

I'd say they were subject to the Streisand Effect.

Their goal of keeping the information out of the mainstream 'public's' eye backfired.

Actually, I'd like to thank the MBTA for the amount of press this has garnered, and the added curiosity it's given me. I probably would have only skimmed over the information before, instead of going to great lengths to review the much more in-depth background of the subject.

Thanks again, MBTA!

When did we stop being people? (1)

howardd21 (1001567) | more than 6 years ago | (#24663571)

I like this from the article:
On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people,...

Wasn't this a presentation planned for the DefCon conference, with a lot of /. like geeks?

Re:When did we stop being people? (1)

eat here_get gas (907110) | more than 6 years ago | (#24663837)

Yes, but as was pointed out in an earlier comment (I didn't RTFA), they were going to leave out the critical details already published by the MBTA....

Re:When did we stop being people? (2, Informative)

gnarlyhotep (872433) | more than 6 years ago | (#24664711)

For the love of Aphrodite's heaving bosom, do you read entire sentences?

meant to be delivered to people, and was not a computer-to-computer 'transmission.'

The failed point was that the communication in question was from one person to another, and not from one computer to another.

Where can I find a copy? (0)

Anonymous Coward | more than 6 years ago | (#24663807)

Okay, so where can I get a copy of the presentation?

Re:Where can I find a copy? (1)

multisync (218450) | more than 6 years ago | (#24664685)

Okay, so where can I get a copy of the presentation?

I think they should go ahead and give their presentation and include the events of the past week in it. In 2006, Steve Rambam was arrested by the FBI minutes before he was to give his "Privacy is Dead" presentation at the HOPE conference. Of course, the charges were dropped - after the conference was over.

He went ahead and gave his presentation [hopenumbersix.net] a couple of months later.

I am also reminded of the Russian hacker Dmitri Sklyarov [wikipedia.org], who was prevented (by way of arrest) from giving a presentation at the 2001 DefCon titled "eBook's Security -- Theory and Practice." According to the Wiki page I linked to, "On December 18, 2002 following a two-week trial in San Jose, California, a jury found that Elcomsoft (the company Sklyarov worked for) had not wilfully violated the U.S. law."

So the tactic seems to be abuse the law in order to suppress speech you don't like, since there are apparently no consequences for doing so.

Another possible example of this tactic occurred last week when the IOC attempted to use the DMCA to force YouTube to take down a video about a Tibetan protest at the Chinese consulate in New York. This one may have been a mistake, as the title of the video was apparently "Beijing Olympics Opening Ceremony." But that would make it Trademark - not copyright - infringement, so the DMCA take-down notice was entirely inappropriate and sure gave the impression that their motive was to prevent embarrassment to China, not protect their brand.

Hope and Change ... Change and Hope! (0)

Anonymous Coward | more than 6 years ago | (#24664045)

-- Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. --

Uhm, I suppose those "many" would be people who have no idea what the First Amendment means and that wear tin foil hats and vote for a vague promise of hope and change.

Courts and the Constitution (0)

Anonymous Coward | more than 6 years ago | (#24664425)

When you go into any courtroom today the last thing the judge wants to hear about is "the Constitution". If you have a decent argument, can afford to go through the appeals process, get your case heard at the Federal district level, and are lucky enough to get the Supreme Court to agree to hear the case, THEN you get to address the Constitutional issues.

This is ass backwards. The Constitution should be the FIRST thing that's addressed in a case like this. Constitutional considerations should trump every law that's ever been passed. You'd avoid messy "precedents", which govern 90% of what happens in the courts, whereby "since so-and-so violated the Constitution 25 years ago and it was OK then, so it's OK now" are allowed to happen.

Every judge in every courtroom in America should have to memorize the Constitution word-for-word and recite it verbatim every morning on-the-record to the court reporter. If they can't do it they shouldn't be judges.

wicked (0)

Anonymous Coward | more than 6 years ago | (#24664427)

Judge O'Toole KNOWS his tools! ;D
(they teach law at MIT? if not you got someone to hire)

Incredibly dumb (3, Insightful)

cdrguru (88047) | more than 6 years ago | (#24664547)

The general tone here seems to be that the only security that is worth anything is unbreakable and it is the responsibility of the implementer to make sure any system is secure against attacks. Well, sorry but your front door lock is clearly defective by those standards. As is every single door lock the world over.

See, the security really only needs to be "good enough". What is that? Well, for a front door lock it is enough to keep homeless people out of your house. A determined thief might be able to defeat it in less than a minute but it isn't intended for that - the really determined thief might use a chainsaw to get in just as easily.

The transit system was designed to validate cards and the so-called "security" is probably more of a validation measure rather than a defense against attacks. The idea that attacking the transit system should not be done and should be illegal seems to have gotten lost. What has happened is now the door is open for anyone to duplicate this work and ride free.

So what is the transit system supposed to do? Revamp the entire system at a cost in the millions? Ignore it and hope nobody ever uses this information? I suspect neither is going to happen, but the most sensible outcome would be to replace automation with human ticket agents. Unlikely to happen. I'd guess that millions of dollars will be spent to implement an utterly new, slightly more secure, different system that requires every single piece of hardware and software to be replaced. Which will then be "cracked" within a few months and the details made available to everyone that wants to ride free. The endgame is probably closing the transit system because by its nature it cannot be made completely secure.

I doubt there is an attack-proof and cost-effective solution to the "problem" that is user-friendly and reasonable for a transit system. Why are we so hell-bent on breaking down society that we can't have people just use and pay for a transit system?

Re:Incredibly dumb (3, Insightful)

Free the Cowards (1280296) | more than 6 years ago | (#24664683)

Guess what? If you give a presentation about how vulnerable standard front door locks are, and exactly how you can defeat them, nobody is going to put a gag order on you.

You are entirely within your rights to deploy an insecure system. But other people are entirely within their rights to talk about just how insecure your system is, and what its vulnerabilities are.

You don't get better locks by burying the information about how bad the existing ones are.

Free Security Analysis (2, Funny)

kmankmankman2001 (567212) | more than 6 years ago | (#24664731)

Gee, the MBTA had the students turn over not only their slide deck but a 30-page analysis of the security flaws. Most firms would end up paying something approaching the 6-figure range for a detailed security vulnerability analysis like that; they get it for free. AND sue the students. It's a win-win for incompetent government bureaucracy!

   

without the gag order i'd never seen it (3, Insightful)

thc4k (951561) | more than 6 years ago | (#24664749)

The funny thing is, without the gag order, it might not have appeared on /., the presentation might not have been posted in the comments and I would have never read it. So these kinds of "gag" orders are fine with me, as long as it's "no talking" only. I can read myself :-)
