Massachusetts Sues to Halt Defcon Subway Hacking Talk
Posted by
timothy
on Sat Aug 09, 2008 01:59 PM
from the this-has-not-been-cleared-with-upstairs dept.
According to CNET, "The state of Massachusetts has asked a federal judge for a temporary restraining order preventing three MIT students from giving a presentation on Sunday about hacking smartcards used in the Boston subway system." It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas. Update: 08/09 20:57 GMT by T : "Too late," says reader Bluey: "Injunction was already granted."
Related Stories
Hardware: Hacked Oyster Card System Crashes Again 95 comments
Barence sends along PcPro coverage of the second crash of London's Oyster card billing system in two weeks. Transport for London was forced to open the gates and allow free travel for all. "There is currently a technical problem with Oyster readers at London Underground stations which is affecting Oyster pay as you go cards only," explains the TfL website. This follows the first crash two weeks ago, which left 65,000 Oyster cards permanently corrupted. Speculation is increasing that the crashes may be related to the hacking of the Oyster card system by Dutch researchers from Radboud University, though TfL denies any link. Plans to publish details of the hack were briefly halted when the makers of the chip used in the system sued the group, although a judge ruled earlier this week that the researchers could go ahead. During the court action, details briefly leaked on website Wikileaks.
IT: EFF To Appeal Court Order Vs. Subway Hack Demo 189 comments
snydeq sends along InfoWorld coverage of the EFF's plans to appeal a US District Court order that kept three MIT students from presenting detailed flaws in the Massachusetts Bay Transportation Authority e-ticketing system at Defcon. And an anonymous reader points out that the MBTA, in addition to triggering the Streisand Effect, released in open court more information on vulnerabilities (PDF) than the students had any intention of presenting. See Exhibit 1 to this court filing.
IT: Gag Order Fuels Responsible Disclosure Debate 113 comments
jvatcw writes "The Boston subway hack case has exposed a familiar rift in the security industry over responsible disclosure standards. Many see the temporary restraining order preventing three MIT undergrads from publicly discussing vulnerabilities they discovered in Boston's mass transit system as a violation of their First Amendment rights. Others, though, see the entire episode as yet another example of irresponsible, publicity-hungry security researchers trying to grab a few headlines."
We discussed the temporary restraining order last weekend, and later the EFF's plans to fight it. CNet reports that another judge has reviewed the order and left it intact. Reader canuck57 contributes a related story about recent comments by Linus Torvalds concerning his frustration over the issue of security disclosure.
MIT Students' Gag Order Lifted 160 comments
mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days. "Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."
Hardware: Interview With MIT Subway Hacker Zack Anderson 113 comments
longacre writes "In his most extensive interview since the DefCon controversy emerged, MIT subway hacker Zack Anderson talks with Popular Mechanics about what's wrong with the Charlie Card, what happened at DefCon, and what it's like to tango with the FBI and the MBTA. The interview comes on the heels of Tuesday's court ruling denying motions by the MBTA to issue a preliminary injunction aimed at keeping the students quiet for a further five months."
IT: California's Wireless Road Tolls Easily Hackable 354 comments
An anonymous reader writes "Nate Lawson, a researcher at RootLabs, has found a way to clone the wireless transponders used by the Bay Area FasTrak road toll system. This means you can copy the ID of another driver onto your own device and, as a result, travel for free while others foot the bill. Lawson also raises the interesting point of using the FasTrak system to create false alibis, by overwriting one's own ID onto another driver's device before committing a crime. Luckily, Lawson wasn't sued before he could reveal his research, unlike those pesky MIT students."
oh good... let's all bury our heads... (Score:5, Insightful)
Rather than make sure they have a techie in attendance so that they may learn something and find a workaround for the issue, Boston's lawyers suggested that burying your head in the sand (or, alternatively, in the piles of garbage and crap in Boston) will solve the issue just as well. "As long as we don't let them say it publicly, it does not exist," one Boston official explained the position.
This is why I love government bureaucrats. They tend to be smarter than the average bear.
Re:oh good... let's all bury our heads... (Score:4, Funny)
This is why I love government bureaucrats. They tend to be smarter than the average bear.
I was with you until right around... there.
Parent
Re: (Score:3, Insightful)
Re:oh good... let's all bury our heads... (Score:5, Funny)
Boston is merely afraid that this information will end up in Lunar hands. Entirely reasonable given that city's sad recent history.
Parent
Re: (Score:3, Funny)
http://www.boston.com/news/globe/ideas/brainiac/2007/01/attack_of_the_m.html [boston.com]
This should answer your confusion.
Re:oh good... let's all bury our heads... (Score:5, Interesting)
Parent
Re:oh good... let's all bury our heads... (Score:5, Insightful)
Maybe put the amount on the card, so the bus doesn't have to call home every time someone steps on a bus, but at least keep all transactions in a database so they can check for fraud after the fact.
I think you hit the nail on the head with this. I don't know about the Charlie card system, but the issue with many transit cards is that it's difficult or impossible for moving vehicles to always be able to check in with the network database to determine the value of an account. So the account value has to be stored on the card.
This is exactly like storing the value of your ATM or gift card on the card itself. But with ATMs and gift cards, the terminal where you use them is always going to have network access (or if it doesn't you probably won't be able to use the card).
Of course, even just storing an account number or identifier on a card doesn't make it fraud-proof. Magstripe cards are trivially easy to re-encode with only a few dollars' worth of equipment. Copying these can mean defeating physical access systems, being able to use someone else's gift card balance, or worse.
Parent
Re: (Score:3, Informative)
That's a pretty weak argument. All you need is a laptop with a cellular data connection. If you really have places where you can't get a cell signal, get the cell company to add
Re:oh good... let's all bury our heads... (Score:5, Insightful)
That's a pretty weak argument. All you need is a laptop with a cellular data connection. If you really have places where you can't get a cell signal, get the cell company to add a picocell at the bus stops or add a Wi-Fi hot spot. Odds are you won't have to add too many of them in any major metro area.
Well, I'm not the one making the argument, I'm just going by what I see being implemented in transit systems. Storing the value on the card means fast retrieval and processing, and no reliance on a network. What if the data link drops for some reason? What if it takes longer than usual to connect? Transit systems have schedules to keep (ideally!).
Furthermore, it's easy to say "get the cell company to add a picocell at the bus stops", but it's not as if a transit system can simply mandate that it be done. Who's going to pay for it? And at what point does the expense of ensuring reliable network connectivity become greater than simply expecting a certain percentage of fraud? After all, this is a transit system we're talking about, not a bank.
If you have access to somebody else's card, yes. Otherwise, if you are able to steal access, your number space is too small. Use a 256-bit number (or 1024-bit if you're really paranoid) and ensure that new numbers are assigned randomly within that space so that your odds of picking a valid number are remarkably close to zero.
I know. That's why I talked about copying. Plus, given that with things like gift cards, the identifier is often written on the card itself, sometimes you don't even need to have a card reader to get the information. Or, you have security leaks. When I was an undergrad, the University of Maryland inadvertently exposed the ID numbers of the entire university population through its LDAP entries. Those same IDs were used as identifiers on the magstripe cards that gave building access, and dining hall access.
Parent
Re:oh good... let's all bury our heads... (Score:5, Interesting)
Why should the value available on a smart card actually be something that can be changed by the person holding the card? Shouldn't the card just have an ID, and that ID is tied to an account, which is tied to a person?
With a correct implementation - that uses good cryptography - it is quite possible to have secure stored value cards. One upside to stored value cards, especially to slashdot readers, is that they help to protect our right to travel because they can be just as anonymous as cash.
Parent
Re:oh good... let's all bury our heads... (Score:4, Insightful)
However good the cryptography, such a card would be vulnerable to a "known plaintext" attack, since an attacker can see how the encrypted information changes as they alter the value of the card and compare several with the same value.
To make things easier these systems tend to use proprietary cryptography which equates to very poor cryptography. In the case of Mifare Classic this was described by Bruce Schneier as "kindergarten cryptography". Maybe they'd have done better to use something like the "Vigenere Cipher" which was at least considered unbreakable for 300 years.
Parent
Re:oh good... let's all bury our heads... (Score:5, Insightful)
Because the people designing these systems don't know what they are doing. This doesn't just apply to RFID systems. There was a case recently involving a magnetic strip card which could be "cloned" by using nothing more sophisticated than scissors/knife together with sticky tape/glue.
Shouldn't the card just have an ID, and that ID is tied to an account, which is tied to a person?
Unless it's intended to also use the system to track specific individuals then you don't need any such tying. Just a method of ensuring that every ticket has a unique ID, that only one instance of a ticket with a given ID is in use at any time in the system, and that a "never issued ID" or one reported lost/stolen cannot be used.
Maybe put the amount on the card, so the bus doesn't have to call home every time someone steps on a bus, but at least keep all transactions in a database so they can check for fraud after the fact.
A bus might well "call home" periodically anyway, for such things as uploading its position/CCTV footage/etc.; at this point it can check the tickets which have recently been used, if it isn't possible to operate a data link all the time.
It seems like the way they have it set up, would be the equivalent of having your bank account balance completely controllable by modifying the information on your bank card.
IIRC at one time it was possible to get around withdrawal limits by modifying/cloning cards since they used a read/write area to record this information on the card, so as to enable offline/batch operation of machines.
Even retail stores have this figured out so that their gift cards only hold a number, and the actual value on the card is stored in some computer database.
Probably only as a consequence of being exploited, though.
Parent
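The comments above argue over stored value versus an ID checked against a database. The following is an added example, not code from the thread, the MBTA or any card vendor: it shows a stored-value record authenticated with an HMAC bound to the card UID and a transaction counter, an offline reader that debits it, and a back-office reconciliation pass that catches what the MAC alone cannot, namely a valid older record written back to a card. The key, UIDs, reader names and record layout are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo key (assumption). A real system would derive a per-card key
# inside a secure element rather than share one key across all readers.
SYSTEM_KEY = b"constructed-demo-key-0123456789ab"


def _tag(uid: bytes, balance_cents: int, counter: int) -> bytes:
    """MAC over length-prefixed UID, balance and transaction counter."""
    msg = struct.pack(">B", len(uid)) + uid + struct.pack(">IQ", balance_cents, counter)
    return hmac.new(SYSTEM_KEY, msg, hashlib.sha256).digest()[:16]


def issue(uid: bytes, balance_cents: int, counter: int = 0) -> dict:
    """Card record as written to the card's memory at the ticket machine."""
    return {"uid": uid, "balance": balance_cents, "counter": counter,
            "tag": _tag(uid, balance_cents, counter)}


def verify(card: dict) -> bool:
    """Constant-time check that the record matches its MAC."""
    expected = _tag(card["uid"], card["balance"], card["counter"])
    return hmac.compare_digest(card["tag"], expected)


def debit_offline(card, fare_cents, reader_id, hotlist, log):
    """Reader with no network link: check the hotlist from its last sync and
    the MAC, debit, re-tag, and queue the transaction for upload.
    Returns the new card record, or None if the card is refused."""
    if card["uid"] in hotlist or not verify(card):
        return None
    if card["balance"] < fare_cents:
        return None
    updated = issue(card["uid"], card["balance"] - fare_cents, card["counter"] + 1)
    log.append((card["uid"], updated["counter"], updated["balance"], reader_id))
    return updated


def reconcile(log, issued_uids):
    """Back-office pass over uploaded logs: flag UIDs that were never issued
    and counters seen twice for one UID (two copies of one card in use)."""
    findings, seen = [], {}
    for uid, counter, _balance, reader_id in log:
        if uid not in issued_uids:
            findings.append((uid, "never-issued", reader_id))
        elif counter in seen.setdefault(uid, set()):
            findings.append((uid, "counter-reused", reader_id))
        seen.setdefault(uid, set()).add(counter)
    return findings


def demo():
    uid = bytes.fromhex("04a1b2c3")              # constructed UID
    log, hotlist = [], set()
    card = issue(uid, 1000)

    edited = dict(card, balance=9999)            # balance changed, old tag kept
    moved = dict(card, uid=bytes.fromhex("04ffffff"))  # record on another UID

    earlier_copy = dict(card)                    # valid record from before the debit
    card = debit_offline(card, 200, "bus-17", hotlist, log)
    replayed = debit_offline(earlier_copy, 200, "bus-42", hotlist, log)

    findings = reconcile(log, issued_uids={uid})
    hotlist.update(u for u, _, _ in findings)    # pushed to readers at next sync
    after_sync = debit_offline(replayed, 200, "bus-42", hotlist, log)
    return {
        "edited_ok": verify(edited),
        "moved_ok": verify(moved),
        "replay_accepted_offline": replayed is not None,
        "findings": findings,
        "refused_after_sync": after_sync is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Hotlisting a UID also blocks the genuine card, so an operator using this approach needs a re-issue path for the legitimate holder.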
Re:oh good... let's all bury our heads... (Score:5, Insightful)
Well, that does seem to be the goal of the US govt. at this point. The RealID (national id) alone seems to be a huge step in that direction. They aren't gonna let you travel without one soon...within the US even.
Parent
Re:oh good... let's all bury our heads... (Score:4, Insightful)
Parent
Re:oh good... let's all bury our heads... (Score:4, Informative)
I'd think giving a talk about it would be a slam dunk. If they rule against this, then it is really scary that our first amendment is gonna be in jeopardy. So far...describing how to do many things without inciting anyone to do it...has been protected speech.
Parent
Re:oh good... let's all bury our heads... (Score:5, Informative)
Parent
Re:oh good... let's all bury our heads... (Score:5, Insightful)
I don't agree with the Massachusetts decision to attempt to stifle the presentation. This was foolish on a number of levels, not the least of which was it will probably help draw far more attention to the hack than it otherwise would have obtained.
That being said, it is perfectly reasonable to not "fix" a system if the cost of the fix is more than the cost of fare evasion. Look - in many cities "evading the fare" is as simple as getting on the bus and choosing not to pay. These systems depend on users for the most part obeying an honor system with periodic random enforcement by transit personnel checking for passes / ticket validation. This is done across Europe and in a number of cities in Canada (not sure about the USA). Why do this? For starters most people aren't jerks, and pay their fares. Second, there will ALWAYS be a way to evade a fare system without massive (expensive) enforcement that would cost far more than the added fare revenue. You would not get on one of the systems where there is no ticket check on entry and then crow about how you evaded the system (or you wouldn't without looking like a complete dork).
It's worth noting that this injunction is not analogous to software companies hiding known exploits in their systems where their customers may suffer the consequences. Boston IS the end user.
Moving people from place to place should always be the highest priority of transit authorities. In general most people are good about paying their fares. Dealing with smalltime one-off thieves is a waste of their resources.
If you use the system without paying, you are a thief and you are doing a tremendous disservice to your fellow citizens.
Parent
Is MBTA actually going to do anything? (Score:5, Insightful)
Is MBTA actually going to get the card system provider to fix the problem? Because from what I've seen, you'll have a hard time even getting the department and the contractor to admit that the problem exists. And even if they do admit it, is the solution going to be any more than "it's unlikely people will exploit this"?
That sort of attitude seems to be how Maryland feels about its AccuVote TS voting machines. Three independent reviews have all revealed flaws with them, but we're still using them, despite the fact that those flaws essentially mean that the contractor has violated its agreement with the State.
Furthermore, I doubt much criminal activity is going to result from releasing the information. Only a few people are going to have the time and patience to actually follow the exploit through, and if the system is well-designed (though apparently it may not be), modifying card data shouldn't be able to damage or disrupt the system.
Parent
Re:Is MBTA actually going to do anything? (Score:5, Insightful)
One of the problems is that the MBTA is losing money like crazy, in spite of vastly increased ridership because of gasoline prices. They can't afford to do basic mechanical maintenance and now they have to redo their smart card system too!?
They were somehow able to "afford" the many, many millions of dollars required to install this slow, unreliable, and annoying smart card system. That expense was how they were able to justify the fare increase. I would be fine with an increased fare if it was used to improve service, but instead the service is now significantly worse than before, the smart card machines are terrible (every month I have to wrestle with it to get it to recognize my credit card to buy a pass, and I know others who have the same problem), and they haven't even accomplished the original goal.
And, of course, they voluntarily installed this terrible smart card system even after New York tried installing the same system, and it ended up so terrible that they voluntarily ate the lost money and went with another contractor. I never quite heard the rationale for failing to learn from their mistake...
So, yes, they are losing money like crazy, but my sympathy is limited. They've consistently shown that they don't really know what they're doing.
As for the card vulnerability: it's another demonstration of how worthless the system is, but it hardly matters. Part of the justification for the system was to make sure people paid their fares. It has been a dreadful failure at that, but whatever. The number of people who will go to all the trouble of counterfeiting their MBTA passes is dwarfed by the number that will simply trail someone else through the gates or hop on the green line without paying. This has always been the case. It's not a new or surprising point that secure cryptography cannot prevent social engineering. The fact that it turns out to be insecure cryptography just makes the whole thing more pathetic...
Parent
Frist Amendment (Score:5, Insightful)
Re:Frist Amendment (Score:5, Funny)
Who needs free speech anyway?
I can't say.
Parent
Re: (Score:3, Funny)
Re: (Score:3, Insightful)
The dissonance between your post and your sig is making my brain hurt.
Re:Frist Amendment (Score:5, Insightful)
What does free speech have to do with releasing software that will help people steal from the transit system? It sounds criminal to me, assisting people to steal.
Right... because clearly that's what the MIT students are trying to do. Help people steal. That was their plan all along...
It couldn't have anything to do with revealing flaws in RFID-based transit card systems that are being increasingly adopted by state and local governments all across the nation, and for that matter, the world. It couldn't have anything to do with shaming a government agency into actually getting on the ball and working with its contractor to improve security of its system. It couldn't have anything to do with plain and simply academic curiosity.
What's it got to do with free speech? Maybe that we think they ought to have the freedom to not only do the work they've done, but talk about it as well?
Parent
Re:Frist Amendment (Score:5, Interesting)
What does free speech have to do with releasing software that will help people steal from the transit system? It sounds criminal to me, assisting people to steal.
Everything. Perhaps because software, and more relevantly, the presentation, is expression and thus protected under the First Amendment? In a free society where participants are expected to take responsibility for both their own actions and the governance of that society, denying an individual information limits his freedom --knowledge really is power and thus important to freedom -- and destroys his ability to make good governing decisions. For any of us to actually be free, society has to make the fundamental assumption that the average individual will not use the powers given to them to commit criminal acts. You seem to be assuming the opposite. Even if you consider it from a "need to know" point of view (and you shouldn't): both the people who buy into this transportation system and the shareholders of the system, who I understand to be the public, have a right to know the strengths and weaknesses of this system. So they -- we -- the public, have a need to know this information to make the best decisions they can about this system. In fact, we the public have a need to know all things that occur in government, in government contracts and in the public life.
Also, I think you're a bit confused on what "assisting" means. There has to be stealing going on for anybody to be assisting in it, and I've seen no evidence that there is. By what I infer your definition of assisting to be: "providing any tool or information used to complete a task" then other things that should sound criminal to you include (but aren't limited to): providing a drunk driver with alcohol (before he was driving), selling a gun, knife, baseball bat, pencil or anything else to someone who then uses it in a violent crime, teaching anyone any sort of OS or computer security theory (if the students are criminal for providing the information to criminally hack the system, is the professor not criminal for assisting the "criminal" students by providing them with information needed to discover the hack?), etc, etc, etc.
Parent
Re: (Score:3, Interesting)
What I want to know is why these students didn't give a presentation to the MBTA itself or the MA state government. Seems like they're willing to pay attention.
Re:Frist Amendment (Score:4, Insightful)
"personal information"=="software flaw"
is valid.
It seems like the 4th Amendment could be seen as creating a distinction.
However, I am not a lawyer, just someone applying common sense.
TFA:
That could be difficult to enforce. Every one of the thousands of people here who registered for Defcon received a CD with the students' 87-page presentation titled "Anatomy of a Subway Hack." It recounts, in detail, how they wrote code to generate fake magcards. Also, it describes how they were able to use software they developed and $990 worth of hardware to read and clone the RFID-based CharlieCards.
Seems like the MA government could or should already have all of the relevant material.
The injunction amounts to a fart in a thunderstorm, and feckless as the RFID cards in question.
Parent
Re:Frist Amendment (Score:5, Insightful)
Even if that was the intent to show people how to steal (which it wasn't), it's still a protected right to talk about it.
Now that said, it wouldn't be protected speech if you ordered people to try it themselves.
Much like it's protected to get up on your soapbox about hating a particular race/whatever and wishing them gone, but it wouldn't be protected if you were organizing a lynching.
I hope you see the difference and why it's important to the foundation of freedom in our country.
Parent
Just a point (Score:3, Informative)
temporary restraining order != permanent injunction
And as TFA has already pointed out, the power point presentation is already out in the open.
Re:Just a point (Score:4, Interesting)
Which is exactly why an injunction should never have been granted.
Parent
Re:Just a point (Score:4, Interesting)
It's actually even worse than that. By the action of suing they have drawn attention to the issue. As well as "confirming" the research.
Probably also ensuring that the relevant information will wind up being published in places it wasn't likely to end up before. Note that the article mentions that thousands of people (not covered by the injunction) already have copies of the "paper". Some of those copies may be already out of the court's jurisdiction too.
Parent
Anonymous Coward (Score:3, Insightful)
Barbra Streisand seen fleeing the scene.
Ron Rivest (Score:4, Interesting)
The article mentions that the authorities met with the students and Ron Rivest (e.g. the "R" in the RSA crypto system).
It would be interesting to see what his involvement with this project is.
Re:Ron Rivest (Score:4, Informative)
He was their professor. Their research was done as a part of a class taught by Rivest.
Parent
Too late (Score:5, Informative)
It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas.
Injunction was already granted [cnet.com]. Insert Soviet joke here.
Excellent! (Score:3, Informative)
Treat it like the DNS flaw. (Score:5, Insightful)
Re: (Score:3, Informative)
Two problems (Score:5, Insightful)
I see two major problems with the application for the order. The first is that it claims that disclosure of how to hack the cards constitutes a danger to the public. How so? All these cards are good for is paying the fare. Hacking them allows people to ride the subway for free. That's petty larceny, not a danger to the public.
The second is that the application asked the court to forbid:
There's no conceivable justification for that. Even if there is justification for forbidding disclosure of the details of the hack, stating that there is a problem is certainly constitutionally protected. (It is possible that the court did not include such language in the TRO; this is what Massachusetts asked for, but possibly not what they got. Anybody got a link to the actual TRO?).
Re: (Score:3, Informative)
Anybody got a link to the actual TRO?).
the actual TRO [eff.org]
What I want to know is... (Score:5, Interesting)
"Congress shall make no law..." (Score:4, Insightful)
"abridging the freedom of speech, or of the press;"
-US Constitution
Re:"Congress shall make no law..." (Score:5, Informative)
Well, this is the State of Massachusetts, not Congress...
They already fixed that loophole [wikipedia.org]
"No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws."
Parent
If this happens, (Score:5, Insightful)
It's one more strike against the first amendment and another step down the path of the government deciding what you are allowed to know.
Too late; do it anyway. (Score:4, Insightful)
Fuck this.
They need to give their presentation regardless.
It's clearly a first amendment issue, and when people allow things like threats from the authorities or bullshit unconstitutional court injunctions to stop them from what they want to tell the masses it only serves to justify the actions of those who would try to stop people from expressing important matters.
From what I can tell this isn't about public safety at all, it's more about money. If it were about public safety, they would take it seriously and work with these guys to resolve the issues.
On top of that, when these sorts of uses for RFID were being planned and discussed years ago (things like this and passports, etc) many, many people warned that this would occur...
Someone needs to take that CD and quickly get the contents onto usenet. It's already in the public record anyway - once the cat is out of the bag it's out of the bag.
Re:Too late; do it anyway. (Score:4, Insightful)
I realize that it's easier for me to say it than it is for them to do it. That goes without saying. My entire point is that if people don't start saying "damn the consequences, fuck this, I believe I have the right" then you might as well give up completely on having rights at all when you come up against any organization (corporate or governmental) that wants to stop what you are saying.
I didn't say anything in my post about "taking up arms and shooting down the government" - I didn't even allude to such a thing in the slightest, so I don't know where that even came from.
Was that an attempt to raise an objection to something I didn't even say?
Yes, I know it's out there; hence "public record" and "the cat is out of the bag."
Parent
The PowerPoint was an excellent read. (Score:3, Insightful)
If I tell you how to hack the DC transit system... (Score:5, Informative)
In the DC system, you have to scan your card to get into and out of every station. Rather than having standard boarding fares like NY, it actually takes into account where you scanned in and where you scanned out and then deducts the appropriate amount for the fare between those two points at the time you scan out.
But say you leave the same station you entered. Maybe you missed your train and decided to take a cab, or forgot something, or got a call and changed your plans, or just want to rip off the DC transit system. Whatever. You always have to scan a card to get out, and if you scan the same card, it doesn't let you out for free, but charges you a minor fee. I think it was $0.25.
So, say you have a standard commute to work and back every day on the DC transit system:
Go into your point of departure and buy two cards, one with the appropriate fare to your destination. Swipe both of them in.
Ride to your point of departure. Swipe the exact fare card out and throw it away.
Go about your business at your destination. When you return:
Buy a new card and swipe it in.
Ride to your point of origin and Swipe OUT the card you only swiped IN at the same point earlier. You just rode there for $0.25.
The next day, swipe that same card in at the same station. Ride to your point of departure, and swipe out with the card you bought at that point yesterday. Another $0.25 trip.
Always continue to scan in and out at the same station using the same card. Every trip between those stations will be $0.25.
There is no expiration on how much time may pass between swiping in and out of the same station for the minimum fee. There is nothing set up to catch that one card is swiped in and out of the same station every day about 9 hours apart, while another card is swiped in and out of another station about 15 hours apart. At least, not unless they've fixed it in the past few years.
Obviously, buy the cards you use for this with cash, not a credit card.
If you really want to be a cheapskate, quadruple your money [schneier.com] also. Then all repeat rides in the system will be priced at approximately $0.07 each.
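A back-office check for the gap this comment describes, as an added example (not code from the thread or from any transit operator): it pairs each exit with the card's open entry and flags cards that repeatedly exit at the station they entered after an implausibly long dwell. The log format, card serials, station names, and the 30-minute and two-event thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tap log: ISO timestamp, card serial, station, direction.
SAMPLE_TAPS = """\
2008-08-04T08:00:00 C300 Alpha IN
2008-08-04T08:01:00 C100 Alpha IN
2008-08-04T08:31:00 C100 Beta OUT
2008-08-04T09:00:00 C200 Alpha IN
2008-08-04T09:04:00 C200 Alpha OUT
2008-08-04T17:00:00 C301 Beta IN
2008-08-04T17:05:00 C100 Beta IN
2008-08-04T17:35:00 C300 Alpha OUT
2008-08-04T17:36:00 C100 Alpha OUT
2008-08-05T08:00:00 C300 Alpha IN
2008-08-05T08:30:00 C301 Beta OUT
2008-08-05T17:00:00 C301 Beta IN
2008-08-05T17:35:00 C300 Alpha OUT
2008-08-06T08:30:00 C301 Beta OUT
"""


def parse_taps(text):
    """Parse the constructed log format into time-ordered tuples."""
    taps = []
    for line in text.strip().splitlines():
        ts, card, station, direction = line.split()
        taps.append((datetime.fromisoformat(ts), card, station, direction))
    return sorted(taps)


def long_same_station_dwells(taps, max_dwell=timedelta(minutes=30)):
    """Pair each OUT with the card's open IN. A same-station exit within
    max_dwell is treated as a changed plan; a longer one is recorded."""
    open_entry = {}
    hits = defaultdict(list)
    for ts, card, station, direction in taps:
        if direction == "IN":
            open_entry[card] = (ts, station)
        elif card in open_entry:
            t_in, s_in = open_entry.pop(card)
            if s_in == station and ts - t_in > max_dwell:
                hits[card].append((station, ts - t_in))
    return hits


def flag_cards(taps, min_events=2, max_dwell=timedelta(minutes=30)):
    """Cards showing the long same-station dwell at least min_events times."""
    hits = long_same_station_dwells(taps, max_dwell)
    return {card: events for card, events in hits.items()
            if len(events) >= min_events}


if __name__ == "__main__":
    for card, events in sorted(flag_cards(parse_taps(SAMPLE_TAPS)).items()):
        for station, dwell in events:
            print(card, station, dwell)
```

In the constructed log the ordinary commuter (C100) and the rider who left after four minutes (C200) are not flagged; only the two cards with repeated multi-hour same-station dwells are.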
Re: (Score:3, Insightful)
*mumbles something about Guantanamo Bay*
Re: (Score:3, Informative)