Censorship Security Transportation United States

Massachusetts Sues to Halt Defcon Subway Hacking Talk

Posted by timothy
from the this-has-not-been-cleared-with-upstairs dept.
According to CNET, "The state of Massachusetts has asked a federal judge for a temporary restraining order preventing three MIT students from giving a presentation on Sunday about hacking smartcards used in the Boston subway system." It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas. Update: 08/09 20:57 GMT by T : "Too late," says reader Bluey: "Injunction was already granted."
  • Just a point (Score:3, Informative)

    by TubeSteak (669689) on Saturday August 09, 2008 @02:07PM (#24538849) Journal

    temporary restraining order != permanent injunction

    And as TFA has already pointed out, the PowerPoint presentation is already out in the open

  • Too late (Score:5, Informative)

    by Bluey (27101) on Saturday August 09, 2008 @02:23PM (#24538949) Homepage

    It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas.

    Injunction was already granted [cnet.com]. Insert Soviet joke here.

  • Excellent! (Score:3, Informative)

    by d34thm0nk3y (653414) on Saturday August 09, 2008 @02:44PM (#24539097)
    These guys are literally restricting free speech, as in "don't say that out loud." This will work as a way better example of US censorship than my usual 2600 DECSS example. Thanks MA for the forthcoming karma in other censorship articles.
  • Re:Ron Rivest (Score:4, Informative)

    by Anonymous Coward on Saturday August 09, 2008 @03:04PM (#24539237)

    He was their professor. Their research was done as a part of a class taught by Rivest.

  • by dgatwood (11270) on Saturday August 09, 2008 @03:13PM (#24539323) Journal

    I think you hit the nail on the head with this. I don't know about the Charlie card system, but the issue with many transit cards is that it's difficult or impossible for moving vehicles to always be able to check in with the network database to determine the value of an account. So the account value has to be stored on the card.

    That's a pretty weak argument. All you need is a laptop with a cellular data connection. If you really have places where you can't get a cell signal, get the cell company to add a picocell at the bus stops or add a Wi-Fi hot spot. Odds are you won't have to add too many of them in any major metro area.

    Of course, even just storing an account number or identifier on a card doesn't make it fraud-proof. Magstripe cards are trivially easy to re-encode with only a few dollars worth of equipment. Copying these can mean defeating physical access systems, being able to use someone else's gift card balance, or worse.

    If you have access to somebody else's card, yes. Otherwise, if you are able to steal access, your number space is too small. Use a 256-bit number (or 1024-bit if you're really paranoid) and ensure that new numbers are assigned randomly within that space so that your odds of picking a valid number are remarkably close to zero.
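The trade-off dgatwood describes, a central ledger that holds the balance while the card carries only an unguessable identifier, is easy to model. The following Python is an added example written for this page, not code from the thread or from any transit system; it assumes a toy in-memory ledger with balances in cents, Python's `secrets` module for identifier generation, and an attacker who forges cards by enumerating low identifier values. It contrasts sequentially assigned identifiers with 256-bit random ones, and includes the probability estimate behind the "remarkably close to zero" claim.

```python
import secrets

ID_BYTES = 32  # 256-bit card identifiers, as the comment suggests


class Ledger:
    """Central account store (constructed toy): the balance lives here,
    the card carries only an identifier that indexes into it."""

    def __init__(self, random_ids=True):
        self.random_ids = random_ids
        self.accounts = {}   # card_id (bytes) -> balance in cents
        self._next_seq = 1   # only used for the weak sequential scheme

    def issue_card(self, balance_cents):
        if self.random_ids:
            # Uniformly random 256-bit identifier from a CSPRNG.
            card_id = secrets.token_bytes(ID_BYTES)
        else:
            # Weak scheme for comparison: identifiers are assigned in order,
            # so a valid one is trivially guessable.
            card_id = self._next_seq.to_bytes(ID_BYTES, "big")
            self._next_seq += 1
        self.accounts[card_id] = balance_cents
        return card_id

    def charge(self, card_id, fare_cents):
        """Deduct a fare server-side; unknown or underfunded cards are refused."""
        balance = self.accounts.get(card_id)
        if balance is None or balance < fare_cents:
            return False
        self.accounts[card_id] = balance - fare_cents
        return True


def enumeration_hits(ledger, trials):
    """Forge cards with identifiers 1..trials and count how many the
    ledger accepts as live accounts."""
    hits = 0
    for n in range(1, trials + 1):
        if n.to_bytes(ID_BYTES, "big") in ledger.accounts:
            hits += 1
    return hits


def guess_success_probability(live_accounts, id_bits):
    """Chance that one random guess lands on a live account when identifiers
    are drawn uniformly from a space of 2**id_bits values."""
    return live_accounts / 2 ** id_bits


if __name__ == "__main__":
    weak, strong = Ledger(random_ids=False), Ledger(random_ids=True)
    for _ in range(100):
        weak.issue_card(500)
        strong.issue_card(500)
    print("sequential ids hit by 1000 guesses:", enumeration_hits(weak, 1000))
    print("random 256-bit ids hit by 1000 guesses:", enumeration_hits(strong, 1000))
    print("per-guess success with 1e6 live cards:",
          guess_success_probability(10**6, 8 * ID_BYTES))
```

The enumeration attacker recovers every account in the sequential ledger and none in the random one; with a million live cards in a 256-bit space, a single guess succeeds with probability on the order of 10^-72, which is why the size of the number space, not the secrecy of the scheme, carries the security here.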

  • by cayenne8 (626475) on Saturday August 09, 2008 @03:39PM (#24539563) Homepage Journal
    Not to mention, this should be an open and shut freedom of speech issue. I mean, you can publish how to make a silenced weapon, probably even how to make a nuclear device...how to assassinate someone even, things which are illegal to do for real in meatspace, but, printing HOW to do it so far, has been ruled as free speech.

    I'd think giving a talk about it would be a slam dunk. If they rule against this, then it is really scary that our first amendment is gonna be in jeopardy. So far...describing how to do many things without inciting anyone to do it...has been protected speech.

  • by crl620 (743475) on Saturday August 09, 2008 @03:48PM (#24539625)
    MIT's student newspaper put the "banned" slides online: http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf [mit.edu]
  • by snl2587 (1177409) on Saturday August 09, 2008 @04:06PM (#24539743)
    No, I mean it's time to do with this information what was done with the DVD key a while back. I believed this was a simple enough jump that it did not require an explanation. I had not planned on you and whoever modded you "insightful" not understanding the reference.
  • by Wonko the Sane (25252) * on Saturday August 09, 2008 @04:08PM (#24539755) Journal

    Well, this is the State of Massachusetts, not Congress...

    They already fixed that loophole [wikipedia.org]

    "No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws."

  • by Anonymous Coward on Saturday August 09, 2008 @04:37PM (#24539925)
    If I tell you how to hack the DC transit system right here in this post, will DC issue an injunction to have slashdot remove the post? Let's find out!

    In the DC system, you have to scan your card to get into and out of every station. Rather than having standard boarding fares like NY, it actually takes into account where you scanned in and where you scanned out and then deducts the appropriate amount for the fare between those two points at the time you scan out.

    But say you leave the same station you entered. Maybe you missed your train and decided to take a cab, or forgot something, or got a call and changed your plans, or just want to rip off the DC transit system. Whatever. You always have to scan a card to get out, and if you scan the same card, it doesn't let you out for free, but charges you a minor fee. I think it was $0.25.

    So, say you have a standard commute to work and back every day on the DC transit system:
    Go into your point of departure and buy two cards, one with the appropriate fare to your destination. Swipe both of them in.
    Ride to your point of departure. Swipe the exact fare card out and throw it away.
    Go about your business at your destination. When you return:
    Buy a new card and swipe it in.
    Ride to your point of origin and Swipe OUT the card you only swiped IN at the same point earlier. You just rode there for $0.25.
    The next day, swipe that same card in at the same station. Ride to your point of departure, and swipe out with the card you bought at that point yesterday. Another $0.25 trip.
    Always continue to scan in and out at the same station using the same card. Every trip between those stations will be $0.25.

    There is no expiration on how much time may pass between swiping in and out of the same station for the minimum fee. There is nothing set up to catch that one card is swiped in and out of the same station every day about 9 hours apart, while another card is swiped in and out of another station about 15 hours apart. At least, not unless they've fixed it in the past few years.

    Obviously, buy the cards you use for this with cash, not a credit card.

    If you really want to be a cheap skate, quadruple your money [schneier.com] also. Then all repeat rides in the system will be priced at approximately $0.07 each.
  • by AK Marc (707885) on Saturday August 09, 2008 @04:53PM (#24540035)
    My understanding is that this was something that was mentioned to them (the lax security of the system) more than a year ago from multiple sources. I'm not sure what offers there were to release the findings to them, but from what I've seen, they would have not worked with anyone to do anything about it, other than sue them to shut them up. You can't work with someone that won't work with you. So you release it when they don't work with you.
  • by Trerro (711448) on Saturday August 09, 2008 @05:05PM (#24540101)

    The current system is designed to allow for anonymity. You simply ask a T employee for a 0 balance card, and one is handed to you, no questions asked. As many of us would prefer to not have our every movement stored in a database and linked to us, this is a GOOD thing if you value privacy.

    So sure, a central DB system would solve this security problem easily, but at a significant cost to privacy, especially when the database inevitably gets leaked and everyone can see where you go.

  • Re:Two problems (Score:3, Informative)

    by gv250 (897841) on Saturday August 09, 2008 @06:49PM (#24540945)

    Anybody got a link to the actual TRO?

    the actual TRO [eff.org]

  • by Anonymous Coward on Saturday August 09, 2008 @08:39PM (#24541781)

    In Europe, there are around 50 countries with firearms laws that vary wildly.
