Massachusetts Sues to Halt Defcon Subway Hacking Talk 270
According to CNET, "The state of Massachusetts has asked a federal judge for a temporary restraining order preventing three MIT students from giving a presentation on Sunday about hacking smartcards used in the Boston subway system." It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas. Update: 08/09 20:57 GMT by T : "Too late," says reader Bluey: "Injunction was already granted."
Just a point (Score:3, Informative)
temporary restraining order != permanent injunction
And as TFA has already pointed out, the power point presentation is already out in the open
Too late (Score:5, Informative)
It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas.
Injuction was already granted [cnet.com]. Insert Soviet joke here.
Excellent! (Score:3, Informative)
Re:Ron Rivest (Score:4, Informative)
He was their professor. Their research was done as a part of a class taught by Rivest.
Re:oh good... let's all bury our heads... (Score:3, Informative)
That's a pretty weak argument. All you need is a laptop with a cellular data connection. If you really have places where you can't get a cell signal, get the cell company to add a picocell at the bus stops or add a Wi-Fi hot spot. Odds are you won't have to add too many of them in any major metro area.
If you have access to somebody else's card, yes. Otherwise, if you are able to steal access, your number space is too small. Use a 256-bit number (or 1024-bit if you're really paranoid) and ensure that new numbers are assigned randomly within that space so that your odds of picking a valid number are remarkably close to zero.
Re:oh good... let's all bury our heads... (Score:4, Informative)
I'd think giving a talk about it would be a slam dunk. If they rule against this, then it is really scary that our first amendment is gonna be in jeopardy. So far...describing how to do many things without inciting anyone to do it..as been protected speech.
Re:oh good... let's all bury our heads... (Score:5, Informative)
Re:Anyone have the code? (Score:3, Informative)
Re:"Congress shall make no law..." (Score:5, Informative)
Well, this is the State of Massachusetts, not Congress...
They already fixed that loophole [wikipedia.org]
"No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws."
If I tell you how to hack the DC transit system... (Score:5, Informative)
In the DC system, you have to scan your card to get into and out of every station. Rather than having standard boarding fares like NY, it actually takes into account where you scanned in and where you scanned out and then deducts the appropriate amount for the fare between those two points at the time you scan out.
But say you leave the same station you entered. Maybe you missed your train and decided to take a cab, or forgot something, or got a call and changed your plans, or just want to rip off the DC transit system. Whatever. You always have to scan a card to get out, and if you scan the same card, it doesn't let you out for free, but charges you a minor fee. I think it was $0.25.
So, say you have a standard commute to work and back every day on the DC transit system:
Go into your point of departure and buy two cards, one with the appropriate fare to your destination. Swipe both of them in.
Ride to your point of departure. Swipe the exact fare card out and throw it away.
Go about your business at your destination. When you return:
Buy a new card and swipe it in.
Ride to your point of origin and Swipe OUT the card you only swiped IN at the same point earlier. You just rode there for $0.25.
The next day, swipe that same card in at the same station. Ride to your point of departure, and swipe out with the card you bought at that point yesterday. Another $0.25 trip.
Always continue to scan in and out at the same station using the same card. Every trip between those stations will be $0.25.
There is no expiration on how much time may pass between swiping in and out of the same station for the minimum fee. There is nothing set up to catch that one card is swiped in and out of the same station every day about 9 hours apart, while another card is swept in and out of another station about 15 hours apart. At least, not unless they've fixed it in the past few years.
Obviously, buy the cards you use for this with cash, not a credit card.
If you really want to be a cheap skate, quadruple your money [schneier.com] also. Then all repeat rides in the system will be priced at approximately $0.07 each.
Re:Treat it like the DNS flaw. (Score:3, Informative)
Re:oh good... let's all bury our heads... (Score:2, Informative)
The current system is designed to allow for anonymity. You simply ask a T employee for a 0 balance card, and one is handed to you, no questions asked. As many of us would prefer to not have our every movement stored in a database and linked to us, this is a GOOD thing if you value privacy.
So sure, a central DB system would solve this security problem easily, but at a significant cost to privacy, especially when the database inevitably gets leaked and everyone can see where you go.
Re:Two problems (Score:3, Informative)
Anybody got a link to the actual TRO?).
the actual TRO [eff.org]
Re:oh good... let's all bury our heads... (Score:1, Informative)
In Europe, there are around 50 countries with firearms laws that vary wildly.