Forgot your password?
typodupeerror
Censorship Security Transportation United States

Massachusetts Sues to Halt Defcon Subway Hacking Talk 270

Posted by timothy
from the this-has-not-been-cleared-with-upstairs dept.
According to CNET, "The state of Massachusetts has asked a federal judge for a temporary restraining order preventing three MIT students from giving a presentation on Sunday about hacking smartcards used in the Boston subway system." It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas. Update: 08/09 20:57 GMT by T : "Too late," says reader Bluey: "Injunction was already granted."
This discussion has been archived. No new comments can be posted.

Massachusetts Sues to Halt Defcon Subway Hacking Talk

Comments Filter:
  • by pha7boy (1242512) on Saturday August 09, 2008 @03:03PM (#24538821)

    rather then make sure they have a techie in attendance so that they may learn something and find a workaround the issue, Boston's lawyers suggested that burying your head in the sand (or, alternatively, in the piles of garbage and crap in Boston) will solve the issue just as well. "As long as we don't let them say it publicly, it does not exist" one Boston official explained the position.

    this is why I love government bureaucrats. They tend to be smarter then the average bear.

    • by MindlessAutomata (1282944) on Saturday August 09, 2008 @03:13PM (#24538899)

      this is why I love government bureaucrats. They tend to be smarter then the average bear.

      I was with you until right around... there.

      • Oh, I'm willing to buy Boston bureaucrats being smarter than a bear. Not by much, mind you.
        • Re: (Score:3, Insightful)

          by hairyfeet (841228)
          Um,if you've ever seen a bear crack open a SUV to get the sandwiches inside,they are actually pretty smart critters. A better analogy would be the opossum that tried to fool the Mac truck about to hit it by playing dead or hissing at it,which is why here in the south you see dead ones by the side of the road all the time. Instead of fixing the problem they hissed at the presenters while ignoring the fact that the web doesn't follow injunctions. We should have a "Wow,you are a dumbass!" award that we can giv
    • by Mix+Master+Nixon (1018716) on Saturday August 09, 2008 @03:14PM (#24538913)

      Boston is merely afraid that this information will end up in Lunar hands. Entirely reasonable given that city's sad recent history.

    • by CastrTroy (595695) on Saturday August 09, 2008 @03:16PM (#24538919) Homepage
      What I want to know is how a system like this is even possible. Why should the value available on a smart card actually be something that can be changed by the person holding the card. Shouldn't the card just have an ID, and that ID is tied to an account, which is tied to a person. Maybe put the amount on the card, so the bus doesn't have to call home every time someone steps on a bus, but at least keep all transactions in a database so they can check for fraud after the fact. It seems like the way they have it set up, would be the equivalent of having your bank account balance completely controllable by modifying the information on your bank card. Even retail stores have this figured out so that their gift cards only hold a number, and the actual value on the card is stored in some computer database.
      • by langelgjm (860756) on Saturday August 09, 2008 @03:43PM (#24539089) Journal

        Maybe put the amount on the card, so the bus doesn't have to call home every time someone steps on a bus, but at least keep all transactions in a database so they can check for fraud after the fact.

        I think you hit the nail on the head with this. I don't know about the Charlie card system, but the issue with many transit cards is that it's difficult or impossible for moving vehicles to always be able to check in with the network database to determine the value of an account. So the account value has to be stored on the card.

        This is exactly like storing the value of your ATM or gift card on the card itself. But with ATMs and gift cards, the terminal where you use them is always going to have network access (or if it doesn't you probably won't be able to use the card).

        Of course, even just storing an account number or identifier on a card doesn't make it fraud-proof. Magstripe cards are trivially easy to re-encode with only a few dollars worth of equipment. Copying these can mean defeating physical access systems, being able to use someone else's gift card balance, or worse.

        • Re: (Score:3, Informative)

          by dgatwood (11270)

          I think you hit the nail on the head with this. I don't know about the Charlie card system, but the issue with many transit cards is that it's difficult or impossible for moving vehicles to always be able to check in with the network database to determine the value of an account. So the account value has to be stored on the card.

          That's a pretty weak argument. All you need is a laptop with a cellular data connection. If you really have places where you can't get a cell signal, get the cell company to add

          • by langelgjm (860756) on Saturday August 09, 2008 @04:24PM (#24539441) Journal

            That's a pretty weak argument. All you need is a laptop with a cellular data connection. If you really have places where you can't get a cell signal, get the cell company to add a picocell at the bus stops or add a Wi-Fi hot spot. Odds are you won't have to add too many of them in any major metro area.

            Well, I'm not the one making the argument, I'm just going by what I see being implemented in transit systems. Storing the value on the card means fast retrieval and processing, and no reliance on a network. What if the data links drops for some reason? What if it takes longer than usual to connect? Transit systems have schedules to keep (ideally!).

            Furthermore, it's easy to say "get the cell company to add a picocell at the bus stops", but it's not as if a transit system can simply mandate that it be done. Who's going to pay for it? And at what point does the expense of ensuring reliable network connectivity become greater than simply expecting a certain percentage of fraud? After all, this is a transit system we're talking about, not a bank.

            If you have access to somebody else's card, yes. Otherwise, if you are able to steal access, your number space is too small. Use a 256-bit number (or 1024-bit if you're really paranoid) and ensure that new numbers are assigned randomly within that space so that your odds of picking a valid number are remarkably close to zero.

            I know. That's why I talked about copying. Plus, given that with things like gift cards, the identifier is often written on the card itself, sometimes you don't even need to have a card reader to get the information. Or, you have security leaks. When I was an undergrad, the University of Maryland inadvertently exposed the ID numbers of the entire university population through its LDAP entries. Those same IDs were used as identifiers on the magstripe cards that gave building access, and dining hall access.

          • by Firehed (942385)

            get the cell company to add a picocell at the bus stops

            I doubt it's that simple, or else you'd find far fewer people bitching about not getting cell signal at home.

            Alternately: where the hell can I get one?

        • by mpe (36238)
          I don't know about the Charlie card system, but the issue with many transit cards is that it's difficult or impossible for moving vehicles to always be able to check in with the network database to determine the value of an account.

          It's just as well that people typically only get on and off buses which are stopped :) With trains there are often ticket operated barriers which never move.
      • by Jah-Wren Ryel (80510) on Saturday August 09, 2008 @03:55PM (#24539181)

        Why should the value available on a smart card actually be something that can be changed by the person holding the card. Shouldn't the card just have an ID, and that ID is tied to an account, which is tied to a person.

        With a correct implementation - that uses good cryptography - it is quite possible to have secure stored value cards. One upside to stored value cards, especially to slashdot readers, is that they help to protect our right to travel because they can be just as anonymous as cash.

        • by mpe (36238) on Saturday August 09, 2008 @04:49PM (#24539637)
          With a correct implementation - that uses good cryptography - it is quite possible to have secure stored value cards.

          However good the cryptography such a card would be vulnerable to a "known plaintext" attack. Since an attacker can see how the encrypted information changes as they alter the value of the card and compare several with the same value.
          To make things easier these systems tend to use proprietary cryptography which equates to very poor cryptography. In the case of Mifare Classic this was described by Bruce Schneier as "kindergarten cryptography". Maybe they'd have done better to use something like the "Vigenere Cipher" which was at least considered unbreakable for 300 years.
          • However good the cryptography such a card would be vulnerable to a "known plaintext" attack.

            AES is believed to be resistant to known plaintext attacks.

        • Re: (Score:2, Insightful)

          by cobaltnova (1188515)
          What exactly is the scheme you are envisioning? If the bus system is not reporting usage information, the value can be read off the card, and the value on the card can be changed, I see an unpatchable security hole.

          Purchase a single card, with 10$ on it. Record the stored value, use the card, and then restore the old value. Viola. Broken card.

          However, if the card could be made to increment a counter every time it was adjusted (in such a way that could not be undone) and each card had an immutable card
          • by plover (150551) *

            Simple smart card technology can include some write-once memory that burns a fusible link, preventing it from being rewritten. Old pay-as-you-go stored value telephone cards used to use this. They were for use in pay phones. The routine was simple: one bit equaled one unit of value. As the value was used, the pay phone would signal the card to burn out the next bit. Once the bits were all burnt, the card had no value.

            Of course this was defeated by hackers, who replaced the card with a computer contr

      • Re: (Score:2, Insightful)

        by RossumsChild (941873)
        Right, because my idea of a perfect society is one where I can't use the damn transit system unless I want to give up any shred of privacy about my destination, travel habits, and location.
      • by mpe (36238) on Saturday August 09, 2008 @04:18PM (#24539387)
        What I want to know is how a system like this is even possible. Why should the value available on a smart card actually be something that can be changed by the person holding the card.

        Because the people designing these systems don't know what they are doing. This dosn't just apply to RFID systems. There was a case recently involving a magnetic strip card which could be "cloned" by the using nothing more sophisticated than scissors/knife together sticky tape/glue

        Shouldn't the card just have an ID, and that ID is tied to an account, which is tied to a person.

        Unless it's intended to also use the system to track specific individuals then you don't need any such tying. Just a method of ensuing that every ticket has a unique ID. That only one instance of a ticket with a given ID is in use at any time in the system and that a "never issued ID" or one reported lost/stolen cannot be used.

        Maybe put the amount on the card, so the bus doesn't have to call home every time someone steps on a bus, but at least keep all transactions in a database so they can check for fraud after the fact.

        A bus might well "call home" periodically anyway, for such things as uploading it's position/CCTV footage/etc at this point it can check the tickets which have recently been used. If it isn't possible to operate a data link all the time.

        It seems like the way they have it set up, would be the equivalent of having your bank account balance completely controllable by modifying the information on your bank card.

        IIRC at one time it was possible get around withdrawal limits by modifying/cloning cards since they used a read/write area to record this information on the card. So as to enable offline/batch operation of machines.

        Even retail stores have this figured out so that their gift cards only hold a number, and the actual value on the card is stored in some computer database.

        Probably only as a consequence of being exploited though :)
      • by keithjr (1091829)
        I thought about it myself when they first implemented it. The point of the CharlieCard is that it allows one to quickly board trains and buses at any point. Thus, if the card simply stored a pointer to the account, all the buses in town would have to be wirelessly networked to perform a lookup on the account, and the subsequent deduction if a fare is taken.

        I guess that was a little to hard to implement, so they went with the simple solution of making the RFID chip read-writable and storing the data lo
      • Re: (Score:2, Informative)

        by Trerro (711448)

        The current system is designed to allow for anonymity. You simply ask a T employee for a 0 balance card, and one is handed to you, no questions asked. As many of us would prefer to not have our every movement stored in a database and linked to us, this is a GOOD thing if you value privacy.

        So sure, a central DB system would solve this security problem easily, but at a significant cost to privacy, especially when the database inevitably gets leaked and everyone can see where you go.

        • by CastrTroy (595695) on Saturday August 09, 2008 @09:40PM (#24541797) Homepage
          You could still do it anonymously. And even without a computer network. Have an ID written onto every card. The value is also on the card. The bus scans the card, and if there are sufficient funds on the card, you can ride the bus. When the bus is done for the day, it returns to the garage, and dumps the stored data onto the system, which will scan for inconsistencies on the cards. Since you should only be able to add value with valid machines, and money should only be taken off by the bus, these two values could easily be checked by a computer system to ensure they balance out. If invalid information is found on a card (the balance doesn't equal the deposits minus the debits), then the card could be flagged. Options for flagged cards include just disabling it so it isn't accepted the next time the person tries to board the bus, or even letting the person on, and alerting transit cops so, if they are in the vicinity, can pick the guy up at the next stop. I think it would even be appropriate for there to be a camera where you enter the bus, so that a picture could be taken of those using invalid cards. You'd probably want the system to have a secret key so that it could at least sign the information on the card, so that people couldn't make up fake account numbers and store those on the card.
    • Re: (Score:2, Insightful)

      by Stan92057 (737634)
      How is this burying there heads in the sand? There is a known problem,and they don't want criminals to abuse this problem until its fixed. Releasing exploits with out it being fixed is irresponsible, period end of store. I am sure 99% of the people here disagree with me, but after years of seeing exploits released to the public only to have criminals take advantage of theses exploits. Why should they try to figure out theses exploits when Black Hats do it for them time and time again. And another thing, wha
      • by langelgjm (860756) on Saturday August 09, 2008 @03:36PM (#24539031) Journal

        Is MBTA actually going to get the card system provider to fix the problem? Because from what I've seen, you'll have a hard time even getting the department and the contractor to admit that the problem exists. And even if they do admit it, is the solution going to be any more than "it's unlikely people will exploit this"?

        That sort of attitude seems to be how Maryland feels about its AccuVote TS voting machines. Three independent reviews have all revealed flaws with them, but we're still using them, despite the fact that those flaws essentially mean that the contractor has violated its agreement with the State.

        Furthermore, I doubt much criminal activity is going to result from releasing the information. Only a few people are going to have the time and patience to actually follow the exploit through, and if the system is well-designed (though apparently it may not be), modifying card data shouldn't be able to damage or disrupt the system.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          One of the problems is that the MBTA is losing money like crazy, in spite of vastly increased ridership because of gasoline prices. They can't afford to do basic mechanical maintenance and now they have to redo their smart card system too!? Of course one could argue that it would save them money in the long run, but only if people took advantage of this flaw.

          As for the database system someone suggested, that would be expensive to implement and administer, and (worst of all) would mean that people would be

          • by Garse Janacek (554329) on Saturday August 09, 2008 @05:46PM (#24539987)

            One of the problems is that the MBTA is losing money like crazy, in spite of vastly increased ridership because of gasoline prices. They can't afford to do basic mechanical maintenance and now they have to redo their smart card system too!?

            They were somehow able to "afford" the many, many millions of dollars required to install this slow, unreliable, and annoying smart card system. That expense was how they were able to justify the fare increase. I would be fine with an increased fare if it was used to improve service, but instead the service is now significantly worse than before, the smart card machines are terrible (every month I have to wrestle with it to get it to recognize my credit card to buy a pass, and I know others who have the same problem), and they haven't even accomplished the original goal.

            And, of course, they voluntarily installed this terrible smart card system even after New York tried installing the same system, and it ended up so terrible that they voluntarily ate the lost money and went with another contractor. I never quite heard the rationale for failing to learn from their mistake...

            So, yes, they are losing money like crazy, but my sympathy is limited. They've consistently shown that they don't really know what they're doing.

            As for the card vulnerability: it's another demonstration of how worthless the system is, but it hardly matters. Part of the justification for the system was to make sure people paid their fares. It has been a dreadful failure at that, but whatever. The number of people who will go to all the trouble of counterfeiting their MBTA passes is dwarfed by the number that will simply trail someone else through the gates or hop on the green line without paying. This has always been the case. It's not a new or surprising point that secure cryptography cannot prevent social engineering. The fact that it turns out to be insecure cryptography just makes the whole thing more pathetic...

    • Re: (Score:2, Troll)

      rather then make sure they have a techie in attendance so that they may learn something and find a workaround the issue, Boston's lawyers suggested that burying your head in the sand

      Remember, it's Boston: the city that is terrified of Cartoon Network. [forbes.com] The city that went $8.6 billion over budget on "The Big Dig" which should have cost $6 billion, and it's a piece of crap. [wikipedia.org] Did you really expect competence from that government?
    • by cayenne8 (626475) on Saturday August 09, 2008 @04:39PM (#24539563) Homepage Journal
      Not to mention, this should be an open and shut freedom of speech issue. I mean, you can publish how to make a silenced weapon, probably even how to make a nuclear device...how to assasinate someone even, things with are illegal to do for real in meatspace, but, printing HOW to do it so far, has been ruled as free speach.

      I'd think giving a talk about it would be a slam dunk. If they rule against this, then it is really scary that our first amendment is gonna be in jeopardy. So far...describing how to do many things without inciting anyone to do it..as been protected speech.

      • by bendodge (998616)

        If they rule against this, then it is really scary that our first amendment is gonna be in jeopardy.

        That's why we keep our second amendment handy.

      • Making a silenced weapon is perfectly legal. In Europe, it's mandatory for hunting rifles.
    • by crl620 (743475) on Saturday August 09, 2008 @04:48PM (#24539625)
      MIT's student newspaper put the "banned" slides online: http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf [mit.edu]
    • by JohnnyGTO (102952)
      HOW DARE YOU! smearing the good name of bears. If more people would simply go out in the woods and strike up a conversation with a Grizzly this sort of unfair attacks would stop!
    • by Obasan (28761) on Saturday August 09, 2008 @10:14PM (#24541983)

      I don't agree with the Massachusetts decision to attempt to stifle the presentation. This was foolish on a number of levels, not the least of which was it will probably help draw far more attention to the hack than it otherwise would have obtained.

      That being said, it is perfectly reasonable to not "fix" a system if the cost of the fix is more than the cost of fare evasion. Look - in many cities "evading the fare" is as simple as getting on the bus and choosing not to pay. These systems depend on users for the most part obeying an honor system with periodic random enforcement by transit personnel checking for passes / ticket validation. This is done across Europe and in a number of cities in Canada (not sure about the USA). Why do this? For starters most people aren't jerks, and pay their fares. Second, there will ALWAYS be a way to evade a fare system without massive (expensive) enforcement that would cost far more than the added fare revenue. You would not get on one of the systems where there is no ticket check on entry and then crow about how you evaded the system (or you wouldn't without looking like a complete dork).

      It's worth noting that this injunction is not analogous to software companies hiding known exploits in their systems where their customers may suffer the consequences. Boston IS the end user.

      Moving people from place to place should always be the highest priority of transit authorities. In general most people are good about paying their fares. Dealing with smalltime one-off thieves is a waste of their resources.

      If you use the system without paying, you are a thief and you are doing a tremendous disservice to your fellow citizens.

  • Frist Amendment (Score:5, Insightful)

    by Mordok-DestroyerOfWo (1000167) on Saturday August 09, 2008 @03:03PM (#24538825)
    Who needs free speech anyway?
    • by thermian (1267986) on Saturday August 09, 2008 @03:11PM (#24538877)

      Who needs free speech anyway?

      I can't say.

    • I hope they stand on stage and just give the finger for half an hour if this injunction gets granted.
      Then I hope some lawyer who actually does love the law beats the people requesting this to death with the Liberty Bell.

      "It tolls for YOU. [CLANG] It tolls for YOU. [CLANG] YOU! [CLANG] YOU!! [CLANG] YOU!!! [CLANG]"
    • Re: (Score:3, Funny)

      by snowraver1 (1052510)
      Who's got a link to the presentation? It's called "Anatomy of a Subway Hack" and was distributed on the CDs that were handed out. There must be a copy on the Internet, I just can't find it.
  • Just a point (Score:3, Informative)

    by TubeSteak (669689) on Saturday August 09, 2008 @03:07PM (#24538849) Journal

    temporary restraining order != permanent injunction

    And as TFA has already pointed out, the power point presentation is already out in the open

    • .....so?

      • Exactly. All that proves is that the people suing are even stupider than they seem because they're trying to stop something that's already on the internet, and we all know how that goes.

        • Re:Just a point (Score:4, Interesting)

          by mpe (36238) on Saturday August 09, 2008 @03:49PM (#24539135)
          All that proves is that the people suing are even stupider than they seem because they're trying to stop something that's already on the internet, and we all know how that goes.

          It's actually even worst than that. By the action of suing they have drawn attention to the issue. As well as "confirming" the research.
          Probably also ensuring that the relevent information will wind up being published in places it wasn't likely to end up before before. Note that the article mentions that thousands of people (not covered by the injunction) already have copies of the "paper". Some of those copies may be already out of the court's jurisdiction too.
    • Re:Just a point (Score:4, Interesting)

      by whoever57 (658626) on Saturday August 09, 2008 @03:26PM (#24538973) Journal

      And as TFA has already pointed out, the power point presentation is already out in the open

      Which is exactly why an injunction should never have been granted.

    • by Tuoqui (1091447)

      If the injunction lasts longer than the duration of Defcon it might as well be a permanent injunction.

      1st Amendment Right should trump this easily. I'm sure they could try twisting it into some 'National Security' issue but please... Some bus ticketing system isn't gonna bomb the White House.

  • by N8F8 (4562)

    Soviets would have just hauled your ass off to Siberia. Get a grip.

  • Anonymous Coward (Score:3, Insightful)

    by Anonymous Coward on Saturday August 09, 2008 @03:11PM (#24538881)

    Barbra Streisand seen fleeing the scene.

  • Ron Rivest (Score:4, Interesting)

    by surmak (1238244) on Saturday August 09, 2008 @03:12PM (#24538893)

    The article mentions that the authorities met with the students and Ron Rivest (e.g. the "R" in the RSA crypto system).

    It would be interesting to see what his involvement with this project is.

  • Too late (Score:5, Informative)

    by Bluey (27101) on Saturday August 09, 2008 @03:23PM (#24538949) Homepage

    It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas.

    Injuction was already granted [cnet.com]. Insert Soviet joke here.

    • by Enleth (947766)

      In Soviet Russia, the government controls the buttheaded bureaucrats.

    • Excellent! (Score:3, Informative)

      by d34thm0nk3y (653414)
      These guys are literally restricting free speech, as in "don't say that out loud." This will work as a way better example of US censorship than my usual 2600 DECSS example. Thanks MA for the forthcoming karma in other censorship articles.
  • by eggman9713 (714915) <{eggman97132007} {at} {mac.com}> on Saturday August 09, 2008 @03:52PM (#24539159)
    Just do it the way that they tried to do it in regards to the recent DNS exploits. Tell the affected organization (Boston subway system authority) that there is a problem and you are willing to work with them to fix it. If they refuse, just leave them the information and say they have x number of days to fix it and if they refuse to do anything, you are going to the press, which technically is true since journalists are allowed in limited numbers at Defcon as far as I know. That way you give them the courtesy of warning them in advance, but you aren't needing to completely shut up about it or let the problem lie unfixed. As a white hat, this guy has a moral obligation to help get problems fixed before the black hats find out.
    • Re: (Score:3, Informative)

      by AK Marc (707885)
      My understanding is that this was something that was mentioned to them (the lax security of the system) more than a year ago from multiple sources. I'm not sure what offers there were to release the findings to them, but from what I've seen, they would have not worked with anyone to do anything about it, other than sue them to shut them up. You can't work with someone that won't work with you. So you release it when they don't work with you.
  • Two problems (Score:5, Insightful)

    by belmolis (702863) <billposer@nOSpam.alum.mit.edu> on Saturday August 09, 2008 @04:07PM (#24539265) Homepage

    I see two major problems with the application for the order. The first is that it claims that disclosure of how to hack the cards constitutes a danger to the public. How so? All these cards are good for is paying the fare. Hacking them allows people to ride the subway for free. That's petty larceny, not a danger to the public.

    The second is that the application asked the court to forbid:

    publicly stating or indicating that the security or integrity of the CharlieCard pass, the CharlieTicket pass, or the MBTA's Fare Media systems has been compromised.

    There's no conceivable justification for that. Even if there is justification for forbidding disclosure of the details of the hack, stating that there is a problem is certainly constitutionally protected. (It is possible that the court did not include such language in the TRO; this is what Massachusetts asked for, but possibly not what they got. Anybody got a link to the actual TRO?).

  • by strabes (1075839) on Saturday August 09, 2008 @04:09PM (#24539287)
    What I want to know is why Massachusetts is complaining about and interfering with a conference happening in my hometown, Las Vegas.
  • by SonicSpike (242293) on Saturday August 09, 2008 @04:18PM (#24539389) Homepage Journal

    "abridging the freedom of speech, or of the press;"

    -US Constitution

    • Re: (Score:2, Insightful)

      by Tim C (15259)

      Well, this is the State of Massachusetts, not Congress...

      • by Wonko the Sane (25252) * on Saturday August 09, 2008 @05:08PM (#24539755) Journal

        Well, this is the State of Massachusetts, not Congress...

        They already fixed that loophole [wikipedia.org]

        "No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws."

      • by eht (8912)

        Actually even though it in no particular way different than a state, it's the Commonwealth of Massachusetts and for some reason the people that live there are always insisting on it being called that. I no longer live there thank goodness.

      • by _xeno_ (155264)

        Well, this is the State of Massachusetts, not Congress...

        Note the part where it says "federal judge" in the summary? And if you followed the link to the article, you'd see that this is taking place in Los Vegas, which I'm pretty sure isn't in Massachusetts.

        On a side note, when they first rolled out the CharlieCard system, I remember asking a coworker "I wonder how long it will take for someone to figure out how to hack the cards to get free rides?" The answer is "a little over a year and a half" - they were rolled out in December 2006.

    • Well, in their defense this is just judicial fiat, not a law. So, you know, it's just some cocksucker judge imposing his will illegally - that makes it much better, after all.
  • Isn't this the city that upped their threat level due to an Aqua Team Hunger Force marketing campaign? If so, this news isn't at all surprising.
  • If this happens, (Score:5, Insightful)

    by nurb432 (527695) on Saturday August 09, 2008 @04:45PM (#24539605) Homepage Journal

    Its one more strike against the first amendment and another step down the path of the government deciding what you are allowed to know.

  • by moxley (895517) on Saturday August 09, 2008 @05:01PM (#24539715)

    Fuck this.

    They need to give their presentation regardless.

    It's clearly a first amendment issue, and when people allow things like threats from the authorities or bullshit unconstitutional court injunctions to stop them from what they want to tell the masses it only serves to justify the actions of those who would try to stop people from expressing important matters.

    From what i can tell this isn't about public safety at all, it's more about money. If it were about public safety, they would take it seriously and work with these guys to resolve the issues.

    On top of that, when these sorts of uses for RFID were being planned and discussed years ago (things like this and passports, etc) many, many people warned that this would occur...

    Someone needs to take that CD and quickly get the contents onto usenet. It's already in the public record anyway - once the cat is out of the bag it's out of the bag.

  • by base3 (539820) on Saturday August 09, 2008 @05:26PM (#24539871)
    Thanks, Judge! I'd have never know it existed had you not tried to censor it.
  • WOW preemptive limitation of free speech is almost unheard of. Usually asking a judge to stop someone from talking before the fact is met with ridicule by the judge.

  • by Anonymous Coward on Saturday August 09, 2008 @05:37PM (#24539925)
    If I tell you how to hack the DC transit system right here in this post, will DC issue an injunction to have slashdot remove the post? Let's find out!

    In the DC system, you have to scan your card to get into and out of every station. Rather than having standard boarding fares like NY, it actually takes into account where you scanned in and where you scanned out and then deducts the appropriate amount for the fare between those two points at the time you scan out.

    But say you leave the same station you entered. Maybe you missed your train and decided to take a cab, or forgot something, or got a call and changed your plans, or just want to rip off the DC transit system. Whatever. You always have to scan a card to get out, and if you scan the same card, it doesn't let you out for free, but charges you a minor fee. I think it was $0.25.

    So, say you have a standard commute to work and back every day on the DC transit system:
    Go into your point of departure and buy two cards, one with the appropriate fare to your destination. Swipe both of them in.
    Ride to your point of departure. Swipe the exact fare card out and throw it away.
    Go about your business at your destination. When you return:
    Buy a new card and swipe it in.
    Ride to your point of origin and Swipe OUT the card you only swiped IN at the same point earlier. You just rode there for $0.25.
    The next day, swipe that same card in at the same station. Ride to your point of departure, and swipe out with the card you bought at that point yesterday. Another $0.25 trip.
    Always continue to scan in and out at the same station using the same card. Every trip between those stations will be $0.25.

    There is no expiration on how much time may pass between swiping in and out of the same station for the minimum fee. There is nothing set up to catch that one card is swiped in and out of the same station every day about 9 hours apart, while another card is swept in and out of another station about 15 hours apart. At least, not unless they've fixed it in the past few years.

    Obviously, buy the cards you use for this with cash, not a credit card.

    If you really want to be a cheap skate, quadruple your money [schneier.com] also. Then all repeat rides in the system will be priced at approximately $0.07 each.
  • In capitalist America company sell you.
  • IANAL, but slide 5 of the presentation says "AND THIS IS VERY ILLEGAL". Maybe they are getting their rocks off, testing and exposing security weaknesses - whatever. public good, harming society, doesn't matter. if we follow free speech and assembly, the talk should not have been stopped, for ANY reason. when ever and where ever we go down the road of "illegal information" tyranny is sure to follow.

    it would seem that a much better approach would have been to allow the speech to continue, but indict and

  • I have to wonder who in their right mind would be represented by the EFF these days. Their track record is like wearing a sign on your back that says "please laugh me out of court."

In order to dial out, it is necessary to broaden one's dimension.

Working...