
EFF To Appeal Court Order Vs. Subway Hack Demo

Posted by kdawson
from the tell-no-one dept.
snydeq sends along InfoWorld coverage of the EFF's plans to appeal a US District Court order that kept three MIT students from presenting detailed flaws in the Massachusetts Bay Transportation Authority e-ticketing system at Defcon. And an anonymous reader points out that the MBTA, in addition to triggering the Streisand Effect, released in open court more information on vulnerabilities (PDF) than the students had any intention of presenting. See Exhibit 1 to this court filing.

  • Re:First amendment (Score:2, Informative)

    by Free the Cowards (1280296) on Monday August 11, 2008 @06:21PM (#24561115)

    Same way that slander and libel are actionable. Namely, the first amendment, in general, protects against criminal prosecution but not civil suits.

  • by Anonymous Coward on Monday August 11, 2008 @06:23PM (#24561141)

    Isn't this the same hack which was described in detail in c't #8/2008 [heise.de]? Mifare classic, uses Crypto1, a flawed pseudo random number generator and salts which only depend on the power on time, which is under the control of the attacker. Flaws were discovered by slicing the chip and inspecting the layers with a microscope.

  • Re:First amendment (Score:5, Informative)

    by Beryllium Sphere(tm) (193358) on Monday August 11, 2008 @06:28PM (#24561201) Homepage Journal

    Actually, under constitutional law, the preferred situation is to let the speech happen and hash out any legal issues later. The term for preventing a publication is "prior restraint", and it's very much frowned upon compared to going to court over speech that's already been published.

    In this case the judge used a computer intrusion statute. I don't know the terms of it, but some such laws do prohibit trading in passwords or other access devices. Seems like a stretch, and I don't consider it justified, but that might be the reasoning. I'm not a lawyer, but if I were them I'd look out for the highly abusable conspiracy laws.

  • Re:Them again? (Score:5, Informative)

    by Random BedHead Ed (602081) on Monday August 11, 2008 @06:33PM (#24561257) Homepage Journal

    Why is it that every time I read about the EFF or Lessig I hear about how they are going down in flames in one case or another? Are we talking about the Washington Generals here? What's it going to take for them to actually win something for a change?

    http://www.eff.org/victories [eff.org]

  • by AgentPhunk (571249) on Monday August 11, 2008 @06:38PM (#24561299)
    MIT's student newspaper "The Tech" includes the full DefCon presentation on their site:
    http://www-tech.mit.edu/V128/N30/subway/ [mit.edu]

    Direct link to the presentation PDF:
    http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf [mit.edu]

  • Not that impressive (Score:5, Informative)

    by langelgjm (860756) on Monday August 11, 2008 @06:38PM (#24561303) Journal

    At least from what's in the linked PDF, the undergrads' work is not all that impressive. They look at both the CharlieTicket (magstripe) and the CharlieCard (RFID).

    Hacking the CharlieTicket sounds fairly trivial. Magstripe cards are extremely easy to read and write to, and documentation on how to do this with homemade equipment is all over the Internet. The undergrads' work essentially consists of figuring out how the 6-bit checksum is being calculated (though it's not disclosed in the linked documents). This is probably the most difficult thing that they did.

    Hacking the CharlieCard, which is a MiFare Classic, is more involved, but the undergrads used a previously known attack, simply duplicating it. (Some might call that the behavior of a "script kiddie"?) There's hardly anything novel about this.

  • Life imitating art. (Score:4, Informative)

    by fredklein (532096) on Monday August 11, 2008 @06:44PM (#24561361)

    Which is from Cory Doctorow's "Little Brother", and which from the court documents in this case?

    "Just flash the firmware on a ten-dollar Radio Shack reader/writer and you're done. What we do is go around and randomly swap the tags on people, overwriting their Fast Passes and FasTraks with other people's codes. That'll make everyone skew all weird and screwy, and make everyone look guilty. Then: total gridlock."

    vs.:

    "An attacker uses RFID equipment purchased online to sniff communications between a legitimate CharlieCard and a turnstile. He takes the data back home and executes one of several attacks that exploit the weak Crypto-1 cipher to recover a key. Armed with this key, a high-gain antenna, and RFID equipment, he walks down a crowded street in Boston remotely copying the CharlieCards in people's pockets."

    Please, check out 'Little Brother'. FREE for download at http://craphound.com/littlebrother/download/ [craphound.com] , or available at fine bookstores everywhere.

  • How? (Score:3, Informative)

    by DesScorp (410532) <DesScorp@[ ]il.com ['Gma' in gap]> on Monday August 11, 2008 @06:46PM (#24561379) Homepage Journal

    How can any such order be justified in the light of the first amendment protection of free speech?

    Because all speech isn't protected. The First Amendment isn't a blanket guarantee to say or do anything. There are limits on speech, and always have been, from the time the Constitution was ratified to today.

    You can argue on technical grounds that "security by obscurity" is a stupid idea, but I think the EFF lost here for a reason... we've always balanced speech that can have a direct impact on public safety against the relative risks of that speech. You can't email classified blueprints of an AEGIS radar system to Vladimir Putin, for instance, or a list of undercover NYPD officers to some guy named Sal in Sicily, and then claim free speech protection. If you don't want to get in legal trouble, you go to court and get such things made de-classified or stripped of confidential status first, then you can reveal whatever you like. The students' first step should have been getting a court order to strip protection from the MBTA information, because MBTA actually has some legal precedent on their side here.

    The students may even be in the right here, but they were pleading their case in a way that almost assured their defeat in court. And in this case, EFF was thinking like hackers, not lawyers.

  • Re:First amendment (Score:5, Informative)

    by MikeD83 (529104) on Monday August 11, 2008 @06:51PM (#24561431)

    In this case the judge used a computer intrusion statute. I don't know the terms of it, but some such laws do prohibit trading in passwords or other access devices. Seems like a stretch, and I don't consider it justified, but that might be the reasoning.

    According to the complaint [mit.edu] the MBTA is calling the CharlieCard and even the CharlieTicket a "computer." Understanding how the "computer" works and disseminating that information constitutes fraud.

    According to the referenced US Code [cornell.edu], a "computer" is:

    the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;

  • Re:First amendment (Score:4, Informative)

    by belmolis (702863) <billposer@alum.miPARISt.edu minus city> on Monday August 11, 2008 @07:02PM (#24561529) Homepage

    For commentary by an expert on First Amendment law, see Eugene Volokh's post [volokh.com].

  • by Wrath0fb0b (302444) on Monday August 11, 2008 @07:14PM (#24561643)

    The court issued a 'temporary restraining order', which is legal-jargon for "don't do anything until we can get a decent hearing". It does not mean that the court has accepted the MBTA's position or even jurisdiction over the case. It is merely a tool* to ensure that neither party can unilaterally change the status-quo just because the courts do not operate 24/7 and are sort of slow (making sure everyone has a chance to speak generally doesn't allow for fast decision making). Rarely does a TRO last more than a week until a preliminary hearing can be held.

    IMO, therefore, even if the MBTA has no case whatsoever (almost certainly true) they are entitled to a TRO for a few days until the court can read (and almost certainly deny) their application for a permanent injunction. I don't see any major damage from having a presentation delayed for all of 72 hours either (note, if we were talking permanent injunction, it would be totally bogus -- that's a different matter entirely).

    * Yes, I'm aware the information was already published on the internet and that it cannot effectively be "recalled". That is not the point -- the MBTA, as any other litigant, has the right to have a court hear their case -- even if they really don't have one.

  • Re:First amendment (Score:5, Informative)

    by Free the Cowards (1280296) on Monday August 11, 2008 @07:58PM (#24562031)

    And hopefully that means that they will lose the case. (Actually, I'd hope that anyone bringing such a suit would lose, not just governmental entities.) But this is just an injunction. An injunction is temporary, and is only intended to prevent potential damage from being done until the true merits of the case can be assessed. An injunction doesn't require a good case, it just requires a case that has sufficient merit to go to court.

    Personally I don't think this injunction should have been granted, but it's not nearly the slam dunk obvious thing that many people here think it is.

  • Re:First amendment (Score:5, Informative)

    by mxs (42717) on Monday August 11, 2008 @10:18PM (#24563041)

    Maybe I'm not understanding the situation, but if you attempt to release information that can cause harm to a business or person or society, that speech can definitely be limited.

    That is a pretty general, and pretty wrong, statement. I can voice my opinion on a business all day long, even if that harms the business. I can voice my opinion on public figures all day long, even if their polling numbers decline as a result.
    There are certain limitations, sure, but merely bringing an undesired effect to the affected party is not enough.

    It's like calling fire in a building with no fire and someone getting hurt.

    No, it's not. These students are not putting people's life in jeopardy.

    It seems like in this case, if this information got mass attention there might be some way to construe harm.

    There is ALWAYS some way to construe harm. The question is whether it's reasonable.

    I mean I can think of a lot of ways to fabricate the perception of harm, even though it is unlikely.

    And this is the kicker. The MBTA is trying to sweep this under the carpet by claiming outlandish claims of public safety and harm -- when it is plain to see that this presentation poses no such threat.

    I'm trying to put myself in their shoes, someone or someones do not want to have to deal with this if people start mass circumventing the system...

    Too freaking bad, use a more secure system. The undergrads even made suggestions as to how to go about it (which they are not obligated to), and are generally behaving responsibly enough (they are not / were not going to release the checksum algorithm or the keys they found).

    money loss, reputations, and the like are surely involved.

    And rightly so. You see, it's not the undergrads' fault that the system is shoddy. They did not make it shoddy, they did not do the evaluation before buying it, they were not the implementers, and they do not leave network switches unattended behind open doors. Somebody else is doing that. The undergrads are just pointing out that somebody else is doing that. If that somebody else loses money, reputation, and the like over this incident, then it is their own fault.

    it doesn't matter if it has been done before, this particular event makes stuff like this a hot topic, because people that build or manage insecure systems look really, really stupid to the professional community.

    This is no reason, at all, to curtail the freedom of speech of these undergrads. Don't like the criticism? Don't fuck up like that. If you do, take the criticism.

    The whole handling of the matter reeks of incompetence, anyway. Apparently these people never heard of the Streisand-effect (seriously, how many more people now know about these weaknesses, in detail, since the MBTA began to sue?), have never heard about court documents being on the public record (everything they submit as "evidence" is forever in the public eye), have not even researched whether the materials they are trying to suppress have already been circulated (hint: yes, they have), and likely just encouraged others to re-engineer the reverse-engineering. Those others may not be as responsible as these undergrads and release full details, including encryption keys, checksumming algorithms, ready-made software, etc.

    A+.

  • Correct, and the (more public) stance both court and plaintiff are taking now (post-TRO) would seem to indicate that both f*cked up in spades, and are actually beginning to appreciate that -- plaintiff by not thinking things through and actually talking to someone who could understand and explain the technical aspects of things, and the court for believing the plaintiff.

    As pointed out, the purpose of a TRO is (was) to *temporarily* freeze the situation until the court can be briefed fully, and make a more reasoned decision.

    But we're running on Internet time now, and Plaintiff did what defendant couldn't have done, which was to disseminate even more information to a wider forum, and generate orders of magnitude more interest in this information than defendant could have done on their own...

    The other thing plaintiffs did in this action -- going for a TRO takes cojones, and a good reputation with the court. As plaintiff, you're going to the court asking them to act preemptively -- to restrain someone who has not yet acted. If the court doesn't believe you, they'll say, "Nah, if you're damaged, you can bring suit." Here, plaintiffs not only didn't understand the situation, but in their filings, they did orders of magnitude more damage to themselves than the action they got the court to enjoin.

    Courts and judges tend to have long memories -- and in this case, they'll most likely remember that these guys were bozos, and evaluate their arguments accordingly.

  • Re:First amendment (Score:4, Informative)

    by NewYorkCountryLawyer (912032) * <ray@NOspam.beckermanlegal.com> on Monday August 11, 2008 @11:26PM (#24563505) Homepage Journal

    How can any such order be justified in the light of the first amendment protection of free speech?

    Because it is not absolute. It has never been absolute. It is balanced against other interests. A prior restraint of speech is legal if it is a proportionate response to a "clear and present danger". I can assure you that much less threatening 'speech' has been held to represent a "clear and present danger".

  • Re:First amendment (Score:3, Informative)

    by omeomi (675045) on Tuesday August 12, 2008 @12:47AM (#24564087) Homepage

    If they were to violate the court order preventing them from presenting their findings, the contempt of court charge would pretty clearly be a criminal matter, though.

  • Re:First amendment (Score:4, Informative)

    by hey! (33014) on Tuesday August 12, 2008 @09:21AM (#24567129) Homepage Journal

    There is a branch of government that is in charge of this. It's called the judicial branch. In fact private civil rights organizations only exist to bring problems to the courts' attention.

    Now with respect to government being dysfunctional -- it is only so to the degree we tolerate it and even require it to be so.

    The reason for bureaucracy and red tape is because we the people insist upon it. In the private sector if I hire my cousin Vinny to do a job, if this gets the job done fast at a reasonable price, my boss is happy. And this is right, because the company probably saves money in the end. In the public sector, my department pays more than the private sector does to get the job done, because of the documentation needed to show that I'm not hiring Vinny because he's my cousin, and that other vendors in Vinny's business got a fair shot at the job. And Vinny has to charge more because he has to prove that he isn't charging Uncle Sam more than private sector customers, although this is usually solved by spinning off groups that only sell to Uncle Sam. Uncle Sam ends up buying from vendors who specialize in meeting his unique contracting process needs.

    And most of this is right too. Private enterprise is all about private benefit. People make deals and if the deals are profitable then there are no questions asked. Public enterprise is more ethically complicated. For one thing it is not voluntarily funded. You don't have a personal choice about how much tax and how much public benefit you're going to receive this year. This means things like fairness are a lot more important. And time consuming.

    Nonetheless, government can do things effectively, if people care enough about them. It just can't do them without employing more red tape than the private sector would. The US military is a case in point. The US has a military that can kick the crap out of any other military in the world. It's highly effective, but it's not particularly financially efficient or red-tape free. The reason is that we the people care about assuring successful military outcomes. In fact we care enough that we're not exactly sharp consumers when it comes to military systems.

    It's not so clear that we care about achieving successful outcomes when it comes to our legal and civil rights.

    The main problem with the judicial branch is that it can't initiate anything. You have to have money and time to get it moving on a problem, which means that the courts are only for those who have money and time on their hands: the wealthy and organizations like ACLU.

    The Justice Department should safeguard American citizens who don't have the money or power to insist upon their rights as individuals. But if we elect a President who thinks he has the power to detain and torture anybody based on suspicion, and let him appoint SC justices that are deferential to these claims, the JD is not much use. I'd say that this is because we the people don't really care about our rights.
