
EFF To Appeal Court Order Vs. Subway Hack Demo 189

Posted by kdawson
from the tell-no-one dept.
snydeq sends along InfoWorld coverage of the EFF's plans to appeal a US District Court order that kept three MIT students from presenting detailed flaws in the Massachusetts Bay Transportation Authority e-ticketing system at Defcon. And an anonymous reader points out that the MBTA, in addition to triggering the Streisand Effect, released in open court more information on vulnerabilities (PDF) than the students had any intention of presenting. See Exhibit 1 to this court filing.
  • First amendment (Score:4, Insightful)

    by Hatta (162192) on Monday August 11, 2008 @06:15PM (#24561077) Journal

    How can any such order be justified in the light of the first amendment protection of free speech?

  • Responsibility? (Score:5, Insightful)

    by XanC (644172) on Monday August 11, 2008 @06:18PM (#24561101)

    It seems that the people who are bringing flaws to light are cast as the villains, while nobody even considers blaming or even questioning the people who selected a poorly-implemented system to run an entire city's public transit.

  • Re:First amendment (Score:1, Insightful)

    by Anonymous Coward on Monday August 11, 2008 @06:19PM (#24561105)

    How can any such order be justified in the light of the first amendment protection of free speech?

    Obviously it can't. However, that has not stopped people from trying and succeeding in the past.

  • Re:First amendment (Score:5, Insightful)

    by im_thatoneguy (819432) on Monday August 11, 2008 @06:21PM (#24561119)

    If only there were some branch of the government whose job it was to ensure that people's constitutional rights were protected!

  • Re:First amendment (Score:3, Insightful)

    by nurb432 (527695) on Monday August 11, 2008 @06:22PM (#24561135) Homepage Journal

    It's not the job of the first amendment to *prevent* this from happening.

    Its job is to protect us by striking it down once heard by the courts.

  • Re:Responsibility? (Score:5, Insightful)

    by ckthorp (1255134) on Monday August 11, 2008 @06:24PM (#24561165)

    Or, even more importantly, nobody considers blaming the vendor who sold the faulty system to the city.
  • by Paul Pierce (739303) on Monday August 11, 2008 @06:30PM (#24561223) Homepage

    The two students at Georgia Tech that hacked the campus Blackboard swipe system (http://www.theregister.co.uk/2003/07/15/student_hackers_we_didnt_defeat/). The general idea was that it didn't matter how secure the encryption-system was, if the physical system was easy to get to. You don't have to figure out what information is being sent to the machine, all they had to do was 'capture' a 'yes-there-is-enough-money-on-the-card' response, then duplicate. Hey free snacks!!

    You know what would rock, an infinite gift card to Wendy's.
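    An added illustration of the replay described in this comment, written from the defender's side (example code, not from the original post or from any real vending or transit system): a static approval answer can be recorded once and reused, whereas binding the answer to a per-request nonce, card id and amount with an HMAC under a reader/server shared key makes the recorded answer worthless. The key, card id and balances below are constructed sample values.

```python
"""Replay of a card-reader approval: unauthenticated exchange beside a nonce-bound one.
Constructed example; not code from any real vending or fare system."""
import hashlib
import hmac
import secrets

YES, NO = b"YES", b"NO"


def static_server(balances: dict, card_id: str, amount: int) -> bytes:
    """Unauthenticated protocol: the answer carries no link to the request,
    so one recorded YES stays valid for every future request."""
    return YES if balances.get(card_id, 0) >= amount else NO


def static_reader_accepts(response: bytes) -> bool:
    return response == YES


def _tag(key: bytes, nonce: bytes, card_id: str, amount: int, verdict: bytes) -> bytes:
    """HMAC over everything the reader chose plus the server's verdict."""
    msg = nonce + card_id.encode() + amount.to_bytes(4, "big") + verdict
    return hmac.new(key, msg, hashlib.sha256).digest()


def authenticated_server(key: bytes, balances: dict, nonce: bytes,
                         card_id: str, amount: int) -> tuple:
    verdict = YES if balances.get(card_id, 0) >= amount else NO
    return verdict, _tag(key, nonce, card_id, amount, verdict)


class AuthenticatedReader:
    """Reader that issues a fresh nonce per request and only honours an
    approval whose tag binds that nonce, card and amount."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}  # nonce -> (card_id, amount) for requests still open

    def request(self, card_id: str, amount: int) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (card_id, amount)
        return nonce

    def accepts(self, nonce: bytes, response: tuple) -> bool:
        if nonce not in self.pending:
            return False  # unknown or already-consumed nonce: replay or stray answer
        card_id, amount = self.pending.pop(nonce)  # each nonce is usable once
        verdict, tag = response
        expected = _tag(self.key, nonce, card_id, amount, verdict)
        return hmac.compare_digest(tag, expected) and verdict == YES


def static_replay_succeeds() -> bool:
    """Record one approval while the card is funded, replay it after it is drained."""
    balances = {"card-42": 300}  # constructed balance, in cents
    recorded = static_server(balances, "card-42", 150)
    balances["card-42"] = 0
    return static_reader_accepts(recorded)  # True: the reader cannot tell


def authenticated_replay_succeeds() -> bool:
    """Same recording attack against the nonce-bound protocol."""
    key = b"constructed-shared-key"  # hypothetical; would be provisioned per reader
    balances = {"card-42": 300}
    reader = AuthenticatedReader(key)
    n1 = reader.request("card-42", 150)
    resp1 = authenticated_server(key, balances, n1, "card-42", 150)
    assert reader.accepts(n1, resp1)  # the genuine purchase goes through
    balances["card-42"] = 0
    n2 = reader.request("card-42", 150)  # later request, fresh nonce
    # Replay the recorded answer against the new request and against the old nonce.
    return reader.accepts(n2, resp1) or reader.accepts(n1, resp1)


def forged_yes_accepted() -> bool:
    """Attacker without the key rewrites a genuine NO into YES on the wire."""
    key = b"constructed-shared-key"
    reader = AuthenticatedReader(key)
    n = reader.request("card-42", 150)
    _, tag = authenticated_server(key, {"card-42": 0}, n, "card-42", 150)
    return reader.accepts(n, (YES, tag))
```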
  • Re:Responsibility? (Score:4, Insightful)

    by Adambomb (118938) on Monday August 11, 2008 @06:32PM (#24561239) Journal

    If nobody knows where a door is the lock on it doesn't matter.

    yes, maybe 99 times out of 100.

    And then there's the other 1, like say when an idiot files more vulnerabilities in their court briefs which are public record than the original presentation was going to uncover.

    Security through obscurity only works probabilistically, and given a long enough time frame it will always hit the P=1 where someone will have breached it and disseminated the information. This is exactly why security through obscurity is completely retarded when it involves systems intended to operate in any form of long term.

  • Re:First amendment (Score:1, Insightful)

    by Anonymous Coward on Monday August 11, 2008 @06:32PM (#24561241)

    By hack I assume you mean the person or persons responsible for attempting to use the courts to implement security through obscurity.

  • Re:First amendment (Score:5, Insightful)

    by NFN_NLN (633283) on Monday August 11, 2008 @06:36PM (#24561289)

    How can you justify the hack? Showing people how to ripoff the subway would seem to be a criminal act.

    No... RIPPING OFF THE SUBWAY is the criminal act.

    By your logic everyone in the military should go to jail for teaching or learning how to kill.

  • Re:First amendment (Score:5, Insightful)

    by sribe (304414) on Monday August 11, 2008 @06:37PM (#24561293)

    How can any such order be justified in the light of the first amendment protection of free speech?

    The judge is an idiot. Prior restraint is unconstitutional. This will not survive the appeal.

  • Re:Responsibility? (Score:5, Insightful)

    by Adambomb (118938) on Monday August 11, 2008 @06:37PM (#24561295) Journal

    I would agree with you, had the MBTA actually taken the initiative to work on solving these issues. Instead their rep stated that if it's not known, it's not a problem.

    Then they go and release more sensitive details in their court documents which are public record than the original presentation was to discuss.

    Had the MBTA stated that "they are currently working on resolving the issues, and would want the talk delayed until they are solved" then you would be exactly correct that the presentation should wait. In the end, this is more about pointing out that the MBTA bureaucracy is being incredibly stupid as well as dangerous in their processes.

  • Because: "You have the right to freedom of speech as long as you're not dumb enough to use it".

    Freedom of speech, like just about all our supposed freedoms, is only available to those that can afford to defend it in court. The contrapositive of this fact is of course that the ability to take away freedoms from someone is available to those that can afford to attack them in court.

    Companies, etc, apply for injunctions and by Gods they get them. Do you think if you, whatever your grievance, applied for an injunction against a major company that it would be awarded? Money talks. Judges listen. It's not necessarily something as base as bribes. Just high class lawyers gaming a system that puts up with being gamed.

    These three hackers should not have appealed this order. They should have ignored it. Defcon should have ignored it. Why obey an order that is going to be struck down anyway? Threat of censure? The court can only censure you if its order was legal in the first place.

    If more people stood up to, and openly defied the courts; we'd have a better court system.

  • Re:First amendment (Score:5, Insightful)

    by MDMurphy (208495) on Monday August 11, 2008 @06:45PM (#24561365)

    A couple comments:

    First, the information was already released. The entire presentation was handed out on CDs at the beginning of the conference. All the court order did was prevent a true dialog about the hack.

    Second, it could be construed that not releasing the information also has a negative cost. As a public entity, the transit agency has a duty to look after the system. The hack points out a flaw in the system. Was the system design opened to public scrutiny prior to its use in an attempt to prevent such a hack? If the hack were not widely known would the agency be working diligently to fix the flaws?

    This is not much different than the "print your own bogus boarding pass" hack. The big worry wasn't really that loved ones could see you off at the gate, but that "bad guys" could go through security, metal detectors and such only to swap tickets with someone who wasn't on the no-fly list. What the release of that hack did was point out a flaw that already existed and provide incentive to fix it, or to drop the whole boarding pass as security sham in the first place.

    As to the yelling Fire! in the theater analogy: If there's really a fire, it's Ok to yell.

    This is another situation the 1st amendment was designed to protect. Annoying, painful, expensive, dangerous speech might need to be protected.

  • Re:Responsibility? (Score:3, Insightful)

    by jd (1658) <imipak&yahoo,com> on Monday August 11, 2008 @06:48PM (#24561399) Homepage Journal

    I wouldn't agree to it being right to present how to break the system (except under special circumstances such as those you outlined), but I think it could be rather fun to make it illegal for either a government body or quango to set up or maintain a system in such a state that it poses undue burden on users, taxpayers, security, etc. Illegal as in prison illegal, not slap-on-the-wrist-see-you-at-golf-tomorrow illegal.

    Governments are like all other organizations in that they will do the least possible to survive at a level comfortable to them. In the case of a democracy, this means buying off the other branches of government and the media. (This differs from a theocracy, where instead they buy off the media and the other branches of government. Dictatorships, on the other hand, only need to buy off CowboyNeil.)

    The sovereign immunity enjoyed by the Government in America is probably one of the largest factors behind its corruption. I can understand the need to not have distractions, though I suspect Olmert can understand it better, but there are other ways of achieving that goal that still provide adequate accountability. The ballot box doesn't provide accountability for wrongdoing, it only provides accountability for unpopular doings, right or wrong, and frankly I doubt enough people care about mass transit computer systems to make gross negligence punishable via an election, regardless of any potential consequences. (Joe Bubba is very unlikely to think too far ahead, and there are simply more Joe Bubba voters in America than any other single group.)

  • Re:Responsibility? (Score:2, Insightful)

    by Anonymous Coward on Monday August 11, 2008 @06:49PM (#24561415)

    I don't agree.

    It is not their job to coordinate with the authorities and doing so without first going public might cause them problems with those authorities. Who gets to the press first matters here. If the first thing the press hears is that these guys were hacking the subway system, the authorities hold all the cards. The system may or may not get fixed and their message will almost certainly never be heard.

    Secondly, they are not responsible for the behaviors of others. Someone said something about yelling "fire" in a theater, but the analogy is inapt. In this case there actually is a fire in the theater, and they are just pointing it out. They are not responsible if people trample each other trying to escape a real fire.

  • Re:First amendment (Score:5, Insightful)

    by corsec67 (627446) on Monday August 11, 2008 @06:52PM (#24561439) Homepage Journal

    Then would you also like to allow the people who said "some toys in Wal-Mart have lead in them" to also have their speech limited?

    The critical part of rights like the freedom of speech is that if it excludes stuff you don't like, then it is worthless.

    "You can say whatever you want, as long as nobody is offended" doesn't really work.

    Personally I don't see how any possible exclusions to freedom of speech can be obtained from "Congress shall make no law ... or abridging the freedom of speech, or of the press;", and so libel and slander can't be made illegal as the first amendment is currently written. Neither do I think that it should be possible to make obscene or offensive speech, books, or printings illegal.

  • by Anonymous Coward on Monday August 11, 2008 @06:56PM (#24561473)

    Shouldn't the 'project manager' guy be like curling up in a shame-ball under his desk instead of pestering these kids?

  • the public (Score:3, Insightful)

    by Phantom of the Opera (1867) on Monday August 11, 2008 @07:07PM (#24561571) Homepage

    "Hi, I'm the public. Do I have a right to know about these flaws?"

    "No"

  • Re:First amendment (Score:5, Insightful)

    by sconeu (64226) on Monday August 11, 2008 @07:13PM (#24561637) Homepage Journal

    By a governmental (or quasi-governmental) agency, who is therefore bound by the First Amendment.

  • Re:First amendment (Score:3, Insightful)

    by Anpheus (908711) on Monday August 11, 2008 @07:14PM (#24561651)

    Thankfully there -isn't- a Department of Constitutional Rights. If such a thing existed, we could expect the same bureaucracy and red tape to drown any chance it has at reasonably protecting Americans against broad violations of their rights.

    Additionally, you can bet that if such a department existed, laws like the USA PATRIOT Act would serve to maim or gag it in order to perpetuate even greater crimes while people are none the wiser.

    No, I'm glad we live in a country where our rights are defended by regular people putting their time and money to organizations they deem valuable to the future of the nation. Is it the -best- way? Perhaps not, but it's certainly better than betting it all on responsible government.

    I will insist, again, that I am glad I live in a country where we have the ACLU, the EFF, the NRA, the NAACP, etc. I am glad we have all of those. It doesn't bother me one bit that they at times disagree with one another, it doesn't bother me that these organizations can be overzealous. I am glad they are overzealously defending my rights. If that means the NRA makes it legal for me to own a bazooka without a permit, well, to quote Office Space, "Fuckin' A, man."

  • by Deagol (323173) on Monday August 11, 2008 @07:21PM (#24561729) Homepage

    There have been a number of presentations lately that have been silenced by private companies before a conference, either by injunction or under the table (I'm thinking of Apple here). How long before we see conference talks being titled as clearly as most software patents? "Some Group Discusses Some Weakness In Some Company's Software" Tuesday at Defcon. If this gets out of hand, I wouldn't be too surprised if we start seeing some subtle obfuscation of what the true nature of some talks are about.
  • Re:Responsibility? (Score:2, Insightful)

    by cdrguru (88047) on Monday August 11, 2008 @07:36PM (#24561831) Homepage

    I would argue that it is the responsibility of the public to specifically not screw around with the system and that any security in place over the top of a fare collection system is there by accident. In other words, it should be treated as an "honor system" and what you are perceiving as "security" is merely validation to prevent errors.

    I suppose you could then argue that disclosing the nature of these validations is meaningless in and of itself. However, doing so in a forum of the nature where it was to be presented clearly is offering it to individuals with the capabilities to take unfair advantage.

    If I lived in Boston, or any other area where these sorts of disclosures have been made, I would object strenuously to the transit authority making any changes whatsoever to "improve security". It wasn't intended to be secure from the beginning. However, I'd certainly agree with increasing penalties for anyone caught screwing the system to the point where nobody would ever want to be caught.

    This is like turnstile jumping in some ways, only it enables large numbers of people to do so without being observed by station attendants. I guess to some folks with a "grab all you can" mindset this sort of thing just begs to be exploited. Sadly, what it really means is everyone else suffers for the misdeeds of the exploiter.

  • Re:Responsibility? (Score:2, Insightful)

    by adamchou (993073) on Monday August 11, 2008 @08:16PM (#24562181)

    Clearly you didn't read the court order that was submitted by the MBTA. It says that they evaluated it and said they found nothing new in there. What was submitted to them was an old hack that they were already aware of and had already implemented additional security measures to fix. This further led them to believe that there was additional information that was being withheld from them, especially since the MIT students' legal counsel advised them to not give additional information to the MBTA. They never gave the MBTA a chance to fix anything.

    I'm all for free speech, but when you use it irresponsibly as these kids appear to be doing, I think you should suffer the consequences. What if this is used by some terrorist organization to mount an attack? Will everyone here defending free speech really still advocate the right for these students to disclose this information?

  • Re:First amendment (Score:3, Insightful)

    by MDMurphy (208495) on Monday August 11, 2008 @08:31PM (#24562305)

    The sad thing is that judges are always supposed to be rational people, or at least hand down rational decisions while on the clock. The judge should have called them on this, but didn't, and issued the order. I at least hope they had to shop around to several judges before they found one their lawyers could snooker.

  • If I've got it right, this is pretty far out. The transit authority cannot even establish a factual predicate sufficient to show that the presenters have knowledge that would or could damage the transit authority. This would seem to present a really big causal gap in their case.

    "We're going to give a presentation on how to crack the MBTA passes" seems like a pretty good factual predicate.
  • Re:How? (Score:1, Insightful)

    by Anonymous Coward on Monday August 11, 2008 @08:42PM (#24562393)

    Because all speech isn't protected.

    Completely irrelevant.

    The First Amendment isn't a blanket guarantee to say or do anything.

    No, but it is a blanket guarantee to say anything that is true, and that's what's so appalling here.

    What's even more appalling is that there are idiots like you who think it's perfectly reasonable to prevent people from telling the truth, simply because it might hurt some corporation's bottom line.

  • Re:First amendment (Score:5, Insightful)

    by Opportunist (166417) on Monday August 11, 2008 @08:56PM (#24562489)

    What bothers me about this comment isn't that you trivialize terrorism. Yes, it does exist (read on before you mod, please). It doesn't even bother me that it's modded funny.

    What bothers me is the "cry wolf" tactics our media and politicians use whenever something happens they don't like. It's because of terrorism that people can't bring their own coke to a plane anymore (it's not that we want airlines to get additional revenue from selling their drinks). P2P fuels terrorism (not that we want to prop up an outdated business model). It's terrorism why we are forced to relinquish our essential rights (not because our politicians don't want us to say things they don't want the public to know).

    "Terrorism" has been abused as the catch all argument whenever something is imposed upon us that goes against the interests of our politicians and their cronies. And people start to see through the thinly veiled egoistic goals, and start to mock it. As you would mock anyone who cries wolf as soon as something happens he doesn't like.

    What bothers me most is that when the terrorists strike, we'll get told "see? We told you, it's terrorism!" Instead of them learning that their wolfcrying creates nothing but contempt and ridicule, they will point at us and blame us for not taking it serious, when it has been abused time and again.

    Terrorism is a real threat to the US and the "western" world. Abusing it to cry wolf about everything you want to do against your people is not going to make them take it serious. Quite the opposite.

    As can be seen in the parent posting.

    Daimanta, not trying to belittle you. You're just the one that speaks what everyone was thinking. "Ok, how long 'til they claim terrorism is the reason?" It's not against you, again. It's against those that abuse the terrorist card for everything that goes against their interests.

  • No. No it's not (Score:2, Insightful)

    by Anonymous Coward on Monday August 11, 2008 @09:46PM (#24562819)

    "Terrorism is a real threat to the US and the "western" world."

    Not really. If looked at rationally, terrorism on 9/11 was a tiny irritant to life in the United States.

    Think it through.

  • Re:No. No it's not (Score:5, Insightful)

    by Opportunist (166417) on Monday August 11, 2008 @10:14PM (#24563019)

    Basically, it doesn't even matter whether the threat is real or imagined. Personally, I think 3000 people in 7 years (and counting) is peanuts. When that's what you're scared about, you shouldn't drive anymore or have an operation. The chances to die in a car accident or on the OP table are significantly higher.

    If it is real, it would even increase the mark of shame on our politicians and media. If it's fake, they're just causing a hype to push their agenda. If it's real, they're crying wolf and abusing the "terrism" hype so far until nobody takes it serious anymore.

    It's basically like it was in my school. We had fire drills every month or so. Net result? People didn't even bother going out anymore when the alarm rang. It was known to be fake, so why bother listening to it?

    When you overdo drills or abuse a warning system, people will stop taking them serious. It will just be another drill or another hype when you ring the alarm. And that could backfire badly should the threat be real one day again.

    I predict a disaster should another terrorist strike happen one day. We'll then get to hear that some "threat level indicator" was at some nice, warm color anyway and "we warned you", but we won't hear that that indicator was about the same nice, warm color for years and we've been blitzed with fake warnings almost on a daily basis. Warnings cease to create an elevated level of caution when they happen too often, especially if those warnings are abused to push completely unrelated agendas, just because "terrists" are a comfortable reason to abolish civil rights.

    People aren't dumb. They see through it, and they will (and as you can see, do) ridicule those "warnings". It's way harder, though, to actually discriminate a real threat from one of those agenda-pushing fakes when you get told the same old lies over and over. Should a real threat be discovered and actually published, the first reaction most people have won't be "how can I avoid it?" but rather "what are they trying to do to my rights this time?"

  • Re:First amendment (Score:3, Insightful)

    by beaverbrother (586749) on Monday August 11, 2008 @11:34PM (#24563565)

    There is no evidence (at least in the presentation) that they illegally accessed the subway. They just showed an image of some computer showing their updated account balance. They could have just done that and not actually gotten a free ride.
  • Re:First amendment (Score:2, Insightful)

    by Anonymous Coward on Monday August 11, 2008 @11:57PM (#24563735)

    Terrorism is a real threat to the US and the "western" world.

    I was with you until that bit. The damage directly from terrorism is practically nil compared to the damage caused by so many other things in the world today. I would be ecstatic if, say, climate change caused only as much damage as terrorism. I would be overjoyed to see only as many people killed in Iraq as have been killed in terrorism attacks.

  • Re:First amendment (Score:5, Insightful)

    by hey! (33014) on Tuesday August 12, 2008 @08:42AM (#24566619) Homepage Journal

    The First Amendment doesn't mean that the government can't regulate speech, particularly the timing and method of speech, but even in some cases the content of the speech. However, such regulations must be narrowly tailored to fulfill a legitimate public purpose, such as national defense.

    Addressing the vulnerabilities before they become widely exploited is obviously a legitimate public purpose. A restraining order delaying temporarily the release of the details of the vulnerabilities (not the fact of their existence) while they do this would be narrowly tailored to serve that purpose.

    I'm not saying it's right, but you should know what your rights actually are. They don't include the right to say whatever you want, whenever you want, however you want without fear of punishment, and they never have.

    The important points to remember are (a) legitimate public purpose and (b) narrow tailoring. The narrow tailoring requirement is probably the tougher of the two requirements to meet. In this case, since the details of the problems are in the wild, in part because of the authority's own actions (although this doesn't really matter), any further restriction doesn't serve the purpose of allowing the authority to respond in a timely fashion.

  • Re:Responsibility? (Score:3, Insightful)

    by KenSeymour (81018) on Tuesday August 12, 2008 @09:59AM (#24567705)

    It seems that the people who are bringing flaws to light are cast as the villains, while nobody even considers blaming or even questioning the people who selected a poorly-implemented system to run an entire city's public transit.

    I love how so many people act as though the ticket vending machines are equivalent to "the entire city's public transit." Having the TVMs hackable until they patch the code will only impact revenue slightly. Note you can accomplish the same thing by jumping over the turnstiles.
    In the San Francisco Bay Area, they give everybody free rides when the air quality gets too bad.

    There are not that many vendors of TVMs and each transit system has custom requirements.

    Security researchers are in a catch 22. If they don't publish vulnerabilities publicly, they
    never get fixed. If they do, they never get thanked. It goes with the territory.
    You will only get the admiration of your fellow geeks, not the population as a whole.

  • Re:First amendment (Score:3, Insightful)

    by tehcyder (746570) on Tuesday August 12, 2008 @10:56AM (#24568681) Journal

    These three hackers should not have appealed this order. They should have ignored it. Defcon should have ignored it. Why obey an order that is going to be struck down anyway? Threat of censure? The court can only censure you if its order was legal in the first place.

    I don't know if US law is different from the UK, but here it doesn't matter what the final outcome is, if you deliberately break a court's injunction or order, you will quite rightly go to prison.
