Security The Courts

EFF To Appeal Court Order Vs. Subway Hack Demo

Posted by kdawson
from the tell-no-one dept.
snydeq sends along InfoWorld coverage of the EFF's plans to appeal a US District Court order that kept three MIT students from presenting detailed flaws in the Massachusetts Bay Transportation Authority e-ticketing system at Defcon. And an anonymous reader points out that the MBTA, in addition to triggering the Streisand Effect, released in open court more information on vulnerabilities (PDF) than the students had any intention of presenting. See Exhibit 1 to this court filing.
  • Re:First amendment (Score:4, Interesting)

    by Intrinsic (74189) on Monday August 11, 2008 @06:24PM (#24561161) Homepage

    Maybe I'm not understanding the situation, but if you attempt to release information that can cause harm to a business or person or society, that speech can definitely be limited. It's like calling fire in a building with no fire and someone getting hurt. It seems like in this case, if this information got mass attention there might be some way to construe harm. I mean I can think of a lot of ways to fabricate the perception of harm, even though it is unlikely.

    I'm trying to put myself in their shoes, someone or someones do not want to have to deal with this if people start mass circumventing the system... money loss, reputations, and the like are surely involved. It doesn't matter if it has been done before, this particular event makes stuff like this a hot topic, because people that build or manage insecure systems look really, really stupid to the professional community.

  • Re:Responsibility? (Score:3, Interesting)

    by MistaE (776169) on Monday August 11, 2008 @06:24PM (#24561169) Homepage
    So a poorly implemented system justifies individuals giving a presentation to everyone else on how to fuck with the system?

    I'm all for free speech, but it seems like there are quite a few other alternatives other than basically making public the flaws in a massive public transportation system. If they really care about security, they should take measures to improve the security with the appropriate authorities.

    Now, of course, if they've already tried this and they ignored these students, then I would argue this is the next step to grab their attention, but still.
  • Exhibit A (Score:4, Interesting)

    by Thomas Charron (1485) <twaffle@gmail. c o m> on Monday August 11, 2008 @06:45PM (#24561367) Homepage

    The guy who put the report in Exhibit A, along with his email address, it could be added, really, REALLY underestimated the issue I think. Did he really think the public court records wouldn't get out?

    Exhibit A will, I suspect, lead to many, MANY more compromises now than would have happened had they given their presentation.

    What HE released had the specific vulnerabilities they found. He didn't want that data out, and then published it himself!

  • by langelgjm (860756) on Monday August 11, 2008 @07:00PM (#24561513) Journal

    If true, one would think the MBTA would have little to back up an injunction.

    I'd tend to agree. Though MBTA's argument is that the undergrads aren't disclosing everything, so MBTA can't assess the true threat to their systems, thus why they sought the injunction.

    I'm kind of surprised the undergrads have not disclosed everything to the MBTA. Why wouldn't they? If they are truly interested in improving MBTA's security, they ought to.

    On the other hand, they might be reluctant to do so because of the risk of legal action. I don't have a Charlie Card on me (haven't been in Boston recently), but a lot of similar cards have statements saying they are the property of whoever issues them, and that tampering with them is illegal.

  • Re:First amendment (Score:3, Interesting)

    by Intrinsic (74189) on Monday August 11, 2008 @07:11PM (#24561615) Homepage

    I'm with you on that, I'm just saying that there is a difference between reality (which we know what that is) and the perceived reality. And the perception is that it's possible the transit authority probably has some people that manage or have a stake in creating that system and are trying to do damage control. It's not based in reality, but it's better to know what you are dealing with, because the people involved in the insecure transit system are not going to think like rational people if heads are going to roll.

    I was going to say something else but I forgot what it was.. basically I'm not arguing either way, I'm just trying to put all the cards on the table.

  • Re:First amendment (Score:3, Interesting)

    by Caboosian (1096069) on Monday August 11, 2008 @07:34PM (#24561815)

    If more people stood up to, and openly defied the courts; we'd have a better court system.

    If more people stood up to, and openly defied the courts, we'd have more people in jail - and a court system with less credibility. If an average citizen can shrug off a court order, what use are the courts? No, instead, the companies/corporations gaming the system should be held responsible. Honestly, I don't have a solution for this problem, but I can't find a justification for destroying the credibility of our judicial institution - what good could come of that?

  • Re:First amendment (Score:2, Interesting)

    by Anonymous Coward on Monday August 11, 2008 @07:34PM (#24561817)

    Thanks for the link to the legal definition of a computer.

    I have a couple of issues with it.

    1) By that definition, a test tube is a computer. It is optical, because sometimes the results of an experiment are verified visually. It is a data processing device, because mixing chemicals to find out what happens is a form of processing data. And it performs storage functions because you can store liquids or other substances in it if, for instance, the reaction is expected to take a long time. The "or's" in the definition mean that it doesn't have to satisfy all of the criteria, only some of them.

    You could argue that it's not high speed, but the wording of the definition is ambiguous enough that that isn't necessarily a requirement.

    2) How similar to a portable hand held calculator does a device need to be in order to be excluded? An HP48 graphing calculator? A PDA with a built-in calculator function? A cell phone? An EEE PC? A laptop?

  • Re:First amendment (Score:2, Interesting)

    by memristance (1285036) on Monday August 11, 2008 @08:06PM (#24562107)

    1) By that definition, a test tube is a computer. It is optical, because sometimes the results of an experiment are verified visually. It is a data processing device, because mixing chemicals to find out what happens is a form of processing data. And it performs storage functions because you can store liquids or other substances in it if, for instance, the reaction is expected to take a long time. The "or's" in the definition mean that it doesn't have to satisfy all of the criteria, only some of them.

    You could argue that it's not high speed, but the wording of the definition is ambiguous enough that that isn't necessarily a requirement.

    Though I'm guessing you were going for hyperbole here, you're mostly correct. [wikipedia.org]

  • le sigh (Score:3, Interesting)

    by SuperBanana (662181) on Monday August 11, 2008 @09:35PM (#24562713)

    data processing device performing logical, arithmetic, or storage functions,

    Note the "OR". The magstripe card is storage. The -card- does logical, arithmetic, AND storage functions- it's an intelligent device.

    Furthermore, they openly admit to trespassing both physically (at stations, offices, AND networks they knew were private.)

    Frankly, I'm astounded they're not sitting in a jail cell right now. Chances are that right now the MBTA are going through CCTV footage looking for them trespassing, and once they've found some- they'll be arrested.

    It's one thing to play with the cards (and ride the coat-tails of other researchers who published all of this 8 months ago). It's another to wander into offices and plug into internal networks you know you don't belong to (in fact, the very definition of trespassing in some states is "you're somewhere you know you don't belong.")

  • Re:How? (Score:3, Interesting)

    by PlusFiveTroll (754249) on Monday August 11, 2008 @09:45PM (#24562811) Homepage

    If you don't want to get in legal trouble, you go to court and get such things made de-classified or stripped of confidential status first, then you can reveal whatever you like. The students' first step should have been getting a court order to strip protection from the MBTA information, because MBTA actually has some legal precedent on their side here.

    Really, instead of going thru all that bullshit, the students should have released all the information first (before the court order). Two times this has happened at DEFCON, and it's easy to do because the offense knows what date you're going to speak and can put a stop to it right before it happens. Not enough time to defend yourself and get the motion dropped. Drop the whitepaper (blackpaper?) on the net a week before the talk, and let them close the barndoors after the horse is already gone.

  • Screw the MBTA. (Score:4, Interesting)

    by schmiddy (599730) on Tuesday August 12, 2008 @12:17AM (#24563891) Homepage Journal

    So, I actually have a little bit of sympathy for whichever public servant's ass is on the line right now, worrying he's going to get fired over this flap. Whatever idiots actually implemented the existing Charlie Card system we're stuck with right now might be long gone by now, along with the consultants that actually put this system in place.

    However, as a Boston resident, it's pretty obvious the MBTA has been brought down recently by especially bad mismanagement. We switched 2 years or so ago from plain tokens (one token == one subway ride) to an overly complicated mix of magstripe cards (CharlieTickets) and RFID cards (CharlieCards).

    There was a news story a while back in one of the little free Boston newspapers telling the cost of implementing this new system.. I think it was well into the hundreds of millions of dollars. Enough to pay the existing salaries of the MBTA staff for several years.

    To top it off, the new cards are really just a drag on everyone's time. Anyone who's had to wait 2 minutes in line while getting on a bus for some fool to fumble around trying to load up value onto one of the stored-value CharlieCards knows what I'm talking about.

    I also have a sneaking suspicion that a "feature" of this horrendously expensive, overly complicated system was not only that it would save money through nebulous efficiency improvements (the Charlie Card machines are broken half the time for some reason...) but that it would allow them to make more money by more effectively manipulating the currency. You see, previously, when they would hike up the subway rates, they couldn't stop people from buying $100 of tokens at the old rates just before the rate switch. Now, they can jack up the rates and everyone's forced to pay the new rate.

    So anyway, a little long-winded.. but I can see exactly why the MBTA officials are so worried about this. In addition to being stuck with this crazily complicated, expensive system that's run horrendously overbudget (in addition to the MBTA itself being $100M+ in the red every year somehow, despite having a government-funded monopoly and all sorts of advertising revenue flowing in..), they are now faced with the possibility of college students in Boston buying hacked Charlie Cards and not paying any fare. They're probably scared shitless of this. For the people that said they should just fix their system... I honestly doubt they could, even if they wanted to. We're talking about a system that cost several hundred million $ to put in place, with very little thought about security put in at the beginning. And these are government officials, using god-knows-who for contracting out the maintenance of this system. Working for an agency that's severely in the red, year after year. They don't have a snowball's chance in hell of fixing the system the right way, so they're abusing the courts to keep from being ridiculed in public and fired over the whole fiasco.

  • Re:First amendment (Score:3, Interesting)

    by jc42 (318812) on Tuesday August 12, 2008 @11:03AM (#24568829) Homepage Journal

    Prior restraint is unconstitutional. This will not survive the appeal.

    Um, so what? The court order succeeded; it prevented the MIT guys from giving their talk. If the appeal says the order was unconstitutional, that won't retroactively result in the talk having been given (unless someone has a working time machine that we don't know about). The judge may get a stern talking-to by the appeals court, but there will be no punishment.

    As with many such violations of rights, the deed is done and can't be undone. When there is no punishment for the perpetrators (primarily the judge), a later decision that it was wrong doesn't mean much, and does nothing to prevent such court orders in the future.

    Of course, the fact that the MIT guys have released all the info and the Tech has published it online does make the court (and the MBTA bureaucrats) seem sorta foolish. It mostly produced a Streisand Effect, bringing public attention to something that only a few geeks would have noticed (and maybe fixed) if there had been no court order.
