EFF To Appeal Court Order Vs. Subway Hack Demo

Posted by kdawson
from the tell-no-one dept.
snydeq sends along InfoWorld coverage of the EFF's plans to appeal a US District Court order that kept three MIT students from presenting detailed flaws in the Massachusetts Bay Transportation Authority e-ticketing system at Defcon. And an anonymous reader points out that the MBTA, in addition to triggering the Streisand Effect, released in open court more information on vulnerabilities (PDF) than the students had any intention of presenting. See Exhibit 1 to this court filing.

  • First amendment (Score:4, Insightful)

    by Hatta (162192) on Monday August 11, 2008 @06:15PM (#24561077) Journal

    How can any such order be justified in the light of the first amendment protection of free speech?

    • Re: (Score:2, Informative)

      Same way that slander and libel are actionable. Namely, the first amendment, in general, protects against criminal prosecution but not civil suits.

    • Re:First amendment (Score:5, Insightful)

      by im_thatoneguy (819432) on Monday August 11, 2008 @06:21PM (#24561119)

      If only there were some branch of the government whose job it was to ensure that people's constitutional rights were protected!

      • Re: (Score:3, Insightful)

        by Anpheus (908711)

        Thankfully there -isn't- a Department of Constitutional Rights. If such a thing existed, we could expect the same bureaucracy and red tape to drown any chance it has at reasonably protecting Americans against broad violations of their rights.

        Additionally, you can bet that if such a department existed, laws like the USA PATRIOT Act would serve to maim or gag it in order to perpetuate even greater crimes while people are none the wiser.

        No, I'm glad we live in a country where our rights are defended by regular

        • Re:First amendment (Score:4, Informative)

          by hey! (33014) on Tuesday August 12, 2008 @09:21AM (#24567129) Homepage Journal

          There is a branch of government that is in charge of this. It's called the judicial branch. In fact private civil rights organizations only exist to bring problems to the courts' attention.

          Now with respect to government being dysfunctional -- it is only so to the degree we tolerate it and even require it to be so.

          The reason for bureaucracy and red tape is because we the people insist upon it. In the private sector if I hire my cousin Vinny to do a job, if this gets the job done fast at a reasonable price, my boss is happy. And this is right, because the company probably saves money in the end. In the public sector, my department pays more than the private sector does to get the job done, because of the documentation needed to show that I'm not hiring Vinny because he's my cousin, and that other vendors in Vinny's business got a fair shot at the job. And Vinny has to charge more because he has to prove that he isn't charging Uncle Sam more than private sector customers, although this is usually solved by spinning off groups that only sell to Uncle Sam. Uncle Sam ends up buying from vendors who specialize in meeting his unique contracting process needs.

          And most of this is right too. Private enterprise is all about private benefit. People make deals and if the deals are profitable then there are no questions asked. Public enterprise is more ethically complicated. For one thing it is not voluntarily funded. You don't have a personal choice about how much tax and how much public benefit you're going to receive this year. This means things like fairness are a lot more important. And time consuming.

          Nonetheless, government can do things effectively, if people care enough about them. It just can't do them without employing more red tape than the private sector would. The US military is a case in point. The US has a military that can kick the crap out of any other military in the world. It's highly effective, but it's not particularly financially efficient or red-tape free. The reason is that we the people care about assuring successful military outcomes. In fact we care enough that we're not exactly sharp consumers when it comes to military systems.

          It's not so clear that we care about achieving successful outcomes when it comes to our legal and civil rights.

          The main problem with the judicial branch is that it can't initiate anything. You have to have money and time to get it moving on a problem, which means that the courts are only for those who have money and time on their hands: the wealthy and organizations like ACLU.

          The Justice Department should safeguard American citizens who don't have the money or power to insist upon their rights as individuals. But if we elect a President who thinks he has the power to detain and torture anybody based on suspicion, and let him appoint SC justices that are deferential to these claims, the JD is not much use. I'd say that this is because we the people don't really care about our rights.

    • Re: (Score:2, Funny)

      by Daimanta (1140543)

      Terrrism!!!1!

      • Re:First amendment (Score:5, Insightful)

        by Opportunist (166417) on Monday August 11, 2008 @08:56PM (#24562489)

        What bothers me about this comment isn't that you trivialize terrorism. Yes, it does exist (read on before you mod, please). It doesn't even bother me that it's modded funny.

        What bothers me is the "cry wolf" tactics our media and politicians use whenever something happens they don't like. It's because of terrorism that people can't bring their own coke to a plane anymore (it's not that we want airlines to get additional revenue from selling their drinks). P2P fuels terrorism (not that we want to prop up an outdated business model). It's terrorism why we are forced to relinquish our essential rights (not because our politicians don't want us to say things they don't want the public to know).

        "Terrorism" has been abused as the catch all argument whenever something is imposed upon us that goes against the interests of our politicians and their cronies. And people start to see through the thinly veiled egoistic goals, and start to mock it. As you would mock anyone who cries wolf as soon as something happens he doesn't like.

        What bothers me most is that when the terrorists strike, we'll get told "see? We told you, it's terrorism!" Instead of them learning that their wolfcrying creates nothing but contempt and ridicule, they will point at us and blame us for not taking it serious, when it has been abused time and again.

        Terrorism is a real threat to the US and the "western" world. Abusing it to cry wolf about everything you want to do against your people is not going to make them take it serious. Quite the opposite.

        As can be seen in the parent posting.

        Daimanta, not trying to belittle you. You're just the one that speaks what everyone was thinking. "Ok, how long 'til they claim terrorism is the reason?" It's not against you, again. It's against those that abuse the terrorist card for everything that goes against their interests.

        • No. No it's not (Score:2, Insightful)

          by Anonymous Coward

          "Terrorism is a real threat to the US and the "western" world."

          Not really. If looked at rationally, terrorism on 9/11 was a tiny irritant to life in the United States.

          Think it through.

          • Re:No. No it's not (Score:5, Insightful)

            by Opportunist (166417) on Monday August 11, 2008 @10:14PM (#24563019)

            Basically, it doesn't even matter whether the threat is real or imagined. Personally, I think 3000 people in 7 years (and counting) is peanuts. When that's what you're scared about, you shouldn't drive anymore or have an operation. The chances to die in a car accident or on the OP table are significantly higher.

            If it is real, it would even increase the mark of shame on our politicians and media. If it's fake, they're just causing a hype to push their agenda. If it's real, they're crying wolf and abuse the "terrism" hype so far until nobody takes it serious anymore.

            It's basically like it was in my school. We had fire drills every month or so. Net result? People didn't even bother going out anymore when the alarm rang. It was known to be fake, so why bother listening to it?

            When you overdo drills or abuse a warning system, people will stop taking them serious. It will just be another drill or another hype when you ring the alarm. And that could backfire badly should the threat be real one day again.

            I predict a disaster should another terrorist strike happen one day. We'll then get to hear that some "threat level indicator" was at some nice, warm color anyway and "we warned you", but we won't hear that that indicator was about the same nice, warm color for years and we've been blitzed with fake warnings almost at a daily base. Warnings cease to create an elevated level of caution when they happen too often, especially if those warnings are abused to push completely unrelated agendas, just because "terrists" are a comfortable reason to abolish civil rights.

            People aren't dumb. They see through it, and they will (and as you can see, do) ridicule those "warnings". It's way harder, though, to actually discriminate a real threat from one of those agenda-pushing fakes when you get told the same old lies over and over. Should a real threat be discovered and actually published, the first reaction most people have won't be "how can I avoid it?" but rather "what are they trying to do to my rights this time?"

        • by The Grim Reefer2 (1195989) on Monday August 11, 2008 @10:50PM (#24563257)

          It's because of terrorism that people can't bring their own coke to a plane anymore

          I'm pretty sure that was illegal prior to 9-11.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          Terrorism is a real threat to the US and the "western" world.

          I was with you until that bit. The damage directly from terrorism is practically nil compared to the damage caused by so many other things in the world today. I would be ecstatic if, say, climate change caused only as much damage as terrorism. I would be overjoyed to see only as many people killed in Iraq as have been killed in terrorism attacks.

        • by squizzar (1031726)

          Whilst I agree with your comments that blaming everything on terrorism is counter productive and see an irony in the use of 'terrorism' to force through laws that seek to reduce our freedoms, I can't agree with the idea that terrorism is a 'real threat to the US and the western world'. I'm not denying that it is possible, or that it is a terrible thing that causes suffering and misery, but it is not a 'real threat' to the western way of life, or any others unless we allow it to be.

          Contrast terrorism to any

    • Re: (Score:3, Insightful)

      by nurb432 (527695)

      It's not the job of the first amendment to *prevent* this from happening.

      Its job is to protect us by striking it down once heard by the courts.

      • Re:First amendment (Score:5, Informative)

        by Beryllium Sphere(tm) (193358) on Monday August 11, 2008 @06:28PM (#24561201) Homepage Journal

        Actually, under constitutional law, the preferred situation is to let the speech happen and hash out any legal issues later. The term for preventing a publication is "prior restraint", and it's very much frowned upon compared to going to court over speech that's already been published.

        In this case the judge used a computer intrusion statute. I don't know the terms of it, but some such laws do prohibit trading in passwords or other access devices. Seems like a stretch, and I don't consider it justified, but that might be the reasoning. I'm not a lawyer, but if I were them I'd look out for the highly abusable conspiracy laws.

        • Re:First amendment (Score:5, Informative)

          by MikeD83 (529104) on Monday August 11, 2008 @06:51PM (#24561431)

          In this case the judge used a computer intrusion statute. I don't know the terms of it, but some such laws do prohibit trading in passwords or other access devices. Seems like a stretch, and I don't consider it justified, but that might be the reasoning.

          According to the complaint [mit.edu] the MBTA is calling the CharlieCard and even the CharlieTicket a "computer." Understanding how the "computer" works and disseminating that information constitutes fraud.

          According to the referenced US Code [cornell.edu], a "computer" is:

          the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;

          • Re: (Score:2, Interesting)

            by Anonymous Coward

            Thanks for the link to the legal definition of a computer.

            I have a couple of issues with it.

            1) By that definition, a test tube is a computer. It is optical, because sometimes the results of an experiment are verified visually. It is a data processing device, because mixing chemicals to find out what happens is a form of processing data. And it performs storage functions because you can store liquids or other substances in it if, for instance, the reaction is expected to take a long time. The "or's" in t

            • Re: (Score:2, Interesting)

              by memristance (1285036)

              1) By that definition, a test tube is a computer. It is optical, because sometimes the results of an experiment are verified visually. It is a data processing device, because mixing chemicals to find out what happens is a form of processing data. And it performs storage functions because you can store liquids or other substances in it if, for instance, the reaction is expected to take a long time. The "or's" in the definition mean that it doesn't have to satisfy all of the criteria, only some of them.

              You could argue that it's not high speed, but the wording of the definition is ambiguous enough that that isn't necessarily a requirement.

              Though I'm guessing you were going for hyperbole here, you're mostly correct. [wikipedia.org]

          • le sigh (Score:3, Interesting)

            by SuperBanana (662181)

            data processing device performing logical, arithmetic, or storage functions,

            Note the "OR". The magstripe card is storage. The -card- does logical, arithmetic, AND storage functions- it's an intelligent device.

            Furthermore, they openly admit to trespassing both physically (at stations, offices, AND networks they knew were private.)

            Frankly, I'm astounded they're not sitting in a jail cell right now. Chances are that right now the MBTA are going through CCTV footage looking for them trespassing, and o

    • Re:First amendment (Score:4, Interesting)

      by Intrinsic (74189) on Monday August 11, 2008 @06:24PM (#24561161) Homepage

      Maybe I'm not understanding the situation, but if you attempt to release information that can cause harm to a business or person or society, that speech can definitely be limited. It's like calling fire in a building with no fire and someone getting hurt. It seems like in this case, if this information got mass attention there might be some way to construe harm. I mean I can think of a lot of ways to fabricate the perception of harm, even though it is unlikely.

      I'm trying to put myself in their shoes, someone or someones do not want to have to deal with this if people start mass circumventing the system... money loss, reputations, and the like are surely involved. It doesn't matter if it has been done before, this particular event makes stuff like this a hot topic, because people that build or manage insecure systems look really, really stupid to the professional community.

      • Re:First amendment (Score:5, Insightful)

        by MDMurphy (208495) on Monday August 11, 2008 @06:45PM (#24561365)

        A couple comments:

        First, the information was already released. The entire presentation was handed out on CDs at the beginning of the conference. All the court order did was prevent a true dialog about the hack.

        Second, it could be construed that not releasing the information also has a negative cost. As a public entity, the transit agency has a duty to look after the system. The hack points out a flaw in the system. Was the system design opened to public scrutiny prior to its use in an attempt to prevent such a hack? If the hack were not widely known would the agency be working diligently to fix the flaws?

        This is not much different than the "print your own bogus boarding pass" hack. The big worry wasn't really that loved ones could see you off at the gate, but that "bad guys" could go through security, metal detectors and such only to swap tickets with someone who wasn't on the no-fly list. What the release of that hack did was point out a flaw that already existed and provide incentive to fix it, or to drop the whole boarding pass as security sham in the first place.

        As to the yelling Fire! in the theater analogy: If there's really a fire, it's Ok to yell.

        This is another situation the 1st amendment was designed to protect. Annoying, painful, expensive, dangerous speech might need to be protected.

        • Re: (Score:3, Interesting)

          by Intrinsic (74189)

          I'm with you on that, I'm just saying that there is a difference between reality (which we know what that is) and the perceived reality. And the perception is that it's possible the transit authority probably has some people that manage or have a stake in creating that system and are trying to do damage control. It's not based in reality, but it's better to know what you are dealing with, because the people involved in the insecure transit system are not going to think like rational people if heads are going to

          • Re: (Score:3, Insightful)

            by MDMurphy (208495)

            The sad thing is that judges are always supposed to be rational people, or at least hand down rational decisions while on the clock. The judge should have called them on this, but didn't, and issued the order. I at least hope they had to shop around to several judges before they found one their lawyers could snooker.

      • Re:First amendment (Score:5, Insightful)

        by corsec67 (627446) on Monday August 11, 2008 @06:52PM (#24561439) Homepage Journal

        Then would you also like to allow the people who said "some toys in Wal-Mart have lead in them" to also have their speech limited?

        The critical part of rights like the freedom of speech is that if it excludes stuff you don't like, then it is worthless.

        "You can say whatever you want, as long as nobody is offended" doesn't really work.

        Personally I don't see how any possible exclusions to freedom of speech can be obtained from "Congress shall make no law ... or abridging the freedom of speech, or of the press;", and so libel and slander can't be made illegal as the first amendment is currently written. Neither do I think that it should be possible to make obscene or offensive speech, books, or printings illegal.

      • by Tuoqui (1091447)

        The right to free speech is useless without the right to offend.

        This should be publicized and they should get the hell off their asses and FIX THE PROBLEM!

        And they should stop trotting out bullshit 'NATIONAL SECURITY' excuses for some minor public transit crap as an excuse to shut people up.

      • Re:First amendment (Score:5, Informative)

        by mxs (42717) on Monday August 11, 2008 @10:18PM (#24563041)

        Maybe I'm not understanding the situation, but if you attempt to release information that can cause harm to a business or person or society, that speech can definitely be limited.

        That is a pretty general, and pretty wrong, statement. I can voice my opinion on a business all day long, even if that harms the business. I can voice my opinion on public figures all day long, even if their polling numbers decline as a result.
        There are certain limitations, sure, but merely bringing an undesired effect to the affected party is not enough.

        It's like calling fire in a building with no fire and someone getting hurt.

        No, it's not. These students are not putting people's life in jeopardy.

        It seems like in this case, if this information got mass attention there might be some way to construe harm.

        There is ALWAYS some way to construe harm. The question is whether it's reasonable.

        I mean I can think of a lot of ways to fabricate the perception of harm, even though it is unlikely.

        And this is the kicker. The MBTA is trying to sweep this under the carpet by claiming outlandish claims of public safety and harm -- when it is plain to see that this presentation poses no such threat.

        I'm trying to put myself in their shoes, someone or someones do not want to have to deal with this if people start mass circumventing the system...

        Too freaking bad, use a more secure system. The undergrads even made suggestions as to how to go about it (which they are not obligated to), and are generally behaving responsibly enough (they are not / were not going to release the checksum algorithm or the keys they found).

        money loss, reputations, and the like are surely involved.

        And rightly so. You see, it's not the undergrads' fault that the system is shoddy. They did not make it shoddy, they did not do the evaluation before buying it, they were not the implementers, and they do not leave network switches unattended behind open doors. Somebody else is doing that. The undergrads are just pointing out that somebody else is doing that. If that somebody else loses money, reputation, and the like over this incident, then it is their own fault.

        it doesn't matter if it has been done before, this particular event makes stuff like this a hot topic, because people that build or manage insecure systems look really, really stupid to the professional community.

        This is no reason, at all, to curtail the freedom of speech of these undergrads. Don't like the criticism ? Don't fuck up like that. If you do, take the criticism.

        The whole handling of the matter reeks of incompetence, anyway. Apparently these people never heard of the Streisand-effect (seriously, how many more people now know about these weaknesses, in detail, since the MBTA began to sue ?), have never heard about court documents being on the public record (everything they submit as "evidence" is forever in the public eye), have not even researched whether the materials they are trying to suppress have already been circulated (hint: yes, they have), and likely just encouraged others to re-engineer the reverse-engineering. Those others may not be as responsible as these undergrads and release full details, including encryption keys, checksumming algorithms, ready-made software, etc.

        A+.

    • Re:First amendment (Score:5, Insightful)

      by sribe (304414) on Monday August 11, 2008 @06:37PM (#24561293)

      How can any such order be justified in the light of the first amendment protection of free speech?

      The judge is an idiot. Prior restraint is unconstitutional. This will not survive the appeal.

      • Re: (Score:3, Interesting)

        by jc42 (318812)

        Prior restraint is unconstitutional. This will not survive the appeal.

        Um, so what? The court order succeeded; it prevented the MIT guys from giving their talk. If the appeal says the order was unconstitutional, that won't retroactively result in the talk having been given (unless someone has a working time machine that we don't know about). The judge may get a stern talking-to by the appeals court, but there will be no punishment.

        As with many such violations of rights, the deed is done and can't be undon

    • Because; "You have the right to freedom of speech as long as you're not dumb enough to use it".

      Freedom of speech, like just about all our supposed freedoms, is only available to those that can afford to defend it in court. The contrapositive of this fact is of course that the ability to take away freedoms from someone is available to those that can afford to attack them in court.

      Companies, etc, apply for injunctions and by Gods they get them. Do you think if you, whatever your grievance, applied for an injunction against a major company that it would be awarded? Money talks. Judges listen. It's not necessarily something as base as bribes. Just high class lawyers gaming a system that puts up with being gamed.

      These three hackers should not have appealed this order. They should have ignored it. Defcon should have ignored it. Why obey an order that is going to be struck down anyway? Threat of censure? The court can only censure you if its order was legal in the first place.

      If more people stood up to, and openly defied the courts; we'd have a better court system.

      • Re: (Score:3, Interesting)

        by Caboosian (1096069)

        If more people stood up to, and openly defied the courts; we'd have a better court system.

        If more people stood up to, and openly defied the courts, we'd have more people in jail - and a court system with less credibility. If an average citizen can shrug off a court order, what use are the courts? No, instead, the companies/corporations gaming the system should be held responsible. Honestly, I don't have a solution for this problem, but I can't find a justification for destroying the credibility of our judicial institution - what good could come of that?

      • Re: (Score:3, Insightful)

        by tehcyder (746570)

        These three hackers should not have appealed this order. They should have ignored it. Defcon should have ignored it. Why obey an order that is going to be struck down anyway? Threat of censure? The court can only censure you if its order was legal in the first place.

        I don't know if US law is different from the UK, but here it doesn't matter what the final outcome is, if you deliberately break a court's injunction or order, you will quite rightly go to prison.

    • How? (Score:3, Informative)

      by DesScorp (410532)

      How can any such order be justified in the light of the first amendment protection of free speech?

      Because all speech isn't protected. The First Amendment isn't a blanket guarantee to say or do anything. There are limits on speech, and always have been, from the time the Constitution was ratified to today.

      You can argue on technical grounds that "security by obscurity" is a stupid idea, but I think the EFF lost here for a reason... we've always balanced speech that can have a direct impact on public safety against the relative risks of that speech. You can't email classified blueprints of an AEGIS radar

      • Re: (Score:3, Interesting)

        by PlusFiveTroll (754249)

        If you don't want to get in legal trouble, you go to court and get such things made de-classified or stripped of confidential status first, then you can reveal whatever you like. The students first step should have been getting a court order to strip protection from the MBTA information, because MBTA actually has some legal precedent on their side here.

        Really, instead of going thru all that bullshit, the students should have released all the information first (before the court order). Two times this has happened at DEFCON, and it's easy to do because the offense knows what date you're going to speak and can put a stop to it right before it happens. Not enough time to defend yourself and get the motion dropped. Drop the whitepaper (blackpaper?) on the net a week before the talk, and let them close the barndoors after the horse is already gone.

      • by cayenne8 (626475)
        "You can argue on technical grounds that "security by obscurity" is a stupid idea, but I think the EFF lost here for a reason... we've always balanced speech that can have a direct impact on public safety against the relative risks of that speech. You can't email classified blueprints of an AEGIS radar system to Vladimir Putin, for instance, or a list of undercover NYPD officers to some guy named Sal in Sicily, and then claim free speech protection."

        Well, the classified information is one of the few examp

        • it isn't like this situation posed a danger to anything other than the pocketbooks of the system being discussed

          Well if the system that provides for public safety has its money ripped off, that would definitely endanger public safety.

    • Re:First amendment (Score:4, Informative)

      by belmolis (702863) <billposer@alum. m i t .edu> on Monday August 11, 2008 @07:02PM (#24561529) Homepage

      For commentary by an expert on First Amendment law, see Eugene Volokh's post [volokh.com].

    • by speedtux (1307149)

      How can any such order be justified in the light of the first amendment protection of free speech?

      There are lots of things you can't disclose publicly without consequences: nuclear launch codes, secret passages into the Pentagon, how to make anthrax, Google's secret sauce, Microsoft Windows Vista source code, etc. The judge may reasonably conclude that this falls into the same category.

    • How can any such order be justified in the light of the first amendment protection of free speech?

      Because it is not absolute. It has never been absolute. It is balanced against other interests. A prior restraint of speech is legal if it is a proportionate response to a "clear and present danger". I can assure you that much less threatening 'speech' has been held to represent a "clear and present danger".

  • Responsibility? (Score:5, Insightful)

    by XanC (644172) on Monday August 11, 2008 @06:18PM (#24561101)

    It seems that the people who are bringing flaws to light are cast as the villains, while nobody even considers blaming or even questioning the people who selected a poorly-implemented system to run an entire city's public transit.

    • Re:Responsibility? (Score:5, Insightful)

      by ckthorp (1255134) on Monday August 11, 2008 @06:24PM (#24561165)
      Or, even more importantly, nobody considers blaming the vendor who sold the faulty system to the city.
    • Re: (Score:3, Interesting)

      by MistaE (776169)
      So a poorly implemented system justifies individuals giving a presentation to everyone else on how to fuck with the system?

      I'm all for free speech, but it seems like there are quite a few other alternatives other than basically making public the flaws in a massive public transportation system. If they really care about security, they should take measures to improve the security with the appropriate authorities.

      Now, of course, if they've already tried this and they ignored these students, then I would arg
      • Re:Responsibility? (Score:5, Insightful)

        by Adambomb (118938) on Monday August 11, 2008 @06:37PM (#24561295) Journal

        I would agree with you, had the MBTA actually taken the initiative to work on solving these issues. Instead their rep stated that if it's not known, it's not a problem.

        Then they go and release more sensitive details in their court documents which are public record than the original presentation was to discuss.

        Had the MBTA stated that "they are currently working on resolving the issues, and would want the talk delayed until they are solved" then you would be exactly correct that the presentation should wait. In the end, this is more about pointing out that the MBTA bureaucracy is being incredibly stupid as well as dangerous in their processes.

        • by FatdogHaiku (978357) on Monday August 11, 2008 @07:27PM (#24561765)

          ...Then they go and release more sensitive details in their court documents which are public record than the original presentation was to discuss.

          It's not often you get to see someone step on their own pecker with both feet, while advertising the fact.

          • Re: (Score:3, Funny)

            by zippthorne (748122)

            If you were physically capable of doing that, I doubt you'd have any particular inclination to keep it a secret.

        • by cdrguru (88047)

          Why the heck should they spend time and money on a working system? If nobody uses this information, the system works fine and it is not a problem. If they spend a huge amount of money "solving" this non-existent problem, who does that benefit?

          The solution is to make sure the system is not exploited in this manner, not to make sure that it cannot be.

          • by Adambomb (118938)

            If they're complaining about the vulnerabilities, then it would benefit them to make sure they are removed from the system so that those exploiting it are no longer impacting their bottom line. By leaving the flaws and saying "because no one talks about it, no one knows about it" they have absolutely NO WAY of verifying how many unauthorized passengers their system is carrying and how much revenue they might be missing out on.

            The solution is to have a solution, say "well because the court order says they ca

          • by Adambomb (118938)

            Gah, yes there's a missing "is" in there. Where I leave to you.

            preempt! preempt! preempt!

        • Re: (Score:2, Insightful)

          by adamchou (993073)

          Clearly you didn't read the court order that was submitted by the MBTA. It says that they evaluated it and said they found nothing new in there. What was submitted to them was an old hack that they were already aware of and had already implemented additional security measures to fix. This further led them to believe that there was additional information that was being withheld from them, especially since the MIT students' legal counsel advised them to not give additional information to the MBTA. They never g

          • by Adambomb (118938)

            In addition, what looked like a black-and-white faxed copy of the entire presentation was entered as evidence in publicly available court records available on the Web on Saturday, meaning any attempt to limit its distribution further will encounter an additional hurdle.

            You were saying? [cnet.com]

          • by Software (179033)

            What if this is used by some terrorist organization to mount an attack?

            What kind of terrorist organization is that - one that can't afford to buy its own fare cards? That's the only kind of group which would be affected by the ruling. You can buy a fare card for cash in every bus/train/subway system that I've been on, including the T [mbta.com].

        • by Dhalka226 (559740)

          Hypothetically, let's assume they are working on making fixes and want this talk enjoined until they're implemented. And that it would take several years. Reasonable?

          This is a public transit card we're talking about. On top of being government contractors who would be designing new systems at ridiculous cost, there is a ton of equipment that would need to be re-programmed or replaced, as well as a massive outreach program that would have to be mounted in order to let citizens know that their transit ca

          • by Adambomb (118938)

            You just combined a whole set of hairy issues that have nothing to do with the MIT talk. If government contractors design systems at ridiculous cost, that's a separate problem that I wish would be addressed ever. If there's a ton of equipment that's a bitch to patch, that's the original developer's problem as they should not have sold it with the flaws in the first place, or at least started working on FIXING it as soon as all this came to light.

            If they were willing to have MIT POSTPONE this talk for a reasonabl

      • Re: (Score:3, Insightful)

        by jd (1658)

        I wouldn't agree to it being right to present how to break the system (except under special circumstances such as those you outlined), but I think it could be rather fun to make it illegal for either a government body or quango to set up or maintain a system in such a state that it poses undue burden on users, taxpayers, security, etc. Illegal as in prison illegal, not slap-on-the-wrist-see-you-at-golf-tomorrow illegal.

        Governments are like all other organizations in that they will do the least possible to s

        • by repvik (96666)

          In the case of a democracy, this means buying off the other branches of government and the media. (This differs from a theocracy, where instead they buy off the media and the other branches of government.

          Huh?

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        I don't agree.

        It is not their job to coordinate with the authorities and doing so without first going public might cause them problems with those authorities. Who gets to the press first matters here. If the first thing the press hears is that these guys were hacking the subway system, the authorities hold all the cards. The system may or may not get fixed and their message will almost certainly never be heard.

        Secondly, they are not responsible for the behaviors of others. Someone said something about yelli

      • the public (Score:3, Insightful)

        "Hi, I'm the public. Do I have a right to know about these flaws?"

        "No"

      • Re: (Score:2, Insightful)

        by cdrguru (88047)

        I would argue that it is the responsibility of the public to specifically not screw around with the system and that any security in place over the top of a fare collection system is there by accident. In other words, it should be treated as an "honor system" and what you are perceiving as "security" is merely validation to prevent errors.

        I suppose you could then argue that disclosing the nature of these validations is meaningless in and of itself. However, doing so in a forum of the nature where it was to

    • It could be argued that as long as nobody knows about the flaws then the system wasn't poorly implemented. Most street hooligans aren't MIT trained computer scientists.

      If nobody knows where a door is the lock on it doesn't matter.

      • Re:Responsibility? (Score:4, Insightful)

        by Adambomb (118938) on Monday August 11, 2008 @06:32PM (#24561239) Journal

        If nobody knows where a door is the lock on it doesn't matter.

        Yes, maybe 99 times out of 100.

        And then there's the other 1, like say when an idiot files more vulnerabilities in their court briefs which are public record than the original presentation was going to uncover.

        Security through obscurity only works probabilistically, and given a long enough time frame it will always hit the P=1 where someone will have breached it and disseminated the information. This is exactly why security through obscurity is completely retarded when it involves systems intended to operate in any form of long term.

      • Re: (Score:3, Funny)

        by NFN_NLN (633283)

        Most street hooligans aren't MIT trained computer scientists.

        I blame the American education system. In India street hooligans must have at least a masters degree while ruffians and ne'er-do-wells have doctorates.

    • Re: (Score:3, Insightful)

      by KenSeymour (81018)

      It seems that the people who are bringing flaws to light are cast as the villains, while nobody even considers blaming or even questioning the people who selected a poorly-implemented system to run an entire city's public transit.

      I love how so many people act as though the ticket vending machines are equivalent to "the entire city's public transit." Having the TVMs hackable until they patch the code will only impact revenue slightly. Note you can accomplish the same thing by jumping over the turnstiles.
      In

  • by Anonymous Coward

    Isn't this the same hack which was described in detail in c't #8/2008 [heise.de]? Mifare classic, uses Crypto1, a flawed pseudo random number generator and salts which only depend on the power on time, which is under the control of the attacker. Flaws were discovered by slicing the chip and inspecting the layers with a microscope.

    • by blueg3 (192743)

      That's the RFID vulnerability. They also disclose a magnetic stripe card vulnerability and various physical vulnerabilities.

      • The clone hack has been around since at least the late '70s. Yes the 70's!!! It was done to BART cards using a cassette tape recorder. Since the card carried all information - like today - you copy it once and return the value every few days. With a commute being the cost daily, the machine just kept over typing. BART stationed people to look at the cards as they popped out of the ticket machine (they popped straight up) looking for heavy over printing.

        The value hack is again simple. If you ever read credit car

        • by blueg3 (192743)

          What you're describing is a class of attack that is not necessarily shared among all systems of the same type. (It's possible to make magstripe systems that aren't vulnerable to replay attacks.)

          Typical vulnerability disclosures are the details of how a particular system is vulnerable to a particular attack. Not "this system is probably vulnerable to some kind of replay attack", but how the system works and how the attack is applied to that system.
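
An added example, not part of any comment above and not code from the MBTA, BART or any vendor: the replay class this sub-thread describes (restoring a saved copy of a card that "carried all information"), shown against a gate that trusts the stripe and a gate that also checks a server-side sequence counter. The card layout, key, fare and function names are all constructed assumptions, and the hardened gate assumes it can reach a central ledger.

```python
import hmac
import hashlib
from dataclasses import dataclass

KEY = b"constructed-demo-key"  # constructed; a real deployment keeps this in secure hardware
FARE_CENTS = 200               # constructed fare


@dataclass(frozen=True)
class CardImage:
    """Everything written on the stripe (hypothetical layout)."""
    card_id: str
    balance_cents: int
    seq: int       # number of debits applied so far
    tag: bytes     # MAC over the three fields above


def _mac(card_id, balance_cents, seq):
    msg = f"{card_id}|{balance_cents}|{seq}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:8]


def _valid(card):
    expected = _mac(card.card_id, card.balance_cents, card.seq)
    return hmac.compare_digest(card.tag, expected)


def _debit(card):
    bal, seq = card.balance_cents - FARE_CENTS, card.seq + 1
    return CardImage(card.card_id, bal, seq, _mac(card.card_id, bal, seq))


def issue(card_id, balance_cents, ledger):
    ledger[card_id] = 0
    return CardImage(card_id, balance_cents, 0, _mac(card_id, balance_cents, 0))


def tap_offline(card):
    """Gate that trusts the stripe: the MAC stops edits, but an old copy still passes."""
    if not _valid(card):
        return "bad_mac", card
    if card.balance_cents < FARE_CENTS:
        return "insufficient", card
    return "ok", _debit(card)


def tap(card, ledger):
    """Gate that also requires the card's seq to match the server-side ledger."""
    if not _valid(card):
        return "bad_mac", card
    expected = ledger.get(card.card_id)
    if expected is None:
        return "unknown_card", card
    if card.seq != expected:
        # An older, validly MAC'd image was presented: flag it for review.
        return ("stale_replay" if card.seq < expected else "ledger_behind"), card
    if card.balance_cents < FARE_CENTS:
        return "insufficient", card
    ledger[card.card_id] = expected + 1
    return "ok", _debit(card)


def demo():
    ledger = {}
    card = issue("C-0001", 400, ledger)   # constructed card
    saved = card                          # copy of the stripe taken before any ride
    results = []
    for _ in range(2):                    # two legitimate rides use up the balance
        decision, card = tap(card, ledger)
        results.append(decision)
    results.append(tap(saved, ledger)[0])             # restored old image
    edited = CardImage(saved.card_id, 9999, card.seq, saved.tag)
    results.append(tap(edited, ledger)[0])            # edited balance, old tag
    return results


if __name__ == "__main__":
    print(demo())
```

The sequence check turns a restored image into a logged `stale_replay` event, which is also the signal a fraud team would alert on; a gate that cannot reach the ledger falls back to the `tap_offline` behaviour.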

  • by Random BedHead Ed (602081) on Monday August 11, 2008 @06:25PM (#24561175) Homepage Journal
    I say, this is intolerable! You Slashdottian ragamuffins should remove the hyperlink to that MIT-hosted court document post haste, or I shall be forced to request that these truckless tubes be cleansed of it ... in court! (There, that will put a decisive end to their meddling.)
  • by Paul Pierce (739303) on Monday August 11, 2008 @06:30PM (#24561223) Homepage
    The two students at Georgia Tech that hacked the campus Blackboard swipe system (http://www.theregister.co.uk/2003/07/15/student_hackers_we_didnt_defeat/). The general idea was that it didn't matter how secure the encryption-system was, if the physical system was easy to get to. You don't have to figure out what information is being sent to the machine, all they had to do was 'capture' a 'yes-there-is-enough-money-on-the-card' response, then duplicate. Hey free snacks!!

    You know what would rock, an infinite gift card to Wendy's.
    • Re: (Score:2, Funny)

      by davec727 (1263298)
      I actually had a potentially infinite Hardee's gift card for a while. I put $20 on it, and I would estimate I got around $60 worth of food out of it, because the vast majority of the drive-thru monkeys at this particular Hardee's unintentionally (I assume) rang up the purchase as "gift" instead of "gift card."

      I also effectively had an infinite gift card to Taco Bell, while I was working there. However, be careful what you wish for; infinite fast food has hefty consequences.
  • by AgentPhunk (571249) on Monday August 11, 2008 @06:38PM (#24561299)
    MIT's student newspaper "The Tech" includes the full DefCon presentation on their site:
    http://www-tech.mit.edu/V128/N30/subway/ [mit.edu]

    Direct link to the presentation PDF:
    http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf [mit.edu]

  • Not that impressive (Score:5, Informative)

    by langelgjm (860756) on Monday August 11, 2008 @06:38PM (#24561303) Journal

    At least from what's in the linked PDF, the undergrads' work is not all that impressive. They look at both the CharlieTicket (magstripe) and the CharlieCard (RFID).

    Hacking the CharlieTicket sounds fairly trivial. Magstripe cards are extremely easy to read and write to, and documentation on how to do this with homemade equipment is all over the Internet. The undergrads' work essentially consists of figuring out how the 6-bit checksum is being calculated (though it's not disclosed in the linked documents). This is probably the most difficult thing that they did.

    Hacking the CharlieCard, which is a MiFare Classic, is more involved, but the undergrads used a previously known attack, simply duplicating it. (Some might call that the behavior of a "script kiddie"?) There's hardly anything novel about this.

    • by Gat0r30y (957941)

      There's hardly anything novel about this.

      If true, one would think the MBTA would have little to back up an injunction.

      • Re: (Score:3, Interesting)

        by langelgjm (860756)

        If true, one would think the MBTA would have little to back up an injunction.

        I'd tend to agree. Though MBTA's argument is that the undergrads aren't disclosing everything, so MBTA can't assess the true threat to their systems, thus why they sought the injunction.

        I'm kind of surprised the undergrads have not disclosed everything to the MBTA. Why wouldn't they? If they are truly interested in improving MBTA's security, they ought to.

        On the other hand, they might be reluctant to do so because of the risk of legal action. I don't have a Charlie Card on me (haven't been in Boston recentl

        • by _xeno_ (155264)

          The CharlieCard (other poster is talking about the paper mag-stripe CharlieTicket) says on the back, and I'll quote:

          • DO NOT PUNCH HOLES IN THIS CARD.
          • Subject to applicable tariff regulations and conditions of use.
          • May be confiscated for misuse.

          Schedule & Fare Information: 617-222-3200 www.mbta.com [mbta.com] ©MBTA

          And that's it. Nothing about them owning the card, although that very vague "subject to ... conditions of use" does seem to imply that they think they do. (What are the "conditions of use?" Who knows! [google.com])

          But whatever you do, do not punch holes in this card. To understand why, you can read this presentation by MIT students that shows what the inside of the card looks like...

  • Life imitating art. (Score:4, Informative)

    by fredklein (532096) on Monday August 11, 2008 @06:44PM (#24561361)

    Which is from Cory Doctorow's "Little Brother", and which from the court documents in this case?

    "Just flash the firmware on a ten-dollar Radio Shack reader/writer and you're done. What we do is go around and randomly swap the tags on people, overwriting their Fast Passes and FasTraks with other people's codes. That'll make everyone skew all weird and screwy, and make everyone look guilty. Then: total gridlock."

    vs.:

    "An attacker uses RFID equipment purchased online to sniff communications between a legitimate CharlieCard and a turnstile. He takes the data back home and executes one of several attacks that exploit the weak Crypto-1 cipher to recover a key. Armed with this key, a high-gain antenna, and RFID equipment, he walks down a crowded street in boston remotely copying the CharlieCards in people's pockets."

    Please, check out 'Little Brother'. FREE for download at http://craphound.com/littlebrother/download/ [craphound.com] , or available at fine bookstores everywhere.

  • Exhibit A (Score:4, Interesting)

    by Thomas Charron (1485) <twaffle@gmail. c o m> on Monday August 11, 2008 @06:45PM (#24561367) Homepage

    The guy who put the report in Exhibit A, along with his email address, it could be added, really, REALLY underestimated the issue I think. Did he really think the public court records wouldn't get out?

    Exhibit A will, I suspect, lead to many, MANY more compromises now than would have happened had they given their presentation.

    What HE released had the specific vulnerabilities they found. He didn't want that data out, and then published it himself!

    • by corsec67 (627446)

      Is it the Streisand effect [wikipedia.org] when the people trying to conceal the information personally publish it in a way that gets more publicity?

      The lawsuit itself would probably lead to a Streisand effect on its own, though.

    • by langelgjm (860756)

      Exhibit A will, I suspect, lead to many, MANY more compromises now than would have happened had they given their presentation.

      You really think so? (Also, I assume you're talking about "Exhibit 1", not "A"). But really, there's nothing that exciting in those few pages. They say they know the algorithm for calculating the checksum on the Charlie Tickets, but they don't disclose it. Then, they discuss a previously known flaw in MiFare Classic.

      I'd say anyone intelligent enough to use the information in that document would have been intelligent enough to find it elsewhere.

  • by Anonymous Coward on Monday August 11, 2008 @06:53PM (#24561453)

    Given the number of security idiocies committed publicly by the Boston authorities, I hope somebody is checking the water supplies in city buildings for some additive that induces mass stupidity.

  • by Wrath0fb0b (302444) on Monday August 11, 2008 @07:14PM (#24561643)

    The court issued a 'temporary restraining order', which is legal-jargon for "don't do anything until we can get a decent hearing". It does not mean that the court has accepted the MBTA's position or even jurisdiction over the case. It is merely a tool* to ensure that neither party can unilaterally change the status-quo just because the courts do not operate 24/7 and are sort of slow (making sure everyone has a chance to speak generally doesn't allow for fast decision making). Rarely does a TRO last more than a week until a preliminary hearing can be held.

    IMO, therefore, even if the MBTA has no case whatsoever (almost certainly true) they are entitled to a TRO for a few days until the court can read (and almost certainly deny) their application for a permanent injunction. I don't see any major damage from having a presentation delayed for all of 72 hours either (note, if we were talking permanent injunction, it would be totally bogus -- that's a different matter entirely).

    * Yes, I'm aware the information was already published on the internet and that it cannot effectively be "recalled". That is not the point -- the MBTA, as any other litigant, has the right to have a court hear their case -- even if they really don't have one.

    • If the presentation is delayed long enough that it cannot be held during a security conference, the damage could be quite major.

    • by mxs (42717)

      IMO, therefore, even if the MBTA has no case whatsoever (almost certainly true) they are entitled to a TRO for a few days until the court can read (and almost certainly deny) their application for a permanent injunction. I don't see any major damage from having a presentation delayed for all of 72 hours either (note, if we were talking permanent injunction, it would be totally bogus -- that's a different matter entirely).

      The damage is, of course, that DEFCON will be over by then. The students were robbed of their speech and presentation. So yes, the MBTA has unilaterally changed the status-quo -- there won't be a DEFCON speech about their vulnerabilities by virtue of the TRO.
      Of course, the information will now get much more widespread circulation, but the undergrads in this matter will never get to present their findings at this DEFCON.

    • Correct, and the (more public) stance both court and plaintiff are taking now (post-TRO) would seem to indicate that both f*cked up in spades, and are actually beginning to appreciate that -- plaintiff by not thinking things through and actually talking to someone who could understand and explain the technical aspects of things, and the court for believing the plaintiff.

      As pointed out, the purpose of a TRO is (was) to *temporarily* freeze the situation until the court can be briefed fully, and make a more reasoned decision.

      But we're running on Internet time now, and Plaintiff did what defendant couldn't have done, which was to disseminate even more information to a wider forum, and generate orders of magnitude more interest in this information than defendant could have done on their own...

      The other thing plaintiffs did in this action -- going for a TRO takes cojones, and a good reputation with the court. As plaintiff, you're going to the court asking them to act preemptively -- to restrain someone who has not yet acted. If the court doesn't believe you, they'll say, "Nah, if you're damaged, you can bring suit." Here, plaintiffs not only didn't understand the situation, but in their filings, they did orders of magnitude more damage to themselves than the action they got the court to enjoin.

      Courts and judges tend to have long memories -- and in this case, they'll most likely remember that these guys were bozos, and evaluate their arguments accordingly.
  • by Deagol (323173) on Monday August 11, 2008 @07:21PM (#24561729) Homepage
    There have been a number of presentations lately that have been silenced by private companies before a conference, either by injunction or under the table (I'm thinking of Apple here). How long before we see conference talks being titled as clearly as most software patents? "Some Group Discusses Some Weakness In Some Company's Software" Tuesday at Defcon. If this gets out of hand, I wouldn't be too surprised if we start seeing some subtle obfuscation of what the true nature of some talks are about.
  • I once saw a documentary about the amount of black box and white box testing which goes on with automated gambling machines in the state of Nevada. This is seriously methodical stuff, and the test plans are pretty much the same for any device.

    It amazes me that these ticket systems, Ohio voting machines, etc. all do not follow that model.

    It's almost as amazing that the state of Massachusetts contracts this out -- apparently without good specs for test requirements. Is the only point in outsourcing to get low

  • Screw the MBTA. (Score:4, Interesting)

    by schmiddy (599730) on Tuesday August 12, 2008 @12:17AM (#24563891) Homepage Journal

    So, I actually have a little bit of sympathy for whichever public servant's ass is on the line right now, worrying he's going to get fired over this flap. Whatever idiots actually implemented the existing Charlie Card system we're stuck with right now might be long gone by now, along with the consultants that actually put this system in place.

    However, as a Boston resident, it's pretty obvious the MBTA has been brought down recently by especially bad mismanagement. We switched 2 years or so ago from plain tokens (one token == one subway ride) to an overly complicated mix of magstripe cards (CharlieTickets) and RFID cards (CharlieCards).

    There was a news story a while back in one of the little free Boston newspapers telling the cost of implementing this new system.. I think it was well into the hundreds of millions of dollars. Enough to pay the existing salaries of the MBTA staff for several years.

    To top it off, the new cards are really just a drag on everyone's time. Anyone who's had to wait 2 minutes in line while getting on a bus for some fool to fumble around trying to load up value onto one of the stored-value CharlieCards knows what I'm talking about.

    I also have a sneaking suspicion that a "feature" of this horrendously expensive, overly complicated system was not only that it would save money through nebulous efficiency improvements (the Charlie Card machines are broken half the time for some reason...) but that it would allow them to make more money by more effectively manipulating the currency. You see, previously, when they would hike up the subway rates, they couldn't stop people from buying $100 of tokens at the old rates just before the rate switch. Now, they can jack up the rates and everyone's forced to pay the new rate.

    So anyway, a little long-winded.. but I can see exactly why the MBTA officials are so worried about this. In addition to being stuck with this crazily complicated, expensive system that's run horrendously overbudget (in addition to the MBTA itself being $100M+ in the red every year somehow, despite having a government-funded monopoly and all sorts of advertising revenue flowing in..), they are now faced with the possibility of college students in Boston buying hacked Charlie Cards and not paying any fare. They're probably scared shitless of this. For the people that said they should just fix their system... I honestly doubt they could, even if they wanted to. We're talking about a system that cost several hundred million $ to put in place, with very little thought about security put in at the beginning. And these are government officials, using god-knows-who for contracting out the maintenance of this system. Working for an agency that's severely in the red, year after year. They don't have a snowball's chance in hell of fixing the system the right way, so they're abusing the courts to keep from being ridiculed in public and fired over the whole fiasco.
