MIT Students' Gag Order Lifted 160
mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days. "Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."
They never signed a non disclosure contract (Score:5, Insightful)
Why would exposing the MBTA's secrets be against the law? Realistically, that's all they've done, they put together a presentation on flaws in their system, security firms do this all the time. Nice to see a judge make the right decision.
Re:They never signed a non disclosure contract (Score:4, Insightful)
Not doing anything about the problem is the most likely course of action at this point. Nice to see that a judge won't be giving out a gag order so easily on someone based on the fact that someone else is not going to do its job (or do it correctly).
Re: (Score:2)
The question is, is there any way to fix the broken system that does not involve replacing the cards and/or equipment (which would be big $$$).
Re: (Score:2, Informative)
Fully correcting the problem is, as you point out, most likely difficult with the systems already in place. On the other hand a lot of corrective measures can be implemented to improve the current systems as well. Many ideas and suggestions were given [slashdot.org] to the MBTA administrators by the group of MIT students.
Simple things to improve physical security require only minimal investment (things like making sure employees lock the doors as they should). That was an important point of their presentation: It's not al
Re:They never signed a non disclosure contract (Score:5, Insightful)
Re:They never signed a non disclosure contract (Score:4, Insightful)
MBTA never contracted them to figure this stuff out neither did DHS provide them a waiver to violate the law. This is no different than any other hacker delivering a list of discovered security flaws to a corporation or government entity. There might be a large crowd of people here on /. (myself included) that believe we have a moral obligation to report vulnerabilities to security. However, the powers that be have deemed that looking is equivalent to exploiting, and/or being accessory to exploiting. This particular incident shouldn't come as a surprise to you.
Re:They never signed a non disclosure contract (Score:4, Insightful)
So the rational response is to simply take away the option of the agency's weak response in similar situations. Set up a system whereby such information can aggressively and anonymously be made public for anyone that is interested, and leak it anonymously to the parties in control of the situation with enough advance for them to reasonably address the issues at hand.
I think this kind of system would be best for several reasons. (1) We already have the technology required to make it happen (thanks EFF!). (2) If it was discovered by benevolent actors willing to give the authorities a heads-up, it's only a matter of time before bad actors discover it for themselves, and this system encourages swift but not unreasonable response times while trucking no BS. (3) If BS ensues anyway and agency-in-question remains paralyzed and unable to cope, the public is made aware of what is now a public safety concern stemming from a systemically broken agency, which requires a solution to deeper issues that the initial security concern.
Part 3 is really the key to making the whole system work—if the people pay government to do a job, and the government screws it up, then this is the part that holds the government accountable to the people. And not in a way that requires people to be proactive...all they have to do is respond rationally by noticing the ridiculous lapse of responsibility and taking action such as not using the compromised system, which will eventually, and organically, snowball into the problem being fixed. And hopefully with enough hullabaloo that we don't allow the new solution to degrade as completely as what it replaced.
Working As Intended (Score:5, Funny)
Of course, this is a victory for the MBTA. They've managed to derail the conference presentation. Objective met.
We all know this will effectively bury the information. Bureaucrats understand that communication is impossible outside of face-to-face meetings. There's nothing that could possibly allow dissemination of this potentially damaging (read: embarassing) information now that the conference is over. Situation handled. Bullet dodged.
Re: (Score:2)
I'm not so sure about that. The conference was "derailed", but all the information that was going to be presented was made available to everyone. Not only that, but there was a tremendous Streisand effect.
Re:Working As Intended (Score:5, Insightful)
agreed on the streisand effect.
i even heard a well written and clearly informed piece on NPR, that discussed the potential constitutional issues and the chilling effect this would have on any security research.
granted NPR doesnt have the distribution of fox or cnn, but its still more mainstream than /.
Re:Working As Intended (Score:4, Informative)
Umm, actually, NPR is heard in more places in the US and on Earth than Fox and CNN. It can also be streamed easily. NPR is also sent through transulator sites to remote parts of the US that extend the reach where no one else goes, like rural Nevada, California, and so on.
AFR and AFN also carry a lot of NPR, and news feeds also extend to the CBC, BBC, RCI, and other sites/broadcasters as well. The news is out. As it should be.
Re: (Score:2)
do you mean 'can be heard' or 'has more listeners'?
its distribution may be larger, but i suspect that the tv channels have a larger mindshare.
not being a radio/tv exec, i dont exactly have those numbers laying around.
Re: (Score:2)
TV channels don't necessarily have more 'mindshare', but we won't quibble. NPR has a wider reaching audience as it's radio. Fox and CNN aren't strongly into radio markets, rather TV. This major difference is the crux of my remark. Additionally, NPR's audience reach is farther. Demographically, it's also larger, and in terms of international radio broadcasters, it has a large reach largely due to AFN. VoA is somewhat different, of course-- as are its motives.
Re:Working As Intended (Score:5, Funny)
*whoosh*...
Re: (Score:2)
Yes, you are an idiot.
Re: (Score:3, Funny)
Of course if there had been an Ignignokt [wikipedia.org] slide they would've all been shot.
Good Call (Score:5, Insightful)
It looks like the judge made a pretty good call in this case. What he really rejected was the MTBA lawyers' assertion that it was an act prohibited by the law, and not exposing the agency's incompetence.
Really, bugs aren't fixed by just hiding them.
FTA:
MBTA said in documents filed with the court said that fixing the security flaws would take five months. ("Students have the ability to cause significant harm to the CharlieTicket system, during the roughly five-month window that remedial actions will require.")
Actually, the fact that they implemented a seriously flawed system is the problem, and the students' bringing it to light may suck for MBTA. The proper solution is for them to fix their system and, if necessary, sue the vendor for the costs.
Re: (Score:3, Insightful)
And the judge before him quite plainly made a bad call. A gag order in this situation is quite plainly unconstitutional, yet there's no recourse for the victims of that ruling. This is a fundamental problem with our system.
Speak Anyway (Score:2)
Re: (Score:2)
If you're willing to gamble that it will later be found invalid...
Re: (Score:3, Informative)
Re:Speak Anyway (Score:4, Informative)
The Federal courts have made it quite clear that you must obey an injunction, even if it is ultimately overturned on appeal.
Re:Speak Anyway (Score:4, Insightful)
So you essentially have no freedom at all. Great.
This is why the courts should never be allowed to hear aspects of cases which hinge around the extents of the court's authority.
What's the objective difference between an unlawful order and one which is based upon shakey facts which are later found to be untrue?
To put it another way:
There must be 'facts', and there must be a law which allows an injunction given those 'facts'. What's the difference between an order which is issued without any basis in law, and one which is issued wrongly because the 'facts' were wrong.
If judges are free to issue orders which are in defiance of the law, and have higher courts uphold contempt judgements against people for disobeying those orders, there is no rule of law. Just petty tyrants with essentially unlimited power.
An example. A judge orders you to stop breathing. This is clearly not a lawful order. You appeal to a higher court, and 24 hours later sucessfully overturn it. In the mean time (let's assume that you don't choose to asphyxiate yourself), you've breathed many hundreds of times. The first judge finds you in contempt. The higher court supports the contempt ruling because you must obey an injunction until it's overturned and you go to prison. Either you're wrong, or the system is very broken. I hope it's the former (nothing personal).
Re: (Score:2)
Well who else is going to do it? That's the first question a judge asks, "do I have subject matter jurisdiction here?"
If judges are free to issue orders which are in defiance of the law, and have higher courts uphold contempt judgements against people for disobeying those orders, there is no rule of law. Just petty tyrants with essentially unlimited power.
And if people ar
Re: (Score:2, Insightful)
I don't have an answer to the first question, but it's plain common sense that a person who has a vested interest in a decision going one particular direction should not be allowed to make that decision.
A judge may ask that question first, but there have been numerous examples where any objective observer will quickly conclude 'no', but the judge has decided 'yes' instead.
Re:Speak Anyway (Score:5, Insightful)
A judge has no vested interest in a decision going one particular direction or another. They're not paid by the case. If they find they don't have jurisdiction, they'll deny the application for the restraining order and move on to the next case.
I never said that they should be free to disregard them because they think they're unlawful, I say they should be free to disregardthem because they are unlawful. I agree that to allow someone to stand up and say "I didn't obey the order because I didn't think it was lawful" and have the appeal judge reply "oh, well, if you thought it was unlawful that's ok then" would be a nonsense. But for someone to be able to stand up and say "I didn't obey the order because it was unlawul, here's why..." and have the appeal judge reply "you're right, that was unlawful, no charge to answer" is plain common sense.
The Supreme Court addressed that issue in Walker v. City of Birmingham, holding that "in the fair administration of justice, no man can be judge in his own case, however exalted his station, however righteous his motives, and irrespective of his race, color, politics, or religion. This Court cannot hold that the petitioners were constitutionally free to ignore all the procedures of the law and carry their battle to the streets. One may sympathize with the petitioners' impatient commitment to their cause. But respect for judicial process is a small price to pay for the civilizing hand of law, which alone can give abiding meaning to constitutional freedom." In Howat v. Kansas the Court held "An injunction issued by a court of general jurisdiction and equity powers upon proper pleadings and served upon parties within the jurisdiction must be obeyed, even if erroneous and based upon an invalid statute, until set aside by orderly review."
And the law of the land, whether you agree with it or not, is that gag orders aren't automatically unconstitutional. You're always going to be able to come up with arguments as to why the injunction is invalid; it's up to the trial judge to decide how convincing those arguments are, and he or she is the one issuing the injunction. If you think you
It's a question of balancing; is it more important to promote the rule of law by requiring people to obey court orders until they're vacated, or is it more important to ensure that absolutely, positively nobody is ever imprisoned for a wrongful contempt charge. The courts pick the former, and I have to say I agree with them. You obviously believe in the latter, which is your right, and if you feel that strongly about it you should petition your representative to pass a law to fix the problem.
And though it may offend your sense of physics-like consistency, in City of Birmingham the Court implicitly recognized that where an injunction on its face is completely and transparently invalid (like your enjoined-from-breathing example), then you don't have to follow it.
I wasn't trying to argue that was in any sense a lawful order. Constitutional issues could get it overturned, but if defendant Smith is still bound to follow it until it's overturned, he's still going to prison or the morgue.
Or, far more likely, suffer a few fines. I think a Court is far more likely to find civil contempt in this case. And I'm not sure where you're getting the morgue from. But yes, in the end, it IS possible that someone may be briefly imprisoned due to the wrongful acts of an overbearing judge. Just like you may be briefly imprisoned due to the wrongful acts of an overbearing police officer. It's not a sign of a broken system unless you have no way to get out of jail. Fortunately, there are safeguards built into the system that will help you, for example habeas corpus writs. If you are enjoined from breathing, you may be
Re: (Score:2)
In what way is it unconstitutional?
Re: (Score:2)
Re: (Score:3, Insightful)
Prior restraint is a violation of the first amendment protection of free speech.
Re: (Score:2)
SCOTUS determined prior restraint unconstitutional a long time ago. Given the the case where they determined this involved the workings of a hydrogen bomb, exposing a flawed payment system doesn't even come close to justifying an override. And since MTBA is a government organization, the usual corporate protections don't apply.
That said, the first judge made the right decision, which is a very temporary restraining order to allow time to determine what is really going on. MTBA played the system by waitin
Re: (Score:2)
You can't just walk into court and enjoin somebody from doing something.
Apparently you can, because the MBTA did. DEFCON is over and the damage is done.
To get an injunction, you have to establish two things:
(1) The law authorizes the injunction based on the facts you have; and
(2) The constitution does not bar you from getting that injunction.
Yet the judge issued the injunction without either, and like I said, there's absolutely no recourse against this incompetent judge.
Section 1983 can provide recourse (Score:3, Interesting)
They could counter-claim if the MBTA keeps up its suit or file on their own if it is dismissed.
Sure is it just cash damages (including attorneys fess) but it is recourse
Re:Good Call (Score:5, Interesting)
MBTA said in documents filed with the court said that fixing the security flaws would take five months.
I'd love to know how they plan on fixing it. The problem is that, rather than paying for the MIFARE cards with working encryption (3DES or AES) they went with the cheapest system which uses custom 48-bit encryption.
Short of replacing every single CharlieCard in existence, there is no fix.
What the MIT students did that went beyond cracking the MIFARE encryption was to reverse engineer what data was stored on the card.
Which means, knowing the T, that the "solution" will likely be to rearrange the data and continue using the same weak encryption, while lobbying for a new state law that makes reverse engineering illegal.
Card Cost? (Score:2)
Replacing all of the cards should be a minimal cost compared to, say, paying for one day's worth of fuel or employee health insurance.
Re: (Score:2)
I wonder if they'll clue in to the fact that reverse engineering is a fundamental part of their high tech industry.
Nah...
Re: (Score:2)
The real question is how many people will bother getting a magnetic card writer de-encrypt the card, and rewrite their card just to ride the T. Unlike say an internet vulnerability you can get a small group of people causing huge problems, Unless they start selling these things on ebay or whatnot it is rather labor intensive and expensive to be to a dangerous level.
The bigger issue... (Score:5, Interesting)
The bigger issue here is how they're going to determine which Charlie cards are legit and which aren't. They can't exactly tell someone with, say, $20 on a charlie card that their money's gone.
Someone could easily get a bunch of charlie cards, put random amounts of money between, say, $20 and $25 (random so that there's no clear pattern which cards are faked and which legit) and then sell to people on the street. $5 for a charlie card with at least $20 on it.
Heck, it probably wouldn't be that hard to convince the buyers that it was legit. "Hey man, my niece was staying here last week and put too much money on this card... It's got over $20 on it, I'll give it to you for $5."
Re: (Score:2)
Selling lots of cards below cost is a good way to attract the attention of the police and get put in jail.
This recently happened in Washington, DC. Some clever people figured out how to replicate fare cards. The way they did it, it would have been essentially impossible to catch them. But they didn't want free travel, they wanted cash, so they started selling the replicated cards. At that point the police caught on to what they were doing and now they're in prison.
Re: (Score:2)
Not if you do it right. Find someone in college/schools, approach them to sell the cards for you, and split the difference.
You clearly have not sold drugs before?
Re: (Score:2)
48-bit card also deployed/cracked in Holland (Score:2, Informative)
Funny this came up. EXACTLY the same debacle has unfolded here in the Netherlands with the card
scheme for the nationwide metro/train/tram system intended to replace the paper ticket system still
in use today. (company NS - www.ns.nl).
Suffering from the universal upper management tendeny toward self-harm through compulsive
obsession with the bottom-line, they ignored whitepapers signed by the senior technical staff
begging them to go with 3DES and AES. A couple of weeks after the (limited) trial roll out the
car
Re: (Score:2)
The article I read said 6 bit encryption... 64 possibilities.
6 bit encryption (Score:3, Funny)
The article I read said 6 bit encryption... 64 possibilities.
64 possibilities ought to be enough for anyone.
What?
Re:Good Call (Score:5, Informative)
You were reading about the CharlieTicket, a paper card with a magnetic stripe. The data on them was found to be unencrypted and "protected" by a 6-bit checksum.
The CharlieCard, on the other hand, is a MIFARE Classic card [wikipedia.org]. It uses a shared secret key which the card and reader use to authenticate each other. This key was discovered to be 48 bits long.
Re: (Score:2)
It looks like the judge made a pretty good call in this case. What he really rejected was the MTBA lawyers' assertion that it was an act prohibited by the law . . .
Interesting that the judge waited this long. He could have lifted the TRO days ago when the EFF lawyers first appeared in court. The judge really gave MBTA every opportunity to come up with something.
And they had nada.
Re:Good Call (Score:5, Interesting)
In this case, yes.
The vendor has been selling a flawed system, both in design and implementation. Car manufacturers can't use incompetence as an excuse when their cars explode, and the vendor can't either.
In fact, the vendor has known about the flaws for quite some time, but has not fixed them (nor disclosed them).
It sounds to me like they deserve to be sued for damages.
You're right that we evil hackers are going to find ways around it anyways, but in this case, the vendor is grossly negligent, and the MBTA is trying to blame the people who found the problem, rather than the ones that created it.
Re: (Score:2)
Mod parent up.
While I dislike public money going to a bloated legal system, it's about time we lost the shield of protectionism around companies selling broken products to the government under false promises. A 1 billion dollar project should remain a 1 billion dollar project, not bloat out to 10 billion. A secure card system with fundamental known security flaws should not fall to the public to pay for.
We get milked out of countless dollars due to contractors making unrealistically lowball price quotes,
HA! (Score:5, Funny)
Yeah - real successful law that.
Re: (Score:2)
That's why we don't have worms and viruses any longer.
Bad Lawyers? (Score:5, Funny)
Lawyers for the MBTA claimed Tuesday they had proof the students had violated the law, but stopped short of specifying what they did.
Wow, I can just see these lawyers:
Lawyer: "They broke the law. We have the proof."
Judge: "What is your proof?"
Lawyer: "Um, they...uh, yeah, they just broke the law."
Re: (Score:2)
Well, the third slide of their presentation [mit.edu] jokes about hoping their talk isn't "evidence in court", and the fifth slide proudly trumpets, "AND THIS IS VERY ILLEGAL!"
I realize that here on slashdot, its fashionable to always err on the side of disclosure in the face of any other concerns, and I can certainly argue myself for the benefits of talking about such issues instead of sweeping them under the rug and pretending they don't exist; the notion that if these students can figure it out, anyone can.* Indee
Re: (Score:2)
Well, the third slide of their presentation jokes about hoping their talk isn't "evidence in court", and the fifth slide proudly trumpets, "AND THIS IS VERY ILLEGAL!"
None of which establishes that they did anything illegal.
"Here's how to grow marijuana - remember, it's illegal!" is VERY different from "I grew marijuana".
Re: (Score:2, Interesting)
It ALL depends on the context. If I tell somebody how to grow marijuana (even with the silly disclaimer), and I have the intent to help them grow marijuana, then I have committed the crime of growing marijuana under an accomplice theory (assuming that it is a crime).
Another example: If I'm standing in a crowd telling one person how to kill another person, and I intend for the killing to happen, and if the killing does in fact happen, then I committed murder under an accomplice theory. Mob bosses have con
Re: (Score:2)
So why aren't the editors of High Times under lock and key? Why do head shops even exist?
There's a limit to how close you can be and still be called an accomplice. There's a reason they didn't disclose the key (or rather, weren't going to in the public presentation). It's the difference between "Here's a lock, and here's how to pick it" and "Here's a lock, here's how to pick it, and here are the tools".
Re: (Score:2)
However, there is a balance; namely, that entities, even (especially?) public entities providing infrastructure and transportation services, don't like their vulnerabilities paraded around for all to see.
Sucks to be them; I don't like paying my mortgage, but I like living in a house.
Has anyone ever considered that public agencies are pulled in n different directions -- including financially and technically -- and sometimes the solution that comes out at the end is simply making the best of what imperfect resources they've got?
It's occurred to me that this is Boston, and they're probably just cheap.
When the presenters themselves are not even hiding the questionable legality of what they demonstrate -- even though it's just "talk", like "talking" about how to kill someone with poison, as opposed to doing it -- speech has consequences, and sometimes those consequences will result in things like temporary injunctions, and agencies who serve at the pleasure of the people trying to protect what semblance of security they're able to hold together.
Why would you grant an injunction (prior restraint) for something trivial like this when publishing bomb plans and advice on how to get away with murder is protected speech?
just because they can figure something out, it doesn't at all mean "anyone can".
Fine, substitute 'any group of 10,000 people has someone who can'. We have 30,000 of those in this country.
Re: (Score:2)
Last I looked, municipalities have limited abilities to raise funds. If they need more money it means spending less somewhere else (which will gore some oxen) or raise taxes and fees (which will gore others). I know I don't vote to approve every bond issue, sales tax increase, or property tax surcharge that gets proposed in my city, and I imagine that might just be true for a majority of voters in Boston.
Ev
Re: (Score:2)
Re: (Score:2)
I couldn't afford ethyl alcohol, so I just drank rubbing alcohol.
Sometimes doing the cheap thing is worse than doing nothing, and much worse than doing the correct thing.
Should Doctors Not Talk About Medicine? (Score:5, Insightful)
You actually make a really good point; what about poison? If one were to discover a poison or pathogen that might kill a human, were it to be utilized or delivered, along with the reasons why and the possible delivery methods, no one would object to sharing that information with doctors.
Further, no one would claim that you were doing something illegal by spreading that information. Ironically, nor would anyone blame the human body for having that weakness; it wasn't planned for, developed around, whatever.
The fact of the matter is that the system is there, it's vulnerable, and we know how it's vulnerable. There is no convincing reason to try and quash that knowledge - if that is even possible. It is immaterial that it took bright people to figure it out. It is immaterial that without a fix money might be lost. What is material is recognizing things for what they are and reacting to the truth of the situation, not trying to maintain a status quo.
And that is why it's perceived that the MBTA is in error here; they're trying to live in a world where the exploit doesn't exist. But that world itself does not exist.
Re: (Score:2)
These are very bright people, and just because they can figure something out, it doesn't at all mean "anyone can...
Branch corollary: Just because you can do something, doesn't mean you should.
Re: (Score:2)
Lawyer: "They broke the law. We have the proof." ...."
Judge: "What is your proof?"
Lawyer: "Well, thinking about breaking the law is a KIND of proof
$5000 worth of damages? (Score:5, Insightful)
That's an interesting argument...
Does a mechanic cause $5000 worth of damage when he points out that your axle is broken and needs replacement?
Can you cause damage to a system that has intrinsic vulnerabilities?
Obviously people taking advantage of disclosed vulnerabilities should be punished under applicable laws (as with simple copyright violation) for whatever damages they caused, but I tend to agree that you can't really pin damages on the discloser.
Now some other b.s. charge about reckless endangerment or speech issues, but probably not damages.
--Robert
Re: (Score:3, Interesting)
Does a mechanic cause $5000 worth of damage when he points out that your axle is broken and needs replacement?
Well, how about if your car had a very bad and insecure locking and starting mechanism, and your mechanic told all your neighbours how to get in and start your car?
:/
Don't get me wrong, I think the gag order was probably stupid - I don't know the whole whole story...
But I do think your analogy is somewhat flawed.
Re: (Score:3, Insightful)
His analogy may be flawed, but yours is too!
If your mechanic said your axle was broken and you refused to fix it, in PA, he would refuse to give you an inspection sticker - thus telling everyone in the public that you're too much of a tool to fix your broken stuff. Same principal.
Re: (Score:2)
Re: (Score:2, Funny)
Does a mechanic cause $5000 worth of damage when he points out that your axle is broken and needs replacement?
Only if he hurts your axle's feelings.
Re: (Score:2)
I think a better analogy would be writing a book [wikipedia.org] that exposes the reluctance of the auto industry to invest in the safety of their product and their complicity in the deaths of tens of thousands of motorists.
Win the battle but lose the war! (Score:5, Interesting)
Win the battle, lose the war
Re: (Score:3, Interesting)
Except the information still got out, through several means, got more press attention that it would have received otherwise, and made them look like morons.
They lost the battle, the war, and a fair amount of blood.
Re: (Score:3, Insightful)
I'd say that this is more the other way around: Lose the battle, but win the war.
Re: (Score:3, Insightful)
If only there was some way to disseminate information to a technical audience across long distances electronically...
Re: (Score:2)
too bad those neophytes that go to Defcon have no way to communicate with computers~
Re: (Score:2)
Hell, they even made it worse with their submission of their own checksums and attached to the court documents, placing them under public purview. That wouldn't have been released if they hadn't used the law as incompetently as they created their systems. It's like the Streisand Effect x2.
I wish criminals were as stupid as our politicians.
Incredibly dumb (Score:4, Insightful)
The general tone here seems to be that the only security that is worth anything is unbreakable and it is the responsibility of the implementer to make sure any system is secure against attacks. Well, sorry but your front door lock is clearly defective by those standards. As is every single door lock the world over.
See, the security really only needs to be "good enough". What is that? Well, for a front door lock it is enough to keep homeless people out of your house. A determined thief might be able to defeat it in less than a minute but it isn't intended for that - the really determined thief might use a chainsaw to get in just as easily.
The transit system was designed to validate cards and the so-called "security" is probably more of a validation measure rather than a defense against attacks. The idea that attacking the transit system should not be done and should be illegal seems to have gotten lost. What has happened is now the door is open for anyone to duplicate this work and ride free.
So what is the transit system supposed to do? Revamp the entire system at a cost in the millions? Ignore it and hope nobody ever uses this information? I suspect neither is going to happen, but the most sensible outcome would be to replace automation with human ticket agents. Unlikely to happen. I'd guess that millions of dollars will be spent to implement an utterly new, slightly more secure, different system that requires every single piece of hardware and software to be replaced. Which will then be "cracked" within a few months and the details made available to everyone that wants to ride free. The endgame is probably closing the transit system because by its nature it cannot be made completely secure.
I doubt there is an attack-proof and cost-effective solution to the "problem" that is user-friendly and reasonable for a transit system. Why are we so hell-bent on breaking down society that we can't have people just use and pay for a transit system?
Re:Incredibly dumb (Score:4, Insightful)
Guess what? If you give a presentation about how vulnerable standard front door locks are, and exactly how you can defeat them, nobody is going to put a gag order on you.
You are entirely within your rights to deploy an insecure system. But other people are entirely within their rights to talk about just how insecure your system is, and what its vulnerabilities are.
You don't get better locks by burying the information about how bad the existing ones are.
Re:Incredibly dumb (Score:5, Interesting)
Stop using the locked door analogy with computers, it doesn't work and shows a serious lack of understanding about computer systems. In short: you look like an idiot to everyone who knows better.
This security is not 'good enough' becasue it can be tried easily and repeatably many times in a night.
To use your own stupid ass analogy:
If a person could rob every house in one night, door security would need to be a hell of a lot tougher.
And if you claimed that the doors you sell where secure, then people should know when there not.
They can add a real layer of encryption on the card. You wouldn't need to replace the whole system for this.
You could go towards a cash despencer. You could go to an ATM card.
Funny thing is, this will probably turn out to be a non issue since most people won't do this, and anybody doing it for cash will get caught eventually. The few people who do it just to get themselves free rides won't amount to much.
The biggest person inconvenienced will be accountants when there books don't balance. Even then they will find an acceptable amount to chalk up to free rides and just apply it at the end of the accounting period.
"Why are we so hell-bent on breaking down society that we can't have people just use and pay for a transit system?"
We're not. What we want is to force corporation to have to take security seriously. This is a design flaw and the company the made it should be stuck with the bill to fix it.
Re: (Score:2)
Why are we so hell-bent on breaking down society that we can't have people just use and pay for a transit system?
Some people are too poor to pay for public transportation, like graduate students, and the homeless. They are the ones more likely to turn to this solution. For others, it is easier and less risky just to pay.
Nobody is "hell-bent" on breaking down society. They just behave in the ways that reward them.
You obviously don't think like an economist.
Re: (Score:2)
Why are we so hell-bent on breaking down society that we can't have people just use and pay for a transit system?
"We" aren't. Most people don't understand the attack involved, are too lazy to learn about it, and are honest (or fearful of prosecution) enough that they wouldn't exploit it even if they could.
What people are upset about is that the transit authority tried to suppress the students from announcing that the emperor had no clothes. If you want to go out naked, fine, but don't get sue-happy when som
Free Security Analysis (Score:2, Funny)
Gee, the MBTA had the students turn over not only their slide deck but a 30 page analysis of the security flaws. Most firms would end up paying something approaching the 6 figure range for a detailed security vulnerability analysis like that, they get it for free. AND sue the students. It's a win-win for incompetent government bureaucracy!
without the gag order i'd never seen it (Score:3, Insightful)
The funny thing is, without the gag order, it might not have appeared on /., the presentation might not have been posted in the comments and i would have never read it. So this kind of "gag" orders are fine with me, as long as it's "no talking" only. I can read myself :-)
There's a name for that . . . (Score:2)
The Streisand Effect [wikipedia.org].
Advertising-By-Litigation (Score:2)
Personally, I think that the judge should have commended the students for taking the initiative to test the security of a public sysem thanked them for bringing it to the publics attention. Plus, he should have laid into the MBTA for trying to sweep the whole thing under the rug.
This sort of thing is inevitable: Every time a human designs a system to the best of their abilities, they should always be open to the findings of other humans who test their system. Human systems are ever-evolving technologies tha
Re:They can't hold their talk now, can they? (Score:5, Insightful)
No clue. Litigation tends to be the last refuge of the incompetent.
Re: (Score:2)
Query: What exactly was the flaw under dicussion?
Re: (Score:3, Funny)
Query: What exactly was the flaw under dicussion?
Question: Why do you prefix your questions with query?
Statement : I find it sorta redundant.
Re:They can't hold their talk now, can they? (Score:5, Funny)
I find people saying "Can I ask you a question?" is worse.
My response is often "You just did."
And of course they immediately say "Can I ask you another question?" to which you reply "You just did."
Finally they say "Can I ask you 2 questions?"
And having already identified yourself as a jerk you say "No."
Re: (Score:2, Funny)
I tend to do the "You just did, and in doing so you have used up your quota for the day. Try again tomorrow."
I usually don't stick to it, unless they're really annoying.
In fairness, I'm adding a word... (Score:2)
Question: so what am I doing here?
What you just did.
Re: (Score:2)
How about: "I am not taking questions at this time, and furthermore, I demand reparations for the query already posed."
Re:They can't hold their talk now, can they? (Score:5, Informative)
Both the magnetic stripe card and the chip card used for electronic payment of public transport fares in Boston are flawed and allow several types of attacks which result in free rides. The hack of the chip card is an implementation of an older, less exploitative hack of the Mifare classic chip which is used in many public transport systems and other prepaid applications all over the world.
Re: (Score:2)
Thank You.
Media contained much hullabaloo about the flaw, but no clear explanation of what was the nature of the flaw...till now.
And to the other posters: I considered my way of phrasing the interrogative clear and unmistakable English. If it was not, then I apologize for any confusion.
Re:They can't hold their talk now, can they? (Score:5, Funny)
Your English is both clear and unmistakable. That may have been your problem. Next time, consider adding in an inane meme, such as:
"Imagine a beowulf cluster of MBTAs!"
or
"The MBTA is not a big truck. It's a series of tubes!"
Also, consider to add several speling and/or grammatical error. This will lend to the impression that you are either a caffeine-soaked systems engineer who has been sitting in front of a terminal for eighty straight hours, or a semi-literate American of the species cellarcola nerdus, both of which are held in high regard here.
Accordingly, the dialect best suited to effective communication on slashdot is lolspeak. [speaklolspeak.com]
Re:They can't hold their talk now, can they? (Score:4, Insightful)
Here is evidence that a low UID does not insure a clear mind.
Maybe you should have said "frivolous" litigation is the last refuge of the incompetent"?
Litigation is one of pillars which holds up a Rule of Law and provides some path to fairness and justice in a free society. Considering the startling consolidation of social power in the hands of corporate ownership and authoritarian fanatics, you may yet see what it's like to live in a society without litigation. I guarantee you're not gonna like it, Ukab.
Re: (Score:2)
Protracted litigation is only possible with enough money. And who has that kind of money besides corporate owners and authoritarian fanatics?
Re: (Score:2)
That's not a low UID. lol.
Re: (Score:2)
And that's why Justice is blind. The incompetent actually does have rights! Unfortunately.
Re:good (Score:5, Informative)
Actually, if you had access to PACER, you could read the version of the presentation the students gave to the MBTA, including the secret key and a few other details that the MIT students were intending to leave out of the DEFCON presentation.
IOW, the information is already leaked, and it was the MBTA that leaked it.
I use the past tense above because I don't have access to PACER and I very much hope they got around to censoring that bit of info from the MBTA's submissions.
Re:good (Score:5, Informative)
They did not.
http://government.zdnet.com/?p=3942 [zdnet.com]
Re: (Score:2)
I think they should go ahead and give their presentation and include the events of the past week in it. In 2006, Steve Rambam was arrested by the FBI minutes before he was to give his "Privacy is Dead" presentation at the HOPE conference. Of course, the charges were dropped - after the conference was over.
He went ahead and gave his presentation [hopenumbersix.net] a couple of months later.
I am also reminded of the Russian hacker Dmitri Sklyarov [wikipedia.org], who was prevented (by way of a
Re: (Score:2, Informative)
meant to be delivered to people, and was not a computer-to-computer 'transmission.'
The failed point was that the communicaiton in question was from one person to another, and not from one computer to another.