Forgot your password?
typodupeerror
The Courts Government Security News

MIT Students' Gag Order Lifted 160

Posted by kdawson
from the common-sense-descends dept.
mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days. "Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."
This discussion has been archived. No new comments can be posted.

MIT Students' Gag Order Lifted

Comments Filter:
  • Re:good (Score:5, Informative)

    by Dogun (7502) on Tuesday August 19, 2008 @03:33PM (#24663171) Homepage

    Actually, if you had access to PACER, you could read the version of the presentation the students gave to the MBTA, including the secret key and a few other details that the MIT students were intending to leave out of the DEFCON presentation.

    IOW, the information is already leaked, and it was the MBTA that leaked it.

    I use the past tense above because I don't have access to PACER and I very much hope they got around to censoring that bit of info from the MBTA's submissions.

  • by Anonymous Coward on Tuesday August 19, 2008 @03:48PM (#24663431)

    Both the magnetic stripe card and the chip card used for electronic payment of public transport fares in Boston are flawed and allow several types of attacks which result in free rides. The hack of the chip card is an implementation of an older, less exploitative hack of the Mifare classic chip which is used in many public transport systems and other prepaid applications all over the world.

  • by postbigbang (761081) on Tuesday August 19, 2008 @04:05PM (#24663697)

    Umm, actually, NPR is heard in more places in the US and on Earth than Fox and CNN. It can also be streamed easily. NPR is also sent through transulator sites to remote parts of the US that extend the reach where no one else goes, like rural Nevada, California, and so on.

    AFR and AFN also carry a lot of NPR, and news feeds also extend to the CBC, BBC, RCI, and other sites/broadcasters as well. The news is out. As it should be.

  • Re:good (Score:5, Informative)

    by Ortega-Starfire (930563) on Tuesday August 19, 2008 @04:25PM (#24663987) Journal

    They did not.

    http://government.zdnet.com/?p=3942 [zdnet.com]

  • Re:Speak Anyway (Score:3, Informative)

    by harlows_monkeys (106428) on Tuesday August 19, 2008 @05:01PM (#24664423) Homepage
    It wasn't an invalid order.
  • by Anonymous Coward on Tuesday August 19, 2008 @05:16PM (#24664613)

    Funny this came up. EXACTLY the same debacle has unfolded here in the Netherlands with the card
    scheme for the nationwide metro/train/tram system intended to replace the paper ticket system still
    in use today. (company NS - www.ns.nl).

    Suffering from the universal upper management tendeny toward self-harm through compulsive
    obsession with the bottom-line, they ignored whitepapers signed by the senior technical staff
    begging them to go with 3DES and AES. A couple of weeks after the (limited) trial roll out the
    card was cracked and an infinitely loadable version created and demoed by white/grey hats.

    This is somewhat ironic as the Netherlands is one of the world largest suppliers of smart card
    technology, and in Europe this is (was?) considered a "specialty" of theirs...

    It also doesn't help that the company NS (Nederlandse Spoorweg or "Dutch Platform") is
    made of epic fail, but that's a rather long & distinctly boring story.

    Sorry for the AC, posting from friend house
    can't remember passwd (y i let ffox remeber
    it for me v bad i know..)

  • by gnarlyhotep (872433) on Tuesday August 19, 2008 @05:22PM (#24664711)
    For the love of Aphrodite's heaving bosom, do you read entire sentences?

    meant to be delivered to people, and was not a computer-to-computer 'transmission.'

    The failed point was that the communicaiton in question was from one person to another, and not from one computer to another.

  • Re:Speak Anyway (Score:4, Informative)

    by nomadic (141991) <nomadicworldNO@SPAMgmail.com> on Tuesday August 19, 2008 @05:39PM (#24664931) Homepage
    Contempt of an invalid order doesn't stand, does it?

    The Federal courts have made it quite clear that you must obey an injunction, even if it is ultimately overturned on appeal.
  • Re:Good Call (Score:5, Informative)

    by _xeno_ (155264) on Tuesday August 19, 2008 @06:34PM (#24665513) Homepage Journal

    You were reading about the CharlieTicket, a paper card with a magnetic stripe. The data on them was found to be unencrypted and "protected" by a 6-bit checksum.

    The CharlieCard, on the other hand, is a MIFARE Classic card [wikipedia.org]. It uses a shared secret key which the card and reader use to authenticate each other. This key was discovered to be 48 bits long.

  • by geogob (569250) on Wednesday August 20, 2008 @12:50AM (#24668871)

    Fully correcting the problem is, as you point out, most likely difficult with the systems already in place. On the other hand a lot of corrective measures can be implemented to improve the current systems as well. Many ideas and suggestions were given [slashdot.org] to the MBTA administrators by the group of MIT students.

    Simple things to improve physical security require only minimal investment (things like making sure employees lock the doors as they should). That was an important point of their presentation: It's not all about hacking the card system or equipment.

The universe does not have laws -- it has habits, and habits can be broken.

Working...