MIT Students' Gag Order Lifted 160
mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days. "Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."
Re:good (Score:5, Informative)
Actually, if you had access to PACER, you could read the version of the presentation the students gave to the MBTA, including the secret key and a few other details that the MIT students were intending to leave out of the DEFCON presentation.
IOW, the information is already leaked, and it was the MBTA that leaked it.
I use the past tense above because I don't have access to PACER and I very much hope they got around to censoring that bit of info from the MBTA's submissions.
Re:They can't hold their talk now, can they? (Score:5, Informative)
Both the magnetic stripe card and the chip card used for electronic payment of public transport fares in Boston are flawed and allow several types of attacks which result in free rides. The hack of the chip card is an implementation of an older, less exploitative hack of the Mifare classic chip which is used in many public transport systems and other prepaid applications all over the world.
Re:Working As Intended (Score:4, Informative)
Umm, actually, NPR is heard in more places in the US and on Earth than Fox and CNN. It can also be streamed easily. NPR is also sent through transulator sites to remote parts of the US that extend the reach where no one else goes, like rural Nevada, California, and so on.
AFR and AFN also carry a lot of NPR, and news feeds also extend to the CBC, BBC, RCI, and other sites/broadcasters as well. The news is out. As it should be.
Re:good (Score:5, Informative)
They did not.
http://government.zdnet.com/?p=3942 [zdnet.com]
Re:Speak Anyway (Score:3, Informative)
48-bit card also deployed/cracked in Holland (Score:2, Informative)
Funny this came up. EXACTLY the same debacle has unfolded here in the Netherlands with the card
scheme for the nationwide metro/train/tram system intended to replace the paper ticket system still
in use today. (company NS - www.ns.nl).
Suffering from the universal upper management tendeny toward self-harm through compulsive
obsession with the bottom-line, they ignored whitepapers signed by the senior technical staff
begging them to go with 3DES and AES. A couple of weeks after the (limited) trial roll out the
card was cracked and an infinitely loadable version created and demoed by white/grey hats.
This is somewhat ironic as the Netherlands is one of the world largest suppliers of smart card
technology, and in Europe this is (was?) considered a "specialty" of theirs...
It also doesn't help that the company NS (Nederlandse Spoorweg or "Dutch Platform") is
made of epic fail, but that's a rather long & distinctly boring story.
Sorry for the AC, posting from friend house
can't remember passwd (y i let ffox remeber
it for me v bad i know..)
Re:When did we stop being people? (Score:2, Informative)
meant to be delivered to people, and was not a computer-to-computer 'transmission.'
The failed point was that the communicaiton in question was from one person to another, and not from one computer to another.
Re:Speak Anyway (Score:4, Informative)
The Federal courts have made it quite clear that you must obey an injunction, even if it is ultimately overturned on appeal.
Re:Good Call (Score:5, Informative)
You were reading about the CharlieTicket, a paper card with a magnetic stripe. The data on them was found to be unencrypted and "protected" by a 6-bit checksum.
The CharlieCard, on the other hand, is a MIFARE Classic card [wikipedia.org]. It uses a shared secret key which the card and reader use to authenticate each other. This key was discovered to be 48 bits long.
Re:They never signed a non disclosure contract (Score:2, Informative)
Fully correcting the problem is, as you point out, most likely difficult with the systems already in place. On the other hand a lot of corrective measures can be implemented to improve the current systems as well. Many ideas and suggestions were given [slashdot.org] to the MBTA administrators by the group of MIT students.
Simple things to improve physical security require only minimal investment (things like making sure employees lock the doors as they should). That was an important point of their presentation: It's not all about hacking the card system or equipment.