Slashdot Log In
MIT Students' Gag Order Lifted
Posted by
kdawson
on Tue Aug 19, 2008 03:22 PM
from the common-sense-descends dept.
from the common-sense-descends dept.
mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days. "Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."
Related Stories
[+]
Massachusetts Sues to Halt Defcon Subway Hacking Talk 270 comments
According to CNET, "The state of Massachusetts has asked a federal judge for a temporary restraining order preventing three MIT students from giving a presentation on Sunday about hacking smartcards used in the Boston subway system." It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas. Update: 08/09 20:57 GMT by T : "Too late," says reader Bluey: "Injunction was already granted."
[+]
IT: EFF To Appeal Court Order Vs. Subway Hack Demo 189 comments
snydeq sends along InfoWorld coverage of the EFF's plans to appeal a US District Court order that kept three MIT students from presenting detailed flaws in the Massachusetts Bay Transportation Authority e-ticketing system at Defcon. And an anonymous reader points out that the MBTA, in addition to triggering the Streisand Effect, released in open court more information on vulnerabilities (PDF) than the students had any intention of presenting. See Exhibit 1 to this court filing.
[+]
Hardware: Interview With MIT Subway Hacker Zack Anderson 113 comments
longacre writes "In his most extensive interview since the DefCon controversy emerged, MIT subway hacker Zack Anderson talks with Popular Mechanics about what's wrong with the Charlie Card, what happened at DefCon, and what it's like to tango with the FBI and the MBTA. The interview comes on the heels of Tuesday's court ruling denying motions by the MBTA to issue a preliminary injunction aimed at keeping the students quiet for a further five months."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
They never signed a non disclosure contract (Score:5, Insightful)
Why would exposing the MBTA's secrets be against the law? Realistically, that's all they've done, they put together a presentation on flaws in their system, security firms do this all the time. Nice to see a judge make the right decision.
Re:They never signed a non disclosure contract (Score:4, Insightful)
Not doing anything about the problem is the most likely course of action at this point. Nice to see that a judge won't be giving out a gag order so easily on someone based on the fact that someone else is not going to do its job (or do it correctly).
Parent
Re:They never signed a non disclosure contract (Score:5, Insightful)
Parent
Working As Intended (Score:5, Funny)
Of course, this is a victory for the MBTA. They've managed to derail the conference presentation. Objective met.
We all know this will effectively bury the information. Bureaucrats understand that communication is impossible outside of face-to-face meetings. There's nothing that could possibly allow dissemination of this potentially damaging (read: embarassing) information now that the conference is over. Situation handled. Bullet dodged.
Re:Working As Intended (Score:5, Insightful)
agreed on the streisand effect.
i even heard a well written and clearly informed piece on NPR, that discussed the potential constitutional issues and the chilling effect this would have on any security research.
granted NPR doesnt have the distribution of fox or cnn, but its still more mainstream than /.
Parent
Re:Working As Intended (Score:4, Informative)
Umm, actually, NPR is heard in more places in the US and on Earth than Fox and CNN. It can also be streamed easily. NPR is also sent through transulator sites to remote parts of the US that extend the reach where no one else goes, like rural Nevada, California, and so on.
AFR and AFN also carry a lot of NPR, and news feeds also extend to the CBC, BBC, RCI, and other sites/broadcasters as well. The news is out. As it should be.
Parent
Re:Working As Intended (Score:5, Funny)
*whoosh*...
Parent
Good Call (Score:5, Insightful)
It looks like the judge made a pretty good call in this case. What he really rejected was the MTBA lawyers' assertion that it was an act prohibited by the law, and not exposing the agency's incompetence.
Really, bugs aren't fixed by just hiding them.
FTA:
MBTA said in documents filed with the court said that fixing the security flaws would take five months. ("Students have the ability to cause significant harm to the CharlieTicket system, during the roughly five-month window that remedial actions will require.")
Actually, the fact that they implemented a seriously flawed system is the problem, and the students' bringing it to light may suck for MBTA. The proper solution is for them to fix their system and, if necessary, sue the vendor for the costs.
Re:Good Call (Score:5, Interesting)
MBTA said in documents filed with the court said that fixing the security flaws would take five months.
I'd love to know how they plan on fixing it. The problem is that, rather than paying for the MIFARE cards with working encryption (3DES or AES) they went with the cheapest system which uses custom 48-bit encryption.
Short of replacing every single CharlieCard in existence, there is no fix.
What the MIT students did that went beyond cracking the MIFARE encryption was to reverse engineer what data was stored on the card.
Which means, knowing the T, that the "solution" will likely be to rearrange the data and continue using the same weak encryption, while lobbying for a new state law that makes reverse engineering illegal.
Parent
The bigger issue... (Score:5, Interesting)
The bigger issue here is how they're going to determine which Charlie cards are legit and which aren't. They can't exactly tell someone with, say, $20 on a charlie card that their money's gone.
Someone could easily get a bunch of charlie cards, put random amounts of money between, say, $20 and $25 (random so that there's no clear pattern which cards are faked and which legit) and then sell to people on the street. $5 for a charlie card with at least $20 on it.
Heck, it probably wouldn't be that hard to convince the buyers that it was legit. "Hey man, my niece was staying here last week and put too much money on this card... It's got over $20 on it, I'll give it to you for $5."
Parent
Re:Good Call (Score:5, Informative)
You were reading about the CharlieTicket, a paper card with a magnetic stripe. The data on them was found to be unencrypted and "protected" by a 6-bit checksum.
The CharlieCard, on the other hand, is a MIFARE Classic card [wikipedia.org]. It uses a shared secret key which the card and reader use to authenticate each other. This key was discovered to be 48 bits long.
Parent
Re:Good Call (Score:5, Interesting)
In this case, yes.
The vendor has been selling a flawed system, both in design and implementation. Car manufacturers can't use incompetence as an excuse when their cars explode, and the vendor can't either.
In fact, the vendor has known about the flaws for quite some time, but has not fixed them (nor disclosed them).
It sounds to me like they deserve to be sued for damages.
You're right that we evil hackers are going to find ways around it anyways, but in this case, the vendor is grossly negligent, and the MBTA is trying to blame the people who found the problem, rather than the ones that created it.
Parent
Re:Speak Anyway (Score:5, Insightful)
A judge has no vested interest in a decision going one particular direction or another. They're not paid by the case. If they find they don't have jurisdiction, they'll deny the application for the restraining order and move on to the next case.
I never said that they should be free to disregard them because they think they're unlawful, I say they should be free to disregardthem because they are unlawful. I agree that to allow someone to stand up and say "I didn't obey the order because I didn't think it was lawful" and have the appeal judge reply "oh, well, if you thought it was unlawful that's ok then" would be a nonsense. But for someone to be able to stand up and say "I didn't obey the order because it was unlawul, here's why..." and have the appeal judge reply "you're right, that was unlawful, no charge to answer" is plain common sense.
The Supreme Court addressed that issue in Walker v. City of Birmingham, holding that "in the fair administration of justice, no man can be judge in his own case, however exalted his station, however righteous his motives, and irrespective of his race, color, politics, or religion. This Court cannot hold that the petitioners were constitutionally free to ignore all the procedures of the law and carry their battle to the streets. One may sympathize with the petitioners' impatient commitment to their cause. But respect for judicial process is a small price to pay for the civilizing hand of law, which alone can give abiding meaning to constitutional freedom." In Howat v. Kansas the Court held "An injunction issued by a court of general jurisdiction and equity powers upon proper pleadings and served upon parties within the jurisdiction must be obeyed, even if erroneous and based upon an invalid statute, until set aside by orderly review."
And the law of the land, whether you agree with it or not, is that gag orders aren't automatically unconstitutional. You're always going to be able to come up with arguments as to why the injunction is invalid; it's up to the trial judge to decide how convincing those arguments are, and he or she is the one issuing the injunction. If you think you
It's a question of balancing; is it more important to promote the rule of law by requiring people to obey court orders until they're vacated, or is it more important to ensure that absolutely, positively nobody is ever imprisoned for a wrongful contempt charge. The courts pick the former, and I have to say I agree with them. You obviously believe in the latter, which is your right, and if you feel that strongly about it you should petition your representative to pass a law to fix the problem.
And though it may offend your sense of physics-like consistency, in City of Birmingham the Court implicitly recognized that where an injunction on its face is completely and transparently invalid (like your enjoined-from-breathing example), then you don't have to follow it.
I wasn't trying to argue that was in any sense a lawful order. Constitutional issues could get it overturned, but if defendant Smith is still bound to follow it until it's overturned, he's still going to prison or the morgue.
Or, far more likely, suffer a few fines. I think a Court is far more likely to find civil contempt in this case. And I'm not sure where you're getting the morgue from. But yes, in the end, it IS possible that someone may be briefly imprisoned due to the wrongful acts of an overbearing judge. Just like you may be briefly imprisoned due to the wrongful acts of an overbearing police officer. It's not a sign of a broken system unless you have no way to get out of jail. Fortunately, there are safeguards built into the system that will help you, for example habeas corpus writs. If you are enjoined from breathing, you may be
Parent
HA! (Score:5, Funny)
Yeah - real successful law that.
Bad Lawyers? (Score:5, Funny)
Lawyers for the MBTA claimed Tuesday they had proof the students had violated the law, but stopped short of specifying what they did.
Wow, I can just see these lawyers:
Lawyer: "They broke the law. We have the proof."
Judge: "What is your proof?"
Lawyer: "Um, they...uh, yeah, they just broke the law."
Should Doctors Not Talk About Medicine? (Score:5, Insightful)
You actually make a really good point; what about poison? If one were to discover a poison or pathogen that might kill a human, were it to be utilized or delivered, along with the reasons why and the possible delivery methods, no one would object to sharing that information with doctors.
Further, no one would claim that you were doing something illegal by spreading that information. Ironically, nor would anyone blame the human body for having that weakness; it wasn't planned for, developed around, whatever.
The fact of the matter is that the system is there, it's vulnerable, and we know how it's vulnerable. There is no convincing reason to try and quash that knowledge - if that is even possible. It is immaterial that it took bright people to figure it out. It is immaterial that without a fix money might be lost. What is material is recognizing things for what they are and reacting to the truth of the situation, not trying to maintain a status quo.
And that is why it's perceived that the MBTA is in error here; they're trying to live in a world where the exploit doesn't exist. But that world itself does not exist.
Parent
$5000 worth of damages? (Score:5, Insightful)
That's an interesting argument...
Does a mechanic cause $5000 worth of damage when he points out that your axle is broken and needs replacement?
Can you cause damage to a system that has intrinsic vulnerabilities?
Obviously people taking advantage of disclosed vulnerabilities should be punished under applicable laws (as with simple copyright violation) for whatever damages they caused, but I tend to agree that you can't really pin damages on the discloser.
Now some other b.s. charge about reckless endangerment or speech issues, but probably not damages.
--Robert
Win the battle but lose the war! (Score:5, Interesting)
Win the battle, lose the war
Re:They can't hold their talk now, can they? (Score:5, Insightful)
No clue. Litigation tends to be the last refuge of the incompetent.
Parent
Re:They can't hold their talk now, can they? (Score:5, Informative)
Both the magnetic stripe card and the chip card used for electronic payment of public transport fares in Boston are flawed and allow several types of attacks which result in free rides. The hack of the chip card is an implementation of an older, less exploitative hack of the Mifare classic chip which is used in many public transport systems and other prepaid applications all over the world.
Parent
Re:They can't hold their talk now, can they? (Score:5, Funny)
Your English is both clear and unmistakable. That may have been your problem. Next time, consider adding in an inane meme, such as:
"Imagine a beowulf cluster of MBTAs!"
or
"The MBTA is not a big truck. It's a series of tubes!"
Also, consider to add several speling and/or grammatical error. This will lend to the impression that you are either a caffeine-soaked systems engineer who has been sitting in front of a terminal for eighty straight hours, or a semi-literate American of the species cellarcola nerdus, both of which are held in high regard here.
Accordingly, the dialect best suited to effective communication on slashdot is lolspeak. [speaklolspeak.com]
Parent
Re:They can't hold their talk now, can they? (Score:5, Funny)
I find people saying "Can I ask you a question?" is worse.
My response is often "You just did."
And of course they immediately say "Can I ask you another question?" to which you reply "You just did."
Finally they say "Can I ask you 2 questions?"
And having already identified yourself as a jerk you say "No."
Parent
Re:good (Score:5, Informative)
Actually, if you had access to PACER, you could read the version of the presentation the students gave to the MBTA, including the secret key and a few other details that the MIT students were intending to leave out of the DEFCON presentation.
IOW, the information is already leaked, and it was the MBTA that leaked it.
I use the past tense above because I don't have access to PACER and I very much hope they got around to censoring that bit of info from the MBTA's submissions.
Parent
Re:good (Score:5, Informative)
They did not.
http://government.zdnet.com/?p=3942 [zdnet.com]
Parent
Re:Incredibly dumb (Score:5, Interesting)
Stop using the locked door analogy with computers, it doesn't work and shows a serious lack of understanding about computer systems. In short: you look like an idiot to everyone who knows better.
This security is not 'good enough' becasue it can be tried easily and repeatably many times in a night.
To use your own stupid ass analogy:
If a person could rob every house in one night, door security would need to be a hell of a lot tougher.
And if you claimed that the doors you sell where secure, then people should know when there not.
They can add a real layer of encryption on the card. You wouldn't need to replace the whole system for this.
You could go towards a cash despencer. You could go to an ATM card.
Funny thing is, this will probably turn out to be a non issue since most people won't do this, and anybody doing it for cash will get caught eventually. The few people who do it just to get themselves free rides won't amount to much.
The biggest person inconvenienced will be accountants when there books don't balance. Even then they will find an acceptable amount to chalk up to free rides and just apply it at the end of the accounting period.
"Why are we so hell-bent on breaking down society that we can't have people just use and pay for a transit system?"
We're not. What we want is to force corporation to have to take security seriously. This is a design flaw and the company the made it should be stuck with the bill to fix it.
Parent