MIT Students' Gag Order Lifted
mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days. "Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."
Re:Good Call (Score:5, Interesting)
MBTA said in documents filed with the court that fixing the security flaws would take five months.
I'd love to know how they plan on fixing it. The problem is that, rather than paying for the MIFARE cards with working encryption (3DES or AES) they went with the cheapest system which uses custom 48-bit encryption.
Short of replacing every single CharlieCard in existence, there is no fix.
What the MIT students did that went beyond cracking the MIFARE encryption was to reverse engineer what data was stored on the card.
Which means, knowing the T, that the "solution" will likely be to rearrange the data and continue using the same weak encryption, while lobbying for a new state law that makes reverse engineering illegal.
Win the battle but lose the war! (Score:5, Interesting)
Win the battle, lose the war
Re:$5000 worth of damages? (Score:3, Interesting)
Does a mechanic cause $5000 worth of damage when he points out that your axle is broken and needs replacement?
Well, how about if your car had a very bad and insecure locking and starting mechanism, and your mechanic told all your neighbours how to get in and start your car?
:/
Don't get me wrong, I think the gag order was probably stupid - I don't know the whole story...
But I do think your analogy is somewhat flawed.
Re:Good Call (Score:5, Interesting)
In this case, yes.
The vendor has been selling a flawed system, both in design and implementation. Car manufacturers can't use incompetence as an excuse when their cars explode, and the vendor can't either.
In fact, the vendor has known about the flaws for quite some time, but has not fixed them (nor disclosed them).
It sounds to me like they deserve to be sued for damages.
You're right that we evil hackers are going to find ways around it anyways, but in this case, the vendor is grossly negligent, and the MBTA is trying to blame the people who found the problem, rather than the ones that created it.
Re:Win the battle but lose the war! (Score:3, Interesting)
Except the information still got out, through several means, got more press attention than it would have received otherwise, and made them look like morons.
They lost the battle, the war, and a fair amount of blood.
The bigger issue... (Score:5, Interesting)
The bigger issue here is how they're going to determine which Charlie cards are legit and which aren't. They can't exactly tell someone with, say, $20 on a charlie card that their money's gone.
Someone could easily get a bunch of charlie cards, put random amounts of money between, say, $20 and $25 (random so that there's no clear pattern which cards are faked and which legit) and then sell to people on the street. $5 for a charlie card with at least $20 on it.
Heck, it probably wouldn't be that hard to convince the buyers that it was legit. "Hey man, my niece was staying here last week and put too much money on this card... It's got over $20 on it, I'll give it to you for $5."
Re:Bad Lawyers? (Score:2, Interesting)
It ALL depends on the context. If I tell somebody how to grow marijuana (even with the silly disclaimer), and I have the intent to help them grow marijuana, then I have committed the crime of growing marijuana under an accomplice theory (assuming that it is a crime).
Another example: If I'm standing in a crowd telling one person how to kill another person, and I intend for the killing to happen, and if the killing does in fact happen, then I committed murder under an accomplice theory. Mob bosses have considerable trouble with this kind of theory all the time. Saying "I told him HOW to kill the victim" instead of "I told him to kill the victim." will NOT shield the speaker if the speaker had the intent to cause the victim to be killed. The speaker is still an accomplice.
So, if I'm standing outside the MBTA and I'm handing out "Here's How to Cheat the MBTA and Get A Free Ride" information and I have the intent to help people cheat the MBTA, then I will be committing the crime of theft (or larceny, and who knows what else) if somebody does actually use my information to steal a free ride.
You ask "how can intent be proven?" The answer is simple: A jury of your peers gets to decide, based on the evidence presented. Intent + Assistance + Commission of the Crime by Another is enough to prove a crime under the law of most states.
The Constitution is the final level of defense for the three students, but that's too much to write about here. Think about the "Hitman" book and the court battles it spawned.
Section 1983 can provide recourse (Score:3, Interesting)
They could counter-claim if the MBTA keeps up its suit or file on their own if it is dismissed.
Sure, it is just cash damages (including attorneys' fees), but it is recourse.
Re:Incredibly dumb (Score:5, Interesting)
Stop using the locked door analogy with computers, it doesn't work and shows a serious lack of understanding about computer systems. In short: you look like an idiot to everyone who knows better.
This security is not 'good enough' because it can be tried easily and repeatably many times in a night.
To use your own stupid ass analogy:
If a person could rob every house in one night, door security would need to be a hell of a lot tougher.
And if you claimed that the doors you sell were secure, then people should know when they're not.
They can add a real layer of encryption on the card. You wouldn't need to replace the whole system for this.
You could go towards a cash dispenser. You could go to an ATM card.
Funny thing is, this will probably turn out to be a non issue since most people won't do this, and anybody doing it for cash will get caught eventually. The few people who do it just to get themselves free rides won't amount to much.
The people most inconvenienced will be accountants when their books don't balance. Even then they will find an acceptable amount to chalk up to free rides and just apply it at the end of the accounting period.
"Why are we so hell-bent on breaking down society that we can't have people just use and pay for a transit system?"
We're not. What we want is to force corporations to take security seriously. This is a design flaw and the company that made it should be stuck with the bill to fix it.
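The "real layer of encryption on the card" this comment proposes, and the earlier point that rearranging the stored data under the same weak cipher is no fix, as an added illustration in Python (not MBTA, NXP or any commenter's code; the record layout, the reader key and the card values are all constructed for the example):

```python
import hashlib
import hmac
import struct

# Constructed record layout (assumed, not the CharlieCard's real one):
# 4-byte card UID | 4-byte balance in cents | 4-byte transaction counter |
# 16-byte HMAC-SHA256 tag over the first 12 bytes. The tag depends on a key
# the readers hold and the card never stores, so its strength does not rest
# on the card's own 48-bit cipher.
READER_KEY = b"constructed-example-key-not-a-real-key"   # assumed

def make_record(uid: bytes, balance_cents: int, counter: int) -> bytes:
    """Only readers write records; they bump the counter on every write."""
    body = uid + struct.pack(">II", balance_cents, counter)
    tag = hmac.new(READER_KEY, body, hashlib.sha256).digest()[:16]
    return body + tag

class Reader:
    """Verifies the tag and remembers the highest counter seen per UID, so an
    older, correctly tagged record written back after a ride is rejected too."""

    def __init__(self) -> None:
        self.last_counter = {}

    def check(self, record: bytes) -> str:
        if len(record) != 28:
            return "reject: malformed"
        body, tag = record[:12], record[12:]
        expected = hmac.new(READER_KEY, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"      # any edit to UID, balance or counter
        uid = body[:4]
        balance, counter = struct.unpack(">II", body[4:])
        if counter < self.last_counter.get(uid, 0):
            return "reject: rolled-back record"
        self.last_counter[uid] = counter
        return f"accept: {balance} cents"

def demo() -> dict:
    uid = b"\x01\x02\x03\x04"                     # constructed UID
    reader = Reader()
    genuine = make_record(uid, 2000, counter=7)
    # Changing the balance field without the key invalidates the tag,
    # whichever order the fields are stored in; layout shuffling adds nothing.
    edited = genuine[:4] + struct.pack(">I", 9999) + genuine[8:]
    results = {"genuine": reader.check(genuine), "edited": reader.check(edited)}
    results["after_ride"] = reader.check(make_record(uid, 1800, counter=8))
    results["rolled_back"] = reader.check(genuine)   # old record, counter 7
    return results
```

A whole-card copy carrying the same UID and a valid record still passes this check; that case is only caught by a back-end ledger that notices one UID spending in two places.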
Surely it's the same as truth in libel cases? (Score:1, Interesting)
In suits for libel, public expression of the truth is a universal defence.
Why is it not so in this case as well? The students publicized a weakness, but it was the plain truth.
The fact that the plaintiff suffers from a public expression of the truth is the plaintiff's problem, not anyone else's. If they suffer financial losses from this then it's only because they were earning profits under a flawed business plan before, namely the use of cheap and cheerful (lousy) encryption.
They deserve the losses, and presumably will pass them on to their supplier by suing them in turn. This is how the system *SHOULD* work (in the disastrous lawyer-ridden US), otherwise crap companies are profiteering by supplying faulty goods.
The students were acting entirely in the public interest.