Slashdot Mirror


On Consequences Of Releasing Semi-Private Information...

bstream asks: "I have successfully decoded the format for the mag cards used by my local city bus system for passes, transfers, etc. I would like to release this information (post it on my Web site and send a story to 2600) but I know it will harm sales for the already financially unstable bus system. What I've done doesn't reveal any flaws in the encoding scheme, just how it is put together. So is it still okay to release this information even though it can financially hurt something that a large number of people rely on daily (me included)?" Tough question. What would you do in this situation? Would sitting on the info be the right thing to do or should all information be free?

5 comments

  1. Weigh the issues. by Alik · · Score: 5

    How much will publishing this information really harm the bus company? Most people don't have the equipment to encode a new mag card. I suppose large-scale criminal operations might, but is there really profit in this for them? Bus passes, AFAIK, are cheap enough that there's not much room to undercut the market --- not enough reward/risk ratio for the people who'd have to sell the forgeries.

    You could always ask the company itself, although they'll probably say no and immediately start looking for a way to sue you. That may mean you don't want to publish it, since now your reward/risk is diminishing. (You're also likely to be sued by the company that makes the encoder/reader system.)

    There's also the question of what good exactly is done by publishing this. Who will be helped? The encoding method may well be patented, in which case nobody else could use it for a commercial product. (On the other hand, it may simply be kept as a nice trade secret.) Is there any amazing piece of art here which people designing magcard systems need to know? If so, why not just publish that part?

    From the tone of your question, it sounds like the main reason you want to publish is to show people how clever you are. (I must admit that this is something I probably couldn't do.) Well, now all of Slashdot knows that you did it. Will actually releasing the spec give you that much more fame?

    Basically, unless you can see some important thing that needs the data, why run risks by publishing? You can just state on your home page that you know the system, and can provide details on request. That'll make the data available to future developers without putting you at immediate risk.

  2. Good Detective Work! by InitZero · · Score: 3

    What you've just done is an excellent learning experiment. You're a better person for having done it.

    That said, I'd bet you a buck that the specification is already available if you ask the right people.

    I deal with country government on a regular basis. Everything they buy or develop is spec'ed out in painful detail. If any public money is flowing into the bus system, you could probably have called them and requested the specs.

    Some states are more open than others, however, so I can't tell you how easy it might have been. In Florida, where I function as a human being, I could file an FOIA and get the color of the mayor's underwear.

    If you want to publish the data, go for it. But you better be ready to have someone say 'dude, like, that is *so* old news'.

    The king has no clothes. Long live the king!

    InitZero

  3. Why release it? by Kefaa · · Score: 1

    I tend to agree with an earlier post that this information is probably listed in painful detail somewhere; however, there is a bigger point you are making that is of great value.

    If the only real function served by listing information may cause harm, should we anyway?

    A credit card number, by itself, cannot cause a problem. Providing it on your website would not be a crime but it may cause a financial burden for the person who owns it.

    It would be of value to compare the scheme to determine security flaws, etc. that could then be acted upon. However, that is not the intent here.

    Consider your willingness to respond with your credit card number, billing address and expiration date. We do not because that is not related to whether "XYZ" is the best method to use to validate the card.

    However, an RFC on a new security method, card reader design, etc. is well worth posting. As is an observation that the current readers have flaws. It is a fine line in some places, but I would hope the general rule falls to "do no harm".

  4. Way to go! by TheNecromancer · · Score: 1

    Alright, now all you need to do is build a city bus to use the mag card with, and you're in business! :)

    --
    Attention all planets of the Solar Federation! We have assumed control! - Neil Peart

  5. Reverse engineering Good! by IO+ERROR · · Score: 2

    Go ahead and publish. It doesn't look like you're going to hurt the bus system; it would cost more to buy a year's worth of passes (for most people) than to try to put together an encoder to forge them. Besides, it might just provoke them into securing the system.

    Looks like you're getting plenty of practice in reverse engineering. This is good. I have a feeling we will need people like you in the very near future...

    --
    How am I supposed to fit a pithy, relevant quote into 120 characters?