Massachusetts Sues to Halt Defcon Subway Hacking Talk
According to CNET, "The state of Massachusetts has asked a federal judge for a temporary restraining order preventing three MIT students from giving a presentation on Sunday about hacking smartcards used in the Boston subway system." It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas. Update: 08/09 20:57 GMT by T : "Too late," says reader Bluey: "Injunction was already granted."
Rather than make sure they have a techie in attendance so that they may learn something and find a workaround to the issue, Boston's lawyers suggested that burying your head in the sand (or, alternatively, in the piles of garbage and crap in Boston) will solve the issue just as well. "As long as we don't let them say it publicly, it does not exist," one Boston official explained the position.
This is why I love government bureaucrats. They tend to be smarter then the average bear.
-- All this knowledge is giving me a raging brainer.
Who needs free speech anyway?
"Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
constitutes a threat to public health or safety
How? Are people going to try and mug you with a CharlieTicket now that they might potentially be useless?
Prior restraint, anyone?
Tag: censorship
On the other hand, the source code to the utilities -- not included on the CD -- was removed from web.mit.edu/zacka/www/subway/ by Saturday morning.
Anyone able to mirror this before it was taken down?
temporary restraining order != permanent injunction
And as TFA has already pointed out, the PowerPoint presentation is already out in the open.
[Fuck Beta]
o0t!
Soviets would have just hauled your ass off to Siberia. Get a grip.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Barbra Streisand seen fleeing the scene.
The article mentions that the authorities met with the students and Ron Rivest (i.e. the "R" in the RSA cryptosystem).
It would be interesting to see what his involvement with this project is.
http://www.tc.umn.edu/~hause011/article/Bus_ride8.html
Expensive, does not work, only needs your work info, bank info, home info, photo and tracks your travels when it does work. Just chip the riders like dogs and tattoo a bar code across their foreheads.
The only thing worse than being sued is not being sued.
It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas.
Injunction was already granted. Insert Soviet joke here.
Ummm.... the presentation is on the DEFCON disk...FAIL!!!
Is MBTA actually going to get the card system provider to fix the problem? Because from what I've seen, you'll have a hard time even getting the department and the contractor to admit that the problem exists. And even if they do admit it, is the solution going to be any more than "it's unlikely people will exploit this"?
That sort of attitude seems to be how Maryland feels about its AccuVote TS voting machines. Three independent reviews have all revealed flaws with them, but we're still using them, despite the fact that those flaws essentially mean that the contractor has violated its agreement with the State.
Furthermore, I doubt much criminal activity is going to result from releasing the information. Only a few people are going to have the time and patience to actually follow the exploit through, and if the system is well-designed (though apparently it may not be), modifying card data shouldn't be able to damage or disrupt the system.
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
These guys are literally restricting free speech, as in "don't say that out loud." This will work as a way better example of US censorship than my usual 2600 DECSS example. Thanks MA for the forthcoming karma in other censorship articles.
Just do it the way that they tried to do it in regards to the recent DNS exploits. Tell the affected organization (Boston subway system authority) that there is a problem and you are willing to work with them to fix it. If they refuse, just leave them the information and say they have x number of days to fix it, and if they refuse to do anything, you are going to the press, which technically is true since journalists are allowed in limited numbers at Defcon as far as I know. That way you give them the courtesy of warning them in advance, but you don't have to completely shut up about it or let the problem lie unfixed. As a white hat, this guy has a moral obligation to help get problems fixed before the black hats find out.
Let's post a copy of the PowerPoint slides in as many places as possible. If it works for Barb and the MPAA it'll work for the Great State of Mass!
The emperor has no clothes, the emperor has no clothes, the ...
Oh, I'm just shocked I tell you - shocked!
Do you mean that governmental authority has employed security to protect their revenue streams - us?
Yes. I'm shocked. It's only happened so many times before...
It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas.
Having suffered under their government (Massachusetts', that is), this is a predictable reaction. I defected from there years ago.
I see two major problems with the application for the order. The first is that it claims that disclosure of how to hack the cards constitutes a danger to the public. How so? All these cards are good for is paying the fare. Hacking them allows people to ride the subway for free. That's petty larceny, not a danger to the public.
The second is that the application asked the court to forbid:
There's no conceivable justification for that. Even if there is justification for forbidding disclosure of the details of the hack, stating that there is a problem is certainly constitutionally protected. (It is possible that the court did not include such language in the TRO; this is what Massachusetts asked for, but possibly not what they got. Anybody got a link to the actual TRO?).
How can you expect him to remember that Boston banned viewing of ATHF so no one from Boston would get that joke?
What I want to know is why Massachusetts is complaining about and interfering with a conference happening in my hometown, Las Vegas.
Its = possessive. It's = "it is"
"abridging the freedom of speech, or of the press;"
-US Constitution
Libertas in infinitum
Isn't this the city that upped their threat level due to an Aqua Teen Hunger Force marketing campaign? If so, this news isn't at all surprising.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
http://www.boston.com/news/globe/ideas/brainiac/2007/01/attack_of_the_m.html
This should answer your confusion.
What's the value of information that you don't know?
Note that the presentation is online at MIT's newspaper: http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
See them yourself at: http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
Its one more strike against the first amendment and another step down the path of the government deciding what you are allowed to know.
---- Booth was a patriot ----
Fuck this.
They need to give their presentation regardless.
It's clearly a first amendment issue, and when people allow things like threats from the authorities or bullshit unconstitutional court injunctions to stop them from what they want to tell the masses it only serves to justify the actions of those who would try to stop people from expressing important matters.
From what I can tell this isn't about public safety at all, it's more about money. If it were about public safety, they would take it seriously and work with these guys to resolve the issues.
On top of that, when these sorts of uses for RFID were being planned and discussed years ago (things like this and passports, etc) many, many people warned that this would occur...
Someone needs to take that CD and quickly get the contents onto usenet. It's already in the public record anyway - once the cat is out of the bag it's out of the bag.
Thanks, Judge! I'd have never known it existed had you not tried to censor it.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
Does someone have a copy of the utilities and source code that was posted on their website? Please post it.
http://web.mit.edu/zacka/www/subway has been removed.
WOW, preemptive limitation of free speech is almost unheard of. Usually asking a judge to stop someone from talking before the fact is met with ridicule by the judge.
If I tell you how to hack the DC transit system right here in this post, will DC issue an injunction to have slashdot remove the post? Let's find out!
In the DC system, you have to scan your card to get into and out of every station. Rather than having standard boarding fares like NY, it actually takes into account where you scanned in and where you scanned out and then deducts the appropriate amount for the fare between those two points at the time you scan out.
But say you leave the same station you entered. Maybe you missed your train and decided to take a cab, or forgot something, or got a call and changed your plans, or just want to rip off the DC transit system. Whatever. You always have to scan a card to get out, and if you scan the same card, it doesn't let you out for free, but charges you a minor fee. I think it was $0.25.
So, say you have a standard commute to work and back every day on the DC transit system:
Go into your point of departure and buy two cards, one with the appropriate fare to your destination. Swipe both of them in.
Ride to your point of departure. Swipe the exact fare card out and throw it away.
Go about your business at your destination. When you return:
Buy a new card and swipe it in.
Ride to your point of origin and Swipe OUT the card you only swiped IN at the same point earlier. You just rode there for $0.25.
The next day, swipe that same card in at the same station. Ride to your point of departure, and swipe out with the card you bought at that point yesterday. Another $0.25 trip.
Always continue to scan in and out at the same station using the same card. Every trip between those stations will be $0.25.
There is no expiration on how much time may pass between swiping in and out of the same station for the minimum fee. There is nothing set up to catch that one card is swiped in and out of the same station every day about 9 hours apart, while another card is swiped in and out of another station about 15 hours apart. At least, not unless they've fixed it in the past few years.
Obviously, buy the cards you use for this with cash, not a credit card.
If you really want to be a cheapskate, quadruple your money also. Then all repeat rides in the system will be priced at approximately $0.07 each.
If this story should make it to local news outlets around here it will be pretty simple for the MBTA to spin this and gain the support of Boston residents. Do a piece of "investigative journalism" that discovers how MIT students are conspiring to hack the CharlieCard system, and that by doing so these filthy nerds are going to end up RAISING YOUR TAXES due to lost revenue. That should wrap things up nicely - bonus points if a way can be found to fit in how the hack might HURT YOUR KIDS. The news story must also include some stock footage of sinister looking students "hacking" on computers, and a threatening graphic of a computer at MIT shooting out "RFID BEAMS" causing a Green Line train to simultaneously detonate and plunge off the Charles River Dam Bridge.
The Tech (MIT's student newspaper) is currently hosting a copy of the presentation slides (PDF).
. . . lawyers wind up supporting them.
In capitalist America company sell you.
IANAL, but slide 5 of the presentation says "AND THIS IS VERY ILLEGAL". Maybe they are getting their rocks off, testing and exposing security weaknesses - whatever. Public good, harming society, doesn't matter. If we follow free speech and assembly, the talk should not have been stopped, for ANY reason. Whenever and wherever we go down the road of "illegal information", tyranny is sure to follow.
It would seem that a much better approach would have been to allow the speech to continue, but indict and serve the people (beforehand) who did illegal behavior ASAP, then use the speech to apprehend and prosecute those who did the illegal acts.
The state should warn them beforehand: "you will be prosecuted" for your illegal behavior X, Y and Z (and BE SPECIFIC), and then at trial, public admissions make the situation worse. Gee, maybe law enforcement needs to get current, at least come into the 1990s.
This is the same discussion going on all around while the world ramps up the global communication streams: demonizing the information or talking about it after the illegal acts, instead of what works: calmly and very publicly bringing those who engage in criminal behavior to justice.
Smarter than the average bear NOT smarter then the average bear!
I have to wonder who in their right mind would be represented by the EFF these days. Their track record is like wearing a sign on your back that says "please laugh me out of court."
Interested in open source engine management for your Subaru?
Man this sounds really familiar.
"Shouldn't the card just have an ID, and that ID is tied to an account, which is tied to a person."
The trouble with this approach is that you have to build highly redundant and available communications and infrastructure where none exists now, pushing up the cost of an implementation tremendously.
Almost all subway systems (metro, light rail, whatever you want to call them) evolved out of a system that relied on something you "owned" to prove that you were able to travel. A token, a ticket on special stock, something that you could show to a human and he would be reasonably sure that you had paid your money to travel. A token has the disadvantage of not allowing different fares based on distance traveled, but if done correctly, they're not easily counterfeited. It's an exercise for the reader to talk about the different methods of storing travel value and why you might choose one over the other.
The style a few years ago (DC and SF for example) was to print a mag stripe card that kept a value and an origin point of entry. This got around the previous problems, but it introduced the problem of having to scan each card (and rewrite the stripe) on the way in and out. Less than ideal for anyone exiting the subway at a busy stop.
Notice what all these methods have in common: They do *not* rely on a central authority to prove the value of something the user owns. The token itself is the value.
Enter the "modern" age when people want smart cards, e-ticketing, paperless ticketing to use travel. They all rely on a central authority being consulted as to the value of a token. This is all good, all correct, and makes sense from an information architecture perspective, but it ignores two significant disadvantages of these systems:
1) They require significant expenditure in a real-time communications infrastructure. Now before you go off screaming about "build it in wi-fi! That's cheap" I want you to hold that thought overnight and consider why that wouldn't work. I'll get you started -- Remember, you have to have an infrastructure that has 6-nines of reliability, regardless of external factors. You don't want some kid with a radio jammer sitting outside of a major station shutting down every kiosk or entry/exit point. Oh, and if a backhoe takes out the fiber on one side of the station, you've still got to keep going. Now project that cost out over something the size of Boston. I predict you could be looking at a cost that would be in the high-eight to low-nine figures to build that infrastructure out. And then you have the continuing operating cost of that network which would be significant.
2) Similarly, it now requires a high-availability transactional system that must be able to review everyone's smart card when they enter and exit the station. You'd be looking at building a system out that looked something like Visa's infrastructure to approve credit card transactions. If you've never built such a system (and I assure you this is non-trivial), it would cost in the low-eight-figure range to build and test.
And after you spent the good money of the citizens of Boston, you don't get something appreciably better than what you have there. In fact, I'm guessing the people who run the subway in Boston did a calculation that showed fraud losses would be cheaper than building that infrastructure. And so they went with something less secure, but something that could be delivered within budget.
I'll leave you with this thought. Building small information systems that don't interact in real time with the world is easy. A 1st year information science student could do that. Building a transactional/smart card system with almost military service levels requires money, time and significant experience.
All that said, I'm not supporting what the good people in Massachusetts are doing; if there's a flaw, find out and fix it. But in the end, information really *does* want to be free.
(and yes, I do design and build these types of systems)
Can't the students just go outside the jurisdiction of U.S. law? I mean, an American gag order isn't legal in another country. It would be cool to have them give their presentation without fear of punishment in the faces of the MBTA, with the MBTA completely helpless to do anything back.
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
Because regardless of whether these guys are allowed to point it out to the general public, the transit system "is not wearing any pants." If you stop them from pointing that out, it does not magically get pants, but *does* decrease the probability that the MBTA will feel any public pressure to buy it some damn pants.
Isn't this prima facie unconstitutional?
Denny Crane.
The post above yours goes into detail on the issues related to central authorization/authentication of cards. That post only addresses the infrastructure issues; the software issues to implement that system would be significant as well.
But you've touched on the key point... most infrastructure today in the U.S. is running on empty precisely because in an effort to soothe voters, we spend money on a lot of political hotbutton issues (I won't list them, but it is related to illegals, aging U.S. population, etc.) and we've neglected our infrastructure for so long that we are unable to upgrade at a time when our infrastructure (particularly our transportation infrastructure) is woefully inadequate.
I predict this will become the significant issue for Americans over the next 4-8 years, regardless of whether it's McCain or Obama. The forces at work are the same.
"constitutes a threat to public health or safety." = Fail. First amendment, and they aren't inciting a riot.
Reverse engineering + DMCA = WIN.
Wonder if lawmakers are even aware of the laws they pass. Fortunately, the prosecution chose to fail outright.
Haven't seen any discussion of the actual presentation. For the actual SmartCard (rather than just the mag stripe paper ticket), it wasn't clear to me if they ever actually managed to break the key. They noted that it was a short key. Then they showed how they would build a key cracker using an FPGA. Then they wrote some code to reprogram the card once they had the key.
But did they ever manage to use all of these successfully (meaning, did they ever actually break a key with their FPGA or is it just an FPGA that theoretically could break a key?). And if so, how long did it take? And is that key specific to the card?
Maybe they did, it was PowerPoint so there is some vagueness compared to a paper or something. The real question is how much effort is involved in forging a single card? This attack could be relatively harmless or utterly devastating based on that factor.
Early ATM machines worked on the end-of-day batch system. It didn't matter too much since most banks ran their own ATMs and there weren't that many per branch. You could theoretically start the day with a $100 bank balance then withdraw $100 from each ATM and not be caught until the end of the day, by which time you'd be in Mexico.
End-of-day reconciliation with just an account-identifier is very doable and low-risk with small-account things like transit cards. Every day, every bus or train's money computer has a list of valid transit cards with their amounts, plus a list of transit cards that could be issued that day.
Fraud would be possible if the amount remaining on a transit card was less than the cost of an all-day pass or if someone could buy a transit card with less than an all-day pass on it. In this case, taking a photograph of the person, requiring a thumb-print, or requiring an ID for anyone with a low balance who doesn't hand the driver cash should deter most people from fraud.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
If the card stores the card's unique ID, the current balance, a unique, time-coded transaction number for the last update, and a digital signature, and every morning the smart-card readers get an updated list of all valid smart-cards and the timestamps of their last transactions, this trick would only work for the rest of the day.
As you used your smart-card, it would get updated, and tomorrow if you "backdated" it to Friday evening's total, then it would no longer match the "last used 3PM August 9" stamp and would be flagged as a possible clone.
In practical terms, the card-readers wouldn't even need to keep a list of all cards. Keeping only those used anywhere in the system in the last month would let clones or re-dated cards slip by, but only if they had not been used in a month. 12 days a year of free transit rides is an acceptable loss. If it's not, then keep two months' worth of data, or a year, or whatever.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
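The rollback check described in the comment above, worked through as an added example (not the commenter's code): an HMAC over the card fields stands in for the "digital signature", the issuer key is a constructed demo value, the morning list maps card ID to the highest transaction number and timestamp the back end has seen, and the verdict strings are my own assumptions.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass, replace

# Constructed demo key; a real deployment keeps this in an HSM or in a
# secure access module inside each reader, never in the card.
ISSUER_KEY = b"constructed-demo-issuer-key"


@dataclass(frozen=True)
class CardState:
    """What the card stores: ID, balance, a monotonically increasing
    transaction number, timestamp of the last write, and a signature
    (here an HMAC-SHA256) over the first four fields."""
    card_id: str
    balance_cents: int
    txn_no: int
    last_used: str   # ISO-8601 timestamp written by the reader
    sig: str = ""


def _payload(state: CardState) -> bytes:
    return json.dumps(
        [state.card_id, state.balance_cents, state.txn_no, state.last_used]
    ).encode()


def sign(state: CardState, key: bytes = ISSUER_KEY) -> CardState:
    """Return a copy of the state carrying a valid signature."""
    mac = hmac.new(key, _payload(state), hashlib.sha256).hexdigest()
    return replace(state, sig=mac)


def signature_ok(state: CardState, key: bytes = ISSUER_KEY) -> bool:
    expected = hmac.new(key, _payload(state), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, state.sig)


def deduct_fare(state: CardState, fare_cents: int, now: str,
                key: bytes = ISSUER_KEY) -> CardState:
    """A reader recording a ride: bump txn_no, stamp the time, re-sign."""
    if state.balance_cents < fare_cents:
        raise ValueError("insufficient balance")
    return sign(replace(state, balance_cents=state.balance_cents - fare_cents,
                        txn_no=state.txn_no + 1, last_used=now), key)


def check_card(state: CardState, daily_list: dict,
               key: bytes = ISSUER_KEY) -> str:
    """Offline reader check against the morning list of
    card_id -> (last txn_no, last_used) pushed out by the back end."""
    if not signature_ok(state, key):
        return "reject: bad signature"      # fields edited without the key
    known = daily_list.get(state.card_id)
    if known is None:
        # Not seen inside the retention window: accepted, the loss the
        # comment calls tolerable.
        return "accept: not on list"
    list_txn, list_time = known
    if state.txn_no < list_txn or state.last_used < list_time:
        return "reject: rolled back"        # a valid older snapshot replayed
    return "accept"


def build_daily_list(seen_states) -> dict:
    """Back end: for each card keep the highest txn_no seen that day."""
    out = {}
    for s in seen_states:
        cur = out.get(s.card_id)
        if cur is None or s.txn_no > cur[0]:
            out[s.card_id] = (s.txn_no, s.last_used)
    return out


def demo() -> dict:
    """Constructed scenario: a Friday-evening snapshot replayed after two
    Saturday rides have been recorded and distributed to the readers."""
    friday = sign(CardState("C-1001", 2000, 7, "2008-08-08T18:30"))
    ride1 = deduct_fare(friday, 170, "2008-08-09T09:05")
    ride2 = deduct_fare(ride1, 170, "2008-08-09T15:00")
    morning_list = build_daily_list([ride1, ride2])
    forged = replace(friday, balance_cents=99999)   # old sig no longer matches
    unlisted = sign(CardState("C-2002", 500, 1, "2008-07-01T08:00"))
    return {
        "genuine": check_card(ride2, morning_list),
        "replayed_friday": check_card(friday, morning_list),
        "edited_balance": check_card(forged, morning_list),
        "unlisted": check_card(unlisted, morning_list),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} -> {verdict}")
```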
Here is the presentation:
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
Mirrors:
http://www.evernote.com/pub/ssulistyo/InfoSecStuff#07ff6ce9-1aa9-45e9-8bd2-10ce0805e534
https://dl.getdropbox.com/u/77164/anatomy%20of%20a%20subway%20hack.pdf
Also, a vulnerability assessment report:
http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf
So what I want to know is why is the government so inefficient that it can't provide public transportation services out of the tax revenue it collects and needs to resort to collecting fares?
Virtually all cities have fare-collecting public transport systems because that's the only way taxpayers are willing to pay for them.
Almost inevitably if you tried to switch to fully tax-funded transportation, you'd encounter a lot of resistance from people who didn't feel like they were getting a good deal. I.e., they pay taxes but don't use the system, or the system doesn't run near where they live, or they use it less than average but pay more taxes than average, or any number of other reasons. Alienate large sections of the voting public like that, and you'll be wiped out in the very next election. Not a good recipe for success if you're trying to pull off a large-scale, long-term infrastructure development project.
As a compromise, most public transportation systems have some funding coming from taxes (generally based on the argument that the presence of the transportation system increases property values and thus justifies the tax), and some directly from the users of the system via fares.
Also, because historically many public transportation systems were private enterprises attempting to turn a profit from fare collection, people have come to expect fares when they step onto a bus or train. It wouldn't make much sense to eliminate that source of funding -- which people seem mostly okay with -- in favor of raising taxes, which people tend to really hate and frequently oppose vigorously.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
SF's BART system has a workaround for this technique.
If you exit and leave the same station, it charges you an "Excursion Fare", which is $4.65.
It's about 50% of the maximum one way fare you can incur.
You do realize that the 14th Amendment was not actually properly ratified, right?
If it ever faced serious historical, legal, judicial, and most importantly Constitutional scrutiny, it would be null and void. That's very scary considering "due process" is derived from it.
Libertas in infinitum
Only one problem. The slides are already on the DEFCON CD (distributed to only around 5000 of their colleagues), and the filing (which is public record) includes a copy of the presentation, and (what was not going to be presented at DEFCON) the related reference paper that tells more of the details of how to subvert the system.
http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf
Since CharlieCard *is* a MIFARE Classic, everything you have seen relating to the Oyster card hack or any other MIFARE hack is valid. So it does not matter that the talk is blocked - y'all already know how the CharlieCard can be hacked.
Let me get this right: there has been an injunction barring these people from talking, but not from publishing?
Duh, talk about drawing attention to a problem..
Insert
(1) State that you plan to completely fuck over the financial well-being of a business, individual, or government organization through theft, and encourage others to do so.
(2) Find yourself in legal trouble.
Conclusion: you must be in Soviet Russia.
If you want to have a copy of this presentation, the link below is one of the places you can download it:
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
...because both the students and the transit system are under the jurisdiction of Mass. law. The conference isn't a party to the legal action.
Speaking as someone who has hacked the DC SmarTrip system, you cannot leave the same station you entered without paying a minimum fare of either 1.35 or 1.95 (reduced fare or rush hour fare). This is still cheaper than riding from, say, New Carrollton to Silver Spring, which is 2.35 off peak and 4.40 during rush hour.
Now, the students' confidential, detailed Vulnerability Assessment Report to the MBTA is out in public, thanks to the wise guys submitting it to the court (as "Exhibit A").
Apart from the fact that the MBTA would have normally paid five figures to receive such a report from some risk-management firm, it also lists a few of the glaring shortcomings of the system.
Who in his right mind would store the (money-equivalent) value of a card on the card itself?
Even my university back in the 90s was smart enough not to do that for such a simple thing as a cafeteria-card (the card had a number on it - all data was stored on a PC in the backroom).
Hello, McFly - anybody at home?
It's no longer 1972, where you needed 30k of equipment to read and write data from a smart-card or swipe-card.
It's 21st century now. Fraudsters have made a business over stuff with much less profit than in this case.
And trying to keep the information about all this stuff secret has helped spread the news about the talk all over the web.
What a great achievement.
Windows 2000 - from the guys who brought us edlin
That isn't a great workaround. You could use nearby stations instead and save some money. Japan had this happen decades ago, so they actually log the time in and out and if it is too high (maybe a bit more than the time it takes to go from one end to the other, which on some lines isn't very great), then it won't let you out of the wicket. Then you have to have the person at the gate let you out unless they think you are defrauding them. This definitely stops someone from doing it on their daily commute.
Funny, but that's also the only damages the RIAA members face from filesharing, yet they treat it as a national emergency demanding new laws, treaties, and 30,000+ lawsuits demanding damages far in excess of any actual losses. Overhype isn't limited to the MTA alone.
And, btw, this judge should be impeached for such a gross error of judgment in issuing this order. Hate to think of him deciding other cases given his obvious lack of understanding of the basics of the Constitution.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I agree somewhat; it may be that he has people telling him that "this will enable people to conduct a terror attack" or some other stuff and buys into this post-9/11 PATRIOT Act bullshit "everything is different now, even how we interpret the constitution" line of thinking. What's even more clear is that he doesn't seem to understand how technology and digital data work, the data was (and still is) on MIT's website - I am sure his injunction probably didn't cover that, and if it did, kudos to MIT: http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
So the contractors did shoddy work, supplied substandard materials, and it's the government's fault? Face it: any time there's a chance to cheap out on materials & workmanship, contractors will take it every single time to boost their profits.
It doesn't mean much now, it's built for the future.
I don't see anyone asking the obvious question:
How much does it cost to secure and collect transit fares, and how much are those fares? Has anyone seen definitive studies on this topic? If it turns out that the cost of administering fare collection is comparable to the fares collected, this leads to a corollary:
Why not simply make all ridership of public transit systems free? Then all the money spent to administer, collect, and verify the riders' payments could go directly to keeping the buses and trains running. I've seen some studies on this topic which suggest that the administration cost is comparable to the money collected from fares, but have no citations handy.
All transportation systems are government subsidized. The most subsidized transport system in history is the US road network. Public transit receives only a tiny fraction of the US roads budget. Fares typically only cover a small (but important) fraction of the cost of operating a public transit system.
If we were to open up what public transit systems we have, to everyone, for free, it would only improve the service. We already do this for automobile routes ... there's no use-fee for most roads! Let's provide the same level of service for public transit.
IMHO, the most effective way to do this would be to take the money from our (doomed to failure as a result of peak oil) automobile-based transportation system and re-allocate this money for public transit. This would have multiple positive effects: increased service and ridership of public transit; reduced road use (will happen anyway, voluntarily or not); less oil use; reduced emissions and pollution. What are the downsides of this approach?
I miss their tea parties.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
The thing is, there doesn't seem to be enough time for the MBTA to correct this problem (or if they have the money to). So they have to try to find a way to discourage it.
Free speech is not always a matter of being able to say whatever you want whenever you want. Sometimes you might have to wait to say things. For example, recently the OSS operatives list came out. These people were forbidden to say anything about their involvement with the OSS for 60+ years.
In this case, if the students really mean well, they should let them fix the problem or at least get started on it before they present their information.