Massachusetts Sues to Halt Defcon Subway Hacking Talk
According to CNET, "The state of Massachusetts has asked a federal judge for a temporary restraining order preventing three MIT students from giving a presentation on Sunday about hacking smartcards used in the Boston subway system." It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas. Update: 08/09 20:57 GMT by T: "Too late," says reader Bluey: "Injunction was already granted."
Rather than make sure they have a techie in attendance so that they may learn something and find a workaround for the issue, Boston's lawyers suggested that burying your head in the sand (or, alternatively, in the piles of garbage and crap in Boston) will solve the issue just as well. "As long as we don't let them say it publicly, it does not exist," one Boston official explained the position.
This is why I love government bureaucrats. They tend to be smarter than the average bear.
-- All this knowledge is giving me a raging brainer.
Who needs free speech anyway?
"Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
constitutes a threat to public health or safety
How? Are people going to try and mug you with a CharlieTicket now that they might potentially be useless?
Prior restraint, anyone?
Tag: censorship
On the other hand, the source code to the utilities -- not included on the CD -- was removed from web.mit.edu/zacka/www/subway/ by Saturday morning.
Anyone able to mirror this before it was taken down?
temporary restraining order != permanent injunction
And as TFA has already pointed out, the power point presentation is already out in the open
[Fuck Beta]
o0t!
Soviets would have just hauled your ass off to Siberia. Get a grip.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Barbra Streisand seen fleeing the scene.
The article mentions that the authorities met with the students and Ron Rivest (i.e. the "R" in the RSA crypto system).
It would be interesting to see what his involvement with this project is.
http://www.tc.umn.edu/~hause011/article/Bus_ride8.html
Expensive, does not work, only needs your work info, bank info, home info, photo and tracks your travels when it does work. Just chip the riders like dogs and tattoo a bar code across their foreheads.
The only thing worse than being sued is not being sued.
It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas.
Injunction was already granted. Insert Soviet joke here.
Is MBTA actually going to get the card system provider to fix the problem? Because from what I've seen, you'll have a hard time even getting the department and the contractor to admit that the problem exists. And even if they do admit it, is the solution going to be any more than "it's unlikely people will exploit this"?
That sort of attitude seems to be how Maryland feels about its AccuVote TS voting machines. Three independent reviews have all revealed flaws with them, but we're still using them, despite the fact that those flaws essentially mean that the contractor has violated its agreement with the State.
Furthermore, I doubt much criminal activity is going to result from releasing the information. Only a few people are going to have the time and patience to actually follow the exploit through, and if the system is well-designed (though apparently it may not be), modifying card data shouldn't be able to damage or disrupt the system.
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
These guys are literally restricting free speech, as in "don't say that out loud." This will work as a way better example of US censorship than my usual 2600 DECSS example. Thanks MA for the forthcoming karma in other censorship articles.
Just do it the way that they tried to do it in regards to the recent DNS exploits. Tell the affected organization (Boston subway system authority) that there is a problem and you are willing to work with them to fix it. If they refuse, just leave them the information and say they have x number of days to fix it and if they refuse to do anything, you are going to the press, which technically is true since journalists are allowed in limited numbers at Defcon as far as I know. That way you give them the courtesy of warning them in advance, but you aren't needing to completely shut up about it or let the problem lie unfixed. As a white hat, this guy has a moral obligation to help get problems fixed before the black hats find out.
Let's post a copy of the powerpoint slide in as many places as possible. If it works for Barb and the MPAA it'll work for the Great State of Mass!
It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas.
Having suffered under their government (Massachusetts', that is), this is a predictable reaction. I defected from there years ago.
I see two major problems with the application for the order. The first is that it claims that disclosure of how to hack the cards constitutes a danger to the public. How so? All these cards are good for is paying the fare. Hacking them allows people to ride the subway for free. That's petty larceny, not a danger to the public.
The second is that the application asked the court to forbid:
There's no conceivable justification for that. Even if there is justification for forbidding disclosure of the details of the hack, stating that there is a problem is certainly constitutionally protected. (It is possible that the court did not include such language in the TRO; this is what Massachusetts asked for, but possibly not what they got. Anybody got a link to the actual TRO?).
What I want to know is why Massachusetts is complaining about and interfering with a conference happening in my hometown, Las Vegas.
Its = possessive. It's = "it is"
"abridging the freedom of speech, or of the press;"
-US Constitution
Libertas in infinitum
Isn't this the city that upped their threat level due to an Aqua Team Hunger Force marketing campaign? If so, this news isn't at all surprising.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
http://www.boston.com/news/globe/ideas/brainiac/2007/01/attack_of_the_m.html
This should answer your confusion.
What's the value of information that you don't know?
It's one more strike against the first amendment and another step down the path of the government deciding what you are allowed to know.
---- Booth was a patriot ----
Print and send a copy to the Mass government and the judge.
---- Booth was a patriot ----
Fuck this.
They need to give their presentation regardless.
It's clearly a first amendment issue, and when people allow things like threats from the authorities or bullshit unconstitutional court injunctions to stop them from what they want to tell the masses it only serves to justify the actions of those who would try to stop people from expressing important matters.
From what I can tell this isn't about public safety at all, it's more about money. If it were about public safety, they would take it seriously and work with these guys to resolve the issues.
On top of that, when these sorts of uses for RFID were being planned and discussed years ago (things like this and passports, etc) many, many people warned that this would occur...
Someone needs to take that CD and quickly get the contents onto usenet. It's already in the public record anyway - once the cat is out of the bag it's out of the bag.
Thanks, Judge! I'd have never known it existed had you not tried to censor it.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
WOW, preemptive limitation of free speech is almost unheard of. Usually asking a judge to stop someone from talking before the fact is met with ridicule by the judge.
If I tell you how to hack the DC transit system right here in this post, will DC issue an injunction to have slashdot remove the post? Let's find out!
In the DC system, you have to scan your card to get into and out of every station. Rather than having standard boarding fares like NY, it actually takes into account where you scanned in and where you scanned out and then deducts the appropriate amount for the fare between those two points at the time you scan out.
But say you leave the same station you entered. Maybe you missed your train and decided to take a cab, or forgot something, or got a call and changed your plans, or just want to rip off the DC transit system. Whatever. You always have to scan a card to get out, and if you scan the same card, it doesn't let you out for free, but charges you a minor fee. I think it was $0.25.
So, say you have a standard commute to work and back every day on the DC transit system:
Go into your point of departure and buy two cards, one with the appropriate fare to your destination. Swipe both of them in.
Ride to your point of departure. Swipe the exact fare card out and throw it away.
Go about your business at your destination. When you return:
Buy a new card and swipe it in.
Ride to your point of origin and Swipe OUT the card you only swiped IN at the same point earlier. You just rode there for $0.25.
The next day, swipe that same card in at the same station. Ride to your point of departure, and swipe out with the card you bought at that point yesterday. Another $0.25 trip.
Always continue to scan in and out at the same station using the same card. Every trip between those stations will be $0.25.
There is no expiration on how much time may pass between swiping in and out of the same station for the minimum fee. There is nothing set up to catch that one card is swiped in and out of the same station every day about 9 hours apart, while another card is swiped in and out of another station about 15 hours apart. At least, not unless they've fixed it in the past few years.
Obviously, buy the cards you use for this with cash, not a credit card.
If you really want to be a cheapskate, quadruple your money also. Then all repeat rides in the system will be priced at approximately $0.07 each.
. . . lawyers wind-up supporting them.
In capitalist America company sell you.
IANAL, but slide 5 of the presentation says "AND THIS IS VERY ILLEGAL". Maybe they are getting their rocks off, testing and exposing security weaknesses - whatever. Public good, harming society, doesn't matter. If we follow free speech and assembly, the talk should not have been stopped, for ANY reason. Whenever and wherever we go down the road of "illegal information", tyranny is sure to follow.
It would seem that a much better approach would have been to allow the speech to continue, but indict and serve the people (beforehand) who did illegal behavior ASAP, then use the speech to apprehend and prosecute those who did the illegal acts.
The state should warn them beforehand: "you will be prosecuted" for your illegal behavior X, Y and Z (and BE SPECIFIC), and then at trial, public admissions make the situation worse. Gee, maybe law enforcement needs to get current, at least come into the 1990s.
This is the same discussion going on all around while the world ramps up the global communication streams: demonizing the information or talking about it after the illegal acts, instead of what works: calmly and very publicly bringing those who do criminal behaviors to justice.
I have to wonder who in their right mind would be represented by the EFF these days. Their track record is like wearing a sign on your back that says "please laugh me out of court."
Interested in open source engine management for your Subaru?
Can't the students just go outside the jurisdiction of U.S. law? I mean, an American gag order isn't legal in another country. It would be cool to have them give their presentation without fear of punishment in the faces of the MBTA, with the MBTA completely helpless to do anything back.
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
Because regardless of whether these guys are allowed to point it out to the general public, the transit system "is not wearing any pants." If you stop them from pointing that out, it does not magically get pants, but *does* decrease the probability that the MBTA will feel any public pressure to buy it some damn pants.
Isn't this prima facie unconstitutional?
Haven't seen any discussion of the actual presentation. For the actual SmartCard (rather than just the mag stripe paper ticket), it wasn't clear to me if they ever actually managed to break the key. They noted that it was a short key. Then they showed how they would build a key cracker using an FPGA. Then they wrote some code to reprogram the card once they had the key.
But did they ever manage to use all of these successfully (meaning, did they ever actually break a key with their FPGA or is it just an FPGA that theoretically could break a key?). And if so, how long did it take? And is that key specific to the card?
Maybe they did, it was powerpoint so there is some vagueness compared to a paper or something. The real question is how much effort is involved in forging a single card? This attack could be relatively harmless or utterly devastating based on that factor.
Early ATM machines worked on the end-of-day batch system. It didn't matter too much since most banks ran their own ATMs and there weren't that many per branch. You could theoretically start the day with a $100 bank balance then withdraw $100 from each ATM and not be caught until the end of the day, by which time you'd be in Mexico.
End-of-day reconciliation with just an account-identifier is very doable and low-risk with small-account things like transit cards. Every day, every bus or train's money computer has a list of valid transit cards with their amounts, plus a list of transit cards that could be issued that day.
Fraud would be possible if the amount remaining on a transit card was less than the cost of an all-day pass or if someone could buy a transit card with less than an all-day pass on it. In this case, taking a photograph of the person, requiring a thumb-print, or requiring an ID for anyone with a low balance who doesn't hand the driver cash should deter most people from fraud.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
If the card stores the card's unique ID, the current balance, a unique, time-coded transaction number for the last update, and a digital signature, and every morning the smart-card readers get an updated list of all valid smart-cards and the timestamps of their last transactions, this trick would only work for the rest of the day.
As you used your smart-card, it would get updated, and tomorrow if you "backdated" it to Friday evening's total, then it would no longer match the "last used 3PM August 9" stamp and would be flagged as a possible clone.
In practical terms, the card-readers wouldn't even need to keep a list of all cards. Keeping only those used anywhere in the system in the last month would let clones or re-dated cards slip by, but only if they had not been used in a month. 12 days a year of free transit rides is an acceptable loss. If it's not, then keep two months' worth of data, or a year, or whatever.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
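The two comments above (the end-of-day reconciliation idea and the signed card with a transaction number plus a morning list of last-seen transactions) describe one detection scheme. The following is an added example, not code from the thread or from any transit operator: it models the card record with a keyed MAC standing in for the digital signature the poster mentions, gives readers a morning list of `{card_id: (last_tx, last_time, balance)}`, and shows both the catch (a Friday-evening copy presented after the Sunday list arrives) and the residual window the poster concedes (the same copy presented before the next list is pushed). The key, card values, and timestamps are all constructed.

```python
import hmac
import hashlib
import json

# Constructed issuer key for this example; a real system would keep the signing key
# in a secure element or HSM and use a public-key signature (assumption, not any operator's design).
ISSUER_KEY = b"constructed-issuer-key-not-for-production"


def _payload(card_id, balance_cents, tx_counter, tx_time):
    # Canonical encoding of the fields the post lists: id, balance, transaction number, time.
    return json.dumps([card_id, balance_cents, tx_counter, tx_time],
                      separators=(",", ":")).encode()


def issue_card(card_id, balance_cents, tx_counter, tx_time):
    """Write a card record: the fields plus a MAC (stand-in for the post's digital signature)."""
    tag = hmac.new(ISSUER_KEY, _payload(card_id, balance_cents, tx_counter, tx_time),
                   hashlib.sha256).hexdigest()
    return {"id": card_id, "balance": balance_cents, "tx": tx_counter,
            "time": tx_time, "sig": tag}


def signature_valid(card):
    expected = hmac.new(ISSUER_KEY,
                        _payload(card["id"], card["balance"], card["tx"], card["time"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, card["sig"])


def check_card(card, morning_list):
    """Reader-side decision.

    morning_list is what every reader receives each morning:
    {card_id: (last_tx_counter, last_tx_time, balance_after_that_tx)}.
    """
    if not signature_valid(card):
        return "reject: signature mismatch (edited data)"
    known = morning_list.get(card["id"])
    if known is None:
        return "reject: card not on valid list"
    last_tx, last_time, last_balance = known
    if card["tx"] < last_tx:
        # The card carries an older transaction than the back end has already seen:
        # a copy restored from before the last ride, or a clone of one.
        return "flag: backdated or cloned (last seen %s)" % last_time
    if card["tx"] == last_tx and card["balance"] != last_balance:
        return "flag: balance differs from back-end record"
    return "accept"


def demo():
    # Friday evening: card C1 holds $15.00 after its 10th transaction; someone copies it.
    friday_copy = issue_card("C1", 1500, 10, "2008-08-08T18:00")
    # Saturday 3 PM: a genuine ride rewrites the card (11th transaction, $2.00 fare).
    saturday_card = issue_card("C1", 1300, 11, "2008-08-09T15:00")
    # A card whose balance was edited without the key.
    tampered = dict(saturday_card, balance=9999)

    saturday_morning = {"C1": (10, "2008-08-08T18:00", 1500)}  # list pushed before the 3 PM ride
    sunday_morning = {"C1": (11, "2008-08-09T15:00", 1300)}    # list pushed after it

    return {
        "copy_same_day": check_card(friday_copy, saturday_morning),  # slips through until tomorrow
        "copy_next_day": check_card(friday_copy, sunday_morning),    # caught
        "genuine_next_day": check_card(saturday_card, sunday_morning),
        "tampered": check_card(tampered, sunday_morning),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The comparison is on the transaction counter rather than the timestamp, since a monotonic counter cannot be confused by clock drift between readers; the timestamp is kept only for the operator's flag message. The "copy_same_day" result is the window the poster describes: a restored copy passes until the next morning's list overtakes it.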
Here is the presentation:
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
Mirrors:
http://www.evernote.com/pub/ssulistyo/InfoSecStuff#07ff6ce9-1aa9-45e9-8bd2-10ce0805e534
https://dl.getdropbox.com/u/77164/anatomy%20of%20a%20subway%20hack.pdf
Also, a vulnerability assessment report:
http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf
So what I want to know is why is the government so inefficient that it can't provide public transportation services out of the tax revenue it collects and needs to resort to collecting fares?
Virtually all cities have fare-collecting public transport systems because that's the only way taxpayers are willing to pay for them.
Almost inevitably if you tried to switch to fully tax-funded transportation, you'd encounter a lot of resistance from people who didn't feel like they were getting a good deal. I.e., they pay taxes but don't use the system, or the system doesn't run near where they live, or they use it less than average but pay more taxes than average, or any number of other reasons. Alienate large sections of the voting public like that, and you'll be wiped out in the very next election. Not a good recipe for success if you're trying to pull off a large-scale, long-term infrastructure development project.
As a compromise, most public transportation systems have some funding coming from taxes (generally based on the argument that the presence of the transportation system increases property values and thus justifies the tax), and some directly from the users of the system via fares.
Also, because historically many public transportation systems were private enterprises attempting to turn a profit from fare collection, people have come to expect fares when they step onto a bus or train. It wouldn't make much sense to eliminate that source of funding -- which people seem mostly okay with -- in favor of raising taxes, which people tend to really hate and frequently oppose vigorously.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
SF's BART system has a workaround for this technique.
If you exit and leave the same station, it charges you an "Excursion Fare", which is $4.65.
It's about 50% of the maximum one way fare you can incur.
You do realize that the 14th Amendment was not actually properly ratified, right?
If it ever faced serious historical, legal, judicial, and most importantly Constitutional scrutiny, it would be null and void. That's very scary considering "due process" is derived from it.
Libertas in infinitum
Exactly, gas prices aren't going down anytime soon. Those prices are eating into owning a car. Figure it's $300+ per month for required insurances and gas now... let alone "owning and repairing" the car. People are starting to realize that all they're doing by having their "own" car is to fund insurance and gas companies... you can't afford to drive "anywhere" anymore.
Let me get this right: there has been an injunction barring these people from talking, but not from publishing?
Duh, talk about drawing attention to a problem...
Insert
If you want to have a copy of this presentation, the link below is one of the places you can download it:
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
Now, the students' confidential, detailed Vulnerability Assessment Report to the MBTA is out in public, thanks to the wise guys submitting it to the court (as "Exhibit A").
Apart from the fact that the MBTA would have normally paid five-figures to receive such a report from some risk-management firm, it also lists a few of the glaring shortcomings of the system.
Who in his right mind would store the (money-equivalent) value of a card on the card itself?
Even my university back in the 90s was smart enough not to do that for such a simple thing as a cafeteria-card (the card had a number on it - all data was stored on a PC in the backroom).
Hello, McFly - anybody at home?
It's no longer 1972, where you needed 30k of equipment to read and write data from a smart-card or swipe-card.
It's 21st century now. Fraudsters have made a business over stuff with much less profit than in this case.
And trying to keep the information about all this stuff secret has helped spread the news about the talk all over the web.
What a great achievement.
Windows 2000 - from the guys who brought us edlin
That isn't a great workaround. You could use nearby stations instead and save some money. Japan had this happen decades ago, so they actually log the time in and out and if it is too high (maybe a bit more than the time it takes to go from one end to the other, which on some lines isn't very great), then it won't let you out of the wicket. Then you have to have the person at the gate let you out unless they think you are defrauding them. This definitely stops someone from doing it on their daily commute.
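The thread has now described three pieces of the same problem: the same-station entry/exit trick earlier in the discussion, BART's flat excursion fare for a same-station exit, and the Japanese approach of timing the gap between tap-in and tap-out. Here is an added example (not code from the thread or from any transit operator) that runs a constructed tap log through both controls: a gate rule that charges the excursion fare for a short same-station visit but holds the gate when the dwell time is implausible, and a back-office sweep that lists cards doing same-station round trips on several days. The two-hour dwell limit and the $2.00 flat fare are assumed placeholders; the $4.65 excursion fare is the figure quoted in the thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values for this example (not taken from any real operator):
MAX_SAME_STATION_DWELL = timedelta(hours=2)
EXCURSION_FARE_CENTS = 465   # the BART figure quoted in the thread
NORMAL_FARE_CENTS = 200      # flat fare placeholder for the example

# Constructed tap log: "<ISO time> <card> <IN|OUT> <station>". It reproduces the
# two-card commute described in the thread (C1 and C3 each only ever tap in and out
# of one station, C2 pays once) plus C9, a rider who genuinely turned around.
SAMPLE_LOG = """
2008-08-11T08:00 C1 IN Home
2008-08-11T08:00 C2 IN Home
2008-08-11T08:40 C2 OUT Work
2008-08-11T09:00 C9 IN Home
2008-08-11T09:10 C9 OUT Home
2008-08-11T17:30 C3 IN Work
2008-08-11T18:10 C1 OUT Home
2008-08-12T08:00 C1 IN Home
2008-08-12T08:40 C3 OUT Work
2008-08-12T17:30 C3 IN Work
2008-08-12T18:10 C1 OUT Home
""".strip().splitlines()


def pair_taps(lines):
    """Match each OUT tap with the open IN tap of the same card, in log order."""
    open_entries = {}
    trips = []
    for line in lines:
        ts_text, card, direction, station = line.split()
        ts = datetime.fromisoformat(ts_text)
        if direction == "IN":
            open_entries[card] = (ts, station)
        else:
            entry = open_entries.pop(card, None)
            if entry is not None:
                trips.append((card, entry[0], entry[1], ts, station))
    return trips


def gate_decision(entry_ts, entry_station, exit_ts, exit_station):
    """What the exit gate does with one trip: (action, amount_cents)."""
    if exit_station != entry_station:
        return ("charge", NORMAL_FARE_CENTS)
    if exit_ts - entry_ts > MAX_SAME_STATION_DWELL:
        # Too long for a change of mind: keep the gate closed and call the attendant.
        return ("hold", 0)
    # Short same-station visit: charge the excursion fare rather than a token amount.
    return ("charge", EXCURSION_FARE_CENTS)


def process_log(lines):
    """Gate decisions for every completed trip: (card, exit time, action, amount)."""
    return [(card, exit_ts.isoformat(timespec="minutes"),
             *gate_decision(entry_ts, entry_st, exit_ts, exit_st))
            for card, entry_ts, entry_st, exit_ts, exit_st in pair_taps(lines)]


def recurring_same_station_cards(lines, min_days=2):
    """Back-office sweep: cards that enter and exit the same station on several days."""
    days = defaultdict(set)
    for card, _, entry_st, exit_ts, exit_st in pair_taps(lines):
        if entry_st == exit_st:
            days[card].add(exit_ts.date())
    return {card for card, seen in days.items() if len(seen) >= min_days}


if __name__ == "__main__":
    for decision in process_log(SAMPLE_LOG):
        print(decision)
    print("recurring same-station cards:", recurring_same_station_cards(SAMPLE_LOG))
```

On this log the gate charges C2 the normal fare, charges C9 the excursion fare for its ten-minute turnaround, and holds C1 and C3 at the gate because their same-station dwell times are ten and fifteen hours; the sweep flags only C1, the card that has done it on two different days. The dwell limit is the parameter to tune against the longest legitimate end-to-end journey, as the Japanese rule in the comment above does.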
Funny, but that's also the only damages the RIAA members face from filesharing, yet they treat it as a national emergency demanding new laws, treaties, and 30,000+ lawsuits demanding damages far in excess of any actual losses. Overhype isn't limited to the MTA alone.
And, btw, this judge should be impeached for such a gross error of judgment in issuing this order. Hate to think of him deciding other cases given his obvious lack of understanding of the basics of the Constitution.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Unless the information is declared illegal. Then *anyone* that possesses it is committing a crime.
Now we can debate how they can enforce it, but it still doesn't change the fact it's illegal and anyone with the knowledge is subject to jailing.
Yet another sinister future of DRM "this file has been identified as containing forbidden knowledge and we are now contacting your local FBI".
Good thing they can't erase knowledge from our brains. Yet.
---- Booth was a patriot ----
I agree somewhat; it may be that he has people telling him that "this will enable people to conduct a terror attack" or some other stuff and buys into this post-9/11 Patriot Act bullshit "everything is different now, even how we interpret the constitution" line of thinking. What's even more clear is that he doesn't seem to understand how technology and digital data work; the data was (and still is) on MIT's website - I am sure his injunction probably didn't cover that, and if it did, kudos to MIT: http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
Every /.'er must see page 82 of the presentation for the "WarCart"!
That's some funny stuff.
So the contractors did shoddy work, supplied substandard materials, and it's the government's fault? Face it: any time there's a chance to cheap out on materials & workmanship, contractors will take it every single time to boost their profits.
It doesn't mean much now, it's built for the future.
I don't see anyone asking the obvious question:
How much does it cost to secure and collect transit fares, and how much are those fares? Has anyone seen definitive studies on this topic? If it turns out that the cost of administering fare collection is comparable to the fares collected, this leads to a corollary:
Why not simply make all ridership of public transit systems free? Then all the money spent to administer, collect, and verify the riders' payments could go directly to keeping the buses and trains running. I've seen some studies on this topic which suggest that the administration cost is comparable to the money collected from fares, but have no citations handy.
All transportation systems are government subsidized. The most subsidized transport system in history is the US road network. Public transit receives only a tiny fraction of the US roads budget. Fares typically only cover a small (but important) fraction of the cost of operating a public transit system.
If we were to open up what public transit systems we have, to everyone, for free, it would only improve the service. We already do this for automobile routes ... there's no use-fee for most roads! Let's provide the same level of service for public transit.
IMHO, the most effective way to do this would be to take the money from our (doomed to failure as a result of peak oil) automobile-based transportation system and re-allocate this money for public transit. This would have multiple positive effects: increased service and ridership of public transit; reduced road use (will happen anyway, voluntarily or not); less oil use; reduced emissions and pollution. What are the downsides of this approach?
I miss their tea parties.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?