Massachusetts Sues to Halt Defcon Subway Hacking Talk
According to CNET, "The state of Massachusetts has asked a federal judge for a temporary restraining order preventing three MIT students from giving a presentation on Sunday about hacking smartcards used in the Boston subway system." It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas. Update: 08/09 20:57 GMT by T : "Too late," says reader Bluey: "Injunction was already granted."
Rather than make sure they have a techie in attendance so that they may learn something and find a workaround for the issue, Boston's lawyers suggested that burying your head in the sand (or, alternatively, in the piles of garbage and crap in Boston) will solve the issue just as well. "As long as we don't let them say it publicly, it does not exist," one Boston official explained the position.
This is why I love government bureaucrats. They tend to be smarter than the average bear.
-- All this knowledge is giving me a raging brainer.
Who needs free speech anyway?
"Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
Barbra Streisand seen fleeing the scene.
The article mentions that the authorities met with the students and Ron Rivest (i.e. the "R" in the RSA crypto system).
It would be interesting to see what his involvement with this project is.
*mumbles something about Guantanamo Bay*
It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas.
Injunction was already granted. Insert Soviet joke here.
Which is exactly why an injunction should never have been granted.
The real "Libtards" are the Libertarians!
Is MBTA actually going to get the card system provider to fix the problem? Because from what I've seen, you'll have a hard time even getting the department and the contractor to admit that the problem exists. And even if they do admit it, is the solution going to be any more than "it's unlikely people will exploit this"?
That sort of attitude seems to be how Maryland feels about its AccuVote TS voting machines. Three independent reviews have all revealed flaws with them, but we're still using them, despite the fact that those flaws essentially mean that the contractor has violated its agreement with the State.
Furthermore, I doubt much criminal activity is going to result from releasing the information. Only a few people are going to have the time and patience to actually follow the exploit through, and if the system is well-designed (though apparently it may not be), modifying card data shouldn't be able to damage or disrupt the system.
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
All that proves is that the people suing are even stupider than they seem because they're trying to stop something that's already on the internet, and we all know how that goes.
It's actually even worse than that. By the action of suing they have drawn attention to the issue, as well as "confirming" the research.
Probably also ensuring that the relevant information will wind up being published in places it wasn't likely to end up before. Note that the article mentions that thousands of people (not covered by the injunction) already have copies of the "paper". Some of those copies may already be out of the court's jurisdiction too.
Just do it the way that they tried to do it in regards to the recent DNS exploits. Tell the affected organization (Boston subway system authority) that there is a problem and you are willing to work with them to fix it. If they refuse, just leave them the information and say they have x number of days to fix it and if they refuse to do anything, you are going to the press, which technically is true since journalists are allowed in limited numbers at Defcon as far as I know. That way you give them the courtesy of warning them in advance, but you aren't needing to completely shut up about it or let the problem lie unfixed. As a white hat, this guy has a moral obligation to help get problems fixed before the black hats find out.
I see two major problems with the application for the order. The first is that it claims that disclosure of how to hack the cards constitutes a danger to the public. How so? All these cards are good for is paying the fare. Hacking them allows people to ride the subway for free. That's petty larceny, not a danger to the public.
The second is that the application asked the court to forbid:
There's no conceivable justification for that. Even if there is justification for forbidding disclosure of the details of the hack, stating that there is a problem is certainly constitutionally protected. (It is possible that the court did not include such language in the TRO; this is what Massachusetts asked for, but possibly not what they got. Anybody got a link to the actual TRO?).
What I want to know is why Massachusetts is complaining about and interfering with a conference happening in my hometown, Las Vegas.
Its = possessive. It's = "it is"
"abridging the freedom of speech, or of the press;"
-US Constitution
Libertas in infinitum
http://www.boston.com/news/globe/ideas/brainiac/2007/01/attack_of_the_m.html
This should answer your confusion.
What's the value of information that you don't know?
It's one more strike against the first amendment and another step down the path of the government deciding what you are allowed to know.
---- Booth was a patriot ----
Fuck this.
They need to give their presentation regardless.
It's clearly a first amendment issue, and when people allow things like threats from the authorities or bullshit unconstitutional court injunctions to stop them from what they want to tell the masses it only serves to justify the actions of those who would try to stop people from expressing important matters.
From what I can tell this isn't about public safety at all, it's more about money. If it were about public safety, they would take it seriously and work with these guys to resolve the issues.
On top of that, when these sorts of uses for RFID were being planned and discussed years ago (things like this and passports, etc) many, many people warned that this would occur...
Someone needs to take that CD and quickly get the contents onto usenet. It's already in the public record anyway - once the cat is out of the bag it's out of the bag.
Thanks, Judge! I'd have never known it existed had you not tried to censor it.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
If I tell you how to hack the DC transit system right here in this post, will DC issue an injunction to have slashdot remove the post? Let's find out!
In the DC system, you have to scan your card to get into and out of every station. Rather than having standard boarding fares like NY, it actually takes into account where you scanned in and where you scanned out and then deducts the appropriate amount for the fare between those two points at the time you scan out.
But say you leave the same station you entered. Maybe you missed your train and decided to take a cab, or forgot something, or got a call and changed your plans, or just want to rip off the DC transit system. Whatever. You always have to scan a card to get out, and if you scan the same card, it doesn't let you out for free, but charges you a minor fee. I think it was $0.25.
So, say you have a standard commute to work and back every day on the DC transit system:
Go into your point of departure and buy two cards, one with the appropriate fare to your destination. Swipe both of them in.
Ride to your point of departure. Swipe the exact fare card out and throw it away.
Go about your business at your destination. When you return:
Buy a new card and swipe it in.
Ride to your point of origin and swipe OUT the card you only swiped IN at the same point earlier. You just rode there for $0.25.
The next day, swipe that same card in at the same station. Ride to your point of departure, and swipe out with the card you bought at that point yesterday. Another $0.25 trip.
Always continue to scan in and out at the same station using the same card. Every trip between those stations will be $0.25.
There is no expiration on how much time may pass between swiping in and out of the same station for the minimum fee. There is nothing set up to catch that one card is swiped in and out of the same station every day about 9 hours apart, while another card is swiped in and out of another station about 15 hours apart. At least, not unless they've fixed it in the past few years.
Obviously, buy the cards you use for this with cash, not a credit card.
If you really want to be a cheapskate, quadruple your money also. Then all repeat rides in the system will be priced at approximately $0.07 each.
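As an added illustration (not code from the post above, and not any transit agency's real software), the following Python simulation models the stateful entry/exit fare logic that comment describes: a card records where and when it tapped in, and a tap-out at the same station is charged a flat fee with no limit on elapsed time. It runs the two-card commute from the post against that naive gate and against a hardened variant that charges the maximum fare when a same-station exit happens after a capped dwell time. The $0.25 same-station fee is the only figure taken from the post; the station names, the $2.35 A-to-B fare and the 2-hour dwell limit are assumptions chosen for the example.

```python
"""Two-card same-station exit trick, simulated against a naive and a hardened fare gate.

Constructed example: the stations, fares and dwell limit are assumptions; only the
$0.25 same-station exit fee is taken from the forum post being illustrated.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAME_STATION_FEE = 0.25            # flat charge for exiting where you entered (from the post)
FARES = {("A", "B"): 2.35, ("B", "A"): 2.35}   # assumed fare table between two stations
MAX_FARE = 2.35                    # assumed charge for a trip the gate cannot reconcile
MAX_DWELL_SECONDS = 2 * 3600       # hardened gate only: assumed cap on time spent "inside"
HOUR = 3600


@dataclass
class Card:
    balance: float
    entry: Optional[Tuple[str, int]] = None     # (station, tap-in time) while inside the system
    history: List[Tuple[str, str, int, float]] = field(default_factory=list)


class FareGate:
    """Entry/exit fare gate. hardened=False reproduces the behaviour the post describes."""

    def __init__(self, hardened: bool):
        self.hardened = hardened

    def tap_in(self, card: Card, station: str, t: int) -> None:
        if card.entry is not None:
            raise ValueError("card is already inside the system")
        card.entry = (station, t)

    def tap_out(self, card: Card, station: str, t: int) -> float:
        if card.entry is None:
            raise ValueError("card was never tapped in")
        origin, t_in = card.entry
        card.entry = None
        dwell = t - t_in
        if origin == station:
            fee = SAME_STATION_FEE
            # Hardening: a same-station exit hours later is not a cancelled trip; bill it
            # as an unresolved journey instead of the courtesy fee.
            if self.hardened and dwell > MAX_DWELL_SECONDS:
                fee = MAX_FARE
        else:
            fee = FARES[(origin, station)]
        card.balance -= fee
        card.history.append((origin, station, dwell, fee))
        return fee


def run_commute(hardened: bool) -> List[float]:
    """Replays the scheme from the post with three cards X, Y, Z.

    Returns the fees charged in order: the one-off setup ride on Y, then the two
    same-station exits (X at A after ~9.5h, Z at B after ~15.5h) that each commute leg
    actually costs once the scheme is running.
    """
    gate = FareGate(hardened)
    x, y, z = Card(10.0), Card(10.0), Card(10.0)

    # Day 1, 08:00 at station A: tap both X and Y in.
    gate.tap_in(x, "A", 8 * HOUR)
    gate.tap_in(y, "A", 8 * HOUR)
    # 08:30 at B: tap Y out at full fare; Y is then discarded.
    setup_fee = gate.tap_out(y, "B", 8 * HOUR + 30 * 60)
    # 17:00 at B: buy Z and tap it in.
    gate.tap_in(z, "B", 17 * HOUR)
    # 17:30 back at A: tap X out at the same station it entered, 9.5 hours later.
    fee_home = gate.tap_out(x, "A", 17 * HOUR + 30 * 60)
    # Day 2, 08:00 at A: X goes back in; 08:30 at B: Z comes out, 15.5 hours after it entered.
    gate.tap_in(x, "A", 32 * HOUR)
    fee_work = gate.tap_out(z, "B", 32 * HOUR + 30 * 60)
    return [setup_fee, fee_home, fee_work]


if __name__ == "__main__":
    print("naive gate   :", run_commute(hardened=False))
    print("hardened gate:", run_commute(hardened=True))
```

Against the naive gate every leg after the setup ride costs the $0.25 courtesy fee, exactly as the post claims; the hardened gate turns both long same-station exits into full-fare charges, which removes the incentive without touching the normal "missed my train, left the station" case that the flat fee exists for.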