EFF To Appeal Court Order Vs. Subway Hack Demo

snydeq sends along InfoWorld coverage of the EFF's plans to appeal a US District Court order that kept three MIT students from presenting detailed flaws in the Massachusetts Bay Transportation Authority e-ticketing system at Defcon. And an anonymous reader points out that the MBTA, in addition to triggering the Streisand Effect, released in open court more information on vulnerabilities (PDF) than the students had any intention of presenting. See Exhibit 1 to this court filing.

First amendment

[Hatta]

How can any such order be justified in the light of the first amendment protection of free speech?

Re:First amendment

How can any such order be justified in the light of the first amendment protection of free speech?

obviously it cant. However that has not stopped people from trying and succeeding in the past.

Re:First amendment

[Free+the+Cowards]

Same way that slander and libel are actionable. Namely, the first amendment, in general, protects against criminal prosecution but not civil suits.

Re:First amendment

[im_thatoneguy]

If only there were some branch of the government whose job it was to ensure that people's constitutional rights were protected!

Re:First amendment

[Daimanta]

Terrrism!!!1!

Re:First amendment

[nurb432]

Its not the job of the first amendment to *prevent* this from happening.

its job is to protect us by striking it down once heard by the courts.

Re:First amendment

[Intrinsic]

Maybe im not understand the situation, but if you attempt to release information that can cause harm to a business or person or society. that speech can definitely be limited. Its like calling fire in a building with no fire and someone getting hurt. It seems like in this case, if this information got mass attention there might be some way to construe harm. I mean I can think of allot of ways to fabricate the perception of harm, even though it is unlikely.

Im trying to put myself in their shoes, someone or someones do not want to have to deal with this if people start mass circumventing the system... money loss, reputations, and the like are surely involved. it doesn't matter if it has been done before, this particular event makes stuff like this a hot topic, because people that build or manage insecure systems look really, really stupid to the professional community.

Re:First amendment

How can you justify the hack? Showing people how to ripoff the subway would seem to be a criminal act.

Re:First amendment

[Beryllium+Sphere(tm)]

Actually, under constitutional law, the preferred situation is to let the speech happen and hash out any legal issues later. The term for preventing a publication is "prior restraint", and it's very much frowned upon compared to going to court over speech that's already been published.

In this case the judge used a computer intrusion statute. I don't know the terms of it, but some such laws do prohibit trading in passwords or other access devices. Seems like a stretch, and I don't consider it justified, but that might be the reasoning. I'm not a lawyer, but if I were them I'd look out for the highly abusable conspiracy laws.

Re:First amendment

By hack I assume you mean the person or persons responsible for attempting to use the courts to implement security through obscurity.

Re:First amendment

[NFN_NLN]

How can you justify the hack? Showing people how to ripoff the subway would seem to be a criminal act.

No... RIPPING OFF THE SUBWAY is the criminal act.

By your logic everyone in the military should go to jail for teaching or learning how to kill.

Re:First amendment

[sribe]

How can any such order be justified in the light of the first amendment protection of free speech?

The judge is an idiot. Prior restraint is unconstitutional. This will not survive the appeal.

Re:First amendment

[ObsessiveMathsFreak]

Because; "You have the right to freedom of speech as long as your not dumb enough to use it".

Freedom of speech, like just about all our supposed freedoms, is only available to those that can afford to defend it in court. The contrapositive of this fact is of course that the ability to take away freedoms from someone is available to those that can afford to attack them in court.

Companies, etc, apply for injunctions and by Gods they get them. Do you think if you, whatever your grievance, applied for an injunction against a major company that it would be awarded? Money talks. Judges listen. It's not necessarily something as base as bribes. Just high class laywers gaming a system that puts up with being gamed.

These three hackers should not have appealed this order. They should have ignored it. Defcon should have ignored it. Why obey an order that is going to be struck down anyway? Threat of censure? The court can only censure you if it's oder was legal in the first place.

If more people stood up to, and openly defied the courts; we'd have a better court system.

Re:First amendment

Same way that slander and libel are actionable. Namely, the first amendment, in general, protects against criminal prosecution but not civil suits.

I don't know how the hell you got modded informative! Prior restraint != civil suit.

Re:First amendment

[MDMurphy]

A couple comments:

First, the information was already released. The entire presentation was handed out on CDs at the beginning of the conference. All the court order did was prevent a true dialog about the hack.

Second, it could be construed that not releasing the information also has a negative cost. As a public entitiy, the transit agency has a duty to look after the system. The hack points out a flaw in the system. Was the system design opened to public scrutiny prior to its use in an attempt to prevent such a hack? If the hack were not widely known would the agency be working dilligently to fix the flaws?

This is not much different than the "print your own bogus boarding pass" hack. The big worry wasn't really that loved ones could see you off at the gate, but that "bad guys" could go through security, metal detectors and such only to swap tickets with someone who wasn't on the no-fly list. What the release of that hack did was point out a flaw that already existed and provide incentive to fix it, or to drop the whole boarding pass as security sham in the first place.

As to the yelling Fire! in the theater analogy: If there's really a fire, it's Ok to yell.

This is another situation the 1st ammendment was designed to protect. Annoying, painful, expensive, dangerous speech might need to be protected.

Re:First amendment

Oh please, dear! For your information, the Supreme Court has roundly rejected prior restraint.

Re:First amendment

[Free+the+Cowards]

Fuck off and stop being such an asshole just because you're anonymous.

The MBTA filed a lawsuit Friday seeking to stop three Massachusetts Institute of Technology students from giving the talk.

The action in question is clearly part of a civil suit. Just because you don't like it don't mean it ain't so.

Re:First amendment

[MikeD83]

In this case the judge used a computer intrusion statute. I don't know the terms of it, but some such laws do prohibit trading in passwords or other access devices. Seems like a stretch, and I don't consider it justified, but that might be the reasoning.

According to the complaint the MBTA is calling the CharlieCard and even the CharlieTicket a "computer." Understanding how the "computer" works and disseminating that information constitutes fraud.

According to the referenced US Code, a "computer" is:

the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;

Re:First amendment

[corsec67]

Then would you also like to allow the people who said "some toys in Wal-Mart have lead in them" to also have their speech limited?

The critical part of rights like the freedom of speech is that if it excludes stuff you don't like, then it is worthless.

"You can say whatever you want, as long as nobody is offended" doesn't really work.

Personally I don't see how any possible exclusions to freedom of speech can be obtained from "Congress shall make no law ... or abridging the freedom of speech, or of the press;", and so libel and slander can't be made illegal as the first amendment is currently written. Neither do I think that it should be possible to make obscene or offensive speech, books, or printings illegal.

Re:First amendment

[Tuoqui]

The right to free speech is useless without the right to offend.

This should be publicized and they should get the hell off their asses and FIX THE PROBLEM!

And they should stop trotting out bullshit 'NATIONAL SECURITY' excuses for some minor public transit crap as an excuse to shut people up.

Re:First amendment

[belmolis]

For commentary by an expert on First Amendment law, see Eugene Volokh's post.

Re:First amendment

[Intrinsic]

Im with you on that, im just saying that their is a difference between reality (which we know what that is) and the perceived reality. And the perception is that its possible the transit authority probably has some people that manage or have a stake in creating that system and are trying to do damage control. Its not based in reality, but its better to know what you are dealing with, because the people involved in the insecure transit system are not going to think like rational people if heads are going to roll.

I was going to say something else but I forgot what it was.. basicley im not arguing either way, im just trying to put all the cards on the table.

Re:First amendment

[sconeu]

By a governmental (or quasi-governmental) agency, who is therefore bound by the First Amendment.

Re:First amendment

[Anpheus]

Thankfully there -isn't- a Department of Constitutional Rights. If such a thing existed, we could expect the same bureaucracy and red tape to drown any chance it has at reasonably protecting Americans against broad violations of their rights.

Additionally, you can bet that if such a department existed, laws like the USA PATRIOT Act would serve to maim or gag it in order to perpetuate even greater crimes while people are none the wiser.

No, I'm glad we live in a country where our rights are defended by regular people putting their time and money to organizations they deem valuable to the future of the nation. Is it the -best- way? Perhaps not, but it's certainly better than betting it all on responsible government.

I will insist, again, that I am glad I live in a country where we have the ACLU, the EFF, the NRA, the NAACP, etc. I am glad we have all of those. It doesn't bother me one bit that they at times disagree with one another, it doesn't bother me that these organizations can be overzealous. I am glad they are overzealously defending my rights. If that means the NRA makes it legal for me to own a bazooka without a permit, well, to quote Office Space, "Fuckin' A, man."

Re:First amendment

If only there were some branch of the government whose job it was to ensure that people's constitutional rights were protected!

Nice sarcasm. One thing we need to all remember though, is that those truely responsible for protecting our inalienable rights are described in the first three words of the Constitution. We are all on the soapbox here and while Slashdot is a good venue let's not forget to get this on the soapbox in as many public venues as possible. Educational research activities are a good thing and students and/or professors should be allowed to present their papers.

The loss of rights to the government is a process of erosion and such erosion should be halted anywhere it is found. If you think something related to such erosion is ok cause you think it don't effect you, then don't be suprised when you fall into a sinkhole. ( use of the word "you" here is generic and thus addressed to the public at large )

Re:First amendment

[Caboosian]

If more people stood up to, and openly defied the courts; we'd have a better court system.

If more people stood up to, and openly defied the courts, we'd have more people in jail - and a court system with less credibility. If an average citizen can shrug off a court order, what use do are the courts? No, instead, the companies/corporations gaming the system should be held responsible. Honestly, I don't have a solution for this problem, but I can't find a justification for destroying the credibility of our judicial institution - what good could come of that?

Re:First amendment

Thanks for the link to the legal definition of a computer.

I have a couple of issues with it.

1) By that definition, a test tube is a computer. It is optical, because sometimes the results of an experiment are verified visually. It is a data processing device, because mixing chemicals to find out what happens is a form of processing data. And it performs storage functions because you can store liquids or other substances in it if, for instance, the reaction is expected to take a long time. The "or's" in the definition mean that it doesn't have to satisfy all of the criteria, only some of them.

You could argue that it's not high speed, but the wording of the definition is ambiguous enough that that isn't necessarily a requirement.

2) How similar to a portable hand held calculator does a device need to be in order to be excluded? An HP48 graphing calculator? A PDA with a built-in calculator function? A cell phone? An EEE PC? A laptop?

Re:First amendment

[dshadowwolf]

the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;

With this definition on the books the ruling by the judge shouldn't be swayed by the MBTA argument that the CharlieCard and CharlieTicket are computers. If he was swayed by the claim that the "CharlieCard" and "CharlieTicket" are computers then there are some really good grounds for overturning the ruling. (note that I am assuming that both are nothing more complicated than a form of RFID tag)

Sadly this decision is not a good thing. If it is not struck down it opens the door for companies to quash the open reporting of any security vulnerability. Specifically, in this case, this move makes me think that there are only two motives

1. the MBTA knew of the vulnerabilities that they found before the system was put into place
2. that they don't want the details made public so there is no real reason for them to have to fix it.

If it is the former — and they presented the system as being "unbeatable", "unhackable" or similar — then they could face legal action. (Okay, legal action only if those claims were a big part of the reason the system was granted funding) If it is the latter Well What happens when the vulnerability is discovered by someone else and then published without them having a chance to block that action legally?

Re:First amendment

[dshadowwolf]

Replying to myself to make a correction: My assumptions are apparently faulty, because the information about the vulnerability is already in the wild. This means that they have to fix it anyway — though who knows how many people that received one of those CD's with the data have already used it for less than legal purposes.

In this case the #1 item above comes more into play, though it is still highly unlikely. The likely reason for this was a knee-jerk reaction to the release of the data with the MBTA not realizing that the data about the vulnerability was already released.

One thing that I have not yet heard is whether the researchers had informed the MBTA of this vulnerability before going ahead with the publication of the details. Doing such — and giving the company a chance to fix the hole — is one of the keys of "responsible reporting".

Re:First amendment

[Free+the+Cowards]

And hopefully that means that they will lose the case. (Actually, I'd hope that anyone bringing such a suit would lose, not just governmental entities.) But this is just an injunction. An injunction is temporary, and is only intended to prevent potential damage from being done until the true merits of the case can be assessed. An injunction doesn't require a good case, it just requires a case that has sufficient merit to go to court.

Personally I don't think this injunction should have been granted, but it's not nearly the slam dunk obvious thing that many people here think it is.

Re:First amendment

[memristance]

1) By that definition, a test tube is a computer. It is optical, because sometimes the results of an experiment are verified visually. It is a data processing device, because mixing chemicals to find out what happens is a form of processing data. And it performs storage functions because you can store liquids or other substances in it if, for instance, the reaction is expected to take a long time. The "or's" in the definition mean that it doesn't have to satisfy all of the criteria, only some of them.

You could argue that it's not high speed, but the wording of the definition is ambiguous enough that that isn't necessarily a requirement.

Though I'm guessing you were going for hyperbole here, you're mostly correct.

Re:First amendment

[MDMurphy]

The sad thing is that judges are always supposed to be rational people, or at least hand down rational decisions while on the clock. The judge should have called them on this, but didn't, and issued the order. I at least hope they had to shop around to several judges before they found one their lawyers could snooker.

Re:First amendment

[mishehu]

If you didn't follow through on the injuction, would the judge not find you in contempt and still prevent you from participating in the presentation? I may be wrong, but it sounds like what usually happens when one defies a judge's order.

Re:First amendment

[Opportunist]

What bothers me about this comment isn't that you trivialize terrorism. Yes, it does exist (read on before you mod, please). It doesn't even bother me that it's modded funny.

What bothers me is the "cry wolf" tactics our media and politicians use whenever something happens they don't like. It's because of terrorism that people can't bring their own coke to a plane anymore (it's not that we want airlines to get additional revenue from selling their drinks). P2P fuels terrorism (not that we want to prop up an outdated business model). It's terrorism why we are forced to reliinquish our essential rights (not because our politicians don't want us to say things they don't want the public to know).

"Terrorism" has been abused as the catch all argument whenever something is imposed upon us that goes against the interests of our politicians and their cronies. And people start to see through the thinly veiled egoistic goals, and start to mock it. As you would mock anyone who cries wolf as soon as something happens he doesn't like.

What bothers me most is that when the terrorists strike, we'll get told "see? We told you, it's terrorism!" Instead of them learning that their wolfcrying creates nothing but contempt and ridicule, they will point at us and blame us for not taking it serious, when it has been abused time and again.

Terrorism is a real threat to the US and the "western" world. Abusing it to cry wolf about everything you want to do against your people is not going to make them take it serious. Quite the opposite.

As can be seen in the parent posting.

Daimanta, not trying to belittle you. You're just the one that speaks what everyone was thinking. "Ok, how long 'til they claim terrorism is the reason?" It's not against you, again. It's against those that abuse the terrorist card for everything that goes against their interests.

Re:First amendment

like the judicial branch?

Re:First amendment

[TehZorroness]

We have a couple of options. A: Make the exploit publicly known - ensuring that it will either get fixed, or the company that provided the garbage implementation gets replaced (win, win). B: Let them know secretly, letting them get away with ignorance, doing their job (that they get paid handsomely for) for them. C: keep it a secret. let it be exploited for years.

Re:First amendment

[speedtux]

How can any such order be justified in the light of the first amendment protection of free speech?

There are lots of things you can't disclose publicly without consequences: nuclear launch codes, secret passages into the Pentagon, how to make anthrax, Google's secret sauce, Microsoft Windows Vista source code, etc. The judge may reasonably conclude that this falls into the same category.

Re:First amendment

[mxs]

Maybe im not understand the situation, but if you attempt to release information that can cause harm to a business or person or society. that speech can definitely be limited.

That is a pretty general, and pretty wrong, statement. I can voice my opinion on a business all day long, even if that harms the business. I can voice my opinion on public figures all day long, even if their polling numbers decline as a result.
There are certain limitations, sure, but merely bringing an undesired effect to the affected party is not enough.

Its like calling fire in a building with no fire and someone getting hurt.

No, it's not. These students are not putting people's life in jeopardy.

It seems like in this case, if this information got mass attention there might be some way to construe harm.

There is ALWAYS some way to construe harm. The question is whether it's reasonable.

I mean I can think of allot of ways to fabricate the perception of harm, even though it is unlikely.

And this is the kicker. The MBTA is trying to sweep this under the carpet by claiming outlandish claims of public safety and harm -- when it is plain to see that this presentation poses no such threat.

Im trying to put myself in their shoes, someone or someones do not want to have to deal with this if people start mass circumventing the system...

Too freaking bad, use a more secure system. The undergrads even made suggestions as to how to go about it (which they are not obligated to), and are generally behaving responsibly enough (they are not / were not going to release the checksum algorithm or the keys they found).

money loss, reputations, and the like are surely involved.

And rightly so. You see, it's not the undergrads' fault that the system is shoddy. They did not make it shoddy, they did not do the evaluation before buying it, they were not the implementers, and they do not leave network switches unattended behnind open doors. Somebody else is doing that. The undergrads are just pointing out that somebody else is doing that. If that somebody else loses money, reputation, and the like over this incident, then it is their own fault.

it doesn't matter if it has been done before, this particular event makes stuff like this a hot topic, because people that build or manage insecure systems look really, really stupid to the professional community.

This is no reason, at all, to curtail the freedom of speech of these undergrads. Don't like the criticism ? Don't fuck up like that. If you do, take the criticism.

The whole handling of the matter reeks of incompetence, anyway. Apparently these people never heard of the Streisand-effect (seriously, how many more people now know about these weaknesses, in detail, since the MBTA began to sue ?), have never heard about court documents being on the public record (everything they submit as "evidence" is forever in the public eye), have not even researched whether the materials they are trying to suppress have already been circulated (hint: yes, they have), and likely just encouraged others to re-engineer the reverse-engineering. Those others may not be as responsible as these undergrads and release full details, including encryption keys, checksumming algorithms, ready-made software, etc.

A+.

Re:First amendment

[The+Grim+Reefer2]

It's because of terrorism that people can't bring their own coke to a plane anymore

I'm pretty sure that was illegal prior to 9-11.

Re:First amendment

[NewYorkCountryLawyer]

How can any such order be justified in the light of the first amendment protection of free speech?

Because it is not absolute. It has never been absolute. It is balanced against other interests. A prior restraint of speech is legal if it is a proportionate response to a "clear and present danger". I can assure you that much less threatening 'speech' has been held to represent a "clear and present danger".

Re:First amendment

[beaverbrother]

There is no evidence (at least in the presentation) that they illegally accessed the subway. They just showed an image of some computer showing their updated account balance. They could have just done that and not actually gotten a free ride.

Re:First amendment

That be you and every one else!

Re:First amendment

It used to be "the jews", "the christians", "the barbarians", etc. And now it is "the terrorists". Fantastic propaganda to incite fear and/or loathing in the general public (GP). Something that the GP can remember and repeat without thinking. It's what all great and terrible movements are made.

If it wasn't so sad, it would be entertaining...

Re:First amendment

Terrorism is a real threat to the US and the "western" world.

I was with you until that bit. The damage directly from terrorism is practically nil compared to the damage caused by so many other things in the world today. I would be ecstatic if, say, climate change caused only as much damage as terrorism. I would be overjoyed to see only as many people killed in Iraq as have been killed in terrorism attacks.

Re:First amendment

In Soviet Russia, the government controls the commerce.

Omg, I love your sig.

Re:First amendment

I know what you meant, but I still want to respond to what you said.

I am in the military, and I neither teach people to kill nor know how to kill with any unique expertise. In fact, I am so far removed from the killing process, I would probably be in trouble if someone came at me with a sharp looking spoon.

Re:First amendment

[QuantumG]

That's why slander is a civil matter. You can say whatever you want and there's no law to stop you, but you have to live with the consequences.

Re:First amendment

[omeomi]

If they were to violate the court order preventing them from presenting their findings, the contempt of court charge would pretty clearly be a criminal matter, though.

Re:First amendment

[corsec67]

If you can be successfully sued for something you say in public, then that wouldn't be complete freedom of speech.

What you are saying is like "there is nothing stopping you from speeding, but you might have to pay tickets or lose your license."

Complete freedom of speech would mean that there couldn't be any legal consequences from any kind of speech.

Re:First amendment

[Opportunist]

I know for a fact (because I transported 12 cans of a beverage that's not available locally) that it was even after 9/11 no problem.

Re:First amendment

[Opportunist]

The threat is blown way out of proportion and compared to other threats we don't even think of doing anything against it is barely existant. But it exists. There is a nonzero chance that an attack may occur somewhere in the forseeable future.

That the countermeasures are in no relation to the threat is another matter. But simply saying it's not there (a stance which I actually attribute to the overblown hype that was generated around it) doesn't do it justice either.

It's arguable whether "preparing" for an attack does pay, or whether it would be smarter to continue your life without perpetual fear of something that has a lower chance of striking you than lightning, but saying it does not exist doesn't cut it either. Just saying it ain't there does not make it go away.

Re:First amendment

[Erie+Ed]

I know what you meant, but I still want to respond to what you said.

I am in the military, and I neither teach people to kill nor know how to kill with any unique expertise. In fact, I am so far removed from the killing process, I would probably be in trouble if someone came at me with a sharp looking spoon.

Guess what I'm also in the military and one way or another your actions no matter how small they are contribute to killing. I for example am a communications project manager for the air force. Now for example lets say there's a project for a new communications network for downrange warfighters...guess what that directly leads to troops being more effective in the war. Also even the people who serve you your food directly contribute to supporting the warfighter. So you may want to rethink your logic.

Re:First amendment

[QuantumG]

No...... what I'm saying is that a court should be able to order you to pay damages for slander, but they should not be able to order you to stop slandering someone. If you're happy to keep paying the damages, then you're free to keep saying what you like about the other person. At no point should the government be able to tell you to shut up, but this does not negate the fact that people who suffer damage by your statements can seek compensation for that damage.

Re:First amendment

[corsec67]

At no point should the government be able to tell you to shut up,

Agreed, especially in this case.

but this does not negate the fact that people who suffer damage by your statements can seek compensation for that damage.

I am not saying whether or not slander should be legal, but if you can be held liable for what you say, there isn't complete freedom of speech, and thus the freedom of speech is abridged. If what a person says (speech) could form the basis of a lawsuit, then there are legal penalties involved. It may not be the government getting the money, but it is the court system passing the judgment, and it is supposed to be a penalty, not something like a tax.

Re:First amendment

[QuantumG]

It's neither a penalty nor a tax. It's compensation for damages caused to a fellow citizen.

Re:First amendment

[squizzar]

Whilst I agree with your comments that blaming everything on terrorism is counter productive and see an irony in the use of 'terrorism' to force through laws that seek to reduce our freedoms, I can't agree with the idea that terrorism is a 'real threat to the US and the western world'. I'm not denying that it is possible, or that it is a terrible thing that causes suffering and misery, but it is not a 'real threat' to the western way of life, or any others unless we allow it to be.

Contrast terrorism to any large war in the last few years: Here people were actually occupied, countries invaded, sovereignty taken. How does two buildings getting destroyed compare to nightly bombing raids, napalm, gas raids? Tanks rolling through cities and villages? That is a credible threat to your way of life. That _will_ force a regime on you that you did not choose. That _will_ take your freedoms.

Do you seriously believe that a bunch of guys in a cave somewhere are going to destroy the society you value?

Re:First amendment

[Timosch]

Well, such a thing exists, although not exactly in the government. It is called a court.
However nowadays the courts shrink back from exercising this duty, and that really scares me...

Re:First amendment

[NoobHunter]

I am in complete agreement with you, Opportunist. When September 11 happened, almost 10 years ago now, the entire world (Well....almost) felt ill for the US. We in Canada held memorials and sent some of our finest men and women (police and firecrews) to assist.

Then....with every passing yesr....you could see it happen. Like a lame uncle that knew they could sucker you on the pity of having had a broken leg a few years before. "9-11, 9-11, 9.....11!" And with every time that one day in history was used over and over again to encite pity and assistance, the world grew sicker and sicker of hearing it. The UK hasn't milked that cow (the subway bombings...) and gods know that what's going on in Iraq right now is faaaaaaaaaar beyond what one isolated group of radicals plan for the US.

It's Time to move on. Beating the Dead Horse is not even close to what I would consider an analogy at this point....it's bones have been ground to dust!

Re:First amendment

[eam]

http://action.aclu.org/site/PageServer?pagename=FJ_donationhome

https://secure.eff.org/site/SPageServer?pagename=DON_splash

https://www.naacp.org/contribute/contribute.php ...and just in case those donations aren't enough to protect your rights,

http://membership.nrahq.org/

Re:First amendment

[hey!]

The First Amendment doesn't mean that the government can't regulate speech, particularly the timing and method of speech, but even in some cases the content of the speech. However, such regulations must be narrowly tailored to fulfill a legitimate public purpose, such as national defense.

Addressing the vulnerabilities before they become widely exploited is obviously a legitimate public purpose. A restraining order delaying temporarily the release of the details of the vulnerabilities (not the fact of their existence) while they do this would be narrowly tailored to serve that purpose.

I'm not saying it's right, but you should know what your rights actually are. They don't include the right to say whatever you want, whenever you want, however you want without fear of punishment, and they never have.

The important points to remember are (a) legitimate public purpose and (b) narrow tailoring. The narrow tailoring requirement is probably the tougher of the two requirements to meet. In this case, since the details of the problems are in the wild, in part because of the authority's own actions (although this doesn't really matter), any further restriction doesn't serve the purpose of allowing the authority to respond in a timely fashion.

Re:First amendment

Technically speaking, the US Judicial System is the "Department of Constitutional Rights". You do remember their job in the balance of powers, right? I will admit they don't always do a good job of it (current case is a prime example), but I think that is an issue with two things: 1) judicial positions have been politicized and 2) we are still human.

Re:First amendment

[hey!]

There is a branch of government that is in charge of this. It's called the judicial branch. In fact private civil rights organizations only exist to bring problems the courts' attention.

Now with respect to government being dysfunctional -- it is only so to the degree we tolerate it and even require it to be so.

The reason for bureaucracy and red tape is because we the people insist upon it. In the private sector if I hire my cousin Vinny to do a job, if this gets the job done fast at a reasonable price, my boss is happy. And this is right, because the company probably saves money in the end. In the public sector, my department pays more than the private sector does to get the job done, because of the documentation needed to show that I'm not hiring Vinny because he's my cousin, and that other vendors in Vinny's business got a fair shot at the job. And Vinny has to charge more because he has to prove that he isn't charging Uncle Sam more than private sector customers, although this is usually solved by spinning off groups that only sell to Uncle Sam. Uncle Sam ends up buying from vendors who specialize in meeting his unique contracting process needs.

And most of this is right too. Private enterprise is all about private benefit. People make deals and if the deals are profitable then there are no questions asked. Public enterprise is more ethically complicated. For one thing it is not voluntarily funded. You don't have a personal choice about how much tax and how much public benefit you're going to receive this year. This means things like fairness are a lot more important. And time consuming.

Nonetheless, government can do things effectively, if people care enough about them. It just can't do them without employing more red tape than the private sector would. The US military is a case in point. The US has a military that can kick the crap out of any other military in the world. It's highly effective, but it's not particularly financially efficient or red-tape free. The reason is that we the people care about assuring successful military outcomes. In fact we care enough that we're not exactly sharp consumers when it comes to military systems.

It's not so clear that we care about achieving successful outcomes when it comes to our legal and civil rights.

The main problem with the judicial branch is that it can't initiate anything. You have to have money and time to get it moving on a problem, which means that the courts are only for those who have money and time on their hands: the wealthy and organizations like ACLU.

The Justice Department should safeguard American citizens who don't have the money or power to insist upon their rights as individuals. But if we elect a President who thinks he has the power to detain and torture anybody based on suspicion, and let him appoint SC justices that are deferential to these claims, the JD is not much use. I'd say that this is because we the people don't really care about our rights.

Re:First amendment

[dogeatery]

Yes but this isn't causing a panic, and not a loss of revenue because people aren't going to stop riding the T. By the logic in your second paragraph, we shouldn't report about Wal-Mart shaving employees' hours because it would make them look bad to the professional community?

Re:First amendment

[swilde23]

And if they were to later kill some people we could prosecute them for murder, which is also a criminal matter. Point is... so what? The original court order had nothing to do with what they might do in the future.

Re:First amendment

[omeomi]

Because it constitutes prior restraint, and a lot of people would consider that a violation of the 1st amendment?

Re:First amendment

[tehcyder]

If you're happy to keep paying the damages, then you're free to keep saying what you like about the other person.

Yes it's always the best solution to ensure that the richer and more powerful you are, the more you are allowed to get away with.

Re:First amendment

[tehcyder]

These three hackers should not have appealed this order. They should have ignored it. Defcon should have ignored it. Why obey an order that is going to be struck down anyway? Threat of censure? The court can only censure you if it's oder was legal in the first place.

I don't know if US law is different from the UK, but here it doesn't matter what the final outocme is, if you deliberately break a court's injunction or order, you will quite rightly go to prison.

Re:First amendment

[jc42]

Prior restraint is unconstitutional. This will not survive the appeal.

Um, so what? The court order succeeded; it prevented the MIT guys from giving their talk. If the appeal says the order was unconstitutional, that won't retroactively result in the talk having been given (unless someone has a working time machine that we don't know about). The judge may get a stern talking-to by the appeals court, but there will be no punishment.

As with many such violations of rights, the deed is done and can't be undone. When there is no punishment for the perpetrators (primarily the judge), a later decision that it was wrong doesn't mean much, and does nothing to prevent such court orders in the future.

Of course, the fact that the MIT guys have released all the info and the Tech has published it online does make the court (and the MBTA bureaucrats) seem sorta foolish. It most produced a Streisand Effect, bringing public attention to something that only a few geeks would have noticed (and maybe fixed) if there had been no court order.

Re:First amendment

[jc42]

If more people stood up to, and openly defied the courts, we'd have more people in jail - and a court system with less credibility. If an average citizen can shrug off a court order, what use do are the courts?

Actually, probably not. We've already had a long history of such things, in the US and in many other countries. The results are hard to separate from the noise, but on balance are probably to our benefit.

There's a reasonable argument for the opposite conclusion. The legal term is "judicial review", the principal of law in the US and a few other countries that laws and other government actions can be declared invalid by the courts. In practice, to get a law, court order, or other government action decreed unconstitutional, you have to have "standing" to challenge it in court. The usual way you get such standing is by violating the law or order, and challenging the authorities to punish you. If you don't do this, you usually can't get a court test at all. And historically, judicial reviews have a record of deciding for the victim (probably because nobody presses such a case unless their lawyers say they have good reason to believe they'll succeed).

So openly violating court orders or laws are an important part of our legal system. It's what starts the process of judicial review that gets things declared unconstitutional. If nobody ever challenged laws or government orders, we'd have to obey every law or order, and the Constitution would be an irrelevant historic oddity.

Re:First amendment

[hcmtnbiker]

"You can say whatever you want, as long as nobody is offended" doesn't really work.

You're exactly right, if it was about not offending anyone then it would be worthless. Freedom of speech IS about pissing people off, it protects you from legal retaliation when you offend someone. Slander and and libel(in the US) are only prosecutable if the information was known to them as false but published it anyways, as brought about by the New York Times Co. v. Sullivan case. This is not slander this is not libel, this is simply spreading the truth, and imo since the MBTA must know this, they should be punished as well.

Re:First amendment

[ravenshrike]

Actually, if you found a CD with the MS code you could post it anywhere you wanted. Now, the person who made the CD is going to be in deep shit, but that's another matter entirely.

Re:First amendment

[steelfood]

This is correct. Civil disobedience requires that one follow the laws of the land. Which is to say, if the law demands a certain amount of jail time for a certain infraction, then the person being civil disobedient needs to serve that jail time after commiting the infraction. Otherwise, it's just blatant disregard for the presence of a legal system. And that's effectively anarchy, or the support of anarchy.

The caveat is that civil disobedience doesn't really apply to civil suits and corporations.

Re:First amendment

[Opportunist]

When 9/11 came (the one in 2001, not 1973. That was a Tuesday, too, wonder who gets the reference without having to click), the "western" world was in shock. That was horrible. And everyone was wondering what could be done.

In the meantime, we're sick of it. The "sick uncle" (the analogy works so well it almost hurts) is really going on our nerves, makes the life of every family member miserable since they now suffer from "having to prepare" for the same freak accident that hit him, and some already wish he'd have died in that accident. Some more are pondering whether there's a way to kill him quietly.

Re:First amendment

[nurb432]

Actually, under constitutional law, the preferred situation is to let the speech happen and hash out any legal issues later. The term for preventing a publication is "prior restraint", and it's very much frowned upon compared to going to court over speech that's already been published

Isnt that what i was saying? Just in simpler terms for the crowd around here.

Re:First amendment

[sm62704]

The reason for bureaucracy and red tape is because we the people insist upon it.

And we insist on it because people try (and very often succeed) to game the system. The rules and regulations and red tape are there to try (often unsucessfuly) to keep people from getting what they're not entitled to get.

Nobody wants to see a woman get out of a new Escalade and buy food with food stamps. When you see this happen, you can be pretty sure that it isn't her Escalade; it's her neighbor's, or her friend's, or her dad's, or her pimp's.

Or it's her Escalade but not her Link card; "her" link card and its PIN number was sold to her by a drug user for half its value, and she's probably the Link card owner's drug dealer.

THIS is why we have bureaucracy and red tape.

It's even worse when you have rich people and corporations in the mix; they're far better at gaming the system than poor or middle class people.

Re:First amendment

[sm62704]

I agree with the gist of your post, however we need to put it into perspective.

Terrorism is a real threat to the US and the "western" world.

There were fewer than 3,000 people killed by terrorists on American soil this century. Far more Americans were killed in combat in the Iraq war. In 2005 alone 4082 people were murdered by friends or acquaintences.

In 2003 42,643 people were killed in auto accidents.

Half a million Americans die of cancer every year, another half million die of heart disease. Personally, I'd like to see some of the "homeland security" money going to guard rails and cancer research (I'll probably be killed by the terrorists who own the tobacco companies; even though I gave up tobacco over eight years ago, I smoked cigarettes for thirty years and will likely die of lung cancer).

In Grandpa's day it was "we have nothing to fear but fear itself". Today it's OMG!!1! TEH TERRORISTS!!! WE MUST GIVE UP OUR RIGHTS!!!

Re:First amendment

[BitterOak]

If only there were some branch of the government whose job it was to ensure that people's constitutional rights were protected!

We have such a thing in Canada. It's called the Human Rights Commission. They protect people's constitutional rights largely by fining people for speech they deem offensive to others. You should be glad you have no such thing in America!

Re:First amendment

[hey!]

The important thing to remember, though, is that absolutely preventing people from gaming the system is financially inefficient.

In business, for example, it's all about making your net numbers. There is some attempt to contain agency costs, but like everything else business does, there is a diminishing return on a rising investment. A business will spend a dollar to save a dollar of fraudulent losses, but it won't spend more than a dollar. Government will readily spend two dollars to save a dollar.

Re:First amendment

I was bringing pop or coffee onboard planes all the time before that (here in Canada) in plain sight. Even after the WTC we were allowed to do that. They made me take a drink at the security check though to prove it wasn't poison or something.

It was the British liquids thing that caused all this pop hysteria.

Re:First amendment

[sm62704]

Not just financially inefficient but impossible. The system will be gamed; how badly is the question.

Responsibility?

[XanC]

It seems that the people who are bringing flaws to light are cast as the villains, while nobody even considers blaming or even questioning the people who selected a poorly-implemented system to run an entire city's public transit.

Re:Responsibility?

[ckthorp]

Or, even more importantly, nobody considers blaming the vendor who sold the faulty system to the city.

Re:Responsibility?

[MistaE]

So a poorly implemented system justifies individuals giving a presentation to everyone else on how to fuck with the system?

I'm all for free speech, but it seems like there are quite a few other alternatives other than basically making public the flaws in a massive public transportation system. If they really care about security, they should take measures to improve the security with the appropriate authorities.

Now, of course, if they've already tried this and they ignored these students, then I would argue this is the next step to grab their attention, but still.

Re:Responsibility?

[im_thatoneguy]

It could be argued that as long as nobody knows about the flaws then the system wasn't poorly implemented. Most street hooligans aren't MIT trained computer scientists.

If nobody knows where a door is the lock on it doesn't matter.

Re:Responsibility?

[Adambomb]

If nobody knows where a door is the lock on it doesn't matter.

yes, maybe 99 times out of 100.

And then theres the other 1, like say when an idiot files more vulnerabilities in their court briefs which are public record than the original presentation was going to uncover.

Security through obscurity only works probabilistically, and given a long enough time frame it will always hit the P=1 where someone will have breached it and disseminated the information. This is exactly why security through obscurity is completely retarded when it involves systems intended to operate in any form of long term.

Re:Responsibility?

[Adambomb]

I would agree with you, had the MBTA actually taken the initiative to work on solving these issues. Instead their rep stated that if its not known, its not a problem.

Then they go and release more sensitive details in their court documents which are public record than the original presentation was to discuss.

Had the MBTA stated that "they are currently working on resolving the issues, and would want the talk delayed until they are solved" then you would be exactly correct that the presentation should wait. In the end, this is more about pointing out that the MBTA bureaucracy is being incredibly stupid as well as dangerous in their processes.

Re:Responsibility?

[NFN_NLN]

Most street hooligans aren't MIT trained computer scientists./quote>

I blame the American education system. In India street hooligans must have at least a masters degree while ruffians and ne'er-do-wells have doctorates.

Re:Responsibility?

[jd]

I wouldn't agree to it being right to present how to break the system (except under special circumstances such as those you outlined), but I think it could be rather fun to make it illegal for either a government body or quango to set up or maintain a system in such a state that it poses undue burden on users, taxpayers, security, etc. Illegal as in prison illegal, not slap-on-the-wrist-see-you-at-golf-tomorrow illegal.

Governments are like all other organizations in that they will do the least possible to survive at a level comfortable to them. In the case of a democracy, this means buying off the other branches of government and the media. (This differs from a theocracy, where instead they buy off the media and the other branches of government. Dictatorships, on the other hand, only need to buy off CowboyNeil.)

The sovereign immunity enjoyed by the Government in America is probably one of the largest factors behind its corruption. I can understand the need to not have distractions, though I suspect Olmert can understand it better, but there are other ways of achieving that goal that still provide adequate accountability. The ballot box doesn't provide accountability for wrongdoing, it only provides accountability for unpopular doings, right or wrong, and frankly I doubt enough people care about mass transit computer systems to make gross negligence punishable via an election, regardless of any potential consequences. (Joe Bubba is very unlikely to think too far ahead, and there are simply more Joe Bubba voters in America than any other single group.)

Re:Responsibility?

I don't agree.

It is not their job to coordinate with the authorities and doing so without first going public might cause them problems with those authorities. Who gets to the press first matters here. If the first thing the press hears is that these guys were hacking the subway system, the authorities hold all the cards. The system may or may not get fixed and their message will almost certainly never be heard.

Secondly, they are not responsible for the behaviors of others. Someone said something about yelling "fire" in a theater, but the analogy is inapt. In this case there actually is a fire in the theater, and they are just pointing it out. They are not responsible if people trample each other trying to escape a real fire.

Re:Responsibility?

[FatdogHaiku]

...Then they go and release more sensitive details in their court documents which are public record than the original presentation was to discuss.

It's not often you get to see someone step on their own pecker with both feet, while advertising the fact.

Re:Responsibility?

[cdrguru]

I would argue that it is the responsibility of the public to specifically not screw around with the system and that any security in place over the top of a fare collection system is there by accident. In other words, it should be treated as an "honor system" and what you are perceiving as "security" is merely validation to prevent errors.

I suppose you could then argue that disclosing the nature of these validations is meaningless in and of itself. However, doing so in a forum of the nature where it was to be presented clearly is offering it to individuals with the capabilities to take unfair advantage.

If I lived in Boston, or any other area where these sorts of disclosures have been made, I would object strenously to the transit authority making any changes whatsoever to "improve security". It wasn't intended to be secure from the beginning. However, I'd certainly agree with increasing penalties for anyone caught screwing the system to the point where nobody would ever want to be caught.

This is like turnstyle jumping in some ways, only it enables large numbers of people to do so without being observed by station attendents. I guess to some folks with a "grab all you can" mindset this sort of thing just begs to be exploited. Sadly, what it really means is everyone else suffers for the misdeeds of the exploiter.

Re:Responsibility?

[repvik]

In the case of a democracy, this means buying off the other branches of government and the media. (This differs from a theocracy, where instead they buy off the media and the other branches of government.

Huh?

Re:Responsibility?

[cdrguru]

Why the heck should they spend time and money on a working system? If nobody uses this information, the system works fine and it is not a problem. If they spend a huge amount of money "solving" this non-existent problem, who does that benefit?

The solution is to make sure the system is not exploited in this manner, not to make sure that it cannot be.

Re:Responsibility?

[d34thm0nk3y]

Most street hooligans aren't MIT trained computer scientists

Tell that to MC Hawking.

Re:Responsibility?

[Adambomb]

If they're complaining about the vulnerabilities, then it would benefit them to make sure they are removed from the system so that those exploiting it are no longer impacting their bottom line. By leaving the flaws and saying "because no one talks about it, no one knows about it" they have absolutely NO WAY of verifying how many unauthorized passengers their system is carrying and how much revenue they might be missing out on.

The solution is to have a solution, say "well because the court order says they cant tell people, no one will know!" and all you have your head in the sand.

Re:Responsibility?

[Adambomb]

Gah, yes theres a missing "is" in there. Where I leave to you.

preempt! preempt! preempt!

Re:Responsibility?

[adamchou]

clearly you didn't read the court order that was submitted by the MBTA. It says that they evaluated it and said they found nothing new in there. What was submitted to them was an old hack that they were already aware of and had already implemented additional security measure to fix. This further led them to believe that there was additional information that was being withheld from them, especially since the MIT students legal counsel advised them to not give additional information to the MBTA. They never gave the MBTA a chance to fix anything.

I'm all for free speech, but when you use it irresponsibly as these kids appear to be doing, I think you should suffer the consequences. What if this is used by some terrorist organization to mount an attack? Will everyone here defending free speech really still advocate the right for these students to disclose this information?

Re:Responsibility?

[Adambomb]

In addition, what looked like a black-and-white faxed copy of the entire presentation was entered as evidence in publicly available court records available on the Web on Saturday, meaning any attempt to limit its distribution further will encounter an additional hurdle.

You were saying?

Re:Responsibility?

[Dhalka226]

Hypothetically, let's assume they are working on making fixes and want this talk enjoined until they're implemented. And that it would take several years. Reasonable?

This is a public transit card we're talking about. On top of being government contractors who would be designing new systems at ridiculous cost, there is a ton of equipment that would need to be re-programmed or replaced, as well as a massive outreach program that would have to be mounted in order to let citizens know that their transit cards are about to stop working if they don't get a new one. Assuming it would cost millions would be an underestimate, I'd think. And the fix would probably be on the order of months or years.

I simply don't see "we were idiots" as a justifiable reason to delay exposing somebody's idiocy for that long involuntarily.

Re:Responsibility?

[Adambomb]

You just combined a whole set of hairy issues that have nothing to do with the MIT talk. If government contractors design systems at ridiculous cost, thats a separate problem that i wish would be addressed ever. If theres a ton of equipment thats a bitch to patch, thats the original developers problem as they should not have sold it with the flaws in the first place, or at least started working on FIXING it as soon as all this came to light.

If they were willing to have MIT POSTPONE this talk for a reasonable amount of time instead of the aggression they encountered, i would be more sympathetic. From the sounds of their representative in the previous article their intent is to NOT bother fixing anything (IE: not until they make a brand new system).

There's a big difference between saying "we know its broken but refuse to fix it" as opposed to "Give us a chance. You know what its like dealing with government crap, but we'll get to it". Personally i applaud MIT for making the public aware that the paying customers may be subsidizing those who are riding for free on a known flaw. If the cost of the system is proportioned to volume in terms of pricing it will raise prices artificially for those who ARE legit to make up for those who aren't.

This is what they don't want their customers thinking about as its definitely FAR less overhead for them to simply increase the standard fares to make up for the costs of the system until those paying balance it out than to try to fix the system.

Basically, its like people who do friggan nothing at work getting the same wage because you get dumped with all their slackage. One group gets the value, but an entirely different group gets the cost.

Re:Responsibility?

[mishehu]

s/villians/criminals. There, i fixed that for you. If you embarrass somebody re a computer or computer program, they try to get you put in jail...

Re:Responsibility?

[SimonBelmont]

Except that the attackers also chose not to disclose the vulnerability to the MTBA before giving the talk, and even refused to disclose their materials when the MTBA found out about the talk anyway.

And that there was apparently significant social engineering involved. Security should be robust when its implementation is widely known, but certain things like private keys have to remain secret. If I just con someone out of their sensitive information, it doesn't really mean a system that uses it is flawed.

And then, I'm not really sure why they went after this system in the first place. It's not a system whose flaws could endanger the public (as opposed to banking or military systems, for example). If it was a regular paper ticket system, we would just call someone who forges tickets a criminal, and a rather petty one at that. So we have a group of people who used dubious methods to break into a system, who in doing so could not have helped anyone other than the owners of the system, and who chose not to disclose to them. Not exactly whitehat. I don't see any problem with calling these people criminals.

Re:Responsibility?

[adamchou]

Again, if you RTFA, the MTBA attempted to get all the documents from them on August 8th, one day before this was made available. Besides that, if you actually RTFA, the way the students worded their email, it seemed as if though they had additional information that they weren't disclosing. I really don't feel like typing everything out, but if you RTFA, you'll see why the MTBA came to that conclusion and if I were in that guys position, I would have came to the same conclusion. I don't know about the whole FBI thing, but its hard not to freak out when there is the possibility that a bunch of undergrad students have knowledge of a potential security hole that they won't disclose to you that could cause the MTBA to be defrauded and even possibly threaten public safety.

Re:Responsibility?

This system moves real money around. It absolutely has to be secure.

Re:Responsibility?

[Software]

What if this is used by some terrorist organization to mount an attack?

What kind of terrorist organization is that - one that can't afford to buy its own fare cards? That's the only kind of group which would be affected by the ruling. You can buy a fare card for cash in every bus/train/subway system that I've been on, including the T.

Re:Responsibility?

[adamchou]

Well besides evading paying the fare, if what they had previously not disclosed could have been used to forge identities of people, then who knows what those terrorist masterminds could have come up with? I'm not one to think of devious things like that.

Re:Responsibility?

[zippthorne]

If you were physically capable of doing that, I doubt you'd have any particular inclination to keep it a secret.

Re:Responsibility?

[KenSeymour]

It seems that the people who are bringing flaws to light are cast as the villains, while nobody even considers blaming or even questioning the people who selected a poorly-implemented system to run an entire city's public transit.

I love how so many people act as though the ticket vending machines are equivalent to "the entire city's public transit." Having the TVMs hackable until they patch the code will only impact revenue slightly. Note you can accomplish the same thing by jumping over the turnstyles.
In the San Francisco Bay Area, they give everybody free rides when the air quality gets too bad.

There are not that many vendors of TVMs and each transit system has custom requirements.

Security researchers are in a catch 22. If they don't publish vulnerabilities publicly, they
never get fixed. If they do, they never get thanked. It goes with the territory.
You will only get the admiration of your fellow geeks, not the population as a whole.

Re:Responsibility?

[steelfood]

Not if you had really stubby feet.

Re:Responsibility?

[sm62704]

If my legs were only six inches long I'd feel real bad about the fact ;)

But a Mojo Nixon song comes to mind: "I need a woman that's six feet ten, she's gotta be that tall so's I can get it all in"

Re:Responsibility?

[tkrotchko]

I don't understand your comment. You don't need to prove your identity to ride the subway. All mass transit in the world works the same way. You get on anonymously, you get off at your stop. If you were concerned about their ability to track you (presumably as a terrorist would be), then you would pay cash.

Isn't the hack old news?

Isn't this the same hack which was described in detail in c't #8/2008? Mifare classic, uses Crypto1, a flawed pseudo random number generator and salts which only depend on the power on time, which is under the control of the attacker. Flaws were discovered by slicing the chip and inspecting the layers with a microscope.

Re:Isn't the hack old news?

[blueg3]

That's the RFID vulnerability. They also disclose a magnetic stripe card vulnerability and various physical vulnerabilities.

Remove that link at once!

[Random+BedHead+Ed]

I say, this is intolerable! You Slashdottian ragamuffins should remove the hyperlink to that MIT-hosted court document post haste, or I shall be forced to request that these truckless tubes be cleansed of it ... in court! (There, that will put a decisive end to their meddling.)

Re:Remove that link at once!

[Random+BedHead+Ed]

Bat's breath! I forgot to include this in my backwards, Victorian-eque Interweb rant: get off my lawn!

Them again?

Why is it that every time I read about the EFF or Lesig I hear about how they are going down in flames in once case or another? Are we taking about the Washington generals here? Whats it going to take for them to actually win something for a change.

Re:Them again?

[Random+BedHead+Ed]

Why is it that every time I read about the EFF or Lesig I hear about how they are going down in flames in once case or another? Are we taking about the Washington generals here? Whats it going to take for them to actually win something for a change.

http://www.eff.org/victories

Re:Them again?

[nomadic]

http://www.eff.org/victories

Too bad they don't list their defeats; they've lost a lot of cases. And a lot of the cases on their victories page appear to be ones where they didn't actually represent the winning side, but merely filed amicus curiae briefs. Which sometimes help, but sometimes have no effect.

Re:Them again?

Care to point to a recent news story where this is the case? Or are you just repeating the same (inaccurate) troll story from the Register a few years back that keeps on being repeated, even though it's been repeatedly debunked as including cases they weren't involved with, cases that they actually won, and cases they later won on appeal?

This reminds me of...

[Paul+Pierce]

The two students at Georgia Tech that hacked the campus Blackboard swipe system (http://www.theregister.co.uk/2003/07/15/student_hackers_we_didnt_defeat/).The general idea was that it didn't matter how secure the encryption-system was, if the physical system was easy to get to. You don't have to figure out what information is being sent to the machine, all they had to do was 'capture' a 'yes-there-is-enough-money-on-the-card' response, then duplicate. Hey free snacks!!

You know what would rock, an infinite gift card to Wendy's.

Re:This reminds me of...

[davec727]

I actually had a potentially infinite Hardee's gift card for a while. I put $20 on it, and I would estimate I got around $60 worth of food out of it, because the vast majority of the drive-thru monkeys at this particular Hardee's unintentionally (I assume) rang up the purchase as "gift" instead of "gift card.

I also effectively had an infinite gift card to Taco Bell, while I was working there. However, be careful what you wish for; infinite fast food has hefty consequences.

Link to DefCon presentation

[AgentPhunk]

MIT's student newspaper "The Tech" includes the full DefCon presentation on their site:
http://www-tech.mit.edu/V128/N30/subway/

Direct link to the presentation PDF:
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

Re:Link to DefCon presentation

[Amamdouh]

Aren't you breaking the law by doing so?

Re:Link to DefCon presentation

[mikesd81]

They were told not to actually give the presentation @ DefCon. Not that they couldn't post anything about it.

Not that impressive

[langelgjm]

At least from what's in the linked PDF, the undergrads' work is not all that impressive. They look at both the CharlieTicket (magstripe) and the CharlieCard (RFID).

Hacking the CharlieTicket sounds fairly trivial. Magstripe cards are extremely easy to read and write to, and documentation on how to do this with homemade equipment is all over the Internet. The undergrads' work essentially consists of figuring out how the 6-bit checksum is being calculated (though it's not disclosed in the linked documents). This is probably the most difficult thing that they did.

Hacking the CharlieCard, which is a MiFare Classic, is more involved, but the undergrads used a previously known attack, simply duplicating it. (Some might call that the behavior of a "script kiddie"?) There's hardly anything novel about this.

Re:Not that impressive

[Gat0r30y]

There's hardly anything novel about this.

If true, one would think the MBTA would have little to back up an injunction.

Re:Not that impressive

[langelgjm]

If true, one would think the MBTA would have little to back up an injunction.

I'd tend to agree. Though MBTA's argument is that the undergrads aren't disclosing everything, so MBTA can't assess the true threat to their systems, thus why they sought the injunction.

I'm kind of surprised the undergrads have not disclosed everything to the MBTA. Why wouldn't they? If they are truly interested in improving MBTA's security, they ought to.

On the other hand, they might be reluctant to do so because of the risk of legal action. I don't have a Charlie Card on me (haven't been in Boston recently), but a lot of similar cards have statements saying they are the property of whoever issues them, and that tampering with them is illegal.

Re:Not that impressive

[Lunatrik]

Grabbed a charlieticket I had laying around, all it says is:

Subject to applicable tariff regulations and conditions of use. Ticket may be confiscated for misuse. Not replaceable if lost or stolen. Non-refundable.

Wonder what the "terms of use" are, and where one would ever, ever find them?

Re:Not that impressive

[_xeno_]

The CharlieCard (other poster is talking about the paper mag-stripe CharlieTicket) says on the back, and I'll quote:

• DO NOT PUNCH HOLES IN THIS CARD.
• Subject to applicable tariff regulations and conditions of use.
• May be confiscated for misuse.

Schedule & Fare Information: 617-222-3200 www.mbta.com ©MBTA

And that's it. Nothing about them owning the card, although that very vague "subject to ... conditions of use" does seem to imply that they think they do. (What are the "conditions of use?" Who knows!)

But whatever you do, do not punch holes in this card. To understand why, you can read this presentation by MIT students that shows what the inside of the card looks like...

Re:Not that impressive

[Illserve]

I'm not impressed either. Regardless of whether or not they are legally allowed to publish this kind of information, they're assholes to do so.

It seems like a desperate attempt to grab as much attention as possible.

And taking pictures through open doors? Finding open locks? Buying stuff on Ebay? Meh. They didn't DO anything with it all.

And the war cart was the least impressive part of it all.

Life imitating art.

[fredklein]

Which is from Cory Doctorow's "Little Bother", and which from the court documents in this case?

"Just flash the firmware on a ten-dollar Radio Shack reader/writer and you're done. What we do is go around and randomly swap the tags on people, overwriting their Fast Passes and FasTraks with other people's codes. That'll make everyone skew all weird and screwy, and make everyone look guilty. Then: total gridlock."

vs.:

"An attacker uses RFID equipment purchased online to sniff communications between a legitimate CharlieCard and a turnstile. He takes the data back home and executes one of several attacks that exploit the weak Crypto-1 cipher to recover a key. Armed with this key, a high-gain antenna, and RFID equipment, he walks down a crowded street in boston remotely copying the CharlieCards in people's pockets."

Please, check out 'Little Brother'. FREE for download at http://craphound.com/littlebrother/download/ , or available at fine bookstores everywhere.

Re:Life imitating art.

First of all the two situations are very different in pretty much all aspects except that they both involve remote access to transit token in public. Second of all, life does not imitate art when the art was written probably a decade (2008) or more after such attacks were talked about. Hell anyone with a dozen brain cells and a couple hours to think can come up with these ideas and they have a long time ago. Reading data remotely is pretty much the main concern about all these systems and has been for quite some time. Writing remotely is pretty much infeasible unless you go to extreme length (ie: rfid won't flash wirelessly asfaik).

Re:Life imitating art.

[fredklein]

the two situations are very different in pretty much all aspects except that they both involve remote access to transit token in public

So, they're different, except where they're the same? Brilliant insight.

rfid won't flash wirelessly

Depends on the type. And, even in the case where it's not, it's perfectly possible to READ the RFID, and have a box that 'repeats' that RFID upon demand. Maybe I can't 'swap' your RFID, but I can clone it and use it.

ANYWAY, you obviously missed my point.

Exhibit A

[Thomas+Charron]

The guy who put the report in Exhibit A, along with his email address, it could be added, really, REALLY underestimated the issue I think. Did he really think the public court records wouldn't get out?

    Exhibit A will, I suspect, lead to many, MANY more compromises now then would have happened had they given their presentation.

    What HE released had the specific vulnerabilities they found. He didn't want that data out, and then published it himself!

Re:Exhibit A

[corsec67]

Is it the Streisand effect when the people trying to conceal the information personally publish it in a way that gets more publicity?

The lawsuit itself would probably lead to a Streisand effect on its own, though.

Re:Exhibit A

[langelgjm]

Exhibit A will, I suspect, lead to many, MANY more compromises now then would have happened had they given their presentation.

You really think so? (Also, I assume you're talking about "Exhibit 1", not "A"). But really, there's nothing that exciting in those few pages. They say they know the algorithm for calculating the checksum on the Charlie Tickets, but they don't disclose it. Then, they discuss a previously known flaw in MiFare Classic.

I'd say anyone intelligent enough to use the information in that document would have been intelligent enough to find it elsewhere.

How?

[DesScorp]

How can any such order be justified in the light of the first amendment protection of free speech?

Because all speech isn't protected. The First Ammendment isn't a blanket guarantee to say or do anything. There are limits on speech, and always have been, from the time the Constitution was ratified to today.

You can argue on technical grounds that "security by obscurity" is a stupid idea, but I think the EFF lost here for a reason... we've always balanced speech that can have a direct impact on public safety against the relative risks of that speech. You can't email classified blueprints of an AEGIS radar system to Vladimir Putin, for instance, or a list of undercover NYPD officers to some guy named Sal in Sicily, and then claim free speech protection. If you don't want to get in legal trouble, you go to court and get such things made de-classified or stripped of confidential status first, then you can reveal whatever you like. The students first step should have been getting a court order to strip protection from the MBTA information, because MBTA actually has some legal precedent on their side here.

The students may even be in the right here, but they were pleading their case in a way that almost assured their defeat in court. And in this case, EFF was thinking like hackers, not lawyers.

Re:How?

Because all speech isn't protected.

Completely irrelevant.

The First Ammendment isn't a blanket guarantee to say or do anything.

No, but it is a blanket guarantee to say anything that is true, and that's what's so appalling here.

What's even more appalling is that there are idiots like you who think it's perfectly reasonable to prevent people from telling the truth, simply because it might hurt some corporations's bottom line.

Re:How?

[PlusFiveTroll]

If you don't want to get in legal trouble, you go to court and get such things made de-classified or stripped of confidential status first, then you can reveal whatever you like. The students first step should have been getting a court order to strip protection from the MBTA information, because MBTA actually has some legal precedent on their side here.

Really, instead of going thru all that bullshit, the students should have released all the information first (before the court order). Two times this has happened at DEFCON, and it's easy to do because the offense knows what date you're going to speak and can put a stop to it right before it happens. Not enough time to defend yourself and get the motion dropped. Drop the whitepaper (blackpaper?) on the net a week before the talk, and let them close the barndoors after the horse is already gone.

Re:How?

[blueg3]

You mean like the presentation that's on the DEFCON CDs?

Re:How?

[PlusFiveTroll]

From my understanding that was only partial and is missing some key details.

Re:How?

[blueg3]

For the magstripe cards, I think all they're missing is how to compute the checksum.

Re:How?

[cayenne8]

"You can argue on technical grounds that "security by obscurity" is a stupid idea, but I think the EFF lost here for a reason... we've always balanced speech that can have a direct impact on public safety against the relative risks of that speech. You can't email classified blueprints of an AEGIS radar system to Vladimir Putin, for instance, or a list of undercover NYPD officers to some guy named Sal in Sicily, and then claim free speech protection."

Well, the classified information is one of the few examples that does hold up...there are specific laws against that...but, the undercover cop thing? You can do it...in fact there have been websites put up naming cops and giving other more detailed info on them. Nothing can be done about that..

Look at it this way...most all information, is protected. It is acting upon the info that is illegal.

There are plenty of websites and books published showing you in great detail how to make bombs, drugs, silenced weapons, and even how to assasinate someone...and that is perfectly legal in the US. This was discussed in the last story about this....

So, just printing how to hack this system, is just as legal as how to crack into a diebold voting machine, which you've seen out there. I think this ruling will be overturned pretty quick.

Besides...it isn't like this situation posed a danger to anything other than the pocketbooks of the system being discussed.

Re:How?

[NewYorkCountryLawyer]

it isn't like this situation posed a danger to anything other than the pocketbooks of the system being discussed

Well if the system that provides for public safety has its money ripped off, that would definitely endanger public safety.

Re:How?

and I'll give you 64 guesses how...

Re:How?

Well if the system that provides for public safety has its money ripped off, that would definitely endanger public safety.

Hum? It doesn't, unless you're lysdexic. The system provides for public *transportation*, not public safety. Actually, the latter is completely out-of-scope, unless you're a terrorism-mongering republicrat.

Re:How?

[genner]

You can't email classified blueprints of an AEGIS radar system to Vladimir Putin

Actually you can as long as you didn't sign a non disclosure agreement.I'm sure everyone who has access to those blueprints has but the point is there isn't a law on the books to handle this.

Re:How?

[idontgno]

No, but it is a blanket guarantee to say anything that is true, and that's what's so appalling here.

Not so much. There are a couple of areas in which prior restraint has been held by the Supreme Court as acceptable.

From the Massachusetts Bar Association page on Prior Restraint:

Riqht to a fair trial -- One area where a prior restraint on pure speech may be permissible is where the unfettered exercise of First Amendment protection of speech and the press threaten the right of the criminally accused to a fair trial as guaranteed by the Sixth Amendment. Gag orders imposed on trial participants are favored over restraints imposed on the press itself, but the Supreme Court has not foreclosed the possibility of such restraints.

National security -- A second basis for imposing a prior restraint on news which the courts recognize at least theoretically is national security. The famous "Pentagon Papers" case, New York Times Co. v. United States, demonstrates that the court has been similarly resistant to government efforts to censor speech allegedly jeopardizing national or military security interests. In that case, the court refused to enjoin The New York Times and The Washington Post from publishing the Pentagon Papers, notwithstanding that the papers contained classified information and that the Times' source had obtained them illegally and notwithstanding the government's vigorous contention that publication would gravely and irreparably jeopardize national security.

However, as these quotes indicate, even these explicit "enablers" of prior restraint are loaded with conditions and should be considered last resorts:

Regarding pre-trial publicity:

In Nebraska Press Assn. v. Stuart, Chief Justice Warren Burger articulated criteria for imposition of a ban on pre-trial publicity: the court must find that the nature and extent of pre-trial publicity would impair the defendant's right to a fair trial, that there are no alternative measures which could mitigate the effects of pre-trial publicity and that a prior restraint on publication would effectively prevent the threatened danger to the defendant's right to a fair trial.

Notwithstanding the theoretical possibility that a situation may someday call for a prior restraint to prevent pre-trial prejudice to a criminal defendant, most courts and commentators have interpreted Nebraska Press as virtually barring gag orders on the press not to report on criminal trials.

Regarding national security:

The court ruled that the government had failed to carry its "heavy burden of showing justification for the imposition of such a restraint." A majority of the court agreed that release of the paper harmful to the nation and suggested that prosecution for espionage might be warranted. Justice Stewart stated in that case that no prior restraint may be ordered unless it is proven that publication "will surely result in direct, immediate and irreparable damage to our nation or its people."

Sadly, neither condition seems to apply in the case being discussed now. And that's what's truly appalling.

Has Boston's water supply been hacked?

Given the number of security idiocies committed publicly by the Boston authorities, I hope somebody is checking the water supplies in city buildings for some additive that induces mass stupidity.

Re:Has Boston's water supply been hacked?

[Sun.Jedi]

You might be onto something here...

Us folks who live and work in and around Boston have long been aware that MBTA really stands for "Most Broken Trains Anywhere"... News that there is yet another problem with with the subway, and a dipshit official response is hardly noteworthy.

For reference; The Big Dig is an ongoing disaster. (any of the top 50 hits there is relevant)

What do you expect with this illiterate idiot^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H Honorable Mayor in charge of the City?

Let's not forget, that Massachusetts lemmings voted for Free 'em All Deval and continue to vote for this upstanding citizen.

It must be something in the the water.

----
Is it sarcasm if it's true?

Re:Has Boston's water supply been hacked?

[Sax+Maniac]

Yikes, if people drank from the Charles they would have a lot more problems than just the occasion stupid government mishap! You get water out of the Quabbin and Wachusset reservoirs, which are fed to Boston via a Big Freakin' Aqueduct (TM).

Six-bit checksum, huh. Brilliant.

Shouldn't the 'project manager' guy be like curling up in a shame-ball under his desk instead of pestering these kids?

Moot now

Watch, the appeals court won't overrule it - they'll decline to decide the matter because now it's moot.

the public

[Phantom+of+the+Opera]

"Hi, I'm the public. Do I have a right to know about these flaws?"

"No"

Not Exactly Accurate Summary (warning, legalese)

[Wrath0fb0b]

The court issued a 'temporary restraining order', which is legal-jargon for "don't do anything until we can get a decent hearing". It does not mean that the court has accepted the MBTA's position or even jurisdiction over the case. It is merely a tool* to ensure that neither party can unilaterally change the status-quo just because the courts do not operate 24/7 and are sort of slow (making sure everyone has a chance to speak generally doesn't allow for fast decision making). Rarely does a TRO last more than a week until a preliminary hearing can be held.

IMO, therefore, even if the MBTA has no case whatsoever (almost certainly true) they are entitled to a TRO for a few days until the court can read (and almost certainly deny) their application for a permanent injunction. I don't see any major damage from having a presentation delayed for all of 72 hours either (note, if we were talking permanent injunction, it would be totally bogus -- that's a different matter entirely).

* Yes, I'm aware the information was already published on the internet and that it cannot effectively be "recalled". That is not the point -- the MBTA, as any other litigant, has the right to have a court hear their case -- even if they really don't have one.

Mile high fence

[someara]

I'm surprised they didn't mention the fact that anyone can "hack" their way into the MBTA subways by simply sticking their arm between the doors and activating the "exit" side censors.

Vague titles for security talks

[Deagol]

There have been a number of presentations lately that have been silenced by private companies before a conference, either by injunction or under the table (I'm thinking of Apple here). How long before we see conference talks being titled as clearly as most software patents? "Some Group Discusses Some Weakness In Some Company's Software" Tuesday at Defcon. If this gets out of hand, I wouldn't be too surprised if we start seeing some subtle obfuscation of what the true nature of some talks are about.

Five Dollar Foot Longs

I just hope the courts don't take away that excellent Five Dollar Foot Long deal.

This case presents an example of pure censorship.

[MarkvW]

The Transit Authority's position seems to boil down to this quote from their expert:

"In these circumstances, without solid assurance that the MIT Undergrads' activities do not pose an immediate threat to the Fare Media System's integrity and security, the required course in my opinion is to conclude that the activities do pose an immediate threat, and to act, as the MBTA is, to mitigate that threat through direct Court intervention."

The Transit Authority's position seems to be this: We think that we're secure, but we are not absolutely sure that we're secure. These people say that we are not secure. We asked them to tell us how we're not secure. They wouldn't tell us. We don't know if they're for real or not, so we need a judge to make them stop because they might be for real.

If I've got it right, this is pretty far out. The transit authority cannot even establish a factual predicate sufficient to show that the presenters have knowledge that would or could damage the transit authority. This would seem to present a really big causal gap in their case.

The trial judge must have had a brain-lapse. This case is about hard-core censorship. The presenters can only defend themselves if they come out with their information before the censor (i.e., the tribunal). This shouldn't have to be their burden. The plaintiffs should have to prove that the presenters have something really bad and dangerous.

The temporary injunction in this case is offensive in this case because it appears to be based only on this set of facts: Four dudes are going to talk in some unknown way about Transit Authority security.

If I develop a method sufficient to allow me unilateral control of the entire US nuclear missile arsenal (or the Transit Authority's bank accounts), I would surely hope that some federal judge would slap a prior restraint on me to keep me from blabbing it to the world.

Re:Not Exactly Accurate Summary (warning, legalese

[Chirs]

If the presentation is delayed long enough that it cannot be held during a security conference, the damage could be quite major.

Re:This case presents an example of pure censorshi

[nomadic]

If I've got it right, this is pretty far out. The transit authority cannot even establish a factual predicate sufficient to show that the presenters have knowledge that would or could damage the transit authority. This would seem to present a really big causal gap in their case.

"We're going to give a presentation on how to crack the MBTA passes" seems like a pretty good factual predicate.

Re:This case presents an example of pure censorshi

[russotto]

If I develop a method sufficient to allow me unilateral control of the entire US nuclear missile arsenal (or the Transit Authority's bank accounts), I would surely hope that some federal judge would slap a prior restraint on me to keep me from blabbing it to the world.

Not a chance. In the latter case, the Transit Authority won't be able to afford a lawyer. In the former case, the judge can be easily convinced that the security of his hometown against nuclear missiles depends on ruling in your favor.

le sigh

[SuperBanana]

data processing device performing logical, arithmetic, or storage functions,

Note the "OR". The magstripe card is storage. The -card- does logical, arithmetic, AND storage functions- it's an intelligent device.

Furthermore, they openly admit to trespassing both physically (at stations, offices, AND networks they knew were private.)

Frankly, I'm astounded they're not sitting in a jail cell right now. Chances are that right now the MBTA are going through CCTV footage looking for them trespassing, and once they've found some- they'll be arrested.

It's one thing to play with the cards (and ride the coat-tails of other researchers who published all of this 8 months ago). It's another to wander into offices and plug into internal networks you know you don't belong to (in fact, the very definition of trespassing in some states is "you're somewhere you know you don't belong.")

Re:le sigh

[gknoy]

Frankly, I'm astounded they're not sitting in a jail cell right now. Chances are that right now the MBTA are going through CCTV footage looking for them trespassing, and once they've found some- they'll be arrested.

Does that invalidate their research? If a citizen commits a criminal act, and finds out information which shows smoeone else to have been incompetent (or even criminally negligent), does that mean that the information is no longer valid, or is tainted? I don't think it does.

If I break into my neighbor's house, and discover his marijuana plants, I will likely get in trouble for burglary, but he'll still get busted for drugs. If I break into his computer and prove that he's been embezzling millions from taxpayers, I am likely to go to prison for all sorts of crap, but I expect he'd still be prosecutable - and that what I found would be admissible (since it wasn't the government doing an "unreasonable search" ;)).

Whether this is prudent on the part of the person doing the tresspassing is another matter completely. (I'd suggest that it's highly imprudent to break the law.)

Mike D

[dalrympm]

I just want to say that having read Exhibit 1, I applaud the authors for writing a very succinct and readable account of the vulnerabilities of the MBTA system. It seem implausible to me that anyone (even the pointy hair types) could read that assessment and not fully comprehend the situation at hand. It makes me wonder who Zack Anderson, Russell Ryan and Alessandro Chiesa work for. I'm sure Google will tell me.

Re:Mike D

[dalrympm]

Oh, I guess I should read more thoroughly. They were the three students that were going to present at Defcon. Well, they should get A's for the clarity of their report.

the real purpose

the goal of the transit authority is only to tie this up in court till the conference is over. at that point, presenting the research at the conference will be a moot point.

is Captain Crunch still in jail?

For doing the same thing trying to fix commuter train ticket vulnerabilities?

No. No it's not

"Terrorism is a real threat to the US and the "western" world."

Not really. If looked at rationally, terrorism on 9/11 was tiny irritant to life in the united states.

Think it through.

Dude, are you stupid? Or just fearmongering

"What if this is used by some terrorist organization to mount an attack?"

If you had bothered to, y'know *READ THE F*CKING PRESENTATION* you'd realize the security at stake was the security of the card system. At best, this lets someone ride for free.

How the #$#@ do you think a terrorist would exploit this? You mean, the terrorist were going to use the subway to mount an attack, but they ran out of money to pay the #@$@ing fare, so they decided that walking was too $#@$#ing hard? But now, they can @#$@#ing clone $10 farcards with only $1,000 worth of equipment, so now the f@#$ing terrorist have f#$#@ing won??????? I mean, everybody is allowed to say something @#$#@ing stupid every now and then but you are abusing the @#$%ing privilege.

What's next? A serious talk on how if you have more than 5 ounces of fluid you can blow up the plane due to some new law of physics and chemistry? Or better yet, tell us that now that you remove your @#$#@ing shoes that you now feel safe.

Not everybody is a genius who posts on here, but hardly anybody is that dumb. And you just put yourself into elite f#@$ing terroritory.
   

Why don't these things follow the Las Vegas model?

[Sleepy]

I once saw a documentary about the amount of black box and white box testing which goes on with automated gambling machines in the state of Nevada. This is seriously methodical stuff, and the test plans are pretty much the same for any device.

It amazes me that these ticket systems, Ohio voting machines, etc. all do not follow that model.

It's almost as amazing that the state of Massachusetts contracts this out -- apparently without good specs for test requirements. Is the only point in outsourcing to get lower quality? Instead of farming the job to some random company with no track record, they should have given it to MIT in the FIRST PLACE. MIT has been working on secure open evoting systems since WAY before 2000... I'm sure they could handle this, and it would create local jobs to boot*.

*(An open system is nice that it's free, but we're not quite there where state agencies can support themselves. Look at Red Hat's successful model packaging and selling support. A free and open ticketing system could still drive a healthy development community around MIT, and cities all around would still want extensions and new features added. )

Re:No. No it's not

[Opportunist]

Basically, it doesn't even matter whether the threat is real or imagined. Personally, I think 3000 people in 7 years (and counting) is peanuts. When that's what you're scared about, you shouldn't drive anymore or have an operation. The chances to die in a car accident or on the OP table are significantly higher.

If it is real, it would even increase the mark of shame on our politicians and media. If it's fake, they're just causing a hype to push their agenda. If it's real, they're crying wolf and abuse the "terrism" hype so far until nobody takes it serious anymore.

It's basically like it was in my school. We had fire drills every month or so. Net result? People didn't even bothing going out anymore when the alarm rang. It was known to be fake, so why bother listening to it?

When you overdo drills or abuse a warning system, people will stop taking them serious. It will just be another drill or another hype when you ring the alarm. And that could backfire badly should the threat be real one day again.

I predict a disaster should another terrorist strike happen one day. We'll then get to hear that some "threat level indicator" was at some nice, warm color anyway and "we warned you", but we won't hear that that indicator was about the same nice, warm color for years and we've been blitzed with fake warnings almost at a daily base. Warnings cease to create an elevated level of caution when they happen too often, especially if those warnings are abused to push completely unrelated agendas, just because "terrists" are a comfortable reason to abolish civil rights.

People aren't dumb. They see through it, and they will (and as you can see, do) ridicule those "warnings". It's way harder, though, to actually discriminate a real threat from one of those agenda-pushing fakes when you get told the same old lies over and over. Should a real threat be discovered and actually published, the first reaction most people have won't be "how can I avoid it?" but rather "what are they trying to do to my rights this time?"

Re:Not Exactly Accurate Summary (warning, legalese

[mxs]

IMO, therefore, even if the MBTA has no case whatsoever (almost certainly true) they are entitled to a TRO for a few days until the court can read (and almost certainly deny) their application for a permanent injunction. I don't see any major damage from having a presentation delayed for all of 72 hours either (note, if we were talking permanent injunction, it would be totally bogus -- that's a different matter entirely).

The damage is, of course, that DEFCON will be over by then. The students were robbed of their speech and presentation. So yes, the MBTA has unilaterally changed the status-quo -- there won't be a DEFCON speech about their vulnerabilities by virtue of the TRO.
Of course, the information will now get much more widespread circulation, but the undergrads in this matter will never get to present their findings at this DEFCON.

Re:Not Exactly Accurate Summary (warning, legalese

[sillivalley]

Correct, and the (more public) stance both court and plaintiff are taking now (post-TRO) would seem to indicate that both f*cked up in spades, and are actually beginning to appreciate that -- plaintiff by not thinking things through and actually talking to someone who could understand and explain the technical aspects of things, and the court for believing the plaintiff.

As pointed out, the purpose of a TRO is (was) to *temporarily* freeze the situation until the court can be briefed fully, and make a more reasoned decision.

But we're running on Internet time now, and Plaintiff did what defendant couldn't have done, which was to disseminate even more information to a wider forum, and generate orders of magnitude more interest in this information than defendant could have done on their own...

The other thing plaintiffs did in this action -- going for a TRO takes cojones, and a good reputation with the court. As plaintiff, you're going to the court asking them to act preemptively -- to restrain someone who has not yet acted. If the court doesn't believe you, they'll say, "Nah, if you're damaged, you can bring suit." Here, plaintiffs not only didn't understand the situation, but in their filings, they did orders of magnitude more damage to themselves than the action they got the court to enjoin.

Courts and judges tend to have long memories -- and in this case, they'll most likely remember that these guys were bozos, and evaluate their arguments accordingly.

ignorance

[speedtux]

Subway systems know in detail how much fraud occurs, from rider statistics and revenues.

And why bother deploy a cryptographically secure system? Tokens were far easier to forge than magnetic stripes or RFID tags.

The only ignorance and incompetence here is on the part of the MIT students and people like you who simply don't understand economics and cost/benefit tradeoffs.

ALL OLD NEWS!!!

[jackb_guppy]

The clone hack has been around since at less late '70s. Yes the 70's!!! It was done to BART cards using a cassette tape recorder. Since the card carried all information - like today - you copy it once and return the value every few days. With a commute being the cost daily, the machine just keep over typing. BART stationed people to look at the cards as the popped out of ticket machine (they popped straight up) looking for heavy over printing.

The value hack is again simple. If you ever read credit cards normally, the logic and layout is simple. Designed for the 4bit world of Zon Jr. All that information is out there. The only hard part is mapping unknown track layouts. A couple identical value cards running the same stops - would show datetimes and other "changing" information.

To make this harder to crack would be two encryptions both with check sums, one over checksum is data to other. Even using 2 16bit independent CRCs, so the changing data changes all bits. Also if any one tries to change data, one of the two will catch the error, then writes back a bad data in the track fully re-encrypt, so the mapping process will cost. Will stop it completely - but really slows it down.

I love Mag Track but you have learn from the past!

Re:ALL OLD NEWS!!!

[blueg3]

What you're describing is a class of attack that is not necessarily shared among all systems of the same type. (It's possible to make magstripe systems that aren't vulnerable to replay attacks.)

Typical vulnerability disclosures are the details of how a particular system is vulnerable to a particular attack. Not "this system is probably vulnerable to some kind of replay attack", but how the system works and how the attack is applied to that system.

I sent this to the IT guy at MBTA

[grahamsaa]

Mr. Henderson, While I have no direct connection to you or to Mr. Anderson, I was disappointed to see the brief you filed before the court on August 9. As a systems and network administrator, I would have felt that Mr. Anderson had done me a great service by attaching his "Fare Collection Vulnerability Assessment Report," which the MBTA has included as "Exhibit A." As I'm sure you are now aware, this report is now available to the public, as it was submitted as part of a public civil proceeding. Mr. Anderson's presentation was also public, and was given to attendees in advance of the conference at which he intended to speak. At least until Saturday, it was also hosted by public servers at MIT. A bit of research would likely have led you to the report -- in fact, it is still public, and is now mirrored across the internet. Unfortunately for the MBTA, "Exhibit A," which your organization willfully made public, contains far more detailed and damaging information than Mr. Anderson's original presentation. Instead of trying to prevent this information from leaking out, it seems it would have made more sense to work with Mr. Anderson and his colleagues, or other qualified individuals, to address the vulnerabilities in your system. By seeking prior restraint, the MBTA has suggested that it is uninterested in taking any other corrective action -- at least, if such action is in progress, it is not mentioned in the documents presented to the court. What is also surprising to me is that you disparage Mr. Anderson's research as unoriginal, while at the same time the MBTA is requesting that this information be censored. If Mr. Anderson's research is unoriginal (and I agree with you on this point), how would the release of this report be damaging to the MBTA? How can prior restraint be justified for material that has already been released? Despite my objection to your position in this case, I am indebted to you, and to the MBTA, because by seeking prior restraint in this case, you've taught tens of thousands of people around the world a bit more about how your systems work, and you've demonstrated that prior restraint is quite unrealistic in the internet age. Chances are that relatively few people would have learned about the security flaws of the MBTA system if Mr. Anderson were permitted to give his presentation. As a result of the MBTA's legal challenge, many have taken notice, and have examined the information on vulnerabilities you intended to suppress, as well as the (more sensitive) information the MBTA has now brought to light. I don't expect a reply to this message, as I'm sure you're already quite busy with this matter, but if I were in your position, I would thank Mr. Anderson and his fellow students for a thorough security audit, which they did at no cost to you or to your employer. Of course, if you'd like to respond, you're welcome to do so -- I'd be curious to learn more about your position on this issue. Regards and best wishes! Disclaimer: I have no interest in exploiting the vulnerabilities in the MBTA's systems, and don't live in Massachusetts or anywhere near Boston. I have never ridden public transportation in Boston and at this time have no intention of doing so. Also, I am not a lawyer, and am not affiliated with any party in this case.

Re:I sent this to the IT guy at MBTA

[tehcyder]

I think some paragraph breaks might have made him take it more seriously. This has the whiff of virtual green ink about it.

Part of the Problem...

... is the DMCA - the Digital Millenium Copyright Act. This law turned traditional notions of constitutional rights on their head. The law protects shoddy security (like the MBTA's) by criminalizing the act of talking about it. Its like the Emperor's New Clothes, but in this version, the Emperor has the little boy killed and he keeps on marching, naked and stupid.

Screw the MBTA.

[schmiddy]

So, I actually have a little bit of sympathy for whichever public servant's ass is on the line right now, worrying he's going to get fired over this flap. Whatever idiots actually implemented the existing Charlie Card system we're stuck with right now might be long gone by now, along with the consultants that actually put this system in place.

However, as a Boston resident, it's pretty obvious the MBTA has been brought down recently by especially bad mismanagement. We switched 2 years or so ago from plain tokens (one token == one subway ride) to an overly complicated mix of magstripe cards (CharlieTickets) and RFID cards (CharlieCards).

There was a news story a while back in one of the little free Boston newspapers telling the cost of implementing this new system.. I think it was well into the hundreds of millions of dollars. Enough to pay the existing salaries of the MBTA staff for several years.

To top it off, the new cards are really just a drag on everyone's time. Anyone who's had to wait 2 minutes in line while getting on a bus for some fool to fumble around trying to load up value onto one of the stored-value CharlieCards knows what I'm talking about.

I also have a sneaking suspicion that a "feature" of this horrendously expensive, overly complicated system was not only that it would save money through nebulous efficiency improvements (the Charlie Card machines are broken half the time for some reason...) but that it would allow them to make more money by more effectively manipulating the currency. You see, previously, when they would hike up the subway rates, they couldn't stop people from buying $100 of tokens at the old rates just before the rate switch. Now, they can jack up the rates and everyone's forced to pay the new rate.

So anyway, a little long-winded.. but I can see exactly why the MBTA officials are so worried about this. In addition to being stuck with this crazily complicated, expensive system that's run horrendously overbudget (in addition to the MBTA itself being $100M+ in the red every year somehow, despite having a government-funded monopoly and all sorts of advertising revenue flowing in..), they are now faced with the possibility of college students in Boston buying hacked Charlie Cards and not paying any fare. They're probably scared shitless of this. For the people that said they should just fix their system... I honestly doubt they could, even if they wanted to. We're talking about a system that cost several hundred million $ to put in place, with very little thought about security put in at the beginning. And these are government officials, using god-knows-who for contracting out the maintenance of this system. Working for an agency that's severely in the red, year after year. They don't have a snowball's chance in hell of fixing the system the right way, so they're abusing the courts to keep from being ridiculed in public and fired over the whole fiasco.

Re:Screw the MBTA.

[Gazzonyx]

Right. Just remember that the guy with his job on the line is never the one who made the poor decision. His boss did after the poor guy argued against it for months only to be forced to implement said Bad Idea.

Should have used a speeling choker ...

[RockDoctor]

Bottom line of page 5 : "planed" instead of "planned".
Oh, sorry, a basic spelling checker wouldn't have caught that. He'd need one that can distinguish contexts between "carpentry" and "legalese".
Unfortunately, since this works machine doesn't have Firefox's spelling checker (in any language!), I'm bound to have shot myself in the foot.

Re:No. No it's not

[CrazedSanity]

Desensitizing people to alarms isn't a bad thing, provided there is a sane limit to the desensitization (when it's done to the extent that people don't even flinch at the alarm, it has gone too far).

For instance, let's take a fire alarm: if nobody has heard it before (i.e. they'd never gone through a fire drill at all), there could easily be mass panic and injuries/death due to hysteria; if people were aware of what to do in a fire drill (while not being completely desensitized), the relative calmness of the evacuation avoids hysteria, possibly even after those people realize it isn't a drill.

The moral of the story: using drugs in proper dose to limit pain is a good thing; taking enough drugs to make an elephant drowsy could cause you to be completely unaware of the alien ripping through your ribcage.

Re:No. No it's not

[Opportunist]

That you have to practice to take away the element of panic is a given. Here's actually where the analogy breaks, since that's exactly what does not happen, and is also appearantly not wanted. People don't stop panicking in the face of "terr'rism". The whole thing reeks of "we gotta do something. Dunno what, but something!", which is usually not really productive. And behold, it ain't.

Whooosshh....

[Tmack]

...the sound of the missed joke being snorted up your nose.

Tm

Re:Not Exactly Accurate Summary (warning, legalese

[Tmack]

I don't see any major damage from having a presentation delayed for all of 72 hours either

Excepting, as pointed out in another reply, that this caused a presentation at a conference to be "Restrained" past the end of the conference, thus causing great damage to both the conference itself (one less presentation, bunch of pissed-off people that came to see said presentation) and the presenters (missed opportunity for a large live audience to present to). Since DefCon lists the presentations ahead of time, the MBTA should have had plenty of time to issue their TRO, get the facts straight, and get on with life such that the presentation could go on. Instead they waited and filed the TRO just prior, in a successful attempt to quash the presentation. Looking back through pages, the wifi warcarting article was posted to Slashdot on the 5th, along with mention of the subway hack presentation, so given normal slashdot posting times, it must have been on the DefCon site since at least late July. And checking further, confirmation: "An MBTA vendor tipped off the authority on July 30 that the talk was scheduled"

The TRO was not filed until the 8th. They knew a permanent injunction would not hold up, so they waited until the last minute to request the temporary one. They had plenty of time, 9+ days, to work with the courts and the presenters and they didnt....

Tm

I was at Defcon and was going to see this demo

[kalislashdot]

I was wondering why the talk was changed at the last minute. It was put on by a guy and it was mainly about the list of events about the discovery of the flawed cards. They are well aware of the flawed cards but are going to deploy them anyways.