EFF To Appeal Court Order Vs. Subway Hack Demo
snydeq sends along InfoWorld coverage of the EFF's plans to appeal a US District Court order that kept three MIT students from presenting detailed flaws in the Massachusetts Bay Transportation Authority e-ticketing system at Defcon. And an anonymous reader points out that the MBTA, in addition to triggering the Streisand Effect, released in open court more information on vulnerabilities (PDF) than the students had any intention of presenting. See Exhibit 1 to this court filing.
Maybe I'm not understanding the situation, but if you attempt to release information that can cause harm to a business or person or society, that speech can definitely be limited. It's like calling fire in a building with no fire and someone getting hurt. It seems like in this case, if this information got mass attention there might be some way to construe harm. I mean I can think of a lot of ways to fabricate the perception of harm, even though it is unlikely.
I'm trying to put myself in their shoes, someone or someones do not want to have to deal with this if people start mass circumventing the system... money loss, reputations, and the like are surely involved. It doesn't matter if it has been done before, this particular event makes stuff like this a hot topic, because people that build or manage insecure systems look really, really stupid to the professional community.
The guy who put the report in Exhibit A, along with his email address, it could be added, really, REALLY underestimated the issue I think. Did he really think the public court records wouldn't get out?
Exhibit A will, I suspect, lead to many, MANY more compromises now than would have happened had they given their presentation.
What HE released had the specific vulnerabilities they found. He didn't want that data out, and then published it himself!
-- I'm the root of all that's evil, but you can call me cookie..
If more people stood up to, and openly defied the courts, we'd have a better court system.
If more people stood up to, and openly defied the courts, we'd have more people in jail - and a court system with less credibility. If an average citizen can shrug off a court order, what use are the courts? No, instead, the companies/corporations gaming the system should be held responsible. Honestly, I don't have a solution for this problem, but I can't find a justification for destroying the credibility of our judicial institution - what good could come of that?
So, I actually have a little bit of sympathy for whichever public servant's ass is on the line right now, worrying he's going to get fired over this flap. Whatever idiots actually implemented the existing Charlie Card system we're stuck with right now might be long gone by now, along with the consultants that actually put this system in place.
However, as a Boston resident, it's pretty obvious the MBTA has been brought down recently by especially bad mismanagement. We switched 2 years or so ago from plain tokens (one token == one subway ride) to an overly complicated mix of magstripe cards (CharlieTickets) and RFID cards (CharlieCards).
There was a news story a while back in one of the little free Boston newspapers telling the cost of implementing this new system.. I think it was well into the hundreds of millions of dollars. Enough to pay the existing salaries of the MBTA staff for several years.
To top it off, the new cards are really just a drag on everyone's time. Anyone who's had to wait 2 minutes in line while getting on a bus for some fool to fumble around trying to load up value onto one of the stored-value CharlieCards knows what I'm talking about.
I also have a sneaking suspicion that a "feature" of this horrendously expensive, overly complicated system was not only that it would save money through nebulous efficiency improvements (the Charlie Card machines are broken half the time for some reason...) but that it would allow them to make more money by more effectively manipulating the currency. You see, previously, when they would hike up the subway rates, they couldn't stop people from buying $100 of tokens at the old rates just before the rate switch. Now, they can jack up the rates and everyone's forced to pay the new rate.
So anyway, a little long-winded.. but I can see exactly why the MBTA officials are so worried about this. In addition to being stuck with this crazily complicated, expensive system that's run horrendously overbudget (in addition to the MBTA itself being $100M+ in the red every year somehow, despite having a government-funded monopoly and all sorts of advertising revenue flowing in..), they are now faced with the possibility of college students in Boston buying hacked Charlie Cards and not paying any fare. They're probably scared shitless of this. For the people that said they should just fix their system... I honestly doubt they could, even if they wanted to. We're talking about a system that cost several hundred million $ to put in place, with very little thought about security put in at the beginning. And these are government officials, using god-knows-who for contracting out the maintenance of this system. Working for an agency that's severely in the red, year after year. They don't have a snowball's chance in hell of fixing the system the right way, so they're abusing the courts to keep from being ridiculed in public and fired over the whole fiasco.
http://cltracker.net -- powerful craigslist multi-city search