Slashdot Mirror
EFF To Appeal Court Order Vs. Subway Hack Demo
snydeq sends along InfoWorld coverage of the EFF's plans to appeal a US District Court order that kept three MIT students from presenting detailed flaws in the Massachusetts Bay Transportation Authority e-ticketing system at Defcon. And an anonymous reader points out that the MBTA, in addition to triggering the Streisand Effect, released in open court more information on vulnerabilities (PDF) than the students had any intention of presenting. See Exhibit 1 to this court filing.
How can any such order be justified in the light of the first amendment protection of free speech?
Give me Classic Slashdot or give me death!
It seems that the people who are bringing flaws to light are cast as the villains, while nobody even considers blaming or even questioning the people who selected a poorly-implemented system to run an entire city's public transit.
Isn't this the same hack which was described in detail in c't #8/2008? Mifare classic, uses Crypto1, a flawed pseudo random number generator and salts which only depend on the power on time, which is under the control of the attacker. Flaws were discovered by slicing the chip and inspecting the layers with a microscope.
I say, this is intolerable! You Slashdottian ragamuffins should remove the hyperlink to that MIT-hosted court document post haste, or I shall be forced to request that these truckless tubes be cleansed of it ... in court! (There, that will put a decisive end to their meddling.)
The two students at Georgia Tech that hacked the campus Blackboard swipe system (http://www.theregister.co.uk/2003/07/15/student_hackers_we_didnt_defeat/).The general idea was that it didn't matter how secure the encryption-system was, if the physical system was easy to get to. You don't have to figure out what information is being sent to the machine, all they had to do was 'capture' a 'yes-there-is-enough-money-on-the-card' response, then duplicate. Hey free snacks!!
You know what would rock, an infinite gift card to Wendy's.
Why is it that every time I read about the EFF or Lesig I hear about how they are going down in flames in once case or another? Are we taking about the Washington generals here? Whats it going to take for them to actually win something for a change.
http://www.eff.org/victories
http://www-tech.mit.edu/V128/N30/subway/
Direct link to the presentation PDF:
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
At least from what's in the linked PDF, the undergrads' work is not all that impressive. They look at both the CharlieTicket (magstripe) and the CharlieCard (RFID).
Hacking the CharlieTicket sounds fairly trivial. Magstripe cards are extremely easy to read and write to, and documentation on how to do this with homemade equipment is all over the Internet. The undergrads' work essentially consists of figuring out how the 6-bit checksum is being calculated (though it's not disclosed in the linked documents). This is probably the most difficult thing that they did.
Hacking the CharlieCard, which is a MiFare Classic, is more involved, but the undergrads used a previously known attack, simply duplicating it. (Some might call that the behavior of a "script kiddie"?) There's hardly anything novel about this.
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
Which is from Cory Doctorow's "Little Bother", and which from the court documents in this case?
"Just flash the firmware on a ten-dollar Radio Shack reader/writer and you're done. What we do is go around and randomly swap the tags on people, overwriting their Fast Passes and FasTraks with other people's codes. That'll make everyone skew all weird and screwy, and make everyone look guilty. Then: total gridlock."
vs.:
"An attacker uses RFID equipment purchased online to sniff communications between a legitimate CharlieCard and a turnstile. He takes the data back home and executes one of several attacks that exploit the weak Crypto-1 cipher to recover a key. Armed with this key, a high-gain antenna, and RFID equipment, he walks down a crowded street in boston remotely copying the CharlieCards in people's pockets."
Please, check out 'Little Brother'. FREE for download at http://craphound.com/littlebrother/download/ , or available at fine bookstores everywhere.
The guy who put the report in Exhibit A, along with his email address, it could be added, really, REALLY underestimated the issue I think. Did he really think the public court records wouldn't get out?
Exhibit A will, I suspect, lead to many, MANY more compromises now then would have happened had they given their presentation.
What HE released had the specific vulnerabilities they found. He didn't want that data out, and then published it himself!
-- I'm the root of all that's evil, but you can call me cookie..
How can any such order be justified in the light of the first amendment protection of free speech?
Because all speech isn't protected. The First Ammendment isn't a blanket guarantee to say or do anything. There are limits on speech, and always have been, from the time the Constitution was ratified to today.
You can argue on technical grounds that "security by obscurity" is a stupid idea, but I think the EFF lost here for a reason... we've always balanced speech that can have a direct impact on public safety against the relative risks of that speech. You can't email classified blueprints of an AEGIS radar system to Vladimir Putin, for instance, or a list of undercover NYPD officers to some guy named Sal in Sicily, and then claim free speech protection. If you don't want to get in legal trouble, you go to court and get such things made de-classified or stripped of confidential status first, then you can reveal whatever you like. The students first step should have been getting a court order to strip protection from the MBTA information, because MBTA actually has some legal precedent on their side here.
The students may even be in the right here, but they were pleading their case in a way that almost assured their defeat in court. And in this case, EFF was thinking like hackers, not lawyers.
Life is hard, and the world is cruel
Given the number of security idiocies committed publicly by the Boston authorities, I hope somebody is checking the water supplies in city buildings for some additive that induces mass stupidity.
"Hi, I'm the public. Do I have a right to know about these flaws?"
"No"
The court issued a 'temporary restraining order', which is legal-jargon for "don't do anything until we can get a decent hearing". It does not mean that the court has accepted the MBTA's position or even jurisdiction over the case. It is merely a tool* to ensure that neither party can unilaterally change the status-quo just because the courts do not operate 24/7 and are sort of slow (making sure everyone has a chance to speak generally doesn't allow for fast decision making). Rarely does a TRO last more than a week until a preliminary hearing can be held.
IMO, therefore, even if the MBTA has no case whatsoever (almost certainly true) they are entitled to a TRO for a few days until the court can read (and almost certainly deny) their application for a permanent injunction. I don't see any major damage from having a presentation delayed for all of 72 hours either (note, if we were talking permanent injunction, it would be totally bogus -- that's a different matter entirely).
* Yes, I'm aware the information was already published on the internet and that it cannot effectively be "recalled". That is not the point -- the MBTA, as any other litigant, has the right to have a court hear their case -- even if they really don't have one.
There have been a number of presentations lately that have been silenced by private companies before a conference, either by injunction or under the table (I'm thinking of Apple here). How long before we see conference talks being titled as clearly as most software patents? "Some Group Discusses Some Weakness In Some Company's Software" Tuesday at Defcon. If this gets out of hand, I wouldn't be too surprised if we start seeing some subtle obfuscation of what the true nature of some talks are about.
Method of processing duck feet
If I've got it right, this is pretty far out. The transit authority cannot even establish a factual predicate sufficient to show that the presenters have knowledge that would or could damage the transit authority. This would seem to present a really big causal gap in their case.
"We're going to give a presentation on how to crack the MBTA passes" seems like a pretty good factual predicate.
data processing device performing logical, arithmetic, or storage functions,
Note the "OR". The magstripe card is storage. The -card- does logical, arithmetic, AND storage functions- it's an intelligent device.
Furthermore, they openly admit to trespassing both physically (at stations, offices, AND networks they knew were private.)
Frankly, I'm astounded they're not sitting in a jail cell right now. Chances are that right now the MBTA are going through CCTV footage looking for them trespassing, and once they've found some- they'll be arrested.
It's one thing to play with the cards (and ride the coat-tails of other researchers who published all of this 8 months ago). It's another to wander into offices and plug into internal networks you know you don't belong to (in fact, the very definition of trespassing in some states is "you're somewhere you know you don't belong.")
Please help metamoderate.
"Terrorism is a real threat to the US and the "western" world."
Not really. If looked at rationally, terrorism on 9/11 was tiny irritant to life in the united states.
Think it through.
Basically, it doesn't even matter whether the threat is real or imagined. Personally, I think 3000 people in 7 years (and counting) is peanuts. When that's what you're scared about, you shouldn't drive anymore or have an operation. The chances to die in a car accident or on the OP table are significantly higher.
If it is real, it would even increase the mark of shame on our politicians and media. If it's fake, they're just causing a hype to push their agenda. If it's real, they're crying wolf and abuse the "terrism" hype so far until nobody takes it serious anymore.
It's basically like it was in my school. We had fire drills every month or so. Net result? People didn't even bothing going out anymore when the alarm rang. It was known to be fake, so why bother listening to it?
When you overdo drills or abuse a warning system, people will stop taking them serious. It will just be another drill or another hype when you ring the alarm. And that could backfire badly should the threat be real one day again.
I predict a disaster should another terrorist strike happen one day. We'll then get to hear that some "threat level indicator" was at some nice, warm color anyway and "we warned you", but we won't hear that that indicator was about the same nice, warm color for years and we've been blitzed with fake warnings almost at a daily base. Warnings cease to create an elevated level of caution when they happen too often, especially if those warnings are abused to push completely unrelated agendas, just because "terrists" are a comfortable reason to abolish civil rights.
People aren't dumb. They see through it, and they will (and as you can see, do) ridicule those "warnings". It's way harder, though, to actually discriminate a real threat from one of those agenda-pushing fakes when you get told the same old lies over and over. Should a real threat be discovered and actually published, the first reaction most people have won't be "how can I avoid it?" but rather "what are they trying to do to my rights this time?"
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Correct, and the (more public) stance both court and plaintiff are taking now (post-TRO) would seem to indicate that both f*cked up in spades, and are actually beginning to appreciate that -- plaintiff by not thinking things through and actually talking to someone who could understand and explain the technical aspects of things, and the court for believing the plaintiff.
As pointed out, the purpose of a TRO is (was) to *temporarily* freeze the situation until the court can be briefed fully, and make a more reasoned decision.
But we're running on Internet time now, and Plaintiff did what defendant couldn't have done, which was to disseminate even more information to a wider forum, and generate orders of magnitude more interest in this information than defendant could have done on their own...
The other thing plaintiffs did in this action -- going for a TRO takes cojones, and a good reputation with the court. As plaintiff, you're going to the court asking them to act preemptively -- to restrain someone who has not yet acted. If the court doesn't believe you, they'll say, "Nah, if you're damaged, you can bring suit." Here, plaintiffs not only didn't understand the situation, but in their filings, they did orders of magnitude more damage to themselves than the action they got the court to enjoin.
Courts and judges tend to have long memories -- and in this case, they'll most likely remember that these guys were bozos, and evaluate their arguments accordingly.
So, I actually have a little bit of sympathy for whichever public servant's ass is on the line right now, worrying he's going to get fired over this flap. Whatever idiots actually implemented the existing Charlie Card system we're stuck with right now might be long gone by now, along with the consultants that actually put this system in place.
However, as a Boston resident, it's pretty obvious the MBTA has been brought down recently by especially bad mismanagement. We switched 2 years or so ago from plain tokens (one token == one subway ride) to an overly complicated mix of magstripe cards (CharlieTickets) and RFID cards (CharlieCards).
There was a news story a while back in one of the little free Boston newspapers telling the cost of implementing this new system.. I think it was well into the hundreds of millions of dollars. Enough to pay the existing salaries of the MBTA staff for several years.
To top it off, the new cards are really just a drag on everyone's time. Anyone who's had to wait 2 minutes in line while getting on a bus for some fool to fumble around trying to load up value onto one of the stored-value CharlieCards knows what I'm talking about.
I also have a sneaking suspicion that a "feature" of this horrendously expensive, overly complicated system was not only that it would save money through nebulous efficiency improvements (the Charlie Card machines are broken half the time for some reason...) but that it would allow them to make more money by more effectively manipulating the currency. You see, previously, when they would hike up the subway rates, they couldn't stop people from buying $100 of tokens at the old rates just before the rate switch. Now, they can jack up the rates and everyone's forced to pay the new rate.
So anyway, a little long-winded.. but I can see exactly why the MBTA officials are so worried about this. In addition to being stuck with this crazily complicated, expensive system that's run horrendously overbudget (in addition to the MBTA itself being $100M+ in the red every year somehow, despite having a government-funded monopoly and all sorts of advertising revenue flowing in..), they are now faced with the possibility of college students in Boston buying hacked Charlie Cards and not paying any fare. They're probably scared shitless of this. For the people that said they should just fix their system... I honestly doubt they could, even if they wanted to. We're talking about a system that cost several hundred million $ to put in place, with very little thought about security put in at the beginning. And these are government officials, using god-knows-who for contracting out the maintenance of this system. Working for an agency that's severely in the red, year after year. They don't have a snowball's chance in hell of fixing the system the right way, so they're abusing the courts to keep from being ridiculed in public and fired over the whole fiasco.
http://cltracker.net -- powerful craigslist multi-city search