Slashdot Mirror


MIT Students' Gag Order Lifted

mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days. "Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."

5 of 160 comments

  1. Re:good by Dogun · Score: 4, Informative

    Actually, if you had access to PACER, you could read the version of the presentation the students gave to the MBTA, including the secret key and a few other details that the MIT students were intending to leave out of the DEFCON presentation.

    IOW, the information is already leaked, and it was the MBTA that leaked it.

    I use the past tense above because I don't have access to PACER and I very much hope they got around to censoring that bit of info from the MBTA's submissions.

  2. Re:They can't hold their talk now, can they? by Anonymous Coward · Score: 5, Informative

    Both the magnetic stripe card and the chip card used for electronic payment of public transport fares in Boston are flawed and allow several types of attacks which result in free rides. The hack of the chip card is an implementation of an older, less exploitative hack of the Mifare classic chip which is used in many public transport systems and other prepaid applications all over the world.

  3. Re:good by Ortega-Starfire · Score: 5, Informative
    --
    ---- Liquid was a patriot ----
  4. Re:Speak Anyway by nomadic · Score: 4, Informative

    Contempt of an invalid order doesn't stand, does it?

    The Federal courts have made it quite clear that you must obey an injunction, even if it is ultimately overturned on appeal.

  5. Re:Good Call by _xeno_ · Score: 4, Informative

    You were reading about the CharlieTicket, a paper card with a magnetic stripe. The data on them was found to be unencrypted and "protected" by a 6-bit checksum.

    The CharlieCard, on the other hand, is a MIFARE Classic card. It uses a shared secret key which the card and reader use to authenticate each other. This key was discovered to be 48 bits long.

    --
    You are in a maze of twisty little relative jumps, all alike.