Slashdot Mirror


MIT Students' Gag Order Lifted

mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days. "Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."

6 of 160 comments

  1. Re:Good Call by _xeno_ · · Score: 5, Interesting

    MBTA said in documents filed with the court that fixing the security flaws would take five months.

    I'd love to know how they plan on fixing it. The problem is that, rather than paying for the MIFARE cards with working encryption (3DES or AES) they went with the cheapest system which uses custom 48-bit encryption.

    Short of replacing every single CharlieCard in existence, there is no fix.

    What the MIT students did that went beyond cracking the MIFARE encryption was to reverse engineer what data was stored on the card.

    Which means, knowing the T, that the "solution" will likely be to rearrange the data and continue using the same weak encryption, while lobbying for a new state law that makes reverse engineering illegal.

    --
    You are in a maze of twisty little relative jumps, all alike.
  2. Win the battle but lose the war! by Newer Guy · · Score: 4, Interesting

    Even though the judge let the gag order expire, by issuing it in the first place, the MBTA essentially got what they wanted: to keep the information from those participating in Defcon.

    Win the battle, lose the war

  3. Re:$5000 worth of damages? by plutoXL · · Score: 3, Interesting

    Does a mechanic cause $5000 worth of damage when he points out that your axle is broken and needs replacement?

    Well, how about if your car had a very bad and insecure locking and starting mechanism, and your mechanic told all your neighbours how to get in and start your car?

    Don't get me wrong, I think the gag order was probably stupid - I don't know the whole story...

    But I do think your analogy is somewhat flawed. :/

  4. Re:Good Call by Lobster Quadrille · · Score: 4, Interesting

    In this case, yes.

    The vendor has been selling a flawed system, both in design and implementation. Car manufacturers can't use incompetence as an excuse when their cars explode, and the vendor can't either.

    In fact, the vendor has known about the flaws for quite some time, but has not fixed them (nor disclosed them).

    It sounds to me like they deserve to be sued for damages.

    You're right that we evil hackers are going to find ways around it anyways, but in this case, the vendor is grossly negligent, and the MBTA is trying to blame the people who found the problem, rather than the ones that created it.

    --
    "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
  5. The bigger issue... by Asmor · · Score: 4, Interesting

    The bigger issue here is how they're going to determine which Charlie cards are legit and which aren't. They can't exactly tell someone with, say, $20 on a charlie card that their money's gone.

    Someone could easily get a bunch of charlie cards, put random amounts of money between, say, $20 and $25 (random so that there's no clear pattern which cards are faked and which legit) and then sell to people on the street. $5 for a charlie card with at least $20 on it.

    Heck, it probably wouldn't be that hard to convince the buyers that it was legit. "Hey man, my niece was staying here last week and put too much money on this card... It's got over $20 on it, I'll give it to you for $5."

  6. Re:Incredibly dumb by geekoid · · Score: 4, Interesting

    Stop using the locked door analogy with computers, it doesn't work and shows a serious lack of understanding about computer systems. In short: you look like an idiot to everyone who knows better.

    This security is not 'good enough' because it can be tried easily and repeatably many times in a night.
    To use your own stupid ass analogy:
    If a person could rob every house in one night, door security would need to be a hell of a lot tougher.
    And if you claimed that the doors you sell were secure, then people should know when they're not.

    They can add a real layer of encryption on the card. You wouldn't need to replace the whole system for this.

    You could go towards a cash dispenser. You could go to an ATM card.

    Funny thing is, this will probably turn out to be a non issue since most people won't do this, and anybody doing it for cash will get caught eventually. The few people who do it just to get themselves free rides won't amount to much.

    The biggest person inconvenienced will be accountants when their books don't balance. Even then they will find an acceptable amount to chalk up to free rides and just apply it at the end of the accounting period.

    "Why are we so hell-bent on breaking down society that we can't have people just use and pay for a transit system?"
    We're not. What we want is to force corporations to have to take security seriously. This is a design flaw and the company that made it should be stuck with the bill to fix it.

    --
    Dunning-Kruger explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
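Comment 1 expects the "fix" to be a rearranged data layout under the same weak cipher, and comment 6 argues a real layer can be added to the card without replacing the whole system. The following is an added example, not code from the thread, the MBTA or any card vendor: it uses a keyed MAC (integrity, which is what a stored balance actually needs, rather than the encryption comment 6 names) over the card UID, balance and transaction counter, with the key held only by readers and the back end, so a rewritten balance or a genuine record copied onto another card fails at the gate regardless of how the fields are laid out. The record layout, key and UIDs are constructed for illustration.

```python
import hmac
import hashlib
import struct

# Constructed demo key. In a deployment it lives only in the readers'
# secure element and the back end, never on the card itself.
READER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Constructed record layout: 4-byte card UID, 4-byte balance in cents,
# 2-byte transaction counter, followed by a 32-byte HMAC-SHA256 tag.
RECORD_FMT = ">4sIH"
BODY_LEN = struct.calcsize(RECORD_FMT)
TAG_LEN = 32


def seal_record(uid: bytes, balance_cents: int, counter: int,
                key: bytes = READER_KEY) -> bytes:
    """Build the sealed balance record a reader writes back to the card."""
    body = struct.pack(RECORD_FMT, uid, balance_cents, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_record(blob: bytes, presented_uid: bytes,
                  key: bytes = READER_KEY):
    """Check a record read from a card; return its fields, or None if rejected.
    presented_uid is the hardware UID the reader got during anti-collision."""
    if len(blob) != BODY_LEN + TAG_LEN:
        return None
    body, tag = blob[:BODY_LEN], blob[BODY_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # any edited byte (e.g. a rewritten balance) lands here
    uid, balance, counter = struct.unpack(RECORD_FMT, body)
    if uid != presented_uid:
        return None  # genuine record, wrong card: clone detected
    return {"uid": uid, "balance_cents": balance, "counter": counter}


def debit(blob: bytes, presented_uid: bytes, fare_cents: int):
    """Gate logic: verify, charge the fare, bump the counter, reseal."""
    rec = verify_record(blob, presented_uid)
    if rec is None or rec["balance_cents"] < fare_cents:
        return None
    return seal_record(rec["uid"], rec["balance_cents"] - fare_cents,
                       rec["counter"] + 1)
```

The MAC does not by itself stop a card being restored to an older sealed record with a higher balance; the counter exists so the back end can spot that rollback when the card is next seen by a networked reader, which is the reconciliation comment 6 expects the accountants to end up doing anyway.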