MIT Students' Gag Order Lifted

mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days. "Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."

Re:Good Call

[_xeno_]

MBTA said in documents filed with the court said that fixing the security flaws would take five months.

I'd love to know how they plan on fixing it. The problem is that, rather than paying for the MIFARE cards with working encryption (3DES or AES) they went with the cheapest system which uses custom 48-bit encryption.

Short of replacing every single CharlieCard in existence, there is no fix.

What the MIT students did that went beyond cracking the MIFARE encryption was to reverse engineer what data was stored on the card.

Which means, knowing the T, that the "solution" will likely be to rearrange the data and continue using the same weak encryption, while lobbying for a new state law that makes reverse engineering illegal.