Slashdot Mirror
MIT Students' Gag Order Lifted
mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days. "Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."
Why would exposing the MBTA's secrets be against the law? Realistically, that's all they've done, they put together a presentation on flaws in their system, security firms do this all the time. Nice to see a judge make the right decision.
MABASPLOOM!
About time! The whole idea was crazy. If i were them i'd "accidentally" leak it if this did not happen... This sort of information should be freely available to encourage the system being fixed...
-------
1. Enjoy your job
2. Make lots of money
3. Work within the law
Choose any two.
Of course, this is a victory for the MBTA. They've managed to derail the conference presentation. Objective met.
We all know this will effectively bury the information. Bureaucrats understand that communication is impossible outside of face-to-face meetings. There's nothing that could possibly allow dissemination of this potentially damaging (read: embarassing) information now that the conference is over. Situation handled. Bullet dodged.
It looks like the judge made a pretty good call in this case. What he really rejected was the MTBA lawyers' assertion that it was an act prohibited by the law, and not exposing the agency's incompetence.
Really, bugs aren't fixed by just hiding them.
FTA:
MBTA said in documents filed with the court said that fixing the security flaws would take five months. ("Students have the ability to cause significant harm to the CharlieTicket system, during the roughly five-month window that remedial actions will require.")
Actually, the fact that they implemented a seriously flawed system is the problem, and the students' bringing it to light may suck for MBTA. The proper solution is for them to fix their system and, if necessary, sue the vendor for the costs.
No clue. Litigation tends to be the last refuge of the incompetent.
Yeah - real successful law that.
Seven Days with Ubuntu Unity
Query: What exactly was the flaw under dicussion?
- Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
Lawyers for the MBTA claimed Tuesday they had proof the students had violated the law, but stopped short of specifying what they did.
Wow, I can just see these lawyers:
Lawyer: "They broke the law. We have the proof."
Judge: "What is your proof?"
Lawyer: "Um, they...uh, yeah, they just broke the law."
Attention all planets of the Solar Federation! We have assumed control! - Neil Peart
Query: What exactly was the flaw under dicussion?
Question: Why do you prefix your questions with query?
Statement : I find it sorta redundant.
That's an interesting argument...
Does a mechanic cause $5000 worth of damage when he points out that your axle is broken and needs replacement?
Can you cause damage to a system that has intrinsic vulnerabilities?
Obviously people taking advantage of disclosed vulnerabilities should be punished under applicable laws (as with simple copyright violation) for whatever damages they caused, but I tend to agree that you can't really pin damages on the discloser.
Now some other b.s. charge about reckless endangerment or speech issues, but probably not damages.
--Robert
Both the magnetic stripe card and the chip card used for electronic payment of public transport fares in Boston are flawed and allow several types of attacks which result in free rides. The hack of the chip card is an implementation of an older, less exploitative hack of the Mifare classic chip which is used in many public transport systems and other prepaid applications all over the world.
Win the battle, lose the war
I like this from the article:
/. like geeks?
On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people,...
Wasn't this a presentation planned for the DefCon conference, with a lot of
no comment
Replacing all of the cards should be a minimal cost compared to, say, paying for one day's worth of fuel or employee health insurance.
I find people saying "Can I ask you a question?" is worse.
My response is often "You just did."
And of course they immediately say "Can I ask you another question?" to which you reply "You just did."
Finally they say "Can I ask you 2 questions?"
And having already identified yourself as a jerk you say "No."
I think they should have just gone ahead with the presentation. Contempt of an invalid order doesn't stand, does it?
SIG: HUP
Thank You.
Media contained much hullabaloo about the flaw, but no clear explanation of what was the nature of the flaw...till now.
And to the other posters: I considered my way of phrasing the interrogative clear and unmistakable English. If it was not, then I apologize for any confusion.
- Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
Here is evidence that a low UID does not insure a clear mind.
Maybe you should have said "frivolous" litigation is the last refuge of the incompetent"?
Litigation is one of pillars which holds up a Rule of Law and provides some path to fairness and justice in a free society. Considering the startling consolidation of social power in the hands of corporate ownership and authoritarian fanatics, you may yet see what it's like to live in a society without litigation. I guarantee you're not gonna like it, Ukab.
You are welcome on my lawn.
Protracted litigation is only possible with enough money. And who has that kind of money besides corporate owners and authoritarian fanatics?
Find environmentally and socially responsible products on http://buy-right.net
Your English is both clear and unmistakable. That may have been your problem. Next time, consider adding in an inane meme, such as:
"Imagine a beowulf cluster of MBTAs!"
or
"The MBTA is not a big truck. It's a series of tubes!"
Also, consider to add several speling and/or grammatical error. This will lend to the impression that you are either a caffeine-soaked systems engineer who has been sitting in front of a terminal for eighty straight hours, or a semi-literate American of the species cellarcola nerdus, both of which are held in high regard here.
Accordingly, the dialect best suited to effective communication on slashdot is lolspeak.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
The bigger issue here is how they're going to determine which Charlie cards are legit and which aren't. They can't exactly tell someone with, say, $20 on a charlie card that their money's gone.
Someone could easily get a bunch of charlie cards, put random amounts of money between, say, $20 and $25 (random so that there's no clear pattern which cards are faked and which legit) and then sell to people on the street. $5 for a charlie card with at least $20 on it.
Heck, it probably wouldn't be that hard to convince the buyers that it was legit. "Hey man, my niece was staying here last week and put too much money on this card... It's got over $20 on it, I'll give it to you for $5."
You actually make a really good point; what about poison? If one were to discover a poison or pathogen that might kill a human, were it to be utilized or delivered, along with the reasons why and the possible delivery methods, no one would object to sharing that information with doctors.
Further, no one would claim that you were doing something illegal by spreading that information. Ironically, nor would anyone blame the human body for having that weakness; it wasn't planned for, developed around, whatever.
The fact of the matter is that the system is there, it's vulnerable, and we know how it's vulnerable. There is no convincing reason to try and quash that knowledge - if that is even possible. It is immaterial that it took bright people to figure it out. It is immaterial that without a fix money might be lost. What is material is recognizing things for what they are and reacting to the truth of the situation, not trying to maintain a status quo.
And that is why it's perceived that the MBTA is in error here; they're trying to live in a world where the exploit doesn't exist. But that world itself does not exist.
[Ego]out
The general tone here seems to be that the only security that is worth anything is unbreakable and it is the responsibility of the implementer to make sure any system is secure against attacks. Well, sorry but your front door lock is clearly defective by those standards. As is every single door lock the world over.
See, the security really only needs to be "good enough". What is that? Well, for a front door lock it is enough to keep homeless people out of your house. A determined thief might be able to defeat it in less than a minute but it isn't intended for that - the really determined thief might use a chainsaw to get in just as easily.
The transit system was designed to validate cards and the so-called "security" is probably more of a validation measure rather than a defense against attacks. The idea that attacking the transit system should not be done and should be illegal seems to have gotten lost. What has happened is now the door is open for anyone to duplicate this work and ride free.
So what is the transit system supposed to do? Revamp the entire system at a cost in the millions? Ignore it and hope nobody ever uses this information? I suspect neither is going to happen, but the most sensible outcome would be to replace automation with human ticket agents. Unlikely to happen. I'd guess that millions of dollars will be spent to implement an utterly new, slightly more secure, different system that requires every single piece of hardware and software to be replaced. Which will then be "cracked" within a few months and the details made available to everyone that wants to ride free. The endgame is probably closing the transit system because by its nature it cannot be made completely secure.
I doubt there is an attack-proof and cost-effective solution to the "problem" that is user-friendly and reasonable for a transit system. Why are we so hell-bent on breaking down society that we can't have people just use and pay for a transit system?
Funny this came up. EXACTLY the same debacle has unfolded here in the Netherlands with the card
scheme for the nationwide metro/train/tram system intended to replace the paper ticket system still
in use today. (company NS - www.ns.nl).
Suffering from the universal upper management tendeny toward self-harm through compulsive
obsession with the bottom-line, they ignored whitepapers signed by the senior technical staff
begging them to go with 3DES and AES. A couple of weeks after the (limited) trial roll out the
card was cracked and an infinitely loadable version created and demoed by white/grey hats.
This is somewhat ironic as the Netherlands is one of the world largest suppliers of smart card
technology, and in Europe this is (was?) considered a "specialty" of theirs...
It also doesn't help that the company NS (Nederlandse Spoorweg or "Dutch Platform") is
made of epic fail, but that's a rather long & distinctly boring story.
Sorry for the AC, posting from friend house
can't remember passwd (y i let ffox remeber
it for me v bad i know..)
I think they should go ahead and give their presentation and include the events of the past week in it. In 2006, Steve Rambam was arrested by the FBI minutes before he was to give his "Privacy is Dead" presentation at the HOPE conference. Of course, the charges were dropped - after the conference was over.
He went ahead and gave his presentation a couple of months later.
I am also reminded of the Russian hacker Dmitri Sklyarov, who was prevented (by way of arrest) from giving a presentation at the 2001 DefCon titled "eBook's Security -- Theory and Practice." According to the Wiki page I linked to, "On December 18, 2002 following a two-week trial in San Jose, California, a jury found that Elcomsoft (the company Sklyarov worked for) had not wilfully violated the U.S. law."
So the tactic seems to be abuse the law in order to suppress speech you don't like, since there are apparently no consequences for doing so.
Another possible example of this tactic occurred last week when the IOC attempted to use the DMCA to force YouTube to take down a video about a Tibetan protest at the Chinese consulate in New York. This one may have been a mistake, as the title of the video was apparently "Beijing Olympics Opening Ceremony." But that would make it Trademark - not copyright - infringement, so the DMCA take-down notice was entirely inappropriate and sure gave the impression that their motive was to prevent embarrassment to China, not protect their brand.
I don't care why you're posting AC
And that's why Justice is blind. The incompetent actually does have rights! Unfortunately.
Gee, the MBTA had the students turn over not only their slide deck but a 30 page analysis of the security flaws. Most firms would end up paying something approaching the 6 figure range for a detailed security vulnerability analysis like that, they get it for free. AND sue the students. It's a win-win for incompetent government bureaucracy!
"The bigger the lie, the more they believe." - Det. Bunk
The funny thing is, without the gag order, it might not have appeared on /., the presentation might not have been posted in the comments and i would have never read it. So this kind of "gag" orders are fine with me, as long as it's "no talking" only. I can read myself :-)
They could counter-claim if the MBTA keeps up its suit or file on their own if it is dismissed.
Sure is it just cash damages (including attorneys fess) but it is recourse
The article I read said 6 bit encryption... 64 possibilities.
64 possibilities ought to be enough for anyone.
What?
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
In suits for libel, public expression of the truth is a universal defence.
Why is it not so in this case as well? The students publicized a weakness, but it was the plain truth.
The fact that the plaintiff suffers from a public expression of the truth is the plaintiff's problem, not anyone else's. If they suffer financial losses from this then it's only because they were earning profits under a flawed business plan before, namely the use of cheap and cheerful (lousy) encryption.
They deserve the losses, and presumably will pass them on to their supplier by suing them in turn. This is how the system *SHOULD* work (in the disastrous lawyer-ridden US), otherwise crap companies are profiteering by supplying faulty goods.
The students were acting entirely in the public interest.
That's not a low UID. lol.
-- I'm the root of all that's evil, but you can call me cookie..
The Streisand Effect.
I tend to do the "You just did, and in doing so you have used up your quota for the day. Try again tomorrow."
I usually don't stick to it, unless they're really annoying.
My blog. Good stuff (when I remember to update it). Read it.
How about: "I am not taking questions at this time, and furthermore, I demand reparations for the query already posed."
but have you considered the following argument: shut up.
I usually walk right out if I get the "You just did" response. Life is too short for this kind of aggravation.
Question: so what am I doing here?
The book is not Hitman, it is Hit Man, available only on the used market: http://www.amazon.com/Hit-Man-Technical-Independent-Contractors/dp/0873642767/ref=sr_1_6?ie=UTF8&s=books&qid=1219202282&sr=1-6
Maybe the competent try it earlier?
Np, litigation tends to be the FIRST refuge of the incompetent.
Personally, I think that the judge should have commended the students for taking the initiative to test the security of a public sysem thanked them for bringing it to the publics attention. Plus, he should have laid into the MBTA for trying to sweep the whole thing under the rug.
This sort of thing is inevitable: Every time a human designs a system to the best of their abilities, they should always be open to the findings of other humans who test their system. Human systems are ever-evolving technologies that another human will always be able to figure out and outsmart. They should be thankful that someone beat their system AND told them about it. If it was me, I'd have just kept my mouth shut, loaded up a bunch of cards for my buddies, and ridden the subway so much it would count as a job.
Just remember:
Every puzzle can be solved.
Every code can be broken.
Every device can be cheated.
These yuppie clowns are just being pissy because some students outsmarted a bunch of highly-paid managers and executives at their own game. I'd be pissed too, but at least I'd be nice about it and ask "How in the hell did you do that?". This turned into a case of "Advertising-By-Litigation"
Asking "How'd you do that"" it a whole hell of a lot more productinve that saying "Shut the fuck up, kid, or well throw you in jail!".
A word of advice: Never be rude to a guy with a straight razor or a guy who just out-smarted you, because they are equally dangerous.
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
Question: so what am I doing here?
What you just did.