Slashdot Mirror


MIT Students' Gag Order Lifted

mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days. "Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."

9 of 160 comments

  1. Good Call by maz2331 · · Score: 5, Insightful

    It looks like the judge made a pretty good call in this case. What he really rejected was the MBTA lawyers' assertion that it was an act prohibited by the law, and not exposing the agency's incompetence.

    Really, bugs aren't fixed by just hiding them.

    FTA:

    MBTA said in documents filed with the court that fixing the security flaws would take five months. ("Students have the ability to cause significant harm to the CharlieTicket system, during the roughly five-month window that remedial actions will require.")

    Actually, the fact that they implemented a seriously flawed system is the problem, and the students' bringing it to light may suck for MBTA. The proper solution is for them to fix their system and, if necessary, sue the vendor for the costs.

    1. Re:Good Call by _xeno_ · · Score: 5, Interesting

      MBTA said in documents filed with the court that fixing the security flaws would take five months.

      I'd love to know how they plan on fixing it. The problem is that, rather than paying for the MIFARE cards with working encryption (3DES or AES) they went with the cheapest system which uses custom 48-bit encryption.

      Short of replacing every single CharlieCard in existence, there is no fix.

      What the MIT students did that went beyond cracking the MIFARE encryption was to reverse engineer what data was stored on the card.

      Which means, knowing the T, that the "solution" will likely be to rearrange the data and continue using the same weak encryption, while lobbying for a new state law that makes reverse engineering illegal.

      --
      You are in a maze of twisty little relative jumps, all alike.

  2. HA! by AndGodSed · · Score: 5, Funny

    the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses.

    Yeah - real successful law that.

  3. Bad Lawyers? by TheNecromancer · · Score: 5, Funny

    Lawyers for the MBTA claimed Tuesday they had proof the students had violated the law, but stopped short of specifying what they did.

    Wow, I can just see these lawyers:

    Lawyer: "They broke the law. We have the proof."
    Judge: "What is your proof?"
    Lawyer: "Um, they...uh, yeah, they just broke the law."

    --
    Attention all planets of the Solar Federation! We have assumed control! - Neil Peart

  4. $5000 worth of damages? by Ramses0 · · Score: 5, Insightful

    That's an interesting argument...

    Does a mechanic cause $5000 worth of damage when he points out that your axle is broken and needs replacement?

    Can you cause damage to a system that has intrinsic vulnerabilities?

    Obviously people taking advantage of disclosed vulnerabilities should be punished under applicable laws (as with simple copyright violation) for whatever damages they caused, but I tend to agree that you can't really pin damages on the discloser.

    Now some other b.s. charge about reckless endangerment or speech issues, but probably not damages.

    --Robert

  5. Re:They can't hold their talk now, can they? by Anonymous Coward · · Score: 5, Informative

    Both the magnetic stripe card and the chip card used for electronic payment of public transport fares in Boston are flawed and allow several types of attacks which result in free rides. The hack of the chip card is an implementation of an older, less exploitative hack of the Mifare classic chip which is used in many public transport systems and other prepaid applications all over the world.

  6. Re:They can't hold their talk now, can they? by Anonymous Coward · · Score: 5, Funny

    I find people saying "Can I ask you a question?" is worse.

    My response is often "You just did."

    And of course they immediately say "Can I ask you another question?" to which you reply "You just did."

    Finally they say "Can I ask you 2 questions?"

    And having already identified yourself as a jerk you say "No."

  7. Re:They never signed a non-disclosure contract by macdaddy · · Score: 5, Insightful

    Because it's embarrassing to somebody in power. Simple as that.

  8. Re:good by Ortega-Starfire · · Score: 5, Informative
    --
    ---- Liquid was a patriot ----