Print 11 comment(s) - last by sevesteen.. on Aug 20 at 8:36 PM

Regardless, MBTA was still successful in stopping the DEF CON presentation

A federal judge lifted the temporary gag order placed on three MIT students Tuesday, who were originally set to give a presentation at DEF CON that outlined a number of security holes in the Massachusetts Bay Transportation Authority’s RFID-based fare infrastructure.

The MBTA originally sued the three student researchers earlier this month in an attempt to stop the trio from delivering their presentations. While its efforts were successful — the presentation was snuffed – the lawsuit was one day late. Slides of the presentation were already published in a CD-ROM handed to DEF CON attendees earlier in the day, and soon after posted online (PDF) by MIT student newspaper The Tech.

In his ruling, Federal Judge George O’Toole said that the chances of the MBTA prevailing on its claims under the Computer Fraud and Abuse Act was “minimal,” in which it tried to invoke the Act’s protections from “transmission” of a damaging computer program for the trio’s verbal presentation.

Critics feared the courts’ seemingly hasty decision had inadvertently attacked free speech, because the Act only prohibits the transmission of “code programs” in a computer, not damaging presentations. O’Toole’s interpretation equated free speech with computer hacking, feared some.

“So the attempt to stretch the Computer Fraud and Abuse Act has failed. Please read the statute for yourself, and ask yourself: do you want talking about computers and security to become a crime punishable by fines and imprisonment and subject to FBI and Secret Service oversight?” asks law and technology blog Groklaw. “That's what almost just happened.”

“At first glance, the issues at play may appear obscure, and of interest only to technical researchers and lawyers,” reads an EFF analysis of the situation. “But … the right to publish without pre-publication review is part of the purpose of the 1st amendment, and one of the reasons Americans fought the Revolutionary War.”

The MIT students were behaving as good citizens within this culture of security research. They met with the MBTA before the presentation. They never planned to expose the full details of their successful expose of the vulnerability of the MBTA's fare system … The free speech implications are even more important because showing faults with a government agency's systems is core political speech. The Boston Herald reports that an MBTA Advisory Council Member was concerned with the fare card payment systems (in light of this controversy), and noted that the ‘T gave a no-bid contract for CharlieCard services to a former government employee.’ This makes the public interest in this matter even stronger,” it reads.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

Why Gag them?
By Ryanman on 8/20/2008 9:16:46 AM , Rating: 2
I'm sure the MBTA will say they don't want these "exploits" for the entire system ruining the infrastructure. I think that between hiding the flaws in this no-bid contract and trying to keep RFID a viable option lies a need to censor. RFID isn't for convenience... it's for power BECAUSE of that convenience. Anything that proves that it's other than perfect is up for deletion.

RE: Why Gag them?
By blaster5k on 8/20/2008 11:34:48 AM , Rating: 2
The MBTA has admitted to security problems the Charlie Ticket, which uses a magnetic strip. This is not to be confused with the RFID-based Charlie Card. It's less clear if the card actually suffers from any security issues.

According to the MBTA, fewer than a third of riders use the CharlieTicket - a paper ticket sold at most T stations. The card's magnetic strip is not encrypted and is possible to clone using easily available equipment, according to the MIT students.

The MBTA did not acknowledge any security flaws with the more popular plastic CharlieCard, used by 70 percent of riders, though the MIT students argue that the card may be vulnerable, too.

"We didn't do any proven attack on the CharlieCard, but there are definitely issues present," said Anderson, who conducted the research with Alessandro Chiesa and R.J. Ryan.

I recall reading elsewhere that the head of the MBTA claims they use a different encryption scheme from the MIFARE Classic one that was cracked months ago. The MBTA has been unable to find any vulnerabilities so far, but they're also somewhat incompetent, so who knows what the deal is.

Too late
By Smilin on 8/20/2008 12:37:44 PM , Rating: 3
Isn't that special. They lifted the gag order AFTER the conference was over.

Kinda like opening the barn door after the cows already ran into it and knocked themselves out.

For great justice!

I'm all for free speech...
By Beenthere on 8/20/08, Rating: -1
By onelittleindian on 8/20/2008 10:52:54 AM , Rating: 2
I wouldn't mind if they were charged with a direct hack. But preventing the free flow of information is very dangerous. There have times people have been charged just for discussing the fact that there might be a weakness in a large public system. Those sorts of acts have a terrible chilling effect.

RE: I'm all for free speech...
By Regs on 8/20/2008 11:09:38 AM , Rating: 2
more interested in publicity than in respecting existing laws

I think the whole point is to use publicity to make people aware not enough is being done.

RE: I'm all for free speech...
By Beenthere on 8/20/08, Rating: 0
RE: I'm all for free speech...
By blaster5k on 8/20/2008 12:46:21 PM , Rating: 2
I'm not sure I agree here. Having it out in the open provides added pressure to fix the problem ASAP. If it's not made public, they may choose to try hiding it instead of fixing it. In that case, people can potentially get ripped off without knowing (via cloning or whatever), which I think is even worse. The MBTA is rather cash-strapped, so I wouldn't be surprised to see them go the "hiding" route if they could.

RE: I'm all for free speech...
By Regs on 8/20/2008 2:53:58 PM , Rating: 2
That sounds reasonable to me. Though most of the time, no one wants to spend the money, resources, or time until it's to late anyway.

I can also see what you're getting at about the students ego clouding their judgements.

RE: I'm all for free speech...
By BeenThere2 on 8/20/2008 4:45:35 PM , Rating: 2
Responsible adults fix the problem and move on...

Whatever the reason, MBTA should not have tried to hide the research which uncovered the vulnerability, especially since the researchers discussed their findings with MBTA well before "going public." Instead of denying/discrediting, then employing legal means to stifle the research, I am curious why MBTA did not make use of this free research to verify the facts (scientific method works every time), then resolve any proved issues.

Seems to me that, under a cooperative agreement, the researchers would be more likely to postpone publication (without losing credit), MBTA would gain a "fixed" system, and the PR would be positive.

Except for the small victory of preventing publication at DEFCON, MBTA lost the war: MBTA comes off as a big government agency bullying the little guy(s). That's not exactly the kind of PR MBTA wants or needs...

RE: I'm all for free speech...
By sevesteen on 8/20/2008 8:36:51 PM , Rating: 2
How long do responsible adults wait before releasing damaging security information? Fairly often, the people with poor security would rather fight the disclosure instead of fix the problem. If one group can find a vulnerability, so can a less-honest group.

“And I don't know why [Apple is] acting like it’s superior. I don't even get it. What are they trying to say?” -- Bill Gates on the Mac ads
Related Articles

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki