

  (Source: Wired's Threat Level)
MBTA tries to silence discussions on ticketing smartcards

The Electronic Frontier Foundation will appeal a temporary injunction entered against three MIT researchers, who were set to give a presentation Sunday on hacking the Massachusetts Bay Transportation Authority’s CharlieCard fare system at the DEF CON hacker and security convention in Las Vegas, Nevada.

The student researchers, Zack Anderson, R.J. Ryan, and Alessandro Chiesa, were originally scheduled to give a presentation called “The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems,” on Sunday.  Their talk would have revealed details on hacking Mifare Classic-brand RFID smartcards, which are frequently used in security and fare collection systems around the world, as specifically applied to the CharlieCard.

The MBTA filed suit against the trio in a federal court last Friday, where they sought a temporary restraining order to prevent details of the hack from being disclosed – either via a presentation at DEF CON or over the internet – citing the “irreparable harm” it would suffer.

While the MBTA succeeded in cancelling the researchers’ presentation, its actions proved to be too little, too late. Conference CD-ROMs containing copies of all the scheduled speakers’ slides had already been handed out to DEF CON attendees on Friday morning. In the words of an unnamed DEF CON spokeswoman, “the MBTA was a day late.”

US District Judge Douglas P. Woodcock cited a federal computer intrusion statute in forbidding the researchers from “providing program, information, software code, or [commands] that would assist another in … [circumventing] the security of [the MBTA’s Fare System].”

The EFF says the statute that Woodcock cited applies to “code programs” in a computer, not someone who gives a presentation to humans. Some critics said the judge’s interpretation equates speech with computer hacking.

Anderson says that he and his team planned to leave out a critical detail in his presentation, which would prevent potential attackers from exploiting the MBTA’s system. “We wanted to share our academic work with the security community,” he said, “and had planned to withhold a key detail of our results so that a malicious attacker could not use our research for fraudulent purposes. We're disappointed that the court is preventing us from presenting our findings even with this safeguard.”

Court records reveal that the MBTA learned of the team’s plans on July 30, when it was pointed to a conference schedule on the DEF CON website; the description of the presentation began with “Want free subway rides for life?” Lawyers met with the researchers on August 5, but left empty-handed as the team refused to provide copies of the materials to be presented, though it appears they did succeed in having the description’s references to free subway rides and social engineering tactics redacted.

A team of Dutch researchers at Radboud University previously disclosed details on hacking Mifare Classic smartcards late last June, after announcing that they had successfully hitched free rides on the London Underground and entered restricted areas of Dutch Interior Ministry buildings.

The EFF says it is using MBTA v. Anderson et al as a poster child for its new Coders’ Rights Project, which will work to shield software developers and hackers from legal threats hampering their work.




By JKflipflop98 on 8/12/2008 7:41:33 PM , Rating: 2
The real problem here being that "the system" has no clue how to interpret these types of things. You've got some 50 year old judge whose only exposure to computing is his 18 year old son playing Counter-Strike: Source.

This guy has the ability to do anything he wants, even though he doesn't have a clue as to what he's talking about.

The system, ladies and gentlemen, is broken.




Details...
By JonnyDough on 8/13/2008 1:56:09 AM , Rating: 2
quote:
Anderson says that he and his team planned to leave out a critical detail in his presentation, which would prevent potential attackers from exploiting the MBTA’s system. “We wanted to share our academic work with the security community,” he said, “and had planned to withhold a key detail of our results so that a malicious attacker could not use our research for fraudulent purposes. We're disappointed that the court is preventing us from presenting our findings even with this safeguard.


Bullcrap. If it's a hacker convention I'm sure someone there will be able to "figure it out." What are these dopes trying to pull?

On the one hand you have freedom of speech. You should be able to show people how to make a pipe bomb. They are still responsible for their own actions, they don't HAVE to rig it to explode in a mailbox.

On the other hand you have aiding a criminal. If you have information that can be used for evil and you know this, then you are responsible for what you do with that information. Information is power. A weapon is power. If selling a nuclear bomb to a terrorist is illegal, then so should be giving away information that could harm someone.

This is no different than the freedom of privacy vs wiretapping thing. Where do you draw the line? If people just act in a responsible manner then they won't get their wires tapped and they won't have to deal with getting shot down by the authorities of a transportation system in court.

At the same time, those that are being wrongfully attacked by a government need a mass majority to fight big brother, so us that would be seemingly unaffected cannot be complacent when it comes to privacy issues and rights. What to do, what to do...

That's just my 2 cents.




This is CRAP
By viper69 on 9/5/2008 3:50:08 AM , Rating: 2
Freedom of Speech continues to go down the tubes in my country... This is a sad time for sure.

Evidently you are only guaranteed free speech if it doesn't conflict with any money hungry, profit making organizations.




“Want subsided subway rides for life?”
By gmyx on 8/12/08, Rating: -1
RE: “Want subsided subway rides for life?”
By Iger on 8/12/2008 10:53:19 AM , Rating: 5
It's stupid to achieve security by hiding the exploit from public. Their time and effort would better be spent improving the security or changing the provider of RFID - they will have to do that anyway. And the proof is already there:

http://www.schneier.com/blog/archives/2008/08/hack...

The same info was disclosed a few days ago...


By Zirconium on 8/12/2008 1:01:23 PM , Rating: 2
What is even stupider is how easy it was to hack the magnetic-strip cards. The paper is available online, so I'm not releasing any new information by saying this, but basically, your T Pass or Metro Card (and likely any other subway/bus card with a magnetic strip) contains the amount of money left on the card. That is where the info is stored. Not somewhere on the network. On the damn card. So all it takes is a card reader/writer, and you can spoof the amount of money on the card.
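As an added example (not from the article or any commenter), this Python sketch shows the fix a defender would want for the design Zirconium describes: the on-card balance carries an issuer-keyed HMAC tag and a transaction counter that the backend tracks, so an edited balance fails verification and a restored copy of an older record is rejected as a replay. The key, record layout and fare amount are constructed assumptions, not the MBTA's real format.

```python
import hmac
import hashlib
import struct

# Constructed demo key (assumption): a real issuer keeps this in its backend only.
ISSUER_KEY = b"constructed-demo-key-not-a-real-issuer-secret"
FARE_CENTS = 200
RECORD_FMT = ">IIH"                        # card_id, balance_cents, txn_counter
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 10 bytes
TAG_LEN = 8                                # truncated HMAC, sized for a short track


def _tag(record: bytes) -> bytes:
    return hmac.new(ISSUER_KEY, record, hashlib.sha256).digest()[:TAG_LEN]


def write_track(card_id: int, balance_cents: int, counter: int) -> bytes:
    """Encode the stored-value record and append its authentication tag."""
    record = struct.pack(RECORD_FMT, card_id, balance_cents, counter)
    return record + _tag(record)


def validate_fare(track: bytes, ledger: dict) -> tuple:
    """Gate-side check; returns (status, rewritten_track_or_None).
    ledger maps card_id -> highest counter the backend accepted (replay defence)."""
    if len(track) != RECORD_LEN + TAG_LEN:
        return "BAD_FORMAT", None
    record, tag = track[:RECORD_LEN], track[RECORD_LEN:]
    if not hmac.compare_digest(_tag(record), tag):
        return "BAD_TAG", None       # balance field edited without the key
    card_id, balance, counter = struct.unpack(RECORD_FMT, record)
    if counter <= ledger.get(card_id, -1):
        return "REPLAY", None        # stale copy of the card presented again
    if balance < FARE_CENTS:
        return "INSUFFICIENT", None
    ledger[card_id] = counter
    return "OK", write_track(card_id, balance - FARE_CENTS, counter + 1)


def demo() -> list:
    """Four presentations at the gate; returns their statuses in order."""
    ledger = {}
    genuine = write_track(card_id=1234, balance_cents=500, counter=0)
    s1, after_ride = validate_fare(genuine, ledger)          # OK, 300 left
    s2, _ = validate_fare(after_ride, ledger)                # OK, 100 left
    # Edit only the balance bytes of the original record: tag no longer matches.
    forged = genuine[:4] + struct.pack(">I", 99_999) + genuine[8:]
    s3, _ = validate_fare(forged, ledger)                    # BAD_TAG
    s4, _ = validate_fare(genuine, ledger)                   # REPLAY (counter 0)
    return [s1, s2, s3, s4]
```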


By jRaskell on 8/12/2008 1:13:25 PM , Rating: 2
Perhaps you should read the WHOLE article

1. The trio of MIT students specifically intended to leave out critical details that would prevent malicious attendees from using the exploit to their advantage. This was a case of exposing an exploit without handing over the ability to use it. The presentation would not have caused any loss of revenue for the MBTA, or any other service using these RFID systems.

2. The CDs were handed out on the Friday morning that the suit was filed. Without evidence to the contrary, it was just a mere coincidence, nothing more than what the spokeswoman stated. The MBTA was a day late. All sorts of bad things tend to occur when somebody tries putting words into the mouths of others.


By wvh on 8/12/2008 6:30:13 PM , Rating: 2
quote:
While I might get shot for this, I side with MBTA here. There wasn't even responsible disclosure. This has the possibility of stripping the MBTA of serious revenue. To attack an OS and have a patch applied without much loss of funds (it does cost to make and apply the patch), it does not hamper the ability to make revenue. To attack a public service / business in a way to deprive it of revenue is just plain bad taste.


These are university security researchers trying to tell the world that those cards are not safe anymore. That's quite something else than a gang of thieves getting ready to set up some large scale illegal operation.

They would not have shared all the details, just the big lines so anybody relying on this technology could have had a clear view on the problem and on what needs to be addressed in future revisions of these cards and similar technologies.

We should be grateful that people release these flaws to the public before the information falls into the hands of criminals, gangs, spammers, or anybody else who intends to use the information for less laudable purposes.


Copyright 2014 DailyTech LLC.