A transit agency in New England has filed a federal lawsuit to stop three Massachusetts Institute of Technology undergraduates from publicly presenting research at Defcon demonstrating gaping security holes in two of the agency's electronic payment systems. The Massachusetts Bay Transit Authority (MBTA) also named MIT in the 17- …
why fix the problem....
when you can just sue people and pretend the problem does not exist.
Paris because she loves a good fixing
So tired of this kind of thing...
Researcher: Hey I found an exploit, want details / help fixing it?
Company: We have no exploits! / Fuck you / no response.
- Months Pass -
Researcher: I'm going to present that stuff now.
Company: Oh hell fuck no, it's far cheaper for us to sue you now than to fix our products months ago.
I'm sure it goes differently based on which side is doing the talking, but this system is so fucked. It just seems like protecting your profits by litigation instead of by making them worth purchasing is entirely backwards.
Someone needs to do something, but it probably won't be me.
So - MBTA is a business..
A correct action - "A Dutch judge rejected the request.", good for the Dutch! Any corporation that skimps on security should be responsible. It is not that it is difficult, expensive, or whatever, especially today, we have the technology for security, just don't go and buy from the next guy who promises free air-miles or whatever perks, design it if you need it! Security is NOT a product, tool or toy - get real! The more the failures in security and other areas in IT are published, the better. It is not just RFID cards, look around - the corporations are slacking instead of working.
It doesn't make any sense to go around filing suits when the problem is in your own house. A tiring subject - comes out more and more. I hope that MIT, etc. fights this - there are problems and they have to be found. Lately it seems that corporations are not taking the business seriously - and security is not the only one!
Maybe they should sue...
Maybe some of these authorities should think about taking action against the vendors of supposedly "secure" systems, mentioning no names, rather than action against the people who discover that the systems are insecure...
Amusing turn of phrases
"Defcon A transit agency in New England ..."
"The Massachusetts Bay Transit Authority (MBTA) also named MIT ..."
gosh, you would think they would just be happy with MBTA.
Well, they really don't know how all of this works do they.
Now it has been mentioned, people will find the flaws, suing is no defence, it is just a way to paint a great big bull's eye on you.
Companies don't want to pay for IT security, it is that simple; stick up a website offering computer security, and watch no one ask for your services. Unless they get compromised. You will have to approach them, and pitch the fear of god into them.
It is because it is a new thing, and not something people cost into business.
You can get work, via insurance companies, but really it all centres around the compromise. Banks have it, but they prefer to keep in house. New innovation does not go through a security process, and you really have to mention it to clients for nearly any tech, and they will umm and ahh over it.
They think the police should protect them, that is what they pay their taxes for.
There will always be people interested in computer security, but I don't think it will ever have a bubble unless those same people are out compromising systems, which is a fairly risky business proposition. Forbidden knowledge really, I think most business owners would prefer no one ever knew about it, it can only cost unless used in industrial espionage, and that is illegal so not something you can really promote.
At some point the insurance companies will put a figure on it, but even then you have the problem of the thing changing all the time, it is not quantifiable, it is not like a crash test dummy and a safety belt, or even a safe, it is far more complex. That's why people buy anti-virus, sure they will kid themselves it does something, and to a degree it will protect, but deep down they know they do it so if they do get compromised then they can say they had some protection, and for 50 quid well it affords them that statement.
So, only way to make money in the game is to publish the exploit, then let all hell ensue, see if you can get paid to fix it. Yes you have to be a bastard about it, there are no really good guys in security who make money, it is all about fear and exploitation, whichever colour hat you think you are wearing.
...we had a thing called freedom of speech in this country. It's one thing when the government tries to censor, but for a corporation to try? Outrageous. They should be thankful they didn't already anonymously share all the details and tools to the world.
Dutch judge did the right thing.
Cures, diseases, stable doors, etc
One thing I have never understood about the US is that whenever someone is humiliated, they seem to try to find grounds to sue whoever has caused the upset. This generally results (a) in amplifying the original sense of humiliation and (b) getting laughed at by anyone who didn't hear the original story. In this case, MBTA have brought the integrity problem to a far larger audience than it would have had had the students just given the presentation.
I can see them now, sat around the MBTA boardroom, saying to each other "...and we would have gotten away with it too, if it wasn't for them pesky kids...."
This is nothing new
In a parallel story, lawyers acting on behalf of the king filed for an injunction preventing a small boy from publishing a revealing paper. In this paper, the small boy analyses the "Fine New Clothes" range, finding that far from providing the king with protection from the elements, these new clothes give no protection whatsoever, and that even a light shower will result in the king being wet through.
A spokesman for the king issued a statement: "The grand parade has been organised to show the Fine New Clothes, provided to the king by A. Charlatan and co., which are clearly a central component. This mendacious attempt by a subversive individual to undermine the parade must be resisted, and the king will take all necessary steps".
There is an IT angle, but the story really is nothing new - it's just that nowadays the king sometimes gets away with it.
Don't release it at Defcon
Release it on Sourceforge.
I don't know about Boston, but...
the transit system in my city is subsidized by the taxpayer around 40 percent. There's an old saying, taxpayer's money = nobody's money. For sure, it's nobody's money the way they waste it. The wrong people are being sued. I'm glad tokens are still used over here.
Sounds to me like the students were simply baiting the agency and that action finally got a response. Starting the paper with an invitation to illegal action is not the brightest idea. I suspect they were just out to get your attention, but it still was a childish comment.
Let the courts have their say, it doesn't matter. Data gets leaked all the time and if this is a true exploit sooner or later real crooks will use it and that will be that.
As far as the students..... If you're going to be dumb; you better be tough.
I know there are important issues at stake here but "ridership"? Did I have to be forced to see such a horrible word .... yours, cancelling subscription etc
Well the Transit Authority pooch-screwed this one.
I'd never heard of it, until now. Time to dust off those "diagnostics" programs? :D
free red Sox and Patriots tickets
I wonder how many free Red Sox and Patriots tickets the Charlie card vendors had to give to the MBTA IT "decision makers" to get their product in the door. >>Somewhere there is a cover up....
I like the tokens anyway; they were inflation proof, waterproof, and never left a 50 cent balance (which is not enough to ride).
FYI the MBTA is a very lucrative quasi-government agency and it is probably not subsidized at all... probably it turns a good profit.
Why paint a target?
When will BlackHat presenters learn to conceal the identity of the organization whose dirty laundry they are about to expose, until they actually deliver the presentation?
No advance notice, no prior restraint.
They should just ...
Use the standard gubmint dissemination method: Leave the exploits and tools in a tube train. Or mail the CD's.
RE: free red Sox and Patriots tickets
"FYI the MBTA is a very lucrative quasi-government agency and it is probably not subsidized at all.. probably it turns a good profit."
Haha! You are obviously not from Boston or else you would know that the MBTA is struggling with massive debt. It currently has over $5 billion of debt and is looking for a bailout from the state. The majority of its revenue comes from the state sales tax, of which it receives 1 penny on every dollar (the tax altogether is 5 pennies on a dollar). The transit agency is already in a very tough financial situation so I can see how it would be worried about any further drop in revenues.
We could be heroes....
"We have no intention of releasing details that would allow someone to replicate the attacks that can be done."
Why the hell not? Public transport *should* be free. Don't see cartards directly paying for the use of the roads.
Clearly, this will end in tears...
...for the MBTA (known locally simply as “the T”) anyway.
In light of the Mifare incident, there's a good argument that much of the information they're likely to present is already public knowledge. Then there's that pesky first amendment to the US constitution - you know, the one that guarantees freedom of speech - that the T's lawyers will have to somehow argue their way around. They'll have to argue that security by obscurity trumps freedom of speech. However, that dog doesn't hunt unless that speech can create a situation that puts public safety at risk. The classic example of this is yelling 'fire!' in a crowded theatre or nightclub. I doubt that they can come anywhere near that standard here.
I wouldn't be too worried about MIT and its undergrads here. The suit is *alll* about pin-headed high level transit authority bureaucrats - who, not coincidentally, are appointed by the Governor in that state - trying to cover their collective backsides.
As for the T being any kind of a business, it's not. It's a state authority, created by an act of the legislature of the Commonwealth of Massachusetts, and is subsidized by state taxes, as well as by levies paid by the taxpayers of the cities and towns it serves. To my knowledge, its revenues have never exceeded its operating costs. Any “losses” they might incur from the dissemination of this type of information would simply be made up by Massachusetts' taxpayers - who will, quite reasonably, ask “WTF did you tw@ts implement a system with security holes big enough to drive a bus through!??” Or a close approximation of that, in tone and meaning.
As for you MIT students: polish up your resumes guys! The T will be letting a consultancy contract on this stuff very soon. People will be calling you waving money. Be sure to ask for an outrageous sum - you only get one chance per contract - and you don't want the regret of having asked for too little.
This should be fun to watch.
um, I beg to differ: Fuel Taxes.
Secondly, unless you want "the state" to tell you how, where and when to do everything, including how much money they will let you have, said fees & taxes go to the running and maintaining of the public transit system and various roads.
Making it free increases the burden on everyone, not just the folks who use it.
I support the MIT Students!
I support the MIT students, and if there is a legal defense fund for them, I will contribute. The Massachusetts Bay Transit Authority (MBTA) is an ostrich with its head stuck up its ass. It is a state government organization, most likely union run and mafia-infected, so this approach of hiding the truth is no surprise.
Look at their "About MBTA" (www.mbta.com) and access their financials. It states the following: "The documents contained in this section make "forward looking statements" by using forward-looking words such as "may", "will", "should", "expects", "believes", "anticipates", "estimates" or others. You are cautioned that forward-looking statements are subject to a variety of uncertainties that could cause actual results to differ from the projected results. Those risks and uncertainties include general economic and business conditions, receipt of funding grants, and various other factors that are beyond our control. Because we cannot predict all factors that may affect future decisions, actions, events, or financial circumstances, what actually happens may be different from what we include in forward-looking statements."
You think that means a forward-thinking organization that wants to do things correctly? No. The only forward thing is covering their butts legally and intimidating through the courts.
"Don't see cartards directly paying for the use of the roads."
Umm, the Mass Turnpike? It's a *TOLL ROAD*. Where, the "cartards", ohh... you know... *directly pay for the use of the roads*. Wanker.
@Mark C. Ridership's a bad word, but it's used frequently in the US. Along with the horrible habit of big businesses telling us what they really think by referring to their customers as "consumers".
These guys should not be intimidated. They do have the right to free speech; they should fully disclose this security vulnerability. I recommend they don't comment "OK, now use it to get free rides!", but it's the transit authority's problem if they use insecure setups. These card vendors have had stronger cards all along, but "Oh no, they cost like $1.50 a card instead of $1" (versus the huge amounts of cash actually passing through these cards).