A federal judge has refused to strike down an order gagging three Massachusetts Institute of Technology undergraduates from discussing gaping security holes in electronic payment systems used by Boston's transit agency. US District Judge George A. O'Toole Jr. let a previous order stand, despite arguments from Electronic Frontier …
MBTA to Destroy the Students Lives ... Forever
IMHO, Massachusetts Bay Transit Authority's tactic is to use the Digital protection act in their favor to totally destroy the MIT students' lives financially and from the business/employment standpoint, by demonstrating how evil they are. That is why they are demanding all documentation and code. MBTA is going to use the students to set an example for future students and hackers not to repeat this "intrusion."
Personally, I believe their tactic will backfire. I'm just not sure how...
There ARE alternatives.
Foreign countries, for example.
"Your honor, I can't control what others do with my work, especially if it is in a foreign country".
Of course, adding full details, like the checksum algorithm to increase the fare, and maybe kits for sale. Software to be added later with a download. Let the judge reach out over the ocean to quash THAT!
Isn't it easy to see how it'll backfire
I can almost guarantee a retaliatory attack by the underground community by ensuring that a simple "Click to Add Credit" application for the cards will be released shortly - ensuring that the masses all rip-off the transport system.
If they'd let these guys speak at Defcon then they'd be in a better position now. The cards they're using are so flawed it's unbelievable - by keeping people in the dark all they're doing is burying their head in the sand....
This concept has already been proven in the Netherlands. And its release has been sanctioned by a righteous wigged one over here.
Any interested party who knows how to use Google Translate will already know the answers. You don't need to have some US judge's permission, because other teams have already publicly cracked the same technology.
MBTA: Not a smart move
If MBTA has any smarts at all they should drop this case and hire these students to FIX the broken system.
IT WILL BACKFIRE:
This case won't get to trial and if it does ALL the information will become "Public Record" and do more damage to MBTA in the long run. With keys left in unlocked boxes, unattended security booth to documents left in public view MBTA will have more questions to answer than these students ever will.
This will hardly destroy any MIT student's ability of anything in the future nor does it show how evil they are. In fact it shows how smart they are and being MIT students, will enhance the choices of employment in the future.
"...destroy the MIT students' lives financially and from the business/employment standpoint, by demonstrating how evil they are. That is why they are demanding all documentation and code. MBTA is going to use the students to set an example for future students and hackers..."
I would put money on the fact that MBTA will try to use the documents and code to fix the problems however if the students and EFF go all the way on this issue, they will FORBID MBTA to use the documents and code. YES they can do that and claim copyright on docs and code (the documents I have show a copyright on them) thus legally claim damages for a real crime.
Typical management response
Instead of handing the problem over to their technical people they give it to technically illiterate lawyers.
Maybe instead of gagging the Students they should Fix the system so it can't be done anymore.
There's a hole in your fence!
"Know what should we do?"
"Er, fix it?"
"Nah, let's get a court order to stop anybody pointing at the hole. "
It's MBTA's Problem..
They should not be permitted access to the documents, the court should seal them. MBTA can pay a security professional to secure their system like they should have done in the first place! In fact no, it's MBTA's problem, full stop. Free speech should be permitted. As long as they don't use the hack there is no crime. This is not Minority Report!
This is one case
This is one case where I favour full, illustrated disclosure, preferably with a means to clone the CEO of MBTA's card for personal use.
Note key words!
"temporary restraining order"
Not a total ban for ever. I would expect the Authority think they need time to see if they can solve the problem.
Stable door ajar
We must secure it quickly
The horse has bolted
Re: MBTA to Destroy the Students Lives ... Forever
That sounds like an awesome plan! A bunch of motivated, accomplished hackers who suddenly have a grudge and nothing to lose! I'm sure MBTA's security problems will just quietly fade into the background.
It's just like in the story.
'But the Emperor has got no clothes' said the young boy.
'Right that's it - I am arresting you for pointing out how incredibly stupid the Emperer has been' said the palace guard.
And no-one ever pointed out that the emporer had no clothes on again. They just laughed about what a complete idiot he was behind his back. The end.
Why didn't they just...
...go to Canada and webcast their presentation to Defcon from there? Get the hell out of reach of US judges!
Ah the good old days of CB radio. One-Nine-a-rig-check!
Yet Another Reason Why the USA is slipping behind
A gentleman above stated that in Europe something like this is handled differently and an individual is obligated to bring forward their results. I totally agree with that mentality.
So I just read and downloaded the publicly available court documents in PDF. I wish to thank the MBTA for allowing me to read how to defraud their subway system online as well as drawing my attention to this via this very public court case. I mean I am in Toronto, Canada, I would not have heard this story otherwise. So now I know how to get free rides when I go to Boston. Since I know that your actions here clearly indicate you have no interest in fixing the security issues at hand.
As any business should pay for work completed. I believe the MBTA should be paying the MIT students for the code they wish to have a copy of. At the very least claim copyright to your own code and charge a licensing fee. I know a lot of people reading this think it is nuts what I am saying but these students put a lot of time and effort into their work. Not only did they find out all of the details on what was wrong, they even approached the MBTA and told them all of their findings and tried to help. Worst case scenario I suggest building and patenting a fix for the security holes found and begin to pitch this fix to the bulk of the major cities who are also using this same system. The research paper's professionalism combined with this professor's reputation and this public court case will most likely have at least one or more of the cities signing a contract with them.
Paris because at least she knows when to close her legs and hang her head in shame...unlike the MBTA.
Presentation was leaked to wikileaks anyway...
US judges can suck as much as they want, can't block THAT ^_^
@Anonymous coward / Note key words!
In the matter of copyright, the US Supreme Court has ruled that the word "limited" essentially means "unlimited".
It is the same with "temporary" restraining orders, which, in some cases, stay in effect for years.
Will that be the same Charliecard using Mifare classic as Oyster?
So this time it's been broken by undergrads not postgrads, but that's the only news in this story.
The most entertaining thing about your comment is the three different spellings of the word "Emporer"...
Death of the educational system
Yet more proof, if any were needed, of how low our educational systems are slipping. University used to be about teaching students how to think for themselves, and make rational judgements about scenarios that they had not (yet) read about in textbooks.
So: these guys found out something interesting, and the first thing they thought was "Cool! Let's brag to everyone that will listen about how to get free rides for life" (I'm paraphrasing, but only slightly.) What the hell did they think would happen next??
The Dutch (or was it Belgian) researchers that discovered a similar flaw had a very hard time of things, and they were far more professional / academic about their findings.
Twats like these guys are the ones who are truly responsible for the ever increasing number of stupid laws we have. It is journos' job to report, it is politicians' job to make new laws, and it is students' job to learn and stay out of trouble!
Does anyone know if they have presented the exploit to the MBTA? Have the MBTA been given any time to resolve the issue? How expensive will it be and how long will it take to fix?
I fully accept that they should be able to publish, but as the recent DNS weakness has been handled, allow people/companies who could be at risk of attacks to fix the problem (within reasonable time limits) before you publish. Just going straight out and letting everyone know how to exploit a weakness is irresponsible.
Students' jobs to learn and stay out of trouble
Ummm what?! It's "twats" like you and those that will never advance science or society with that mentality.
Case in point examples:
-Leo da Vinci: concepts of flight
blah blah blah; there have been hundreds of brilliant geniuses that have spent their lives learning and causing trouble because their beliefs (i.e., now confirmed science) were controversial and/or heretical at the time.
And there is a collective sigh of relief...
From all the hackers that were exploiting this and expecting it to be shut down!
Now that the court has squashed publicizing the flaw, they can continue quietly hacking the system.
(What? you surely didn't think that the first ones to publicly talk about it were the first ones to find it, did you?)
This sounds to me like a few of the "higher-up" transit employees are trying to cover their own asses (not that they could have prevented an exploit). But would Massachusetts government employees really go through all this legal action to discredit others in order to save face?
Let's not forget the Boston area "Lite-Brite / Improvised Explosive Device" scare when the city flipped out over a few signs placed in areas with high foot traffic and on some bridges.
If you don't remember, an advertising company was contracted by Cartoon Network's daughter network [adult swim] to place several light-up signs in Boston that had a "home made" appearance.
After the signs had been in place for a few WEEKS, Boston officials finally acted, by making arrests, and stating that the signs "...had all the components of an improvised explosive device, except the explosive..." (so does a clock radio).
So this major foul-up illustrated one of two things: Bostonian law enforcement are unable to identify I.E.D.s (if these signs did not resemble bombs), or that actual bombs could, in fact, be placed in Boston for weeks without detection (if the signs did resemble bombs).
So, yes, in Massachusetts, the city and other local governments will censor your Freedom of Speech if it makes them look ignorant.
But I think everything could be worked out if everyone would just get together and discuss it. Maybe over a cup of tea? It could be like a party. In Boston. They could call it The Boston Tea... Oh wait, that name is already taken.
Paris Hilton, because sometimes, Massachusetts is just as clueless.
:D I like a bit of variety!
padantic payne in teh ares!