Three Massachusetts Institute of Technology undergraduates are once again free to publicly discuss gaping security holes in the Boston subway system after a federal judge refused to renew a gag order requested by transportation officials. US District Judge George A. O'Toole rejected arguments by the Massachusetts Bay …
You're kidding me, right?
C'mon, MIT students being prosecuted for revealing the flaws that our nation's government missed? MIT?! NOT HAPPENING! If they were to be prosecuted, it would reveal a much bigger picture that nobody in the upper sector, and I repeat nobody - wants the American people to see. What they need to do is let these guys off the hook early on, so as not to waste the taxpayer dollars. What a load of bull. What a great idea! Punish smart people that undermine government authority with intelligence! What a joke. I love America...
Well I suppose..
that "Want free bus rides for life?" was pushing it slightly, even if they were just trying to gather some hype for their talk.
Welcome to the open barn, MBTA
...but where's the horses?
Paris 'cos even she's smarter than the MBTA.
Ego, nothing but ego
Somebody at MBTA made a mistake and their precious snowflake of an ego can't stand the prospect of that mistake being publicized.
This seems to be another one of the vices of modern management: no one can ever bring themselves to say "guess we fucked up, eh?"
Oddly enough, on the intertubes the people who say "I was wrong, you were right" end up with more credibility than the "I'm always right, even when I'm wrong" crowd. This may have something to do with the baleful influence of tabloid journalism <spit> on public manners and morals.
Don'tcha just love it?
Quote the Emperor:
"if you tell me I'm naked one more time, I'll have your head!"
It could take five months to fix the vulnerabilities
So? The problems with the Mifare card have been known since March.
Wouldn't common sense
demand that instead of being pricks about it, the MBTA hire these three on as consultants for a while to fix the problem, rather than prosecute them and carry on as normal?
black helicopters because I'm talking sense again...
How about they spend the money....
on some decent security analysts instead of lawyers and fix their problem?
Or maybe I don't have any grasp on the situation like the rest of the known world of potential customers!
Smiley cause I want to see the same with TFL and ride the tube for free!
Yeah! baby Yeah!
I wonder if they will ever learn
Using a big stick (expensive lawyers) is only going to cause confrontation – they could have got a lot less publicity for the problems with some quiet behind the scenes manipulation of the students egos
Over reaction but ...
Yes, the reaction by the MBTA is excessive, but, given that the students found a problem and rather than alert them to it decided to make the disclosure at DefCon, it's understandable.
Yes there are egos involved, on both sides, but people have egos. It would have done the students more credit to have talked to the MBTA when they found the problem. It wouldn't have impacted their grades, or their presentation at DefCon.
students free to discuss gaping holes?
Is Lester in the office then?
You'd have thought MBTA would be grateful someone found a security flaw in their system, so they have the opportunity to close it and prevent themselves from losing money.
So MBTA are suing the undergraduates? Why? Have MBTA actually lost any money through the publication of the security loophole by the undergraduates?
No. So why are they suing? Are they suing because they might lose money in the future? In which case that wouldn't be a valid argument anyway.
These guys are muppets. But this is typical of the way government run organisations are run
Bury your heads
Surely good PR would dictate you openly work with them to fix the problem? Brownie points all round. Burying your head in the sand just convinces the public that you either can't fix it, or can't be arsed to fix it.
And the man from MBTA says:
"And we'd have gotten away with it (our sloppy security), if it wasn't for them meddling (pen-testing) kids"...
Fools don't listen, then they crash
I tried to talk to a major bank about their security holes once. Were they interested? We get hundreds of calls a month like yours they said.... and wouldn't listen to my description of the problem, let alone a solution.
So card fraud is £500m a year, and could be a great deal less.
Online banking fraud is big bucks too, but they blame the customer!
They dare not admit they know nothing, the last shred of "credibility" is all that keeps them in a job at all.
The guys could have titled their talk:
'the MBTA are f***tards and should be milked for every penny they own, come here to see how to put $10000 charges on the CEO's transit card'
and they still shouldn't have been gagged. Of course they want a sensational title that will draw interest, and if they are ethical hackers, then they won't disclose enough information to actually make a working exploit. But disclosure should never be made illegal.
Finding a hole is no proof that these three are any good at coding - think about the time you spend telling professional sportsmen on TV what they are doing wrong, then ask yourself if your ability to spot mistakes makes you able to replace them!!
Anyway, the way that the talk was advertised means that I don't give these guys much credit for intelligence, just for being script kiddies on the right side of the law.
They should employ the three students to help fix the security holes, get them to sign NDA agreements and then sue them. duh.
Yeah right here you go - I have identified a flaw in security access to a type of entry system based on RFID cards. I go to the supplier who slaps a court gagging order on me and sues me to death to keep it quiet, they fix it (eventually) and no-one is the wiser. That is what will happen, all that has happened here is the notice was so short they couldn't react without publicly displaying their panic.
If Companies release insecure products or don't test them (including ongoing) then the "public" in the guise of MIT, Hackers, whomever will. Don't get a girly toot when they then publish a flaw you can't be arsed to fix in advance!
Cake and eat it pops to mind. If you are in the security business then you must be secure!
Blame Microsoft they introduced the strategy of public beta testing of their products! you break it we fix it! ...every Wednesday (ish)
Er, the students did try and report this to MBTA.
They were asked to come to a meeting at the MBTA HQ.
Now a company interested in patching the hole would have had a couple of their techies at the meeting. MBTA provided lawyers and the local plod.
Is Microsoft backing this action?
just curious - sounds like their sort of antics - "we know we're incompetent but don't tell anyone"
re: Over reaction but ...
The MBTA reaction might be understandable - but it is not very bright of the management. But then that is probably the reason they got into the problem in the first place and just ended up digging the hole they got themselves into deeper.
Got the wrong people
It seems that MBTA should have known about the vulnerabilities before now, as the article made clear.
"The irony of the lawsuit is that most of the information about the vulnerabilities has already circulated widely."
So I think the kids should not have been taken to court and for the same reason they should not have informed MBTA of what they could argue is public knowledge.
The MBTA should have been on top of this prior to the students presentation. If you read the presentation, these kids discovered absolutely nothing new. Every security flaw they discussed was already known about the systems & technology in place at the MBTA.
Best thing for the students to do is:
(1) don't go back in that state or federal district at all while there is a possibility of a lawsuit against them, and
(2) put the code into the hands of a third party to be released if they are arrested or further harassed by the tards or court.
They tried to do the right thing after finding the problem...yes, they were foolish with their talk headlines, but it was just to draw interest to the story line... As close as we are to a total police state, they need to fight the morons at every step.
Not the end of the world!
You've got to ask yourself what's the competition.
Tickets -- ie bits of paper with unreadable print.
pretty easy to forge but nobody bothers?
Bits of cardboard with mag stripes?
really easy to forge -- and someone found a way to monetise the New York City system.
Metal disks --
People in NYC used to make a nice living selling metal slugs.
The Mifare system is "good enough" for a public transport ticketing system - just because there is some encryption involved it attracts hackers and publicity which tends to ignore the economics of issuing a couple of million travel passes worth a few dollars each.
Having said that, the MBTA acted like complete dickheads, and the lawyers who advised them should be sued for malpractice and incompetence. The students demonstrated good faith by contacting the MBTA; furthermore they intended to hold back some vital details of the hack from their DefCon presentation to give the MBTA some breathing room. All the students' research and the results were placed into the public record as evidence in the case -- so now the complete hack is available to any script kiddy.
Is it just me?
Is it just me or am I the only one that keeps a close eye on blackhat/security research sites & blogs to see if someone has found a vulnerability into something I have written or something I'm using.
Surely MBTA have a geek somewhere doing the same so they can issue a fix before it comes out in the trade mags/site?, surely they have, really? ohhh I guess not.
Paris, because even she has someone monitoring her press.
MBTA's irresponsible implementation of this card system and failure to repair it in the 5 months since the initial publication of insecurities with the cards removes any notion of a requirement of 'responsible disclosure' of an insecurity that is publicly known. The notion that only these guys knew of this issue is absurd and dangerous.
"The students demonstrated good faith by contacting the MBTA, furthermore they intended to hold back some vital details of the hack from their defcon presentation to give the MBTA some breathing room."
The students were all Chinese midgets originally born on the Isle of Man. -- See, I can make stuff up too.
1) These "hackers" got an A grade for putting 1 + 1 together and coming up with 2. The info was well-established ... they just used it to put together a proof of concept. I wonder if their professor realized that they were doing that, or if he thought this was original work?
2) Remember ... Massachusetts is the state that brought us legislated health care (as in, "Everyone must buy an insurance policy ... no exceptions. See? Full coverage!") and legalized gay marriage ... no wait, no gay marriage ... hold on ... gay marriage but no gay divorces ... no wait ...
Responsible Disclosure my *#&+
The lesson here is the opposite. Don't inform the affected company at all, you'll just get sued. Publish anonymously instead.
What about the man who never returned? (M.T.A.)
The MTA (now MBTA) still has HIM locked into a railcar, if the Kingston Trio was to be believed.
You can Google(tm) for the lyrics to M.T.A. to learn about it.
"He's the man Who never returned."