Slashdot Log In
EFF To Appeal Court Order Vs. Subway Hack Demo
Posted by
kdawson
on Mon Aug 11, 2008 06:09 PM
from the tell-no-one dept.
from the tell-no-one dept.
snydeq sends along InfoWorld coverage of the EFF's plans to appeal a US District Court order that kept three MIT students from presenting detailed flaws in the Massachusetts Bay Transportation Authority e-ticketing system at Defcon. And an anonymous reader points out that the MBTA, in addition to triggering the Streisand Effect, released in open court more information on vulnerabilities (PDF) than the students had any intention of presenting. See Exhibit 1 to this court filing.
Related Stories
[+]
Your Rights Online: Massachusetts Sues to Halt Defcon Subway Hacking Talk 270 comments
According to CNET, "The state of Massachusetts has asked a federal judge for a temporary restraining order preventing three MIT students from giving a presentation on Sunday about hacking smartcards used in the Boston subway system." It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas. Update: 08/09 20:57 GMT by T : "Too late," says reader Bluey: "Injunction was already granted."
[+]
Gag Order Fuels Responsible Disclosure Debate 113 comments
jvatcw writes "The Boston subway hack case has exposed a familiar rift in the security industry over responsible disclosure standards. Many see the temporary restraining order preventing three MIT undergrads from publicly discussing vulnerabilities they discovered in Boston's mass transit system as a violation of their First Amendment rights. Others, though, see the entire episode as yet another example of irresponsible, publicity-hungry security researchers trying to grab a few headlines."
We discussed the temporary restraining order last weekend, and later the EFF's plans to fight it. CNet reports that another judge has reviewed the order and left it intact. Reader canuck57 contributes a related story about recent comments by Linus Torvalds concerning his frustration over the issue of security disclosure.
[+]
Your Rights Online: MIT Students' Gag Order Lifted 160 comments
mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days. "Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
First amendment (Score:4, Insightful)
How can any such order be justified in the light of the first amendment protection of free speech?
Re:First amendment (Score:5, Insightful)
If only there were some branch of the government whose job it was to ensure that people's constitutional rights were protected!
Parent
Re:First amendment (Score:4, Interesting)
Maybe im not understand the situation, but if you attempt to release information that can cause harm to a business or person or society. that speech can definitely be limited. Its like calling fire in a building with no fire and someone getting hurt. It seems like in this case, if this information got mass attention there might be some way to construe harm. I mean I can think of allot of ways to fabricate the perception of harm, even though it is unlikely.
Im trying to put myself in their shoes, someone or someones do not want to have to deal with this if people start mass circumventing the system... money loss, reputations, and the like are surely involved. it doesn't matter if it has been done before, this particular event makes stuff like this a hot topic, because people that build or manage insecure systems look really, really stupid to the professional community.
Parent
Re:First amendment (Score:5, Insightful)
A couple comments:
First, the information was already released. The entire presentation was handed out on CDs at the beginning of the conference. All the court order did was prevent a true dialog about the hack.
Second, it could be construed that not releasing the information also has a negative cost. As a public entitiy, the transit agency has a duty to look after the system. The hack points out a flaw in the system. Was the system design opened to public scrutiny prior to its use in an attempt to prevent such a hack? If the hack were not widely known would the agency be working dilligently to fix the flaws?
This is not much different than the "print your own bogus boarding pass" hack. The big worry wasn't really that loved ones could see you off at the gate, but that "bad guys" could go through security, metal detectors and such only to swap tickets with someone who wasn't on the no-fly list. What the release of that hack did was point out a flaw that already existed and provide incentive to fix it, or to drop the whole boarding pass as security sham in the first place.
As to the yelling Fire! in the theater analogy: If there's really a fire, it's Ok to yell.
This is another situation the 1st ammendment was designed to protect. Annoying, painful, expensive, dangerous speech might need to be protected.
Parent
Re:First amendment (Score:5, Insightful)
Then would you also like to allow the people who said "some toys in Wal-Mart have lead in them" to also have their speech limited?
The critical part of rights like the freedom of speech is that if it excludes stuff you don't like, then it is worthless.
"You can say whatever you want, as long as nobody is offended" doesn't really work.
Personally I don't see how any possible exclusions to freedom of speech can be obtained from "Congress shall make no law ... or abridging the freedom of speech, or of the press;", and so libel and slander can't be made illegal as the first amendment is currently written. Neither do I think that it should be possible to make obscene or offensive speech, books, or printings illegal.
Parent
Re:First amendment (Score:5, Informative)
Maybe im not understand the situation, but if you attempt to release information that can cause harm to a business or person or society. that speech can definitely be limited.
That is a pretty general, and pretty wrong, statement. I can voice my opinion on a business all day long, even if that harms the business. I can voice my opinion on public figures all day long, even if their polling numbers decline as a result.
There are certain limitations, sure, but merely bringing an undesired effect to the affected party is not enough.
Its like calling fire in a building with no fire and someone getting hurt.
No, it's not. These students are not putting people's life in jeopardy.
It seems like in this case, if this information got mass attention there might be some way to construe harm.
There is ALWAYS some way to construe harm. The question is whether it's reasonable.
I mean I can think of allot of ways to fabricate the perception of harm, even though it is unlikely.
And this is the kicker. The MBTA is trying to sweep this under the carpet by claiming outlandish claims of public safety and harm -- when it is plain to see that this presentation poses no such threat.
Im trying to put myself in their shoes, someone or someones do not want to have to deal with this if people start mass circumventing the system...
Too freaking bad, use a more secure system. The undergrads even made suggestions as to how to go about it (which they are not obligated to), and are generally behaving responsibly enough (they are not / were not going to release the checksum algorithm or the keys they found).
money loss, reputations, and the like are surely involved.
And rightly so. You see, it's not the undergrads' fault that the system is shoddy. They did not make it shoddy, they did not do the evaluation before buying it, they were not the implementers, and they do not leave network switches unattended behnind open doors. Somebody else is doing that. The undergrads are just pointing out that somebody else is doing that. If that somebody else loses money, reputation, and the like over this incident, then it is their own fault.
it doesn't matter if it has been done before, this particular event makes stuff like this a hot topic, because people that build or manage insecure systems look really, really stupid to the professional community.
This is no reason, at all, to curtail the freedom of speech of these undergrads. Don't like the criticism ? Don't fuck up like that. If you do, take the criticism.
The whole handling of the matter reeks of incompetence, anyway. Apparently these people never heard of the Streisand-effect (seriously, how many more people now know about these weaknesses, in detail, since the MBTA began to sue ?), have never heard about court documents being on the public record (everything they submit as "evidence" is forever in the public eye), have not even researched whether the materials they are trying to suppress have already been circulated (hint: yes, they have), and likely just encouraged others to re-engineer the reverse-engineering. Those others may not be as responsible as these undergrads and release full details, including encryption keys, checksumming algorithms, ready-made software, etc.
A+.
Parent
Re:First amendment (Score:5, Insightful)
How can any such order be justified in the light of the first amendment protection of free speech?
The judge is an idiot. Prior restraint is unconstitutional. This will not survive the appeal.
Parent
Re:First amendment (Score:5, Insightful)
Because; "You have the right to freedom of speech as long as your not dumb enough to use it".
Freedom of speech, like just about all our supposed freedoms, is only available to those that can afford to defend it in court. The contrapositive of this fact is of course that the ability to take away freedoms from someone is available to those that can afford to attack them in court.
Companies, etc, apply for injunctions and by Gods they get them. Do you think if you, whatever your grievance, applied for an injunction against a major company that it would be awarded? Money talks. Judges listen. It's not necessarily something as base as bribes. Just high class laywers gaming a system that puts up with being gamed.
These three hackers should not have appealed this order. They should have ignored it. Defcon should have ignored it. Why obey an order that is going to be struck down anyway? Threat of censure? The court can only censure you if it's oder was legal in the first place.
If more people stood up to, and openly defied the courts; we'd have a better court system.
Parent
Re:First amendment (Score:5, Informative)
Actually, under constitutional law, the preferred situation is to let the speech happen and hash out any legal issues later. The term for preventing a publication is "prior restraint", and it's very much frowned upon compared to going to court over speech that's already been published.
In this case the judge used a computer intrusion statute. I don't know the terms of it, but some such laws do prohibit trading in passwords or other access devices. Seems like a stretch, and I don't consider it justified, but that might be the reasoning. I'm not a lawyer, but if I were them I'd look out for the highly abusable conspiracy laws.
Parent
Re:First amendment (Score:5, Informative)
In this case the judge used a computer intrusion statute. I don't know the terms of it, but some such laws do prohibit trading in passwords or other access devices. Seems like a stretch, and I don't consider it justified, but that might be the reasoning.
According to the complaint [mit.edu] the MBTA is calling the CharlieCard and even the CharlieTicket a "computer." Understanding how the "computer" works and disseminating that information constitutes fraud.
According to the referenced US Code [cornell.edu], a "computer" is:
the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;
Parent
Re:First amendment (Score:5, Insightful)
How can you justify the hack? Showing people how to ripoff the subway would seem to be a criminal act.
No... RIPPING OFF THE SUBWAY is the criminal act.
By your logic everyone in the military should go to jail for teaching or learning how to kill.
Parent
Re:First amendment (Score:5, Insightful)
By a governmental (or quasi-governmental) agency, who is therefore bound by the First Amendment.
Parent
Re:First amendment (Score:5, Informative)
And hopefully that means that they will lose the case. (Actually, I'd hope that anyone bringing such a suit would lose, not just governmental entities.) But this is just an injunction. An injunction is temporary, and is only intended to prevent potential damage from being done until the true merits of the case can be assessed. An injunction doesn't require a good case, it just requires a case that has sufficient merit to go to court.
Personally I don't think this injunction should have been granted, but it's not nearly the slam dunk obvious thing that many people here think it is.
Parent
Re:First amendment (Score:5, Insightful)
The First Amendment doesn't mean that the government can't regulate speech, particularly the timing and method of speech, but even in some cases the content of the speech. However, such regulations must be narrowly tailored to fulfill a legitimate public purpose, such as national defense.
Addressing the vulnerabilities before they become widely exploited is obviously a legitimate public purpose. A restraining order delaying temporarily the release of the details of the vulnerabilities (not the fact of their existence) while they do this would be narrowly tailored to serve that purpose.
I'm not saying it's right, but you should know what your rights actually are. They don't include the right to say whatever you want, whenever you want, however you want without fear of punishment, and they never have.
The important points to remember are (a) legitimate public purpose and (b) narrow tailoring. The narrow tailoring requirement is probably the tougher of the two requirements to meet. In this case, since the details of the problems are in the wild, in part because of the authority's own actions (although this doesn't really matter), any further restriction doesn't serve the purpose of allowing the authority to respond in a timely fashion.
Parent
Re:First amendment (Score:5, Insightful)
What bothers me about this comment isn't that you trivialize terrorism. Yes, it does exist (read on before you mod, please). It doesn't even bother me that it's modded funny.
What bothers me is the "cry wolf" tactics our media and politicians use whenever something happens they don't like. It's because of terrorism that people can't bring their own coke to a plane anymore (it's not that we want airlines to get additional revenue from selling their drinks). P2P fuels terrorism (not that we want to prop up an outdated business model). It's terrorism why we are forced to reliinquish our essential rights (not because our politicians don't want us to say things they don't want the public to know).
"Terrorism" has been abused as the catch all argument whenever something is imposed upon us that goes against the interests of our politicians and their cronies. And people start to see through the thinly veiled egoistic goals, and start to mock it. As you would mock anyone who cries wolf as soon as something happens he doesn't like.
What bothers me most is that when the terrorists strike, we'll get told "see? We told you, it's terrorism!" Instead of them learning that their wolfcrying creates nothing but contempt and ridicule, they will point at us and blame us for not taking it serious, when it has been abused time and again.
Terrorism is a real threat to the US and the "western" world. Abusing it to cry wolf about everything you want to do against your people is not going to make them take it serious. Quite the opposite.
As can be seen in the parent posting.
Daimanta, not trying to belittle you. You're just the one that speaks what everyone was thinking. "Ok, how long 'til they claim terrorism is the reason?" It's not against you, again. It's against those that abuse the terrorist card for everything that goes against their interests.
Parent
Re:No. No it's not (Score:5, Insightful)
Basically, it doesn't even matter whether the threat is real or imagined. Personally, I think 3000 people in 7 years (and counting) is peanuts. When that's what you're scared about, you shouldn't drive anymore or have an operation. The chances to die in a car accident or on the OP table are significantly higher.
If it is real, it would even increase the mark of shame on our politicians and media. If it's fake, they're just causing a hype to push their agenda. If it's real, they're crying wolf and abuse the "terrism" hype so far until nobody takes it serious anymore.
It's basically like it was in my school. We had fire drills every month or so. Net result? People didn't even bothing going out anymore when the alarm rang. It was known to be fake, so why bother listening to it?
When you overdo drills or abuse a warning system, people will stop taking them serious. It will just be another drill or another hype when you ring the alarm. And that could backfire badly should the threat be real one day again.
I predict a disaster should another terrorist strike happen one day. We'll then get to hear that some "threat level indicator" was at some nice, warm color anyway and "we warned you", but we won't hear that that indicator was about the same nice, warm color for years and we've been blitzed with fake warnings almost at a daily base. Warnings cease to create an elevated level of caution when they happen too often, especially if those warnings are abused to push completely unrelated agendas, just because "terrists" are a comfortable reason to abolish civil rights.
People aren't dumb. They see through it, and they will (and as you can see, do) ridicule those "warnings". It's way harder, though, to actually discriminate a real threat from one of those agenda-pushing fakes when you get told the same old lies over and over. Should a real threat be discovered and actually published, the first reaction most people have won't be "how can I avoid it?" but rather "what are they trying to do to my rights this time?"
Parent
Responsibility? (Score:5, Insightful)
It seems that the people who are bringing flaws to light are cast as the villains, while nobody even considers blaming or even questioning the people who selected a poorly-implemented system to run an entire city's public transit.
Re:Responsibility? (Score:5, Insightful)
Parent
Re:Responsibility? (Score:5, Insightful)
I would agree with you, had the MBTA actually taken the initiative to work on solving these issues. Instead their rep stated that if its not known, its not a problem.
Then they go and release more sensitive details in their court documents which are public record than the original presentation was to discuss.
Had the MBTA stated that "they are currently working on resolving the issues, and would want the talk delayed until they are solved" then you would be exactly correct that the presentation should wait. In the end, this is more about pointing out that the MBTA bureaucracy is being incredibly stupid as well as dangerous in their processes.
Parent
Re:Responsibility? (Score:5, Funny)
...Then they go and release more sensitive details in their court documents which are public record than the original presentation was to discuss.
It's not often you get to see someone step on their own pecker with both feet, while advertising the fact.
Parent
Remove that link at once! (Score:4, Funny)
Link to DefCon presentation (Score:5, Informative)
http://www-tech.mit.edu/V128/N30/subway/ [mit.edu]
Direct link to the presentation PDF:
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf [mit.edu]
Not that impressive (Score:5, Informative)
At least from what's in the linked PDF, the undergrads' work is not all that impressive. They look at both the CharlieTicket (magstripe) and the CharlieCard (RFID).
Hacking the CharlieTicket sounds fairly trivial. Magstripe cards are extremely easy to read and write to, and documentation on how to do this with homemade equipment is all over the Internet. The undergrads' work essentially consists of figuring out how the 6-bit checksum is being calculated (though it's not disclosed in the linked documents). This is probably the most difficult thing that they did.
Hacking the CharlieCard, which is a MiFare Classic, is more involved, but the undergrads used a previously known attack, simply duplicating it. (Some might call that the behavior of a "script kiddie"?) There's hardly anything novel about this.
Not Exactly Accurate Summary (warning, legalese) (Score:5, Informative)
The court issued a 'temporary restraining order', which is legal-jargon for "don't do anything until we can get a decent hearing". It does not mean that the court has accepted the MBTA's position or even jurisdiction over the case. It is merely a tool* to ensure that neither party can unilaterally change the status-quo just because the courts do not operate 24/7 and are sort of slow (making sure everyone has a chance to speak generally doesn't allow for fast decision making). Rarely does a TRO last more than a week until a preliminary hearing can be held.
IMO, therefore, even if the MBTA has no case whatsoever (almost certainly true) they are entitled to a TRO for a few days until the court can read (and almost certainly deny) their application for a permanent injunction. I don't see any major damage from having a presentation delayed for all of 72 hours either (note, if we were talking permanent injunction, it would be totally bogus -- that's a different matter entirely).
* Yes, I'm aware the information was already published on the internet and that it cannot effectively be "recalled". That is not the point -- the MBTA, as any other litigant, has the right to have a court hear their case -- even if they really don't have one.
Re:Them again? (Score:5, Informative)
Why is it that every time I read about the EFF or Lesig I hear about how they are going down in flames in once case or another? Are we taking about the Washington generals here? Whats it going to take for them to actually win something for a change.
http://www.eff.org/victories [eff.org]
Parent