Boston Subway System Stops Defcon Talk; But Paints Security Target On Its Back

from the yeah,-that'll-work dept

You would think after years and years of it backfiring every time some scared organization tries to shut down a talk concerning their security vulnerabilities, that people wouldn't even bother any more. But never underestimate the short-sightedness of some execs. The Massachusetts Bay Transportation Authority uses a magnetic strip card system to access the subway system in Boston. That system is not particularly secure, and some enterprising MIT students planned to demonstrate just how weak the security was on the system this weekend at the Defcon conference... until the MBTA convinced a judge to ban the presentation and demand that all copies of the presentation not be released -- which is problematic since all attendees at the conference already obtained CDs with a copy of the presentation. Also, somewhat ironically, a copy of the presentation was entered in as evidence in the case, and that copy is now publicly available as part of the court records system. Oops.

Of course, even if the court had actually been able to stop the distribution of the presentation, it's silly to think that this would have stopped the dissemination of the methods for hacking the system. The truth is that the MBTA's system uses woefully weak security, and rather than doing anything to strengthen it, the MBTA has to threaten some bright MIT students and get a court order to pretend that such security vulnerabilities don't exist. And, of course, in doing this, all the MBTA has really done is paint a huge target on its back. Perhaps it should have just focused on making its system a bit more secure instead.


Reader Comments

    bobbknight, Aug 11th, 2008 @ 3:14am

    I want one

    So, not having a pacer account, how can I get a copy of these court records?
    Just so I can say I have a copy.

     


    wasnt me!, Aug 11th, 2008 @ 3:55am

    Is that what we call the ostrich defense?

     


      Anonymous Coward, Aug 11th, 2008 @ 4:41am

      Re:

      No - obviously they are using the Streisand effect to advertise their fine subway - using this talk to allow engineers and hackers to travel at new, subsidised prices. I wonder if it is possible to get a refund on unused credit?

       


    Ferin, Aug 11th, 2008 @ 4:58am

    What the hell?

    Standing aside from the usual idiocy of an agency trying to hide its crappy security, what is wrong with our law schools? Did these lawyers not realize any evidence entered into the court becomes public record?

     


    Anonymous Coward, Aug 11th, 2008 @ 5:01am

    For those interested, here is the "controversial" MBTA presentation from DefCon this weekend (PDF), along with the MBTA's *public* court filings related to the TRO, and a copy of a 'confidential' report made to the MBTA by the same presenters that apparently is dated 8 August as shown on Wired's website late Friday and was also part of the court filing.

    http://infowarrior.org/users/rforno/mirror/

    More info:

    Wired's coverage:
    http://feeds.feedburner.com/~r/wired27b/~3/360219474/injunction-requ.html

    The Streisand Effect strikes again -- same stuff, different year.

     


    mediaempyre, Aug 11th, 2008 @ 5:01am

    Somewhere on the internet this can be found. Google is your friend.
    But why oh why does MBTA not hire the university for some low price to secure the whole damn thing?? Either they are really stupid, and those kids should have their jobs, or there's cronyism afoot and they're really really stupid and those kids should have their jobs.

     


    Anonymous Coward, Aug 11th, 2008 @ 5:31am

    I bet/hope those kids get better jobs than working for MBTA.

     


    Blake, Aug 11th, 2008 @ 5:37am

    Interesting presentation; I enjoyed reading the documents.

     


    matt, Aug 11th, 2008 @ 6:20am

    You would think...

    That the T would be very interested in replacing their current IT professionals with these MIT students!

    Good point about the refund on unused credit; hadn't thought of that angle before!

     


    Drew Snider, Aug 11th, 2008 @ 6:37am

    MTA Hackers

    I didn't see the background to this, but as a former journalist (OK ... former newscaster) and now Public Information Guy with Boston's counterpart in Vancouver BC, I have some questions about the events leading up to this court injunction. Did the MTA and MIT students discuss this before it went public? Did any journalists involved try to act as a go-between before running with the story? There have been instances in Vancouver -- not involving my agency, happily -- where reporters have suddenly ambushed a local agency by running a story that information that could compromise security has been posted on the Internet or (worse) is actually obtainable through that agency's website. Proper course of action for the students: bring the concerns to the agency's attention, then give the agency a week, say, to commit to addressing them, or else they go to the media -- or go public in some way. So my overall question is, are the MIT students acting in the public interest, or just a bunch of know-it-all kids trying to show off how much smarter they are than The Man?

     


      a, Aug 11th, 2008 @ 7:01am

      Re: MTA Hackers

      Prior restraints against speech or the press are most emphatically not in the public interest. Prior restraints are legally presumed to be unconstitutional. In other words, the burden is on the party seeking the prior restraint to show that it comports with our constitutional scheme. The Supreme Court has never upheld a prior restraint.

      In legal circles Alexander v United States has been recognized for its explanation of prior restraints. From that opinion:

      The term "prior restraint" is used "to describe administrative and judicial orders forbidding certain communications when issued in advance of the time that such communications are to occur." Temporary restraining orders and permanent injunctions-i. e., court orders that actually forbid speech activities-are classic examples of prior restraints.

      (Citation omitted.)

      Remember the Pentagon Papers case.

      The public interest is best served by federal judges who uphold the Constitution.

       


      silentsteel, Aug 11th, 2008 @ 7:46am

      Re: MTA Hackers

      I could be wrong, but I think I read that the students contacted the MBTA regarding this presentation and all they got in return was that they had been reported to the FBI, and now were under investigation.

       


      John Wilson, Aug 12th, 2008 @ 5:09pm

      Re: MTA Hackers

      As has already been mentioned, prior restraint, particularly on security issues, whether or not they involve the MBTA or TransLink (the agency I assume you work for), most definitely isn't in the public interest.

      It's rarely in the interest of the agency either.

      It's also been noted that the students ("know-it-all kids") and their Prof at MIT notified the agency involved of their intention to reveal the vulnerabilities at DEFCON.

      I don't know how many times it has to be said before people, be they lawyers or TransLink PR hacks, understand that "security by obscurity" simply does not work. Ever.

      Exhibits A-Z and beyond on that point? Microsoft Windows and accompanying programs such as Outlook Express and Internet Explorer.

      ttfn

      John

       


    Phil, Aug 11th, 2008 @ 7:19am

    For all those stating the MTA should hire these students: STFU.

    The companies supplying these card systems know all too well the vulnerabilities that exist. It is just too expensive to eliminate the threat entirely. Trade-offs due to IC cards requiring power yet having no internal power supply (inductive coupling), PKI management, and the need for speed are just some of the issues at hand.

    The MIT students didn't discover anything previously unknown, get over yourselves (as you obviously identify with the students).

    Presentation or not, very few people could reproduce this "hack" without significant know-how. And then, the system will catch pirated cards in short order and deactivate them.

     


      ChurchHatesTucker, Aug 11th, 2008 @ 7:35am

      Re:

      "STFU, It's a known problem, it's not a problem."

      Well, no worries then, right?

       


      Esahc, Aug 11th, 2008 @ 7:39am

      Re:

      "Presentation or not, very few people could reproduce this 'hack' without significant know-how."

      Um . . . All it would take would be a Google search, & a moderate level of intelligence to obtain the know-how.

      "And then, the system will catch pirated cards in short order and deactivate them."

      One-time access is all a person needs to cause a large amount of damage.

      In any case Boston authorities have never been the brightest; do we all remember the Aqua Team Hunger Force incident?

       


    Phil, Aug 11th, 2008 @ 8:55am

    @ChuckHatesTucker
    Mifare has been around for over a decade and is being phased out. It's not as if anyone is at risk except the MBTA, so what is your concern exactly? It's their loss.

    @Esahc
    I'm sure you already possess the required FPGA programming skills and cryptographic knowledge, but it may surprise you to know it is not widespread. Not as easy as you think.
    They:
    - bought a $1000 radio, with discrete component design
    - utilized GNU radio (not simple to understand)
    - Used said radio to sniff
    - Used an FPGA board to brute force to crack
    - Were able to read, write and clone
    There is a whole lot of research required to get to this point, and the pay off is very small.

    Not only is there value stored on the card, but it is cross-referenced in the evening to audit and assure card balances match those of the database. De-activating all cards that have balances different from what the database lists is trivial.

    "One time access is all a person needs too cause a large amount of damage."
    Yeah, someone might get a full day's worth of rides for free, ZOMG! The sky is falling!

     


    trollificus, Aug 11th, 2008 @ 9:41am

    Okay, Phil...

    ...good point there. The hack is clearly not so easy to reproduce as to result in widespread abuse (read: loss of revenue).

    So...ummm...doesn't that just make the case that the MBTA response was even stupider than it at first appears?

     


    Jeff, Aug 11th, 2008 @ 10:31am

    for the lulz

     


    Andrew D. Todd, Aug 11th, 2008 @ 11:03am

    So Why Not Make It Free?

    As you will see from the link below, transit systems are not usually able to collect fares amounting to more than half of their expenses. Sometimes the figure is a lot less. At that level, even collecting fares becomes counterproductive, particularly when the external costs of automobiles are taken into account. Transit systems are run at a loss, as a public good. The kind of people who use them a lot, students, old-age pensioners, etc., are generally entitled to really deep discounts. Why not just make the transit system free?

    http://en.wikipedia.org/wiki/Farebox_recovery_ratio

     


    zealeus, Aug 11th, 2008 @ 11:27am

    Considering I'd never have known about this hack otherwise, thanks for the suing!
    Also, I doubt 99.9% of people even know WTF the article is talking about much, much less how to reproduce any of the hacks after having read the info.

     


    another mike, Aug 11th, 2008 @ 1:53pm

    same story from last thursday

    This is the story I commented about in last Thursday's Streisand Effect versus security through obscurity, here. So the going rate is one or two a week now.
    If someone finds a big hole in your system, whatever you do, don't sue them over it. Attend their presentation, and quietly fix the hole they found. When no one else can come in and exploit it, they'll be the laughing stock of the conference. You'll be more secure and have fewer attackers; you win twice.

     


    Biz Modl, Aug 11th, 2008 @ 9:06pm

    Not even at the level of an ordinary injunction

    This case doesn't even rise to the level of an ordinary injunction. An injunction is only supposed to be granted if there will be irreparable harm to the plaintiff if the defendant goes ahead with the action they are being sued over. In this case, the transit authority at worst stands to have people riding who didn't pay. It won't increase their costs one iota because they're going to run the same trains they always do; added passengers don't cost any extra to carry. It probably won't decrease their revenue much because I suspect those who use the hack will ride for free just to prove they can, not because they are avoiding payment of a fare that they would have otherwise paid. And even if they do lose money, they have the option of suing the defendants for the damages. Maybe they won't get it all back, but if a transit system can be harmed by a reduction in paid fares, they would have all disappeared long ago.

    So there's not only not "irreparable harm", there's darn near no harm at all. And for this some judge wants to throw away the concept of free speech?

     
