Dutch Journalist In Legal Trouble For Showing How New Transit Card Is Easy To Defraud

from the imprison-the-messenger dept

Three years ago, the Boston Subway system (MBTA) got plenty of attention for getting a judge to block some MIT students from presenting a paper at DEFCON that showed how the MBTA's magnetic strip cards were vulnerable to hacking. Of course, all that really did was draw that much more attention to the weaknesses in the MBTA system. It seems we may be in for a repeat performance, of sorts, of this kind of "blame the messenger" approach from a public transportation group -- and this time it's aimed at the very journalist who stepped in and gave a presentation to replace the MIT kids who could not. DEFCON regular, Dutch journalist Brenno de Winter, won't be attending DEFCON this year because the Dutch transportation companies are taking legal action against him for daring to do his job as a reporter and highlight security problems with the Dutch transit system's "OV transit chip card." De Winter, quite reasonably, points out that both European and Dutch courts have supported journalists for reporting on security weaknesses -- and yet he still faces a legal fight that could net him six years in prison. Even worse, it appears that even the threat of such things now has de Winter self-censoring:
"They are effectively banning me from doing my job because if I write about this card, I have to think about the consequences," said 39-year-old de Winter, of Ede, The Netherlands. "I'm writing a book and I have to leave whole chapters out."
This is no way at all to thank someone who finds a flaw for you to fix, but the Dutch transportation conglomerate appears hellbent on making life difficult for those who point out technical problems, rather than just fixing the problems.


Reader Comments

  1. That Anonymous Coward (profile), Aug 2nd, 2011 @ 8:17pm

    Color me not so surprised.

    This has become the response of nearly every Government and Agency around the world.
    Our systems are perfect and to say otherwise should be illegal.
    If you make us look foolish, we make your life hell.
    So what if we wasted millions on a project that is horribly flawed, we can just keep you from speaking and everything will be fine.

    One has to wonder at what point will the people actually demand and get better from the people in charge.


  2. Cody Jackson (profile), Aug 2nd, 2011 @ 8:38pm

    Wikileaks FTW!

    It's this type of censoring for which Wikileaks et al. are highly prized. If someone can't report the truth, or material that others are scared about, then at least post it anonymously.

    On a related note, if someone is scared about repercussions and writes a book under a pseudonym, can that person be charged? Is an anonymous book considered plausible deniability?


  3. Anonymous Coward, Aug 2nd, 2011 @ 9:00pm

    I would have to wonder if there is a difference between:

    "we found a problem in the way certain data is encoded on the card, which could permit fraud"

    and

    "we found a problem with the card, here is exactly what you need to do to hack into it".


  4. NotMyRealName (profile), Aug 2nd, 2011 @ 9:52pm

    I don't see a difference between this and the videos on YouTube showing how to pop a Master Lock with a coke can and some tin snips. The information should be unregulated - the asshole breaking into lockers should be punished.


  5. Jamie (profile), Aug 2nd, 2011 @ 10:02pm

    When will companies realise that "security through obscurity" just doesn't work? As soon as anyone finds a hole, that security is gone. Even if the finder is gagged, the fact that there is a hole will lead others to find it.

    Instead of bringing lawsuits, the transportation companies should be spending that money to find a real fix for the problem. One that will stand up to public scrutiny.


  6. Brendan (profile), Aug 2nd, 2011 @ 10:46pm

    Re: Wikileaks FTW!

    Came in to post the exact same thing.


  7. The eejit (profile), Aug 2nd, 2011 @ 11:02pm

    Re:

    Well, either way, the company is notified. If they don't believe you, then perhaps you should show them and get evidence that this can happen.

    And if they don't like that, then perhaps they should have closed the flaw.


  8. Prisoner 201, Aug 2nd, 2011 @ 11:59pm

    But Mike, don't you understand that if people know the product is crappy, it will possibly lead to lost sales?

    Of course he must be put away for a long time and be fined millions.

    Possibly causing lost sales is right up there with terrorism, child porn and treason.


  9. Paddy Duke (profile), Aug 3rd, 2011 @ 1:00am

    Re:

    Don't forget giving away lemonade.


  10. Richard (profile), Aug 3rd, 2011 @ 1:32am

    Re:

    The difference is that the second is useful to help fix the flaw and the first isn't.

    Feynman's maxim, anyone?


  11. Marcel de Jong (profile), Aug 3rd, 2011 @ 4:40am

    De Winter has been a thorn in the side of our government as well, as he's been using the Dutch FOIA-like laws to get information out in the open: http://www.bigwobber.nl
    To the point that the Dutch government is looking into limiting our freedom of information. (Yes, the Dutch government prefers secrecy. Sadly, we're no Iceland.)

    And he has been going after local government IT contracts; it's by law that the government has to open IT bids to open source companies and software products as well.
    It even resulted in weird statements where a governmental body (basically a group that was formed to protect the interests of municipalities) declared that they weren't part of the government and thus didn't fall under the jurisdiction of our FOIA. (Again, secrets are apparently better than open information, even though our tax euros have paid for these reports, and pay these *bleep*s.)

    When details became clear of TransLinkSystems' case against Brenno, a donation drive was set up to help Brenno pay his legal fees. They reached their goal within hours.

    He's a well-respected freelance Investigative Journalist (with a capital I and J, as he really does investigate the stuff that he writes about).

    The funny thing about our public transit card was that BEFORE they even rolled the system out, all manner of leaks and other issues were known and were talked about among security experts, and questions were even asked of the minister of public transport at the time. But since it was a prestige project for this minister, it had to continue, and now we have a very flawed system:
    - No 2-way tickets possible,
    - Trips are actually more expensive,
    - anonymous cards that aren't very anonymous,
    - record-keeping that's borderline illegal,
    - and here's the kicker, we can still travel without paying, which was the biggest reason for rolling out this card.


  12. hmm (profile), Aug 3rd, 2011 @ 4:42am

    any time someone is trying to show a security flaw and gets sued they should INSTANTLY (anonymously) release the hack data to the public.

    Company with security flaw suddenly has a major breach on its hands + monetary losses.

    If this happens just a few times for a few hundred million a shot, companies wouldn't DARE to sue someone trying to help them, as the consequences would be nightmarish.


  13. Marcel de Jong (profile), Aug 3rd, 2011 @ 4:42am

    Re: Re:

    De Winter showed in one of his articles how it could be done. And he has done it to show it. Which is probably why he's being sued.


  14. Marcel de Jong (profile), Aug 3rd, 2011 @ 4:44am

    Re:

    The information about how to hack our transit cards is actually out there... For a time you couldn't even get the card readers anywhere, because there was a huge run on them.


  15. Anonymous Coward, Aug 3rd, 2011 @ 5:49am

    Re: Re:

    Ahh, so telling every script kiddie on the planet how to hack these cards helps. I got it.

    right.


  16. The Devil's Coachman (profile), Aug 3rd, 2011 @ 8:08am

    Re: Re: Re:

    The very fact that they can means that they should, until the morons who rolled out such a ridiculously insecure piece of crap either fix it or abandon it. The problem is with them, not the hackers. They're idiots. The hackers are smart. End of discussion.


  17. Nicedoggy, Aug 3rd, 2011 @ 8:26am

    Re: Re: Re:

    The MIT lock picking guide

    Why not?

    Are all the script kiddies in the world going to travel to the Netherlands to buy that card so they cannot pay for it?


  18. Ninja (profile), Aug 3rd, 2011 @ 10:23am

    Re:

    It's a clear message for everybody. Find the security flaw but keep quiet, let ppl explore it. And since they are not doing anything about it (nor letting ppl show the flaws), they are signaling you should also abuse, exploit the shit out of those flaws.


  19. Anonymous Coward, Aug 3rd, 2011 @ 10:52am

    Re: Re: Re:

    It's funny watching you try to defend security by obscurity, a method that has been debunked over and over and over and over again.


  20. That Anonymous Coward (profile), Aug 3rd, 2011 @ 7:18pm

    Re: Re:

    I wonder why the people who stand to be hurt by these cards not being secure, the passengers, don't sue as well.
    The companies can claim they are being hurt, but their hurt is often just reflected in higher costs (or lessened services) directly passed onto the consumers.
    Their first action was to sue, not to find out what the insecurity was. Either they know about the flaw, or don't give a damn. There are many cases of the details of flaws being delayed to allow them time to fix them. Maybe it is time to have a look into the companies' records to see how long they were aware of the flaw.


  21. chris, Aug 4th, 2011 @ 5:03am

    Re: Re: Re:

    Because of governmental immunity, and companies contracted to perform work on behalf of the government may have derivative immunity.


  22. chris, Aug 4th, 2011 @ 5:08am

    Re: Re: Re:

    Actually it does help because when they get hacked they will be forced to fix the problem. Or did you think they would just go ahead and fix it anyway, just to be nice?


  23. chris, Aug 4th, 2011 @ 5:15am

    Re:

    Because from the companies' perspective it's not a security problem. It's a public relations problem. It's their customers that have a security problem. Once you look at it this way, it becomes obvious why they are responding the way they are.
