Dutch Journalist In Legal Trouble For Showing How New Transit Card Is Easy To Defraud
from the imprison-the-messenger dept
Three years ago, the Boston Subway system (MBTA) got plenty of attention for getting a judge to block some MIT students from presenting a paper at DEFCON that showed how the MBTA’s magnetic strip cards were vulnerable to hacking. Of course, all that really did was provide that much more attention for the weaknesses in the MBTA system. It seems we may be in for a repeat performance, of sorts, of this kind of “blame the messenger” approach from a public transportation group — and this time it’s by the very journalist who stepped in and did a presentation to replace the MIT kids who could not… DEFCON regular, Dutch journalist Brenno de Winter won’t be attending DEFCON this year because the Dutch transportation companies are taking legal action against him for daring to do his job as a reporter and highlight security problems with the Dutch transit system’s “OV transit chip card.” De Winter, quite reasonably, points out that both European and Dutch courts have supported journalists for reporting on security weaknesses — and yet he still faces a legal fight that could net him six years in prison. Even worse, it appears that even the threat of such things now has de Winter self-censoring:
“They are effectively banning me from doing my job because if I write about this card, I have to think about the consequences,” said 39-year-old de Winter, of Ede, The Netherlands. “I’m writing a book and I have to leave whole chapters out.”
This is no way at all to thank someone who finds a flaw for you to fix, but the Dutch transportation conglomerate appears hell-bent on making life difficult for those who point out technical problems, rather than just fixing the problems.
Filed Under: brenno de winter, defcon, free speech, netherlands, reporting, security
Comments on “Dutch Journalist In Legal Trouble For Showing How New Transit Card Is Easy To Defraud”
Color me not so surprised.
This has become the response of nearly every Government and Agency around the world.
Our systems are perfect and to say otherwise should be illegal.
If you make us look foolish, we make your life hell.
So what if we wasted millions on a project that is horribly flawed, we can just keep you from speaking and everything will be fine.
One has to wonder at what point will the people actually demand and get better from the people in charge.
Re: Re:
It’s a clear message for everybody. Find the security flaw but keep quiet, let ppl explore it. And since they are not doing anything about it (neither letting ppl show the flaws) they are signaling you should also abuse, exploit the shit out of those flaws.
Re: Re: Re:
I wonder why the people who stand to be hurt by these cards not being secure, the passengers, don’t sue as well.
The companies can claim they are being hurt, but their hurt is often just reflected in higher costs (or lessened services) directly passed onto the consumers.
Their first action was to sue, not to find out what the insecurity was. Either they know about the flaw, or don’t give a damn. There are many cases of the details of flaws being delayed to allow them time to fix them. Maybe it is time to have a look into the companies’ records to see how long they were aware of the flaw.
Re: Re: Re: Re:
Because of governmental immunity, and companies contracted to perform work on behalf of the government may have derivative immunity.
Wikileaks FTW!
It’s this type of censoring that Wikileaks et al. are highly prized. If someone can’t report the truth, or material that others are scared about, then at least post it anonymously.
On a related note, if someone is scared about repercussions and writes a book under a pseudonym, can that person be charged? Is an anonymous book considered plausible deniability?
Re: Wikileaks FTW!
Came in to post the exact same thing.
I would have to wonder if there is a difference between:
“we found a problem in the way certain data is encoded on the card, which could permit fraud”
and
“we found a problem with the card, here is exactly what you need to do to hack into it”.
Re: Re:
Well, either way, the company is notified. If they don’t believe you, then perhaps you should show them and get evidence that this can happen.
And if they don’t like that, then perhaps they should have closed the flaw.
Re: Re: Re:
De Winter showed in one of his articles how it could be done. And he has done so to show it. Which is probably why he’s being sued.
Re: Re:
The difference is that the second is useful to help fix the flaw and the first isn’t.
Feynman’s maxim anyone?
Re: Re: Re:
Ahh, so telling every script kiddie on the planet how to hack these cards helps. I got it.
right.
Re: Re: Re: Re:
The very fact that they can means that they should, until the morons who rolled out such a ridiculously insecure piece of crap either fix it or abandon it. The problem is with them, not the hackers. They’re idiots. The hackers are smart. End of discussion.
Re: Re: Re: Re:
The MIT lock picking guide
Why not?
Are all the script kiddies in the world going to travel to the Netherlands to buy that card so they cannot pay for it?
Re: Re: Re: Re:
It’s funny watching you try to defend security by obscurity, a method that has been debunked over and over and over and over again.
Re: Re: Re: Re:
Actually it does help because when they get hacked they will be forced to fix the problem. Or did you think they would just go ahead and fix it anyway, just to be nice?
I don’t see a difference between this and the videos on youtube showing how to pop a master lock with a coke can and some tin snips. The information should be unregulated – the asshole breaking into lockers should be punished.
When will companies realise that “security through obscurity” just doesn’t work. As soon as anyone finds a hole, that security is gone. Even if the finder is gagged, the fact that there is a hole will lead others to find it.
Instead of bringing lawsuits, the transportation companies should be spending that money to find a real fix for the problem. One that will stand up to public scrutiny.
Re: Re:
Because from the companies’ perspective it’s not a security problem. It’s a public relations problem. It’s their customers that have a security problem. Once you look at it this way it becomes obvious why they are responding the way they are.
But Mike, don’t you understand that if people know the product is crappy, it will possibly lead to lost sales.
Of course he must be put away for a long time and be fined millions.
Possibly causing lost sales is right up there with terrorism, child porn and treason.
Re: Re:
Don’t forget giving away lemonade.
De Winter has been a thorn in the side of our government as well, as he’s been using the Dutch FOIA-like laws to get information out in the open: http://www.bigwobber.nl
To the point that the Dutch government is looking into limiting our freedom of information. (Yes, the Dutch government prefers secrecy. Sadly, we’re no Iceland.)
And he has been going after local government IT-contracts, it’s by law that the government has to open IT-bids to also open source companies and software products.
It even resulted in weird statements where a governmental body (basically a group that was formed to protect the interests of municipalities) declared that they weren’t part of the government thus didn’t fall under the jurisdiction of our FOIA. (again, secrets are apparently better than open information, even though our tax-euros have paid for these reports, and pay these *bleep*s)
When details became clear of TransLinkSystems’ case against Brenno, a donation drive was set up to help Brenno pay his legal fees. They reached their goal within hours.
He’s a well-respected freelance Investigative Journalist (with a capital I and J, as he really does investigate the stuff that he writes about).
The funny thing about our public transit card was that BEFORE they even rolled the system out all manner of leaks and other issues were known and were talked about among security experts and even questions were asked to the minister of public transport at the time. But since it was a prestige project for this minister, it had to continue, and now we have a very flawed system:
– No 2-way tickets possible,
– Trips are actually more expensive,
– anonymous cards that aren’t very anonymous,
– record-keeping that’s borderline illegal,
– and here’s the kicker, we can still travel without paying, which was the biggest reason for rolling out this card.
any time someone is trying to show a security flaw and gets sued they should INSTANTLY (anonymously) release the hack data to the public.
Company with security flaw suddenly has a major breach on its hands + monetary losses.
If this happens just a few times for a few hundred million a shot, companies wouldn’t DARE to sue someone trying to help them as the consequences would be nightmarish.
Re: Re:
The information about how to hack our transit cards is actually out there… For a time you couldn’t even get the card readers anywhere, because there was a huge run on them.