Thursday, August 14, 2008
Court Order Sought to Halt DefCon Talk about Transit Card Vulnerability
By Kim Zetter | August 08, 2008 | 2:45:00 AM | Categories: DefCon

http://blog.wired.com/27bstroke6/2008/08/injunction-requ.html

LAS VEGAS -- The Massachusetts Bay Transportation Authority filed a 
suit in federal court on Friday seeking a temporary restraining order 
to prevent three undergraduate students from the Massachusetts 
Institute of Technology from presenting a talk at the DefCon hacker 
conference this weekend about security vulnerabilities in payment 
systems used in the Massachusetts mass transit system.

The transit authority, known as the MBTA, is seeking to prevent the 
students from "publicly stating or indicating" that electronic 
passenger tickets used on the transit system have been compromised 
until the MBTA can fix security flaws in the system. It further seeks 
to bar the students from releasing any tools or providing any 
information that would allow someone to hack the transit system and 
obtain free rides.

The MBTA says disclosure of the flaws, before it has a chance to fix 
them, will cause irreparable harm to the transit system.

The three student researchers, Zack Anderson, R.J. Ryan and Alessandro 
Chiesa, are scheduled to give a talk Sunday afternoon entitled "The 
Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of 
Ticketing Systems."

According to a description of the talk posted on the conference web 
site, the students plan to discuss vulnerabilities in the fare 
collection system of Boston's T subway system and to demonstrate how 
they reverse engineered the mag stripe on paper passenger tickets 
known as the CharlieTicket as well as how they cracked the smartcard 
tickets known as the CharlieCard. They also plan to release several 
open source tools that they created in the course of their transit 
card research.

The MBTA filed its suit in the U.S. District Court in Massachusetts 
against the three students and their university, stating that the 
students violated the Computer Crime and Fraud Act in accessing 
protected MBTA computers without authorization to conduct their 
research. The MBTA also asserts that MIT and the students' supervisor, 
computer science professor Ron Rivest, failed to properly supervise 
the students to prevent them from attacking and harming the transit 
system.
<snip>

Judge too late:

http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

More documents at:
http://cryptome.org/mbta-v-zack/mbta-v-zack.htm

<snip>


Electronic Frontier Foundation Media Release

For Immediate Release: Saturday, August 09, 2008

Contact:

Jennifer Stisa Granick
  Civil Liberties Director
  Electronic Frontier Foundation
  jennifer@eff.org
  +1 415 271-4879

Marcia Hofmann
  Staff Attorney
  Electronic Frontier Foundation
  marcia@eff.org
  +1 415 436-9333 x116

Rebecca Jeschke
  Media Coordinator
  Electronic Frontier Foundation
  press@eff.org
  +1 415 436-9333 x125

MIT Students Gagged by Federal Court Judge

EFF Backs Researchers Forced to Cancel Presentation on
Transit Fare Payment System

Las Vegas - Three students at the Massachusetts Institute
of Technology (MIT) were ordered this morning by a federal
court judge to cancel their scheduled presentation about
vulnerabilities in Boston's transit fare payment system,
violating their First Amendment right to discuss their
important research.

The Electronic Frontier Foundation (EFF) represents Zack
Anderson, RJ Ryan and Alessandro Chiesa, who were set to
present their findings Sunday at DEFCON, a security
conference held in Las Vegas.  However, the Massachusetts
Bay Transit Authority (MBTA) sued the students and MIT in
United States District Court in Massachusetts on Friday,
claiming that the students violated the Computer Fraud and
Abuse Act (CFAA) by delivering information to conference
attendees that could be used to defraud the MBTA of transit
fares.  This morning District Judge Douglas P. Woodlock,
meeting in a special Saturday session, ordered the trio not
to disclose for ten days any information that could be used
by others to get free subway rides.

"We wanted to share our academic work with the security
community and had planned to withhold a key detail of our
results so that a malicious attacker could not use our
research for fraudulent purposes," said Anderson.  "We're
disappointed that the court is preventing us from
presenting our findings even with this safeguard."

Vulnerabilities in magnetic stripe and RFID card payment
systems implemented by many urban transit systems are
generally known. The student research applied this
information to the specific case of Boston's Charlie Card
and Charlie Ticket, and the project earned an A from
renowned computer scientist and MIT professor Dr. Ron
Rivest.

The court relied on a federal law aimed at computer
intrusions in issuing its order, holding that even
discussing the flaws at a public conference constituted a
"transmission" of a computer program that could harm the
fare collection system.

"The court's order is an illegal prior restraint on
legitimate academic research in violation of the First
Amendment," said EFF Civil Liberties Director Jennifer
Granick.  "The court has adopted an interpretation of the
statute that is blatantly unconstitutional, equating
discussion in a public forum with computer intrusion.
Security and the public interest benefit immensely from the
free flow of ideas and information on vulnerabilities. More
importantly, squelching research and scientific discussion
won't stop the attackers.  It will just stop the public
from knowing that these systems are vulnerable and from
pressuring the companies that develop and implement them to
fix security holes."

This case is part of EFF's Coders' Rights Project, launched
just this week to protect programmers and developers from
legal threats hampering their cutting-edge research.  EFF
will seek relief for the researchers in the courts.

For the full temporary restraining order:
http://www.eff.org/files/filenode/MIT%20students%20TRO.pdf

For more on the Coders' Rights Project:
http://www.eff.org/issues/coders

For this release:
http://www.eff.org/press/archives/2008/08/09

About EFF

The Electronic Frontier Foundation is the leading civil
liberties organization working to protect rights in the
digital world. Founded in 1990, EFF actively encourages and
challenges industry and government to support free
expression and privacy online. EFF is a member-supported
organization and maintains one of the most linked-to
websites in the world at http://www.eff.org/


    -end-

Thursday, August 14, 2008 9:42:28 PM (Eastern Daylight Time, UTC-04:00)