MIT students barred from presenting Boston subway fare loophole
By Ed Oswald | Published August 11, 2008, 5:12 PM
At a security conference on Sunday, the three students were set to highlight security holes in the automated fare collection system used by the city's transit service.
Zack Anderson, R.J. Ryan, and Alessandro Chiesa were set to give the talk at the DEFCON Conference in Las Vegas (PDF of full presentation available here from MIT). The Massachusetts Bay Transportation Authority complained that the students were going to show attendees how to exploit the hole, without first giving it a chance to fix the problem.
The transit agency sued both the students and the Massachusetts Institute of Technology to prevent the presentation from taking place, accusing them of violations of the Computer Fraud and Abuse Act.
According to the EFF's Jennifer Granick, who is assisting the group in their case, no identifiable information on how to exploit the hack would have been shown. It would, however, have called the MBTA's security into question.
In a presentation prepared for the conference, the three would have shown the agency's apparently lax efforts to protect itself, including unlocked doors, computer monitors with possibly sensitive information clearly visible to riders, and turnstiles that could be easily hacked.
Topics discussed would include how to forge fare cards, and alter the magnetic stripe and RFID chips in order to dupe the system. Once done, the hacker could ride the system for free.
Researchers were planning to highlight during the presentation that actually performing the hack would be "very illegal" and that information was "for educational use only."
While the hack would not necessarily let an attacker take over the subway system itself, it could certainly pose a problem for an agency that depends heavily on fare collections to continue service.
In issuing its order barring the students from making their presentation, the court used a federal statute aimed at prosecuting computer intrusions. However, the EFF would have none of it, and argued that the order was in violation of the First Amendment.
"The court has adopted an interpretation of the statute that is blatantly unconstitutional, equating discussion in a public forum with computer intrusion," Granick said. "[The ruling] will just stop the public from knowing that these systems are vulnerable and from pressuring the companies that develop and implement them to fix security holes."
The interest group is lauding the work on this case as one of the first to officially fall under its recently created Coders' Rights project, launched last Wednesday.
This is a blatant violation of the First Amendment of our Constitution.
Here's the paper of the security flaws:
http://www.somedork.com/...and-the-first-amendment/
Read it, and don't let this tyranny stand!
Score: 0
|What is the lesson here? Zero day releases are the answer.
Score: 0
|The Real lesson here is that most of the commentators haven't a clue regarding the phrases they toss about.
Score: 0
|"In issuing its order barring the students from making their presentation, the court" is protecting those who really don't deserve protection.
The lazy and shiftless bureaucrats who (might have been bribed when they) selected this crap system and the investors and directors of the crap company who designed this system.
Now the taxpayers get screwed twice - once for buying a totally crap revenue collection system and a second time for protecting the incompetent slobs who sold the system.
Stand up for your right to free expression AND your right to NOT pay for your government to protect lazy, incompetent companies.
Score: 0
|The same thing is happening with the Oyster Card in the UK (the name of the card that is used on Public transport throughout London).
Someone in Holland (I believe) is announcing a flaw whereby the RFID chip can be copied and therefore you can gain free travel. He has however said that he will announce the flaw in September, which gives Oyster a couple of months to find and correct the flaw (though they aren't being told what it is themselves).
If after that they haven't found the flaw, then it's their problem.
That's the method that should have been used here.
Score: 0
|No this is the "money is speech" country...
But you know bend something enough, like a democracy, and ends meet ...
Score: 0
|Nice, maybe some Kool-Aid with your supper?
Score: 0
|You do know that the US isn't actually a democracy? It's a republic. The people have too much control in a democracy......
Score: 0
|What is this? Is the US a communist country now?
Score: 0
|apparently we are
Score: 0
|That's where the money is, apparently. Just ask corporate America.
It's amazing to see just how little Americans know about what communism actually is. [smiles] I guess that it was their bogeyman for far too long...
Score: 0