Declan McCullagh at c|net News reports:
A federal judge on Saturday granted the state of Massachusetts' request for an injunction preventing three MIT students from giving a presentation about hacking smartcards used in the Boston subway system.

The order barred "providing program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System." The ban on "information" appears especially broad, and would restrict even lectures or papers describing the general techniques; this means the broader question about whether communicating code (source or object) is "speech" need not be reached here, because lectures and papers clearly are.

The undergraduate students were scheduled to give a presentation Sunday afternoon at the Defcon hacker conference here that they had said would describe "several attacks to completely break the CharlieCard," an RFID card that the Massachusetts Bay Transportation Authority uses on the Boston T subway line. They also planned to release card-hacking software they had created.
U.S. District Judge Douglas Woodlock on Saturday ordered the students not to provide "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System." Woodlock granted the MBTA's request after a hastily convened hearing in Massachusetts that took place at 8 a.m. PDT on Saturday.
The suit, filed a day earlier, also names the Massachusetts Institute of Technology as a defendant. Neither MIT nor the students — Zack Anderson, R.J. Ryan, and Alessandro Chiesa — could immediately be reached for comment....
The MBTA, which is a state government agency, claims that "disclosure of this information will significantly compromise the CharlieCard and CharlieTicket systems" and "constitutes a threat to public health or safety." ...
Every one of the thousands of people here who registered for Defcon received a CD with the students' 87-page presentation titled "Anatomy of a Subway Hack." It recounts, in detail, how they wrote code to generate fake magcards. Also, it describes how they were able to use software they developed and $990 worth of hardware to read and clone the RFID-based CharlieCards.
Those CDs were distributed to conference attendees starting Thursday evening, meaning the injunction was nearly two days late. (On the other hand, the source code to the utilities — not included on the CD — was removed from web.mit.edu/zacka/www/subway/ by Saturday morning.) ...
The question is whether, in this context, the speech is constitutionally unprotected, and, even if it is, whether it can be restrained by a preliminary injunction. If the only argument was that the students' speech was "crime-facilitating" in the sense of helping others commit crimes (or even torts), I'd just rely on the analysis in my Crime-Facilitating Speech, 57 Stan. L. Rev. 1095 (2005). (For whatever it's worth, there's apparently a factual dispute about whether the students warned MBTA of their findings and gave them an opportunity to fix the security problem before going public with their conclusions; that question may be relevant to whether the students behaved properly, but under my Stan. L. Rev. analysis it shouldn't be relevant to whether their speech publicizing the violation is constitutionally protected.)
But here the MBTA argues (see the Complaint and the Memorandum in support of the Temporary Restraining Order) that the student defendants got the information by illegally accessing the material inside the MBTA cards, and other MBTA computer systems, in violation of the Computer Fraud and Abuse Act — a law that neutrally bans the conduct of unauthorized access to others' computer systems. Whether the speech communicating information they learned from their illegal conduct (if it was illegal) may be restricted is potentially a different question.
On the other hand, even otherwise unprotected speech generally can only be restricted after a finding on the merits that the speech is indeed unprotected. It generally can't be restricted via a temporary restraining order or a preliminary injunction that's just based on a preliminary, quick-and-dirty estimate of whether a crime was committed and whether the speech is therefore constitutionally unprotected. That's the best rationalization I could come up with of the "prior restraint" doctrine, which as I understand it means that speech cannot be restrained prior to a merits finding about whether it's unprotected. See this analysis in Mark Lemley's and my Duke article on preliminary injunctions in intellectual property cases, though note that our article responds largely to the fact that the prior restraint doctrine seems to be disregarded (mostly silently) in certain classes of cases, such as copyright cases.
So this is a pretty complex legal question, which is one reason I only offer the tentative framework above. I hope to have more thoughts on the subject in coming days.
Considering that RFIDs were cracked literally years ago but are somehow still being rolled out in new systems as if they were secure, I'd suggest that to be the intended result.
Oh look, it's working. :-/
Is this really true? It seems to constitute a threat to the MBTA's finances.
Of a man named Charlie
On a tragic and fateful day
He put ten cents in his pocket,
Kissed his wife and family
Went to ride on the MTA
- Man who never returned
http://www.mccullagh.org/
Unless one attempts to sever free speech from property rights, I don't see how this is a "complex question." Publishing one's ideas is a form of action. And this is clearly action in the furtherance of a crime.
If this were their motive, which I don't for a second believe, they could have accomplished it privately. This is not a whisper -- akin to: "psst, your fly is open." This is shouting to the world in order to ridicule and garner fame.
I don't understand the problem. If you are giving money to the GOP, why wouldn't you be out and proud of it?
"This is shouting to the world in order to ridicule and garner fame." Possibly. But if they just whispered, what guarantee is there that the system would actually do anything about it? Except perhaps arrest the students, maybe, in which case they would not have the public support because they didn't go public.
Sometimes shining light upon a problem is the best way to address the problem. Now, the MTA is forced to fix the problem whether they want to or not, or suffer more problems.
Plus, it's a very good stunt to show us all how vulnerable we all are, and to remind us that nothing on computers is safe or secure, despite what people like to think.
And it sure worked, didn't it?
This wasn't merely "public proclamation of security vulnerabilities." This was "here's how we forged new values into the stored-value system, and how you can do it, too."
On a technical matter: how did the students figure out the checksum being used?
So you would have no problem with a political advocacy group opposed to your viewpoints, threatening to dig up dirt in your life and broadcast it?
Used to be, that was called extortion.
That's a pretty remarkable claim right there. If I buy an MBTA card from a vending machine, that's a sale under UCC, so the card itself becomes my property. Now, I do not have the right to use my property fraudulently -- for instance, to alter the card and use it to get free subway rides. But can I really be charged with unauthorized access to a "computer system" (smart cards have a little computer in them) that I own?
MBTA sold me a card. MBTA's property rights in that card terminated at the time of sale. It is no longer up to them whether an "access" to that card is "authorized" for Computer Fraud and Abuse Act purposes. While there are certainly illegal things I could do with that card (such as altering it and presenting it fraudulently ... or using it to pick a lock, or making a piece of illegal drug paraphernalia out of it), how can reading the data off of a piece of my own property be "unauthorized access"?
Free speech on security vulnerabilities is the only way to keep public knowledge anywhere close to criminal knowledge and to keep the residual risk built into systems anywhere near to appropriate level.
Without free speech on vulnerabilities we will degenerate to the 1 toggle bit security approach where no one can talk about what a bit in a software program means or how to modify it if it will allow a software exploit that causes financial harm.
There were a few different issues in their slides. One was that they were showing how "secure" offices were often left wide open. Another was the showing of keys that they photographed and showed in high-detail so they could be duplicated. Another was "here is how you can create new high value cards for the Charlie system."
I'm sketchy about the "public health and safety" claim, but there is something there for them to hang that claim on.
"Sometimes shining light upon a problem is the best way to address the problem. Now, the MTA is forced to fix the problem whether they want to or not, or suffer more problems."
So, just talking about the forging cash values onto cards: who benefits? The MBTA clearly suffers, and now they have a choice over what kind of suffering. But I don't get who benefits by these guys making it very easy for people to create fraudulent stored-value cards.
I don't know the relevant statutes, etc., but it is certainly not atypical that a sale does not result in the new owner having unlimited ownership rights. Consider, e.g., the purchase of a home in a suburban neighborhood with an ornery association keeping watch. So, here, it is certainly plausible that the card is sold either for certain purposes only or for use generally with the exception of certain forbidden purposes. Given the presence of the law to set default contract terms where there has been no negotiation, I'd assume that one of those two cases applies (and, here, they are likely rather indistinguishable in effect). If the students wanted more access, they could have sought an unlimited use card (albeit likely at a higher - much, much higher - price).
"Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings." --Netherlands court, denying an injunction against Dutch researchers by the Dutch chip maker.
The information on how the chip works is already online, and the Massachusetts court is making itself look foolish. Many other groups have also reverse engineered (cracked) this kindergarten code, and the ever-industrious are selling clones. Is MA buying these Chinese counterfeit 'compatible' chips? Maybe they just obtained this publicly accessible information, and were going to present that? Some MIT geeks should stand at the terminal and hand out free CDs with this information to Boston T commuters.
Gratifying to security types is that the Dutch court rejected the false concept of security-through-secrecy. But the action of the Boston court in even taking this case is a shame to Americans.
Also, the reason that the checksum was compromised: when you have developers building proprietary cryptography vs using a rock solid public crypto scheme, you end up with very easy to break crypto as most developers are not cryptomasters.
Most of the appliances that check the cards (on the bus, at the metro, etc.) likely do not phone home all the time and so there's a possible way to avoid a network check for the stored balance. I think that is why the Fastlane RFID tags work better and are not as vulnerable to this crack - they check the balances in real time and are always connected.
Similar to the WEP 64bit poor crypto issue where you can brute force a key for access in about 2 days time on your home pc.
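The two points made in this comment (a home-grown checksum is forgeable by anyone with a card writer, and a reader that does not phone home has nothing else to rely on) are easy to show concretely. The block below is an added example, not code from the page, from the students' slides, or from the MBTA. The record layout (4-byte serial, 2-byte balance in cents, trailing tag), the 8-bit additive checksum, the serial number and the two keys are all constructed for the demo and are not the real CharlieTicket format. It goes one step beyond the comment and also shows why a keyed MAC is only as good as its key, which is the point made further down the thread about strong algorithms needing long random keys.

```python
# Added example: a constructed stored-value card record protected by (1) an
# unkeyed additive checksum and (2) a keyed MAC, showing which one a card
# writer can forge. Nothing here is the real CharlieTicket/CharlieCard format.
import hashlib
import hmac
import itertools
import struct

# Hypothetical record body: 4-byte serial | 2-byte balance in cents (big-endian)
def pack_body(serial: int, cents: int) -> bytes:
    return struct.pack(">IH", serial, cents)

def unpack_body(body: bytes):
    return struct.unpack(">IH", body)  # (serial, cents)

# --- Scheme 1: "proprietary" 8-bit additive checksum (no secret involved) ---
def checksum8(body: bytes) -> int:
    return sum(body) & 0xFF

def encode_checksum_card(serial: int, cents: int) -> bytes:
    body = pack_body(serial, cents)
    return body + bytes([checksum8(body)])

def verify_checksum_card(card: bytes) -> bool:
    body, tag = card[:-1], card[-1]
    return checksum8(body) == tag

def forge_checksum_card(card: bytes, new_cents: int) -> bytes:
    """Attacker keeps the serial, rewrites the balance and recomputes the
    checksum. No key is needed, so an offline reader cannot tell the difference."""
    serial, _ = unpack_body(card[:-1])
    return encode_checksum_card(serial, new_cents)

# --- Scheme 2: keyed MAC (HMAC-SHA-256 truncated to 4 bytes) ---
TAG_LEN = 4
# Constructed demo keys: a 16-byte random-looking key and a deliberately short one.
LONG_KEY = hashlib.sha256(b"constructed demo key, not a real one").digest()[:16]
SHORT_KEY = b"\x13\x37"

def mac(body: bytes, key: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def encode_mac_card(serial: int, cents: int, key: bytes) -> bytes:
    body = pack_body(serial, cents)
    return body + mac(body, key)

def verify_mac_card(card: bytes, key: bytes) -> bool:
    body, tag = card[:-TAG_LEN], card[-TAG_LEN:]
    return hmac.compare_digest(mac(body, key), tag)

def forge_mac_card_without_key(card: bytes, new_cents: int) -> bytes:
    """Attacker rewrites the balance but can only copy the old tag; the reader
    recomputes the MAC over the new body and rejects it."""
    serial, _ = unpack_body(card[:-TAG_LEN])
    return pack_body(serial, new_cents) + card[-TAG_LEN:]

def brute_force_key(card: bytes, key_len: int):
    """Recover the MAC key from one valid card by exhaustive search. 2 bytes is
    65,536 candidates and takes well under a second; 16 random bytes is hopeless."""
    for candidate in itertools.product(range(256), repeat=key_len):
        key = bytes(candidate)
        if verify_mac_card(card, key):
            return key
    return None

def demo() -> dict:
    serial, cents, forged_cents = 0xDEADBEEF, 125, 10000
    c1 = encode_checksum_card(serial, cents)
    c2 = encode_mac_card(serial, cents, LONG_KEY)
    c3 = encode_mac_card(serial, cents, SHORT_KEY)
    recovered = brute_force_key(c3, len(SHORT_KEY))
    return {
        "forged_checksum_accepted": verify_checksum_card(forge_checksum_card(c1, forged_cents)),
        "forged_mac_no_key_accepted": verify_mac_card(forge_mac_card_without_key(c2, forged_cents), LONG_KEY),
        "short_key_recovered": recovered == SHORT_KEY,
        "forged_with_recovered_key_accepted": verify_mac_card(
            encode_mac_card(serial, forged_cents, recovered), SHORT_KEY),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first result is the situation the comment describes: with an unkeyed checksum, the only thing standing between a card writer and a $100 balance is recomputing one byte. The MAC fixes that as long as the key stays secret and long; a 2-byte key falls to a loop, which is the "short key" failure, and a reader that is always online (the Fastlane point) can additionally check the balance against a ledger so that a cloned or replayed tag is still caught.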
So, I think that the Court was probably right in issuing the TRO, but would likely be wrong to issue a permanent injunction. Remember the purpose of a TRO - to freeze the situation until the court can investigate further, inter partes.
The RFID chip itself has no security - it just stores data. The issue is how the information is encrypted. Many RFID systems had (have!) weak encryption and so the information is easily compromised, as in the comments regarding passport information. A strong encryption system (and there are several) AND a long random key will make for encoded information which cannot be compromised.
However, people are lazy and memory is weak and written information can be copied. As a result, most people choose weak/short keys that are easy to remember (and easy to guess) which gets us security compromises.
Moral of the story: always include the source code with your demos. Holds true in a professional setting as well.
"Used to be, that was called extortion."
My understanding is that moveon is just going to identify people who donated to the GOP, not dig up dirt on the lives of the people who donated. If the former, I see no problem with it. Indeed, we have laws that insist on disclosure. If the latter, then yes, I would have a problem with that.
But I donate to many groups and organizations, and I have no problem if the entire world knows about it. In fact, I'm rather proud of these organizations and have no reason to hide my contributions.
OTOH, the court should hear the case. Massachusetts claims among other things:
Magnetic-stripe cards (like most ATM and credit cards) are computers, these 'computers' are used for national security purposes, analyzing these cards is a threat to public health and safety, and MBTA will suffer "irreparable harm".
All this for decades-old information available to anyone via internet, on an issue that manufacturers and MBTA decline to fix.
Cryptome has all the information, but the complete DEFCON presentation is here, and the state's complaint here.
The law states that you can't hack the internal code. The card is sold to you for a purpose: to use for transportation. Just like a car is sold to you to use for transportation, not as a weapon -- even though it could be used that way.
Stealing the property of others [in this case, the taxpayers and honest transit users], is theft. Condoning theft is what got us into this current screwed up society.
Like the protagonist in The Kite Runner says, all wrongdoing is basically theft. When the law says you can't hack the source code, you're a thief if you do. A taste of jail time would be a great example to similarly minded thieves.
It is possibly a hack (don't comment unless you understand it) on the legal system. If not, it is a fine substitute for demonstrating legal incompetence.
If the court grants the injunction (Oh dear, it already did!) it will be enjoining speech, ie preventing persons from speaking. Period.
There is no 'security' aspect to the presentation. The proposed paper is about prior public speech and knowledge. It doesn't even contain any details on what has already long been published and discussed.
This is little different than a court preventing a citizen from presenting the Constitution or DoI to a group of people.
Yes, and I cited examples where uses of your property (the card) would be illegal: if you altered the card and used it to commit fraud, for instance, or if you made the card into illegal drug paraphernalia. But that's not what's at issue here.
One of the MBTA claims is apparently that accessing the data on the card is an "unauthorized access" under the terms of the Computer Fraud and Abuse Act. And it is that claim I'm calling out as a property-rights violation.
Please note, I'm not speaking to any of the MBTA's other claims, including unauthorized access to computer systems that the MBTA actually owns. I'm speaking solely to the claim of unauthorized access to a smart card which is not the MBTA's property.
The law in question doesn't say that.
The law in question is the Computer Fraud and Abuse Act, which prohibits (among other things) unauthorized access to protected computer systems. Unauthorized by whom, though? In the law, authorization to access a computer system comes from the owner of the computer system ... not the person who sold that computer system to the current owner.
The MBTA is claiming an ownership right (the right to refuse authorization to access a computer system) on a computer system (the smart card) that it does not in fact own.
To draw a parallel: Suppose that you purchase a computer system from Dell and use it for a purpose that Dell does not approve of. Perhaps you use it to put up a Web site critical of Dell's customer service practices. Perhaps you inspect the hardware and design of the computer and publish a paper on the engineering flaws of that design. Under the MBTA's logic, Dell would now be able to get you charged with "unauthorized access" because you are using the computer for a purpose Dell did not intend or desire: Dell sold you the computer to write term papers and look at porn, not to criticize Dell's customer service or engineering practices, so (by the MBTA's logic) you are committing "unauthorized access" to that Dell computer.
That's extortion, threats of invasion of privacy, and possible threats to life, safety, or property, all with the purpose of chilling the exercise of political-civil rights. To my mind, that's a Section 1985 violation and possibly a violation of a host of state and federal criminal laws as well. Why can't a court issue a TRO against such threatening letters?
Doesn't this mean that the party seeking a TRO will nearly always win? They will always be able to argue that there is "no harm" in delaying release of information while the court investigates further because the information can be released later. I think you can only get to this conclusion if you discount the harm of restricting the speech in the first place, so that there is weight on only one side of the scales.
In any event, as one poster has pointed out above, the only harm here is to the MBTA's ability to receive fares. It is a monetary harm, if anything. Compare that to the arm of the Pentagon Papers case, where the Supreme Court ruled that prior restraint was impermissible. Here you have money damage (which can be redressed in a lawsuit later), and there you have national security damage (which has no redress, if the damage was legitimate and not just embarrassment to the Nixon Administration). And yet, there the government lost, and here the government won.
Yes, the information here was not news being published by a standard media source, but still I thought the rule was generally that "Any system of prior restraints of expression comes to [the courts] bearing a heavy presumption against its constitutional validity". I just don't see how you square that statement with a TRO here.
I pulled a CharlieTicket out of my wallet, ready to regale you with the fact that they reserve ownership, like any frequent shopper card would.
But, alas, it doesn't say that. It says "Subject to applicable tariff regulations and conditions of use. Ticket may be confiscated for misuse. Not replaceable if lost or stolen. Non-refundable."
Could any of those be construed to mean that the MBTA retains ownership?
(There's also a copyright symbol, but I don't think that restricts access in anyway.)
Is the CharlieCard any different with its text?
That was 1971.
This is 2008.
Don't you know that 9-11 changed everything?
Face it. The students' very first mistake was in planning to go to a dodgy venue like DEFCON in a dodgy town like Las Vegas. Just attending that conference —let alone presenting at it— should be enough to get your name on a hacker-terrorist watch list.
They should have covertly sent the info into the Netherlands, using assumed aliases. These days, security students who deserve "A" grades need 5ki1z and tradecraft.
It's not 1971 anymore. Hasn't been for a long time.
Stealing taxpayer money?! That's the government's job!
Thanks for a nice trip down memory lane. I hadn't even thought about "Adventure" for years, but your handle reminded me and brought back good memories of a life I had before law school.
EFF?
ACLU?
Grassroots Slashdot funding?
MA was wrong to seek this. The court was wrong to grant this. This is that apocryphal situation that 'the insurance companies and the auto/oil companies' live in fear of, where the little guy wins a legal precedent that interferes with their continuing to pick his pockets.
Keep in mind that a TRO is very temporary, and a preliminary injunction is just that. We aren't talking right now about keeping it out of the public domain forever, but rather just until the Court can review it more carefully on an expedited basis.
If you booted up your new Dell and a message popped up saying that Dell reserves the right to remotely delete any Web site created with that computer if they don't like it ... could that be construed to mean that Dell retains ownership of your computer? I suggest not. Moreover, it shouldn't even deter prosecution of Dell under the Computer Fraud and Abuse Act if they tried it!
Merely printing a message on a product, only to be seen after the purchaser has already purchased it, does not change the property rights of the purchaser.
(Former) Chief Justice Rehnquist disagrees with you in Alexander v United States:
(Emphasis added.)
Fwiw, Alexander has been cited elsewhere as a particularly cogent explanation of the law on prior restraint.
And, no, they can't sue the court. Or, if they do, they will lose, and may get hit with sanctions themselves. The state maybe, but not the Court.
As with anything in the Constitution, and in particular here, the 1st Amdt., nothing is absolute. There is information disclosure that our courts will enjoin. For example, should DOE come to a court and ask for an injunction against an imminent disclosure of our latest device designs, they are likely to get it. Ditto for tonight's targeted terrorist hideouts in Iraq or Afghanistan. In the first instance, the injunction is likely to be permanent, while in the latter, by the time you could get to a preliminary injunction hearing, the information would likely be stale.
What many here are doing is arguing with facts that the Court does not yet have. It doesn't know that the MTA didn't retain an interest in the passes, that much of this information is already out in the public domain, that this wouldn't enable terrorists, etc. Its job right here is to be safe, rather than sorry, until there is a chance for a preliminary injunction hearing.
Have you ever attended a conference? Several thousand people flew to this conference for the purpose of hearing the presentations live and speaking face to face with various speakers and other attendees over the course of the weekend. All of the recordings of the presentations are available on DVD after the conference. If the difference between seeing the presentation at the conference and hearing a recording after the fact was "de minimis" why would anybody go to the conference? Why would anybody ever attend any conference about any subject? Surely a "de minimis" difference would not justify airplane tickets, hotels, and convention center space!
They are not making it "very easy," but there is a benefit to discussing these things because doing so helps security practitioners understand how to build effective security systems that work.
Also note that in trade secret cases, if you can't get a TRO, a preliminary injunction is often worthless, since the alleged discloser could disclose during the time between notice of a hearing and the hearing itself, with only the prospect of monetary damages available as a remedy (and these guys are likely judgment proof as they are students).
Keep in mind that disclosure of illegally discovered trade secret information is a violation of trade secret law. So, if you break into the safe that has the Coca Cola formula and put the formula out on the Internet, you can not only be prosecuted for the burglary, but also are subject to whatever the TS law provides. And that is what is being alleged right now, the equivalent to discovering the Coke formula through safe cracking. That is why the Computer Fraud and Abuse Act may be relevant.
I feel like the MBTA was trying to get (by analogy) an injunction that would prevent the MIT students from saying that the emperor is not wearing any clothes.
To further the analogy: RFID technology is known to have security flaws; it is like a completely sheer shirt. There is material there, but if our emperor is wearing only the RFID tech, then they are clearly naked despite having a sheer shirt on -- they can be seen bare. As the MBTA turns its back on the MIT students by filing court action, they have shown the hairy buttocks of their ignorance. They are already naked and want to enjoin the MIT students from speaking on that issue.
By the way, did anyone else listen to the audio record of the Mass. Court hearing?
I couldn't take it beyond the first hour due to the stuttering of the MBTA's lead counsel. However, on the merits, I was interested in the issue where the judge repeatedly questioned defense counsel about whether there was "anything new" in the presentation. He vacillated between the two possible answers: there is something new in the speech by the MIT students, or there is nothing new.
EFF counsel said approximately that most of it was public knowledge, but that the technical application in this case constituted new information.
From the comments, it seems as if the judge did not agree -- he felt application of a generic principle to this case did not fall under "new" information.
But I am confused.... is it simply that had there been no new information the speech could have been enjoined? That, to me makes no sense, to issue a TRO for an already rung bell. Contrariwise, if there was something new, then the novel information is speech. Saying "I did this" is speech. Showing the results of your work is also clearly speech.
Again, you give little weight (if any) to the cost of restricting speech. That is contrary to the Supreme Court's instructions in New York Times v. U.S. They took the opposite approach and said there is a strong presumption against a prior restraint. They did not differentiate between a TRO and an injunction, preliminary or otherwise.
You could just as easily ask what are the damages of asking the party seeking a TRO to wait a little longer until they are able to appear before the court with the other party present and the court is able to look at all the evidence. That is especially true here, where everyone who would have been party to the presentation already had the information in CD format.
No one is claiming that the right to speak is absolute, but the rule is nevertheless fairly heavily stacked against those seeking to restrain speech. The targeted terrorist design example is a bad analogy, because the times and dates of troop movements are the one area where the courts have said that prior restraint is OK. But that is not going on here. The injunction against design disclosure is a better analogy, but given that the cat was out of the bag a while ago on this, and this is not really a "trade secret" in any fair sense of the word, I don't think that works either.
Well, here you have the real rationale, which is that there should be a different standard for obtaining a prior restraint when the alternative is suing someone that is judgment-proof. I don't think there is any precedent for that claim, is there? The proper remedy here is a suit for damages (lost fares) against the students. You may be able to force them into bankruptcy or get a lien against future wages, but blocking their speech because you don't think you can collect on a judgment is very difficult to square with the First Amendment.
"These guys are likely judgment proof as they are students."
I think the trade secret analogy, at least right now, is probably better than any other we have seen. I think that you could plausibly argue before a court that the students were trying to release secret information they acquired illegally that belonged to the MBTA. We have facts available to us to possibly disprove that, but that is now, and not then. Ok, the judgment proof was a throw away. There may have been some injunctive relief granted for that reason, but it is more likely I think that this is not taken into much consideration.
If their plan is to keep the insecure system, and try to get the courts to block people from talking about the poor quality of their "security", then they deserve no consideration at all.
It appears they're going for plan B. In which case the court screwed up. The only acceptable response to "you have a security vulnerability" is "how do we close it?" Not "how do we hide it?"
1. It hardens the security
2. It helps people understand the risks of the ever expanding government drive to create databases containing personal information.
Transit card exploits are the tip of the risk iceberg. A hack that would allow someone to pull all of your personal information off of the new passports that store it on RFID is something that presents far more risk to the passport holder.
The fact that the transit authority filed for a restraining order thereby providing a tidal wave of publicity to an utterly obscure presentation shows that they really don't understand security.
Subway presentation is available here Subway defcon presentation
Via a comment at dailypundit Welcome to the Third Millennium,
Interesting comment on the restraining order
Let me guess: you aren't an academic, right? These students were denied the opportunity to advertize themselves on a public stage. Giving a talk is how you get others to read your paper. It's also how you get others to see who you are so they can meet you in person afterward. People don't go to a talk to learn the details (which they will get from the paper or by e-mailing the authors). They go to the talk to see the speaker and to get an idea of whether they should be interested and read the paper / ask for more details / do followup work.
This TRO is stupid exactly because its purpose seems to have been one of spite: to deny the students the intangible benefits of giving their talk without in any way inhibiting the dissemination of their results. In fact, by drawing attention to the paper the TRO served to increase the dissemination.
Realistically, the goons are running the circus, with people of semi-to-full light fighting a losing rear-guard action.
I think this exceedingly silly. The TRO will likely be expired by the time an appeals court could hear this. The time to appeal is if and when a preliminary (or permanent) injunction is granted.
So, I am suggesting that they got more notice this way than if they had been able to do what they originally intended.

Let me suggest that you are reading more into this than is warranted. Incompetence is a much better explanation than spite.
One can argue that for hackers to provide detailed information about how to hack a particular computer security system isn't terribly different from a gay student organization providing peer counseling, which the 4th Circuit, in one of the predecessors to the Paladin case, held a state with a sodomy law could prohibit. The grounds would seem similar: providing specific details about how to commit an illegal act to people inclined to commit it represents "solicitation" and goes beyond abstract advocacy of the act.
The 4th Circuit's view of the solicitation exception has historically been more expansive than most other circuits. If its view becomes established, it would appear to have a great many other applications.
No, it's job is to safeguard the first amendment until the party seeking the TRO justifies a prior restraint of expression.
The court may not have the facts at this stage, but that counsels against granting the TRO. The presumption is that a prior restraint of expression may not be justified, and to overcome that presumption, the moving party bears a very heavy burden. Vague and general claims of irreparable harm are insufficient.
If the facts are not known, the courts may not speculate in favor of granting the restraint. If any speculating is to be done, it must be in favor of the first amendment bar on prior restraints.
True, but (blind squirrel) Bruce has no idea what "safe" is. The Constitution is protection, our only shield against despotism and tyranny. Millions of people suffer and die when those protections are ignored.
"Safe" means to protect our nation, our Constitution; that is the courts' oath of office, its duty and obligation. It is not the court's place to join MBTA's squeals of horror and indignation at being lampooned.
Crushing civil rights to soothe MBTA is simply and plainly unconstitutional.
Yesterday, August 11, 2008, the Massachusetts Bay Transportation Authority (MBTA) filed and served a “MOTION to Modify Terms But Not Duration of Temporary Restraining Order”. The motion was accompanied by a declaration and exhibits.
The motion seeks a change to the language of the TRO:
(Underlining not rendered in HTML.)
They are not making it "very easy," but there is a benefit to discussing these things because doing so helps security practitioners understand how to build effective security systems that work.
When they give the source code to reproduce the checksums, they aren't just demonstrating how easy it is. That means that someone can get a $500 card writer and go into business selling $100 CharlieTickets without having to figure anything else out.
This isn't "proof of concept." This is "how big a splash can we make?"
All it will guarantee is that the next hack will simply be released anonymously onto black-hat sites with no warnings at all.
How do they ride the publicity wave if they do it anonymously?
Perhaps. Is there any evidence that they were going to do that? No, none at all.
Moving quickly to our next scary story in 'Security Theater':
Will MBTA try an injunction against the Post or against a couple of students? Hmmm...
At least by legend in the 20th century, MIT hackers made two successful exploits against the MBTA's predecessor agency, the MTA. They thermite-welded a trolley to its tracks, and they slid an MTA train braking for Kendall Square station halfway to Central Square. Either exploit could have been legally enjoined readily, and actually prevented, had the MTA learned of it in time.
In the present case any "damage" has either already been done, or is unpreventable practically even with a permanent injunction. Yet, now the MBTA isn't sure whether to believe they've been pwned. That is beyond silly.
One student had the source code up on their www.mit.edu website. It's gone now, so I can't check precisely what was there. But, unless they took some special obfuscation steps, then, yes, they did indeed give out the source code so that anyone with a $500 card reader could manufacture arbitrary CharlieTickets.
Now, if they showed this to the MBTA and the MBTA said "so what?," then I think they're clear ethically.
Full moral reasoning often doesn't develop until the mid-20s, and I know at MIT that sometimes you get people who are very smart but lack common sense. So it's easy to imagine that the little voice in their head that asked "wait, could someone be harmed by this?" was easily shouted down by the hopping little bunny saying "WHO CARES? THIS WILL BE COOL!"
6.001, the introductory EECS class at MIT, used to have a unit on ethics. The class has changed a lot recently, into an online format, so maybe students just skip over it now.
Nevertheless, the EFF, representing the MIT students, has moved to dismiss the TRO. And this is how it should be. TROs are temporary by their very nature. The next step is to have a preliminary hearing for the Court to try to judge whether the MBTA or the EFF appears to have the better case.
My guess, though, is that the MBTA is going to have more problems with the facts than with the theory. Is there really that much left undisclosed that cannot be otherwise reverse engineered or otherwise figured out? They seem to be a bit behind the ball throughout.
So you have NO EVIDENCE of anything. What part of NO EVIDENCE has to be repeated until you understand it? Good grief!
The phrase "source code" means almost nothing (technically the phrase means so many things, the end effect means nothing in particular) and adding "the source code" means nothing either.
Ethics? You blab about ethics when you would strip civil rights on the possibility of crime? You have no shame.
I did RTFA, which said:
(On the other hand, the source code to the utilities--not included on the CD--was removed from web.mit.edu/zacka/www/subway/ by Saturday morning.)
Now, maybe this isn't EVIDENCE IN A COURT OF LAW OMFGBBQ!!!11, but I think that it's a reasonable assumption to say that, yes, the students had the source code to the utilities up on MIT's website. Is it possible that Declan is wrong? Yes, yes it is. But for the standards of an Internet fight I have provided a source that says they provided the source code to the utilities. I know this won't make every single person happy, but that's fine, because some people are incorrigible.
Fortunately I did no such thing.
Uh, Bruce ... what trade secret does MBTA claim? Where does it make a trade secret claim? I can't find any claims, leaving 'none' and 'nowhere'.
MBTA does use trade secret cases to show --exactly like Bruce-- that courts have squelched speech. But they do not make the claim (which they must) that there is a trade secret.
Many people think the First Amendment is 'important' except when something really important happens, like a couple of dollars in 'real' damages. In contrast, our Founders thought the First Amendment was more important than trade secrets. They refused to ratify the Constitution with its patent and copyright provisions until they were assured these parts --these Amendments-- would NEVER be violated without just cause.
The court's role is to protect people under the Constitution, our only shield against despotism and tyranny. Without this protection non-elected Authorities will willy-nilly sue for imaginary wrongs ... like they are currently being defended by Bruce for doing.
No, you provided a source that says source code used "in the process of researching these attacks" was on the website. There is absolutely no evidence to indicate material to aid attacks on any system was ever offered. No evidence.
The MIT students never claimed any "utilities" in any form; that is a Weber invention. The students do say --in a paper not intended for public consumption-- "We have purposely omitted detail of this checksum in any public disclosures ..."
What is ironic is that you --Dan Weber-- used source code many times already, uploading it onto Volokh's website computer in order to compile and run it.
Your continued use of the phrase "source code" as a scare tactic just shows you've watched too much SecurityTheater(tm).
If the students think I'm libeling them, they're free to sue me. They can find me in the Alumni Directory.
MBTA picked the right court. US District Court judge Douglas Woodlock is a previous (2005) recipient of another Muzzle Award for his role in approving of the razor-wire-enhanced protest pen outside the Democratic National Convention.
That's my alma mater! (Aafia Siddiqui's too?! But the Unabomber, Ted K, was Harvard's pride.) While it wasn't a true hack, MIT undergrads also tested their intellectual capacities (and Sitzfleisch) against another rail system, the NYC subway system, in a practical demonstration of the traveling salesman problem, establishing that it was possible to ride the length of every subway line in the system within a space of 24 hours.
Dan Weber, what year and what Course? Back when it really was Hell, or after they got soft and made everything pass/fail the first year? (Me - Course XIV in the long ago days of Julie Stratton and Freddie Fasset.)
I think they've modified Pass/Fail, too. You have a certain number you can use at any point in your education, not just freshman year.
Dan Weber wrote at 8.13.2008 12:43am:
Uh oh. Who's teaching 6.01 these days? Loved the way Bose taught it.
VIII here, with a bunch of XXI on the side. Seventeen hundred was too damned much in those days, but the buffet was all you can eat. That's my story and I'm sticking to it.
The MIT students have responded and cross-moved for reconsideration. Their motion is accompanied by the Hoffman declaration and exhibits and the Granick declaration.
The hearing is set for Thursday, August 14, 2008.
http://news.cnet.com/8301-1009_3-10016114-83.html
Check out the email exchange between the EFF lawyers and the MBTA lawyers. The EFF thinks the MBTA made a big security booboo when they included a "confidential" report from the MIT kids to the MBTA in court documents, thereby rendering it public information.
[The report characterizes the checksum (and generating algorithm) on CharlieTicket cards as "weak" and "only 6 bits long", information which is omitted from the Defcon slides. The exact nature of the current algorithm is not disclosed in the report, but it does note that "[an attacker] only has to generate and try 64 different cards to find a working forgery".]
My goodness, were you one of those people "rioting" at Julie's front door in protest of the bump in tuition to $1700? (That's so long ago that I'm not sure whether it was $1700 per semester or per year. I think the latter, though hard to believe.)
Dan Weber: "...we were down to a rate of only 1 suicide a year, which the administration seemed fine with until a few of them made the national news and they started panicking."
Oh, we had a substantially greater drop-out rate than a measly 1 per year. (Not as many as Cornell, though, with people "gorging out" there.) And some were quite public about it, e.g., jumping onto Storrow Drive from the top of BU Law. Yeah, those were the days.
I'd have major doubts. You underestimate the security community. Looking at the website, other talks included: " a new ... attack tool for exploiting web applications that use cleartext HTTP ... We'll demonstrate attacks on online banking as well as Gmail, LinkedIn, LiveJournal and Facebook. We'll also compromise computers and an iPhone by subverting their software installation and update process", "Deciphering Captcha" (100% effective), and "Compromising Windows Based Internet Kiosks". Unlike the three speakers I noted, the MIT students didn't implement any exploits: they just read the cards and tickets using off-the-shelf equipment, interpreted the results using existing research, and theorized about attacks that may be possible. Their presentation was carefully scrubbed of details that might in fact help attackers.
@Bruce Hayden:
Since every bit of information the students have is "public", I'm not sure what this means. Whatever information they didn't get from others they created themselves. There is no claim that they obtained any secret information directly from the MBTA. They did nothing that a general member of the public couldn't do.
The only sensible interpretation I can make of this modification is the MBTA believes that publishing security research is wrong, but once someone gets away with publishing certain results then others republishing these particular results can't be prevented.
I wasn't the model of serenity in those days, but those events did give me some perspective about what's important.
There's a very nice mp3 of original Screwed Right to the Wall and other stuff here. Link to the whole WTBS magilla and more on the page too.
And w.r.t. your 10:38am, that involved a lot more social engineering than later methods. One of the early tech phone hack pioneers died a couple years ago of natural causes. I didn't know him until working with him professionally years after those days.