Massachusetts transit authority sues Defcon subway hackers

[p858snake]

Massachusetts transit authority sues Defcon subway hackers

Las Vegas (NV) ? Three MIT students probably won?t be giving their scheduled Defcon speech on getting free subway rides. The Massachusetts Bay Transit Authority ? the agency in charge of the Boston T subway ? sued the trio for computer fraud and requested a temporary restraining order to prevent them from presenting the talk.

Zack Anderson, RJ Ryan and Alessandro Chiesa are researchers and students at MIT under the instruction of the famous professor Ronald Rivest who helped create the RSA security algorithm. Their talk, which was scheduled for Sunday, was supposed to demonstrate how the subway?s ?CharlieCard? could be hacked into giving free subway rides. These hacks could conceivably be used on other subways.

According to the talk description, the trio used software radios and FPGAs to circumvent the protection mechanisms and to prove the point, they were going to do a live demo of the hack in action.

We give the nod to Dan Goodin at The Register for getting the scoop on this story. Anderson told Goodin that the team never intended to release tools for hacking into subway systems and had tried to warn the Transit Authority of vulnerabilities in their system.

Source: TG Daily

Link: The Presentation (PDF)

Link: The Tech (MIT's Newsletter): Students? subway security talk canceled by court order

[Argi]

Finding weaknesses in software != computer fraud.

[portauthority]

Hacking subway cards for free rides == computer fraud

[tiagosilva29]

The injunction was granted.

Judge orders halt to Defcon speech on subway card hacking

A federal judge on Saturday granted the Massachusetts transit authority's request for an injunction preventing three MIT students from giving a presentation about hacking smartcards used in the Boston subway system.

The Electronic Frontier Foundation, which is representing the students, anticipates appealing the ruling, said EFF senior staff attorney Kurt Opsahl.

The undergraduate students had been scheduled to give a presentation Sunday afternoon at the Defcon hacker conference here that they had said would describe "several attacks to completely break the CharlieCard," an RFID card that the Massachusetts Bay Transportation Authority uses on the Boston T subway line. They also planned to release card-hacking software they had created, but canceled both the presentation and the release of the software.

U.S. District Judge Douglas Woodlock on Saturday ordered the students not to provide "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System." Woodlock granted the MBTA's request after a hastily convened hearing in Massachusetts that took place at 8 a.m. PDT on Saturday.

EFF staff attorney Kurt Opsahl said that the temporary restraining order is "violating their First Amendment rights"; another EFF attorney said a court order pre-emptively gagging security researchers was "unprecedented."

EFF attorneys appeared with the three students--Zack Anderson, R.J. Ryan, and Alessandro Chiesa--in front of a crowd of hundreds at an afternoon session at Defcon, but largely prevented them from answering questions, citing the lawsuit. Although Sunday's talk is canceled, Defcon organizers hinted that there may be a related presentation on a similar topic.

The students told reporters that they had, on their own, asked their professor to initiate contact with the MBTA a week before the government agency contacted them on July 30 or July 31. But the process was delayed because professor Ron Rivest was at a security conference near San Francisco, and no contact with MBTA was made at the time.

But then the conversations took a hostile turn when MBTA mentioned an FBI criminal investigation of the MIT students. In the "initial contact, they said the FBI was investigating and that was not--we didn't find that to be a very pleasing way to start a nice dialogue with them. And we got a little concerned about what was happening," said Anderson, one of the students.

EFF's Opsahl said the students only intended to "provide an interesting and useful talk, but not one that would allow people to defraud the Massachusetts" government.

The MBTA, which is a state government agency, alleges in its lawsuit that "disclosure of this information will significantly compromise the CharlieCard and CharlieTicket systems" and "constitutes a threat to public health or safety."

Its suit asks a judge to order the students "from publicly stating or indicating that the security or integrity of the CharlieCard pass, the CharlieTicket pass, or the MBTA's Fare Media systems has been compromised." The requested order would also prevent them from circulating the summary of their talk, from providing any technical information, and from distributing any software they created.

That could be difficult to enforce. Every one of the thousands of people here who registered for Defcon received a CD with the students' 87-page presentation titled "Anatomy of a Subway Hack." It recounts, in detail, how they wrote code to generate fake magcards. Also, it describes how they were able to use software they developed and $990 worth of hardware to read and clone the RFID-based CharlieCards.

Those CDs were distributed to conference attendees starting Thursday evening, meaning the injunction arrived nearly two days late. (On the other hand, the source code to the utilities--not included on the CD--was removed from web.mit.edu/zacka/www/subway/ by Saturday morning.)

Court documents filed by MBTA suggest that representatives of the transit agency tried to pressure the students into halting their talk. During a meeting with the students and MIT professor Ron Rivest on Monday, MBTA Deputy General Manager for Systemwide Modernization Joseph Kelly unsuccessfully tried to obtain a copy of their planned presentation. Kelly spoke with Rivest again on Friday. (There was initial confusion about whether the meeting was Monday or Tuesday.)

A representative of the Defcon convention, who asked that her name not be used, said that the students submitted their Powerpoint presentation at least a month ago. The presentation says--not-so-presciently--"what this talk is not: evidence in court (hopefully)." It also says: "THIS IS VERY ILLEGAL! So the following material is for educational use only."

In addition, what looked like a black and white faxed copy of the entire presentation was entered as evidence in publicly available court records available on the Web on Saturday, meaning any attempt to limit its distribution further will encounter an additional hurdle.

Also released as part of the public record was a document marked "confidential" and written by the researchers that explains exactly how the Charlie cards can be cloned and forged. "Our research shows that one can write software that will generate cards of any value up to $655.36," the document says.

The document also discusses the lack of physical security at the MBTA. "Doors were left unlocked allowing free entry in many subways," the document says. "The turnstile control boxes were unlocked at most stations. Most shocking, however, were the FVM control rooms that were occasionally left open."

One portion of the MBTA's legal complaint that drew jeers from the Defcon crowd came in its odd claim that "A CharlieTicket standing alone constitutes a 'computer'" under federal antihacking law.

This isn't the first time speakers at security conferences have been hauled into court by companies seeking to muzzle them.

Source

Problems don't exist if no one speaks about them. :rolleyes:

[(Spork)]

yea that's it lock the people that can fix your buggy software . or ad lest show you the holes

freaking moron's

[gigapixels Veteran]

Not sure how I feel about this. On one hand, it's good that they found the weakness, but on the other, they shouldn't be broadcasting it to a large audience. They should approach whoever makes the software to help them fix these weaknesses. Once it is fixed, they can tell whoever they'd like.

freaking moron's

Excuse me, it's morans:

[Starbuck84]

/off-topic sorry, but LOL at that image :D

[theyarecomingforyou]

Not sure how I feel about this. On one hand, it's good that they found the weakness, but on the other, they shouldn't be broadcasting it to a large audience. They should approach whoever makes the software to help them fix these weaknesses. Once it is fixed, they can tell whoever they'd like.

+1

[Linkinfamous]

Not sure how I feel about this. On one hand, it's good that they found the weakness, but on the other, they shouldn't be broadcasting it to a large audience. They should approach whoever makes the software to help them fix these weaknesses. Once it is fixed, they can tell whoever they'd like.

I don't feel like digging further into it, but it says:

Anderson told Goodin that the team never intended to release tools for hacking into subway systems and had tried to warn the Transit Authority of vulnerabilities in their system.

If they had attempted to warn them of the vulnerability, and they didn't listen, whose fault is it?

[tiagosilva29]

they shouldn't be broadcasting it to a large audience.

Who defines "sensitive knowledge"? Or better yet, what is "sensitive knowledge"?

You know what probably constitutes a damned good "sensitive knowledge"? The entire subject of reactions in most chemistry classes. Or perhaps all the electronics classes.

Let's also assume that everyone's a bad person, and evildoers with such knowledge are a menace to society.

If they had attempted to warn them of the vulnerability, and they didn't listen, whose fault is it?

The company's fault obviously. They upped the prices to implement this system (the system costed around 200 millions), claiming it would be better for the passengers and secure.

When warned about this what do they do?

First, they threat the students with an FBI investigation on them.

Then they call in a federal order to restrict the students because "disclosure of this information will significantly compromise the CharlieCard and CharlieTicket systems" and "constitutes a threat to public health or safety". So, disclosure of this information will compromise an _already compromised system_ and what the **** to they mean with "a threat to public health or safety". They made (and are still making) a fortune with this system _under the banner of safety_. And in a nutjob USA over the damned terrorists what best deal or supreme worst publicity would you get?

Ultimate fix over this: shut up simple college students, who are probably not the first ones to know about these vulnerabilities, knowing they would talk about this over the holy-****-not-them! _DEFCON_ and pretend that the situation doesn't exist. Way to go.

[p858snake]

Not sure how I feel about this. On one hand, it's good that they found the weakness, but on the other, they shouldn't be broadcasting it to a large audience. They should approach whoever makes the software to help them fix these weaknesses. Once it is fixed, they can tell whoever they'd like.

Well the way i see it, the lawsuit made it worse. It would of been a presentation to around 100-200 interested in security and such, but now that it was banned everyone is interested and its getting passed around on the net.

[p858snake]

Federal Judge in DefCon Case Equates Speech with Hacking -- Updated with Recording from Hearing

Lawyers with the Electronic Frontier Foundation said a federal judge who granted a temporary restraining order on Saturday to halt a scheduled conference talk about security vulnerabilities came to "a very, very wrong conclusion." They said the judge's order constituted illegal prior restraint, which violated the speakers' First Amendment right to discuss important and legitimate academic research.

"When you discuss security issues, if you are telling the truth, that should be something protected at the core of the First Amendment," said Kurt Opsahl, senior staff attorney for the non-profit EFF, who was at DefCon to participate in an annual ask-the-EFF panel and to launch the organization's Coders Rights Project. "If you are truthfully telling the world about a dangerous situation, and (it is) a situation which is dangerous not because the security researcher exposes the vulnerability (but) because the person who made the product . . . made the vulnerability, (then) this should be core speech."

Opsahl was speaking at a press conference at the DefCon hacker conference in Las Vegas on Saturday after District Judge Douglas Woodlock of the U.S. District Court in Massachusetts granted a temporary restraining order requested by the Massachusetts Bay Transportation Authority.

The MBTA sought to bar three students enrolled at the Massachusetts Institute of Technology -- Zack Anderson, R.J. Ryan and Alessandro Chiesa -- from presenting a talk at DefCon about vulnerabilities in magnetic stripe tickets and RFID cards that are used in the MBTA's payment system. The MBTA feared that the students planned to teach the audience how to fraudulently add credit to a payment ticket or card in order to ride the transit system for free.

Opsahl said the judge, in making his decision, misinterpreted a part of the federal Computer Fraud and Abuse Act that refers to computer intruders or hackers. Such a person is described in part in the statute as someone who "knowingly causes the transmission of a program, information, code, or command to a computer or computer system."

Opsahl says the judge, during the hearing, likened the students' conference presentation to transmitting code to a computer.

"The statute on its face appears to be discussing sending code or similar types of information to a computer," Opsahl said. "It does not appear to contemplate somebody who is giving a talk to humans. Nevertheless, the court . . . believed that the act of giving a presentation to a group of humans was covered by the computer fraud, computer intrusion statute. We believe this is wrong."

EFF staff attorney Marcia Hoffman told reporters that the decision set a very dangerous precedent.

"Basically, what the court is suggesting here is that giving a presentation involving security to other security researchers is a violation of federal law," she said. "As far as I know, this is completely unprecedented, and it has a tremendous chilling effect on sharing this sort of research. . . . And we intend to fight it with everything we've got."

The students were scheduled to present their talk on Sunday about vulnerabilities in the subway's fare collection system. According to a description of the talk in a printed program given to conference attendees, the students planned to demonstrate how they reverse-engineered the mag stripe on CharlieTickets and cracked the encryption on RFID-enabled CharlieCards that are used in the Boston system. They also planned to release several open source tools that they created in the course of their research.

But the MBTA contended that disclosure of the flaws, before the MBTA had a chance to fix them, would cause irreparable harm to the transit system, particularly if it allowed someone to increase the amount of funds stored on a card or ticket and ride the transit system for free.

The MBTA filed its motion for a restraining order on Friday, August 9th, but Opsahl and Hofmann said that rather than make an immediate decision, District Judge Woodlock ordered a hearing for Saturday morning and allowed the EFF, which represented the students, to participate by telephone from San Francisco and Las Vegas, even though none of the non-profit's lawyers is licensed to practice in Massachusetts.

The court's restraining order bars the students from disclosing any information for ten days that could allow someone to defraud the transit system and ride the subway for free.

EFF lawyers and the students refused to discuss details of the now-cancelled presentation but did provide a timeline of events leading up to the MBTA's suit and also shed light on how the matter unfolded, disputing claims in the MBTA's court filings that the students had refused to give the MBTA information about the vulnerabilities they discovered.

According to MBTA's court filings, the agency first learned about the planned presentation on July 30th from an unnamed vendor, described in the complaint as "someone responsible for components of the MBTA's fare collection system" (.pdf). The next day the agency contacted MIT computer science professor Ron Rivest, the students' instructor, and told him that the FBI was investigating the issue.

"We didn't find that to be a very pleasing way to start a nice dialogue with them," Anderson said. "We got a little concerned about what was happening."

A few days later on Monday, August 4, a detective with the transit police and an FBI agent met with the MIT students, Rivest, and an MIT lawyer to discuss their concerns and inquire about the nature of the students' talk. The students say when they left that meeting they believed, due to verbal comments made to them during the meeting, that the issue had been resolved, and that the MBTA no longer had a problem with their talk. [Note: A previous story said the parties had met on August 5th, a date listed in MBTA's court filings. The students said that date was a misprint.]

The FBI's Boston office did not respond to a call asking to confirm if there is an ongoing investigation of the students, but Opsahl said as far as he knows, there is no FBI investigation.

Efforts to reach the MBTA for comment were not successful, but according to the MBTA's court filings, the students failed to respond to a request to provide the transit authority with copies of the conference presentation or with details about the vulnerabilities they found in the payment card system, and this was the reason for taking the students to court.

But the students say this isn't true.

They say the MBTA did ask for some material -- not a copy of their conference presentation -- which they provided on Friday at around 4:30 pm, which they say was around the same time the MBTA was heading to the courthouse to request the restraining order.

That material was a confidential vulnerability assessment report (.pdf) describing, in a more substantial way than the conference presentation slides do, the flaws in the MBTA payment system. The report became a public document when the MBTA included it among other papers it submitted to the court on Saturday.

The students maintain they didn't understand that the MBTA was specifically expecting a copy of their presentation until Friday, when they learned the MBTA was filing for a restraining order.

"And at that point we declined to provide the slides until we had an opportunity to see what the complaint said," Hofmann said.

Even though the MBTA received the vulnerability assessment report at that point, the students point out, it did not withdraw the lawsuit.

But according to an MBTA systems project manager, who filed a declaration with the court, the MBTA asked specifically for materials from their presentation and concluded after receiving the report that it likely did not constitute the materials that the students were planning to present at DefCon. In an e-mail that Anderson sent with the report he wrote, "Note that we absolutely are not disclosing everything we found in this report."

The students have been criticized by some for not following the generally accepted responsible disclosure guidelines (written by former hacker Rain Forest Puppy) in which a researcher discloses vulnerabilities to a company or agency first, to give that party an opportunity to fix the problems, before disclosing the flaws publicly.

The students say they had intended to contact the MBTA a week prior to July 30th, when the transit authority was still apparently unaware of the presentation. They refused to say what occurred at that time to prompt them to want to make contact with the MBTA, but said their intent was to provide the MBTA with details that they wouldn't be discussing in their public talk. Ultimately, however, they didn't act on the impulse because Rivest, who agreed to facilitate the contact, was out of town at a conference. Shortly thereafter, the MBTA discovered the talk and contacted Rivest.

The students maintain that they never intended to teach audience members how to de-fraud the transit system, despite provocative comments they wrote in the published description of their talk.

A description of their talk that is printed in the conference program schedule begins with the sentence "Want free subway rides for life?" The line was removed from an online version of the description after the MBTA met with the students on August 4th, but the students wouldn't comment about why the change was made.

Opsahl called the provocative language "rhetoric" and said it was always the students' intention to hold back key details from their talk that would help someone attack the MBTA system.

"Please understand that, rhetoric aside, the intention was to provide an interesting and useful talk, but not one that would enable people to defraud the Massachusetts Bay Transit System," he said.

As it stands now, the next step, before the temporary restraining order expires, will be to determine whether or not it should become a preliminary injunction to extend the gag for longer, Opsahl said.

Hofmann said it's unclear right now whether the EFF will continue to represent the students if further litigation is pursued, given that they have no one on staff who can practice in Massachusetts. They will have to evaluate the situation when and if it comes up.

As for the students' 1 pm speaker's slot on Sunday, DefCon has apparently already found a replacement. Brenno de Winter, a Dutch journalist and security consultant, told reporters on Saturday that he has offered to fill in -- essentially to give the same or a similar talk about vulnerabilities with transit fare cards, though without the focus on the Boston transit system.

UPDATE: I've obtained a digital recording of the hearing in Massachusetts so you can hear the arguments and the judge's comments.

Source: WIRED: Threat Level (+ Audio Recording)