Posted Aug 10, 2008 1:30 UTC (Sun) by Sutoka (guest, #43890)
This situation is as hilarious as it is sad (and I was laughing quite a bit while reading the
pdf). Since the presentation is already online they've gained *nothing* by stopping the talk,
and in reality they've only given it FAR more publicity than it would have otherwise received.
Really it's like grasping water... the tighter your grip, the more you'll lose.
EFF: MIT Students Gagged by Federal Court Judge
Posted Aug 10, 2008 4:19 UTC (Sun) by ekj (subscriber, #1524)
Yeah, Streisand-effect strikes again!
EFF: MIT Students Gagged by Federal Court Judge
Posted Aug 10, 2008 10:52 UTC (Sun) by chel (guest, #11544)
I just see a paper describing well known problems, a survey of current security and ways to
improve it. The fact MBTA thinks this talk reveals flaws indeed is as hilarious as it is sad.
They should know these problems and they also should know these problems are well known.
EFF: MIT Students Gagged by Federal Court Judge
Posted Aug 15, 2008 21:17 UTC (Fri) by giraffedata (subscriber, #1954)
The fact MBTA thinks this talk reveals flaws indeed is as hilarious as it is sad.
But the fact is true.
If the talk doesn't reveal flaws, why would anyone attend? The paper definitely revealed flaws to me.
I don't think the MBTA claimed the talk revealed flaws that were not known to, or discoverable by, anybody. The claim was that it would reveal them to some people who would otherwise remain ignorant of them.
EFF: MIT Students Gagged by Federal Court Judge
Posted Aug 10, 2008 4:21 UTC (Sun) by shadesfox (guest, #28651)
Be careful where you post that link! The mooninites might find it!
EFF: MIT Students Gagged by Federal Court Judge
Posted Aug 10, 2008 16:08 UTC (Sun) by bboissin (subscriber, #29506)
Posted Aug 11, 2008 23:37 UTC (Mon) by clugstj (subscriber, #4020)
So, the MBTA gives the court a document that proves they knew about the vulnerability in the
system, and they still get their gag order? They should have been denied out of sheer
stupidity.
EFF: MIT Students Gagged by Federal Court Judge
Posted Aug 15, 2008 21:49 UTC (Fri) by giraffedata (subscriber, #1954)
So, the MBTA gives the court a document that proves they knew about the vulnerability in the
system, and they still get their gag order?
The MBTA got that document about a day before the gag order, not enough time to properly evaluate it, much less fix the security flaws. MBTA says it asked the students earlier what they were going to say in the talk, and the students wouldn't say. All MBTA had then was the title of the talk, which was in part, "Want Free Subway Rides For Life?"
The gag order is temporary, just designed to keep both parties equal until they can fully study each other's position and a court can make an informed decision.
It's unfortunate that this didn't come to court until too soon before the conference to allow an informed decision, but that's the breaks. I suppose the MIT students could have forced the lawsuit earlier if they had wanted to, and were just gambling.
EFF: MIT Students Gagged by Federal Court Judge
Posted Aug 11, 2008 19:48 UTC (Mon) by tialaramex (subscriber, #21167)
Some things aren't clear to me from this.
Cloning of mag-stripe tickets isn't very interesting, it's not novel and after all that's not
one reason why transport agencies are keen to phase them out - so I concentrated on the latter
part of the story.
The MiFare proximity card security seems more vulnerable than intended but it's not clear
whether they broke it in a "useful" way. That is to say, would a criminal who had done this
same work now be able to
- Travel toll free for a one time investment of (to pick a number out of the air) $1000 in the
  hardware and software?
- Permit any number of other people to travel toll free for no further investment, or some
  trivial investment (e.g. $10 per traveller for a genuine MiFare card to be reprogrammed)?
- Charge credit onto a MiFare card which was indistinguishable from genuine credit, i.e. allowing
  the criminal to conveniently sell "discounted" travel credit, e.g. $50 of credit for $5?
It's also not clear how "fixable" this is. For example, a 48-bit key restriction in the MiFare
system as shipped might be something that its vendors could fix in an upgrade over the course
of the next year or two, allowing transport agencies to phase in a replacement, or it might be
very close to the heart of the system in which case such an "upgrade" would be a very
disruptive long-term project. Factors which were designed to be random but aren't can often be
improved (since the engineers assumed they were random they won't have depended on them being
unvarying) on the other hand bad crypto hardware may not be fixable at all, short of replacing
all the hardware in the system.