
EFF: MIT Students Gagged by Federal Court Judge

From:  EFF Press <press-AT-eff.org>
To:  presslist-AT-eff.org
Subject:  EFF: MIT Students Gagged by Federal Court Judge
Date:  Sat, 09 Aug 2008 14:14:30 -0700
Message-ID:  <489E08B6.3040907@eff.org>

Electronic Frontier Foundation Media Release

For Immediate Release: Saturday, August 09, 2008

Contact:

Jennifer Stisa Granick
   Civil Liberties Director
   Electronic Frontier Foundation
   jennifer@eff.org
   +1 415 271-4879

Marcia Hofmann
   Staff Attorney
   Electronic Frontier Foundation
   marcia@eff.org
   +1 415 436-9333 x116

Rebecca Jeschke
   Media Coordinator
   Electronic Frontier Foundation
   press@eff.org
   +1 415 436-9333 x125

MIT Students Gagged by Federal Court Judge

EFF Backs Researchers Forced to Cancel Presentation on
Transit Fare Payment System

Las Vegas - Three students at the Massachusetts Institute
of Technology (MIT) were ordered this morning by a federal
court judge to cancel their scheduled presentation about
vulnerabilities in Boston's transit fare payment system,
violating their First Amendment right to discuss their
important research.

The Electronic Frontier Foundation (EFF) represents Zack
Anderson, RJ Ryan and Alessandro Chiesa, who were set to
present their findings Sunday at DEFCON, a security
conference held in Las Vegas.  However, the Massachusetts
Bay Transit Authority (MBTA) sued the students and MIT in
United States District Court in Massachusetts on Friday,
claiming that the students violated the Computer Fraud and
Abuse Act (CFAA) by delivering information to conference
attendees that could be used to defraud the MBTA of transit
fares.  This morning District Judge Douglas P. Woodlock,
meeting in a special Saturday session, ordered the trio not
to disclose for ten days any information that could be used
by others to get free subway rides.

"We wanted to share our academic work with the security
community and had planned to withhold a key detail of our
results so that a malicious attacker could not use our
research for fraudulent purposes," said Anderson.  "We're
disappointed that the court is preventing us from
presenting our findings even with this safeguard."

Vulnerabilities in magnetic stripe and RFID card payment
systems implemented by many urban transit systems are
generally known. The student research applied this
information to the specific case of Boston's Charlie Card
and Charlie Ticket, and the project earned an A from
renowned computer scientist and MIT professor Dr. Ron
Rivest.

The court relied on a federal law aimed at computer
intrusions in issuing its order, holding that even
discussing the flaws at a public conference constituted a
"transmission" of a computer program that could harm the
fare collection system.

"The court's order is an illegal prior restraint on
legitimate academic research in violation of the First
Amendment," said EFF Civil Liberties Director Jennifer
Granick.  "The court has adopted an interpretation of the
statute that is blatantly unconstitutional, equating
discussion in a public forum with computer intrusion.
Security and the public interest benefit immensely from the
free flow of ideas and information on vulnerabilities. More
importantly, squelching research and scientific discussion
won't stop the attackers.  It will just stop the public
from knowing that these systems are vulnerable and from
pressuring the companies that develop and implement them to
fix security holes."

This case is part of EFF's Coders' Rights Project, launched
just this week to protect programmers and developers from
legal threats hampering their cutting-edge research.  EFF
will seek relief for the researchers in the courts.

For the full temporary restraining order:
http://www.eff.org/files/filenode/MIT%20students%20TRO.pdf

For more on the Coders' Rights Project:
http://www.eff.org/issues/coders

For this release:
http://www.eff.org/press/archives/2008/08/09

About EFF

The Electronic Frontier Foundation is the leading civil
liberties organization working to protect rights in the
digital world. Founded in 1990, EFF actively encourages and
challenges industry and government to support free
expression and privacy online. EFF is a member-supported
organization and maintains one of the most linked-to
websites in the world at http://www.eff.org/


     -end-






EFF: MIT Students Gagged by Federal Court Judge

Posted Aug 9, 2008 23:44 UTC (Sat) by rmmst49 (guest, #39376) [Link] (9 responses)

well that didn't work out so well . . .

http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentati...

EFF: MIT Students Gagged by Federal Court Judge

Posted Aug 10, 2008 1:30 UTC (Sun) by Sutoka (guest, #43890) [Link] (3 responses)

This situation is as hilarious as it is sad (and I was laughing quite a bit while reading the
pdf). Since the presentation is already online they've gained *nothing* by stopping the talk,
and in reality they've only given it FAR more publicity than it would have otherwise received.
Really it's like grasping water... the tighter your grip, the more you'll lose.

EFF: MIT Students Gagged by Federal Court Judge

Posted Aug 10, 2008 4:19 UTC (Sun) by ekj (guest, #1524) [Link]

Yeah, Streisand-effect strikes again!

EFF: MIT Students Gagged by Federal Court Judge

Posted Aug 10, 2008 10:52 UTC (Sun) by chel (guest, #11544) [Link] (1 responses)

I just see a paper describing well known problems, a survey of current security and ways to
improve it. The fact MBTA thinks this talk reveals flaws indeed is as hilarious as it is sad.
They should know these problems and they also should know these problems are well known.

EFF: MIT Students Gagged by Federal Court Judge

Posted Aug 15, 2008 21:17 UTC (Fri) by giraffedata (guest, #1954) [Link]

> The fact MBTA thinks this talk reveals flaws indeed is as hilarious as it is sad.

But the fact is true.

If the talk doesn't reveal flaws, why would anyone attend? The paper definitely revealed flaws to me.

I don't think the MBTA claimed the talk revealed flaws that were not known to, or discoverable by, anybody. The claim was that it would reveal them to some people who would otherwise remain ignorant of them.

EFF: MIT Students Gagged by Federal Court Judge

Posted Aug 10, 2008 4:21 UTC (Sun) by MattBBaker (guest, #28651) [Link] (3 responses)

Be careful where you post that link!  The mooninites might find it!

EFF: MIT Students Gagged by Federal Court Judge

Posted Aug 10, 2008 16:08 UTC (Sun) by bboissin (subscriber, #29506) [Link] (2 responses)

MBTA submitted a more detailed document to the court:
http://blog.wired.com/27bstroke6/files/vulnerability_asse...

EFF: MIT Students Gagged by Federal Court Judge

Posted Aug 11, 2008 23:37 UTC (Mon) by clugstj (subscriber, #4020) [Link] (1 responses)

So, the MBTA gives the court a document that proves they knew about the vulnerability in the
system, and they still get their gag order?  They should have been denied out of sheer
stupidity.

EFF: MIT Students Gagged by Federal Court Judge

Posted Aug 15, 2008 21:49 UTC (Fri) by giraffedata (guest, #1954) [Link]

> So, the MBTA gives the court a document that proves they knew about the vulnerability in the system, and they still get their gag order?

The MBTA got that document about a day before the gag order, not enough time to properly evaluate it, much less fix the security flaws. MBTA says it asked the students earlier what they were going to say in the talk, and the students wouldn't say. All MBTA had then was the title of the talk, which was in part, "Want Free Subway Rides For Life?"

The gag order is temporary, just designed to keep both parties equal until they can fully study each other's position and a court can make an informed decision.

It's unfortunate that this didn't come to court until too soon before the conference to allow an informed decision, but that's the breaks. I suppose the MIT students could have forced the lawsuit earlier if they had wanted to, and were just gambling.

EFF: MIT Students Gagged by Federal Court Judge

Posted Aug 11, 2008 19:48 UTC (Mon) by tialaramex (subscriber, #21167) [Link]

Some things aren't clear to me from this.

Cloning of mag-stripe tickets isn't very interesting, it's not novel and after all that's not
one reason why transport agencies are keen to phase them out - so I concentrated on the latter
part of the story.

The MiFare proximity card security seems more vulnerable than intended but it's not clear
whether they broke it in a "useful" way. That is to say, would a criminal who had done this
same work now be able to

• Travel toll free for a one time investment of (to pick a number out of the air) $1000 in the
hardware and software?

• Permit any number of other people to travel toll free for no further investment, or some
trivial investment (e.g. $10 per traveller for a genuine MiFare card to be reprogrammed)?

• Charge credit onto a MiFare card which was indistinguishable from genuine credit, i.e. allowing
the criminal to conveniently sell "discounted" travel credit, e.g. $50 of credit for $5?

It's also not clear how "fixable" this is. For example, a 48-bit key restriction in the MiFare
system as shipped might be something that its vendors could fix in an upgrade over the course
of the next year or two, allowing transport agencies to phase in a replacement, or it might be
very close to the heart of the system in which case such an "upgrade" would be a very
disruptive long-term project. Factors which were designed to be random but aren't can often be
improved (since the engineers assumed they were random they won't have depended on them being
unvarying) on the other hand bad crypto hardware may not be fixable at all, short of replacing
all the hardware in the system.

EFF: MIT Students Gagged by Federal Court Judge

Posted Aug 10, 2008 18:24 UTC (Sun) by jhardin (guest, #3297) [Link] (3 responses)

Let's hope the EFF takes this all the way to the USSC and sticks it to Boston!

EFF: MIT Students Gagged by Federal Court Judge

Posted Aug 11, 2008 0:37 UTC (Mon) by mattdm (subscriber, #18) [Link] (2 responses)

Just to be clear, MBTA != Boston.

EFF: MIT Students Gagged by Federal Court Judge

Posted Aug 13, 2008 11:05 UTC (Wed) by cpm (guest, #3554) [Link] (1 responses)

  "just to be clear, MBTA != Boston."

Fair enough.

So, Boston corporate exercises no control over MBTA,
and MBTA is completely autonomous?

EFF: MIT Students Gagged by Federal Court Judge

Posted Aug 13, 2008 11:48 UTC (Wed) by mattdm (subscriber, #18) [Link]

It's perhaps more autonomous than it should be (given how poorly it's run), but either way it's a state agency, not a city one.

EFF: MIT Students Gagged by Federal Court Judge

Posted Aug 11, 2008 20:56 UTC (Mon) by csamuel (✭ supporter ✭, #2624) [Link]

It is ironic that prior to this a Dutch group of researchers won their case to publish their cryptanalysis of the Mifare Classic card, with the court saying:

Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings.

So the cat was well and truly out of the bag on that facet of the MIT paper.


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds