DEFCON talk on Charlie Card hacking blocked [updated]

CNET reports on yet another case of security-by-obscurity-by-court-order…

Three MIT students had planned to give a presentation at this year’s DEFCON, but the MBTA got a judge to issue a TRO preventing them from going ahead.

The presentation itself is available via the campus newspaper, as well as having been included in attendees conference materials.

Bruce Schneier recently wrote about the Mifare hacking paper that suffered a similar court challenge, although eventually allowed by the Dutch courts to be published.

The card system in Boston (and a number of other cities) uses the same technology, with the same weaknesses… (“Monoculture Bad”)

UPDATE: Discussion of the case in JOLT Digest, “An online companion to the Harvard Journal of Law & Technology”. (via saqib on The Cryptography Mailing List)

UPDATE: Nice overview from Ars Technica, highlighting the First Amendment issues in play here.

UPDATE: EFF Press Release: Judge Lifts Unconstitutional Gag Order Against MIT Students

The court found that the Massachusetts Bay Transportation Agency (MBTA) had no likelihood of success on the merits of its claim under the federal computer intrusion law and denied the transit agency’s request for a five-month injunction. In papers filed yesterday, the MBTA acknowledged for the first time that their Charlie Ticket system had vulnerabilities and estimated that it would take five months to fix.

Note that the MBTA suit is still alive, even though at least one judge apparently understands it to be a weak case. I hope that if it isn’t dropped, the expense involved comes up in the looming fare increase debate…

Bookmark this on Delicious

UPDATE: Popular Mechanics interview with Zack Anderson, one of the MIT students, on how this went down, and what happens now.

What happens next? There’s still a lawsuit from the MBTA, right?
Probably the next thing is, hopefully at this point we’ll be able to settle this and make it go away. If not, we’re going to have to file a motion to dismiss the case, but I think, and I definitely hope, that things are kind of over now. We didn’t give the talk, which was I think a primary aim that they had. That was effective on their part.


6 responses to “DEFCON talk on Charlie Card hacking blocked [updated]

  1. My personal sentiments, from an email thread elsewhere:

    The vendor should have disclosed the issue to their customers back in July.

    The MBTA could have called the vendor when the issue was disclosed to them, and asked “What’s the story here?”.

    Or they could have done 30 seconds of research with any search engine, to discover this was a known problem. When I looked earlier:

    “subway card hack” @ google = 93k hits,
    “subway card hack -mit” still leaves 64k chances to suck less. (I’ll grant these are sloppy statistics, but even if it was only 1,000 hits, surely a clue could have been found?)

    I think it’s sad that Boston keeps arresting and hassling MIT students for being clever or interesting, while no one seems to be asking why the responsible adults aren’t being careful with our money and infrastructure.

    My vote: Fire the security architect and CIO. Sue the vendor. Apologize to the students.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s