Randomness ([personal profile] randomness) wrote2008-08-10 11:17 am
The MBTA just got a restraining order to prevent three MIT undergrads from giving a talk at Defcon.

From http://www.theregister.co.uk/2008/08/09/defcon_talk_halted/:
A federal judge on Saturday gagged three Massachusetts Institute of Technology undergraduates from publicly presenting research at Defcon demonstrating gaping holes in the electronic payment systems of one of the nation's biggest transit agencies.

Attorneys for the Electronic Frontier Foundation, which are representing the trio, said they directed the students to pull the talk, which had been scheduled for Sunday. They said the order constituted an "illegal prior restraint" on their clients' free-speech rights.

"It's a very dangerous precedent," EFF staff attorney Marcia Hoffman told reporters at the Defcon hacking conference in Las Vegas. "Basically, what the court is suggesting here is that giving a presentation involving security to other security researchers is a violation of federal law. As far as I know, this is completely unprecedented and it has a tremendous chilling effect on sharing this sort of research."
From http://www.tgdaily.com/content/view/38816/108/:
There’s a saying at Defcon that the best way to spread information is to get hit with a restraining order. Freedom of information is a big deal here and anything suppressing that is met with extreme resistance. But in this case, the attendees really don’t have to do too much work because the Transit Authority placed the talk slides into the addendum of the temporary restraining order request and everything is now in public record. Furthermore, the slides are in the official Defcon CD – something which more than 5000 people have right now. So you have a classic case of the horse is already out of the barn.
From http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf:
The CharlieCard is based on a MIFARE Classic RFID card produced by NXP. The card secures its data and transactions using a proprietary encryption algorithm called Crypto-1. Karsten Nohl, et al. of the University of Virginia reverse-engineered this algorithm and found serious vulnerabilities. These vulnerabilities allow one to recover the key from a card in less than 30 seconds. Armed with a key, an attacker can copy someone's card remotely. Although we have not absolutely verified this, we have strong reason to believe all CharlieCards use a common key.

We have not used the CharlieCard key to read CharlieCards, so we cannot comment for certain about the data on the card. We have evidence to show that the card has a stored value, which makes it vulnerable to the same forgery attacks detailed in the CharlieTicket section. Likewise, it is vulnerable to cloning attacks too, meaning the above scenario would not steal money from the people in the street, but rather, it would duplicate the value on those cards.


Edit: There is a link from The Tech (http://www-tech.mit.edu/V128/N30/subway/) which includes all the relevant documents submitted for the temporary restraining order.

The presentation slides are here: http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf (thanks to [livejournal.com profile] redbird for the link). As has been pointed out, they are nowhere near as informative as the above vulnerability assessment.

http://blog.wired.com/27bstroke6/2008/08/eff-to-appeal-r.html adds:
"Hofmann said it's unclear right now whether the EFF will continue to represent the students if further litigation is pursued, given that they have no one on staff who can practice in Massachusetts. They will have to evaluate the situation when and if it comes up."
[personal profile] redbird 2008-08-10 03:35 pm (UTC)
For the moment, what looks like the set of slides is here: http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

Also, it's the same system as the Mifare, and the Dutch courts have ruled that the researchers can publish their paper on holes in that.

[identity profile] digitalemur.livejournal.com 2008-08-10 04:16 pm (UTC)
Slide 5 cracks my shit up, yo.

[identity profile] r-ness.livejournal.com 2008-08-11 03:03 am (UTC)
Thanks for the link to the slides! I'll add it.

[identity profile] allyphoe.livejournal.com 2008-08-10 03:40 pm (UTC)
the Transit Authority placed the talk slides into the addendum of the temporary restraining order request and everything is now in public record.

Bwahahaha.

[identity profile] rmd.livejournal.com 2008-08-10 03:46 pm (UTC)
er, your html failed for the block quote stuff.

and the presentation slides make for interesting reading.

[identity profile] r-ness.livejournal.com 2008-08-11 03:03 am (UTC)
Thanks for the correction! Fixed.

I think I'll link the presentation slides, too, thanks!

[identity profile] serendipity9000.livejournal.com 2008-08-10 04:01 pm (UTC)
Amusing timing to see this - currently part way through reading Little Brother.
[personal profile] nathanjw 2008-08-10 04:14 pm (UTC)
The T's lawyers are being pretty dumb here. I'm also not convinced that the break here is really a big deal. There's a systems aspect that hasn't been explored - how can the fare collection system react to cloning or value-changing attacks? There are a lot of opportunities for detecting such uses and disabling the cards, or alerting someone to investigate, or whatever; similarly, since all value-adding and value-removing transactions are logged, there should be a central model of the contents of any given ticket or card, and deviations from that model can be detected.

From an individual user's point of view, the only threat (and it's still a bit distant) is someone using this to brush up against you with an antenna and clone or alter your charliecard.

[identity profile] r-ness.livejournal.com 2008-08-11 03:36 am (UTC)
The T's lawyers are being pretty dumb here. I'm also not convinced that the break here is really a big deal.

Agreed on both.

[identity profile] frotz.livejournal.com 2008-08-12 05:19 pm (UTC)
The original documentation I saw said that the online card readers (in the subway, basically) would accept a discrepancy for 24 hours so that value additions from offline readers (buses, basically) could make it into the central database; discrepancies after that point would get the card blacklisted everywhere. They clearly put some thought into the risk, and have reasonable (imho, anyway) safeguards.

I don't think it's much of a risk for either the users or the MBTA, and their magstripe cards have always been trivially clonable. It's all very silly!
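The two defensive ideas in this thread, nathanjw's central model of what every card should contain and frotz's description of online readers tolerating a discrepancy for 24 hours before blacklisting, can be written down as a small back-end reconciliation model. The following is an added example, not code from the post, the commenters or the MBTA: the ledger, the station names, the amounts and the 5-minute clone window are all constructed, and the 24-hour window is taken from frotz's comment as an assumption rather than a documented MBTA value.

```python
"""Back-end reconciliation of stored-value fare cards (added example, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

GRACE = timedelta(hours=24)          # tolerance window, assumed from the comment above
CLONE_WINDOW = timedelta(minutes=5)  # assumed: no rider reaches a second station this fast


@dataclass
class Txn:
    card_id: str
    amount: int      # cents: positive = value added, negative = fare deducted
    at: datetime
    synced: bool     # True once the back end has it; offline (bus) readers upload later


class FareLedger:
    """Central model of what each card should contain, built only from logged transactions."""

    def __init__(self) -> None:
        self.txns: list[Txn] = []
        self.taps: list[tuple[str, str, datetime]] = []   # (card_id, station, time)
        self.first_discrepancy: dict[str, datetime] = {}
        self.blacklist: set[str] = set()

    def record(self, txn: Txn) -> None:
        self.txns.append(txn)

    def upload_offline(self, card_id: str) -> int:
        """An offline reader delivers its batch; returns how many entries became visible."""
        pending = [t for t in self.txns if t.card_id == card_id and not t.synced]
        for t in pending:
            t.synced = True
        return len(pending)

    def expected_value(self, card_id: str) -> int:
        return sum(t.amount for t in self.txns if t.card_id == card_id and t.synced)

    def tap_online(self, card_id: str, reported: int, station: str, now: datetime) -> tuple[str, int]:
        """Gate decision for a card that reports `reported` cents of stored value.

        Returns (verdict, discrepancy). A discrepancy is tolerated while it could
        still be explained by an offline transaction that has not been uploaded;
        once it has persisted for GRACE the card is blacklisted everywhere.
        (The gate's own fare deduction is left out to keep the arithmetic visible.)
        """
        self.taps.append((card_id, station, now))
        if card_id in self.blacklist:
            return "blacklisted", 0
        diff = reported - self.expected_value(card_id)
        if diff == 0:
            self.first_discrepancy.pop(card_id, None)
            return "ok", 0
        first = self.first_discrepancy.setdefault(card_id, now)
        if now - first >= GRACE:
            self.blacklist.add(card_id)
            return "blacklisted", diff
        return "grace", diff

    def clone_suspects(self) -> set[str]:
        """Card ids seen at two different stations within CLONE_WINDOW: one id, two cards."""
        by_card: dict[str, list[tuple[datetime, str]]] = {}
        for cid, station, at in self.taps:
            by_card.setdefault(cid, []).append((at, station))
        flagged: set[str] = set()
        for cid, taps in by_card.items():
            taps.sort()
            for (a_at, a_st), (b_at, b_st) in zip(taps, taps[1:]):
                if a_st != b_st and b_at - a_at <= CLONE_WINDOW:
                    flagged.add(cid)
        return flagged


def demo() -> dict:
    """Constructed scenario: an honest rider, a value-forged card and a cloned card."""
    t0 = datetime(2008, 8, 10, 8, 0)
    ledger = FareLedger()
    # Honest: $20.00 top-up at a subway machine (online), $1.25 bus fare (offline, not yet uploaded).
    ledger.record(Txn("honest", 2000, t0, synced=True))
    ledger.record(Txn("honest", -125, t0 + timedelta(hours=1), synced=False))
    r1 = ledger.tap_online("honest", 1875, "Kendall", t0 + timedelta(hours=2))
    ledger.upload_offline("honest")                       # the bus batch arrives
    r2 = ledger.tap_online("honest", 1875, "Central", t0 + timedelta(hours=9))
    # Forged: card claims $100.00 although the ledger only ever saw a $5.00 top-up.
    ledger.record(Txn("forged", 500, t0, synced=True))
    r3 = ledger.tap_online("forged", 10000, "Kendall", t0 + timedelta(hours=2))
    r4 = ledger.tap_online("forged", 10000, "Kendall", t0 + timedelta(hours=27))
    r5 = ledger.tap_online("forged", 500, "Kendall", t0 + timedelta(hours=28))
    # Cloned: one card id appears at two stations three minutes apart.
    ledger.record(Txn("cloned", 1000, t0, synced=True))
    ledger.tap_online("cloned", 1000, "Kendall", t0 + timedelta(hours=5))
    ledger.tap_online("cloned", 1000, "Harvard", t0 + timedelta(hours=5, minutes=3))
    return {"verdicts": [r[0] for r in (r1, r2, r3, r4, r5)],
            "discrepancies": [r[1] for r in (r1, r2, r3, r4, r5)],
            "clones": ledger.clone_suspects()}
```

Running `demo()` gives the honest card a "grace" verdict at its first tap (the bus deduction has not been uploaded yet) and "ok" once it has, while the forged card is tolerated on day one and blacklisted once its $95.00 surplus has outlived the window; the clone check flags the card id that surfaced at two stations within minutes. The point both commenters make is visible in the code: the cards' own cryptography is not what protects the revenue, the transaction log is.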

[identity profile] karakara98.livejournal.com 2008-08-10 10:35 pm (UTC)
Interesting. I've had the TV on today with the Olympics on in the background, and so I watched the Boston local TV news. They characterized the presentation very differently. They called DefCon a "Hackers Conference" not a conference of those interested in security. They characterized the presentation as a how-to lesson, which the above quotes don't focus on. Having looked at part of the presentation, it does seem more like a lesson in getting free rides more than a critique of the security, but perhaps it's just a clever presentation technique? If it is, I wonder if that's what's gotten them in trouble. If it had been presented in a more stodgy, serious style, it would have been more boring, but perhaps less objectionable to city bureaucratic types. If so, it's an interesting situation of one organizational culture not understanding another.

[identity profile] stolen-tea.livejournal.com 2008-08-11 03:52 am (UTC)
Defcon has a variety of stuff, spanning the full range. Government agents and large corporations send people to it, and it's one of the more public-facing, semi-respectable facets of the security/hacker community. A better candidate for a "hacker's conference" would be Black Hat, which was the previous weekend.

Not that, you know, my building used to be full of them or anything. :)

[identity profile] cerridwynn.livejournal.com 2008-08-11 02:11 pm (UTC)
I saw that news story too. (I don't usually watch the local news but we too were watching the Olympics...) I had just read this post when the news segment came on and it was hard to believe the two reports were about the same story. I'm not really sure what to think now. I don't care terribly about the actual issue, but i find the totally slanted presentations pretty amusing! (My first reaction was to think the news was just repeating the official T point of view, but now i'm not sure...)