I think this entry should be titled “Mass Transit submits substantially more detailed vulnerability assessment of themselves as public record… Hilarity ensues.” But, to be fair, there’s a legitimate enough reason to halt the talk the students were going to give. The justification for malicious hacking is that it helps the security world fix it’s flaws, much like you imagine parents exposing their children to chicken pox on purpose. These students were purposely withholding the information so the system couldn’t fix it before they gave their talk. This undermines the legitimacy of hacking as a noble cause.
LAS VEGAS — Lawyers with the Electronic Frontier Foundation said a federal judge who granted a temporary restraining order on Saturday to halt a scheduled conference talk about security vulnerabilities came to “a very, very wrong conclusion.” They said the judge’s order constituted illegal prior restraint, which violated the speakers’ First Amendment right to discuss important and legitimate academic research.
“When you discuss security issues, if you are telling the truth, that should be something protected at the core of the First Amendment,” said Kurt Opsahl, senior staff attorney for the non-profit EFF, who was at DefCon to participate in an annual ask-the-EFF panel and to launch the organization’s Coders Rights Project. “If you are truthfully telling the world about a dangerous situation, and (it is) a situation which is dangerous not because the security researcher exposes the vulnerability (but) because the person who made the product . . . made the vulnerability, (then) this should be core speech.”
Opsahl was speaking at a press conference at the DefCon hacker conference in Las Vegas on Saturday after District Judge Douglas Woodlock of the U.S. District Court in Massachusetts granted a temporary restraining order requested by the Massachusetts Bay Transit Authority.
The MBTA sought to bar three students enrolled at the Massachusetts Institute of Technology — Zack Anderson, R.J. Ryan and Alessandro Chiesa — from presenting a talk at DefCon about vulnerabilities in magnetic stripe tickets and RFID cards that are used in the MBTA’s payment system. The MBTA feared that the students planned to teach the audience how to fraudulently add credit to a payment ticket or card in order to ride the transit system for free.
Opsahl said the judge, in making his decision, misinterpreted a part of the federal Computer Fraud and Abuse Act that refers to computer intruders or hackers. Such a person is described in part in the statute as someone who “knowingly causes the transmission of a program, information, code, or command to a computer or computer system.”
Opsahl says the judge, during the hearing, likened the students’ conference presentation to transmitting code to a computer.
“The statute on its face appears to be discussing sending code or similar types of information to a computer,” Opsahl said. “It does not appear to contemplate somebody who is giving a talk to humans. Nevertheless, the court . . . believed that the act of giving a presentation to a group of humans was covered by the computer fraud, computer intrusion statute. We believe this is wrong.”
EFF staff attorney Marcia Hoffman told reporters that the decision set a very dangerous precedent.
“Basically, what the court is suggesting here is that giving a presentation involving security to other security researchers is a violation of federal law,” she said. “As far as I know, this is completely unprecedented, and it has a tremendous chilling effect on sharing this sort of research. . . . And we intend to fight it with everything we’ve got.”
The students were scheduled to present their talk on Sunday about vulnerabilities in the subway’s fare collection system. According to a description of the talk in a printed program given to conference attendees, the students planned to demonstrate how they reverse-engineered the mag stripe on CharlieTickets and cracked the encryption on RFID-enabled CharlieCards that are used in the Boston system. They also planned to release several open source tools that they created in the course of their research.
But the MBTA contended that disclosure of the flaws, before the MBTA had a chance to fix them, would cause irreparable harm to the transit system, particularly if it allowed someone to increase the amount of funds stored on a card or ticket and ride the transit system for free.
The MBTA filed its motion for a restraining order on Friday, August 9th, but Opsahl and Hofmann said that rather than make an immediate decision, District Judge Woodlock ordered a hearing for Saturday morning and allowed the EFF, which represented the students, to participate by telephone from San Francisco and Las Vegas, even though none of the non-profit’s lawyers is licensed to practice in Massachusetts.
The court’s restraining order bars the students from disclosing any information for ten days that could allow someone to defraud the transit system and ride the subway for free.
EFF lawyers and the students refused to discuss details of the now-cancelled presentation but did provide a timeline of events leading up to the MBTA’s suit and also shed light on how the matter unfolded, disputing claims in the MBTA’s court filings that the students had refused to give the MBTA information about the vulnerabilities they discovered.
According to MBTA’s court filings, the agency first learned about the planned presentation on July 30th from an unnamed vendor, described in the only as “someone responsible for components of the MBTA’s fare collection system” (.pdf). The next day the agency contacted MIT computer science professor Ron Rivest, the students’ instructor, and told him that the FBI was investigating the issue.
“We didn’t find that to be a very pleasing way to start a nice dialogue with them,” Anderson said. “We got a little concerned about what was happening.”
A few days later on Monday, August 4, a detective with the transit police and an FBI agent met with the MIT students, Rivest, and an MIT lawyer to discuss their concerns and inquire about the nature of the student’s talk. The students say when they left that meeting they believed, due to verbal comments made to them during the meeting, that the issue had been resolved, and that the MBTA no longer had a problem with their talk. [Note: A previous story said the parties had met on August 5th, a date listed in MBTA's court filings. The students said that date was a misprint.]
The FBI’s Boston office did not respond to a call asking to confirm if there is an ongoing investigation of the students, but Opsahl said as far as he knows, there is no FBI investigation.
Efforts to reach the MBTA for comment were not successful, but according to the MBTA’s court filings, the students failed to respond to a request to provide the transit authority with copies of the conference presentation or with details about the vulnerabilities they found in the payment card system, and this was the reason for taking the students to court.
But the students say this isn’t true.
They say the MBTA did ask for some material — not a copy of their conference presentation — which they provided on Friday at around 4:30 pm, which they say was around the same time the MBTA was heading to the courthouse to request the restraining order.
That material was a confidential vulnerability assessment report (.pdf) describing, in a more substantial way than the conference presentation slides do, the flaws in the MTBA payment system. The report became a public document on Saturday when the MBTA included it among other papers it submitted to the court on Saturday.
The students maintain they didn’t understand that the MBTA was specifically expecting a copy of their presentation until Friday, when they learned the MBTA was filing for a restraining order.
“And at that point we declined to provide the slides until we had an opportunity to see what the complaint said,” Hofmann said.
Even though the MBTA received the vulnerability assessment report at that point, the students point out, it did not withdraw the lawsuit.
But according to an MBTA systems project manager, who filed a declaration with the court, the MBTA asked specifically for materials from their presentation and concluded after receiving the report that it likely did not constitute the materials that the students were planning to present at DefCon. In an e-mail that Anderson sent with the report he wrote, “Note that we absolutely are not disclosing everything we found in this report.”
The students have been criticized by some for not following the generally accepted responsible disclosure guidelines (written by former hacker Rain Forest Puppy) in which a researcher discloses vulnerabilities to a company or agency first, to give that party an opportunity to fix the problems, before disclosing the flaws publicly.
The students say they had intended to contact the MBTA a week prior to July 30th, when the transit authority was still apparently unaware of the presentation. They refused to say what occurred at that time to prompt them to want to make contact with the MBTA, but said their intent was to provide the MBTA with details that they wouldn’t be discussing in their public talk. Ultimately, however, they didn’t act on the impulse because Rivest, who agreed to facilitate the contact, was out of town at a conference. Shortly thereafter, the MBTA discovered the talk and contacted Rivest.
The students maintain that they never intended to teach audience members how to de-fraud the transit system, despite provocative comments they wrote in the published description of their talk.
A description of their talk that is printed in the conference program schedule begins with the sentence “Want free subway rides for life?” The line was removed from an online version of the description after the MBTA met with the students on August 4th, but the students wouldn’t comment about why the change was made.
Opsahl called the provocative language “rhetoric” and said it was always the students’ intention to hold back key details from their talk that would help someone attack the MBTA system.
“Please understand that, rhetoric aside, the intention was to provide an interesting and useful talk, but not one that would enable people to defraud the Massachusetts Bay Transit System,” he said.
As it stands now, the next step, before the temporary restraining order expires, will be to determine whether or not it should become a preliminary injunction to extend the gag for longer, Opsahl said.
Hofmann said it’s unclear right now whether the EFF will continue to represent the students if further litigation is pursued, given that they have no one on staff who can practice in Massachusetts. They will have to evaluate the situation when and if it comes up.
As for the students’ 1 pm speakers’ slot on Sunday, DefCon has apparently already found a replacement. Brenno de Winter, a Dutch journalist and security consultant, told reporters on Saturday that he has offered to fill in — essentially to give the same or a similar talk about vulnerabilities with transit fare cards, thought without the focus on the Boston transit system.
[phpbay]defcon, 7, “”, “”[/phpbay]
Related Posts: On this day...
- LinkedIn opts you into being used in advertisements; Here’s how to opt out - 2011
- Google buying UAV drones for Street View spying? - 2010
- Cars hacked through wireless tire sensors - 2010
- N00b boyfriend meets L33t parents - 2009
- Two convicted for refusal to decrypt data - 2009
- Gramps getting his porn-on in the Mac store - 2009
- Death by Caffeine - 2008
- Inside the network ops at DefCon 16 - 2008