|
|
|
MBTA Loses Gag Order Battle Against MIT Security Researchers
By: Brian Prince
2008-08-19
Article Rating:  / 2
There are 0 user comments on this Network Security & Hardware story.
The MBTA's fight to quiet three MIT students who uncovered vulnerabilities in the MBTA's Charlie Card ticketing system ended Aug. 19, as a federal judge lifted the 10-day gag order imposed on the students. The students had been blocked from presenting details of their findings at the Defcon conference earlier in August in Las Vegas. But the judge's decision to lift the MBTA's gag against the MIT students does not necessarily end the controversy: There is still the MBTA's lawsuit against the MIT students.A federal judge decided today not to extend the gag order imposed on three
students to prevent them from releasing details of vulnerabilities in
the Massachusetts Bay Transportation Authority ticketing system.
The three studentsZack Anderson, RJ Ryan and Alessandro Chiesaall hail
from MIT (Massachusetts Institute of Technology) and were set to reveal details
of their discovery at the Defcon conference in Las Vegas earlier in August.
Before they could, however, the MBTA filed a
lawsuit against both them and MIT in U.S.
district court in Massachusetts and
a judge issued a 10-day gag order Aug. 9 to block the students from making the
presentation.
In the Aug. 19 hearing, the judge denied a request by the MBTA
to impose a five-month injunction blocking the students from releasing details
of the attack while the agency fixes the issue. The students' presentation
reportedly illustrated a way to produce fare cards, reverse-engineer the cards'
magnetic stripes and hack RFID (radio-frequency identification) cards.
The decision, however, does not necessarily end the controversy. There is
still the lawsuit, and there have been no reports as of yet that the city is
dropping it. There is also no shortage of opinions on whether or not the trio
should have been allowed to present their findings at the security conference
before the MBTA could address the issue.
"This is a plain and simple case of irresponsible
disclosure," said Eric Ogren, principal analyst with the Ogren Group. "Other
than fame for the presenters and MIT, what good comes out of this research? I
do not see how the world is a better place with the publicity of defrauding
transit systems. There is nothing responsible about thisI see this as a
malicious action."
The students did notify the MBTA of their
findings a few days prior to their scheduled appearance at Defcon, which
Forrester Research analyst Chenxi Wang said is proper security etiquette for
researchers who find vulnerabilities. However, the issue gets more complex
after that if the organization wants to prohibit the researcher from discussing
the vulnerability, she said.
"Is it an irresponsible disclosure after the researcher has notified
the companyin this case MBTAbut discloses
the vulnerability before it is fixed?" Wang asked. "What if it takes
a long time for the company to fix the vulnerability?"
Wang continued, "In this particular case, it is
arguable whether the vulnerability they discovered was critical or not. How
many people would hack the RFID card to get free rides on the T? The MBTA is
probably better off letting them publish the result and work with the
researchers to fix the vulnerability rather than pursuing injunction in the
court system."
|
|
�������x}r㶲s\@♵MR%ZcY^f&uT� I)R|IN~b:?qt�M�Ze3NƖ�ht7�F;�?;;�~$rI56%S�E]"I�C(`R˩��IZN�ڶ?
�}�~mkr�u��;�z��>>;|�9|AL��T�adB$i�tL|ϨT�S_Fܨ�[:`&`1Z�lR!�j
�9i�?xi-'@I�R(CѺ��(D�ߵ-m:
\'|7*Un�Sp{ca_ʞ��z5"h4"j��;^7W��2�w:�bq?:!l�m�ڮ�U� ؓ�ۭ@x!D�y!rs�#�gߎ�03dc7l#205bR')�V�,"&�3Ýе�:s���z08ryj5jfO-�=K;O=k��\w=j�P?bA2xư!$ne$DJH�n6�,uQj)g�?-�I�p\.ܪn?AW}=
:ԍ�=$�f(jI�HU
&� �} p==\'�xtT!.�yӝÌfؖqwh �͡JZUQ��by_)�:?Wwcwm9{�2w77FuRV5MQ;e�?
n0u�h;\CR�}�NEs<_s�9"A���to&1W`J�LTRBpd"�A�1q�j�j�`Q��%oFe_�P+(.C#-byOa`%�pfQUe�:7gsKߺjZ:>;jN}1�fP+�M�~(#3h�ؕgxk�_:O�fGNW>n�s鐚&�tXAZ|]kU[_{�o!&AJAͼ�94��o��߆I@��-�:ur��ͪ5V z�[PĿ� G/<@'�L[1p3Z&j9T2��3=jM��H���k
�3!RBʼ�ĿI�K
_VPJB�-)\D7h+�Ԍ$ٛ�"Gn�;Cx��r!DKI��88�{���NR]�.iغ�\08�NCtWʲ9QY�+K\M흙ޢG=-*�<�OZV.�.~zi�8^%gk�,]ev"JB0qjꛛZ�ϏRa�^TU���G'&-d`q86ayƔIG�?y�L�>���NR'}:;SjZim;Ni(|���I�8hƋCrYnL,�r�Ӈ�!L���~�;ݣn]=&tnYXŞ�+LRVi`�I
�l"�]�LR}>l�8d
$n)s�s�Ln-)`@��#`��V��<� �2/?C�n@�}S(�}�9g)�nвc@ƘMGs{�wD`
[�q3�7/�j�7ab##[l~pe�
l4�T)f��FfO���~5lwnC9\϶,_ztO]҇1 4f�כ�n�d5�0K%gYA�3�'|(@]4>+WUPÃ"`"+42[�=!
= \Pȭ�T)w^IY䞅T_9YX��X`n�,Rd0q�6I
SXh��8G/C4꾶'ei[I%�ͺ�Z�I�J{a]hk%�T��7�Bj^¢ym<2�D֑`9HM^0�+e�zdч(�e6LF%d6�n���SkdQ6qobV57 Ȕm�yt~4E�j~Z,�<>kp6X"@�@�7w�L)mT.mT^·'Χޱ;�i6�E7;{\OM|tf:��gs?&نdpg�Ф0V�2Pa�BSbg`m1J,<<+ڂ�4`D� ��N�Lb�Р����\�@�U.(L1�9�r�2b*X��P�T�B$�E�P�7`u0$P/XL�+*�9G�pϟ��
sFWyYFZ?O�h<]HjP�'VVR尨V*�h��Gq�)4�Ɂ;����du??5�Yk�N(�zM͠W�>sn�.�y >{�V�N0aE�>yL��{H�[�eXZC}`/�cҧ8P�ĺU0�UESUG�+�+^>�F����]h��C\4!<�}g���4�pf
mWq=[JjJwg
`�Zp�zGc�M ��,rֽm?QeW᧘TVQqi?p;h跸f�@^5pj�?FMS؇Qcm/kRٯ�TҞ5^�ߜmhDA�`�!
Нv;#ؐCKAk2̯!�q�>:(TX�7gmE{H^ac7U�[@o�F)�M�e�4
"|GIpR|9y-�>�s 7poj%śzEnMsU-y�F�x�ٷ"�y@*Z𑿚uK v�s?n216<^uUJ`|,4̩,F�lؤκVs�|,On?R�L5sݿy�ji�==#ݸ,�YEn;&+琩gs�C/� �ܒ;� k@X'V-(7ϙ40p�2^=u�6,헳fO�14D|�\D"p-n�ōap�؉v? �sc[~O��s~7pթr�Vg�HWtČer,×?�Yq,
2w��2Q&OB�8JyZ��J�p9ԃ�`�뼂RUˇFWӛMO`�U!WTQԀO>ƞnR�HrX%W:�iZ=$c��e�(
FBR%%^!�fAɂ]A�ӀM\r8�khs!p}�/O&PFzM��q4I#⩬yF0.Ɨ!��s�kg�O̦:z�f36{%]M;o\!�Lc~u8I,+1Up]t3Mb>ҁ�h
03RlȪ�+> 2*ijARϢsG:Lpz�]�zߋ
uRԣo{{k7}óf�A"WS[�U�ts���C\Դ"hw
ĶRs'}D:iB�q=C
H\WK{(,�~w9ـo�|\V*
rF2�R@BZB$d1~ �4�qJh"g�:�A�;��?m-~=�`��rv�BC��:DHA2S1�
F]�nĖ�S9\)ŔN yr4
�AGJ脊fye5))eH5NR�MLC]�OC/�$$�;�kB:zs �gaM�6mn3�j;[/'�X�;[
.VH0_Ӹ\b跏�D XY�+o-yRb}YGJ^KjpVKu^�4@ �:��3e���Z��&
3�/wг��^w�Z{�yq\3r��$6l\�N*tb�9,_k==˲yӅce�jw;操�~;Oj9vЛ�Sq�Ƅ��`s�k;G�Q��r0&x&�4�lywy#�x�~4qj\[�93
Zt
�gcBxa1~hSr�쒋n4+Ҹ?�5LZ0�c,H~ CGH|5zǿ§G�� �r[k�gϜ�ƭtGv;vk},b20�}_?H+IcqO�r<��rt�ZTcd;I6ӱ$BUUk
�ʾ\EVe.tѓNth<>��iȸ�@7YU��d3tT?�#zi116g�nP;=�zP>Y.=]bwQ[�]xŞvYiIU�.J\�-"PnǸZZ�|:W�%0.րVJj1ԏ։vR����r��If�+qwKMlX�+Nf�&�/%KR$�]qj#q�/.+1Z�"U[PU�#�p4EjA-�/iM6FN.O&|"�YJ�uNv幝RɝқS,4t65�x<> �( ����0q~㜉�ChE^+%�W+GEhY�nޤx�?��3ڌ,U��JHlP
"�5;RE)�;9�7w�9_#'U����K�h9G{iW+cM� 6.5Lr{ H��-�֗cI+��Y�M~Jށ��%�( If%�@�R.��xJ4%S\�y
�Oxi�UAʻw(Jj}^�iO7LǏ0�}})^sȭ���ԗ�;ؤ㸷Lc,0ّ�
&X
?p�Pb|�ĠsXk1K"FoRk+ީJ"My⺪�Hz<0X�RPH&QD0&7ߖya��U
ێ&�MGR��\ߥkmzv� ,zxS*]s4QϷ[ReZ*�Ra�$��Y!y���foުaݡnds3&E?$r�;'@rLB'��@_`W�DI�Y��`�'VHgҦ_sPyuB*{ܲXt���f�t1�V�ckzУ.!�C0æ눨%�D█h-Cv"��-BMAl|Qֲ4�)73sq13+�q�7o7o7o7o6WZ|os^܊YJ>K>�5RNj[mc����I5�[�0B�d�6V`mY�٦j_6}e�&�T�
T{).EP|�>R50DB�J�Ig�40"B^
H�!��)I�i�)d?
Ŝ�kP u{@
�mN�,�~D𱬱�8+�Zz5�v_^X!g=r�m4z/[b�<{5W$)!�H�" �H�D�C&�BnO#ׂ&|�xyC+vWK�|jJ
w
98/# 1��pC84�z�,p�toʆ\SJ�JIJqE:yYхa_[}]:�wI�*!CCCC}>
\mP(1Ւq�'{ɋ`̦�G�h/Z==�;̰W}x,�K@"��?D��il@vִH.{}7R� 3=#gK�.�X?֭䀮F}%8J�;:Z�Q�{Gz�]�x
0tG#�H�� Cʁ���`oOB�O!@ //+SUX\8F�
tMt&�k9CUx;+of7bػ]-~ԼԤ#a\Z^.h�$|mιT+R_W$��[Q0�vK�3r�ƣRw6c�Y�CP?72A �$�E!?q4_�Q7p}Ӛ_3�h\$N@ŋD`;O`�Y�mZسG-]J>%c5H�ne$iZ>Џ���y{�¡YKj|!&3WJD:`��*�+┉fne�O%�%s_��fVI4�p��DX��ȓb .\.ޮb:�>&ܺN:?�_ӷN/㥽�^Fx�{Q}5nqo~|W�saۋ?@{61I�q*�!Z�p6P]}�z�Ucibnn�j�c"*9?
kE_A-ɴjgϡ6
�%��f4fT��,ԇ��w�[?_K�f?��`�*�n'yHdb1K=M�).b�?Dy��u&M]F��w-G~�RJ~~'#`M�;;-20���_[�;�E��[!
<��7�х�4�Vqc6F�:\ē;.~~GD"�bsʉmO��jxiQE#ư>B,XbH�X�ma:��bR�w�_^ݣ�A\ۦ;ѕOD�ntO�Q+"ݔ�PV�9�cW�F�%5z�J�0[AX�^qMT1&M�~4#uT]QS[��Z����[+W#r�d! `,%o,"�xa��q�uQ%�Ǥ@FpxAҲ�0cbS,�YүK�c.�ZEWWK.>%��܋%ӊ,ƻ.c
2��3}&5fLl8P;qU6'�a<::BM�[EvTBh��x#-F55�Rhsܴ5̈G�b�v \<\X;�b�=�Vں�q� yK-yrPU֝U�ȓ�Pc3B-* ;,�@:�Ny =�@k�m'0eNNµ�Aʥ�8IVuף6:F�̽K$|MD0FU�2�j�Y�ӀsǮV5U*�5�YQaZ�e"W�9Æ�ķ�v�,TOಈ{=ב:ۮŸ#=/bZN{�?���#Iу%)1Q�Z:<}Q-mER!&�P~�'���+}l4t_TEڵϔ_� $A�п���{{i/1�~H+k�&9vӹ�&0ڱ]w&-Rݽ<%��v�P\�ׯ0OyZܾ1ʒ2�[+�66mIU+ 7�g%ۅ]�a~E�H �X�\/:�Mz3jX:N#�F¯R߃~�9㞍7Z�:�ì 30]�71儔6�JzN[Ļeŧq+ӘP1iL!!S�O L%&�H!�4�7�\C�P�|°+SwO�R(kUeab+�Y�!kb��^<ҁM+qܒ:e{6
��}D`߄8/>��:{ỂWZ=$Fǻ/�|�T�3/b-#-Ѩ#C
+a�<$z̥7b?= wN�8��{ǃ�"Ba�,c+p�D['鍀��I��+62s��jD�l� ���V#C}N.ZVߺꡇU Cv�;G}m!��W~`7{S]w�Y2�h���a!�'B�9$�.+Ja S�Н�!k:�|e1q$V�Z�؟�ްn�?D�p��A�1HS�c/|cZ�.zʾBR/2OaH�9p=SѨ["#cR1��@Q>ɹ�cMNZfBE<
,iM�����YC) Q?#ϝ�F$�hD1f�x a9=g3bwژչ=��%��zHA�W|8snj�"(S[��]ă0>]w7aPO���AV
p͒wgy�6t0VQ=1e&�}�%nN���K
9b$�P!%�h$`x=9~amday~X&H�_P����b�JU(IhRW�|:P
|�+R0��ٕ���fY3U��r�ӄ^I+\A]��/ �PIZ�
�W{}KV=`�fڟ�S$4./Ͽ�iV>�ڗv�λx�
Z[8j��u+t//'UX��|j5++P/Үw3��:�?3_�2��AF&/n3��^a芪g-5nk
ǸJu�
yW��/"y%6\��(0gG6�+F.Э-'ވm]=�g�%Iy�=0?$Mu1WWvl+Jy.ߔ[nNJ>�j9.~QJxdB$WɴVی ә���|,y��|a2� 'GY+w�e�xĻO�e�ݞ܃�8{�r m>G�0[נ_`Y)W8#Au�^
E|p8m|Z+O�Tq4
j5%pN!3J81�|�H-M�ԳpNz?8
!rW�zrfhNo4pGsn`'�+�90l��Hj$7�rQӊj�~JR�~#\!a،`=bxojJ]N�m~X��,.g
�/(�@#غ7M{%}C7<8fȳRLq�
u+[�%� P��1�=:pǬ*Y�ۼx�`T���
ގe�@���7��J�,�w��;��ŨD@3d˝�_�p1iR�
� {{�[2gډ�e�:'�̔q8Sc��ӄ��Y"Dü�f�7��[h -�x�Q\$~�O�?g�)b|+S}&nd�Ldp!gB-ҋKt�^3@e�D�˺UB`
�jϗ=�n%c�$Q6#�bU�[��63wH
P,#V}$"0�;��Vӄ.N�wO80~.6�J�Hߍ!募@S�VN�#d-B
̸s_`��v9(]3&2-�J.�{J �1-�ycƠ}֝��D#iZ#X�nƀ_@n=,N7"fG_{=/pkx6,x'(|v[�@8>qk �o6Nώ{;]95
+Qݎ;Sg œj@@rĶ kZ1L-]Rx��3z_P��.;4m�F]2�˟$4����n_�s˙߳m3 p7�9=`&<;SÄ'OxŶ�/�G㿄&l�I�0�|F�` ��cO�il@�O� X3Wd]d��A_d|bOh�NYU7�M&$rq�;at]&Ѡ��`AtN[a��>$VS�ށ,ӧ6M\�-.^Us���Ã_V}myr�&}#K�m��^Ǩz�1>�Iϐ�Rx�DX�X��%r�˜2J1Д8ٶ2COA=t
&XnIG\�k<>c�iЄΧ^p멎T�U|�A�>cx L}��C2z
l|$_Oxƪ~Saxr=&����x���u-I�S`�ނ4�ܨN�AEVb0%�yMvSF}�?�dtE��#bSp!@>pM֦2QTD
�Q)ۉYb���d휙FfA9
3/�&U@DqDgPyGml<^|:ym떮�E{�Ofu�ݎfm/y�:" ��B�#VbmR>ŔK.)�tO�ደ��AVt3NEב�k,^��zX�ѻ$'Ps�hՆG��0ޏq7�PR�l@��xS
a
�{�m;pSz2
�
�Ѩ�pCTVD'����3^-�3qݼ�3Qa[_U9sm�jW6x�ozc|>[z0�XjPo!ˣŬ"D0Ȯ��'Z:tsh;h�sTHهl*~��&&�l{k+�НTnxFK-^P?Q�>�χ"@�LNENE<<�Sf )VSL_Xџ�_<|:T+��`�
|
Network Security & Hardware 
