The MBTA obtained a restraining order against three MIT students, preventing them from giving a talk on weaknesses in the T's "Charlie Card" system. My initial knee-jerk reaction was that this was a typical case of using lawsuits to keep people from realizing what a bad job someone had done with security; but as I read more, it looks as if the students went beyond reasonable bounds.
There is a PDF document of the students' intended slide show on The Tech's website. It says near the start:
You'll learn how to
- Generate stored-value fare cards
- Reverse engineer magstripes
- Hack RFID cards
- Use software radio to sniff
- Use FPGAs to brute force
- Tap into the fare vending network
- Social engineer
- WARCART!
AND THIS IS VERY ILLEGAL!
So the following material is for educational use only.
The Tech's article says:
According to the presentation, the students wrote software to generate and analyze cards like the CharlieCard to crack encryption keys on those cards, and they wrote software to read and duplicate cards like the CharlieCard. That software was available online days ago, but the students have since removed their tools from the Internet.
Disclosing weaknesses in security is one thing; providing specific instructions and tools for breaking it is another.
The Electronic Frontier Foundation considers their actions legitimate, though. The article quotes Zack Anderson, one of the students:
We wanted to share our academic work with the security community and had planned to withhold a key detail of our results so that a malicious attacker could not use our research for fraudulent purposes. We're disappointed that the court is preventing us from presenting our findings even with this safeguard.
This is directly at odds with the introduction to the slide show. It wouldn't be surprising if a group of MIT students promised more than they were going to deliver in order to get the audience's attention. It is stupid, though, and providing software online to duplicate cards is worse than stupid (even if that software would very likely be simple for others to replicate).
The restraining order (PDF) is available on EFF's website, but it's very brief and doesn't explain the reasons for the action.