All Top Banking

Sorry Charlie...Boston Transit Authority Gag Order Lifted

Posted by John B. Frank Wednesday, August 20, 2008

A federal judge has lifted a gag order on three MIT students who were barred from talking publicly about security flaws they discovered in the Boston transit system's automated fare network.

So here's the Presentation!

A lawyer for the transit agency acknowledged its CharlieTicket system has security flaws. But the lawyer asked Judge George O'Toole Jr. to impose a five- month injunction continuing to block the students from revealing anything publicly about the security system. O'Toole rejected the request Tuesday.

The students had been blocked from presenting their findings on the security flaws in early August at DefCon, an annual computer hackers' conference.

"Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."
O'Toole did not rule on the students' claim that the MBTA had violated their First Amendment rights by stopping them from speaking at the hackers' convention.

This from the Boston Globe:
Cindy Cohn, a lawyer for the students, said the students had complied with the MBTA's request to turn over slides from their presentation and a 30-page "security analysis" that outlines everything they discovered about weaknesses in the fare system.

"The MBTA ultimately is trying to silence some uncomfortable truths that these students uncovered," said Cohn, legal director for the Electronic Frontier Foundation, a San Francisco-based legal organization that specializes in civil liberties issues related to technology.

"They brought an action against three college kids rather than address the problems in their own house," Cohn said.  Cohn said the students never intended to reveal key details that would have given hackers information to help them hack into the fare collection system and ride the system for free, despite what the online ad for the demonstration said.

But Ieuan Mahony, an attorney for the MBTA, said the MBTA simply wanted the students to refrain from revealing details about the security problems publicly until the MBTA has time to correct the flaws, which could take five months.  Mahony said that after reading the security analysis submitted by the students last week, the MBTA "has determined that the CharlieTicket system is compromised." 

"We've known that there are some issues with the CharlieTicket, but we realized after reading this paper that they were able to clone and counterfeit the CharlieTicket," Mahony said after the hearing.  Mahony said the MBTA still wants to get additional information from the students on how they were able to clone the CharlieTicket.

Some details about the vulnerabilities of automated fare system were released before the students' planned talk at the DefCon conference. Electronic copies of their 87-slide presentation were included on CDs handed out to conference attendees before the conference officially began and before the MBTA filed its lawsuit.  - Boston Globe

0 comments

Post a Comment

Powered by Blogger.

Blog Archive

Search This Blog

Our Manufacturing Facility

Learn More About Us

Find out how our patented technology can empower your financial institution.

Our secure two-factor online banking authentication eliminates dangerous passwords and usernames and replicates the same trusted process used to access cash at ATM's. (Insert Bank Issued Card, Enter Bank Issued PIN)

There is an R.O.I. as FI's also earn recurring revenue from each transaction conducted using our PCI 2.0 Certified PIN Entry Device. Our technology also provides a unique real-time P2P "Instant-Transfer" which allows your online banking customer to transfer cash from ANY of their bankcards to ANY other bankcard...with the Swipe of a card.

Help your bank eliminate phishing and your customers avoid identity theft by providing them with the ability to stop typing and start swiping. There is no safer way to conduct financial transactions online than by 3DES DUKPT encrypting the cardholder details, which we do at the mag-head "inside the box/outside the browser."

Total Pageviews

SLIM for PC or SmartPhone

SLIM for PC or SmartPhone
Click to Inquire

Chip and PIN eCommerce and Mobile

Chip and PIN eCommerce and Mobile
Click to Inquire

Kapersky Calls for Mass Adoption of Card Readers

Kapersky Calls for Mass Adoption of Card Readers

Translate This Blog

BobCaps

Search ePayment News (example: NFC)

About Me

My photo
Named one of the best Payment Industry News Blogs 4 Years Running

Feedjit

My Zimbio