GNU/Linux

Originally Published August 10, 2008; Updated and Republished August 14, 2008; Updated and Republished August 26, 2008:

United States District Court Judge Douglas Woodlock, District of Massachusetts has issued an injunction prohibiting Massachusetts Institute for Technology (MIT) students from presenting their paper, "Anatomy of a Subway Hack" at this years DEFCON 16.

MIT students, Zack Anderson, R.J. Ryan, and Alessandro Chiesa, under professor Ron Rivest, figured out how to clone an insecure Massachusetts Bay Transportation Authority (MBTA) RFID¹ CharlieCard (researchers also looked at MBTA's CharlieTicket).

One wonders why MBTA is requesting and a court granting an injunction²against undergraduate MIT students—seems an injunction is better directed at the vendor of the MBTA RFID CharlieCard³.

There is something very refreshing about the MBTA's insecurity. One wonders how we've managed, in all our brilliance, to create a system in which 48 bit encryption is laughably trivial to protect us from them⁴.

Web:

• UPDATED 08/26/2008 MIT Tech, Students’ Presentation Shows How to Get Free T Fare
• UPDATED 08/26/2008 MIT Tech, MBTA Sues Three Students to Stop Speech on Subway Vulnerabilities
• UPDATED 08/19/2008 Reuters, Judge backs hackers in Boston subway dispute
• UPDATED 08/19/2008 ZDNet, MIT students ungagged: Judge vacates gag order
• UPDATED 08/19/2008 InfoZine, EFF Urges Judge to Lift Gag Order on MIT Students
• UPDATED 08/14/2008 Wired, Federal Judge Throws Out Gag Order Against Boston Students in Subway Case
• UPDATED 08/14/2008 ZDNet, Defcon’s over but MBTA wants gag order to remain
• UPDATED 08/14/2008 Wired, Computer Scientists Ask Court to Reconsider Gag Order in DefCon Case
• UPDATED 08/11/2008 InfoWeek, MIT Students Ordered To Withhold Boston's MTA Hack Details
• Cnet, Judge orders halt to Defcon speech on subway card hacking

-----notes-----

1. RFID technology is becoming ubiquitous. It is currently used in our new passports which were reportedly compromised by the Chinese during their manufacturing process.

While key size and shielding may differ between usages many security experts seem to think the current RFID passports are a bad idea.

2. Adopting policies and legislation aimed at securing our networks and peripheral devices by prohibiting our security researchers from publicly discussing and publishing their circumvention research is a crude and blunt approach. Not to mention ineffective and a blatant violation of our First Amendment.

However, we are making progress—we use to arrest and jail our security researchers!

3. Karsten Nohl's (University of Virginia) research previously exposed the Mifare Classic RFID cipher algorithm underpinning ticket system security used by various domestic and foreign subways.

4. Such a system, while entertaining and generative of make-work, does not seem particularly friendly, beneficial, or sustainable for humans.