Transit Authority Jumps In Front Of Train, Publishes Confidential White Paper
Las Vegas (NV) - Court cases are a wonderful thing because almost all the evidence and filings become public record. The Massachusetts Bay Transit Authority is suing MIT University and three students for hacking its fare system. The three students, Zack Anderson, 21, Alessandro Chiesa, 20 and Russell "RJ" Ryan, 22, were also hit with a temporary restraining order that forbids them from giving their scheduled speech at Defcon on Sunday afternoon. But unfortunately for the MBTA, its attorneys included a confidential white paper about the hack ... a paper that was supposed to be, well, confidential. Of course, we’ve included that document below. In a previous article, we published all the slides from the cancelled talk.
Electronic Frontier Foundation attorneys and the students held a press conference Saturday afternoon to inform attendees that the talk was cancelled. The EFF is representing the students, and senior staff attorney Kurt Opsahl told the audience that he believed Judge Douglas Woodlock was wrong in issuing the injunction. The students stayed fairly quiet, but did say that they had faith in the justice system and were very grateful to the EFF for the help.
Legal documents by their very nature contain specific language and that specificity can come back to bite the MBTA. In a question and answer session, attendees suggested several creative ways of getting around the gag order.
The injunction is specifically against the three students and MIT University, so someone else could give a talk about the hack. In addition, since the MBTA is the organization that was granted the injunction, the students could possibly talk about another subway system. Attendees laughed and cheered when Defcon officials announced that they are seeking some "creative" ways to fill the now empty Sunday afternoon slot. Things that make you say hmmmm ...

Transit companies are already forced to raise prices because oil prices have gone up. If they also have to increase spending on IT security and on lawsuits then fares will go up even more. This hurts poorer people who can't afford cars, and benefits only lawyers.
I think those students should try to find other targets to hack.
Though I do agree that they should target something else.
It is their right to publish any information. If the Anarchist Cookbook is legal and protected then explaining a hack should be as well. There is a distinct difference between publishing knowledge and performing an illegal activity.
Yes, everyone should just look away. Then only the dark jedi know this stuff.
You don't need to see his identification. These aren't the vulnerabilities you're looking for. You can go about your business. Move along.
Absolutely. If they can hack the system, kudos to them. They have every right to publish, and if that helps them get good paying jobs in IT somewhere that's great too.
But, once they find a vulnerability, the responsible approach is to tell the company what they've found, give it a month or so to patch it, and only then go public. That way everybody wins. I really hate it when some people find vulnerabilities (especially in browsers or in Windows) and then just make them public right away, with all the details. That enables even brain-challenged script kiddies to cause damage to lots of innocent people before a patch can be produced.
They did, where do you think they got the whitepaper and slides?
http://www.tomsguide.com/us/Massac [...] -2289.html
"Anderson told Goodin that the team never intended to release tools for hacking into subway systems and had tried to warn the Transit Authority of vulnerabilities in their system."
http://www.theregister.co.uk/2008/ [...] kers_sued/
What you don't know won't hurt you doesn't work. Even if this hole is used nefariously they might not get sued, but that isn't a good reason to ignore a security hole. It would be like Microsoft suing anyone who finds a security hole, just to say Windows has no holes. Instead they work out an update and ask that the finder of the hole wait till the patch is out in the wild before publishing anything.
And set a deadline, afterwards publish. Since users may be losing info/getting compromised in the wild and nobody knows about it. (Since it's not published!) The vendor just denies it and therefore can't be held liable.
This actually happened a few years ago at Defcon or Blackhat. Can't remember which. Instead of an attack on Transit it was on the UPS store copy cards. Pretty much exactly the same hack, one major difference was you could cash the card out!! The author of the hack ethically disclosed it and was told by UPS that no such vulnerability existed. Fact is sometimes the company just won't admit to their shortsightedness.