Category: Technology Author : JR Raphael Posted: August 15, 2008

Subway Hacking Case: Who’s Out of Line?


Three MIT students who found a security flaw in Boston’s transportation system won’t be talking about their discovery any time soon.

A federal judge has ruled against the students’ wishes and ordered them to stay silent, upholding a temporary restraining order requested by the Massachusetts Bay Transportation Authority. The MBTA sprang into action days before the students were set to reveal their findings at last weekend’s DEFCON 16 hackers’ conference.

The students say they found a simple way anyone could modify the cards used to pay for rides on Boston’s “T” subway system. In a nutshell, they discovered that the stored value lived on the card itself rather than in a central database, and that it wasn’t protected by a secure digital signature, so adding hundreds of dollars in value to a card wouldn’t take much.
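To make that point concrete, here is an added toy model of a stored-value card. It is my own illustration for this post, not code from the students’ presentation or from the MBTA, and the card layout, field sizes, key and HMAC scheme are all assumptions rather than the real card format. It shows the two failure modes the article names: with no authenticated tag, a reader trusts whatever balance is written on the card; with a tag but no central database, a genuine old card image can still be copied and replayed, which is why the example goes one step beyond the text and adds a back-end counter check.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Hypothetical card layout, constructed for this example (NOT the MBTA's real format):
#   serial (4 bytes) | balance in cents (4 bytes) | trip counter (2 bytes) | tag (8 bytes)
CARD_FMT = ">IIH8s"
NO_TAG = b"\x00" * 8


def encode_unsigned(serial: int, balance: int, counter: int) -> bytes:
    """Card with no integrity protection: the reader trusts whatever balance is stored."""
    return struct.pack(CARD_FMT, serial, balance, counter, NO_TAG)


def read_unsigned(blob: bytes) -> dict:
    serial, balance, counter, _ = struct.unpack(CARD_FMT, blob)
    return {"serial": serial, "balance": balance, "counter": counter}


def card_tag(key: bytes, serial: int, balance: int, counter: int) -> bytes:
    """Truncated HMAC-SHA256 over every field the reader trusts (assumed scheme)."""
    msg = struct.pack(">IIH", serial, balance, counter)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def encode_signed(key: bytes, serial: int, balance: int, counter: int) -> bytes:
    return struct.pack(CARD_FMT, serial, balance, counter,
                       card_tag(key, serial, balance, counter))


def read_signed(key: bytes, blob: bytes) -> dict:
    """Reject any card whose tag does not match its fields (constant-time compare)."""
    serial, balance, counter, tag = struct.unpack(CARD_FMT, blob)
    if not hmac.compare_digest(tag, card_tag(key, serial, balance, counter)):
        raise ValueError("tag mismatch: card fields were modified or forged")
    return {"serial": serial, "balance": balance, "counter": counter}


def is_valid_card(key: bytes, blob: bytes) -> bool:
    try:
        read_signed(key, blob)
        return True
    except ValueError:
        return False


def overwrite_balance(blob: bytes, new_balance: int) -> bytes:
    """What someone with a card writer does: rewrite the balance bytes and nothing else."""
    return blob[:4] + struct.pack(">I", new_balance) + blob[8:]


class Ledger:
    """Central database keyed by serial. The tag stops forgery of new values, but a
    bit-for-bit copy of a genuine card still carries a valid tag; remembering the last
    counter seen per serial is what catches that replay."""

    def __init__(self) -> None:
        self.last_counter: dict = {}

    def accept(self, card: dict) -> bool:
        last = self.last_counter.get(card["serial"], -1)
        if card["counter"] <= last:
            return False
        self.last_counter[card["serial"]] = card["counter"]
        return True


def ride(key: bytes, blob: bytes, ledger: Ledger, fare: int) -> "tuple[Optional[bytes], str]":
    """Gate logic: verify the tag, check funds, check the back end for replay, then
    deduct the fare and rewrite the card with the counter advanced."""
    try:
        card = read_signed(key, blob)
    except ValueError as exc:
        return None, str(exc)
    if card["balance"] < fare:
        return None, "insufficient value"
    if not ledger.accept(card):
        return None, "replayed or cloned card: counter already used"
    new_blob = encode_signed(key, card["serial"], card["balance"] - fare, card["counter"] + 1)
    return new_blob, "ok"
```

Two things worth noticing: the HMAC covers the serial and counter as well as the balance, so an attacker cannot move a valid balance onto another card or roll the counter back; and the ledger check happens only after the funds check, so a declined ride does not burn the card’s current counter.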

The MBTA says it needs time to look over the data and decide how to handle it. Of course, once the complaint was filed, the paperwork detailing the flaw made its way onto the Internet, so it’s all really a moot point.

That’s what makes it so surprising, then, that the judge refused to lift the restraining order and let the students discuss their discovery. Anyone can already find the information — and, on top of that, the students say they offered to give the MBTA their findings in advance. (The MBTA, for its part, says it received only a summarized version and wanted to see the whole presentation.)

The Electronic Frontier Foundation is fighting for the students’ side, but so far, it’s been a losing battle. Up next, the students will have to give the judge more details about the flaw they found. He’ll then rule on Tuesday whether to extend the restraining order or let them finally speak.

Is it the students’ responsibility to hold the MBTA’s hand and walk it through what they found? Seems to me that the kids have already gone above and beyond any obligation they might have had. Technically, if the MBTA can prove that the information would cause it harm if released, it’ll have the law on its side, though it does make you wonder where the line lies in this sort of case, and why it lies there.



1 Comment

I've debated this with my husband more than once. It's been shown time and time again that companies, even when informed of exploits, still manage to ignore them, assuming no one will actually use them or find them, or who even knows what. In an open source project, yes, I find it good will to fix the error rather than just report it. But with closed systems where there seems to be a good amount of sloppy design and programming, and then a reliance on others to fix it, I don't think there is any incentive to hold it, and I'm glad the EFF has taken this on. Is the MBTA going to pay them to hand-hold? Otherwise, all bets are off.
