Feeds

The Boston Trio and the MBTA

How the transport bods silenced security researchers

Intelligent flash storage arrays

The annual DEFCON conference in Las Vegas in early August got a bit more interesting than usual when three graduate students from the Massachusetts Institute of Technology were enjoined from giving a presentation by a court in Boston.

The three - Zach Anderson, RJ Ryan and Alessandro Chiesa - intended to present both a paper and slides to the assembled masses of hackers explaining certain configuration issues with respect to the Massachusetts Bay Transportation Authority (MBTA) fare card system for riding the Boston subway system. The fare card system, or Fare Media system, used stored value cards, known as CharlieCards, after a locally famous song by the Kingston Trio called Charlie on the MTA.

Let me tell you the story
Of some boys from MIT
On a tragic and fateful day
They put out some information
Kissed their career and reputation
And took for ride the MTA

The cards were subject to various cloning attacks, which would permit both sophisticated and unsophisticated hackers to create duplicate CharlieCards, and therefore evade payment for subway rides.

Needless to say, when the lawyers for the MBTA learned of the DEFCON presentation, they were not amused. While there are disputes about who contacted whom first, and precisely what information was going to be disclosed or not disclosed at the presentation, ultimately the MBTA went to court in Boston and obtained a temporary restraining order (TRO) preventing the release of certain information about the vulnerabilities. The TRO was eventually reversed by the court, but not until the trio was denied the opportunity to make their presentation. Of course, in keeping with the Streisand effect, where attempts to censor content merely draws attention to it, both the slides and the paper to be presented were widely disseminated in advance of the TRO.

Much of the debate over the TRO has focused on the prior restraint on free speech aspects of the case. However, more important to security researchers are the questions of responsible or irresponsible disclosure of security vulnerabilities, and potential civil or criminal liability for doing so.

Security for virtualized datacentres

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Shellshock over SMTP attacks mean you can now ignore your email
'But boss, the Internet Storm Centre says it's dangerous for me to reply to you'
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.