Skip to content

Tag Archives: MBTA

More on the T Hack

Tuesday, September 16, 2008

Those interested in the MIT students’ hack of the MBTA’s Charlie Card (”Don’t Enjoin the Messenger“) should read Bruce Schneier’s Wired article, “Boston Cout’s Meddling With ‘Full Disclosure’ Is Unwelcome” and follow the article’s links.  Schneier’s insights into security issues are always worthwhile.

Filed in Security | Also tagged , | Comments (0)

Don’t Enjoin the Messenger

Thursday, August 21, 2008

Two weeks ago three students from MIT appeared at DEFCON in Las Vegas to present their successful hack of the Massachusetts Transit Authority’s electronic fare system–the “Charlie Card.” The MBTA went to federal court to enjoin publication of students’ presentation, claiming it would violate the Computer Fraud and Abuse Act. The court granted the injunction on August 9, only to lift it yesterday, ruling that the MBTA was not likely to succeed on its CFAA claim. Follow the story’s arc here, here, here, and here–and then read Bruce Schneier’s timely (8/7) essay from The Guardian. Schneier’s piece discusses the successful hack of the London subway’s Oyster smartcard by students from the Netherlands. The Oyster card’s maker, NXP Semiconductors, sued to prevent publication of the hack; it lost. The Oyster card uses the same chip–the “Mifare Classic”–used by Boston and other transit systems. Schneier writes “[t]he security of Mifare Classic is terrible . . . it’s kindergarten cryptography. Anyone with any security experience would be embarrassed to put his name to the design. NXP attempted to deal with this embarrassment by keeping the design secret.” In ruling against NXP the Dutch court said “[d]amage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings.” (Emphasis supplied)

These two cases follow a familiar pattern: Company A does a crap job designing or delivering a good or service to Company B; someone blows the the whistle on Company A’s mis- or malfeasance; Company B blames the whistleblower for leaking news of flaw instead of blaming Company A for its lousy performance. Here the Dutch court got it right, and the U.S. court is heading in the right direction.

Filed in Security | Also tagged , | Comments (0)