328 Comments
- emkaysmith, on 08/11/2008, -4/+658: Typical. Don't fix the problem -- attack the whistleblowers.
- revrev, on 08/09/2008, -4/+268: very nicely done.
- Harbinger1080, on 08/10/2008, -4/+220: That was awesome. I totally need to go warcarting...
- Morghin, on 08/11/2008, -1/+184: Because it's easier to sue their asses and prevent people from publishing gross security weaknesses in the future so that they can save a bit of cash and walk on in ignorant bliss.
- codywyers, on 08/11/2008, -46/+223: How sad. An excellent post like this gets 334 diggs
but xkcd (as usual) gets 1k+
at least this got to the FP
i finally understand why people say digg isn't real news and continue to go to /. even though the formatting is inferior.
The interface is slick, and occasionally there is a gem amongst the stones (ie this article)
but in reality... Digg is the TMZ of tech news
ah crap. now i'm just another digg-hate comment...
that's not my intent! i love the digg tool, i don't know how it works (none of us really do)
this is more of a disappointment at the content posted, not KRose and his team.
ah crap. now i'm just another digg-user-hate comment.
that's not my intent either! but what can i do. All this has happened before and all this will be said again.
Anastasia Dualla is the final cylon!
- Shadowgamers, on 08/11/2008, -6/+164: Freedom of Speech get. And if they do try and remove it again, ctrl+c, ctrl+v :V
- Nachoes, on 08/11/2008, -7/+146:
1) Get an injunction.
2) ???
3) Fail.
- khsheehan, on 08/11/2008, -6/+144: Am I the only person here who isn't going to pretend he has any idea what the ***** is going on?
- Shao00, on 08/11/2008, -3/+80: amazing, i wish i went to MIT
- jocnnor, on 08/11/2008, -2/+76:
Michael: Ok, there's still three whistles left out there. Who's got the whistles?
Board Member #1: (blows whistle) He kept one.
Michael: There's a good example of whistle blowing, ok, but you've kept yours, so it's hurting your case.
Board Member #1: I was in the bathroom when you asked for it back.
Board Member #2: (blows whistle) No, he wasn't.
- yunus, on 08/11/2008, -2/+73: awesome Warcart
- AbhorrentBanana, on 08/11/2008, -1/+67: Very ingenious. Well done, very well done. If companies would just employ more White Hat hackers then maybe things wouldn't be this easy to crack and take advantage of.
- odinfire, on 08/11/2008, -3/+61: Meh... if a suicide terrorist was going to invade the subway system, I highly doubt they are going to bother saving a few bucks by hacking the gates. They'll just pay as usual and proceed to their bombing points.
- ywwg, on 08/11/2008, -1/+59: You've got it backwards. If you could do this stuff, you could go to MIT.
- FoxtrotYankee, on 08/11/2008, -0/+54: Background for those seeking what the ***** is going on:
These are the slides to a presentation scheduled to be presented at Defcon (an annual gathering of Hackers in Las Vegas where we drink a lot but also do find some time to listen to some really cool presentations from people who do security research aka "hack"). So, the slides were never meant to stand on their own, they were to be projected during an hour-long talk. Most of the content was to come from the talk and not the slides.
The MTA was asked to review the research so they could fix their holes before disclosure. They blew off the researchers and threatened them.
The researchers decided that disclosure was ethical based on the MTA's inability to cooperate.
The MTA filed suit for a TRO to keep the researchers from presenting their findings at Defcon. They were granted the TRO by a federal court (I think that was the court who did it).
But, the MTA still screwed up. They went for the TRO too late. By the time they got their TRO, about 8000 Defcon attendees already had a CD that contained a copy of the slides (we get the slides for each presentation in advance). The TRO couldn't name 8000 attendees and, even if it could, I bet someone would have violated it anyhow and leaked the slides.
In addition, the MTA's complaint that they filed with the Federal Court contained a copy of the slides and a brief that went into the vulnerabilities in far more detail. This complaint is public record. Oops.
So, if you're not sure why the slides don't explain anything, it's because they were meant to be accompanied by a talk for context and explanation. If you wondered why this is important, it's because of the lawsuit.
This was similar to a lawsuit from Cisco a couple of years ago against a presentation at Defcon's sister conference. http://www.wired.com/science/discoveries/news/2005 ...
- goffy59, on 08/11/2008, -10/+63: See! Freedom of Speech is *****. The government says you have freedom of speech just so you feel comfortable, when in reality, if you do something they disagree with, you get ***** in the ass or at least hassled.
- Poltron, on 08/11/2008, -3/+54: i want to see if this works in the NYC subway.
- zmigliozzi, on 08/11/2008, -1/+52: Sue for showing security weakness in their system? Something just doesn't sound right. They really should just think of it as a free network analysis.
- naterpoke, on 08/11/2008, -3/+43: 1st amendment succeed!
- fload, on 08/10/2008, -2/+40: love it
- n3demonic, on 08/11/2008, -1/+39: Comes with PA speaker... "for announcements and intimidating music"
- eliasg, on 08/11/2008, -0/+31: What's scary is how many of those rooms were unlocked.
- Zipko, on 08/11/2008, -1/+32: It's much easier to crack security than it is to maintain it. Remember, the tough part of security is that you have to get it right every time; the hacker only has to be right once.
Good security companies do employ these types of people, but even with the best talent in the industry it's not easy to keep determined people out.
Also, look at it from a business perspective. Who cares if some MIT genius can get free subway rides for life? The system is good enough to keep most people from abusing it, and the money you lose from those who abuse it doesn't justify the high cost of fixing the holes.
- soundchaser, on 08/11/2008, -0/+29: i'll join you there.
don't have a ***** clue how this works, but the slides were pretty interesting anyways.
i don't think everyone on digg is a ***** engineering/programming student, although i'm sure many like to pretend they are.
- Slackersrule, on 08/11/2008, -0/+28: "what this talk is not: evidence in court (hopefully)"
I wonder if this was before or after the restraining order.
- borez, on 08/11/2008, -0/+27: I'd love to hack my Oyster card, the cost of traveling around London is obscene.
- ewarner, on 08/11/2008, -0/+25: Hmmm, I live in Boston...
- tomz17, on 08/11/2008, -0/+24: AFAIK, they did... The response from the MBTA was to threaten to call the FBI and apply for an injunction w/ the vendor.
- protogenxl, on 08/11/2008, -0/+24: The MBTA was asking for trouble when they named the system after a fare hike protest song. (see the Dropkick Murphys for a modern version of the song)
- rebotfc, on 08/11/2008, -0/+23: What was cool was that I understood some of that! It woulda been a great talk.
- vastrightwing, on 08/11/2008, -1/+22: Forget cracking the Charlie Card or Charlie ticket, they missed two very easy methods to skip the fare gates: simply throwing your backpack over the gate so it trips the sensors on the other side to open the gate. Also, tailgating a paying customer requires no equipment or fancy techniques. Very low tech.
The fare gates should have been designed to be a man trap like in Japan.
- iJessicaRabbit, on 08/11/2008, -0/+20: I was reading the names and dates of war___, but when I actually SAW the warcart... my jaw dropped. That thing is AWESOME
- dave122, on 08/11/2008, -0/+20: you just hate freedom.
- addiktion, on 08/11/2008, -0/+18: These kids are seriously elite. This is the kind of nerdy stuff I envy!
- malibusurf, on 08/11/2008, -0/+18: Maybe instead of trying to censor useful (for all parties) information, they should worry about the fact that their state of the art monitoring facilities are devoid of staff, and that their wired network is totally vulnerable to attack. pp.73
- ParanoydAndroid, on 08/11/2008, -1/+18: If we truly want ground up systemic security then there should *never* be negative consequences to divulging flaws. The messenger is not the problem, and should never be treated as such. These kids need high paying jobs doing exactly what they're doing right now, not lawsuits.
Now yes, it would have been politer if they had informed the city of the flaws first, but in my opinion they have no legal or moral imperative to do so.
- tluweyen, on 08/11/2008, -3/+19: Check spelling fail!!!!
- ZubZerp, on 08/11/2008, -0/+16: And then they become theoretical physicists in secret underground research facilities in New Mexico. Then they save the world from aliens with a crowbar.
- borez, on 08/11/2008, -1/+17: Did that for a while; apart from getting countless bikes nicked, I didn't really enjoy being attacked by car drivers on a daily basis, and don't even mention those sodding bendy buses.
- Super6, on 08/11/2008, -0/+15: You don't understand what DEFCON is, do you? It's where whitehat hackers reveal exploits and people like the ZDI give them to the appropriate channels
- cm32438, on 08/11/2008, -1/+16: Sounds RISCy...
- durnit, on 08/11/2008, -1/+16: They have open courseware. So really, you could get something pretty close to an MIT education w/o having to pay or get accepted. Of course, you wouldn't have the status of being an MIT student, but who cares (a lot of people think they're egocentric social misfits anyway).
- Grazfather, on 08/11/2008, -4/+19: Coolest thing on digg in a long time.
- chanop, on 08/11/2008, -5/+19: I have a couple, one in my bathroom and one in my bedroom.
- Nothlit, on 08/11/2008, -0/+13: Yes, and stealing rides is surely the way to go...
- crestfall, on 08/11/2008, -0/+12: More proof that I am, in fact, much closer to brain-dead than I had suspected.
- Shadowgamers, on 08/11/2008, -2/+14: The EFF would challenge the suit as an unconstitutional attack on the first amendment and the guys would challenge the EFF as a bla bla bla legal mumbo jumbo
No idea how the American legal system works, but I hear you love that constitution of yours :v
/deposits 2 pence
- tekhna, on 08/11/2008, -0/+12: No reason why it couldn't. Similar system. Someone just needs to do the gruntwork.
Then again, it's been 10 years...
http://query.nytimes.com/gst/fullpage.html?res=9F0 ...
And there's always this trick: http://gothamist.com/2008/02/15/rubber_cement_m.ph ...
- ubrikkean, on 08/11/2008, -0/+12: But it sounds so ***** cool
- digitalpencil, on 08/11/2008, -0/+12: http://web.mit.edu/zacka/www/warcart.html