MIT students Alessandro Chiesa, R.J. Ryan, and Zack Anderson show up at, but do not speak at, the Defcon conference in Las Vegas on Saturday.
(Credit: Declan McCullagh/News.com)
The state of Massachusetts plans to ask a federal judge on Thursday to keep in place a restraining order that prevents three MIT students from publicly discussing vulnerabilities they discovered in subway card security.
U.S. District Judge George O'Toole in Boston is scheduled to hear arguments at 11 a.m. ET on whether to modify or eliminate the temporary restraining order, which attorneys for the students characterize as a prior restraint in violation of decades of First Amendment precedent.
A different judge who was on duty on Saturday gave the Massachusetts Bay Transportation Authority an order prohibiting the students from discussing or publishing information that might let anyone "circumvent or otherwise attack the security of the Fare Media System."
In an effort to lessen the sting of free speech complaints, MBTA's attorneys now are asking O'Toole to reword the order to apply only to "nonpublic" information, recognizing that the presentation slides are circulating online. But they insist the rest of the order must remain intact because the agency is greatly "concerned with the core issue of immediate concern in this case--the security and integrity of its Fare Media System."
O'Toole has until August 19 to extend the order in the form of a preliminary injunction or let it expire.
Security researchers are paying close attention to this case because it could eventually set a precedent that weighs their First Amendment right to publish freely against the desire of vendors to keep embarrassing and potentially explosive details secret.
The Electronic Frontier Foundation, which is providing a legal defense to the MIT students--Zack Anderson, R.J. Ryan, and Alessandro Chiesa--plans on Thursday to ask O'Toole to dissolve the restraining order completely.
EFF is offering three main arguments for its position: First, the Defcon conference is over and the presentation and separate analysis (PDF) have been widely circulated online (unfortunately for MBTA, a copy of the presentation was in the materials distributed to conference attendees).
Second, EFF says, the Computer Fraud and Abuse Act's prohibition on the "transmission of...information" that may damage a computer was never intended to encompass a public presentation and was not written to do so. Third, the restraining order is an unconstitutional prior restraint; if the Supreme Court permitted the publication of the Pentagon Papers in 1971 over the heated objections of the Nixon administration, why should a student presentation not also qualify?
"The TRO as initially granted restricted the students from providing true, publicly known, legally acquired information about the MBTA's CharlieCards and CharlieTickets in violation of the First Amendment," the EFF said in a legal brief. "The current TRO as the MBTA suggests that it be modified still restricts the students from providing true, legally acquired information about these cards. This restriction also violates the First Amendment."
EFF has enlisted some high-profile academics to help it make the case that the restraining order is antithetical to security research. Carnegie Mellon University's David Farber, Columbia's Steven Bellovin, Berkeley's David Wagner, and the University of Pennsylvania's Matt Blaze are among the academics who signed a letter to the judge on Monday. It says:
We are concerned that the pall cast by the temporary restraining order will stifle research efforts and weaken academic computing research programs. In turn, we fear the shadow of the law's ambiguities will reduce our ability to contribute to industrial research in security technologies at the heart of our information infrastructure. We urge that you reconsider and remove the temporary restraining order issued on August 10, 2008.
For its part, the MBTA says it's willing to negotiate. It's offered to engage in "non-binding" professional mediation, without "preconditions," as an alternative to proceeding with Thursday's hearing. (See our related story).
In an e-mail message to EFF on Monday, Ieuan-Gael Mahony, a partner at the Holland & Knight law firm, wrote:
In a mediation process, for example, we would hope to discuss and obtain an understanding of the information, if any, the MIT Undergrads hold that might threaten Fare Media System security. We do not set preconditions on a mediation, however, as we strongly believe -- again - that discussions between reasonable parties toward a resolution are preferable to an externally imposed resolution... There are countless examples from large to small of relationships that are polarized and entrenched-hostile because of bad choices by both sides shortly after the rift began. We would like to avoid this here, if possible. We think talking in a non-binding, professionally mediated environment is the best way to avoid further misunderstanding, and potential "bad choices." ... You request, in an "on/off" manner, that we now "shut off" the TRO. This is traditional advocacy, where the goal is to "win all" and avoid "lose all." With our mediation proposal, we look for, and are willing to accept, gradations between these poles.
EFF appears to have rejected the request for a mediation. EFF attorney Marcia Hofmann refused to answer our questions, saying only that: "We decline to discuss our ongoing communications with counsel for the MBTA. Our priority at this point is to ensure that the temporary restraining order is lifted..."
In a testy e-mail exchange with MBTA's lawyer, EFF has suggested that he made a tactical error by filing both the presentation and the summary marked "confidential" as publicly available court exhibits. Read on for more details.
[Editor's Note: Below is the text of an e-mail thread between EFF's Jennifer Granick and MBTA attorney Ieuan-Gael Mahony. One topic is whether the EFF will agree to enter into nonbinding mediation, which MBTA would prefer. Another is MBTA's complaint about a "large amount of misinformation" circulating in the press. Any transcription errors arising from placing the e-mail messages into HTML format are ours, not theirs.]
From: Mahony, Ieuan (BOS - X75835)
Sent: Monday, August 11, 2008 3:36 PM
To: 'jennifer@eff.org'
Cc: 'cindy@eff.org'; 'kurt@eff.org'; 'marcia@eff.org'; JSwope@eadplaw.com; 'WMitchell@mbta.com'; 'SDarling@mbta.com'
Subject: RE: CRITICAL INFORMATION: MBTA v Anderson et al
Jennifer:
We are unwilling to lift the TRO in the binary "on/off" manner you state, and respond more fully to your email as follows:
(A) Removing the TRO Is Not a Tailored Solution
We are willing to discuss tailored solutions to the underlying problem, and have proposed a formal mediation process for these discussions. You have given no response to our proposal for mediation. You recall that I asked for a negotiated solution before the Saturday hearing. I confirmed these inquiries to you in email, and these emails are public record and freely available on the web. See http://www-tech.mit.edu/V128/N30/subway.html. You did not respond meaningfully to those requests, either.
(B) Misinformation Threatens To Cloud the Issues
In following the DEFCON-related press, it is clear that a large amount of misinformation has been circulated concerning the meaning of the TRO, and related points. For example, you know, because Judge Woodlock asked you these questions in open court, that the primary concern was with the content the students might or might not supply to go with the literal expression embodied in the Presentation, as well as the Report. Press reports suggest that the TRO banned circulation of the paper materials themselves. You know this is incorrect.
Yet your email relies on this theme. We made it clear in our papers: based on the information we have (a large part of which you intentionally withheld from us until 4:38 AM Saturday morning) we do not know what your clients have done or are capable of doing. Their broad statements concerning "free subway rides for life" suggest they are capable of a lot. This is the concern. We would like to create an environment, immediately, where all parties can share the information they feel is warranted, in order to quantify and assess this risk. We would like to "re-do" the August 5 (or 4) meeting, but with more sensitivity, hopefully all around, as to the mutual stakes.
We think a mediated solution presents mutual benefits. The structure of non-binding mediation assures mutual benefits - or at a minimum a clear assessment of the alternatives to a negotiated solution. In a mediation process, for example, we would hope to discuss and obtain an understanding of the information, if any, the MIT Undergrads hold that might threaten Fare Media System security. We do not set preconditions on a mediation, however, as we strongly believe - again - that discussions between reasonable parties toward a resolution are preferable to an externally imposed resolution, where it is possible to avoid such an external resolution.
(C) We Are Very Sensitive To Your Clients' Concerns Over The Restraint
Finally, we believe we understand the point in your email that the TRO "continues to hang over our clients' heads, making them uncertain what if anything they can say about their research and this case." One goal with a mediated solution, working together, would be to reduce or eliminate uncertainty (to the extent uncertainty from a legal or practical perspective exists). Another goal of a mediated solution would be to determine other parameters of responsible disclosure under these circumstances. Yet another goal with a mediated solution might be to "make amends" on all sides, whatever that might mean here. There are countless examples from large to small of relationships that are polarized and entrenched-hostile because of bad choices by both sides shortly after the rift began. We would like to avoid this here, if possible. We think talking in a non-binding, professionally mediated environment is the best way to avoid further misunderstanding, and potential "bad choices."
(D) Conclusion: Renewed Request for Mediation
You request, in an "on/off" manner, that we now "shut off" the TRO. This is traditional advocacy, where the goal is to "win all" and avoid "lose all." With our mediation proposal, we look for, and are willing to accept, gradations between these poles. We believe - whether in light or not in light of recent history - that reasonable "win-win" solutions are available, if the parties meet and work through options. We ask that you confer carefully with your clients, and respond to our mediation proposal. We believe that mediation should commence as soon as possible. We have made this proposal to MIT counsel as well.
Let me know
Ieuan
From: Mahony, Ieuan (BOS - X75835)
Sent: Monday, August 11, 2008 11:37 AM
To: 'jennifer@eff.org'
Cc: 'cindy@eff.org'; 'kurt@eff.org'; 'marcia@eff.org'; 'WMitchell@mbta.com'; 'SDarling@mbta.com'
Subject: Re: CRITICAL INFORMATION: MBTA v Anderson et al
Jennifer:
We are considering your proposal. We are having a meeting of senior management on this and related issues this afternoon at 1:30 eastern. I will report our response as soon as it is complete.
I will continue to keep you posted,
Ieuan
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
From: Jennifer Granick
To: Mahony, Ieuan (BOS - X75835)
Cc: cindy@eff.org ; kurt@eff.org ; marcia@eff.org ; WMitchell@mbta.com ; SDarling@mbta.com
Sent: Mon Aug 11 00:26:42 2008
Subject: Re: CRITICAL INFORMATION: MBTA v Anderson et al
Dear Ieuan:
Thank you for your thoughts. I'm surprised your client feels that the Report does not pose a risk, given that it contains information my clients intended to keep confidential. It appears my clients are more cautious about disclosing vulnerability information than yours are. Moving forward, both the slides from our client's intended presentation and the confidential Report are now publicly available. This constitutes more information than the students would have presented at their Defcon talk. Furthermore, your client reportedly does not feel that the security risk posed by the availability of this information warrants emergency measures. Finally, Defcon is over and the students did not give their talk. Under these circumstances, would your client be willing to stipulate to lifting the TRO at this time? While the protection it provides is now moot as to your client's concerns, it continues to hang over our clients' heads, making them uncertain what if anything they can say about their research and this case. Please let me know right away.
Thank you,
Jennifer
Civil Liberties Director
Electronic Frontier Foundation
454 Shotwell Street
San Francisco, CA 94110
415.436.9333 x 134
fax 415.436.9993
jennifer@eff.org
On Aug 10, 2008, at 12:18 PM,
Dear Jennifer:
Let me address your email and phone call from yesterday, and also return to earlier discussions over a "moving-forward" relationship between the parties.
(A) Your Email
First, we want to thank you for your concern. Second, as I indicated earlier today, the MBTA, along with a system vendor, has completed its review of your email, and re-reviewed the three page summary report attached as Exhibit 1 to Scott Henderson's Declaration (the "Report"). This review does not alter the original assessment of the Report, provided by Mr. Henderson in his declaration. Yet it is the case that (a) the quantity and quality of information provided by the three page Report, standing alone, is less than (b) the quantity and quality of the information provided by the Report read in combination with the Students' 87 page presentation entitled "Anatomy of a Subway Hack" (the "Presentation"). If the MBTA had been given the Presentation when first requested (or even at the time when the Presentation, we understand, was made available to DEFCON attendees), the "(b)" circumstance might have been avoided. In any event, the MBTA's evaluators do not assess the risk of this information at the level you set in your email. The MBTA, with vendor support, has begun work on internal responses to the potential security risks at issue. It is our view that an internal, technical and personnel response is the best long-term solution. Accordingly, we do not share your view that legal "emergency measures" are required. We do not think that seeking court relief on this issue and at this point is appropriate. Again, thank you for your concern.
(B) Moving-Forward Relationships
We can see from your clients' statements in the press, and the EFF's public statements, that the lawsuit generally, and Temporary Restraining Order in particular, do not from your perspectives represent a fair or balanced situation. From my first conversations with Marcia and Kurt, and then later with you, Jennifer, I stated my view that parties, acting reasonably, will invariably develop and implement a resolution of a dispute that is substantially better tailored to their interests than a resolution imposed on them by an external authority. We think we should continue discussions, to see if we can find a solution that is better tailored to all parties' interests. In my view, Judge Woodlock, in his findings and rulings, directed the parties to work toward a solution perhaps more "creative" and "outside the box" than the standard "keep fighting in court over abstract issues while life goes by". The goal would be to shift from an adversarial mode to a cooperative, discussion mode, if possible. We respect your clients' continued statements that their goal remains to provide solutions to security risks. We propose formal mediation as the process for seeking a more optimal going-forward solution. We think we should reserve a full day, or perhaps two. We suggest that the mediation take place in Boston. Other issues, such as mediator costs, whether formal "written submissions" are exchanged, and the like we can discuss.
Let us know your thoughts.
Thanks
Ieuan
From: Mahony, Ieuan (BOS - X75835)
Sent: Sunday, August 10, 2008 9:27 AM
To: 'Jennifer Granick'
Cc: Cindy Conn; Kurt Opsahl; Marcia Hofmann; Mahony, Ieuan (BOS - X75835)
Subject: RE: CRITICAL INFORMATION: MBTA v Anderson et al
Jennifer:
The MBTA and one of its vendors have completed review per your email, below. I'll have results to you later today.
I'll continue to keep you informed.
Thanks
Ieuan
From: Jennifer Granick [mailto:jennifer@eff.org]
Sent: Saturday, August 09, 2008 5:14 PM
To: Mahony, Ieuan (BOS - X75835)
Cc: Cindy Conn; Kurt Opsahl; Marcia Hofmann
Subject: CRITICAL INFORMATION: MBTA v Anderson et al
Dear Mr. Mahony:
This email is to follow up on my phone call to you of just a few minutes ago. As you know, Mr. Anderson, Mr. Ryan and Mr. Chiesa provided your client MBTA with a confidential three page summary of their research and recommendations for securing the fare collection system. It has just come to our attention through third parties at the Defcon conference that plaintiffs have made this report publicly available on the court's pacer website by filing the document as an exhibit. This confidential document contains the checksum information without which an attacker can not create a forged card. This information is highly sensitive, which is why my clients planned to withhold it from their presentation. We strongly urge you to take emergency measures to have it removed expeditiously.
Best wishes,
Jennifer Granick
Civil Liberties Director
Electronic Frontier Foundation
454 Shotwell Street
San Francisco, CA 94110
415.436.9333x134
fax 415.436.9993
jennifer@eff.org
Three MIT students are disputing the Massachusetts transit agency's version of the events that led to the state filing a lawsuit last week--and obtaining a restraining order against their talk on subway card security scheduled for Sunday.
The latest dispute originates in comments made to CNET News by Massachusetts Bay Transportation Authority spokesman Joe Pesaturo in a report published Monday. In his e-mail to us, he said the students "agreed to provide the MBTA with a copy of the presentation" scheduled for the Defcon hacker conference on Sunday but never did.
A response posted Tuesday by the Electronic Frontier Foundation, which is representing the students, said MBTA "misrepresents" the situation:
After the Monday meeting, the students understood that the MBTA's concerns were resolved, and that the students were to provide a confidential vulnerability assessment by the end of the week. Contrary to the MBTA statement, the students did not believe that the MBTA wanted to see a copy of the presentation slides, and they did not agree to provide them to the MBTA.
(It is undisputed that the students--Zack Anderson, R.J. Ryan, and Alessandro Chiesa--wrote a separate analysis (PDF) for the MBTA marked "confidential" and presented it to the agency.)
Opposing parties in lawsuits often tell different stories. Human memories are imperfect. People may honestly remember the same sequence of events differently. So why is this particular dispute important?
One reason is that the judge in this lawsuit has until August 19 to renew the restraining order (by turning it into a preliminary injunction) or let it expire. Whoever can reasonably claim to have acted in good faith will have a better chance of prevailing.
It's unclear who's telling the truth; if the lawsuit continues, e-mails and spoken testimony will probably answer these questions. But it does seem likely that the MBTA requested a copy of the Defcon presentation--they knew it was scheduled; why would they not want to see it?--and never received it. The defendants would have had a very good reason for this; the slides are prepared with a hacker audience in mind and include warnings like "AND THIS IS VERY ILLEGAL!"
Oops. This is what lawyers call an "admission against interest."
Another bit of unresolved intrigue is that the MBTA told us on Monday that it wanted to meet with the students again. EFF has steadfastly refused to say whether it would consider such a meeting--making it, uncharacteristically, even less forthcoming than a bunch of government bureaucrats.
[Update: See our related story on a court hearing scheduled for Thursday in this case, and what both sides plan to ask the judge.]
The state of Massachusetts said Monday it is not prepared to abandon its lawsuit against MIT students who uncovered security vulnerabilities in Boston transit cards, even though thousands of copies of their 87-page presentation have been distributed.
A federal judge on Saturday granted the state transit authority's request for a restraining order barring the students' planned presentation at the Defcon conference. It orders them not to disclose any "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System."
The MIT students canceled their talk. But their presentation materials were handed out to Defcon attendees in the conference packet, and it has been distributed widely on the Web.
When we asked the Massachusetts Bay Transportation Authority if it would end the lawsuit as a result of the distribution, spokesman Joe Pesaturo replied: "The MBTA will reserve comment on the substance of the presentation until staff has had a sufficient period of time to thoroughly review the information, and meet with the students and their professor." Pesaturo did not respond to a followup question about whether any meeting has been set up.
The Electronic Frontier Foundation, which is providing a legal defense to the students, did not immediately respond to questions about whether a meeting has been arranged.
U.S. District Judge Douglas Woodlock granted MBTA a temporary restraining order, which under federal rules automatically expires in 10 days--meaning August 19--unless extended "for good cause."
That means MBTA needs to decide in the next week whether to try to ask Woodlock to convert his temporary order into a longer-lasting preliminary injunction.
MBTA's Pesaturo added in a separate message:
A week ago, the MBTA learned about the presentation to be made at the conference, and immediately contacted MIT. At a meeting last Tuesday involving all the parties, MIT staff and the students agreed to provide the MBTA with a copy of the presentation. After several days passed without getting any information from MIT, the MBTA had no choice but to seek assistance from a federal court judge on Friday. At 4:30 a.m. on Saturday, the presentation was finally provided to the MBTA. Staff is thoroughly reviewing the information to determine if there is any degree of substance to the claims being made by the students.
One reason the MBTA may want to proceed is that the restraining order does more than merely require the three students--Zack Anderson, R.J. Ryan, and Alessandro Chiesa--not to proceed with their presentation. It also applies to releasing "software code," which the trio had planned to post at web.mit.edu/zacka/www/subway/, but apparently never did.
During Saturday's hearing, an attorney for MBTA pointed to the students' plans to post Python code that could read magnetic cards and said: "This is not simply saying, 'We did it. Aren't we inventive?' It's also providing a tool to help accomplish this. Our understanding is that these would likely be software tools that would make it easier to analyze the cards." (An EFF attorney, on the other hand, characterized the code as general-purpose and "not tools which are targeted toward the MBTA system.")
Judge Woodlock said, according to a recording posted by Wired News, that the students acted "in contravention of best practices" and that he foresaw "no harm to defendants" in granting the restraining order. He did, however, add that "defendants are free to seek modification even before the end of the 10-day period."
LAS VEGAS -- The Defcon hacker conference ended its 16th year on Sunday, sending about 8,000 attendees home from a weekend of virus writing, discussion of Internet attacks, and general debauchery.
The highlight was most definitely the restraining order which prevented three MIT students from presenting their research on how to hack the Boston subway system. The students attended the event and even gave a news conference after the order came down on Saturday, but did not present their highly anticipated talk.
Instead, journalist and security expert Brenno de Winter took their empty spot and discussed how the cards used in transit systems in the Netherlands and London can be hacked just like the ones used in Boston. Both systems, and many around the world, use the Mifare Classic chip technology, whose cryptography was cracked by researchers last year.
Defcon founder Jeff Moss, alias "Dark Tangent"
(Credit: Elinor Mills/CNET News)
"I was advised by several lawyers not to go into details of the Mifare Classic, but anybody who has access to Google...," de Winter said.
Breaking the rules is always a theme at Defcon, but while irreverence for established corporate and government protocols is condoned if not exactly encouraged, breaking Defcon rules definitely has its consequences. Defcon officials said they were considering banning film crews from future events after ejecting a team from the G4 cable network on Saturday for allegedly videotaping a crowd. Photographers and videographers are required to get permission to shoot anyone, even from behind, and are forbidden from shooting crowds.
There was a report that police were called in to investigate a Windows-based kiosk that was hacked to display pornographic images in the lobby. And the usual rowdiness and late-night drinking were a nightly, if not daily, activity. However, things did not seem to reach the level of tomfoolery they did in the early and mid-1990s when elevators were hacked and cement was poured down toilets. Of course, many of the script kiddies from that era are now married with children.
There were, of course, a range of sessions, including ones on evaluating the risks of "good viruses," hijacking outdoor billboard networks, and compromising Windows-based Internet kiosks.
Members of SecureState, a company that does penetration testing of corporate networks, gave a live demo in one session of an automated attack on a Microsoft SQL Server-based computer that left the machine vulnerable to attackers installing viruses and other malware. The team used new tools they are offering for download, SA Exploiter and Fast-Track.
One of the more controversial events at the conference was a "Race to Zero," in which teams modified samples of viruses and tested them against antivirus software. Four teams managed to complete all the levels and get through the antivirus software.
There were less technical contests as well. "Mike" from Chicago won $3,000 for spending 30 straight hours listening to pitches and marketing buzz from security company Configuresoft and correctly answering questions on periodic quizzes on the presentations. After the announcement, he jumped out of his seat with his arms in the air. Asked how he felt, Mike, who declined to give a last name, said he "felt smelly."
The contest, called "Buzzword Survivor," was not without scandal. Several contestants claimed--and submitted a cell phone photo as evidence to organizers--that one of the contestants had fallen asleep at one point. However, he was allowed to remain in the contest and made it to the very end with all the others, winning $200. The second prize was $1,000.
Gartner analyst Paul Proctor came up with the idea on a whim. It was originally intended to have 10 contestants competing for 36 hours for a $10,000 prize, but the prize was reduced when only one sponsor stepped up.
The contestants had 10-minute breaks every hour, but otherwise were in their seats listening to detailed talks about the company, its products, and the industry.
"We've submitted them to pain," Andrew Bird, a Configuresoft vice president, who served as MC at the end of contest, said mischievously. "We played recorded Webinars at 4 a.m."
MIT students Alessandro Chiesa, R.J. Ryan, Zack Anderson, and Electronic Frontier Foundation staff attorney Kurt Opsahl speak at a panel turned press conference at Defcon.
(Credit: Declan McCullagh/CNET News)
LAS VEGAS--A federal judge on Saturday granted the Massachusetts transit authority's request for an injunction preventing three MIT students from giving a presentation about hacking smartcards used in the Boston subway system.
The Electronic Frontier Foundation, which is representing the students, anticipates appealing the ruling, said EFF senior staff attorney Kurt Opsahl.
The undergraduate students had been scheduled to give a presentation Sunday afternoon at the Defcon hacker conference here that they had said would describe "several attacks to completely break the CharlieCard," an RFID card that the Massachusetts Bay Transportation Authority uses on the Boston T subway line. They also planned to release card-hacking software they had created, but canceled both the presentation and the release of the software.
U.S. District Judge Douglas Woodlock on Saturday ordered the students not to provide "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System." Woodlock granted the MBTA's request after a hastily convened hearing in Massachusetts that took place at 8 a.m. PDT on Saturday.
EFF staff attorney Kurt Opsahl said that the temporary restraining order is "violating their First Amendment rights"; another EFF attorney said a court order pre-emptively gagging security researchers was "unprecedented."
EFF attorneys appeared with the three students--Zack Anderson, R.J. Ryan, and Alessandro Chiesa--in front of a crowd of hundreds at an afternoon session at Defcon, but largely prevented them from answering questions, citing the lawsuit. Although Sunday's talk is canceled, Defcon organizers hinted that there may be a related presentation on a similar topic.
First page of subway-hacking presentation that was the subject of an injunction to stop its distribution--after it had already been distributed.
The students told reporters that they had, on their own, asked their professor to initiate contact with the MBTA a week before the government agency contacted them on July 30 or July 31. But the process was delayed because professor Ron Rivest was at a security conference near San Francisco, and no contact with MBTA was made at the time.
But then the conversations took a hostile turn when MBTA mentioned an FBI criminal investigation of the MIT students. In the "initial contact, they said the FBI was investigating and that was not--we didn't find that to be a very pleasing way to start a nice dialogue with them. And we got a little concerned about what was happening," said Anderson, one of the students.
EFF's Opsahl said the students only intended to "provide an interesting and useful talk, but not one that would allow people to defraud the Massachusetts" government.
The MBTA, which is a state government agency, alleges in its lawsuit that "disclosure of this information will significantly compromise the CharlieCard and CharlieTicket systems" and "constitutes a threat to public health or safety."
Its suit asks a judge to order the students "from publicly stating or indicating that the security or integrity of the CharlieCard pass, the CharlieTicket pass, or the MBTA's Fare Media systems has been compromised." The requested order would also prevent them from circulating the summary of their talk, from providing any technical information, and from distributing any software they created.
That could be difficult to enforce. Every one of the thousands of people here who registered for Defcon received a CD with the students' 87-page presentation titled "Anatomy of a Subway Hack." It recounts, in detail, how they wrote code to generate fake magcards. Also, it describes how they were able to use software they developed and $990 worth of hardware to read and clone the RFID-based CharlieCards.
Those CDs were distributed to conference attendees starting Thursday evening, meaning the injunction arrived nearly two days late. (On the other hand, the source code to the utilities--not included on the CD--was removed from web.mit.edu/zacka/www/subway/ by Saturday morning.)
Court documents filed by MBTA suggest that representatives of the transit agency tried to pressure the students into halting their talk. During a meeting with the students and MIT professor Ron Rivest on Monday, MBTA Deputy General Manager for Systemwide Modernization Joseph Kelly unsuccessfully tried to obtain a copy of their planned presentation. Kelly spoke with Rivest again on Friday. (There was initial confusion about whether the meeting was Monday or Tuesday.)
Chiesa, Ryan, and Anderson at an Electronic Frontier Foundation panel.
(Credit: Declan McCullagh/CNET News)
A representative of the Defcon convention, who asked that her name not be used, said that the students submitted their PowerPoint presentation at least a month ago. The presentation says--not-so-presciently--"what this talk is not: evidence in court (hopefully)." It also says: "THIS IS VERY ILLEGAL! So the following material is for educational use only."
In addition, what looked like a black-and-white faxed copy of the entire presentation was entered as evidence in court records that were publicly available on the Web on Saturday, meaning any attempt to limit its distribution further will encounter an additional hurdle.
Also released as part of the public record was a document marked "confidential" and written by the researchers (PDF) that explains exactly how the Charlie cards can be cloned and forged. "Our research shows that one can write software that will generate cards of any value up to $655.36," the document says.
The document also discusses the lack of physical security at the MBTA. "Doors were left unlocked allowing free entry in many subways," the document says. "The turnstile control boxes were unlocked at most stations. Most shocking, however, were the FVM control rooms that were occasionally left open."
One portion of the MBTA's legal complaint that drew jeers from the Defcon crowd came in its odd claim that "A CharlieTicket standing alone constitutes a 'computer'" under federal antihacking law.
This isn't the first time speakers at security conferences have been hauled into court by companies seeking to muzzle them.
In 2005, Cisco Systems filed a lawsuit against security researcher Michael Lynn hours after he gave a talk at Defcon on how attackers could take over Cisco routers. The case was ultimately settled. Four years earlier, the FBI took Russian crypto expert Dmitry Sklyarov into custody at his Las Vegas hotel one day after he gave a presentation at Defcon on insecurities in e-book security software.
Another excerpt from the presentation distributed to thousands of Defcon attendees on CDs.
Princeton University computer science professor Ed Felten and his co-authors received legal threats from the recording industry involving a planned talk at a Pittsburgh security conference--but pulled the paper from the event, even though no lawsuit materialized.
Research into flaws in the encryption of the Mifare Classic cards, which are used by the MBTA, landed Dutch researchers in court recently. NXP sued to block a Dutch university from publishing information about vulnerabilities in the encryption used in the RFID cards around the world. Last month, a court ruled that the university could publish the information.
Karsten Nohl, a University of Virginia graduate student who worked with others to break the Mifare Classic crypto algorithm last year, said MBTA should not have sued researchers who voluntarily discussed their findings with them.
"It has been known for years that magnetic stripe cards can easily be tampered with and MBTA should not have relied on the obscurity of their data-format as a security measure," Nohl said. "MBTA made it clear that they are not interested in cooperating with researchers on identifying and fixing vulnerabilities, but their lawsuit will motivate more research into the security of Boston's public transport system."
MIT's student newspaper has posted a copy of the presentation that was distributed on Defcon CDs and the subject of the court order.
In the video clip below, MIT student Zack Anderson tells reporters how he felt when he learned about the lawsuit filed by the MBTA. The lawsuit was filed a few days after he had met with the agency to discuss concerns about his talk at Defcon. He is with fellow MIT students R.J. Ryan and Alessandro Chiesa and EFF attorney Marcia Hofmann, who was advising the students about what they could say in light of the temporary restraining order against them.
(Credit: Elinor Mills)
CNET News.com's Elinor Mills contributed to this report.
[Note: This story was updated at 12:05 p.m. PDT to reflect that a temporary restraining order was issued. It was again updated at 1:30 p.m. PDT with more details from documents on how the hacks can be done, and at 4:30 p.m. with a report from the EFF press conference and 6:15 p.m. with video.]
One of the many rooms at the Defcon hacker conference. The large screen in the upper right is Buzzword Survivor, where contestants stare at execrable vendor pitches for 30 hours straight--to share in a $5,000 prize.
(Credit: CNET News.com/Declan McCullagh)
Updated Saturday with change in prize for "Buzzword Survivor" winners.
LAS VEGAS--At the Defcon hacker conference, which opened on Friday, some of the biggest buzz was in the press room.
Three journalists who allegedly sniffed the network in the press room were ejected from Defcon's sister event, the Black Hat security conference, on Thursday. On Friday, the journalists, with Global Security Magazine in France, asked to hold a news conference at Defcon to tell their side of the story. But when the hour arrived, the men were nowhere to be seen.
A press liaison for Defcon said the men, Marc Brami, Dominique Jouniot, and Mauro Israel, had called and canceled shortly before the scheduled hour.
An FBI agent who was at the event to speak on the "Meet the Feds" panel said he had sent the information about the case to the local FBI office in Las Vegas.
"Because of the nature of this, involving (citizens) from another country, it might be sent to the Computer Crime and Intellectual Property Department at the Justice Department," James Finch, assistant director for the FBI's cyberdivision, told CNET News. "I would assume that we'd bring it to the State Department, too."
While the brouhaha was the topic of conversation in the press room, a world of software and hardware hacking and events was unfolding in the Riviera conference center all around.
In one popular two-hour session, security researchers explained how to make a fake key out of a credit card that can open certain types of Medeco M3 locks.
Other sessions focused on the security issues with social networks, exploiting Google gadgets, and medical identity theft, among many other topics.
Out in the halls and side rooms, hackers were involved in a wild assortment of activities that would make any rational network administrator shudder. One of the most controversial is a "Race to Zero" contest in which contestants modify sample viruses and throw them at antivirus products to see if they are detected.
The Defcon badges themselves are works of art and hackable electronic devices. Attendees are encouraged to come up with the most ingenious and "obscene" badge modifications as part of an official contest.
Then there's the CoffeeWars event where people can have their best coffee selections judged, a Guitar Hero contest, Hacker Jeopardy, a TCP/IP drinking game, lock-picking contests, a Toxic BBQ, an area called "Queercon," and a Defcon shoot at a private range (often with fully automatic weapons, as Nevada law permits).
Outside the event and up in the air a specially rigged weather balloon was launched to demonstrate airborne surveillance, and a van set up as a mobile hacker space was on display.
The show, typically not vendor-oriented, also had a "Buzzword Survivor" event in which 10 people signed up to listen to 30 straight hours of vendor pitches. Whoever lasts through all that marketing speak will share a $5,000 prize. (The original prize of $10,000 was lowered after the organizers failed to get enough sponsors, a Defcon spokesman and event judge said.) Oddly, non-contestants were also sitting in.
Security experts Tobias Bluzmanis, Marc Weber Tobias, and Matt Fiddler speak at Defcon about creating fake keys to high-security locks with credit cards.
(Credit: CNET News.com/Declan McCullagh)
LAS VEGAS--Don't have special lock-picking skills or equipment but want to pick a high-security lock?
A security researcher explained at the Defcon hacker conference here how to make a fake key out of a credit card that can open certain types of Medeco M3 locks used in the White House, Pentagon, and high-security areas around the world.
You need to make a picture of a legitimate key to have an image to transpose onto the plastic, which means an insider or someone with access to the key would need to cooperate, said Marc Weber Tobias, a lawyer who has written a book about breaking into high-security Medeco locks called Open in Thirty Seconds.
Basically, someone could grab an image of the key with a camera, cell phone, copy machine or scanner, print the image on a label or sheet of plastic, and cut along the outline with an X-Acto knife.
"Everybody has known about this forever with conventional locks, like Kwikset," Tobias said. "But high-security locks advertise that they have key control, especially Medeco."
Medeco claims they have key control for the high-security locks, which means control of the ability to duplicate or simulate keys with blanks, and only authorized locksmiths are supposed to be able to make duplicates, he said. "We've shown that's all out the window," he said.
More complex cylinder configurations in the Medeco locks will require extra steps, he said.
"So we've demonstrated the ability to simply make keys for this particular high-security lock," Tobias said of a recent live demonstration. "We didn't have to break the cylinder; we were able to look at pictures that were e-mailed to us and determine the angles on the key."
Potentially millions of high-security locks are at risk, according to Tobias. The technique does not work on other types of high-security locks; Medeco locks have an integrated design that makes the technique relatively easy, he said.
A Medeco spokesman did not return an e-mail seeking comment.
Medeco executives have previously complained about Tobias disclosing vulnerabilities with the locks to the public, even though Tobias had contacted the company as well. Tobias and other security researchers defend their actions in publicly disclosing flaws, saying that if they didn't do so the vendors wouldn't fix the products.
Tobias, and the Lock Picking Village organizers, were also showing their skills at the Last HOPE hacker conference in New York last month.
During the first part of the presentation, the panelists criticized the standards that apply to high-security locks, saying that they were not broad enough to encompass the range of possible picking and breaking attacks. In other words, a lock could be perfectly standards-compliant--but able to be bypassed in under a minute.