Monday, 11 August 2008 04:09

US District Judge bans Defcon 16 security exploit speech

A Judge has granted a restraining order against three students who were due to present a talk detailing vulnerabilities in the electronic ticketing system of the Massachusetts Bay Transportation Authority at the Defcon 16 hacker conference over the weekend...

The annual Defcon security and hacking conference can pretty much be guaranteed to cause some kind of media stir, usually down to the nature of the exploits demonstrated by 'security researchers' during the event.

Defcon 16, however, is unique as far as I can tell in that the big controversy is about a demonstration that did not happen.

On Friday, the Massachusetts Bay Transportation Authority filed a legal suit in a federal court to get a temporary restraining order preventing a bunch of Massachusetts Institute of Technology students from detailing security vulnerabilities in the mass transit system ticketing technology.

The filing sought to prevent the students from 'publicly stating or indicating' that electronic passenger tickets were compromised until such time as the transportation authority had a chance to fix those same flaws. The argument was that the transit system would otherwise be irreparably harmed.

Zack Anderson, Alessandro Chiesa and RJ Ryan were to give their talk "The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems" on Sunday. This would have discussed how they reverse engineered the fare collection system, specifically the magnetic stripe on tickets as well as the smartcard ticket used in Massachusetts.

However, District Judge Douglas P. Woodlock granted the temporary restraining order preventing them from giving the speech and demonstration. In fact, the order prevents them from disclosing any information that could be used by others to get a free subway ride for a period of ten days.

The Electronic Frontier Foundation, which is representing the students, has described the decision as "an illegal prior restraint on legitimate academic research in violation of the First Amendment" and goes on to warn that "squelching research and scientific discussion won't stop the attackers."

Zack Anderson says "We wanted to share our academic work with the security community and had planned to withhold a key detail of our results so that a malicious attacker could not use our research for fraudulent purposes. We're disappointed that the court is preventing us from presenting our findings even with this safeguard."

The daft thing is that the kind of vulnerabilities that were to be discussed are fairly well known within both the security research and hacking communities. Indeed, the vacant Defcon speaking slot was quickly filled by a Dutch security consultant.

His topic? Vulnerabilities in transit fare cards...
