Sunday, August 10, 2008

Classified National Security info OK, farecard details not so much

Publishing it, that is.

Apologies to both of my readers for dropping the ball on this one (you need to get all your internet security info via Insty!).

Seems you can publish the Pentagon Papers, or information about US monitoring of terrorist SWIFT financial transactions, but not a technical presentation about security weaknesses in the Boston subway "smart" farecard?
A federal judge on Saturday granted the Massachusetts transit authority's request for an injunction preventing three MIT students from giving a presentation about hacking smartcards used in the Boston subway system.
But wait - it gets better!
But then the conversations took a hostile turn when MBTA mentioned an FBI criminal investigation of the MIT students.
As always, the clueless government flack offers up a nonsensical justification:
The MBTA, which is a state government agency, alleges in its lawsuit that "disclosure of this information will significantly compromise the CharlieCard and CharlieTicket systems" and "constitutes a threat to public health or safety."
Health and Safety? Wow - this is maybe the first security vulnerability ever to threaten public health and safety. Unless you're talking about the health of the Mass.Gov's revenue stream:
"Our research shows that one can write software that will generate cards of any value up to $655.36," the document says.
Ah.

So, the Mass.Gov hires some lame company to create a farecard system. Company screws up the design of the system, which has all the security integrity of Swiss cheese. Smart students find the problem, and publish. Gov threatens them with the Federales.

Let's look at the Massachusetts lefties. You know the ones I'm talking about: the ones who complain about the "illegal" NSA wiretaps. The reasoning goes like this:
  1. NSA listens to phone calls from one guy outside of the USA to another guy outside the USA.
  2. Because the phone call is routed through the USA, the terrorists now have Fourth Amendment protections.
Let's play the "Word Substitution Game." Replace "MBTA" with "DoD" and "Farecard system" with "terrorist monitoring", and see who squawks:
A federal judge on Saturday granted the Defense Department's request for an injunction preventing three MIT students from giving a presentation about a classified terrorist monitoring system.
So here's your chance, MassLibs. Stick up for the First Amendment, student protest, and "up the system".

Or. Shut. Up.

UPDATE 10 August 2008 10:42: Via Slashdot, news that the MIT Student Newspaper has put the students' DEFCON presentation on-line. Good for them.

Also, for those of you who think that these kids are skating on the Black Hat side of things, they're working with their professor, Ron Rivest, who is one of the big names in computer security. The Mass.Gov screwed up, and is trying to cover their butts via the court system. Remind you of anything?

UPDATE 10 August 2008 16:49: Digital Soapbox linked from an information-rich post. If you're at all interested in ways to keep this sort of thing from happening again, check it out.
