DEFCONstitution
by Paul McGoldrick
The weight MIT gives to research shows in its enrollment: roughly 4,000 undergraduates to 6,000 graduate students. Staying on for those research years also pays handsomely: 2007 graduates leaving for industry averaged $61,620 with a BS and $85,454 with a Master of Engineering.
Some industries, however, find certain MIT research less than welcome in their own back yards; we have noted on these pages before how the gaming industry was less than thrilled by two separate MIT projects that set out to relieve casinos, legally, of some of their profits at the blackjack tables.
It is curious, therefore, that Las Vegas should again be the place where MIT research became an issue, this time in court.
This past weekend, August 8–10, 2008, saw the annual gathering of computer hackers, together with some of the best-known security experts in the world, at a conference known this year as DEFCON 16, “Real Time Social Networking for Ninjas.” The event has become a showcase for the weaknesses discovered in virtually every kind of machine that uses electrical power. This year kicked off with a “Spiders Are Fun” party, and you could have attended sessions such as “Satan is on my Friends List: Attacking Social Networks,” or “Could Googling take down a President, Prime Minister, or an Average Citizen?”
But one session was not heard. MIT students Zack Anderson, Alessandro Chiesa, and Russell Ryan were all set to present a paper entitled “The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems.” A not-dissimilar paper on the vulnerabilities of mass transit in Belgium went ahead without challenge, but the Massachusetts Bay Transportation Authority, the subject of the MIT research, was less than happy. Once the MBTA got wind of the presentation, which said it would release the open-source tools the team had used to attack the Boston T, it tried to have the talk modified, particularly over the prospect of live demonstrations of “how we broke these systems.”
No compromise was reached, and the MBTA filed suit against the three researchers and MIT itself, the latter because the Authority felt the university had condoned the research; the complaint snidely noted that the Institute would never have permitted such work against its own security systems. Disclosure of the work, the MBTA argued, would "harm the overall functioning of the MBTA's transit services."
The suit charged that the three researchers and MIT had violated the Computer Fraud and Abuse Act, alleging that the MBTA had been defrauded. A US District Judge sided with the MBTA and issued a restraining order, so from Saturday, August 9, the students were barred from providing information that might assist anyone in abusing the transit system.
Unfortunately for the judge, and for the MBTA, they obviously have not been to any conferences in recent years, at least not to any where technology is understood. On registering for DEFCON 16 (cash only, $120, from everybody; they don't want State or Federal fishing expeditions) on Thursday, August 7 or Friday, August 8, probably, you would have found a CD in your package of materials. On that CD (all 7,000 copies of it) are all the presentations, including, of course, the one from MIT. And, of course, it is now available on the web as well. A great bit of publicity to highlight your own security failings, MBTA!
Surely this is a blatant violation of First Amendment rights, a restraint on the dissemination of civilian research? If the MBTA believes that the MIT team used what they learned about the holes in its ticketing system to ride for free, it should be charging them under the criminal statutes for theft. If it does not believe that, it should be spending its energy not on lawsuits but on getting its chickens back in the coop, because the foxes are already on their way.
The Electronic Frontier Foundation (EFF) has agreed to represent the MIT team in the court proceedings to come, seeking relief from the order.
I had intended to close this piece by revealing the winners of the “Badge Hacking Contest” and the “Beverage Cooling Contraption Contest,” but a warning in the DEFCON FAQ says far more about the attendees:
“Q: Is there a free network at DEFCON?
A: Yes. It would be fair to describe the network as ‘hostile.’ It has been described as ‘the world's most hostile network,’ but such descriptions are just attempts at flattery. It is recommended that if you want to connect to the DEFCON network pretend that you are sharing out your entire hard drive to 5,000 hackers. You may want to bring a ‘clean’ computer that you don't mind being infected/hacked/etc.”