There is something most troubling in the email exchange between Electronic Frontier Foundation lawyer Jennifer Granick and MBTA attorney Ieuan Mahony, posted by News.com. The essence is that MBTA itself included the MIT students’ confidential report (PDF) to MBTA on the security weaknesses as an exhibit in its complaint, and that report is now a public document.
The students identify the problems:
- Value is stored on card not in a central database
- Anyone with a card can read and write to it
- No crypto signature algorithm
- No centralized card verification
According to the email exchange, EFF warned MBTA that by including the report in its court filing MBTA – not the students – had exposed a critical bit of information on how to hack the cards. “We strongly urge you to take emergency measures to have it removed expeditiously,” EFF’s Granick wrote on Saturday afternoon.
The MBTA’s response, from an email by Mahony:
[...] The MBTA’s evaluators do not assess the risk of this information at the level you set in your email. The MBTA, with vendor support, has begun work on internal responses to the potential security risks at issue. It is our view that an internal, technical and personnel response is the best long-term solution. Accordingly, we do not share your view that legal “emergency measures” are required.
So the situation that the judge must consider this morning: the students confidentially alerted MBTA to a specific, critical vulnerability; they withheld that information from their presentation; MBTA, perhaps unwittingly, made the document public in its request for a TRO; MBTA was alerted to the danger that it – not the students – had created; and it concluded that getting the document removed from the public record was not worth the effort.
Now you be the judge. How would you view MBTA’s demand for a permanent injunction?
----------------------------
Wow. Not only did the MBTA help destroy any "bag" that was holding the cat... they helped it mate and delivered its offspring... lol
These MBTA guys are well beyond their scope of understanding... with this useless TRO.
This now public security report includes checksum details required to forge CharlieTickets:
