(my old Charlie Card, in my new apartment)
Well, I’ve been a DC resident for almost 24 hours now, and still my curiosity is drifting back up to Boston once again.
Universal Hub reports today that the MBTA is suing to prevent three MIT students – Zack Anderson, Russell Ryan, and Alessandro Chiesa – from giving a lecture at DefCon, a hacker convention in LA, on how to crack the Charlie Card.
The complaint (PDF).
The implications stretch beyond the MBTA – the Charlie Card is a MiFare Card, with a special proprietary encryption built on top. A Dutch group already showed the world how to “crack” the MiFare card earlier this year. These cards are used worldwide, in a variety of transportation and security settings.
As of today, the restraining order was filed and the talk for this weekend was canceled. But I would not say the MBTA won by any stretch. The students got the attention of the Electronic Frontier Foundation, who have now begun advising the students, and one of the documents filed by the court friday includes a detailed vulnerability assessment (PDF) given to the MBTA by the students. By submitting it, it is now on public record, where you can learn such things as:
a) value for Charlie Cards is stored on the card, not in a centralized database
b) anyone that has a card can read it and write value on it
c) not cryptographic signature is used on the card
d) the MBTA do not use any central card verification database
I am reminded of a famous DMCA case from a few years ago: Edward Felten, bright professor of computer science at Princeton, responded to a challenge in 2000 issued by the Secure Digital Music Initiative, a group of IT and music specialists that had developed a watermarking system for marking digital music files. SDMI offered a cash prize for breaking the system they had developed, but insisted that findings be sent to them confidentially. Felten and a group of students broke the watermark (allegedly in a matter of hours) and opted to present their findings to a IT conference, declining the cash prize. Upset at this, SDMI and the RIAA threatened to sue Felten under a DMCA anti-circumvention claim, and Felten decided to wait on presenting the paper. Up until this point, this sounds an awful lot like the case between the MBTA and the MIT students.
But consider how the story ends: the Electronic Frontier Foundation sued these groups under a First Amendment claim, though the case was dismissed due to lack of standing. Felten did end up presenting his work at the USENIX conference in 2001, and the Justice Department issued a statement saying that the DMCA does not threaten the work of those that research digital security.
While there are some clear tactical blunders from the students (putting “want free subway rides for life?” in the lecture description did erode some of their academic claims), in the end I see their work as quite similar to Felten’s, and should be presented and protected. Naturally, while the SDMI watermark was a theoretical exercise, the MBTA Charlie Cards are qutie real, and what Anderson, Ryan, and Chiesa are doing would illustrate a clear theft of services. However, if not these three, someone else will no doubt discover what these students did. Perhaps their discovery won’t be brought up in a scholarly setting to be reviewed and critiqued, but rather simply implemented at great cost to the T. Where does the MBTA stand then?
As Mr. Universe says in Serenity, “You can’t stop the signal.” This information will be available, be it in a matter of days or of years. Rather than squelch those that seek to make the world aware of it, perhaps the MBTA could re-appropriate funds from the Legal office to research some of the clear suggestions the students made.
