This story appeared on Network World at

This story appeared on Network World at
http://www.networkworld.com/columnists/2008/081108bradner.html

Transit officials don't understand publicity or security

'Net Insider By Scott Bradner , Network World , 08/11/2008

Imagine you work for the transportation authority in a major U.S. city. Your organization deployed a fare collection system over the last few years that uses both prepaid mag stripe and prepaid RFID-based fare cards. Now imagine that one of your suppliers points out the agenda of a security conference where someone is going to give a talk whose description starts out with: "Want free subway rides for life?" The description goes on to say that the talk will show how to break your new fare cards. What would you do?

If you worked for the Massachusetts Bay Transportation Authority (MBTA) you might freak out and start throwing lawyers. In fact, that is what just happened. (See "Massachusetts transit agency sues to stop hacker talk".)

I suppose there could be dumber things to do in this circumstance, but it might take a while to think of one. Actually, you could sue after the slides for the presentation had already been distributed to the 7,000 or more conference attendees and you could append a copy of a white paper covering the talk, thus making it a public document.

It would help if you were somewhat clueless about security and did not know that the underlying RFID technology your fare card uses had been broken earlier this year and the cat was well out of the bag. (See "Hacker trio finds a way to crack popular smartcard in minutes".)

By suing, the MBTA has ensured maximum attention to the fact that their fare cards are breakable and cloneable. If they had ignored the situation the story would have likely received almost no coverage because there was little new in it. The security community already knew that the MBTA RFID cards used the discredited Mifare Classic RFID and there would have been little interest in yet another example of breaking a technology that had already been broken. One thing that was not well known was that the mag stripe card was poorly designed from a security perspective. The MBTA's lawsuit has ensured that the poor design will now be known by tens of thousands, if not hundreds of thousands more people than would have found out if the talk had gone ahead.

The MBTA defaulted to the common but dumb idea that if security flaws are hidden they will not be exploited. This never works in the long run and is counter to more than 100 years of the understanding of security. (see "FCC ignores more than 100 years of wisdom".)

One can excuse the MBTA for doing what it did -- the people involved were unlikely to have the faintest idea about either the effect of calling attention to the talk by suing or the futility of trying to hide security flaws. It's harder to excuse the judge granting the MBTA's request for an injunction (something that did not happen when the makers of the Mifare Classic chips tried to block Dutch researchers disclosing their research into vulnerabilities in the technology.)

It's also hard to excuse the makers of these cards not understanding that they would get far better security if they asked for public review of their technology -- the 6-bit checksum on the mag stripe fare card would not have survived five minutes of such review. Sadly, there is no empirical evidence that such companies learn anything from experience.

Disclaimer: Places such as Harvard University endeavor to get students to learn without having to experience absolutely everything but the above discussion represents my opinion, not the university's.