Re: Judge approves TRO to stop DEFCON presentation
Jim Youll wrote:

these have been circulating for hours, but they are content-free title slides...

On Aug 9, 2008, at 7:38 PM, Ivan Krstić wrote:

On Sat, 09 Aug 2008 17:11:11 -0400, Perry E. Metzger [EMAIL PROTECTED] wrote:

Las Vegas - Three students at the Massachusetts Institute of Technology (MIT) were ordered this morning by a federal court judge to cancel their scheduled presentation about vulnerabilities in Boston's transit fare payment system, violating their First Amendment right to discuss their important research.

http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

There's also the synopsis as an exhibit to the case found in the Wired article. Note the recommendations for corrective action are familiar from the previous reported weaknesses to the MIFARE system.

http://blog.wired.com/27bstroke6/2008/08/injunction-requ.html
DefCon: Boston Subway Officials Sue to Stop Talk on Fare Card Hacks -- Update: Restraining Order Issued; Talk Cancelled

http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf
Vulnerability Assessment of the MTBA System (Exhibit 1 to Case 1:08-cv-11364-GAO).

A report on the Dutch Public Transit Card:
http://staff.science.uva.nl/~delaat/sne-2006-2007/p41/report.pdf

Recently updated Dutch information by Andy Tanenbaum:
http://www.cs.vu.nl/~ast/ov-chip-card/

The fellows at Radboud University Nijmegen:
http://www.ru.nl/ds/research/rfid/
(Where we'll probably be able to find the Esorics 2008 presentation, 'Dismantling MIFARE Classic', in October.)

I'd imagine there is sufficient information available to replicate the attack, there's info on the MIFARE Classic cryptographic algorithm.

http://www.cs.virginia.edu/~kn5f/pdf/Mifare.Cryptanalysis.pdf
http://www.cs.virginia.edu/~kn5f/pdf/OV-card_security.pdf

Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic
http://eprint.iacr.org/2008/166.pdf

Security Evaluation of the disposable OV-chipkaart v1.7 updated 13 April 08
http://staff.science.uva.nl/~delaat/sne-2006-2007/p41/Report.pdf
(which has a description of the memory structure found on the cards as well as a lot of useful protocol information.)

And the Translink Netherlands report on why disclosure doesn't matter:
http://www.translink.nl/media/bijlagen/nieuws/TNO_ICT_-_Security_Analysis_OV-Chipkaart_-_public_report.pdf
(translation: security through obscurity? still obscure enough)

And of course we've seen the Radboud video link found on Youtube:
http://www.youtube.com/v/NW3RGbQTLhEhl=en

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Judge approves TRO to stop DEFCON presentation
On Aug 9, 2008, at 8:46 PM, Jim Youll wrote:

these have been circulating for hours, but they are content-free title slides...

[Moderator's note: I've read them and they're far from content free. They give you a recipe for doing things like rewriting the mag stripes on stored value cards to give you arbitrary balances, and they even include actual examples.]

Apologies to all. It's a UI issue with the PDF reader I was using and the layout of the PDF file. Pages other than the title slides are obscured and it's not clear they're even present (the pages are readily visible in Acrobat Reader).
Re: Judge approves TRO to stop DEFCON presentation
On Sat, 09 Aug 2008 19:38:45 -0400 Ivan Krstić [EMAIL PROTECTED] wrote:

On Sat, 09 Aug 2008 17:11:11 -0400, Perry E. Metzger [EMAIL PROTECTED] wrote:

Las Vegas - Three students at the Massachusetts Institute of Technology (MIT) were ordered this morning by a federal court judge to cancel their scheduled presentation about vulnerabilities in Boston's transit fare payment system, violating their First Amendment right to discuss their important research.

http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

And the vulnerability assessment they prepared -- filed by the MBTA in court, and hence a matter of public record -- is at http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Judge approves TRO to stop DEFCON presentation
On Sat, 09 Aug 2008 17:11:11 -0400, Perry E. Metzger [EMAIL PROTECTED] wrote:

Las Vegas - Three students at the Massachusetts Institute of Technology (MIT) were ordered this morning by a federal court judge to cancel their scheduled presentation about vulnerabilities in Boston's transit fare payment system, violating their First Amendment right to discuss their important research.

http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

--
Ivan Krstić [EMAIL PROTECTED] | http://radian.org
Re: Judge approves TRO to stop DEFCON presentation
these have been circulating for hours, but they are content-free title slides...

[Moderator's note: I've read them and they're far from content free. They give you a recipe for doing things like rewriting the mag stripes on stored value cards to give you arbitrary balances, and they even include actual examples. Also, Please Don't Top Post. Please cut down quoted material to just the important content, too. -Perry]

On Aug 9, 2008, at 7:38 PM, Ivan Krstić wrote:

On Sat, 09 Aug 2008 17:11:11 -0400, Perry E. Metzger [EMAIL PROTECTED] wrote:

Las Vegas - Three students at the Massachusetts Institute of Technology (MIT) were ordered this morning by a federal court judge to cancel their scheduled presentation about vulnerabilities in Boston's transit fare payment system, violating their First Amendment right to discuss their important research.

http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

--
Ivan Krstić [EMAIL PROTECTED] | http://radian.org