Re: Judge approves TRO to stop DEFCON presentation
Jim Youll wrote:
> these have been circulating for hours, but they are content-free title slides...
>
> On Aug 9, 2008, at 7:38 PM, Ivan Krstić wrote:
>> On Sat, 09 Aug 2008 17:11:11 -0400, Perry E. Metzger [EMAIL PROTECTED] wrote:
>>> Las Vegas - Three students at the Massachusetts Institute of Technology (MIT) were ordered this morning by a federal court judge to cancel their scheduled presentation about vulnerabilities in Boston's transit fare payment system, violating their First Amendment right to discuss their important research.
>>
>> http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

There's also the synopsis as an exhibit to the case, found in the Wired article. Note the recommendations for corrective action are familiar from the previously reported weaknesses in the MIFARE system.

http://blog.wired.com/27bstroke6/2008/08/injunction-requ.html
DefCon: Boston Subway Officials Sue to Stop Talk on Fare Card Hacks -- Update: Restraining Order Issued; Talk Cancelled

http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf
Vulnerability Assessment of the MTBA System (Exhibit 1 to Case 1:08-cv-11364-GAO).

A report on the Dutch Public Transit Card:
http://staff.science.uva.nl/~delaat/sne-2006-2007/p41/report.pdf

Recently updated Dutch information by Andy Tanenbaum:
http://www.cs.vu.nl/~ast/ov-chip-card/

The fellows at Radboud University Nijmegen:
http://www.ru.nl/ds/research/rfid/
(Where we'll probably be able to find the ESORICS 2008 presentation, 'Dismantling MIFARE Classic', in October.)

I'd imagine there is sufficient information available to replicate the attack; there's info on the MIFARE Classic cryptographic algorithm.
http://www.cs.virginia.edu/~kn5f/pdf/Mifare.Cryptanalysis.pdf
http://www.cs.virginia.edu/~kn5f/pdf/OV-card_security.pdf

Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic
http://eprint.iacr.org/2008/166.pdf

Security Evaluation of the disposable OV-chipkaart v1.7, updated 13 April 08
http://staff.science.uva.nl/~delaat/sne-2006-2007/p41/Report.pdf
(which has a description of the memory structure found on the cards as well as a lot of useful protocol information.)

And the Translink Netherlands report on why disclosure doesn't matter:
http://www.translink.nl/media/bijlagen/nieuws/TNO_ICT_-_Security_Analysis_OV-Chipkaart_-_public_report.pdf
(translation: security through obscurity? still obscure enough)

And of course we've seen the Radboud video link found on YouTube:
http://www.youtube.com/v/NW3RGbQTLhEhl=en

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Judge approves TRO to stop DEFCON presentation
On Aug 9, 2008, at 8:46 PM, Jim Youll wrote:
> these have been circulating for hours, but they are content-free title slides...

[Moderator's note: I've read them and they're far from content free. They give you a recipe for doing things like rewriting the mag stripes on stored value cards to give you arbitrary balances, and they even include actual examples.]

Apologies to all. It's a UI issue with the PDF reader I was using and the layout of the PDF file. Pages other than the title slides are obscured and it's not clear they're even present (the pages are readily visible in Acrobat Reader).
Re: Judge approves TRO to stop DEFCON presentation
On Sat, 09 Aug 2008 19:38:45 -0400 Ivan Krstić [EMAIL PROTECTED] wrote:
> On Sat, 09 Aug 2008 17:11:11 -0400, Perry E. Metzger [EMAIL PROTECTED] wrote:
>> Las Vegas - Three students at the Massachusetts Institute of Technology (MIT) were ordered this morning by a federal court judge to cancel their scheduled presentation about vulnerabilities in Boston's transit fare payment system, violating their First Amendment right to discuss their important research.
>
> http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

And the vulnerability assessment they prepared -- filed by the MBTA in court, and hence a matter of public record -- is at
http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: security questions
> IIRC, it used personal data already available to DEC -- so they didn't have to ask their employees for it

That works great so long as the personal data is accurate.

Banks these days are supposed to verify your identity when you open an account. Online banks pull your credit report anyway, so they make up some verification questions from historical info in the report. I'm regularly asked which of four street addresses I've lived at. Unfortunately, in my case the correct answer is invariably none of them. I'm part owner of a relative's house in New Jersey, and the credit bureaus all are sure that since my name is on the deed, that must be where I live. So that's the address that shows up. Adding to the excitement, they often ask what city, to which the answer would still be none of them even if I lived in that house. It's in Lawrenceville, but I guess it gets mail delivered from the Trenton P.O., so the allegedly correct answer is Trenton.

It's not too hard for me to figure these out, but given the amount of plain wrong info in credit reports, this approach must lead to some pretty frustrating failures.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please," said Tom, revealingly.