[130334] in cryptography@c2.net mail archive


Re: Judge approves TRO to stop DEFCON presentation

daemon@ATHENA.MIT.EDU (David G. Koontz)
Sun Aug 10 11:37:00 2008

Date: Sun, 10 Aug 2008 14:31:50 +1200
From: "David G. Koontz" <david_koontz@xtra.co.nz>
To: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <43CFC4CD-14C3-4E82-8783-19D0719025FA@cr-labs.com>

Jim Youll wrote:
> these have been circulating for hours, but they are content-free title
> slides...
>
> On Aug 9, 2008, at 7:38 PM, Ivan Krstić wrote:
>
>> On Sat, 09 Aug 2008 17:11:11 -0400, "Perry E. Metzger"
>> <perry@piermont.com>
>> wrote:
>>>    Las Vegas - Three students at the Massachusetts Institute of
>>>    Technology (MIT) were ordered this morning by a federal court
>>>    judge to cancel their scheduled presentation about vulnerabilities
>>>    in Boston's transit fare payment system, violating their First
>>>    Amendment right to discuss their important research.
>>
>> <http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf>

There's also the synopsis as an exhibit to the case found in the Wired
article.  Note the recommendations for corrective action are familiar from
the previous reported weaknesses to the MIFARE system.


http://blog.wired.com/27bstroke6/2008/08/injunction-requ.html
DefCon: Boston Subway Officials Sue to Stop Talk on Fare Card Hacks --
Update: Restraining Order Issued; Talk Cancelled

http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf
Vulnerability Assessment of the MTBA System (Exhibit 1 to Case
1:08-cv-11364-GAO).

A report on the Dutch Public Transit Card:
http://staff.science.uva.nl/~delaat/sne-2006-2007/p41/report.pdf

Recently updated Dutch information by Andy Tanenbaum:
http://www.cs.vu.nl/~ast/ov-chip-card/

The fellows at Radboud University Nijmegen:
http://www.ru.nl/ds/research/rfid/

(Where we'll probably be able to find the ESORICS 2008 presentation,
'Dismantling MIFARE Classic', in October.)

I'd imagine there is sufficient information available to replicate the
attack, there's info on the MIFARE Classic cryptographic algorithm.

http://www.cs.virginia.edu/~kn5f/pdf/Mifare.Cryptanalysis.pdf
http://www.cs.virginia.edu/~kn5f/pdf/OV-card_security.pdf

Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic
http://eprint.iacr.org/2008/166.pdf

Security Evaluation of the disposable OV-chipkaart v1.7  updated 13 April 08
http://staff.science.uva.nl/~delaat/sne-2006-2007/p41/Report.pdf
(which has a description of the memory structure found on the cards as well
as a lot of useful protocol information.)

And the Translink Netherlands report on why disclosure doesn't matter:
http://www.translink.nl/media/bijlagen/nieuws/TNO_ICT_-_Security_Analysis_OV-Chipkaart_-_public_report.pdf
(translation: security through obscurity? still obscure enough)

And of course we've seen the Radboud video link found on YouTube:
http://www.youtube.com/v/NW3RGbQTLhE&hl=en


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
