Dutch Journalist In Legal Trouble For Showing How New Transit Card Is Easy To Defraud
from the imprison-the-messenger dept
Three years ago, the Boston Subway system (MBTA) got plenty of attention for getting a judge to block some MIT students from presenting a paper at DEFCON that showed how the MBTA's magnetic strip cards were vulnerable to hacking. Of course, all that really did was provide that much more attention for the weaknesses in the MBTA system. It seems we may be in for a repeat performance, of sorts, of this kind of "blame the messenger" approach from a public transportation group -- and this time it's aimed at the very journalist who stepped in and did a presentation to replace the MIT kids who could not. DEFCON regular and Dutch journalist Brenno de Winter won't be attending DEFCON this year because the Dutch transportation companies are taking legal action against him for daring to do his job as a reporter and highlight security problems with the Dutch transit system's "OV transit chip card." De Winter, quite reasonably, points out that both European and Dutch courts have supported journalists for reporting on security weaknesses -- and yet he still faces a legal fight that could net him six years in prison. Even worse, it appears that even the threat of such things now has de Winter self-censoring:
"They are effectively banning me from doing my job because if I write about this card, I have to think about the consequences," said 39-year-old de Winter, of Ede, The Netherlands. "I'm writing a book and I have to leave whole chapters out."
This is no way at all to thank someone who finds a flaw for you to fix, but the Dutch transportation conglomerate appears hellbent on making life difficult for those who point out technical problems, rather than just fixing the problems.
Filed Under: brenno de winter, defcon, free speech, netherlands, reporting, security
Reader Comments
This has become the response of nearly every Government and Agency around the world.
Our systems are perfect and to say otherwise should be illegal.
If you make us look foolish, we make your life hell.
So what if we wasted millions on a project that is horribly flawed, we can just keep you from speaking and everything will be fine.
One has to wonder at what point will the people actually demand and get better from the people in charge.
[ link to this | view in chronology ]
Re: Re:
The companies can claim they are being hurt, but their hurt is often just reflected in higher costs (or lessened services) directly passed onto the consumers.
Their first action was to sue, not to find out what the insecurity was. Either they know about the flaw, or don't give a damn. There are many cases of the details of flaws being delayed to allow them time to fix them. Maybe it is time to have a look into the companies' records to see how long they were aware of the flaw.
[ link to this | view in chronology ]
Wikileaks FTW!
On a related note, if someone is scared about repercussions and writes a book under a pseudonym, can that person be charged? Is an anonymous book considered plausible deniability?
[ link to this | view in chronology ]
"we found a problem in the way certain data is encoded on the card, which could permit fraud"
and
"we found a problem with the card, here is exactly what you need to do to hack into it".
[ link to this | view in chronology ]
Re:
And if they don't like that, then perhaps they should have closed the flaw.
[ link to this | view in chronology ]
Re:
Feynman's maxim, anyone?
[ link to this | view in chronology ]
Re: Re:
right.
[ link to this | view in chronology ]
Re: Re: Re:
Why not?
Are all the script kiddies in the world going to travel to the Netherlands to buy that card so they cannot pay for it?
[ link to this | view in chronology ]
Instead of bringing lawsuits, the transportation companies should be spending that money to find a real fix for the problem. One that will stand up to public scrutiny.
[ link to this | view in chronology ]
Of course he must be put away for a long time and be fined millions.
Possibly causing lost sales is right up there with terrorism, child porn and treason.
[ link to this | view in chronology ]
To the point that the Dutch government is looking into limiting our freedom of information. (Yes, the Dutch government prefers secrecy. Sadly, we're no Iceland.)
And he has been going after local government IT-contracts, it's by law that the government has to open IT-bids to also open source companies and software products.
It even resulted in weird statements where a governmental body (basically a group that was formed to protect the interests of municipalities) declared that they weren't part of the government thus didn't fall under the jurisdiction of our FOIA. (again, secrets are apparently better than open information, even though our tax-euros have paid for these reports, and pay these *bleep*s)
When details became clear of TransLinkSystems case against Brenno, a donation drive was set up, to help Brenno pay his legal fees. They reached their goal within hours.
He's a well respected freelance Investigative Journalist (with a capital I and J, as he really does investigate the stuff that he writes about)
The funny thing about our public transit card was that BEFORE they even rolled the system out all manner of leaks and other issues were known and were talked about among security experts and even questions were asked to the minister of public transport at the time. But since it was a prestige project for this minister, it had to continue, and now we have a very flawed system:
- No 2-way tickets possible,
- Trips are actually more expensive,
- anonymous cards that aren't very anonymous,
- record-keeping that's borderline illegal,
- and here's the kicker, we can still travel without paying, which was the biggest reason for rolling out this card.
[ link to this | view in chronology ]
Company with security flaw suddenly has a major breach on its hands + monetary losses.
If this happens just a few times for a few hundred million a shot, companies wouldn't DARE to sue someone trying to help them as the consequences would be nightmarish.
[ link to this | view in chronology ]