Dutch Journalist In Legal Trouble For Showing How New Transit Card Is Easy To Defraud

from the imprison-the-messenger dept

Three years ago, the Boston subway system (MBTA) got plenty of attention for getting a judge to block some MIT students from presenting a paper at DEFCON that showed how the MBTA's magnetic stripe cards were vulnerable to hacking. Of course, all that really did was draw that much more attention to the weaknesses in the MBTA system. It seems we may be in for a repeat performance, of sorts, of this kind of "blame the messenger" approach from a public transportation group -- and this time the target is the very journalist who stepped in and did a presentation to replace the MIT kids who could not. DEFCON regular and Dutch journalist Brenno de Winter won't be attending DEFCON this year because the Dutch transportation companies are taking legal action against him for daring to do his job as a reporter and highlight security problems with the Dutch transit system's "OV transit chip card." De Winter, quite reasonably, points out that both European and Dutch courts have supported journalists for reporting on security weaknesses -- and yet he still faces a legal fight that could net him six years in prison. Even worse, it appears that even the threat of such things now has de Winter self-censoring:
"They are effectively banning me from doing my job because if I write about this card, I have to think about the consequences," said 39-year-old de Winter, of Ede, The Netherlands. "I'm writing a book and I have to leave whole chapters out."
This is no way at all to thank someone who finds a flaw for you to fix, but the Dutch transportation conglomerate appears hellbent on making life difficult for those who point out technical problems, rather than just fixing the problems.

Filed Under: brenno de winter, defcon, free speech, netherlands, reporting, security


Reader Comments


  1. That Anonymous Coward, 2 Aug 2011 @ 8:17pm

    Color me not so surprised.

    This has become the response of nearly every Government and Agency around the world.
    Our systems are perfect and to say otherwise should be illegal.
    If you make us look foolish, we make your life hell.
    So what if we wasted millions on a project that is horribly flawed, we can just keep you from speaking and everything will be fine.

    One has to wonder at what point will the people actually demand and get better from the people in charge.

  2. Cody Jackson, 2 Aug 2011 @ 8:38pm

    Wikileaks FTW!

    It's for this type of censoring that Wikileaks et al. are highly prized. If someone can't report the truth, or material that others are scared about, then at least post it anonymously.

    On a related note, if someone is scared about repercussions and writes a book under a pseudonym, can that person be charged? Is an anonymous book considered plausible deniability?

  3. Anonymous Coward, 2 Aug 2011 @ 9:00pm

    I would have to wonder if there is a difference between:

    "we found a problem in the way certain data is encoded on the card, which could permit fraud"

    and

    "we found a problem with the card, here is exactly what you need to do to hack into it".

  4. NotMyRealName, 2 Aug 2011 @ 9:52pm

    I don't see a difference between this and the videos on youtube showing how to pop a master lock with a coke can and some tin snips. The information should be unregulated - the asshole breaking into lockers should be punished.

  5. Jamie, 2 Aug 2011 @ 10:02pm

    When will companies realise that "security through obscurity" just doesn't work? As soon as anyone finds a hole, that security is gone. Even if the finder is gagged, the fact that there is a hole will lead others to find it.

    Instead of bringing lawsuits, the transportation companies should be spending that money to find a real fix for the problem. One that will stand up to public scrutiny.

  6. Brendan, 2 Aug 2011 @ 10:46pm

    Re: Wikileaks FTW!

    Came in to post the exact same thing.

  7. The eejit, 2 Aug 2011 @ 11:02pm

    Re:

    Well, either way, the company is notified. If they don't believe you, then perhaps you should show them and get evidence that this can happen.

    And if they don't like that, then perhaps they should have closed the flaw.

  8. Prisoner 201, 2 Aug 2011 @ 11:59pm

    But Mike, don't you understand that if people know the product is crappy, it will possibly lead to lost sales.

    Of course he must be put away for a long time and be fined millions.

    Possibly causing lost sales is right up there with terrorism, child porn and treason.

  9. Paddy Duke, 3 Aug 2011 @ 1:00am

    Re:

    Don’t forget giving away lemonade.

  10. Richard, 3 Aug 2011 @ 1:32am

    Re:

    The difference is that the second is useful to help fix the flaw and the first isn't.

    Feynman's maxim, anyone?

  11. Marcel de Jong, 3 Aug 2011 @ 4:40am

    De Winter has been a thorn in the side of our government as well, as he's been using the Dutch FOIA-like laws to get information out in the open: http://www.bigwobber.nl
    To the point that the Dutch government is looking into limiting our freedom of information. (Yes, the Dutch government prefers secrecy. Sadly, we're no Iceland.)

    And he has been going after local government IT-contracts, it's by law that the government has to open IT-bids to also open source companies and software products.
    It even resulted in weird statements where a governmental body (basically a group that was formed to protect the interests of municipalities) declared that they weren't part of the government thus didn't fall under the jurisdiction of our FOIA. (again, secrets are apparently better than open information, even though our tax-euros have paid for these reports, and pay these *bleep*s)

    When details became clear of TransLinkSystems' case against Brenno, a donation drive was set up to help Brenno pay his legal fees. They reached their goal within hours.

    He's a well respected freelance Investigative Journalist (with a capital I and J, as he really does investigate the stuff that he writes about)

    The funny thing about our public transit card was that BEFORE they even rolled the system out all manner of leaks and other issues were known and were talked about among security experts and even questions were asked to the minister of public transport at the time. But since it was a prestige project for this minister, it had to continue, and now we have a very flawed system:
    - No 2-way tickets possible,
    - Trips are actually more expensive,
    - anonymous cards that aren't very anonymous,
    - record-keeping that's borderline illegal,
    - and here's the kicker, we can still travel without paying, which was the biggest reason for rolling out this card.

  12. hmm, 3 Aug 2011 @ 4:42am

    Any time someone is trying to show a security flaw and gets sued they should INSTANTLY (anonymously) release the hack data to the public.

    Company with security flaw suddenly has a major breach on its hands + monetary losses.

    If this happens just a few times for a few hundred million a shot, companies wouldn't DARE to sue someone trying to help them as the consequences would be nightmarish

  13. Marcel de Jong, 3 Aug 2011 @ 4:42am

    Re: Re:

    De Winter showed in one of his articles how it could be done. And he has done it to show it. Which is probably why he's being sued.

  14. Marcel de Jong, 3 Aug 2011 @ 4:44am

    Re:

    The information about how to hack our transit cards is actually out there... For a time you couldn't even get the card readers anywhere, because there was a huge run on them.

  15. Anonymous Coward, 3 Aug 2011 @ 5:49am

    Re: Re:

    Ahh, so telling every script kiddie on the planet how to hack these cards helps. I got it.

    right.

  16. The Devil's Coachman, 3 Aug 2011 @ 8:08am

    Re: Re: Re:

    The very fact that they can means that they should, until the morons who rolled out such a ridiculously insecure piece of crap either fix it or abandon it. The problem is with them, not the hackers. They're idiots. The hackers are smart. End of discussion.

  17. Nicedoggy, 3 Aug 2011 @ 8:26am

    Re: Re: Re:

    The MIT lock picking guide

    Why not?

    Are all the script kiddies in the world going to travel to the Netherlands to buy that card so they cannot pay for it?

  18. Ninja, 3 Aug 2011 @ 10:23am

    Re:

    It's a clear message for everybody. Find the security flaw but keep quiet, let ppl explore it. And since they are not doing anything about it (neither letting ppl show the flaws) they are signaling you should also abuse, exploit the shit out of those flaws.

  19. Anonymous Coward, 3 Aug 2011 @ 10:52am

    Re: Re: Re:

    It's funny watching you try to defend security by obscurity, a method that has been debunked over and over and over and over again.

  20. That Anonymous Coward, 3 Aug 2011 @ 7:18pm

    Re: Re:

    I wonder why the people who stand to be hurt by these cards not being secure, the passengers, don't sue as well.
    The companies can claim they are being hurt, but their hurt is often just reflected in higher costs (or lessened services) directly passed onto the consumers.
    Their first action was to sue, not to find out what the insecurity was. Either they know about the flaw, or don't give a damn. There are many cases of the details of flaws being delayed to allow them time to fix them. Maybe it is time to have a look into the companies' records to see how long they were aware of the flaw.

  21. chris, 4 Aug 2011 @ 5:03am

    Re: Re: Re:

    Because of governmental immunity, and companies contracted to perform work on behalf of the government may have derivative immunity.

  22. chris, 4 Aug 2011 @ 5:08am

    Re: Re: Re:

    Actually it does help because when they get hacked they will be forced to fix the problem. Or did you think they would just go ahead and fix it anyway, just to be nice?

  23. chris, 4 Aug 2011 @ 5:15am

    Re:

    Because from the companies' perspective it's not a security problem. It's a public relations problem. It's their customers that have a security problem. Once you look at it this way it becomes obvious why they are responding the way they are.
