Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Interview With MIT Subway Hacker Zack Anderson

timothy posted more than 6 years ago | from the clearly-a-terrorist dept.

Hardware Hacking 113

longacre writes "In his most extensive interview since the DefCon controversy emerged, MIT subway hacker Zack Anderson talks with Popular Mechanics about what's wrong with the Charlie Card, what happened at DefCon, and what it's like to tango with the FBI and the MBTA. The interview comes on the heels of Tuesday's court ruling denying motions by the MBTA to issue a preliminary injunction aimed at keeping the students quiet for a further five months."

Sorry! There are no comments related to the filter you selected.

Drop Lockheed-Martin: (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24710271)

and let Mig or Sukhoi build Orion.

Re:Drop Lockheed-Martin: (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24710301)

perhaps they should team up with dibold . . . they have a great track record in security.

Re:Drop Lockheed-Martin: (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24710351)

yeah. That is pretty darn funny. Notice that when it comes to aircraft who is more trusted; Boeing or MIG/Sukhoi ? And as far as rockets go, the russians have 1 system from the 60's that has had minor variations over the many decades. I would rather trust those that have done MANY things AND had many failures with a number of success, than an engineer that has done the same thing for so long. Besides, you did notice that after decades of running, it still crash lands in wrong areas.

The battle (5, Insightful)

Adreno (1320303) | more than 6 years ago | (#24710289)

I'm really glad that the court decided to overturn the injunction. We need to get information like this out in the open, so we can solve these problems quickly and in an open-source manner. Simply denying that a problem such as this exists does not solve the problem... it delays a fix, and makes it even MORE likely that such exploitation will happen in the first place.

Re:The battle (4, Insightful)

jellomizer (103300) | more than 6 years ago | (#24710363)

Unfortunately most peoples mind are stuck in the 20th century. And don't consider how quickly these things can spread now. Say 15 years ago this happened keeping it quite would have gave them a security advantage as it is easy to control the flow of information, so for someone else wanted to break in had to duplicate all the research again. However today once you try to silence someone the information flows faster, and it is harder to keep the information down, so when a problem is found it is best to fix it then put time in hushing it up. Sorry the world follows different dynamics now adapt or parish.

Re:The battle (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#24710425)

actually, the world has always been adapt or perish, that's nature. It's just the circumstances in which you had to adapt are a little different today than a million years ago.
 

Re:The battle (0)

e4g4 (533831) | more than 6 years ago | (#24710497)

He wasn't making the claim that adapt or perish was new - his last sentence was just missing a couple of commas.

"Sorry, the world follows different dynamics now, adapt or perish"

Re:The battle (2, Informative)

rbf2000 (862211) | more than 6 years ago | (#24710539)

Ironically, they made far more information publicly available than the MIT kids ever intended to present by including the security report in their motion. You think they would have sealed the document, or whatever the legal term is for hiding sensitive information like that.

Bad News (1)

c0d3r (156687) | more than 6 years ago | (#24710601)

Quoting Douglas Adams:

Only one thing moves faster than the speed of light, and its bad news which operates by it's own laws.

Or something or other like that.

Re:The battle (4, Funny)

SwordsmanLuke (1083699) | more than 6 years ago | (#24710957)

adapt or parish.

That's right! Change, or we're sending you to... church!

Re:The battle (0)

Anonymous Coward | more than 6 years ago | (#24710975)

Or Louisiana.

I'll take church, thanks.

Re:The battle (1)

herring0 (1286926) | more than 6 years ago | (#24711367)

Now if it was crawfish season I'd have to politely disagree with you but seeing as how it is hurricane season I'll join you at church.

Re:The battle (1)

LordAlced (1279598) | more than 6 years ago | (#24714191)

Oh noes, the evolutionism vs. creationism war is about to be fought on a whole new battlefield!

Re:The battle (0)

Anonymous Coward | more than 6 years ago | (#24711121)

Um, they were probably doing both. Trying to quiet it up while working on a fix. It was futile, but they were trying to buy time. It wasn't really a waste, given that lawyers aren't well-known for their programming and engineering skills. Just a waste of money.

Re:The battle (0)

Anonymous Coward | more than 6 years ago | (#24711599)

adapt or parish.

There's an anti-evolution joke in here, I'm sure of it.

Re:The battle (1)

alexandreracine (859693) | more than 6 years ago | (#24711931)

Fixing thing cost money. Why would they want to spend money?

Re:The battle (0)

Anonymous Coward | more than 6 years ago | (#24710845)

We need to get information like this out in the open, so we can solve these problems quickly and in an open-source manner.

What the hell does "solve these problems .. in an open-source manner" mean? Is that like submitting a patch to the judge's injunction order, hoping the law maintainer incorporates the patch?

Re:The battle (1)

lysergic.acid (845423) | more than 6 years ago | (#24712111)

or maybe he just means community collaboration, which only works if all information is publicly available and can be exchanged freely. chances are the security issues discovered aren't unique to MBTA. it would make more sense to discuss the problem and its potential solutions out in the open, this way others may contribute their own experiences or perhaps detect similar vulnerabilities in their own systems.

Obligatory IANAL (4, Insightful)

blcamp (211756) | more than 6 years ago | (#24710323)

US Constitution, Amendment I:

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.

Did I miss something here?

Not that I want a security system compromised, because I don't... but the 1st Amendment doesn't say "Congress shall ... abridge free speech in instances where a subway system is hacked".

no, not really (4, Insightful)

Reality Master 201 (578873) | more than 6 years ago | (#24710491)

Grow up - your free speech rights aren't absolute.

There's the classic example of shouting fire in a crowded theater, for example. There's various laws against disclosing all kinds of information - medical records (go to a hospital, and you'll find signs in the elevators reminding staff to be careful when discussing patients), state secrets, etc.

And that's not getting into the realm of lawsuits. I mean, I could go on for hours about how you molest your children while smoking crack, but you can sue me for libel and I'll lose if I can't back up my claims. If you sign an NDA and then announce a press conference to disclose stuff covered under that NDA, I can get an injunction against you to prevent your holding that press conference.

In this case, the folks running the subway got an injunction to prevent the disclosure of the hack. And a judge looked at the evidence and decided that they didn't deserve a permanent injunction.

Re:no, not really (0)

Anonymous Coward | more than 6 years ago | (#24710635)

Are you a lawyer?

Re:no, not really (0)

Anonymous Coward | more than 6 years ago | (#24711019)

Are you a lawyer?

Must be. The plain English of the First Amendment appears to be overwhelming him.

Re:no, not really (5, Interesting)

Hoplite3 (671379) | more than 6 years ago | (#24710721)

Yes, the old fire in the theater line... That's from the Holmes ruling in the Schenck case. Schenck was posting fliers bashing the draft for WWI and got swept up and jailed by the police. Holmes wrote for the Supreme Court majority that such speech was equivalent to shouting fire in a theater and Schenck (continued) his time in jail.

Remember kids: every time someone uses this line to define the limits on free speech, they are hearkening back to rulings that undercut the very purpose of the 1st amendment.

Re:no, not really (4, Informative)

_Sprocket_ (42527) | more than 6 years ago | (#24710835)

Very interesting. Further reference:
http://en.wikipedia.org/wiki/Schenck_v._United_States [wikipedia.org]

Re:no, not really (1, Interesting)

Anonymous Coward | more than 6 years ago | (#24711753)

But, didn't Schenck's actions fail the "Imminent lawless action" test, e.g. he was urging people to disobey the law and evade the draft? You have every right to declare in public that "Law XXX is harmful", etc. But you don't have a right to say "Law XXX is bad, therefore you should break the law!". Civil disobedience is certainly morally justified in some circumstances, but it is still unlawful, as is compelling others to break the law.

remember kids (4, Insightful)

Reality Master 201 (578873) | more than 6 years ago | (#24710913)

Remember kids: every time someone uses this line to define the limits on free speech, they are hearkening back to rulings that undercut the very purpose of the 1st amendment.

Every time someone picks a single item from among several used to make a point and rests their entire argument on it, you should be skeptical.

I noticed that you didn't mention the more applicable end of things, i.e., courts enjoining speech pursuant to a lawsuit, of the larger issue that free speech rights aren't absolute in the US, and never have been.

Also, Schenck vs. US was a bad decision, and fairly un-American in my view. But what Holmes said "The most stringent protection of free speech would not protect a man in falsely shouting fire in a theatre and causing a panic," is fundamentally reasonable, even if that justification wasn't appropriate to the case.

Re:remember kids (4, Insightful)

fuzznutz (789413) | more than 6 years ago | (#24711281)

"The most stringent protection of free speech would not protect a man in falsely shouting fire in a theatre and causing a panic," is fundamentally reasonable, even if that justification wasn't appropriate to the case.

The keyword there is FALSELY. It is not "illegal" to shout fire in a theater. In fact, I would hope that someone would do just that in the event of a fire. The key issue of the MIT students is prior restraint of free speech simply because a party doesn't like what they believe they might hear.

Re:remember kids (3, Insightful)

guibaby (192136) | more than 6 years ago | (#24715293)

The "shouting fire is a theater" thing is not a Free Speech issue. You have every right to yell fire in a crowded theater. Especially if there is a fire. What you will get in trouble for is the results of your speech. Free speech is and should be absolute. But; you are responsible for the results of your speech and you always have been.

Courts enjoining speech in a lawsuit or criminal case: This is not a law against free speech (as in congress shall make no law.) It is a judge doing his job in a specific instance to ensure a fair trial.

An NDA is a contractual obligation. Again this is not a law against free speech.

Laws against disclosure (medical records and such) again do not violate the "Congress shall make no law" because they apply to commercial entities which are not protected by the constitution. The constitution applies to people. Yes, I know, some judges have ruled as if corporation are "persons." It is very convenient sometimes to think that way, but it is not a constitutional matter.

Libel and Slander are also not limitations on speech. If you are sued for one of those things you are being sued for the damage that you did to that person not the speech itself.

Any abridgment you can come up with a reason for is either bad law, bad application of law or not an abridgment.

ANY law that restricts the speech of an individual is unconstitutional by definition.

Re:no, not really (1)

reddburn (1109121) | more than 6 years ago | (#24713775)

The first amendment is vague, and I'm glad of it. Congress makes no laws abridging free speech. You can say whatever you wish (unless that information is classified, in which case you have pledged to not divulge it, voluntarily abrogating your right in that instance). Without restriction, without a limit, some sort of inbuilt limit of what it would be meaningless or wrong to say, there can be no assertion nor reasons for asserting.

The reason for the preferred legal distinction between speech and action is that if the First Amendment is to make any sense whatsoever, speech must be declared separate from action, or as a special form of action that make action a target for regulation.

Because if the First Amendment protected action, it might as well have been written "Congress shall make no law abridging freedom of action," tantamount to "Congress shall make no law," thereby, "There will be no law."

It is the very debate over the lines we draw that creates our free speech, because within that debate, we are enacting and protecting the principles that our forefathers wanted to protect: the right to debate publicly without fear of retribution from a tyrannical government, to openly declaim about public policy, belief, religion, etc. without fear of reprisal. It is the job of the First Amendment to demarcate an area in which competing views can be considered without interference.

Re:no, not really (1)

Chees0rz (1194661) | more than 6 years ago | (#24715519)

That Sherlock Holmes is such a dick...

Re:no, not really (1)

az26er (1179135) | more than 6 years ago | (#24711201)

There's no law that prevents someone from shouting fire in a crowded theater if the damn theater is really on fire.

Re:no, not really (1)

wizzat (964250) | more than 6 years ago | (#24711677)

You're absolutely right, free speech is not an absolute right. There are limits in place via the interpretation of the Supreme court. The current limit (which negates and overrides your "Fire In a Theatre"/Clear and Present Danger test) is the Imminent Lawless Action test.

Check out Wikipedia [wikipedia.org] for more information.

Re:no, not really (1)

Reality Master 201 (578873) | more than 6 years ago | (#24712515)

Yeah, I know; I wasn't so much citing the clear and present danger test as put forward by Holmes, as citing a familiar example of a clear place where the individual's right to free speech is necessarily subsumed to the greater concern for public safety. The two somehow get combined into a single thought in people's minds, however; there's another response to my original post that cites the Schenck case as the origin of the (misquoted) phrase, and manages to miss the point that the example embodied in that choice of phrase and it's use in the justification of a bad court ruling are separate issues.

Note, too, that the practical example of (falsely) shouting fire in a crowded theater would still not be considered protected speech by the Imminent Lawless Action test.

Re:no, not really (0)

Anonymous Coward | more than 6 years ago | (#24712381)

"Grow up - your free speech rights aren't absolute."

They aren't, but they damn sure were meant to be.

Re:Obligatory IANAL (2, Insightful)

JohnnyKlunk (568221) | more than 6 years ago | (#24710533)

I think it's the interpretation
the right of the people peaceably to assemble, and to petition the government for a redress of grievances.

They're not stopping anyone from assembling peaceably, and they're not stopping anyone from petitioning the government.
If these kids tried to petition the government to fix the system and a law was passed to prevent them then this would be a violation. However the government is preventing a party from addressing the assembly on a sensitive issue. I don't beleive this is covered in the above

Not saying I agree with stopping the presentation, but the right of free speech is really about petitioning the government over greivances, not saying whatever you want.

Re:Obligatory IANAL (3, Insightful)

javelinco (652113) | more than 6 years ago | (#24710697)

I'm sorry, but no way does this make any sense. Did you forget the frickin' OR? As in: "or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances." You make no sense.

Re:Obligatory IANAL (4, Informative)

Ioldanach (88584) | more than 6 years ago | (#24710723)

Maybe this will help: Congress shall make no law (((respecting an establishment of religion) or (prohibiting the free exercise thereof)) or (abridging (the freedom (of speech) or (of the press)) or ((the right of the people peaceably to assemble) and (to petition the government for a redress of grievances)))). The alleged violation is "abridging (the freedom (of speech) or (of the press))". The assembly subclause is enclosed within a different area of the clause.

Re:Obligatory IANAL (2, Funny)

xstonedogx (814876) | more than 6 years ago | (#24711089)

If only the Founding Fathers had known LISP!

Re:Obligatory IANAL (0)

Anonymous Coward | more than 6 years ago | (#24714655)

Speak for yourself, I'm using my father's parentheses.

http://xkcd.com/297

It's a xkcd reference! Sudo mod me funny.

Re:Obligatory IANAL (0)

Anonymous Coward | more than 6 years ago | (#24711251)

My LISP is a bit rusty, could you convert that to Java?

Re:Obligatory IANAL (1)

doulos05 (945501) | more than 6 years ago | (#24711431)

See, THIS is why we should teach kids computer programming instead of civics. Because computer programming teaches you civics! I knew LISP would come in handy!

In all honesty, I wish legal documents were written that way. It would make the extraneous statements more obvious and the legalese less dense. Then again, it would also allow for easier refactoring, resulting is shorter and more understandable documents. Putting hundreds of lawyers out on the streets... wait, I'm not sure that's a bad thing.

Re:Obligatory IANAL (0)

Anonymous Coward | more than 6 years ago | (#24713685)

You should really see a doctor about that lisp.

Re:Obligatory IANAL (4, Insightful)

JesseMcDonald (536341) | more than 6 years ago | (#24710979)

Not saying I agree with stopping the presentation, but the right of free speech is really about petitioning the government over greivances [sic], not saying whatever you want.

No, the right of free speech is about speech alone not being a crime for which one can be punished, or a source of harm for which one can be made liable. It's fairly obvious that freedom of speech is separate from the right to petition; just look at where the semicolons were placed. The amendment is addressing three different rights:

  1. Freedom of religion
  2. Freedom of speech, including speech via the press
  3. Freedom of assembly for the purpose of petitioning the government for redress

You wouldn't try to argue that freedom of religion is all about petitioning the government for redress, would you? The segment describing freedom of religion relates to the right of assembly in exactly the same way as the segment about freedom of speech.

You did miss something. (4, Informative)

stomv (80392) | more than 6 years ago | (#24710647)

The US has tons of limits on free speech, including but not limited to restrictions with respect to
  * perjury
  * profanity
  * sealed courtroom/trial
  * threats
  * slander and libel
  * classified information
  * treason

Re:You did miss something. (4, Informative)

russotto (537200) | more than 6 years ago | (#24711199)

The US has tons of limits on free speech, including but not limited to restrictions with respect to
    * perjury

But no prior restraint here.

* profanity

Most such restrictions get shot down in court; if it's about profanity in particular, they fall afoul not only of freedom of speech but of religion as well.

* threats
* slander and libel

Again, no prior restraint here. And what constitutes a threat is reasonably narrowly defined, though prosecutors are always trying to stretch it

* classified information

You have, perhaps, heard of the Pentagon Papers case? Where the Washington Post and the New York Times could not be enjoined from publishing classified information?

* treason

It's awfully hard to commit treason with public speech. Laws against sedition, on the other hand, have a long history of violating freedom of speech.

Re:You did miss something. (1)

ChrisMaple (607946) | more than 6 years ago | (#24715731)

The "Pentagon Papers" and similar cases could not be enjoined for reaons that were as much political as legal. The huge political pressures for the release of the papers could not be defeated. The confidential classification was BS, and everyboby knew it; if you read the PP you saw nothing there that wasn't already believed to be common knowledge. Furthermore, at the time the actual leaker (who had taken an oath not to release classified data) was unknown. All the newspapers did was pass along the already compromised information.

People who get security clearances are given annual lectures on the importance of not blabbing and some of the law involved. It's prior restraint and properly so. People's lives are at stake.

Although what the Rosenbergs did was more spying than public speech, if atom bomb details had been published in the NYT they still would have gotten the death penalty, and again properly so. It was treason.

Re:You did miss something. (2, Funny)

lysergic.acid (845423) | more than 6 years ago | (#24712193)

you forgot the biggest one:

no talking in the library!

Re:You did miss something. (1)

witherstaff (713820) | more than 6 years ago | (#24713655)

You forgot the best limit - Free Speech Zones [wikipedia.org] . I grew up thinking that the free speech zone was anywhere on American soil... silly me.

Re:You did miss something. (2, Informative)

pbaer (833011) | more than 6 years ago | (#24714159)

You also forgot: *copyright

Re:Obligatory IANAL (2, Insightful)

SirGarlon (845873) | more than 6 years ago | (#24710815)

Not that I want a security system compromised, because I don't...

The students didn't hack a security system. They hacked the toll-collection system of the subway turnstiles. The MBTA made some whiny noise about the hack being a security risk but evidently the judge didn't believe their argument.

Re:Obligatory IANAL (1, Insightful)

Derosian (943622) | more than 6 years ago | (#24711009)

You aren't really missing anything. You just don't get that only Congress shall make no law, anyone else can make as many laws as they want.

Re:Obligatory IANAL (0)

Anonymous Coward | more than 6 years ago | (#24711137)

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances. Did I miss something here?

Yes, you did. The "free exercise thereof" explicitly refers to the "establishment of religion" portion. And they have not made a law abridging the freedom of speech. So what's your point posting this?

Re:Obligatory IANAL (1)

eeek77 (1041634) | more than 6 years ago | (#24711369)

Read "The Hacker Crackdown." When you have the ability to cause a blackout to the phone system of an entire US region - you most definitely do NOT have the freedom of speech.

I would enjoy reading a version of that book, written for today's circumstances.

Re:Obligatory IANAL (2, Insightful)

Tetsujin (103070) | more than 6 years ago | (#24711679)

Read "The Hacker Crackdown." When you have the ability to cause a blackout to the phone system of an entire US region - you most definitely do NOT have the freedom of speech.

And why not? Why shouldn't a student of security issues be able to discuss their findings about such a flaw with other security professionals? Why should someone, once they've gone to the trouble of investigating the situation and discovering such a flaw, be barred from legitimately profiting from that work? Just because it's inconvenient for the people who maintain the flawed system?

It sounds like the talk the MIT students were going to give would have satisfied both sides: allowed the students to legitimately profit from their own hard work, while not giving the general public the information needed to circumvent the system.

Re:Obligatory IANAL (1)

X0563511 (793323) | more than 6 years ago | (#24711597)

Yes you did:

US Constitution, Amendment I:

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.

Right argument, wrong backing. You want the stuff to the right of the semicolon: "... or abridging the freedom of speech..."

Re:Obligatory IANAL (1)

notes rules (652573) | more than 6 years ago | (#24711737)

I agree that this is good that the MIT student announced his findings and acted responsibly by not publishing his findings. But, I am not sure this is covered by the first amendment, although I like that amendment a lot. For example, what about credit card information? Let us assume that someone hacked into Visa's system because it was hackable. Is that free speech if someone posts private credit card information to the internet?

The real question I want to know... (4, Insightful)

rahvin112 (446269) | more than 6 years ago | (#24710389)

Did the MBTA learn a lesson here about making a mountain out of a molehill? They essentially took something that would have received almost no attention and turned it into a national news story and then publicly filed all the details in open court such that anyone with the wherewithal to defraud the MBTA now not only knew about the exploit but had the full details on how to do it.

Re:The real question I want to know... (2, Informative)

ParanoiaBOTS (903635) | more than 6 years ago | (#24710891)

Did the MBTA learn a lesson here about making a mountain out of a molehill? They essentially took something that would have received almost no attention and turned it into a national news story and then publicly filed all the details in open court such that anyone with the wherewithal to defraud the MBTA now not only knew about the exploit but had the full details on how to do it.

I doubt they learned anything. If I have noticed one thing about cases like this its that they always seem to make the same mistakes. It's really just a matter (again) of people addressing the symptom, not the problem.

Re:The real question I want to know... (1)

SparkleMotion88 (1013083) | more than 6 years ago | (#24711151)

Did the MBTA learn a lesson here about making a mountain out of a molehill?

Obviously not since they have not fully dropped this case yet. The MBTA doesn't seem to have a full understanding of consequences either. In the interview, Anderson says that he still isn't planning on sharing the details of the hacks, even though there is nothing preventing him from doing so. I know if I were on the wrong end of a lawsuit, I would probably publish every detail of this information out of spite (unless I really thought I needed it for leverage).

Re:The real question I want to know... (3, Insightful)

gad_zuki! (70830) | more than 6 years ago | (#24711493)

So? They *might* be exposing themselves to a higher frequency of short-term compromise but frankly the people with the know-how to do this and the equipment and the will dont exist in vast numbers.

The worst thing they could have done is 'play it cool' and downplay this. This would only encourage people to continue compromising their cards and give the MBTA little incentive to get off its collective ass.

As it stands now, this is so publicized that every transit organization around the world is freaking out about its level of encryption. This will have some pretty positive long-term consequences.

Im glad they didnt play it cool. The Streisand effect sometimes has unintended positive consequences.

Re:The real question I want to know... (1)

SanityInAnarchy (655584) | more than 6 years ago | (#24714439)

Did the MBTA learn a lesson here about making a mountain out of a molehill?

Unlikely. And, unfortunately, the "hacker" responsible seems to be more interested in his own personal integrity than in teaching them that lesson...

You see, he said, very clearly, that he'd be sharing no details which would allow someone to trivially cheat the system. He sent them documents showing everything he knew, and explaining that he wouldn't be sharing all of this in his talk.

And the asshats still decided to call the FBI, and to sue him.

If this was me, at this point, I'd say "OK, you blew it, this is all going up on wikileaks. And it's going up there because you were asshats about it."

the more I read about this.... (2, Interesting)

BitterOldGUy (1330491) | more than 6 years ago | (#24710401)

It's sounds more and more like the MBTA is just trying to cover up their mistake. This has nothing to do with public safety or stealing rides on the transit system.

Especially this part:

They're filing a lawsuit right now, basically, and nobody's in court for usâ"just MBTA lawyersâ"and we don't fully know what's going on.

Interesting. So, no one at MIT was served or anything. The MBTA just shows up in court to tell their story and theirs alone? And asks for an injunction?

At least they didn't go nuts like the time with the light brites under the bridges.

Re:the more I read about this.... (0)

Anonymous Coward | more than 6 years ago | (#24710657)

1-31-07 Never Forget

The moon rules! (2, Insightful)

Tetsujin (103070) | more than 6 years ago | (#24711805)

1-31-07 Never Forget

Damn right...

I like Boston but sometimes I feel like there's some kind of epidemic here that causes people to react to problems in the most brain-dead, paranoid methods possible...

Re:the more I read about this.... (3, Interesting)

MRe_nl (306212) | more than 6 years ago | (#24710759)

the more it just seems someone at MBTA mistook their (MIT's)vulnerabilities rapport for the
scheduled Defcon talk that Friday and panicked.
quote/
"The FBI agent said, basically, this is not going to be an investigation. We don't have anything here. Don't worry about it.

So we told them we'd provide them a vulnerability report, going over what we found, and also methods that could fix these problems, and they said we could get that to them within two weeks. We had actually planned on getting it to them within the week, before business hours ended on Friday, so they'd have this in their hands before we gave the talk. We felt this was a courtesy we should give them.

This report was not going over what we were speaking about at DefCon, that wasn't the point. Some other people at MBTA have claimed that it was, but the point of the report was to go over the vulnerabilities, and go over ways that they could fix them. That's what we provided them, and we got it to them that Friday."
end quote/

and that's where it went wrong I think.
Had that report arrived monday nothing might have happened.

Re:the more I read about this.... (1)

SirGarlon (845873) | more than 6 years ago | (#24710885)

And I notice the university didn't rush to send their own crack legal team to defend free inquiry and academic freedom.

Stored value cards are foolish (4, Insightful)

kriston (7886) | more than 6 years ago | (#24710415)

Stored value cards are foolish.
They should only ever be used for identification and authentication.
The value being managed must always be stored and administered on the billing system itself.

This is why the responsible agencies (EZ-Pass, WMATA DC Metro, NYC Metrocard) should not, and usually do not, use stored value cards.

How naive of the MBTA to do this.

Cloning is still a problem with DC Metro and NYC Metrocard, but this is relatively easy to detect using database analysis and trending.

The security should lie with the central system.
Stored value cards are never secure--especially if you're depending on the obsolete version of MiFare Classic which should have only ever been used for authentication (serial numbers, keys, and scanned fingerprints).

Never for a so-called "digital purse" like MBTA used it for.

Re:Stored value cards are foolish (2, Interesting)

schwaang (667808) | more than 6 years ago | (#24710669)

Stored value cards are foolish.
They should only ever be used for identification and authentication.
The value being managed must always be stored and administered on the billing system itself.

OK, but if you have RFID and a weak key, an id/auth-only system still has the problem where you can effectively copy someone's card with an antenna, and then use it until $0. You just can't refill it for free as in the stored value case.

I haven't thought about this much, but while the auth/central billing approach seems more secure (if you fix the key problem), it's got a single point of failure that brings down your entire transit system, where the lower security value-store approach does not. Maybe in the real world that's not a big deal, I don't know.

Re:Stored value cards are foolish (1)

kriston (7886) | more than 6 years ago | (#24710831)

The central system provides protection because you can trend activity and fix things afterward.
Surely, it doesn't prevent it, but it does allow you to detect it and recover quickly.
The stored value mode doesn't allow either, unless, maybe, the central system gets not just the fare paid but the stored value per card ID, and you're tracking that at the central system. And, in that case you might as well be using a central billing system.

Re:Stored value cards are foolish (1)

honkycat (249849) | more than 6 years ago | (#24711783)

Except that the stored value + post-facto audit allows the stations to work even if they are do not have connectivity to the main server 100% of the time. You could do a daily log dump/blacklist update from the station back to the central server. Given the number of turnstiles that are broken on the MBTA at any given time, having the turnstile free to operate independently of the mothership seems critical...

Re:Stored value cards are foolish (1)

pjt33 (739471) | more than 6 years ago | (#24711343)

I haven't thought about this much, but while the auth/central billing approach seems more secure (if you fix the key problem), it's got a single point of failure that brings down your entire transit system, where the lower security value-store approach does not. Maybe in the real world that's not a big deal, I don't know.

That reminds me of an interview question I was asked a few years back which basically wanted me to sketch a design for an ATM network. As in all things engineering, there's a trade-off to be made. What you can do is have each terminal store a copy of the transaction. If the central billing system is up it validates the user's credit in real time: if not, it commits the transaction later. You can get free travel, but only if you can bring down the connection to the centre.

Re:Stored value cards are foolish (1)

schwaang (667808) | more than 6 years ago | (#24711837)

Yeah that makes sense. You can always design in a workaround if you forsee the problem and the (probability of the problem) X (severity of the problem) X (effectiveness of the workaround) is high enough to justify the cost. The potential losses with the store-and-forward solution are small, like when a retailer's credit card verification system is down and they have to write transactions on paper slips. A few might be bad, but the business stays open.

Re:Stored value cards are foolish (2, Interesting)

flink (18449) | more than 6 years ago | (#24710905)

Stored value cards are foolish.
They should only ever be used for identification and authentication.
The value being managed must always be stored and administered on the billing system itself.

A system that must communicate with a central database isn't very useful for:
  * buses
  * trolleys
  * the commuter rail

Where a network connection isn't necessarily available as the reader must reside on the vehicle itself.

I'd be interested to hear how the other cities who don't use stored value cards solve this problem.

Re:Stored value cards are foolish (2, Funny)

Anonymous Coward | more than 6 years ago | (#24711139)

I'd be interested to hear how the other cities who don't use stored value cards solve this problem.
They kindly request the sheeple to use dollar bills, and/or money coins. It's amazing technology.

Re:Stored value cards are foolish (0)

Anonymous Coward | more than 6 years ago | (#24711577)

replication

Yeah they are (1)

mpapet (761907) | more than 6 years ago | (#24711925)

Busses just send the data off via some kind of modem. Doing it offline is actually cheaper over the life of a transit project by anywhere from 10-40%, but the annual operating costs are slightly higher if they went 100% offline.

Politically, which do you think wins?

Re:Stored value cards are foolish (2, Informative)

kriston (7886) | more than 6 years ago | (#24712285)

You may have read my comment already but there is an advisory value stored on the card but it's not the authoritative record of the balance. As with the Oyster Card "hacks" in London the cards can be turned off within one day. The central billing system analyzes trending and riders are accepted into the vehicle based on the balance on the card. If that balance doesn't match with the central database the card is turned off within hours. Same happens with cloned cards which can be detected the same way even more quickly as cards are used in impossible locations at impossible time intervals. The vehicle acceptance systems use store-and-forward wireless systems--remember, all the vehicles have onboard radios which will work several times per hour even on routes with the poorest coverage.

My Guess? (0, Redundant)

/dev/trash (182850) | more than 6 years ago | (#24713603)

Dollar bills?

You F*cking Idiot (1, Troll)

mpapet (761907) | more than 6 years ago | (#24711771)

You do a good job at sounding like you know something about the subject, but you are woefully misinformed and out of date. The reason offline stored value is not used is that it is too slow for transit. By now the speeds are probably better than they were a few years ago. The other reason is the cost structure makes online systems politically attractive. Municipalities waste 100's of millions of dollars up front for implementing online system to have going-forward operating costs negligibly lower.

The security should lie with the central system.
There is no need for this kind of antiquated thinking anymore. Their system is centralized. The guy is misinformed about what is stored on the card. The guy is also misinformed about cloning. Where will he source the right card that is ready for initialization? Will he know how to initialize it correctly? It would work in Hollywood, but in real life it's non-trivial.

Not always (1)

Reverberant (303566) | more than 6 years ago | (#24712053)

The security should lie with the central system.

flink [slashdot.org] lays out one reason why central system doesn't make a lot of sense on a multimodal transit system (don't forget they also have boats).

In the case of rail transit, a centralized fare system will also require a communications system with 100% uptime between the stations and the central system. I've had experience with the station-to-dispatch communications system and it's anything but reliable because the infrastructure is so old. The MBTA is in the process of upgrading the system but it's probably going to be years before 200+ stations are all upgraded.

In the meantime, if the comm goes down between the station and the centralized fare system, you either close the station until communications are restored (bad) or you let people ride for free until communications are restored (bad).

Stored values on the card is a decent compromise, but the security on the card should have been tighter.

Re:Stored value cards are foolish (1)

kriston (7886) | more than 6 years ago | (#24712093)

I'd like to add that the flamebait posters who've replied to my post might want to investigate how Metrocard works when it comes to accessing the central database in vehicles. I would amend my earlier post to also state that the cards do, indeed, carry the balance of the card, they do not hold the authoritative balance of the card. On vehicles that do not have real-time data links the card's value is used to allow the holder to board the vehicle. The data is checked in a store-and-forward manner (like your local UPS driver's handheld does). If the balance presented by the card and the transaction ID do not match up with the database the card is turned off.

Naturally this doesn't prevent the first or even the second fraudulent fare it certainly blocks the subsequent transactions after the trend is discovered.

Incidentally the vehicles for the newer Smartcard-based systems have real-time data links.

Thought you'd like to know, and maybe try to do some more research, you guys.

Re:Stored value cards are foolish (0)

Anonymous Coward | more than 6 years ago | (#24712801)

You are so right!

But what I do not understand is why this kid is treated as such a uber-hacker when he just discovered that they used Mifare Classic when Mifare Classic has been broken for over a year!

The FBI's role (4, Interesting)

MikeRT (947531) | more than 6 years ago | (#24710485)

The FBI's role should have been to offer him and his buddies a lab, security clearance and a plush job to do this kind of work for them. Seriously, these are the kind of guys that the cops want working for them because every security hole in the infrastructure they find helps the cops do their job--and these guys are smart and educated enough to help the vendor fix the problem.

Re:The FBI's role (1)

blueg3 (192743) | more than 6 years ago | (#24711825)

Someone's going to offer them such a job, but probably not publicly in the context of an investigation.

Re:The FBI's role (1)

/dev/trash (182850) | more than 6 years ago | (#24713637)

Who says they haven't?

The question we all want answered (1)

smooth wombat (796938) | more than 6 years ago | (#24710501)

My first weekend in Vegas after turning 21.

Did you get drunk and wake up next to a showgirl?

Re:The question we all want answered (1)

jgtg32a (1173373) | more than 6 years ago | (#24710877)

If not then you're doing it wrong

Re:The question we all want answered (1)

CogDissident (951207) | more than 6 years ago | (#24711135)

At least its not Reno. That town is so old, even the showgirls are like 50. (I really wish I could erase that mental image)

Re:The question we all want answered (1)

PPH (736903) | more than 6 years ago | (#24713067)

Next question: Why just one?

Let The Wild Rumpus Start! (-1, Offtopic)

curmudgeon99 (1040054) | more than 6 years ago | (#24710593)

Corporations with weaknesses are screwed. Information wants to be free and once people know there are vulnerabilities, they will be found and exploited. Just drives me nuts how companies expect the law to protect them from the Wild West of the "Internets". Remember that Darwin had some good ideas that apply to corporations and their predators--hackers. In short, it means the weak get their lunches eaten and the strong do the eating. MBNA should just hand over the keys to their bank accounts to these hackers. All they need is to piss off the hacker community and make it sport going after them.

MBNA != MBTA (4, Informative)

SirGarlon (845873) | more than 6 years ago | (#24710955)

You seem to be confusing the bank, MBNA, with the Boston transit authority, MBTA. Hacking MBNA would almost certainly be a felony. Hacking the MBTA is not even definitely illegal if you don't actually ride a train without paying. That what all this is about.

Haha! Pwned! (0)

Anonymous Coward | more than 6 years ago | (#24710745)

Pressing the fire alarm to open all turnstiles is a "hack"???

These guys are laughable. Don't they know that that

What it's like to tango with the MBTA (5, Funny)

knifeyspooney (623953) | more than 6 years ago | (#24711003)

Having lived in Boston for five years, I don't need to RTFA to know what that was like.

-They arrived at court 45 minutes late without apologizing to the judge
-During oral arguments, the MBTA's attorney paused several times, each time for 5-10 minutes, for no apparent reason
-MBTA officials wore blazers acquired off the rack for $9,000 apiece; no immediate plans to purchase pants
-Despite earning one of the highest wages in the industry, the attorney was surly and lazy

And, after the judge denied the MBTA's request for an injunction against the hacker, GM Dan Grabauskas issued a press release trumping the agency's legal victory.

"21" movie effect? (1)

peter303 (12292) | more than 6 years ago | (#24711061)

The average-Joe thinks MIT students are more devious than they really are?

Speaking of hacking, why is Slashdot scanning me? (0, Offtopic)

COBOL the Barbarian (8707) | more than 6 years ago | (#24711073)

My firewall shows an aggressive port scan coming from 216.34.181.45

http://slbsoftware.com/scanned.png [slbsoftware.com]

What now? (2, Informative)

SeeSp0tRun (1270464) | more than 6 years ago | (#24711221)

The MBTA has the information, but lets look at this for a moment. The fares in Boston went up roughly $.50 last year on the subway alone, with upwards of $2 on the rail system. This was mainly done to pay for the current Charlie Card system, as well as perform some additional maintenance and renovations in various stations. So after basically overhauling their token system, for a hefty price no less, they are going to spend how much extra for new data storage on fares? Not to mention the people that they will have to hire in order to sort through everything, and apprehend violators in the underbellies of Boston, or New York, or anywhere with a subway.

I just don't see this going past "We sure showed those MIT kids what was what..." in the board room.
I use the system at least twice a week, and not even the physical securities have changed since the report was originally filed.

Wrong interview (2, Insightful)

Skapare (16644) | more than 6 years ago | (#24711947)

This is the wrong interview. What we should have is an interview with top management to find out why they made bad decisions to go with an insecure system. Maybe their excuse is they were not aware of a nearby school with highly qualified consultants to help them in a quest to get a very secure system.

Re:Wrong interview (1)

Jdogatl (836125) | more than 6 years ago | (#24715111)

It is not just here, it is in a lot of places. This is not even the first public transit system to be hacked in this manner, this past January a group of Dutch students from the University of Amsterdam hacked the upcoming RFID system in a similar manner. This caused a big fall out since they had already invested $2 Billion (nor sure Dollar or Euro but not the point) and parliament is wondering what they can salvage of the system. Students went before the parliament and gave their opinion and suggestions. Edit: last year was this past January

tubgirL (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#24712005)

OF AMERICA) today, do, or indeed what a pop0lar 'news

Prof Rivest (3, Insightful)

bugs2squash (1132591) | more than 6 years ago | (#24714017)

It had to help the students that Rivest was their professor. At least his reputation in the security world goes before him.

It it were a lesser name in the field would their claim to have been studying the security of the system been taken so seriously ?

If it had been just some guy in charge of Mississippi state university's computer science curriculum they would likely all be in jail by now.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?