With Lawsuit Settled, Hackers Working With MBTA
narramissic writes "The three MIT students who were sued earlier this year by the Massachusetts Bay Transit Authority for planning to show at Defcon how they had reverse engineered the magnetic stripe tickets and smartcards said Monday that they are now working to make the Boston transit system more secure. 'I'm really glad to have it behind me. I think this is really what should have happened from the start,' said Zack Anderson, one of the students sued by the MBTA."
should have happened from the start (Score:3, Informative)
To have lost a suit?
Knowledge must be free or freedom is compromised. If that information is somehow 'embarrassing', too damned bad as it's part of the price of freedom.
Re:nothing new (Score:5, Informative)
Interestingly, they really didn't meet any of the conditions you stated!
A couple of bits from the first link:
The passage in the Defcon show guide describing their talk begins, "Want free subway rides for life?" That line was removed from the description of the talk posted at the Defcon Web site.
Can't see that as not causing trouble (at least from the MBTA's perspective...)
The researchers refused to give the transit authority information about security flaws in its system ahead of the talk, the filings state.
Which is not particularly polite - and in fact definitely takes them out of any reasonable definition of "White Hat"...
And while hacking around on a smartcard they bought shouldn't be illegal (as long as they don't actually use it for free rides), this bit:
They say they were able to access fiber switches connecting fare vending machines to the unlocked network
is the kind of thing that gets people under said house arrest...
To be honest, these guys were pretty lucky for the way this whole thing turned out. They freely admitted in their published talk that they illegally accessed a gov't network and planned on explaining how to get "free subway rides" to a room full of hackers without revealing how to the gov't organization about to get screwed over... at the very least they could have expected a protracted court case that made their life hell for the next couple years...
Re:Summary Fail (Score:3, Informative)
Look at physical security... (Score:1, Informative)
Look at the way physical security is handled. When videos circulated of a Kryptonite tubular pin tumbler lock being picked with a Bic pen, they voluntarily recalled every single tubular pin tumbler lock they ever made and issued brand new disc tumbler locks. I got a new bike lock from that, even though I was lockless for about a week to ship and receive, but it was the gesture that counted.
If Kryptonite [Ingersoll-Rand] were to follow in the footsteps of MBTA or voting systems vendors, they'd refuse to fix the problem, and instead just throw lawsuits into the wind to try to take down the videos.
Is there such a thing as a UL for electronic security?
And this is a good outcome? (Score:3, Informative)
The problem is there was an implementation of a system with some potential exposures that nobody was exploiting. Quite possibly, no exploitation was because of a lack of knowledge rather than any impracticality of the exploit.
Sure, everything could be made more secure. Did you know that there are only about 100 unique car key "encodings"? This means that if you have a Ford the chances are excellent that your key will open the door of some other Ford in an airport parking lot. Or a mall. Why isn't this a huge problem - it sure sounds like it is a huge exposure, doesn't it? Well, partly it isn't exploited because nobody knows about it, or almost nobody.
Security by obscurity works and it is cheap to implement. Actually closing all those holes can be extremely expensive and in the physical world it probably doesn't work any better.
So how do you avoid spending millions of dollars for needless security? Well, first off you can strongly discourage security probing. Next, you can defend your obscurity because it is cheaper than fixing the holes someone discovered.
Which is better in the public interest: having a truly "secure" transit card system or preventing the disclosure of information that will certainly lead to exploits? It almost doesn't matter how much fixing the security might cost as long as it is $1 more than keeping the holes secret and defending against probing.
Do we really want public institutions spending large amounts of money to make things "secure" when exploiting holes in public infrastructure is illegal anyway?
Paying these folks anything, even fifty cents, just encourages more people to follow in their footsteps.
Re:they did not have permission at all (Score:3, Informative)
They went into closets they knew they didn't belong in (that's entering/trespass, look it up; it doesn't matter if the door is locked. If it is locked, then it's BREAKING and entering)
In Mass the simple act of pushing open a door to gain access to any unauthorized area is breaking and entering.
Re:What's this? (Score:3, Informative)
Then again, this is the same group of people who successfully sued the glue manufacturer who created the glue that failed to hold up 2-ton slabs of concrete. Never mind that the glue was never designed for such an application or that no one in their right mind GLUES 2-ton slabs of concrete to the ceiling of tunnels.
Well that's just a blatant misstatement, and while I'm not saying the MBTA is a well run organization, they don't need additional problems attributed to them.
First of all, the slabs of concrete that fell were part of the Big Dig, which is run by Massachusetts Turnpike Authority, not the MBTA. Both are poorly run transportation organizations in Massachusetts, but they are not the same.
Secondly, the suits in the ceiling collapse were brought by the Massachusetts Attorney General's office not the MBTA. They were brought against many of the companies involved, including the adhesive company and Bechtel/Parsons Brinckerhoff, the primary consulting firm. The Turnpike Authority was not really to blame, it was either BPB for using an adhesive meant for wall panels for ceilings, or the adhesive company for not realizing their product was being improperly used. Both were sued by the Massachusetts Attorney General's office and paid millions to the state.
Re:nothing new (Score:5, Informative)
Interestingly, they really didn't meet any of the conditions you stated!
A couple of bits from the first link:
The passage in the Defcon show guide describing their talk begins, "Want free subway rides for life?" That line was removed from the description of the talk posted at the Defcon Web site.
Can't see that as not causing trouble (at least from the MBTA's perspective...)
The researchers refused to give the transit authority information about security flaws in its system ahead of the talk, the filings state.
Which is not particularly polite - and in fact definitely takes them out of any reasonable definition of "White Hat"...
And while hacking around on a smartcard they bought shouldn't be illegal (as long as they don't actually use it for free rides), this bit:
[snip]
From another FA [itworld.com]
The students said they tried to contact the MBTA around July 20 through their professor Ron Rivest, who teaches in MIT's Department of Electrical Engineering and Computer Science, but did not actually connect with the agency until around July 30.
It's been a crazy week for Anderson, who looked haggard -- he said it took him 18 hours to travel by air to Defcon and he had not slept since Thursday.
And another [itworld.com]:
Mahoney [the MBTA attorney] praised a security analysis the students had prepared for the agency, saying the information in it convinced them of the vulnerability.
Looks like you're wrong, or one of TFAs is wrong anyway.
Re:And this is a good outcome? (Score:5, Informative)
Did you know that there are only about 100 unique car key "encodings"? This means that if you have a Ford the chances are excellent that your key will open the door of some other Ford in an airport parking lot.
Untrue. Ford (the example you offer) has since 1984 used a key with 10 cut positions with 5 possible depths, which is 9,765,625 (5^10) possible combinations. The door only uses the first four cuts, so in theory the odds are 1 in 625 that any given key will open a random car's door. With worn locks and/or intentionally half-cut tryout keys, that drops to 1 in 256 at best. The ignition uses the last 6 cuts, so it's only a useful trick for getting at the contents of the car. The reason it's not a problem is that opening a random car door is largely useless, and opening a specific car door can be accomplished much quicker through methods other than standing there going through a giant ring of tryout keys.
It almost doesn't matter how much fixing the security might cost as long as it is $1 more than keeping the holes secret and defending against probing.
Except that fixing the problem is a predictable, one-time expense, and "keeping it quiet" is a never-ending process. The latter will continue forever until the former action is taken, so now which path is cheaper?