With Lawsuit Settled, Hackers Working With MBTA 90
narramissic writes "The three MIT students who were sued earlier this year by the Massachusetts Bay Transit Authority for planning to show at Defcon how they had had reverse engineered the magnetic stripe tickets and smartcards said Monday that they are now working to make the Boston transit system more secure. 'I'm really glad to have it behind me. I think this is really what should have happened from the start,' said Zack Anderson, one of the students sued by the MBTA."
Summary Fail (Score:4, Interesting)
FTFA:
1. Prevent them from giving their talk
2. Judge threw out the gag order
3. Amicable???
The settlement ends the matter in an amicable way.
The article fails to really specify end results, but it sounds like some kind of job deal was worked out where the kids will help improve security.
Re:What's this? (Score:5, Interesting)
Except the MBTA system isn't fixable. It's just full of fail.
For starters, the card's balance is stored ON THE CARD and nowhere else.
Secondly, the fare-taking devices are not hooked up to any sort of network. They just kind of assume that only the special blessed writing device can change the balance on the card.
This isn't quite as stupid as it sounds since the devices use PKI so that theoretically the write request must be signed by a blessed source.
Except, rather than use a tested encryption source like AES (which is available), they went with some proprietary 40-bit encryption scheme for the smart card. The ticket was even worse, there they used a 6-bit checksum. Yes: 6 bits.
So the only way to fix it is to build a network to monitor potential fraud, rip out all the fare-taking devices, and replace every single ticket and smart card.
Now you can see why the MBTA sued: their massive incompetence means that fixing the problem they created will easily run into the billions of dollars.
Then again, this is the same group of people who successfully sued the glue manufacturer who created the glue that failed to hold up 2-ton slabs of concrete. Never mind that the glue was never designed for such an application or that no one in their right mind GLUES 2-ton slabs of concrete to the ceiling of tunnels.
So get rid of the officials (Score:0, Interesting)
That is why we now have the idea of open source governance and the metagovernment project [metagovernment.org]. Why make officials be answerable to the people? Why not just get rid of the officials and have the people govern?
Mob rule? Think again. Web 2.0 is not about mobs, it is about the "wisdom of crowds."
Re:Hack first, ask later? (Score:5, Interesting)
As far as I'm concerned, the MBTA should have done a bit more R&D and implemented a system that wasn't so easily compromised.
Also, I believe that historically most system flaws are not fixed UNTIL they are hacked and exploited.
Re:What's this? (Score:3, Interesting)
So the only way to fix it is to build a network to monitor potential fraud, rip out all the fare-taking devices, and replace every single ticket and smart card.
Which is what they should have done from the start, and is what they did in e.g. London, where a hack exists for the cards, but isn't worth the effort because a tampered card can be blocked within 24 hours.
Then again, this is the same group of people who successfully sued the glue manufacturer who created the glue that failed to hold up 2-ton slabs of concrete. Never mind that the glue was never designed for such an application or that no one in their right mind GLUES 2-ton slabs of concrete to the ceiling of tunnels.
I'm no civil engineer, but I doubt we're talking PVA here.
Those kids should keep their eyes and ears open .. (Score:5, Interesting)
Many organizations, both governmental and corporate, have a tendency to react to employees (or consultants) finding security problems by harrassing, firing, and/or suing them. We already know that the MBTA has management that takes this approach. So the kids should be carefully documenting everything they do, with an eye towards defending themselves from or countersuing the MBTA for the MBTA's actions against them if they do their job well.
Something I've been noticing in particular is that when I read management characterizations of security "hacking", it almost always sounds like a description of what I do routinely as part of all software debugging. In the eyes of management, the media, and the courts, all software developers are "hackers", and they mean this term as a criminal indictment. We are all suspect, especially when we give them bad news about what their systems are already doing.
Re:they did not have permission at all (Score:2, Interesting)
Except the MIT students weren't charged with shit. No fraud, no violation of the CFAA--nothing. MBTA's entire case was a preliminary injunction against the students for presenting their findings at Defcon. That gag order was lifted in mid August and the case was dismissed in October. The only "news" now is that the students completed helping the MBTA secure their systems against the vulnerabilities that were presented in the Defcon presentation. IOW, THEY GOT AWAY WITH IT! HAR!. And, of course, MBTA got help in securing their system after they pulled their head out of their asses and decided that these guys could actually help them. So, win-win for everyone.
Re:And this is a good outcome? (Score:3, Interesting)
Did you know that there are only about 100 unique car key "encodings"? This means that if you have a Ford the chances are excellent that your key will open the door of some other Ford in an airport parking lot. Or a mall. Why isn't this a huge problem - it sure sounds like it is a huge exposure, doesn't it. Well, partly it isn't exploited because nobody knows about it, or almost nobody.
I had a VW Passat in the mid 90's and after leaving work one afternoon I walked to my car (I worked in a photo store in a strip mall), unlocked the door, got in and the car wouldn't start. I remember looking up and thinking it was odd how dark my sunroof was until I realized there was NO sunroof. I got out of the car and it was a slightly different color than my car but I was able to lock and unlock the doors with my keys!
Last year's card (Score:2, Interesting)
Considering all you need to do to "hack" MBTA's system is to use last year's card for that month, I hope the awesome brainpower of MIT can improve the situation somewhat.
Re:Hack first, ask later? (Score:5, Interesting)
I really can't stand when people compare every incident of 'hacking' to breaking into somebody's house. The MIT students didn't break into anything
I can't stand it when antisocial self-described geniuses think that they have the right to touch/use/mess with other people's stuff simply because they're doing so via electronic signals. If it doesn't belong to you, don't mess with it. That's lesson some of us learned when we were in kindergarten.
They went way beyond what would be considered "white hat" activities. They made up IDs and lied their way into MBTA headquarters, went into a conference room, and plugged in their laptops and played around with the network. Let me repeat that for you: they essentially broke into private property and used a private network by physical location.
They also went into network closets all over the system where they knew they didn't belong, which is trespassing. It doesn't matter if the door is locked or not.