With Lawsuit Settled, Hackers Working With MBTA
narramissic writes "The three MIT students who were sued earlier this year by the Massachusetts Bay Transit Authority for planning to show at Defcon how they had reverse engineered the magnetic stripe tickets and smartcards said Monday that they are now working to make the Boston transit system more secure. 'I'm really glad to have it behind me. I think this is really what should have happened from the start,' said Zack Anderson, one of the students sued by the MBTA."
nothing new (Score:1)
Re: (Score:2)
Well, the story of the "kid hacks into a network, and instead of doing jailtime, ends up as security chief of said network's owner" always sounded like a fairy tale to me...
Although it's possible they are more common than I thought... I don't work in IT, after all
Re: (Score:3, Insightful)
More likely, if you're caught hacking then you'll be confined to monitored house arrest and unpaid servitude as an FBI snitch-bitch. And that's after making the deal which will keep you out of prison.
Re:nothing new (Score:5, Informative)
Interestingly, they really didn't meet any of the conditions you stated!
A couple of bits from the first link:
The passage in the Defcon show guide describing their talk begins, "Want free subway rides for life?" That line was removed from the description of the talk posted at the Defcon Web site.
Can't see that as not causing trouble (at least from the MBTA's perspective...)
The researchers refused to give the transit authority information about security flaws in its system ahead of the talk, the filings state.
Which is not particularly polite - and in fact definitely takes them out of any reasonable definition of "White Hat"...
And while hacking around on a smartcard they bought shouldn't be illegal (as long as they don't actually use it for free rides), this bit:
They say they were able to access fiber switches connecting fare vending machines to the unlocked network
is the kind of thing that gets people under said house arrest...
To be honest, these guys were pretty lucky for the way this whole thing turned out. They freely admitted in their published talk that they illegally accessed a gov't network and planned on explaining how to get "free subway rides" to a room full of hackers without revealing how to the gov't organization about to get screwed over... at the very least they could have expected a protracted court case that made their life hell for the next couple years...
Re:nothing new (Score:5, Informative)
Interestingly, they really didn't meet any of the conditions you stated!
A couple of bits from the first link:
The passage in the Defcon show guide describing their talk begins, "Want free subway rides for life?" That line was removed from the description of the talk posted at the Defcon Web site.
Can't see that as not causing trouble (at least from the MBTA's perspective...)
The researchers refused to give the transit authority information about security flaws in its system ahead of the talk, the filings state.
Which is not particularly polite - and in fact definitely takes them out of any reasonable definition of "White Hat"...
And while hacking around on a smartcard they bought shouldn't be illegal (as long as they don't actually use it for free rides), this bit:
[snip]
From another FA [itworld.com]
The students said they tried to contact the MBTA around July 20 through their professor Ron Rivest, who teaches in MIT's Department of Electrical Engineering and Computer Science, but did not actually connect with the agency until around July 30.
It's been a crazy week for Anderson, who looked haggard -- he said it took him 18 hours to travel by air to Defcon and he had not slept since Thursday.
And another [itworld.com]:
Mahoney [the MBTA attorney] praised a security analysis the students had prepared for the agency, saying the information in it convinced them of the vulnerability.
Looks like you're wrong, or one of TFAs is wrong anyway.
Summary Fail (Score:4, Interesting)
FTFA:
1. Prevent them from giving their talk
2. Judge threw out the gag order
3. Amicable???
The settlement ends the matter in an amicable way.
The article fails to really specify end results, but it sounds like some kind of job deal was worked out where the kids will help improve security.
What's this? (Score:5, Insightful)
On one hand I'm surprised that the MBTA has decided to work with these guys to make their system more secure, on the other hand I wish this would happen more often instead of the mindless suing that government organizations and other companies seem so fond of.
Re:What's this? (Score:5, Insightful)
Government officials have long since forgotten that they are, according to the Constitution, answerable to us, not vice versa. Having said that I am glad things went the way of the students, and it should ALWAYS be the case. I would not consider those students who pointed out a security issue to be evildoers who need punishment. They are citizens or legal residents who are afforded the right to free speech, which includes alerting folks of poor designs implemented by government agencies.
Re: (Score:3, Insightful)
So California's Prop 8 was wisdom?
Re: (Score:2)
if Begich didn't beat Stevens, I wouldn't even say this.
You've got an unelected, uneducated, unaccountable mob of people trying to make decisions better than a vaguely educated, vaguely accountable and elected group of people.
Thanks, but no thanks. Especially when some people can't figure out we went to the moon or that homeopathy is just water, a web2.0 community collaboration isn't what I'd consider efficient Government. Not yet at least. It's a neat idea, but nothing I'd put stock in for awhile.
Re: (Score:2)
"Government officials have long since forgotten that they are, according to the Constitution, answerable to us, not vice versa."
And people have long since forgotten that reality works differently because it involves actual people and not abstract designs and robots.
Re: (Score:3, Insightful)
> Common sense finally prevailing?
I don't think so, this sounds more like
"If you can't beat 'em buy 'em"
Re:What's this? (Score:5, Interesting)
Except the MBTA system isn't fixable. It's just full of fail.
For starters, the card's balance is stored ON THE CARD and nowhere else.
Secondly, the fare-taking devices are not hooked up to any sort of network. They just kind of assume that only the special blessed writing device can change the balance on the card.
This isn't quite as stupid as it sounds since the devices use PKI so that theoretically the write request must be signed by a blessed source.
Except, rather than use a tested encryption source like AES (which is available), they went with some proprietary 40-bit encryption scheme for the smart card. The ticket was even worse, there they used a 6-bit checksum. Yes: 6 bits.
So the only way to fix it is to build a network to monitor potential fraud, rip out all the fare-taking devices, and replace every single ticket and smart card.
Now you can see why the MBTA sued: their massive incompetence means that fixing the problem they created will easily run into the billions of dollars.
Then again, this is the same group of people who successfully sued the glue manufacturer who created the glue that failed to hold up 2-ton slabs of concrete. Never mind that the glue was never designed for such an application or that no one in their right mind GLUES 2-ton slabs of concrete to the ceiling of tunnels.
Re: (Score:3, Interesting)
So the only way to fix it is to build a network to monitor potential fraud, rip out all the fare-taking devices, and replace every single ticket and smart card.
Which is what they should have done from the start, and is what they did in e.g. London, where a hack exists for the cards, but isn't worth the effort because a tampered card can be blocked within 24 hours.
Then again, this is the same group of people who successfully sued the glue manufacturer who created the glue that failed to hold up 2-ton slabs of concrete. Never mind that the glue was never designed for such an application or that no one in their right mind GLUES 2-ton slabs of concrete to the ceiling of tunnels.
I'm no civil engineer, but I doubt we're talking PVA here.
Re: (Score:2)
Why would you suggest replacing a system that works? If nobody knows how the system works, were there that many people already exploiting it before this information was made public?
The problem is this is a public works sort of project. If you aren't a local taxpayer, you probably have no right to even suggest they spend millions (hundreds of millions?) to replace it with something that is more secure.
Look, defeating the system is illegal. Anyone distributing information to assist in an illegal act should
Re: (Score:2, Flamebait)
Wow, what a gleaming white fantasy world you must live in. I had to check if you were a new account - thought you were trolling.
I bet you don't mind people reading your mail or medical records, or having your brick-and-mortar credit card transactions zipped over un-encrypted wireless networks...
Re: (Score:2)
Riding the MBTA today, I saw three people simply walk through the badly-blaring doorstyles. This is pretty average of a day. I'd guess hackers make up less than 5% of the total farejumping.
Re: (Score:2)
I don't live in Boston, but I do live in London, which spent whatever was required to have networked card readers. London does have twice the population of Boston though (with eight times as many buses and 1½ times as many stations).
If the level of this fraud remains low then it's probably not worth fixing the flaw. No doubt the authorities will be looking out for organised criminals forging tickets.
Defeating DVD CSS etc is illegal, but the majority of the /. crowd supports the right to publish algor
Re: (Score:2)
fail
Re: (Score:3, Informative)
Then again, this is the same group of people who successfully sued the glue manufacturer who created the glue that failed to hold up 2-ton slabs of concrete. Never mind that the glue was never designed for such an application or that no one in their right mind GLUES 2-ton slabs of concrete to the ceiling of tunnels.
Well that's just a blatant misstatement, and while I'm not saying the MBTA is a well run organization, they don't need additional problems attributed to them.
First of all, the slabs of concrete that fell were part of the Big Dig, which is run by Massachusetts Turnpike Authority, not the MBTA. Both are poorly run transportation organizations in Massachusetts, but they are not the same.
Secondly, the suits in the ceiling collapse were brought by the Massachusetts Attorney General's office not the MBTA. They
should have happened from the start (Score:3, Informative)
To have lost a suit?
Knowledge must be free or freedom is compromised. If that information is somehow 'embarrassing', too damned bad as it's part of the price of freedom.
Re: (Score:2, Funny)
Knowledge must be free or freedom is compromised.
I wouldn't want to compromise your freedom... so what is your credit card number?
Re: (Score:3, Insightful)
Thank you! You have just captured the central hypocritical ideology of Slashdot:
"Information yearns to be free! Unless, of course, it's my information, which must be protected at all costs!"
Screw credit cards (Score:2)
What is the login for his paypal account? Last I checked the market for paypal accounts is way higher than a mere credit card number.
Information wants to be free comrade nurb432, so you post your paypal login, I'll post mine*. While you are at it, maybe you can fax me your birth certificate too. I don't plan to use it, but I demand you release it anyway, for freedom's sake.
* Offer expires 30 seconds after this comment is posted. Not valid in the Milky Way Galaxy. Machines used to assemble Paypal may have
It's hush money (Score:5, Insightful)
The judge threw out the gag order, which I assume means the kids can legally make the knowledge public (even if they'll be sued later). By "hiring" the kids to make recommendations on their security, everyone saves a bunch of legal costs, the MBTA keeps the kids from going public with the exploits, and the kids still get to make a name for themselves, and maybe make a few dollars. Everybody wins. That doesn't mean the MBTA actually cares about anything the kids have to say in their recommendations.
Re: (Score:2)
The talk is already out there. No real reason to try and keep them quiet about it. This seems to be an honest attempt to improve the existing system.
Unfortunately, the administrators will want to reduce costs while the hackers will want the *best* system. The compromise between the two will be no better than what we have now.
Re: (Score:2)
Unfortunate for whom, you might want to consider. Illicit cards / recharges will be a silent subsidy for Mass's burgeoning organized crime industry, as well as the poorer denizens of the metropolitan area.
They just have to make sure that it doesn't get too much publicity. As long as they can keep it to a story or two per year, and put forth the appearance that they're "doing something about it," it'll be business as usual in the Bay State.
Re: (Score:3, Insightful)
Their goals are unknown, so it's not anyone's place to assume. However, the traditional hacker motive has been to discover how a (often closed) system works, figure out if there are any defects, and share the information gained with other hackers and the public. Hackers of all walks (including and perhaps especially open source developers) have a natural distaste for technology whose detai
Re: (Score:2)
You watch too many movies. Finding an exploit in something is exciting, and equall
Re: (Score:2)
I can't speak for every hacker, but I've known enough of them to say with a degree of certainty that most of them do what they do because it's fun. Getting public recognition for doing something clever is a nice benefit, but its rarely the primary motivation.
In Soviet Russia (Score:1, Troll)
Re: (Score:1)
Oh wait...
Hack first, ask later? (Score:3, Insightful)
I haven't been able to find it in my brief perusal of the link... does anyone know offhand if the MIT students asked permission first, or if they just did it, planned the talk, and then got in trouble?
If the former, MBTA is messed up. If the latter, I would have to honestly say that the MIT students should have thought about what they were doing and asked before they decided to hack something and tell others how to do it.
If someone asked me if they could do a security audit on my house and I said sure, that'd be cool. If they broke in, were going to give a talk about it to some other dudes and THEN I found out about it, I'd be a bit upset, too. Would I want to fix my security, sure, but I'd be kinda mad they did it without asking. Just because you CAN break in doesn't mean you have a right to do it, it's still MY property, not yours...
Re:Hack first, ask later? (Score:5, Interesting)
As far as I'm concerned, the MBTA should have done a bit more R&D and implemented a system that wasn't so easily compromised.
Also, I believe that historically most system flaws are not fixed UNTIL they are hacked and exploited.
Re: (Score:2)
Hacking as those students did is rather like publishing sensitive information like SSN, credit card numbers etc.
Why is it better than breaking into a house?
Re: (Score:2)
"Able to access" != accessed
Re:Hack first, ask later? (Score:5, Interesting)
I really can't stand when people compare every incident of 'hacking' to breaking into somebody's house. The MIT students didn't break into anything
I can't stand it when antisocial self-described geniuses think that they have the right to touch/use/mess with other people's stuff simply because they're doing so via electronic signals. If it doesn't belong to you, don't mess with it. That's a lesson some of us learned when we were in kindergarten.
They went way beyond what would be considered "white hat" activities. They made up IDs and lied their way into MBTA headquarters, went into a conference room, and plugged in their laptops and played around with the network. Let me repeat that for you: they essentially broke into private property and used a private network by physical location.
They also went into network closets all over the system where they knew they didn't belong, which is trespassing. It doesn't matter if the door is locked or not.
Re: (Score:2)
Great, then you realize that the MBTA system belonged to the MIT students, as they were taxpayers and concerned citizens. You surely support their dedicated examining of it for flaws, above and beyond what was expected, and even went far enough to expose management malfeasance in specing, building, and defending a broken system.
Had these patriots not exposed the problems they found, the good people of their city might have been secretly exploited for years and the incompetent officials who let it happen wou
we welcome the 15 year olds to the discussion... (Score:2)
Great, then you realize that the MBTA system belonged to the MIT students, as they were taxpayers and concerned citizens.
What are you, fifteen? You don't get the right to jump in a city fire truck because you're a taxpayer. You don't get to walk around the Oval Office because you're a taxpayer. City property is owned by the CITY. The MBTA is a quasi-state agency, overseen by the Executive Office of Transportation (it extends WAY beyond Boston- it's one of the largest transit systems in the country.)
Re: (Score:2)
With a few exceptions, taxpayers DO get to inspect city/state/federal equipment. And surely if I saw a fire, right next to a firetruck whose firemen were all incapacitated by eating bad seafood, I'd jump in and help as best I could.
Guess what? It's not your fucking job
It's not my fucking job, which is why we hire firemen, but when they can't do it, it's MY world which means it's my responsibility to see that it gets done.
You do not have the right to break the law to prove a system is insecure.
Surely you misunderstand. I do have that right. It has a cost to exercise, namely proving to a judge (and the rest of societ
Re: (Score:1)
Your analogy is broken, because it states that they actually broke into your house. What the kids did would be more analogous to giving a talk on how to pick a lock, and perhaps telling us where we can get a lock pick set.
As long as we're talking imperfect analogies, what if this were Windows Vista? Let's say you discover a vulnerability. You could give a talk about how one c
they did not have permission at all (Score:4, Insightful)
I know this goes against the Slashdot perception of how these "kids" were sweet, innocent little virgins who did no wrong, but:
Then, they used the modified MiFare cards in gates- they had photos showing them using the cards in gates. That's THEFT and FRAUD, people. You can't walk into a bank, cash a fake check for $500, and then publish a paper and say "the banking system is insecure!", and be shocked and amazed when you're charged with forgery and uttering.
Re: (Score:2, Interesting)
Except the MIT students weren't charged with shit. No fraud, no violation of the CFAA--nothing. MBTA's entire case was a preliminary injunction against the students for presenting their findings at Defcon. That gag order was lifted in mid August and the case was dismissed in October. The only "news" now is that the students completed helping the MBTA secure their systems against the vulnerabilities that were presented in the Defcon presentation. IOW, THEY GOT AWAY WITH IT! HAR!. And, of course, MBTA got hel
Re: (Score:3, Informative)
They went into closets they knew they didn't belong in (that's entering/trespass, look it up; it doesn't matter if the door is locked. If it is locked, then it's BREAKING and entering)
In Mass the simple act of pushing open a door to gain access to any unauthorized area is breaking and entering.
Re: (Score:2)
Don't they all mind being wrong about something tautological? It's called breaking because the idea is that things get broken... Otherwise the crime would be called 'Entering'. Don't you (presumably a citizen) mind living in an area where the law is essentially random?
Re: (Score:2)
The relevance to this hacking
breaking and entering are in fact two diff crimes (Score:2)
Otherwise the crime would be called 'Entering'. Don't you (presumably a citizen) mind living in an area where the law is essentially random?
Read your local police blotter. On a fairly regular basis here in Boston and surrounding cities/towns, people occasionally find some dude sleeping on their couch.
If there was no sign that the door was locked or of any damage in them getting in, guess what they're charged with? Entering. If there are signs up saying "private property", then they can also be charg
Re: (Score:1)
They were repeatedly denied.
It wasn't until they were going to present the hack at a conference that the gag order was brought up and issued.
Either way, the MBTA basically told them to get lost on their suggestions and then threatened them to hell and back when they were going to go public with the knowledge.
I read the paper, whoever de
Re: (Score:2)
Bad analogy.
Your house holds little resemblance to a mass-transit ticketing system. It is
Lessons Learned (Score:2)
and/or:
Sell your hack to the highest bidder.
Give your hack to a few friends.
Saturate your hack so everyone has access to it.
SLAPP (Score:4, Insightful)
The Transit Authority's SLAPP lawsuit has served its purpose: it prevented the students from speaking at Defcon. In the end there was no judgment sought, for no judgment was necessary in order that the Transit Authority's wishes be granted in full. The speakers were silenced without trial, and now we're told this should be interpreted as a kind of "happy ending".
It's not a happy ending. It's sad. Very sad.
Those kids should keep their eyes and ears open .. (Score:5, Interesting)
Many organizations, both governmental and corporate, have a tendency to react to employees (or consultants) finding security problems by harassing, firing, and/or suing them. We already know that the MBTA has management that takes this approach. So the kids should be carefully documenting everything they do, with an eye towards defending themselves from or countersuing the MBTA for the MBTA's actions against them if they do their job well.
Something I've been noticing in particular is that when I read management characterizations of security "hacking", it almost always sounds like a description of what I do routinely as part of all software debugging. In the eyes of management, the media, and the courts, all software developers are "hackers", and they mean this term as a criminal indictment. We are all suspect, especially when we give them bad news about what their systems are already doing.
Re: (Score:2)
Case in point [oreilly.com].
Re: (Score:2)
Yeah, that story has sounded suspicious from the start. I've wondered whether we'll ever read the real story, which is probably about who decided they didn't like him and decided to get rid of him. There's also the question of whether anyone with any sense will take the job now. How long before the next guy is treated the same way? I know I'd want to hear a good explanation of just what I'd be walking into, and see some evidence that I'd be allowed to do a good job.
Reminds me... (Score:1)
This reminds me of the days when fone phreaks would get hired by the telephone companies after running amok on their systems
Look at physical security... (Score:1, Informative)
Look at the way physical security is handled. When videos circulated of a Kryptonite tubular pin tumbler lock being picked with a Bic pen, they voluntarily recalled every single tubular pin tumbler lock they ever made and issued brand new disc tumbler locks. I got a new bike lock from that, even though I was lockless for about a week to ship and receive, but it was the gesture that counted.
If Kryptonite [Ingersoll-Rand] were to follow in the footsteps of MBTA or voting systems vendors, they'd refuse to fix
And this is a good outcome? (Score:3, Informative)
The problem is there was an implementation of a system with some potential exposures that nobody was exploiting. Quite possibly, no exploitation was because of a lack of knowledge rather than any impracticality of the exploit.
Sure, everything could be made more secure. Did you know that there are only about 100 unique car key "encodings"? This means that if you have a Ford the chances are excellent that your key will open the door of some other Ford in an airport parking lot. Or a mall. Why isn't this a huge problem - it sure sounds like it is a huge exposure, doesn't it. Well, partly it isn't exploited because nobody knows about it, or almost nobody.
Security by obscurity works and it is cheap to implement. Actually closing all those holes can be extremely expensive and in the physical world it probably doesn't work any better.
So how do you avoid spending millions of dollars for needless security? Well, first off you can strongly discourage security probing. Next, you can defend your obscurity because it is cheaper than fixing the holes someone discovered.
Which is better in the public interest: having a truly "secure" transit card system or preventing the disclosure of information that will certainly lead to exploits? It almost doesn't matter how much fixing the security might cost as long as it is $1 more than keeping the holes secret and defending against probing.
Do we really want public institutions spending large amounts of money to make things "secure" when exploiting holes in public infrastructure is illegal anyway?
Paying these folks anything, even fifty cents, just encourages more people to follow in their footsteps.
Re: (Score:3, Interesting)
Did you know that there are only about 100 unique car key "encodings"? This means that if you have a Ford the chances are excellent that your key will open the door of some other Ford in an airport parking lot. Or a mall. Why isn't this a huge problem - it sure sounds like it is a huge exposure, doesn't it. Well, partly it isn't exploited because nobody knows about it, or almost nobody.
I had a VW Passat in the mid 90's and after leaving work one afternoon I walked to my car (I worked in a photo store in a strip mall), unlocked the door, got in and the car wouldn't start. I remember looking up and thinking it was odd how dark my sunroof was until I realized there was NO sunroof. I got out of the car and it was a slightly different color than my car but I was able to lock and unlock the doors with my keys!
Re:And this is a good outcome? (Score:5, Informative)
Did you know that there are only about 100 unique car key "encodings"? This means that if you have a Ford the chances are excellent that your key will open the door of some other Ford in an airport parking lot.
Untrue. Ford (the example you offer) has since 1984 used a key with 10 cut positions with 5 possible depths, which is 9,765,625 (5^10) possible combinations. The door only uses the first four cuts, so in theory the odds are 1 in 625 that any given key will open a random car's door. With worn locks and/or intentionally half-cut tryout keys, that drops to 1 in 256 at best. The ignition uses the last 6 cuts, so it's only a useful trick for getting at the contents of the car. The reason it's not a problem is that opening a random car door is largely useless, and opening a specific car door can be accomplished much quicker through methods other than standing there going through a giant ring of tryout keys.
It almost doesn't matter how much fixing the security might cost as long as it is $1 more than keeping the holes secret and defending against probing.
Except that fixing the problem is a predictable, one time expense, and "keeping it quiet" is a never-ending process. The latter will continue forever until the former action is taken, so now which path is cheaper?
Re: (Score:2)
It's because of how we pay and blame executives.
Imagine a timeline, CEO A's team introduces a fatal flaw, he leaves. CEO B is there when the accusations about the flaw surface. It's B's pay and reputation on the line.
If B fails to deal with the crisis he'll be fired and make a fraction of A.
If B deals well with the crisis he'll retire normally, making as much as A.
If B covers it up or SLAPPs it into submission for C to deal with, he'll still make as much money as if it didn't happen.
CEO pay needs to be base
Re: (Score:2)
Honda, however, used a ridiculously small number of key cuts through the late 90's.
I had a '94 Acura Integra, which had those wonderful Honda locks. When it was totaled, I bought another Integra (a '96). My old keys were a perfect match for the new car, and also for my roommate's Accord, and with a little jiggling would work on the Prelude that replaced it. That Prelude is broken into nearly every night - not even a case of motor oil is safe in the trunk.
Re: (Score:1)
It works because no one bothers to try it. I had a 1984 Mitsubishi Colt and the locks on the doors didn't work at all. I couldn't lock either the driver or passenger side doors (but fortunately the ignition lock did work). So with both doors unlocked for the whole 8 years I owned the car I got it broken in to twice. On both occasions it was a brick through the passenger side window. Simply trying the door would have opened it..
Last year's card (Score:2, Interesting)
Considering all you need to do to "hack" MBTA's system is to use last year's card for that month, I hope the awesome brainpower of MIT can improve the situation somewhat.
For a limited definition of "secure" (Score:2)
To be clear, "security" in this sense means "not letting people defeat the electronic turnstile and ride for free," not "protecting the transit system from crime and/or terrorist attack." That is, we're only talking about security of the MBTA's revenue stream here -- which would have been better served by just leaving in the old token-operated mechanical turnstiles.