Slashdot Mirror
How to Take Over a Train Station
ThinkComp writes "Everyone knows that home wireless networks are insecure, but who would expect a major transportation hub to be vulnerable to the same problems? Well, waiting for my friend's train at South Station in Boston, MA, I happened to notice that it was possible to take control of the entire station's wireless network, including its home page and authorization method (free wireless, anyone?)--and those of thirty other businesses throughout Massachusetts, thanks to a few coding errors on the part of the wireless company with which South Station contracted."
Nah, this shouldn't be news anyway. When you can get control of the arrival/departure boards and track switch control from your laptop on the wireless, then it will be news. Until then, the title is misleading!
This person merely tried common tricks to expose the network settings. Here's a summary:
1.) Try the default login/password combination and make some educated guesses.
2.) Look at the source code of web pages.
3.) Don't be an idiot admin and leave your system wider than your momma.
At first this wasn't entirely the case. Consider, for example, copying all the files from /usr/bin to your home directory 1000 times. Back in the old days that would be enough to fill up the harddrive which would quickly stop other people from using the system. You could affect other people, the kernel didn't stop you, so it must be allowed right! Well no. You're wasting resources and being an asshole. But rather than put a sign on the wall that said "please don't waste disk space" someone decided this was a "security" issue and implemented disk quotas into the kernel. Now you can't affect other users by using up all the disk space.
Consider the "fork bomb" issue. For those who don't know, this is just like using up all the harddrive space, except instead of disk you're wasting memory. A fork bomb will quickly bring an older unix machine to its knees, and back in the days when I had the joy of sharing a unix lab with other students, a fork bomb would go off at least twice a day. Why? Cause if the kernel permitted it, it must be ok right? Now there's protections in most kernels just to detect a fork bomb and stop it.
Such a strange way of thinking. Thankfully most unix users do not try to apply this attitude to the real world. If there were to see the police or the government as some kind of kernel they might be surprised to find that they could kick over granny in the street or go ballistic with an automatic weapon. The police didn't stop me, it must be ok, right?
Just to bring this long post back on topic: just because you can take over the wireless internet of a train station, doesn't mean you should do it. It doesn't mean that it is permitted. There doesn't need to be a failsafe kernel monitoring and stopping every undesirable action that you can possibly perform. We can live with people being able to break the rules. It's called freedom.
How we know is more important than what we know.
I don't know, I think it's news. I create very similar sites, so hearing about things like this is extremely helpful to my practices. And it could serve as a wake-up call to others who might be slacking.
And, if their web site is that insecure, what makes you think their other systems (electronic and other) aren't similarly flawed?
Regardless, what I would really like to hear is the behind the scenes stories from all companies involved.
expletives welcomed
Ignoring the grandstanding title and the fact that the author astroturfed his own "article" and site, here's a quote:
A more farfetched, but very real possibility, is that computers or workers at airports and train stations also use these same networks to make everything tick. If that is the case, it might be possible for an intelligent high school student to start changing train timetables or rerouting baggage.
And his evidence for this is, what? His own personal opinion? He's been watching Hackers too much if he thinks the schedule board at South Station is networked; it's a -flip- chart (seriously, stick around for 5-10 minutes, and watch it update itself). I'd be amazed if it had anything better than a dedicated thinnet connection to an ancient PC. It's not like some kid with mad h@x0r skills is going to go bippity-boop and put up "TRAIN TO FUCKVILLE 4:20". No. That happens in Hollywood, where people "launch the genetic algorithmic viral defenses!". It does not happen in the real world.
There are a lot of cheap shots and snide remarks aimed at "The Guvmint", "The Man", etc. This guy sounds like he's about 19, not to mention he's just admitted to logging into places he knew he didn't belong AND changing settings (he changed the back, but still...) Sounds like a great federal inditement to me.
Some googling shows he's in his very early 20's(graduated from Harvard in 2004 in "3 years", which means he's maybe 21 now), runs some consulting company. Sounds like he's just out to promote his business like every other story submitter these days...
Please help metamoderate.
And it could serve as a wake-up call to others who might be slacking.
I wish I could believe that.
What will probably happen is they get hacked and any problems that arise will be considered a terrorist act. The company will get all sorts of sympathy from the unknowing public while the perp goes to federal "pound him in the ass" prison and owes $4 Billion in damages. The CEOs of the company will denounce the act, get fat bonuses, jump ship, and might even throw a quarter at the problem on their way out the door.
But I feel that last part is overly optimistic.
"Giving money and power to governments is like giving whiskey and car keys to teenage boys." - P.J. O'Rourke