Interview With MIT Subway Hacker Zack Anderson
longacre writes "In his most extensive interview since the DefCon controversy emerged, MIT subway hacker Zack Anderson talks with Popular Mechanics about what's wrong with the Charlie Card, what happened at DefCon, and what it's like to tango with the FBI and the MBTA. The interview comes on the heels of Tuesday's court ruling denying motions by the MBTA to issue a preliminary injunction aimed at keeping the students quiet for a further five months."
I'm really glad that the court decided to overturn the injunction. We need to get information like this out in the open, so we can solve these problems quickly and in an open-source manner. Simply denying that a problem such as this exists does not solve the problem... it delays a fix, and makes it even MORE likely that such exploitation will happen in the first place.
US Constitution, Amendment I:
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.
Did I miss something here?
Not that I want a security system compromised, because I don't... but the 1st Amendment doesn't say "Congress shall ... abridge free speech in instances where a subway system is hacked".
The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
Did the MBTA learn a lesson here about making a mountain out of a molehill? They essentially took something that would have received almost no attention and turned it into a national news story and then publicly filed all the details in open court such that anyone with the wherewithal to defraud the MBTA now not only knew about the exploit but had the full details on how to do it.
Especially this part:
They're filing a lawsuit right now, basically, and nobody's in court for us--just MBTA lawyers--and we don't fully know what's going on.
Interesting. So, no one at MIT was served or anything. The MBTA just shows up in court to tell their story and theirs alone? And asks for an injunction?
At least they didn't go nuts like the time with the light brites under the bridges.
Stored value cards are foolish.
They should only ever be used for identification and authentication.
The value being managed must always be stored and administered on the billing system itself.
This is why the responsible agencies (EZ-Pass, WMATA DC Metro, NYC Metrocard) should not, and usually do not, use stored value cards.
How naive of the MBTA to do this.
Cloning is still a problem with DC Metro and NYC Metrocard, but this is relatively easy to detect using database analysis and trending.
The security should lie with the central system.
Stored value cards are never secure--especially if you're depending on the obsolete version of MiFare Classic which should have only ever been used for authentication (serial numbers, keys, and scanned fingerprints).
Never for a so-called "digital purse" like MBTA used it for.
Kriston
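The kind of back-end "database analysis" the comment above mentions, as an added example that is not part of the original thread: when the card serves only as an identifier, the central system can flag card IDs whose tap history no single physical card could produce. The tap records, station codes, and time thresholds below are constructed assumptions, not MBTA or WMATA data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample tap log: (timestamp, card_id, station code). Not real fare data.
TAPS = [
    ("2008-08-20 08:01:00", "C1001", "STN-A"),
    ("2008-08-20 08:04:00", "C1001", "STN-B"),  # 3 min after STN-A: not reachable
    ("2008-08-20 08:10:00", "C2002", "STN-A"),
    ("2008-08-20 08:40:00", "C2002", "STN-B"),  # plausible journey
    ("2008-08-20 09:00:00", "C3003", "STN-C"),
    ("2008-08-20 09:00:30", "C3003", "STN-C"),  # second entry at the same station
]

# Assumed minimum travel times in minutes between station pairs (hypothetical values).
MIN_TRAVEL = {frozenset(("STN-A", "STN-B")): 25}
DEFAULT_MIN_TRAVEL = 5                    # assumption for pairs not listed
PASSBACK_WINDOW = timedelta(seconds=60)   # assumption: re-entry faster than this is suspect


def find_suspect_cards(taps):
    """Return {card_id: [reason, ...]} for histories inconsistent with one physical card."""
    by_card = defaultdict(list)
    for ts, card, station in taps:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_card[card].append((when, station))

    findings = defaultdict(list)
    for card, events in by_card.items():
        events.sort()
        # Compare each tap with the next one made by the same card ID.
        for (t1, s1), (t2, s2) in zip(events, events[1:]):
            gap = t2 - t1
            if s1 == s2:
                if gap < PASSBACK_WINDOW:
                    secs = int(gap.total_seconds())
                    findings[card].append(f"pass-back at {s1} after {secs}s")
                continue
            minutes = MIN_TRAVEL.get(frozenset((s1, s2)), DEFAULT_MIN_TRAVEL)
            if gap < timedelta(minutes=minutes):
                mins = int(gap.total_seconds() // 60)
                findings[card].append(f"impossible travel {s1}->{s2} in {mins} min")
    return dict(findings)


if __name__ == "__main__":
    for card, reasons in find_suspect_cards(TAPS).items():
        print(card, reasons)
```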
The FBI's role should have been to offer him and his buddies a lab, security clearance and a plush job to do this kind of work for them. Seriously, these are the kind of guys that the cops want working for them because every security hole in the infrastructure they find helps the cops do their job--and these guys are smart and educated enough to help the vendor fix the problem.
Grow up - your free speech rights aren't absolute.
There's the classic example of shouting fire in a crowded theater, for example. There's various laws against disclosing all kinds of information - medical records (go to a hospital, and you'll find signs in the elevators reminding staff to be careful when discussing patients), state secrets, etc.
And that's not getting into the realm of lawsuits. I mean, I could go on for hours about how you molest your children while smoking crack, but you can sue me for libel and I'll lose if I can't back up my claims. If you sign an NDA and then announce a press conference to disclose stuff covered under that NDA, I can get an injunction against you to prevent your holding that press conference.
In this case, the folks running the subway got an injunction to prevent the disclosure of the hack. And a judge looked at the evidence and decided that they didn't deserve a permanent injunction.
Did you get drunk and wake up next to a showgirl?
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Quoting Douglas Adams:
Only one thing moves faster than the speed of light, and it's bad news, which operates by its own laws.
Or something or other like that.
The US has tons of limits on free speech, including but not limited to restrictions with respect to
* perjury
* profanity
* sealed courtroom/trial
* threats
* slander and libel
* classified information
* treason
Support a few technologists in Washington.
Pressing the fire alarm to open all turnstiles is a "hack"???
These guys are laughable. Don't they know that that
Every time someone picks a single item from among several used to make a point and rests their entire argument on it, you should be skeptical.
I noticed that you didn't mention the more applicable end of things, i.e., courts enjoining speech pursuant to a lawsuit, of the larger issue that free speech rights aren't absolute in the US, and never have been.
Also, Schenck vs. US was a bad decision, and fairly un-American in my view. But what Holmes said "The most stringent protection of free speech would not protect a man in falsely shouting fire in a theatre and causing a panic," is fundamentally reasonable, even if that justification wasn't appropriate to the case.
You seem to be confusing the bank, MBNA, with the Boston transit authority, MBTA. Hacking MBNA would almost certainly be a felony. Hacking the MBTA is not even definitely illegal if you don't actually ride a train without paying. That's what all this is about.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
Having lived in Boston for five years, I don't need to RTFA to know what that was like.
-They arrived at court 45 minutes late without apologizing to the judge
-During oral arguments, the MBTA's attorney paused several times, each time for 5-10 minutes, for no apparent reason
-MBTA officials wore blazers acquired off the rack for $9,000 apiece; no immediate plans to purchase pants
-Despite earning one of the highest wages in the industry, the attorney was surly and lazy
And, after the judge denied the MBTA's request for an injunction against the hacker, GM Dan Grabauskas issued a press release trumping the agency's legal victory.
The average-Joe thinks MIT students are more devious than they really are?
The MBTA has the information, but let's look at this for a moment. The fares in Boston went up roughly $.50 last year on the subway alone, with upwards of $2 on the rail system. This was mainly done to pay for the current Charlie Card system, as well as perform some additional maintenance and renovations in various stations. So after basically overhauling their token system, for a hefty price no less, they are going to spend how much extra for new data storage on fares? Not to mention the people that they will have to hire in order to sort through everything, and apprehend violators in the underbellies of Boston, or New York, or anywhere with a subway.
I just don't see this going past "We sure showed those MIT kids what was what..." in the board room.
I use the system at least twice a week, and not even the physical securities have changed since the report was originally filed.
Something witty.
You do a good job at sounding like you know something about the subject, but you are woefully misinformed and out of date. The reason offline stored value is not used is that it is too slow for transit. By now the speeds are probably better than they were a few years ago. The other reason is the cost structure makes online systems politically attractive. Municipalities waste 100's of millions of dollars up front for implementing an online system to have going-forward operating costs negligibly lower.
The security should lie with the central system.
There is no need for this kind of antiquated thinking anymore. Their system is centralized. The guy is misinformed about what is stored on the card. The guy is also misinformed about cloning. Where will he source the right card that is ready for initialization? Will he know how to initialize it correctly? It would work in Hollywood, but in real life it's non-trivial.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
1-31-07 Never Forget
Damn right...
I like Boston but sometimes I feel like there's some kind of epidemic here that causes people to react to problems in the most brain-dead, paranoid methods possible...
Bow-ties are cool.
Busses just send the data off via some kind of modem. Doing it offline is actually cheaper over the life of a transit project by anywhere from 10-40%, but the annual operating costs are slightly higher if they went 100% offline.
Politically, which do you think wins?
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
This is the wrong interview. What we should have is an interview with top management to find out why they made bad decisions to go with an insecure system. Maybe their excuse is they were not aware of a nearby school with highly qualified consultants to help them in a quest to get a very secure system.
now we need to go OSS in diesel cars
The security should lie with the central system.
flink lays out one reason why central system doesn't make a lot of sense on a multimodal transit system (don't forget they also have boats).
In the case of rail transit, a centralized fare system will also require a communications system with 100% uptime between the stations and the central system. I've had experience with the station-to-dispatch communications system and it's anything but reliable because the infrastructure is so old. The MBTA is in the process of upgrading the system but it's probably going to be years before 200+ stations are all upgraded.
In the meantime, if the comm goes down between the station and the centralized fare system, you either close the station until communications are restored (bad) or you let people ride for free until communications are restored (bad).
Stored values on the card is a decent compromise, but the security on the card should have been tighter.
Dollar bills?
It had to help the students that Rivest was their professor. At least his reputation in the security world goes before him.
If it were a lesser name in the field, would their claim to have been studying the security of the system have been taken so seriously?
If it had been just some guy in charge of Mississippi State University's computer science curriculum they would likely all be in jail by now.
Nullius in verba
Container problem.
by the time the court had acted
1 thousands had been given a "presentations cd" as part of the conference
2 the presentation (and additional details) had been filed in court NOT UNDER SEAL
3 the MBTA had well and truly annoyed a large number of hackers (of various shades)
Anybody here that wants the information and does not have it in great detail does not belong here (heck half of Digg has it info by now)
Any person using FTFY or editing my postings agrees to a US$50.00 charge
The sad thing is that such security trivia could pass as a final network security project at MIT. MBTA's security problems take minimal technical expertise to exploit. Not worthy of an MIT project IMHO.
1. Who initiated the meeting between you and MBTA? You or them?
2. Did you ride MBTA using non-genuine fare cards?
3. Did you walk into non-public areas of MBTA?
That was a love-fest, not an interview.
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)