Slashdot Mirror


Interview With MIT Subway Hacker Zack Anderson

longacre writes "In his most extensive interview since the DefCon controversy emerged, MIT subway hacker Zack Anderson talks with Popular Mechanics about what's wrong with the Charlie Card, what happened at DefCon, and what it's like to tango with the FBI and the MBTA. The interview comes on the heels of Tuesday's court ruling denying motions by the MBTA to issue a preliminary injunction aimed at keeping the students quiet for a further five months."


  1. Re:The battle by rbf2000 · · Score: 2, Informative

    Ironically, they made far more information publicly available than the MIT kids ever intended to present by including the security report in their motion. You'd think they would have sealed the document, or whatever the legal term is for hiding sensitive information like that.

  2. You did miss something. by stomv · · Score: 4, Informative

    The US has tons of limits on free speech, including but not limited to restrictions with respect to
      * perjury
      * profanity
      * sealed courtroom/trial
      * threats
      * slander and libel
      * classified information
      * treason

    1. Re:You did miss something. by russotto · · Score: 4, Informative

      The US has tons of limits on free speech, including but not limited to restrictions with respect to
          * perjury

      But no prior restraint here.

      * profanity

      Most such restrictions get shot down in court; if it's about profanity in particular, they fall afoul not only of freedom of speech but of religion as well.

      * threats
      * slander and libel

      Again, no prior restraint here. And what constitutes a threat is reasonably narrowly defined, though prosecutors are always trying to stretch it.

      * classified information

      You have, perhaps, heard of the Pentagon Papers case? Where the Washington Post and the New York Times could not be enjoined from publishing classified information?

      * treason

      It's awfully hard to commit treason with public speech. Laws against sedition, on the other hand, have a long history of violating freedom of speech.

    2. Re:You did miss something. by pbaer · · Score: 2, Informative

      You also forgot: *copyright

      --
      There are 11 types of people, those who know unary and those who don't.
  3. Re:Obligatory IANAL by Ioldanach · · Score: 4, Informative

    Maybe this will help: Congress shall make no law (((respecting an establishment of religion) or (prohibiting the free exercise thereof)) or (abridging (the freedom (of speech) or (of the press)) or ((the right of the people peaceably to assemble) and (to petition the government for a redress of grievances)))). The alleged violation is "abridging (the freedom (of speech) or (of the press))". The assembly subclause is enclosed within a different area of the clause.

  4. Re:no, not really by _Sprocket_ · · Score: 4, Informative

    Very interesting. Further reference:
    http://en.wikipedia.org/wiki/Schenck_v._United_States

  5. Re:The real question I want to know... by ParanoiaBOTS · · Score: 2, Informative

    Did the MBTA learn a lesson here about making a mountain out of a molehill? They essentially took something that would have received almost no attention and turned it into a national news story and then publicly filed all the details in open court such that anyone with the wherewithal to defraud the MBTA now not only knew about the exploit but had the full details on how to do it.

    I doubt they learned anything. If I have noticed one thing about cases like this, it's that they always seem to make the same mistakes. It's really just a matter (again) of people addressing the symptom, not the problem.

  6. MBNA != MBTA by SirGarlon · · Score: 4, Informative

    You seem to be confusing the bank, MBNA, with the Boston transit authority, MBTA. Hacking MBNA would almost certainly be a felony. Hacking the MBTA is not even definitely illegal if you don't actually ride a train without paying. That's what all this is about.

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
  7. What now? by SeeSp0tRun · · Score: 2, Informative

    The MBTA has the information, but let's look at this for a moment. The fares in Boston went up roughly $.50 last year on the subway alone, with upwards of $2 on the rail system. This was mainly done to pay for the current Charlie Card system, as well as perform some additional maintenance and renovations in various stations. So after basically overhauling their token system, for a hefty price no less, they are going to spend how much extra for new data storage on fares? Not to mention the people that they will have to hire in order to sort through everything, and apprehend violators in the underbellies of Boston, or New York, or anywhere with a subway.

    I just don't see this going past "We sure showed those MIT kids what was what..." in the board room.
    I use the system at least twice a week, and not even the physical securities have changed since the report was originally filed.

    --
    Something witty.
  8. Re:Stored value cards are foolish by kriston · · Score: 2, Informative

    You may have read my comment already, but there is an advisory value stored on the card, but it's not the authoritative record of the balance. As with the Oyster Card "hacks" in London, the cards can be turned off within one day. The central billing system analyzes trending and riders are accepted into the vehicle based on the balance on the card. If that balance doesn't match with the central database, the card is turned off within hours. The same happens with cloned cards, which can be detected the same way even more quickly, as cards are used in impossible locations at impossible time intervals. The vehicle acceptance systems use store-and-forward wireless systems--remember, all the vehicles have onboard radios which will work several times per hour even on routes with the poorest coverage.

    --

    Kriston
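
The two back-office checks described in the comment above (card balance reconciled against the central record, and clone detection from impossible location/time intervals), sketched as an added example that is not part of the original comment or any transit agency's code. The station names, coordinates, speed bound, record layout and sample taps are all constructed assumptions.

```python
from math import asin, cos, radians, sin, sqrt

# Constructed station coordinates (lat, lon) and speed bound: assumptions, not MBTA data.
STATIONS = {"STN_A": (42.356, -71.062), "STN_B": (42.365, -71.104), "STN_C": (42.207, -71.001)}
MAX_KMH = 80.0  # assumed fastest plausible travel between two taps

def distance_km(a, b):
    """Great-circle (haversine) distance between two stations."""
    la1, lo1 = map(radians, STATIONS[a])
    la2, lo2 = map(radians, STATIONS[b])
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def review(taps, ledger):
    """Return {card: set(reasons)} for cards the back office should turn off.

    taps   -- (card, epoch_seconds, station, balance_on_card_cents, fare_cents),
              possibly out of order because vehicles upload in batches
    ledger -- authoritative central balances (cents) before this batch
    """
    central = dict(ledger)          # work on a copy; the caller's ledger is untouched
    last_seen, flagged = {}, {}
    for card, ts, station, on_card, fare in sorted(taps, key=lambda t: t[1]):
        reasons = set()
        # 1. The card's stored value is advisory; the central record decides.
        if central.get(card) != on_card:
            reasons.add("balance_mismatch")
        central[card] = central.get(card, 0) - fare
        # 2. Two taps farther apart than anyone could travel suggest a clone.
        if card in last_seen:
            prev_ts, prev_station = last_seen[card]
            hours = (ts - prev_ts) / 3600
            if distance_km(prev_station, station) > MAX_KMH * hours:
                reasons.add("impossible_travel")
        last_seen[card] = (ts, station)
        if reasons:
            flagged.setdefault(card, set()).update(reasons)
    return flagged

# Constructed sample batch (not real fare data).
LEDGER = {"1001": 1000, "1002": 500, "1003": 1000}
TAPS = [
    ("1001", 300, "STN_C", 1000, 200),   # clone still carrying the copied balance
    ("1003", 0, "STN_A", 1000, 200),     # honest rider
    ("1001", 0, "STN_A", 1000, 200),     # original card
    ("1002", 60, "STN_B", 5000, 200),    # stored value edited upward
    ("1003", 1800, "STN_B", 800, 200),   # honest rider, plausible trip
]

if __name__ == "__main__":
    for card, reasons in review(TAPS, LEDGER).items():
        print(card, sorted(reasons))
```

Records are sorted by timestamp before checking because a store-and-forward uplink can deliver one vehicle's taps after another's even when they happened earlier.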