With Lawsuit Settled, Hackers Working With MBTA
narramissic writes "The three MIT students who were sued earlier this year by the Massachusetts Bay Transit Authority for planning to show at Defcon how they had reverse engineered the magnetic stripe tickets and smartcards said Monday that they are now working to make the Boston transit system more secure. 'I'm really glad to have it behind me. I think this is really what should have happened from the start,' said Zack Anderson, one of the students sued by the MBTA."
How many other times have we seen this pattern?
FTFA:
1. Prevent them from giving their talk
2. Judge threw out the gag order
3. Amicable???
The settlement ends the matter in an amicable way.
The article fails to really specify end results, but it sounds like some kind of job deal was worked out where the kids will help improve security.
Development notes at http://devscribbles.blogspot.com
Common sense finally prevailing? Has hell frozen over?
On one hand I'm surprised that the MBTA has decided to work with these guys to make their system more secure, on the other hand I wish this would happen more often instead of the mindless suing that government organizations and other companies seem so fond of.
Veni, Vidi, Velcro!
To have lost a suit?
Knowledge must be free or freedom is compromised. If that information is somehow 'embarrassing', too damned bad, as it's part of the price of freedom.
---- Booth was a patriot ----
Okay, so fundamentally, the MBTA's goal is to prevent the kids from making their knowledge public. The kids' goal is probably to make a name for themselves, and maybe do something cool by defeating the MBTA's security.
The judge threw out the gag order, which I assume means the kids can legally make the knowledge public (even if they'll be sued later). By "hiring" the kids to make recommendations on their security, everyone saves a bunch of legal costs, the MBTA keeps the kids from going public with the exploits, and the kids still get to make a name for themselves, and maybe make a few dollars. Everybody wins. That doesn't mean the MBTA actually cares about anything the kids have to say in their recommendations.
...Hax0rz work for the Government.
I haven't been able to find it in my brief perusal of the link... does anyone know offhand if the MIT students asked permission first, or if they just did it, planned the talk, and then got in trouble?
If the former, MBTA is messed up. If the latter, I would have to honestly say that the MIT students should have thought about what they were doing and asked before they decided to hack something and tell others how to do it.
If someone asked me if they could do a security audit on my house and I said sure, that'd be cool. If they broke in, were going to give a talk about it to some other dudes and THEN I found out about it, I'd be a bit upset, too. Would I want to fix my security, sure, but I'd be kinda mad they did it without asking. Just because you CAN break in doesn't mean you have a right to do it, it's still MY property, not yours...
That is why we now have the idea of open source governance and the metagovernment project. Why make officials be answerable to the people? Why not just get rid of the officials and have the people govern?
Mob rule? Think again. Web 2.0 is not about mobs, it is about the "wisdom of crowds."
1. Never disclose your name.
and/or:
Sell your hack to the highest bidder.
Give your hack to a few friends.
Saturate your hack so everyone has access to it.
It's about time that a government agency get its head out of its ass about security.
Clearly the loser company that put the system together for them are scammers and should be without a business and the employees should all be fired. I mean, pay millions for a payment system and you'd think it'd be secure, right? It took some genius kids from MIT to realize that if you pull the fire alarm, all the gates open and all the people can get a free ride! Duh, who thought of this???
Idiots.
The Transit Authority's SLAPP lawsuit has served its purpose: it prevented the students from speaking at Defcon. In the end there was no judgment sought, for no judgment was necessary in order that the Transit Authority's wishes be granted in full. The speakers were silenced without trial, and now we're told this should be interpreted as a kind of "happy ending".
It's not a happy ending. It's sad. Very sad.
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
Many organizations, both governmental and corporate, have a tendency to react to employees (or consultants) finding security problems by harassing, firing, and/or suing them. We already know that the MBTA has management that takes this approach. So the kids should be carefully documenting everything they do, with an eye towards defending themselves from or countersuing the MBTA for the MBTA's actions against them if they do their job well.
Something I've been noticing in particular is that when I read management characterizations of security "hacking", it almost always sounds like a description of what I do routinely as part of all software debugging. In the eyes of management, the media, and the courts, all software developers are "hackers", and they mean this term as a criminal indictment. We are all suspect, especially when we give them bad news about what their systems are already doing.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
I know this goes against the Slashdot perception of how these "kids" were sweet, innocent little virgins who did no wrong, but:
Then, they used the modified MiFare cards in gates- they had photos showing them using the cards in gates. That's THEFT and FRAUD, people. You can't walk into a bank, cash a fake check for $500, and then publish a paper and say "the banking system is insecure!", and be shocked and amazed when you're charged with forgery and uttering.
Please help metamoderate.
... once they got out of prison.
I remember going to CanSecWest (whitehat hacker con in Vancouver) last spring. About a fifth (probably more) of the people I spoke to had criminal records.
In Vegas they employ former cheaters to catch cheaters on the casino floors. The general idea is: if they know how to do it, they know how to spot it.
The tradeoff of course is reliability. In most blackhat hacker cases though it's usually a high school or college student involved... so they can play the "I was young and stupid" card. Plus security admins make so much coin that they'd probably be stupid to risk losing their job.
This reminds me of the days when fone phreaks would get hired by the telephone companies after running amok on their systems.
Look at the way physical security is handled. When videos circulated of a Kryptonite tubular pin tumbler lock being picked with a Bic pen, they voluntarily recalled every single tubular pin tumbler lock they ever made and issued brand new disc tumbler locks. I got a new bike lock from that, even though I was lockless for about a week to ship and receive, but it was the gesture that counted.
If Kryptonite [Ingersoll-Rand] were to follow in the footsteps of MBTA or voting systems vendors, they'd refuse to fix the problem, and instead just throw lawsuits into the wind to try to take down the videos.
Is there such a thing as a UL for electronic security?
The problem is there was an implementation of a system with some potential exposures that nobody was exploiting. Quite possibly, no exploitation was because of a lack of knowledge rather than any impracticality of the exploit.
Sure, everything could be made more secure. Did you know that there are only about 100 unique car key "encodings"? This means that if you have a Ford the chances are excellent that your key will open the door of some other Ford in an airport parking lot. Or a mall. Why isn't this a huge problem? It sure sounds like a huge exposure, doesn't it? Well, partly it isn't exploited because nobody knows about it, or almost nobody.
Security by obscurity works and it is cheap to implement. Actually closing all those holes can be extremely expensive and in the physical world it probably doesn't work any better.
So how do you avoid spending millions of dollars for needless security? Well, first off you can strongly discourage security probing. Next, you can defend your obscurity because it is cheaper than fixing the holes someone discovered.
Which is better in the public interest: having a truly "secure" transit card system or preventing the disclosure of information that will certainly lead to exploits? It almost doesn't matter how much fixing the security might cost as long as it is $1 more than keeping the holes secret and defending against probing.
Do we really want public institutions spending large amounts of money to make things "secure" when exploiting holes in public infrastructure is illegal anyway?
Paying these folks anything, even fifty cents, just encourages more people to follow in their footsteps.
Considering all you need to do to "hack" MBTA's system is to use last year's card for that month, I hope the awesome brainpower of MIT can improve the situation somewhat.
I use Windows... like a two dollar wh.. why don't I just go ahead and not finish that sentence.
What is the login for his paypal account? Last I checked the market for paypal accounts is way higher than a mere credit card number.
Information wants to be free comrade nurb432, so you post your paypal login, I'll post mine*. While you are at it, maybe you can fax me your birth certificate too. I don't plan to use it, but I demand you release it anyway, for freedom's sake.
* Offer expires 30 seconds after this comment is posted. Not valid in the Milky Way Galaxy. Machines used to assemble Paypal may have been used in the making of peanut based products. Void in all 50 states.
Case in point.
When I was a kid, we only had one Darth.
So, is this any different from getting those nice guys from the Russian Business Network, who are clearly very technically skilled, to review the security controls around my e-commerce business?
To be clear, "security" in this sense means "not letting people defeat the electronic turnstile and ride for free," not "protecting the transit system from crime and/or terrorist attack." That is, we're only talking about security of the MBTA's revenue stream here -- which would have been better served by just leaving in the old token-operated mechanical turnstiles.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
Having tried to take the T to the airport and from work a few times lately, I see how they're avoiding the problem. Very simple social engineering, really, make the service so unreliable that you wouldn't take it even with a hacked card.
Otherwise the crime would be called 'Entering'. Don't you (presumably a citizen) mind living in an area where the law is essentially random?
Read your local police blotter. On a fairly regular basis here in Boston and surrounding cities/towns, people occasionally find some dude sleeping on their couch.
If there was no sign that the door was locked or of any damage in them getting in, guess what they're charged with? Entering. If there are signs up saying "private property", then they can also be charged with trespassing. Just because you're ignorant doesn't mean common law is "essentially random."
Great, then you realize that the MBTA system belonged to the MIT students, as they were taxpayers and concerned citizens.
What are you, fifteen? You don't get the right to jump in a city fire truck because you're a taxpayer. You don't get to walk around the Oval Office because you're a taxpayer. City property is owned by the CITY. The MBTA is a quasi-state agency, overseen by the Executive Office of Transportation (it extends WAY beyond Boston- it's one of the largest transit systems in the country.)
Also, college students don't pay ANY taxes unless they make over $8k; that's the Federal floor, I think. I believe the MA floor is higher. The taxes they pay via the university (i.e., their tuition) is tenuous at best given that the university probably receives far more federal and state grants than it pays to the state in taxes, as a non-profit organization.
Had these patriots not exposed the problems they found, the good people of their city might have been secretly exploited for years and the incompetent officials who let it happen would have escaped notice or punishment.
Guess what? It's not your fucking job. If the people are incompetent, challenge the elected officials who put them in those jobs, or assert your claims in the local paper, or ask established experts in the field to look into it. Again, it's that antisocial "geek" crap, thinking that somehow everything is your domain or responsibility. It's not.
You do not have the right to break the law to prove a system is insecure. I can prove your door lock is insecure by bumping your lock and writing "BOO!" on your wall. That doesn't justify it or make it "right"; it's still breaking, entering, and vandalism.
Yeah, that story has sounded suspicious from the start. I've wondered whether we'll ever read the real story, which is probably about who decided they didn't like him and decided to get rid of him. There's also the question of whether anyone with any sense will take the job now. How long before the next guy is treated the same way? I know I'd want to hear a good explanation of just what I'd be walking into, and see some evidence that I'd be allowed to do a good job.
With a few exceptions, taxpayers DO get to inspect city/state/federal equipment. And surely if I saw a fire, right next to a firetruck whose firemen were all incapacitated by eating bad seafood, I'd jump in and help as best I could.
Guess what? It's not your fucking job
It's not my fucking job, which is why we hire firemen, but when they can't do it, it's MY world which means it's my responsibility to see that it gets done.
You do not have the right to break the law to prove a system is insecure.
Surely you misunderstand. I do have that right. It has a cost to exercise, namely proving to a judge (and the rest of society) the worth of my actions versus their cost, but I do have that right. If you did not have the "right" to jaywalk, you could not avoid a car on the sidewalk. We have the right but occasionally must justify it.
Again, it's that antisocial "geek" crap, thinking that somehow everything is your domain or responsibility. It's not.
And how old are you? You've got this funny "If anything is wrong, just call a teacher and they'll make it all better" philosophy. What do you do when the teacher is the problem, or having the problem?
I can prove your door lock is insecure [...]
Yeah. But this situation is like them offering to demo the lock-bumping in the middle of the day, to the homeowner (MBTA) and others, but the homeowner reporting it as a B&E anyway.
Nothing they did was harmful. They snooped around a bit, queried publicly accessible servers, edited their property (the card) to test a theory, and went to make the information public (instead of selling it to the mafia).
writing "BOO!" on your wall.
You're the one bringing vandalism into this. Everyone else would have settled for a post-it note with a description of the weakness and what to do to prevent it.
You do not have the right to break the law
You live in a sick little world, if people are just supposed to watch fires burn, and systems break, because the appointed officials are incompetent and the elected officials uncaring. And I mean, my god, a LAW! That's like a rule one of those people made, and had written down! Can you imagine, a rule, on paper, it would be so sacrosanct you would be struck down by the hand of god himself if you even asked to read it, let alone challenge it!
Seriously, breaking laws has a cost to society. One quick trial + one legal-aid lawyer + some police time = $afairbit. But when the cost of leaving a problem uninvestigated or untreated is higher, it's worth it. This is why we have Good-Samaritan laws and protect whistle-blowers.