With Lawsuit Settled, Hackers Working With MBTA

narramissic writes "The three MIT students who were sued earlier this year by the Massachusetts Bay Transit Authority for planning to show at Defcon how they had had reverse engineered the magnetic stripe tickets and smartcards said Monday that they are now working to make the Boston transit system more secure. 'I'm really glad to have it behind me. I think this is really what should have happened from the start,' said Zack Anderson, one of the students sued by the MBTA."

Re:nothing new

[Dahamma]

Interestingly, they really didn't meet any of the conditions you stated!

A couple of bits from the first link:

The passage in the Defcon show guide describing their talk begins, "Want free subway rides for life?" That line was removed from the description of the talk posted at the Defcon Web site.

Can't see that as not causing trouble (at least from the MBTA's perspective...)

The researchers refused to give the transit authority information about security flaws in its system ahead of the talk, the filings state.

Which is not particularly polite - and in fact definitely takes them out of any resonable definition of "White Hat"...

And while hacking around on a smartcard they bought shouldn't be illegal (as long as they don't actually use it for free rides), this bit:

They say they were able to access fiber switches connecting fare vending machines to the unlocked network

is the kind of thing that gets people under said house arrest...

To be honest, these guys were pretty lucky for the way this whole thing turned out. They freely admitted in their published talk that they illegally accessed a gov't network and planned on explaining how to get "free subway rides" to a room full of hackers without revealing how to the gov't organization about to get screwed over... at the very least they could have expected a protracted court case that made their life hell for the next couple years...

Re:What's this?

[Gman14msu]

Then again, this is the same group of people who successfully sued the glue manufacturer who created the glue that failed to hold up 2-ton slabs of concrete. Never mind that the glue was never designed for such an application or that no one in their right mind GLUES 2-ton slabs of concrete to the ceiling of tunnels.

Well that`s just a blatant misstatement, and while I`m not saying the MBTA is a well run organization, they don't need additional problems attributed to them.

First of all, the slabs of concrete that fell were part of the Big Dig, which is run by Massachusetts Turnpike Authority, not the MBTA. Both are poorly run transportation organizations in Massachusetts, but they are not the same.

Secondly, the suits in the ceiling collapse were brought by the Massachusetts Attorney General's office not the MBTA. They were brought against many of the companies involved, including the adhesive company and Bechtel/Parsons Brinckerhoff, the primary consulting firm. The Turnpike Authority was not really to blame, it was either BPB for using an adhesive meant for wall panels for ceilings, or the adhesive company for not realizing their product was being improperly used. Both were sued by the Massachusetts Attorney General's office and paid millions to the state.

Re:nothing new

[DMalic]

You're reading verbatim the brief where the MTBA lies their butt off. The students were not only fully in the right, but 110% - they offered all relevant information, were not planning to provide any illegal or directly damaging info in their talk, etc etc. The MBTA wasn't willing to listen, fix their problems, or even admit they had one - the bureaucrats running it were more interesting in covering things up, which is how this whole fuss got started.

Re:nothing new

[Thinboy00]

Interestingly, they really didn't meet any of the conditions you stated!

A couple of bits from the first link:

The passage in the Defcon show guide describing their talk begins, "Want free subway rides for life?" That line was removed from the description of the talk posted at the Defcon Web site.

Can't see that as not causing trouble (at least from the MBTA's perspective...)

The researchers refused to give the transit authority information about security flaws in its system ahead of the talk, the filings state.

Which is not particularly polite - and in fact definitely takes them out of any resonable definition of "White Hat"...

And while hacking around on a smartcard they bought shouldn't be illegal (as long as they don't actually use it for free rides), this bit:

[snip]

From another FA

The students said they tried to contact the MBTA around July 20 through their professor Ron Rivest, who teaches in MIT's Department of Electrical Engineering and Computer Science, but did not actually connect with the agency until around July 30.

It's been a crazy week for Anderson, who looked haggard -- he said it took him 18 hours to travel by air to Defcon and he had not slept since Thursday.

And another:

Mahoney [the MBTA attorney] praised a security analysis the students had prepared for the agency, saying the information in it convinced them of the vulnerability.

Looks like you're wrong, or one of TFAs is wrong anyway.

Re:And this is a good outcome?

[Dun+Malg]

Did you know that there are only about 100 unique car key "encodings"? This means that if you have a Ford the chances are excellent that your key will open the door of some other Ford in an airport parking lot.

Untrue. Ford (the example you offer) has since 1984 used a key with 10 cut positions with 5 possible depths, which is 9,765,625 (5^10) possible combinations. The door only uses the first four cuts, so in theory the odds are 1 in 625 that any given key will open a random car's door. With worn locks and/or intentionally half-cut tryout keys, that drops to 1 in 256 at best. The ignition uses the last 6 cuts, so it's only a useful trick for getting at the contents of the car. The reason it's not a problem is that opening a random car door is largely useless, and opening a specific car door can be accomplished much quicker through methods other than standing there going through a giant ring of tryout keys.

It almost doesn't matter how much fixing the security might cost as long as it is $1 more than keeping the holes secret and defending against probing.

Except that fixing the problem is a a predictable, one time expense, and "keeping it quiet" is a never-ending process. The latter will continue forever until the former action is taken, so now which path is cheaper?