Slashdot Mirror


With Lawsuit Settled, Hackers Working With MBTA

narramissic writes "The three MIT students who were sued earlier this year by the Massachusetts Bay Transit Authority for planning to show at Defcon how they had reverse engineered the magnetic stripe tickets and smartcards said Monday that they are now working to make the Boston transit system more secure. 'I'm really glad to have it behind me. I think this is really what should have happened from the start,' said Zack Anderson, one of the students sued by the MBTA."

5 of 90 comments

  1. Summary Fail by Kazrael · Score: 4, Interesting
    Sad that the summary wouldn't also mention how the lawsuit was settled.

    FTFA:
    1. Prevent them from giving their talk
    2. Judge threw out the gag order
    3. Amicable???

    The settlement ends the matter in an amicable way.

    The article fails to really specify end results, but it sounds like some kind of job deal was worked out where the kids will help improve security.

    --
    Development notes at http://devscribbles.blogspot.com
  2. Re:What's this? by Anonymous Coward · Score: 5, Interesting

    Except the MBTA system isn't fixable. It's just full of fail.

    For starters, the card's balance is stored ON THE CARD and nowhere else.

    Secondly, the fare-taking devices are not hooked up to any sort of network. They just kind of assume that only the special blessed writing device can change the balance on the card.

    This isn't quite as stupid as it sounds since the devices use PKI so that theoretically the write request must be signed by a blessed source.

    Except, rather than use a tested encryption source like AES (which is available), they went with some proprietary 40-bit encryption scheme for the smart card. The ticket was even worse, there they used a 6-bit checksum. Yes: 6 bits.

    So the only way to fix it is to build a network to monitor potential fraud, rip out all the fare-taking devices, and replace every single ticket and smart card.

    Now you can see why the MBTA sued: their massive incompetence means that fixing the problem they created will easily run into the billions of dollars.

    Then again, this is the same group of people who successfully sued the glue manufacturer who created the glue that failed to hold up 2-ton slabs of concrete. Never mind that the glue was never designed for such an application or that no one in their right mind GLUES 2-ton slabs of concrete to the ceiling of tunnels.
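
    The design sketched above (balance stored on the card, offline readers, an unkeyed 6-bit checksum on the ticket) is why a checksum cannot serve as an integrity control against anyone able to write the card, while a keyed tag checked by the reader can. The following Python demo is added here and is not from the thread or the MBTA; the record layout, the sum-mod-64 checksum and the HMAC stand-in for a keyed check are constructed assumptions.

```python
"""Constructed demo (not the MBTA's format): an offline stored-value record
guarded by an unkeyed 6-bit checksum, next to the same record guarded by a
keyed MAC. Only the keyed check lets an offline reader tell issuer writes apart."""
import hashlib
import hmac
import random
import struct

ISSUER_KEY = b"constructed-demo-key"  # assumption: secret held only by issuer writers

def encode_record(balance_cents: int, serial: int = 1234) -> bytes:
    """Hypothetical layout: 4-byte serial then 4-byte balance, big-endian."""
    return struct.pack(">II", serial, balance_cents)

def checksum6(record: bytes) -> bytes:
    """Unkeyed 6-bit checksum (byte sum mod 64); anyone can recompute it."""
    return bytes([sum(record) % 64])

def keyed_tag(record: bytes, key: bytes = ISSUER_KEY) -> bytes:
    """Keyed tag: HMAC-SHA256 truncated to 8 bytes to fit card storage."""
    return hmac.new(key, record, hashlib.sha256).digest()[:8]

def reader_accepts_checksum(record: bytes, tag: bytes) -> bool:
    return tag == checksum6(record)

def reader_accepts_mac(record: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag, keyed_tag(record))

def undetected_corruption_rate(trials: int = 20000, seed: int = 1) -> tuple[float, float]:
    """Fraction of random balance-field corruptions (bad write, damaged stripe)
    each reader fails to reject: about 1/64 for the checksum, 0 for the MAC."""
    rng = random.Random(seed)
    good = encode_record(500)
    c_tag, m_tag = checksum6(good), keyed_tag(good)
    missed_c = missed_m = 0
    for _ in range(trials):
        damaged = good[:4] + rng.randbytes(4)  # serial intact, balance garbage
        missed_c += reader_accepts_checksum(damaged, c_tag)
        missed_m += reader_accepts_mac(damaged, m_tag)
    return missed_c / trials, missed_m / trials

def unauthorized_write_accepted(new_balance_cents: int) -> tuple[bool, bool]:
    """A writer without ISSUER_KEY stores a new balance plus the best tag it can
    compute. Returns (checksum reader accepts, MAC reader accepts)."""
    rec = encode_record(new_balance_cents)
    return (reader_accepts_checksum(rec, checksum6(rec)),
            reader_accepts_mac(rec, keyed_tag(rec, key=b"wrong-key")))
```

The keyed variant still leaves the balance on the card, so it does not replace the fraud-monitoring network the comment calls for; it only gives offline readers something an unauthorized writer cannot reproduce.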

  3. Re:Hack first, ask later? by cob666 · Score: 4, Interesting

    I'll probably get slammed for this but I really can't stand when people compare every incident of 'hacking' to breaking into somebody's house. The MIT students didn't break into anything, they reverse engineered and hacked an MBTA card.

    As far as I'm concerned, the MBTA should have done a bit more R&D and implemented a system that wasn't so easily compromised.

    Also, I believe that historically most system flaws are not fixed UNTIL they are hacked and exploited.

    --
    Do what thou wilt shall be the whole of the Law - Aleister Crowley
  4. Those kids should keep their eyes and ears open .. by jc42 · Score: 4, Interesting

    Many organizations, both governmental and corporate, have a tendency to react to employees (or consultants) finding security problems by harassing, firing, and/or suing them. We already know that the MBTA has management that takes this approach. So the kids should be carefully documenting everything they do, with an eye towards defending themselves from or countersuing the MBTA for the MBTA's actions against them if they do their job well.

    Something I've been noticing in particular is that when I read management characterizations of security "hacking", it almost always sounds like a description of what I do routinely as part of all software debugging. In the eyes of management, the media, and the courts, all software developers are "hackers", and they mean this term as a criminal indictment. We are all suspect, especially when we give them bad news about what their systems are already doing.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  5. Re:Hack first, ask later? by SuperBanana · Score: 4, Interesting

    I really can't stand when people compare every incident of 'hacking' to breaking into somebody's house. The MIT students didn't break into anything

    I can't stand it when antisocial self-described geniuses think that they have the right to touch/use/mess with other people's stuff simply because they're doing so via electronic signals. If it doesn't belong to you, don't mess with it. That's a lesson some of us learned when we were in kindergarten.

    They went way beyond what would be considered "white hat" activities. They made up IDs and lied their way into MBTA headquarters, went into a conference room, and plugged in their laptops and played around with the network. Let me repeat that for you: they essentially broke into private property and used a private network by physical location.

    They also went into network closets all over the system where they knew they didn't belong, which is trespassing. It doesn't matter if the door is locked or not.