Slashdot Mirror
With Lawsuit Settled, Hackers Working With MBTA
narramissic writes "The three MIT students who were sued earlier this year by the Massachusetts Bay Transit Authority for planning to show at Defcon how they had had reverse engineered the magnetic stripe tickets and smartcards said Monday that they are now working to make the Boston transit system more secure. 'I'm really glad to have it behind me. I think this is really what should have happened from the start,' said Zack Anderson, one of the students sued by the MBTA."
FTFA:
1. Prevent them from giving their talk
2. Judge threw out the gag order
3. Amicable???
The settlement ends the matter in an amicable way.
The article fails to really specify end results, but it sounds like some kind of job deal was worked out where the kids will help improve security.
Development notes at http://devscribbles.blogspot.com
Common sense finally prevailing? Has hell frozen over?
On one hand I'm surprised that the MBTA has decided to work with these guys to make their system more secure, on the other hand I wish this would happen more often instead of the mindless suing that government organizations and other companies seem so fond of.
Veni, Vidi, Velcro!
Okay, so fundamentally, the MBTA's goal is to prevent the kids from making their knowledge public. The kids' goal is probably to make a name for themselves, and maybe do something cool by defeating the MBTA's security.
The judge threw out the gag ording, which I assume means the kids can legally make the knowledge public (even if they'll be sued later). By "hiring" the kids to make recommendations on their security, everyone saves a bunch of legal costs, the MBTA keeps the kids' from going public with the exploits, and the kids still get to make a name for themselves, and maybe make a few dollars. Everybody wins. That doesn't mean the MBTA actually cares about anything the kids have to say in their recommendations.
I'll probably get slammed for this but I really can't stand when people compare every incident of 'hacking' to breaking into somebody's house. The MIT students didn't break into anything, they reverse engineered and hacked an MBTA card.
As far as I'm concerned, the MBTA should have done a bit more R&D and implemented a system that wasn't so easily compromised.
Also, I believe that historically most system flaws are not fixed UNTIL they are hacked and exploited.
Do what thou wilt shall be the whole of the Law - Aleister Crowley
Interestingly, they really didn't meet any of the conditions you stated!
A couple of bits from the first link:
The passage in the Defcon show guide describing their talk begins, "Want free subway rides for life?" That line was removed from the description of the talk posted at the Defcon Web site.
Can't see that as not causing trouble (at least from the MBTA's perspective...)
The researchers refused to give the transit authority information about security flaws in its system ahead of the talk, the filings state.
Which is not particularly polite - and in fact definitely takes them out of any resonable definition of "White Hat"...
And while hacking around on a smartcard they bought shouldn't be illegal (as long as they don't actually use it for free rides), this bit:
They say they were able to access fiber switches connecting fare vending machines to the unlocked network
is the kind of thing that gets people under said house arrest...
To be honest, these guys were pretty lucky for the way this whole thing turned out. They freely admitted in their published talk that they illegally accessed a gov't network and planned on explaining how to get "free subway rides" to a room full of hackers without revealing how to the gov't organization about to get screwed over... at the very least they could have expected a protracted court case that made their life hell for the next couple years...
Many organizations, both governmental and corporate, have a tendency to react to employees (or consultants) finding security problems by harrassing, firing, and/or suing them. We already know that the MBTA has management that takes this approach. So the kids should be carefully documenting everything they do, with an eye towards defending themselves from or countersuing the MBTA for the MBTA's actions against them if they do their job well.
Something I've been noticing in particular is that when I read management characterizations of security "hacking", it almost always sounds like a description of what I do routinely as part of all software debugging. In the eyes of management, the media, and the courts, all software developers are "hackers", and they mean this term as a criminal indictment. We are all suspect, especially when we give them bad news about what their systems are already doing.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
You're reading verbatim the brief where the MTBA lies their butt off. The students were not only fully in the right, but 110% - they offered all relevant information, were not planning to provide any illegal or directly damaging info in their talk, etc etc. The MBTA wasn't willing to listen, fix their problems, or even admit they had one - the bureaucrats running it were more interesting in covering things up, which is how this whole fuss got started.
Interestingly, they really didn't meet any of the conditions you stated!
A couple of bits from the first link:
The passage in the Defcon show guide describing their talk begins, "Want free subway rides for life?" That line was removed from the description of the talk posted at the Defcon Web site.
Can't see that as not causing trouble (at least from the MBTA's perspective...)
The researchers refused to give the transit authority information about security flaws in its system ahead of the talk, the filings state.
Which is not particularly polite - and in fact definitely takes them out of any resonable definition of "White Hat"...
And while hacking around on a smartcard they bought shouldn't be illegal (as long as they don't actually use it for free rides), this bit:
[snip]
From another FA
The students said they tried to contact the MBTA around July 20 through their professor Ron Rivest, who teaches in MIT's Department of Electrical Engineering and Computer Science, but did not actually connect with the agency until around July 30.
It's been a crazy week for Anderson, who looked haggard -- he said it took him 18 hours to travel by air to Defcon and he had not slept since Thursday.
And another:
Mahoney [the MBTA attorney] praised a security analysis the students had prepared for the agency, saying the information in it convinced them of the vulnerability.
Looks like you're wrong, or one of TFAs is wrong anyway.
$ make available
I really can't stand when people compare every incident of 'hacking' to breaking into somebody's house. The MIT students didn't break into anything
I can't stand it when antisocial self-described geniuses think that they have the right to touch/use/mess with other people's stuff simply because they're doing so via electronic signals. If it doesn't belong to you, don't mess with it. That's lesson some of us learned when we were in kindergarten.
They went way beyond what would be considered "white hat" activities. They made up IDs and lied their way into MBTA headquarters, went into a conference room, and plugged in their laptops and played around with the network. Let me repeat that for you: they essentially broke into private property and used a private network by physical location.
They also went into network closets all over the system where they knew they didn't belong, which is trespassing. It doesn't matter if the door is locked or not.
Please help metamoderate.
Did you know that there are only about 100 unique car key "encodings"? This means that if you have a Ford the chances are excellent that your key will open the door of some other Ford in an airport parking lot.
Untrue. Ford (the example you offer) has since 1984 used a key with 10 cut positions with 5 possible depths, which is 9,765,625 (5^10) possible combinations. The door only uses the first four cuts, so in theory the odds are 1 in 625 that any given key will open a random car's door. With worn locks and/or intentionally half-cut tryout keys, that drops to 1 in 256 at best. The ignition uses the last 6 cuts, so it's only a useful trick for getting at the contents of the car. The reason it's not a problem is that opening a random car door is largely useless, and opening a specific car door can be accomplished much quicker through methods other than standing there going through a giant ring of tryout keys.
It almost doesn't matter how much fixing the security might cost as long as it is $1 more than keeping the holes secret and defending against probing.
Except that fixing the problem is a a predictable, one time expense, and "keeping it quiet" is a never-ending process. The latter will continue forever until the former action is taken, so now which path is cheaper?
If a job's not worth doing, it's not worth doing right.