Slashdot Mirror


With Lawsuit Settled, Hackers Working With MBTA

narramissic writes "The three MIT students who were sued earlier this year by the Massachusetts Bay Transit Authority for planning to show at Defcon how they had reverse engineered the magnetic stripe tickets and smartcards said Monday that they are now working to make the Boston transit system more secure. 'I'm really glad to have it behind me. I think this is really what should have happened from the start,' said Zack Anderson, one of the students sued by the MBTA."

4 of 90 comments

  1. It's hush money by NoKaOi · Score: 5, Insightful

    Okay, so fundamentally, the MBTA's goal is to prevent the kids from making their knowledge public. The kids' goal is probably to make a name for themselves, and maybe do something cool by defeating the MBTA's security.

    The judge threw out the gag order, which I assume means the kids can legally make the knowledge public (even if they'll be sued later). By "hiring" the kids to make recommendations on their security, everyone saves a bunch of legal costs, the MBTA keeps the kids from going public with the exploits, and the kids still get to make a name for themselves, and maybe make a few dollars. Everybody wins. That doesn't mean the MBTA actually cares about anything the kids have to say in their recommendations.

  2. Re:What's this? by Anonymous Coward · Score: 5, Interesting

    Except the MBTA system isn't fixable. It's just full of fail.

    For starters, the card's balance is stored ON THE CARD and nowhere else.

    Secondly, the fare-taking devices are not hooked up to any sort of network. They just kind of assume that only the special blessed writing device can change the balance on the card.

    This isn't quite as stupid as it sounds since the devices use PKI so that theoretically the write request must be signed by a blessed source.

    Except, rather than use a tested encryption source like AES (which is available), they went with some proprietary 40-bit encryption scheme for the smart card. The ticket was even worse, there they used a 6-bit checksum. Yes: 6 bits.

    So the only way to fix it is to build a network to monitor potential fraud, rip out all the fare-taking devices, and replace every single ticket and smart card.

    Now you can see why the MBTA sued: their massive incompetence means that fixing the problem they created will easily run into the billions of dollars.

    Then again, this is the same group of people who successfully sued the glue manufacturer who created the glue that failed to hold up 2-ton slabs of concrete. Never mind that the glue was never designed for such an application or that no one in their right mind GLUES 2-ton slabs of concrete to the ceiling of tunnels.
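The distinction the comment above draws between an error-detecting checksum and a tag an offline fare gate can actually trust, as an added example (not from the commenter, the students or the MBTA): a constructed toy ticket layout carrying an unkeyed 6-bit checksum beside the same layout carrying a keyed HMAC tag. The field sizes, the checksum rule and the key are assumptions; the page only states that the real ticket used a 6-bit checksum.

```python
import hashlib
import hmac
import struct

# Constructed toy stored-value ticket, not the MBTA's real layout: 4-byte ticket
# id, 2-byte balance in cents, then an integrity tag appended by the issuer.
HEADER = struct.Struct(">IH")

def checksum6(data: bytes) -> bytes:
    """Unkeyed 6-bit checksum (byte sum mod 64) as a 1-byte tag. It catches
    accidental corruption only: the rule is public, so anyone able to write
    the medium can recompute it for whatever balance they like."""
    return bytes([sum(data) & 0x3F])

def mac_tag(key: bytes, data: bytes, tag_len: int = 8) -> bytes:
    """Keyed tag: HMAC-SHA256 truncated to tag_len bytes. A gate holding the
    key can verify it; without the key a guess passes with odds 2**-(8*tag_len)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:tag_len]

def issue_checksum_ticket(ticket_id: int, balance_cents: int) -> bytes:
    data = HEADER.pack(ticket_id, balance_cents)
    return data + checksum6(data)

def issue_mac_ticket(key: bytes, ticket_id: int, balance_cents: int) -> bytes:
    data = HEADER.pack(ticket_id, balance_cents)
    return data + mac_tag(key, data)

def checksum_gate_accepts(record: bytes) -> bool:
    """All an offline gate relying on the checksum alone can check."""
    return checksum6(record[:-1]) == record[-1:]

def mac_gate_accepts(key: bytes, record: bytes, tag_len: int = 8) -> bool:
    """What a gate provisioned with the verification key can check."""
    data, tag = record[:-tag_len], record[-tag_len:]
    return hmac.compare_digest(mac_tag(key, data, tag_len), tag)

def rewrite_balance(record: bytes, new_balance: int, tag_len: int,
                    public_tag=None) -> bytes:
    """Model tampering by someone with write access to the card but no key:
    if the tag rule is public (an unkeyed checksum) it is simply re-applied;
    otherwise the old tag is carried over, which a MAC check will reject."""
    ticket_id, _ = HEADER.unpack(record[:HEADER.size])
    data = HEADER.pack(ticket_id, new_balance)
    return data + (public_tag(data) if public_tag else record[-tag_len:])
```

The checksum gate accepts a rewritten balance because the tag rule needs no secret, while the MAC gate rejects it because the old tag no longer matches; neither variant addresses the commenter's first point that the balance lives on the card at all.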

  3. Re:nothing new by DMalic · Score: 5, Informative

    You're reading verbatim the brief where the MBTA lies their butt off. The students were not only fully in the right, but 110% - they offered all relevant information, were not planning to provide any illegal or directly damaging info in their talk, etc etc. The MBTA wasn't willing to listen, fix their problems, or even admit they had one - the bureaucrats running it were more interested in covering things up, which is how this whole fuss got started.

  4. Re:nothing new by Thinboy00 · Score: 5, Informative

    Interestingly, they really didn't meet any of the conditions you stated!

    A couple of bits from the first link:

    The passage in the Defcon show guide describing their talk begins, "Want free subway rides for life?" That line was removed from the description of the talk posted at the Defcon Web site.

    Can't see that as not causing trouble (at least from the MBTA's perspective...)

    The researchers refused to give the transit authority information about security flaws in its system ahead of the talk, the filings state.

    Which is not particularly polite - and in fact definitely takes them out of any reasonable definition of "White Hat"...

    And while hacking around on a smartcard they bought shouldn't be illegal (as long as they don't actually use it for free rides), this bit:

    [snip]

    From another FA

    The students said they tried to contact the MBTA around July 20 through their professor Ron Rivest, who teaches in MIT's Department of Electrical Engineering and Computer Science, but did not actually connect with the agency until around July 30.

    It's been a crazy week for Anderson, who looked haggard -- he said it took him 18 hours to travel by air to Defcon and he had not slept since Thursday.

    And another:

    Mahoney [the MBTA attorney] praised a security analysis the students had prepared for the agency, saying the information in it convinced them of the vulnerability.

    Looks like you're wrong, or one of TFAs is wrong anyway.

    --
    $ make available