Join 3,376 readers in helping fund MetaFilter (Hide)


MIT Hackers Restrained
August 11, 2008 1:09 PM   Subscribe

Three MIT students planned to reveal to Defcon how to make counterfeit "Charley Cards" - the electronic passes that allow access to Boston's MBTA transit system. The MBTA sued for a restraining order, and a judge has granted it.

The MBTA complaint (PDF)
The Judge's order (PDF)
Robert Cringely on the subject
posted by Kirth Gerson (104 comments total) 6 users marked this as a favorite

 
Defcon will probably have a lot of blinking LEDs, and this was just too much for sensitive, panicky Boston.
posted by optovox at 1:18 PM on August 11, 2008 [12 favorites]


The DEFCON slides are online, having been pusblished by the MIT student paper. Via here Just checked the link and it is still functional. Presumably they are in defiance of the order then?
posted by Blacksun at 1:20 PM on August 11, 2008


...published....
posted by Blacksun at 1:21 PM on August 11, 2008


Among the documents the MBTA filed with its declaration to the court today is a vulnerability assessment report (.pdf) that the three students gave the MBTA about the flaws in its system. The document is dated August 8, the day the MBTA filed its lawsuit against the students, and is essentially the information the students declined to give the MBTA before it filed its lawsuit.

Ironically, the document reveals more about the vulnerability in the MBTA system than the slides that the restraining order sought to suppress contain. The vulnerability assessment report is now available for anyone to download from the Massachusetts court's electronic records system.


rail fail
posted by East Manitoba Regional Junior Kabaddi Champion '94 at 1:23 PM on August 11, 2008 [7 favorites]


For what conceivable reason would their "warcart" need a smoke grenade launcher?
posted by SweetJesus at 1:27 PM on August 11, 2008


I find it funny how the MBTA decided to issue a restraining order instead of fixing their problems.
posted by LSK at 1:32 PM on August 11, 2008 [8 favorites]


Smart kids: Hey, MBTA, FYI you might be getting paid in monopoly money.
MBTA: Arrest these here criminals!
posted by preparat at 1:32 PM on August 11, 2008 [5 favorites]


“Civil libertarians and the students’ lawyers quickly assailed the order as a blatant attack on free speech.

Jennifer Granick, a lawyer with the Electronic Frontier Foundation, which is representing the students, said in siding with the MBTA, Woodlock wrongly applied to speech a federal computer crime statute used to prevent transmitting harmful programs from one computer to another.

‘The statute is meant to stop people from committing computer fraud and abuse, not to stop people from talking about computers,’ she said. ‘These conferences are populated with people from Google, Microsoft, Sisco, wanting to collect information about security vulnerabilities that might exist in their systems. If you don’t let this information be discussed, the attackers are going to research it, but no legitimate person is going to talk about it.’

MBTA spokeswoman Lydia Rivera said the 10-day injunction will give experts time to examine the students’ research to see if they indeed discovered how to get free rides.

‘The injunction prevents them from disclosing ways to hack into the system,’ Rivera said. ‘It’s a preventive matter for us.’”*
posted by ericb at 1:40 PM on August 11, 2008


LSK writes "I find it funny how the MBTA decided to issue a restraining order instead of fixing their problems."

It doesn't fix the MBTA's problem, but it "fixes" blame on the students while covering up the incompetent IT folks at MBTA.

Sure, if the MBTA were working for the Commonwealth of Massachusetts, it's not a fix, but the government's been capture by the "civil servants", just as corporations no longer work for thier shareholders but are captured by their top executives. The fix is just "sweep it under the rug until I get my pension."
posted by orthogonality at 1:41 PM on August 11, 2008 [1 favorite]


What did you guys expect? It's fucking Boston.
posted by mullingitover at 1:41 PM on August 11, 2008


are populated with people from Google, Microsoft, Sisco,

Sisco?
posted by odinsdream at 1:42 PM on August 11, 2008 [7 favorites]


“Clearly, the end result and the ultimate Internet-wide publication of the students' find might not be what the MBTA wanted. It's an effect, however, that security gurus such as Dan Kaminsky -- the man who discovered the Internet-wide DNS flaw in July -- have seen before.

‘Suppressing speech in the United States has not worked well in recent times,’ Kaminsky, an analyst with ICActive, told TechNewsWorld. ‘It ends up just calling out whatever it was that you were trying to block.’

It's a courtesy, Kaminsky believes, to give a company enough time to respond to a flaw before exposing it. In his case, he opted to keep the details of his finding quiet for a full six months so the proper parties could find a fix before the news became widespread. Not taking those steps, Kaminsky said, can be detrimental to everyone involved.

‘You've got to give people some time. If you don't, you're just giving enough warning to the lawyers and nothing else,’ Kaminsky proposed.

‘No one here is getting what they want,’ he added. ‘That is always tragic to see.’”*
posted by ericb at 1:44 PM on August 11, 2008


are populated with people from Google, Microsoft, Sisco,

Sisco?


It's from the Boston Herald. Whaddya expect?
posted by ericb at 1:45 PM on August 11, 2008


odinsdream writes "Sisco?"

Sisco?
posted by mullingitover at 1:48 PM on August 11, 2008 [2 favorites]


So....

What's the algorithm for generating the checksum?
posted by mr_roboto at 1:51 PM on August 11, 2008


Er, Sisco?
posted by mullingitover at 1:51 PM on August 11, 2008


‘Suppressing speech in the United States has not worked well in recent times,’ Kaminsky, an analyst with ICActive, told TechNewsWorld. ‘It ends up just calling out whatever it was that you were trying to block.’

Exactly! Had it not been for the speech suppression, I never would have known or cared about the hack. Now, it's been on the front page of blogs everywhere for everyone to learn. GG, MBTA.
posted by jmd82 at 1:54 PM on August 11, 2008


...the incompetent IT folks at MBTA.

Charlie Cards are actually MIFARE Classic cards from NXP/Philips and have been hacked before. "The MIFARE Classic encryption can be broken in about twelve seconds on a laptop."

I'd lay blame for the vulnerability on the manufacturer and not the MBTA IT folks.
posted by ericb at 1:55 PM on August 11, 2008


Maybe it was Sysco.

There in its quest to improve its Unique 3D Technology using the latest advancements in poultry reverse engineering.

posted by preparat at 1:56 PM on August 11, 2008 [2 favorites]


Awesome synchronicity as I just played Defcon for the first time in six months, totally kicked ass, then came straight to Mefi. That game is so tight!
posted by autodidact at 1:56 PM on August 11, 2008


Just checked the link and it is still functional. Presumably they are in defiance of the order then?

Apparently PDFs of all talks were distributed to conference attendees. Presumably, the authors submitted this material prior to the issuing of the restraining order (which applies only to these three MIT undergrads; the rest of us are free to act as we choose regarding this material). The restraining order is a day late and an amendment short...
posted by mr_roboto at 1:57 PM on August 11, 2008


More on MiFare and its vulnerability -- How they hacked it: The MiFare RFID crack explained
"Last month, the Dutch government issued a warning about the security of access keys based on the ubiquitous MiFare Classic RFID chip. The warning comes on the heels of an ingenious hack, spearheaded by Henryk Plotz, a German researcher, and Karsten Nohl, a doctoral candidate in computer science at the University of Virginia, that demonstrated a way to crack the encryption on the chip.

Millions upon millions of MiFare Classic chips are used worldwide in contexts such as payment cards for public transportation networks throughout Asia, Europe and the U.S. and in building-access passes.

The report asserts that systems employing MiFare will likely be secure for another two years, since hacking the chip seems to be an involved and expensive process. But in a recent report published by Nohl, titled 'Cryptanalysis of Crypto-1,' he presents an attack that recovers secret keys in mere minutes on an average desktop PC."
posted by ericb at 1:58 PM on August 11, 2008


There is no real need to hack the Charley card since there are already several ways to bypass the system. 1. Simply slide on through. Most turnstyles are open during rush hour because people use them as both entrances and exits. Wearing your iPod earphones you simply wave your wallet in the vicinity of the card reader and walk on through. If ever a T cop or "customer service agent" challenges you you simply say you didn't hear the ding dong noise. 2. The buddy system. Check all the turnstiles for a 'free' pass. sometimes people wave their card twice and the turnstyle will register an extra fare and the screen says 'admit 1' or 'admit 2'. -just walk on through. 3. just walk on through. Most 'customer service reps' won't challenge you. 4. Travel during rush hour. (Commuter Rail only) the conductors rarely collect fares.
posted by Gungho at 2:01 PM on August 11, 2008 [3 favorites]


> Smart kids: Hey, MBTA, FYI you might be getting paid in monopoly money.
MBTA: Arrest these here criminals!


More like:
Smart kids: Hey, MBTA: ere's eighty five different ways to break into the Boston subway system, complete with maps, diagrams of the keys used, instructions for building and programming relevant electronics, and photos of insecure entryways.
MBTA: Who are you? You have no credentials, please stop annoying us.
Smart kids: Hey, l33t haxx0rs and shady types: Here's eighty five different ways to break into the Boston subway system, complete with maps, diagrams of the keys used, instructions for building and programming relevant electronics, and photos of insecure entryways.
MBTA: Wait. Don't do that. Please. Don't.
Smart kids' lawyer: You can't stop us.
Boston cops: Yes we can.
Smart kids: OMFGWTFBBQ.

I'm all for free-ranging public hacks of this sort, even sympathetic to the keep-The-Man-honest arguments, and I don't think the kids should have been arrested. But. Complaining that the target was upset and looking surprised that the MBTA took action after the fact is naive at best. Heavy handed? Yeah. Wanting to send a message? Yeah. Letting more stupid leak out in legal documents? Par for the course.

As for mocking the MBTA for not fixing problems before Defcon, they had less than a week's lead time. That's hardly enough, especially to secure or replace an whole electronic ticketing and transaction system, hardware and software. They should be pissed and in damage containment mode.
posted by ardgedee at 2:03 PM on August 11, 2008 [2 favorites]


Gungho, look out your window. Black helicopters in 3... 2... 1...
posted by unSane at 2:05 PM on August 11, 2008


4. Travel during rush hour. (Commuter Rail only) the conductors rarely collect fares.

Even if they do, if you get caught you only have to either pay the fare +$2 (since people buy tickets on board all the time) or worse, fill out a form if you don't have the cash!
posted by mkb at 2:06 PM on August 11, 2008


...and I don't think the kids should have been arrested.

They weren't arrested. They were served with a Temporary Restraining Order (10-days).
posted by ericb at 2:06 PM on August 11, 2008 [1 favorite]


The MBTA is a lousy system. The subways and buses are constantly late, the fares keep getting jacked up (with no improvement in service), and they have consistently refused to do anything substantive to improve accessibility, including in new construction. With a few exceptions, the concessions they've made to access have been jury-rigged, stop-gap, and unreliable. Fuck 'em.
posted by spaceman_spiff at 2:12 PM on August 11, 2008


> I'd lay blame for the vulnerability on the manufacturer and not the MBTA IT folks.

Actually, if you look at the slides you can see that IT (and mbta in general) are more than responsible for their fair share of getting pwn3d.

Some highlights: Unlocked network closets, keys left in maintenance areas, allowing people to walk into offices dressed as MBTA employees and hold meetings in a conference room, giving them full access to their network.

If MBTA uniforms and hats are sold to 'collectors' on ebay, you would think they would instruct every person to actually check someone's ID and have some way to control physical access to their facilities.

Remember, this talk was not just about getting free passes for the subway, but on the security of the transit system as a whole.
posted by mrzarquon at 2:14 PM on August 11, 2008 [3 favorites]


BTW -- its CharlieCard, not CharleyCard.
posted by ericb at 2:14 PM on August 11, 2008


...IT (and mbta in general) are more than responsible for their fair share of getting pwn3d.

Point well taken.
posted by ericb at 2:15 PM on August 11, 2008


> As for mocking the MBTA for not fixing problems before Defcon, they had less than a week's lead time. That's hardly enough, especially to secure or replace an whole electronic ticketing and transaction system, hardware and software. They should be pissed and in damage containment mode.

Actually, I am mocking them for not even considering this to be a problem up front, and probably assuming that the system was secure.

I really don't care about the card system, how were they supposed to know how a proprietary system works? they just had to trust the vendors that it was secure. But the 'leaving maintenance keys in the boxes' and seeing the photos of the guys just walking through the gates un hindered, probably not even stopped, yeah, that deserves mocking. If I walk into my server room to find a guy in a clown suit playing with my servers, getting a pie in the face is the least of my worries at that point.
posted by mrzarquon at 2:21 PM on August 11, 2008 [2 favorites]


the fares keep getting jacked up (with no improvement in service)...

Just last week: MBTA chief warns of 'hefty' fare hike.
posted by ericb at 2:23 PM on August 11, 2008


Sisco?

What, you don't think the commanding officer of Deep Space 9 takes computer security seriously?
posted by Tomorrowful at 2:24 PM on August 11, 2008 [1 favorite]


It may be fun to cheat but the rates later on go up for those who do not cheat...but if you need more info:

The MIT students confidential vulnerability assessment of the MBTA fare card:

http://cryptome.org/mbta-v-zack/10-scott-henderson-declaration.pdf

__________

The DEFCON presentation (via http://news.cnet.com/8300-1009_3-83.html?tag=bc):

http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

Cryptome mirror: http://cryptome.org/mbta-v-zack/Defcon_Presentation.zip (Zipped PDF, 4.1MB)

__________

The MBTA v. Students court documents including the presentation to be made at DEFCON:

http://cryptome.org/mbta-v-zack/mbta-v-zack.htm

__________
posted by Postroad at 2:32 PM on August 11, 2008


Anyone else want to call bullshit on the Defcon premise? It wants to make itself out to be some smart kid camp where hackers are out to save the world from improper security, but...

In reality it is a bunch of hackers that like to break security and let the world know how they did it. It is part theft, part misplaced heroism, and loaded with as much ego as brainpower. Let's face it, these hackers don't come up with security breaches and then go quietly tell the owners of the security system what the breach is and how to make the security better. No, they go splashing the hack all over the Internets and at geek conventions so they appear nerd cool.

I just can't get all soft and fluffy for the hackers. They seem at least as cavalier about security as those that create the insecure systems the hackers are intent on exploiting. Giving these guys hero status while shaking a finger at the security companies seems a little hypocrtical. I know it isn't popular to say, but once you expose a hack, it filters out into the world for use by anyone that cares to exploit the hack. Translation: in a great many situations the hackers are not exposing the problem, they are the problem.

For these reasons, I totally understand granting a preliminary injunction. I also think that the attorneys for the MBTA royally screwed up if they put sensitive and confidential information out into the court system without filing it under seal.
posted by Muddler at 2:35 PM on August 11, 2008


Having gone through the PDF presentation again, I say that the MBTA should hire them as consultants -- and pay each of them a hefty fee. Their academic "exercise" puts the MBTA security personnel and procedures to shame.
posted by ericb at 2:38 PM on August 11, 2008


...but if you need more info...

BTW -- MIT's The Tech has quite an extensive list of hyperlinked documents (15 at current count) relative to the story.
posted by ericb at 2:40 PM on August 11, 2008


It is part theft, part misplaced heroism, and loaded with as much ego as brainpower.

And they go have a conference where they go a swing their security dicks in public. Yep.

The alternative is to have them swing them in private while they ask for several million dollars of "protection" money or simply sell their exploits to organized crime. It's not like everyone is just going to shut up and forget about testing security.
posted by GuyZero at 2:45 PM on August 11, 2008 [1 favorite]


In a country where a President can be elected with voting systems as crooked as a duck's penis that were defended in the public media with simple reiterated statements like, "they're secure because we say they are. Trust us!"; shiny new airport security enhancements that are no more effective at stopping dedicated attackers than a five year old with a plastic sword and a smirk; and anyone carrying a camera risks being kneed in the back, sat on by a pea-brained "guard" and arrested for trespassing, disturbing the peace and/or resisting arrest -- no, this doesn't surprise me at all.

It's all the same thing, all of it. If you say the same thing over and over again, completely ignoring what is said to you, eventually people will start to believe in your reality no matter how insane or contradictory it is. In groups, we're just a bunch of stupid monkeys flinging shit and we never ever learn.

Disgusted, going for beer.
posted by seanmpuckett at 2:51 PM on August 11, 2008 [2 favorites]


Anyone else want to call bullshit on the Defcon premise? It wants to make itself out to be some smart kid camp where hackers are out to save the world from improper security, but...

MIT. Nothing new here.

In the Netherlands last year, two German hackers, Karsten Nohl and Henryk Plotz, were able to remove the coating on the Mifare chip and photograph the internal circuitry. By studying the circuitry, they were able to deduce the secret cryptographic algorithm used by the chip.

And thus the new Dutch rail card was hacked after the government spent EUR 2b installing the new RFID system.

In addition to embarassing the transport minister, the Dutch were forced to scrap the investment and replace it with something more robust.

So yeah, the Dutch were saved from improper security by a bunch of hackers.
posted by three blind mice at 2:51 PM on August 11, 2008


It is part theft, part misplaced heroism, and loaded with as much ego as brainpower.

This sounds like essentially all corporate enterprise.
posted by aramaic at 2:52 PM on August 11, 2008


Cisco
posted by Kirth Gerson at 2:58 PM on August 11, 2008


BTW -- its CharlieCard, not CharleyCard.

Well, at least I got it right in the tag. Sorry, CharlieCard.
posted by Kirth Gerson at 3:03 PM on August 11, 2008


Just to clarify what happened, the Kids published the information before the judge issued the restraining order. CDs had already been distributed in advance of DEFCON.

So the cat's already out of the bag, and anyone else can republish the documents (notwithstanding the students' copyright, of course)
posted by delmoi at 3:04 PM on August 11, 2008


Ah Boston, Boston.
posted by signal at 3:05 PM on August 11, 2008


And thus the new Dutch rail card was hacked after the government spent EUR 2b installing the new RFID system.

In addition to embarassing the transport minister, the Dutch were forced to scrap the investment and replace it with something more robust.
The cool thing about that hack was that you could steal someone's fair card number just by walking by them. I'm not sure if that's the case with this new system.
posted by delmoi at 3:05 PM on August 11, 2008


I guess someone forgot to tell MBTA that internet > restraining order. Seriously, did they think that would stop the information going public? The worst thing about it is that what they discovered isn't even complex. It's basic stuff like leaving keys, ID materials and surveillance equipment out in the open.
posted by saturnine at 3:07 PM on August 11, 2008


The subways and buses are constantly late, the fares keep getting jacked up (with no improvement in service), and they have consistently refused to do anything substantive to improve accessibility, including in new construction. With a few exceptions, the concessions they've made to access have been jury-rigged, stop-gap, and unreliable. Fuck 'em.

This sounds suspiciously familiar...are there any well maintained mass transit systems?
posted by Remy at 3:07 PM on August 11, 2008


In reality it is a bunch of hackers that like to break security and let the world know how they did it. It is part theft

How on earth is breaking security in any sense 'theft'? With the extension of copyright infringement into the 'theft' are we now at the point where doing anything that costs the powerful money is now 'theft'?
posted by delmoi at 3:10 PM on August 11, 2008 [7 favorites]


This sounds suspiciously familiar...are there any well maintained mass transit systems?

DC's was excellent, when I was there. Admittedly, it was only for a few months in the summer, but my experience (and what I've been told by others) was that it was incredibly accessible, reasonably clean and well-lit, and ran on a fairly regular schedule (with electronic - visual! - notices in most or all stations counting down to the next train). I think the part I used closed down once for a day or two because of flooding, but that was after a pretty bad storm. I didn't take the buses, though, so I can't speak to that.
posted by spaceman_spiff at 3:16 PM on August 11, 2008 [1 favorite]


posted by Muddler It is part theft

No, it isn't.
posted by optovox at 3:18 PM on August 11, 2008


posted by delmoi the Kids published the information before the judge issued the restraining order. CDs had already been distributed in advance of DEFCON. So the cat's already out of the bag, and anyone else can republish the documents

In a related story, the MBTA has hired Cory Doctorow and Xeni Jardin as consultants.
posted by optovox at 3:22 PM on August 11, 2008 [1 favorite]


If you're not familiar with Boston, the MBTA is the worst example of corruption and lack of oversight. Every city machine has corruption, but rarely is it as brazen as the kind displayed by the Massachusetts Bay Transportation Authority.

It starts at the top with overpaid officials who are just on the take, and trickles down to lazy workers who embody the worst stereotypes of labor union excess. The trains are consistently overcrowded, filthy and delayed. Back when they had humans working the ticket booths, it was very common to see them talking to their friends on grimy wall phones (cell phones won't work underground) and devoting a lot more effort to the conversation than actually doing their jobs.

The Charlie system has made the fare collection automated, but the MBTA didn't lay anyone off once it was instituted. They might have devoted those redundant workers to other projects, ensuring the system would work more smoothly, but the service hasn't improved. So there are a bunch of people on the payroll that were paid to barely work presumably being paid to do even less. And the higherups don't care to fix it because they're making fantastic salaries and accountable to nobody. Actually improving their workers productivity would be a headache!

So I'm not surprised that the response from the MBTA is "supress!"
posted by Mayor Curley at 3:26 PM on August 11, 2008 [6 favorites]


I'm shocked that people don't get how this is part theft. You really have to stretch yourself to ignore the very fundamental fact that the hack allows a user of the mass transit system to ride for free.

People, that is illegal. It is a theft. It is no different from shoplifting or a thousand other petty ways of stealing while others pay. It's the same sort of stealing that is replicated over and over again by hackers. People just don't want to admit that they're leaches. They hide themselves in a cloak of ego, patting themselves on the back for their ingenuity.

I also love how people are trying to absolve the hackers by saying how the MBTA sucks. Yeah, I'm sure you're really teaching them a lesson by stealing a free ride. Nothing makes the trains run on time like decreasing their funding in a time of increasing fuel costs, choaked highways, global warming concerns, and infrastructure cracking. You stay classy, hackers. Way to be heroes.
posted by Muddler at 3:58 PM on August 11, 2008


"Hey, your software has a hack, you might want to fix that." almost never gets anything done. Security researchers and hackers publicize their hacks in part because it's the only way security holes get closed.
posted by Pope Guilty at 4:06 PM on August 11, 2008


posted by Muddler I'm shocked that people don't get how this is part theft.

Muddler, the MIT students didn't ride the subway for free. They discovered, engineered, and exploited flaws in the MBTA's system and had prepared a presentation revealing the flaws in the MBTA's system. That's not theft.
posted by optovox at 4:07 PM on August 11, 2008 [2 favorites]


> In reality it is a bunch of hackers that like to break security and let the world know how they did it. It is part theft, part misplaced heroism, and loaded with as much ego as brainpower.

Are you serious? Do you work with security in any way, shape, or form, or are you just blowing hot air?

These guys, the ones willing to go to DefCon and Black Hat conferences and speak publically, are the *good guys*. These are the guys who break into systems and then publish about them. Instead, they could have kept their mouths shut and made a fortune selling fake MBTA cards, or sell it to the highest bidder to do with it whatever they want. Plant bombs on the trains, sell fake cards, etc.

Instead the information was publicized, the users of the system (the MBTA) have been made aware of severe and critical oversights, in regards to network and physical security of the transit system. MBTA might even be held accountable for this in some way.

Of course, too many people love to blame the messenger (and its easier to do now, saying they "stole" information, they are terrorists, etc.) and not ever take heed to the message. Which is simply this: You can't take someone's word that their product is secure. You have to test it, you have to make informed decisions. In a lot of ways these guys are pushing for real security and real citizens rights. They are pushing for the cutting edge in encryption and security, and making companies accountable for their actions. Which means yeah, they break some 'laws,' but when the law being broken is one that supports an unjust system (such as a corrupt and poorly managed transit system, or an e-voting system with no peer auditing), then isn't it just civil disobedience?

I'd rather have a security product that survived in the hands of defcon participants than something that my vendor "swears" is secure.
posted by mrzarquon at 4:08 PM on August 11, 2008 [19 favorites]


I'm shocked that people don't get how this is part theft. You really have to stretch yourself to ignore the very fundamental fact that the hack allows a user of the mass transit system to ride for free.

These guys weren't caught by MBTA security in the act of getting free rides. That would be theft. They published a presentation explaining how the system could be bypassed. Publishing is not theft. You may wish to argue that it's unethical to publish it, but that's a different thing from theft.
posted by scalefree at 4:10 PM on August 11, 2008


Muddler thinks talking about it is the same as doing it.
posted by event at 4:12 PM on August 11, 2008 [3 favorites]


> I'm shocked that people don't get how this is part theft. You really have to stretch yourself to ignore the very fundamental fact that the hack allows a user of the mass transit system to ride for free.

Yup, it lets you ride the MBTA for free. Did these guys ride the MBTA for free? Possibly, but you have to take their word for it, because their hack is undetectable by the current system. Also, they have turned in their documentation and findings and suggestions on how to fix the problem. So do you really want to label these guys as a thieves when they have done a great public service? Because someone else who found this out could have tapped into the unlocked network closets (which they also pointed out) and instead of stealing free rides, could have been stealing every persons credit card information as they bought their tickets.
posted by mrzarquon at 4:17 PM on August 11, 2008


Look, if people want to convince themselves that hackers don't do hacks to get stuff for free, fine. If people want to convince themselves that hackers that go to defcon do so for the public good and not ego, fine. Ad homs suggesting I know nothing of security really don't advance your arguments - just makes you look like you have nothing else to say. Just agree to disagree as I do.

I suppose it is possible that the MIT folks never stole a ride. Pretty impractical and not at all logical, but whatever. I also suppose you can convince yourself that by publishing their findings and basically teaching the world how to ride for free they are in now way aiding and abetting the stealing of rides. I also suppose you can convince yourselves that it is great and wonderful that these hackers are doing public disclosure instead of just going to the MBTA and telling them of the problem. Again, whatever. A thousand ways to bring security issues to light and hackers choose the ego route - yup, worship them.

People, do you ever stop to think to yourselves that the only people that know of the security issues are pretty much the hackers? Do you consider that public announcement of hacks just creates more hackers that do ride for free, and instead of the MBTA being able to internalize that very small cost they suddenly have to pay massively more money to fix a hack that otherwise wouldn't have been a big enough security issue to bother fixing? This is not NASA, this is not the Pentagon. This is a pure money issue. Without general knowledge of a hack that can be exploited, the marginal number of free riders might not have called for any fix at all. Perhaps further security risks would have called for patches to avoid credit card theft. If the hackers had just approached the transit folks and talked to them, at least someone in the MBTA could have made that decision and applied a fix BEFORE everybody and their brother knew how to rip off the MBTA and potentiall its riders.

Anybody have any stats on how many defcon presenters approach the operators of the systems for suggested fixes BEFORE they announce the problems to the world (and with enough time for a fix to be put in place, not a day before announcement)? Ever wonder why that isn't the ethical first requirement before being given a presentation slot? Guess.
posted by Muddler at 4:39 PM on August 11, 2008


I'm shocked that people don't get how this is part theft. You really have to stretch yourself to ignore the very fundamental fact that the hack allows a user of the mass transit system to ride for free.

Telling someone their car door is unlocked = grand theft auto.
posted by dirigibleman at 4:43 PM on August 11, 2008 [5 favorites]


Muddler: Yeah, I'm sure you're really teaching them a lesson by stealing a free ride.

You don't understand what actually happened. You should probably stop commenting until you do.
posted by signal at 4:44 PM on August 11, 2008 [4 favorites]


I suppose it is possible that the MIT folks never stole a ride. Pretty impractical and not at all logical, but whatever.

Some people just can't understand why you'd do something if not to profit from it.
posted by Pope Guilty at 4:47 PM on August 11, 2008 [2 favorites]


Look, if people want to convince themselves that hackers don't do hacks to get stuff for free, fine.

Security researcher = thief.

If the hackers had just approached the transit folks and talked to them, at least someone in the MBTA could have made that decision and applied a fix BEFORE everybody and their brother knew how to rip off the MBTA and potentiall its riders.

From ericb's link:
“We made first contact,” said Zack Anderson, 21, a Los Angeles native, who majors in electronic engineering and computer science. “We wanted to let them know what we found and we wanted to tell them some ideas we had on how they could fix that system ... We felt like the issue was resolved. That was verbally affirmed in a Monday meeting. Then Friday we find out there’s a federal lawsuit against us.”
posted by dirigibleman at 4:48 PM on August 11, 2008


Massachusetts: We Want To Meet With MIT Subway-Hacking Students -- "State transit agency says it's reviewing the Defcon presentation prepared by three students it sued, and wants to meet with them before deciding whether to continue with a federal lawsuit."
posted by ericb at 4:50 PM on August 11, 2008



Sisco?

Yeah. That's a super secret encryption of Cisco.
posted by notreally at 4:56 PM on August 11, 2008


posted by Muddler Look, if people want to convince themselves that hackers don't do hacks to get stuff for free, fine.

If the students wanted to continue getting free rides, they would not have revealed their findings to the MBTA, published a paper, and discussed their findings at a seminar. Think about it.
posted by optovox at 5:00 PM on August 11, 2008


These guys are actually the enemy of the true thieves.
posted by smackfu at 5:13 PM on August 11, 2008


Look, if people want to convince themselves that hackers don't do hacks to get stuff for free, fine. If people want to convince themselves that hackers that go to defcon do so for the public good and not ego, fine.

You know what's even better than free stuff? Money! If they're so interested in "getting free stuff", why wouldn't they just sell the reverse engineering toolkit to some carders and call it a day? Exactly what "free stuff" did they get again?

I also suppose you can convince yourselves that it is great and wonderful that these hackers are doing public disclosure instead of just going to the MBTA and telling them of the problem.

Except, of course, they did tell the MBTA. And they haven't released any software, or source code, or any other exploit related frameworks.

I suppose it is possible that the MIT folks never stole a ride.

No one (including the MBTA) is saying they did. "Free rides" are not part of the dispute.

People, do you ever stop to think to yourselves that the only people that know of the security issues are pretty much the hackers?

Jesus...

Do you consider that public announcement of hacks just creates more hackers that do ride for free, and instead of the MBTA being able to internalize that very small cost they suddenly have to pay massively more money to fix a hack that otherwise wouldn't have been a big enough security issue to bother fixing?

How exactly are other hackers going to ride for free again? They haven't released any source code or implementation details. What they have released is a very high-level presentation that details their "proof-of-concept" hack.

Without general knowledge of a hack that can be exploited, the marginal number of free riders might not have called for any fix at all.

General knowledge won't give you shit. I have the general knowledge of how the hack works from reading the abstract, but without specific implementation details or source code its not gonna help me one bit.

Anybody have any stats on how many defcon presenters approach the operators of the systems for suggested fixes BEFORE they announce the problems to the world (and with enough time for a fix to be put in place, not a day before announcement)?

One more time: pretty much ALL OF THEM! Often times they privately approach the vendor with the vulnerability, and are rewarded with a lawsuit. Imagine that...

If the hackers had just approached the transit folks and talked to them, at least someone in the MBTA could have made that decision and applied a fix BEFORE everybody and their brother knew how to rip off the MBTA and potential its riders.

You clearly have no idea what you're talking about. You talk about hackers like they're magicians.
posted by SweetJesus at 5:13 PM on August 11, 2008 [2 favorites]


> Telling someone their car door is unlocked = grand theft auto.

Telling someone their car door is unlocked = being a good citizen.

Promptly taking off down the street afterwards to tell everybody else that the car door's unlocked, the key's in the ignition, the porn's in the trunk, the garage door opener's got fresh batteries, and the credit cards are in the glovebox... well, that's a little more questionable.
posted by ardgedee at 5:13 PM on August 11, 2008


muddler, I have 3 questions for you:

1. If you can disregard the hacker's motives for a second, do you think looking for flaws in security systems used by the public, and exposing those flaws is:
a) Good policy.
b) Bad policy.

2. Do you think the motivation of the people involved affect whether a policy is good or bad?

3. Do you read any security related blogs or publications? If you do, you would have the answer to: "how many defcon presenters approach the operators of the systems for suggested fixes BEFORE they announce the problems to the world"

I once had a bad condition, but the best doctor to cure it was only in it for the money and the bragging rights. I went with the doctor that just cured people out of the kindness of his heart. I have been stupid ever since.
posted by dirty lies at 5:16 PM on August 11, 2008 [1 favorite]


Anyway, hats off to the kids for going to the MBTA first. Except they prioritized scoring l33t points at Black Hat over giving the MBTA time to fix any flaws (even assuming the MBTA tried). Compare this with Dan Kaminsky's DNS cache poisoning vulnerability discovery, which had a couple months between discovery and publicity, during which he worked behind the scenes on fixes.
posted by ardgedee at 5:23 PM on August 11, 2008


odinsdream writes "Sisco?"

Sisco?


Sisco?
posted by zardoz at 5:27 PM on August 11, 2008


People, do you ever stop to think to yourselves that the only people that know of the security issues are pretty much the hackers?

Pffft. You know about these security issues now. Are you a hacker?

My company sends our top network security guy to Defcon to learn about new attacks. It's really common, especially at larger system software companies and network equipment vendors. You're pretty much clueless about how this scene works.
posted by ryanrs at 5:32 PM on August 11, 2008


I'm slighter dumber (pretty impressive, really) after reading Muddler's comments. Law and Order types inevitably have that effect.

You know who the real thieves are? The MBTA, for spending your tax dollars putting a piece of crap security system into place and then spending more of your tax dollars trying to suppress the information rather than admitting to their mistake--or fixing it.
posted by maxwelton at 5:32 PM on August 11, 2008 [9 favorites]


> (even assuming the MBTA tried)

Their immediate response was to try to stop any discussion that there was even a problem. Not a good sign that they are working to fix the problem, instead doing damage control to ensure no one knows that such a problem exists.

As for scoring l33t points: DefCon is where you go if you want to be taken seriously as a security researcher. The DefCon crowd is actually very professional, even going so as to kick out people who were attacking the wrong network. People don't go there for the lulz.
posted by mrzarquon at 5:38 PM on August 11, 2008


Anyway, hats off to the kids for going to the MBTA first. Except they prioritized scoring l33t points at Black Hat over giving the MBTA time to fix any flaws (even assuming the MBTA tried).

No. The CharlieCard is a MIFARE Classic system which has been broken for a while. The MIT guys weren't the first to publish a working MIFARE attack. The MIFARE Wikipedia article had this info back in January 2008.
posted by ryanrs at 5:45 PM on August 11, 2008


I have actually heard there are many lulz at DefCon.
posted by TheOnlyCoolTim at 5:46 PM on August 11, 2008


Bruce Schneier re. MIFARE: You know your proprietary encryption has been broken when random Chinese companies start selling compatible chips.
posted by ryanrs at 5:52 PM on August 11, 2008 [1 favorite]


I'm not sure why this is a big deal. Anyone with an umbrella can get a free ride on the T. Just slide it between the two panels, thus triggering the motion sensor for exiting, and walk through.

Now if you'll excuse me, there's someone knocking at m- DON'T TASE ME BRO!
posted by robocop is bleeding at 5:55 PM on August 11, 2008 [1 favorite]


I suppose it is possible that the MIT folks never stole a ride. Pretty impractical and not at all logical, but whatever.

Yeah, but they also probably purchased a bunch of CharlieCards while working on their attack. I'll bet the number of cards they destroyed is greater than the number of free rides they took.

Also they also did a bunch of free security consulting work for the MBTA. They could have sold that info to the highest bidder instead. Pretty generous, those MIT kids.
posted by ryanrs at 6:04 PM on August 11, 2008 [2 favorites]


Security through obscurity does work, but not always and not for everybody. This implies somebody sooner or later will figure it out. I'm actually more concerned by the routine behavior of those who are in charge of the economic and financial aspects of security, from hiring experts and financing the security side of IT infrastructure, than by some hack work.

If nobody complains, nobody notices that the money has been poorly spent. Therefore , it is not only or not necessarily only a matter of giving enough time to fix up problems, which should be part of the job description anyway, but it is also a desire of not being poundend by the upper senior management that doesn't really care or know about the why and hows.

Even worse, somebody could notice that some failure in choosing or forming a competent team and allocating enough resources rests on some top cat shoulders. PGP, crypto, transparency , accountability..all thrown behind the shoulders, thanks to a mass of incompent stockholders. Unless, of course, somebody starts showing how badly some infintely paid leaders suck , market-will-fix-it-all ideology notwithstanding.
posted by elpapacito at 6:09 PM on August 11, 2008


Security through obscurity does work, but not always

Weak. Leaving my front door unlocked works most of the time, too.
posted by ryanrs at 6:17 PM on August 11, 2008


At least it wasn't Sisqo...
posted by benzo8 at 7:04 PM on August 11, 2008


As for mocking the MBTA for not fixing problems before Defcon, they had less than a week's lead time. That's hardly enough, especially to secure or replace an whole electronic ticketing and transaction system, hardware and software. They should be pissed and in damage containment mode.

Bull. They should be in begging- and groveling-for-their-jobs mode, because they fucked up rather massively. They implemented a system that was never opened up for public review, and in retrospect has gaping security holes. (The MiFare encryption scheme is a ludicrously weak, proprietary, security-through-obscurity job; it never would have survived open review.) That by itself borders on negligence. Everyone involved in that decision ought to be up for one hell of a public reaming, since they're the ones who put the system at risk by building something that a couple of kids from MIT could break wide open.

The hackers deserve to be lauded in this case, because without them, we'd never know how badly-designed the system was until actual abuse became rampant and visible.

The problem, the core issue, is not that a flaw was discovered and disclosed. The problem was that a poorly-designed system was purchased and implemented at great public expense with little transparency, oversight, or review from disinterested experts. The people involved in that decision should be pilloried for it, because it's inexcusable. The flaw is not in the fare-collection system; the flaw is in the MBTA for selecting and implementing the system.

Security vulnerabilities like this need to be disclosed — and I'd argue that they not only need to be disclosed, but they need to be disclosed in as disruptive a way as possible — because that's the only way the processes that brought the broken systems about will ever be fixed. Quiet disclosure may or may not result in a particular vulnerability getting fixed; public, embarrassing, impossible-to-ignore disclosure brings attention and provides a possible means for fixing more deeply-rooted issues.
posted by Kadin2048 at 8:34 PM on August 11, 2008 [3 favorites]


They should be in They should be in begging- and groveling-for-their-jobs mode, because they fucked up rather massively., because they fucked up rather massively.

But that's the point-- the MBTA officials will NEVER be in begging- and groveling-for-their-jobs mode. No one cares of the system is hackable because there's no accountability. The new system is in place, it's done. They don't care if people scam it as long as they're quiet about it and don't make the officials' jobs harder because the officials will never be called on it. If these meddling kids hadn't made such a stink, the whole controversy boils down to three articles in the Boston Herald and public outrage for a week until a state trooper is discovered asleep in his cruiser at a Public Works site. Then people stop talking about it and paychecks get deposited as per usual.

I'm not maligning the state in general-- I love it here and would never live anywhere else in the U.S. But our system of public transit is corrupt and terrible. The only solution is a wide boycott of the whole thing to force a reorganization, but that's never going to happen. And the people running it are blissfully aware of that.
posted by Mayor Curley at 9:25 PM on August 11, 2008


Bull. They should be in begging- and groveling-for-their-jobs mode, because they fucked up rather massively. They implemented a system that was never opened up for public review, and in retrospect has gaping security holes. (The MiFare encryption scheme is a ludicrously weak, proprietary, security-through-obscurity job; it never would have survived open review.) That by itself borders on negligence. Everyone involved in that decision ought to be up for one hell of a public reaming, since they're the ones who put the system at risk by building something that a couple of kids from MIT could break wide open.

I personally don't understand how some of these companies get the jobs that they do. For instance, we've just had new ticketing systems deployed over here. The user interface looks like it was created by a 5 year old using MSPaint and VB. And I'd stake a large bet that the latter two are the case in my regard.

Everything I've ever seen with the transition from the old, reliable electromechanical systems to computerised GUI systems simply reeks of poor UX and UI design, stability problems and just having a real air of unprofessionalism. It's like the company was just a bunch of guys with some kick ass cutting edge RF gear while customer facing systems were simply an afterthought and generated by the coder the night before the deployment.

I shudder every time I see our ticketing machines. It doesn't inspire me with confidence that the people behind it know proper software engineering and I do expect that our own ticketing system is full of holes waiting to be exploited.
posted by Talez at 9:27 PM on August 11, 2008


I wonder if it'd be cheaper, in terms of pollution, traffic and road damage costs, just to make the public transport system free.
posted by aeschenkarnos at 10:50 PM on August 11, 2008


The MBTA sucks donkey cock.

They've had it in their power (and finances) to be able to run the T 24/7... hell, they could just cycle-down to a single train an hour if they were worried about giving the line workers enough time to work on the tracks... but no.

No, instead you've got a city where the last subway cars leave the station at 12:30am, but the bars close at 2:00am. That makes great fucking sense. "Sorry, folks! Guess you'll have to drive home."
posted by Civil_Disobedient at 11:37 PM on August 11, 2008 [1 favorite]


Promptly taking off down the street afterwards to tell everybody else that the car door's unlocked, the key's in the ignition, the porn's in the trunk, the garage door opener's got fresh batteries, and the credit cards are in the glovebox... well, that's a little more questionable.

MBTA don't own the car and in fact are paid to keep it secure along with the porn, the garage and the credit cards, this may have been what caused you to shout it from the rooftops.

The fact that the people who are paying them are idiots and upon learning their money is being wasted turn around and attack you, may have been what caused you to shout it from the rooftops.

Actually to stretch this to breaking point, you can't actually tell the people who paid the security averse car-minder but have to tell a friend of theirs who will twist and distort what you say because they've got their own little car-minding scams and don't want to rock the boat, yeah, this is what causes all that rooftop shouting.
posted by fullerine at 2:59 AM on August 12, 2008


I find it funny how the MBTA decided to issue a restraining order instead of fixing their problems.

You have obviously never been to Boston.

The MBTA likes to create problems so that it can then spend years "fixing" them. I give you exhibit a: Copley. Oh holy hell.
posted by grapefruitmoon at 4:01 AM on August 12, 2008


(Oh yeah, I should mention as I'm on my way out the door to experience the joys of the green line: Copley is an old station. Very old. Opened in 1909. Outdated, no elevator access, etc. The MBTA is "updating" it and has been for some time and won't be done until late next year. This means that most of the station is boxed off behind partitions and there's general construction everywhere. It's a mess. An over-crowded mess. And this is the green line station that services one of the busiest areas of town: Back Bay/John Hancock tower/Boston Public Library/Newbury St shopping district... Arlington Station a couple blocks down is nearly as bad as well. "Updating" my ass.)
posted by grapefruitmoon at 4:04 AM on August 12, 2008


grapefruitmoon, that glacially-slow progress seems to now be a feature of all construction projects in the state. It takes years to rebuild a dinky two-lane bridge over some railroad tracks.
It took years to rebuild all the bridges over Rte 3 north of 95. Then, when the long-anticipated widening of Rte 3 began (what was it - five years later?), the bridges all had to be done over, because they weren't long enough to span the wider highway. Widening Rte 3 by one lane took longer than the entire construction of Rte 128 did. Your tax dollars at rest.
posted by Kirth Gerson at 4:24 AM on August 12, 2008


Denial!

"There have been claims in the past that have been made against our card or other cards, and, happily, they've all been able to be dismissed or dealt with," said Daniel A. Grabauskas, general manager of the Massachusetts Bay Transportation Authority. "I'm confident it will be the same thing here."
posted by smackfu at 5:44 AM on August 12, 2008


Dude, you were the subject of a Defcon talk. You should be feeling several emotions right now—primarily embarrassment and anxiety. But definitely NOT confidence.
posted by ryanrs at 6:06 AM on August 12, 2008


Civil_Disobedient writes "No, instead you've got a city where the last subway cars leave the station at 12:30am, but the bars close at 2:00am. That makes great fucking sense. 'Sorry, folks! Guess you'll have to drive home.'"

Solution: change last call to midnight.
posted by Mitheral at 6:37 AM on August 12, 2008


"In reality it is a bunch of hackers that like to break security and let the world know how they did it."

In reality you don't seem to have any idea what you're talking about. The vast majority of people attending Defcon are IT professionals. Programmers, sys admins, network engineers, etc. So unless you think those attending are there trying to break into things thay already have full access to, I'm not sure what you're talking about.
posted by Ragma at 8:29 AM on August 12, 2008


The vast majority of people attending Defcon are IT professionals. Programmers, sys admins, network engineers, etc.

Yep...and, as always...Feds hang out with hackers at Defcon.
posted by ericb at 9:17 AM on August 12, 2008


Yep...and, as always...Feds hang out with hackers at Defcon.

Still have my "I spotted the Fed" t-shirt from DefCon 2 to prove it.
posted by scalefree at 9:08 AM on August 13, 2008


Court tells students to disclose hacker secrets in T case -- "Refuses to lift order prohibiting public discussion."
posted by ericb at 9:33 AM on August 15, 2008


Judge Lifts Gag on Students over Transit Security
"A federal judge has lifted a gag order on three MIT students who were barred from talking publicly about security flaws they discovered in the Boston transit system's automated fare network.

A lawyer for the transit agency acknowledged its CharlieTicket system has security flaws. But the lawyer asked Judge George O'Toole Jr. to impose a five- month injunction continuing to block the students from revealing anything publicly about the security system. O'Toole rejected the request Tuesday."
posted by ericb at 12:04 PM on August 19, 2008


More details:
“Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: that the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses.

Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA.

On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer ‘transmission.’ Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system. Lawyers for the MBTA claimed Tuesday they had proof the students had violated the law, but stopped short of specifying what they did.

It's unclear what transit officials will do next. Lawyers for the MBTA weren't immediately available after the ruling, but they could appeal O'Toole's ruling to the U.S. First Circuit Court of Appeals. Unless either side backs down or a settlement happens, a trial on the T's lawsuit against the students and MIT will eventually occur, but so far no date has been set.

Lawyers for the students, in a case that has generated more attention in local media concerned about problems in the transit system than it has among national media concerned about privacy issues, welcomed the judge's decision. ‘This was a case of shooting the messenger,’ said Cindy Cohn, a lawyer with the Electronic Frontier Foundation, a San Francisco advocacy group that was representing the students along with the Massachusetts affiliate of the ACLU and the Fish & Richardson law firm.

But Ieuan Mahony, a lawyer for the Boston law firm Holland & Knight who is representing the MBTA, said the transit authority had no interest in chilling computer security research. Instead, he said it merely wanted to ensure a method for wide-scale fare violations wasn't disseminated.

Security researchers working for the MBTA spent the last several days working through a confidential 30-page analysis--which has not been made public--that students had sent to the court and T officials. The document detailed the complete method for breaking the local Charlie card payment system, including specific details the students say they didn't plan to reveal at the Defcon conference.

MBTA said in documents filed with the court said that fixing the security flaws would take five months. (‘Students have the ability to cause significant harm to the CharlieTicket system, during the roughly five-month window that remedial actions will require.’)

T officials concluded that the students had, in fact, found a way to break the paper Charlie card system, but had only found theoretical methods for breaking the plastic Charlie card, an RFID smart card that can have T fares electronic added to it.

Mahony said the 30-page analysis was a ‘very useful document,’ adding, it's ‘invaluable, but there are additional materials that cause us great concern.’ In particular, the transit authority wanted correspondence with Defcon officials and materials from their class with MIT professor Ron Rivest, a cryptographer best known as one of the co-inventors of the RSA public key encryption system, which is commonly used in e-commerce.


Despite the First Amendment implications of the case, O'Toole made it clear he intended to steer clear of the Bill of Rights. ‘I appreciate the breadth of views of others,’ he said, ‘but my views are considerably more limited.’ (Federal judges generally try to avoid constitutional issues if the dispute can be resolved by interpreting the text of a statute. In this case, it was a 1986 law that he decided didn't properly apply in this case.)

What the students intend to do now that the gag order has been lifted is unclear. If they wished, they could still make the Defcon presentation at some other forum. Cohn said she hasn't spoken with the three, who are still on summer break.”
posted by ericb at 12:09 PM on August 19, 2008


« Older Springfield Punx....  |  Confusing Words... Newer »


This thread has been archived and is closed to new comments