Hackers ate my baby!

Pure evil

EVIL MIT HACKER steathily infiltrates the T with EVIL MIT HACKER SHOPPING CART (Source).

In focusing on the OMG EVIL MIT HACKERS angle (but also, to give them credit, the First Amendment/prior restraint angle), the media are completely overlooking the first part of the students' presentation, which discusses how easy it is to get on the T for free without using EVIL MIT HACKER WAREZ, such as, for example: Walking through unattended Charliegates and Green Line rear doors, looking through the windows in those high-tech all-seeing security kiosks, walking into unlocked rooms at Park Street that house switches connecting Charliegates to the MBTA network, etc. In case you missed it, Kaz has more.

For some reason, Dan Grabauskas doesn't seem upset about this, or maybe reporters just aren't asking him about it, because it's not as sexay as OMG EVIL MIT HACKERS or they haven't actually read the presentation themselves, or both.



    Free tagging: 


    I just flipped over the

    By on

    I just flipped over the presentation. I liked how they were able to set up a laptop over the turnstile to read the "tap pad" and no one stopped them. Oh yeah, because that high tech security booth was empty... another awesome picture.

    I don't see what the big deal is really. Wasn't it already publicized that the charlie card was inherently insecure? And haven't people been hacking mag stripes for years now? Although it would be cool to have a charlie ticket with $600+ on it just by changing a few bits of data.

    yep- MIT, where following months behind = research!

    By on


    Their "research" covers work already done in Europe to completely break open the Mifare system....which was publicized heavily about 7-8 months ago.

    Then again, this is the same school that generated Our Little Princess, "Star", who thought that potential employers would be impressed and wowed by some LEDs wired up in her clothes.

    This isn't so much "research", as simply publicizing already well-known information, in a convenient, easy-to-digest form.

    Undergraduate Class Project

    They didn't invent this stuff and didn't claim to... in fact, they referenced heavily (which you might have noted when you read through their presentation ...)

    They analyzed the vulnerabilities, selected specific systems to demonstrate the potential for forgery, completed their project, then wrote it up to get their grade. Theory and lab demo is nice, but functional implementation with common and inexpensive materials is the next step. The low expense and ease heavily underscores exactly how likely it is that less benevolent folks will figure this out.

    This is about what one would expect from a class project - a very complete and well done and well communicated one, at that. The scope is right, the use of existing information is fully appropriate and well packaged, and they managed to complete their work on time so the difficulty was right on target. These are not graduate students, and this was not a full funded research dissertation.

    Your post about "already done" (at least in theory or in a lab) only underscores just exactly how stupid it is that the T didn't fix the problem before these kids even put in their midterm project proposal, let alone showed up with a laptop! The T was trying to slide by on the notion that it wouldn't be easy so they didn't have to do squat. This class project dope slaps those lamers.

    Sometimes simple and and derivative is vastly stronger than cutting edge and sophisticated.

    Red Card

    By on

    You have me agreeing with Swirly again. That's how you should know just how wrong you are on this. Free kick - MIT, and you're off to the showers.

    Proceed from Different Assumptions

    1) The point of running the T isn't to run the T. It is to aggrandize politicians, provide employment for your army of hangers-on, and perpetuate the medieval patronage systems by closing ranks and demanding loyalty. Job to do? What's that? Our job is to BE IN CHARGE.

    2) The hackers are a problem because they uncovered and noticed a POLITICALLY embarrassing issue and tried to get it fixed. They are too young to know that bringing up problems in a perfect and loyalty-based patronage systems makes YOU the problem. It makes you a negative person to question experts, it puts a target on your back to show that their appointed selves lack specific technical qualifications (despite their blind loyalty and boot licking) to properly do the jobs they have been handed. If they do have qualified people working for them, these people learned long ago not to mention anything like this ever ever ever.

    Welcome to Massachusetts and to the rest of the Northeast, for that matter.

    Quick Review...

    By on

    I read the presentation deck, as I am a regular T rider and InfoSec guy. I wrote my thoughts about it last night and posted it this morning. The synopsis is that they're spot on and the MBTA is a bunch of iditos.

    But we already knew that already, didn't we?

    All weekend CH25 "news" has

    By on

    All weekend CH25 "news" has been reporting that they HACKED INTO MBTA SYSTEMS. This morning "VB" questioned why this show is even allowed to go on and said that the FBI should be there arresting everyone as they walk into the parking lot. It's pretty lame..

    Holy Cow!

    By on

    I just paged through the presentation and although I should know better, I am just shaking my head at the total and complete ineptitude of the MBTA. What gets me isn't that these MIT students did what they did, but that with really very little effort, they were able to gain access to places and information that should have been absolutely off-limits. I've seen many of the things documented at the beginning of the slide deck - unlocked doors, keys left dangling, computer screens with confidential information - in my 10 or so years of daily commutes. Even after 9/11 and all the hysteria of random bag checks and the "see something, say something" campaign I've been amazed at the gross laxity in security at stations like Park Street or Government Center.

    I wish I could work up some sort of reaction to the hackers and their antics but I can't. They're just exploiting weaknesses that should have been worked through before the system was even put online. The sad thing is that exposing these issues in the CharlieTickets and the CharlieCards doesn't do a damn thing about the real problem - the MBTA as a haven for every hack's alcoholic/lackwit relative who needs a job.

    National security, obscenity and the imminent threat of violence

    By on

    Dan Kennedy takes a look at the First Amendment implications of the case. He notes that then Supreme Court Chief Justice Charles Evan Hughes listed the above three things in his landmark decision on prior restraint.

    Now which one of those categories do CharlieCard flaws and unlocked doors at Park Street fall into? Kennedy is not surprised at the judge who issued the temporary restraining order:

    ... For those of you with long memories, you may recall that Judge Woodlock is a piece of work. During the 2004 Democratic National Convention in Boston, Woodlock ruled that a cage set up by officials for the use of protesters was "an offense to the spirit of the First Amendment" — but then declined to do anything about it. ...

    Kudos to Kennedy

    Now we're getting somewhere! Kennedy does his homework on prior restraint of free speech and blows the doors off the decision.

    Originally, I thought a temporary restraining order would be appropriate but I was wrong. Now, I think the judge is wrong. It won't stand on appeal but the damage has been done.

    I wonder if the ACLU passed on this case....if Ms. Granick is a constitutional lawyer.

    Civil libertarians and the students’ lawyers quickly assailed the order as a blatant attack on free speech.

    Jennifer Granick, a lawyer with the Electronic Frontier Foundation, which is representing the students, said in siding with the MBTA, Woodlock wrongly applied to speech a federal computer crime statute used to prevent transmitting harmful programs from one computer to another.

    “The statute is meant to stop people from committing computer fraud and abuse, not to stop people from talking about computers,” she said. “These conferences are populated with people from Google, Microsoft, Sisco, wanting to collect information about security vulnerabilities that might exist in their systems. If you don’t let this information be discussed, the attackers are going to research it, but no legitimate person is going to talk about it.”

    MBTA proposes mediation, but won't drop TRO

    By on

    E-mail exchange between MBTA and EFF lawyers, submitted by the MBTA as part of a filing seeking an amendment to the current temporary restraining order to keep the students from talking about "non-public" matters since, I guess, it's become pretty obvious that pretty much every thing in their original presentation was already public.

    EFF says: Drop the TRO, then we'll talk; notes MBTA put more information into the public court documents than the students would have, that Defcon is over and the students weren't able to give their talk.

    Groklaw has more on the latest legal maneuvering.

    'Transit officials don't understand publicity or security'

    By on

    Scott Bradner, Harvard University's technology security officer, doesn't think much of the MBTA in this case:

    ... By suing, the MBTA has ensured maximum attention to the fact that their fare cards are breakable and cloneable. If they had ignored the situation the story would have likely received almost no coverage because there was little new in it. The security community already knew that the MBTA RFID cards used the discredited Mifare Classic RFID and there would have been little interest in yet another example of breaking a technology that had already been broken. One thing that was not well known was that the mag stripe card was poorly designed from a security perspective. The MBTA's lawsuit has ensured that the poor design will now be known by tens of thousands, if not hundreds of thousands more people than would have found out if the talk had gone ahead. ...

    Conflict-of-interest note: Bradner wrote the above column for Network World, where I'm an editor.

    Putting a name to it

    By on

    The increasingly common name for this kind of "footbullet" phenomenon of gaining unwanted attention by yelling "Hey world, this guy is trying to tell my secrets!!" is The Barbara Streisand Effect, named for when Barbara sued a coastal erosion researcher to keep a photo of her mansion off his website...which then caused everyone to download it like mad on the internet.


    By on

    The MIT students will counter-sue the MBTA for defamation, take ownership of the MBTA as a result of the lawsuit, and solve all of our transit woes.

    Book it. Done.

    Thanks for bringing us the

    Thanks for bringing us the up to date coverage. This is where the blog-o-sphere shines and the dead tree journals fail.