
Bet you didn't know about this MBTA service: Grading student papers

Here is the T's latest filing in its effort to shut up those three MIT students. And here is part of the T's arguments to force the students to tell all:

It is unlikely that Professor Rivest would award an "A" for the work represented in the Report and the Presentation, indicating that additional sensitive materials exist in the possession of the Individual Defendants. The MBTA notes that the Individual Defendants have been unwilling, to date, to produce the "A" paper they prepared for Professor Rivest.

But keep reading the brief, down to the part where the T argues the students have forfeited their First Amendment rights, in part because their talk was "commercial speech" and in part because they were planning on giving their talk to a convention of hackers (and also computer security experts, most of whom probably aren't working for the MBTA), and that alone shows how they would have incited illegal activity. The T also cites as proof a photo the students took of an MBTA networking switch - without noting that the students were able to take the photo because the T failed to lock the room at Park Street where the switch was located.

The T got its temporary restraining order extended to at least Tuesday.


Comments

The T also cites as proof a photo the students took of an MBTA networking switch - without noting that the students were able to take the photo because the T failed to lock the room at Park Street where the switch was located.

Bzzzt. M.G.L. C266 S120. If there was any signage prohibiting trespassing, which might include "authorized personnel only", etc- then they committed criminal trespass simply by going in. In NH, there wouldn't even need to be a sign- trespassing there is defined as going somewhere "you know you don't belong."

Also, it's a common myth that if the door on your house is unlocked and a burglar walks right in, that it's somehow not a crime, or you're at fault. M.G.L. C266 S17: entering with intent to commit a felony (or scare people inside the home/business) is a crime itself; no "breaking" necessary.

These idiots bragged about "using a phantom meeting" to get into MBTA offices and plug into the MBTA private network; that's two levels of trespass, and probably some nice state or federal charges relating to having used the private network. If they lied to an MBTA officer about a meeting, well- now there's a charge right there, too.

Then, there's photographic evidence of them modifying a ticket and using a fare vending machine to verify it- if they did actually use the ticket, bam! Fraud...

Seriously- I'd place good money that the MBTA police and a DA are working hard on finding video evidence that these clowns went where they didn't belong.

If I were Ron Rivest, I wouldn't give them an A, either. All they did was follow in a lot of other people's footsteps...it's hardly work that I would expect to earn an A at MIT, either...even if they are undergrads.

up
Voting closed 0

Or did they just stand outside the open door and take a photo of what was inside? That's not trespassing.

up
Voting closed 0

At the same time, however, the MBTA should be tightening up the holes these kids found. An unlocked wiring closet in one of the busiest subway stations in the system? Are they kidding? That's just plain moronic and irresponsible - and begging for somebody a lot more devious to do something (or stupid; imagine some drunk wandering in there and just going berserk and ripping out wires and stuff - on the first of the month).

So far all we've heard from the T is "These dumb kids didn't tell us anything we didn't know" (which in itself is a bit depressing, because it implies the T doesn't care about poor security practices, both computer and physical) and "These MIT kids must know more than they're letting on, and they better tell us everything," which in its own way is kind of sad, too.

Also? Throwing the book at them? Muzzling them in federal court? Overkill, perhaps?

up
Voting closed 0

So far all we've heard from the T is "These dumb kids didn't tell us anything we didn't know" (which in itself is a bit depressing, because it implies the T doesn't care about poor security practices, both computer and physical)

Like I said, the Mifare Classic vulnerabilities were well publicized 8 months ago. What would be disturbing: if the MBTA knew about the vulnerabilities BEFORE the attacks against Mifare Classic were known. I.e., if the manufacturer or vendor told them Mifare Classic's problems during the planning phase. Unfortunately, the readers are only compatible with Classic cards. They'd have to re-install new readers (among other things) in EVERY single turnstile, farebox, and ticket machine...in a system which only sits inactive for about 5 hours out of every day. You think the MBTA has problems? How about the millions of cards and readers used in Europe for building access? That's not just a money issue, it's a real safety and security problem.

It's much easier for the MBTA to implement fraud detection methods via data inspection (like, for example, looking for cards that have a value but no payment history, a pretty easy check), or evidence of cloned cards (like, say, a card being used at Harvard Sq, and then 10 minutes later appearing in Forest Hills), couple it with CCTV surveillance, and prosecute the hell out of anyone that tries to game the system.

I hate the "it's possible, OMG OMG!" attitude of some hackers. Guess what? It's also possible to punch someone in the face. Trip them. Kick a baby. Or smash a car window. Break down most people's front door. Or go on a shooting spree with a legally purchased handgun or rifle. Yet, most or the overwhelming majority of people don't do these things, because they're discouraged by the punishments if they're caught, and both their own personal morals and those of the society they live in. Japan is one good example of where morals are enough to keep the crime rate pretty low; not that they're pure white angels, of course...

Yet, these immature self-proclaimed geniuses are happy to demonstrate serious moral judgment problems in their publicity grab. The methods of disclosure and such are endlessly debated in computer security circles, which is pretty good proof in the pudding that neither side is ideal.

For example: if they approached the MBTA, and the MBTA ignored them- why didn't they go to the Executive Office of Transportation? Or the Governor?

up
Voting closed 0

Last time I checked, it was possible to just walk onto a bus in Amsterdam without paying anything.

Of course, if you get caught freeloading, you get a hefty fine.

I agree with this point you're making, that what they disclosed is not really such a big deal. It's like saying someone could pick my front door lock. Well, I know that. I lock it just the same. Because most crimes are crimes of opportunity by stupid thugs looking for low-hanging fruit. If someone is smart enough to clone cards, they're probably smart enough to get a real job too.

On the other hand, if it isn't such a big deal then why go after these kids so vehemently? If they're not disclosing great secrets, why the gag order? Let them talk their way into a little community service and be done with it.

up
Voting closed 0

It is *so* dumb simple to make a fake card worth, say, $200 and the cost for doing so is *so* much less than the profit that the margin for such a forged card is high. That will entice the simplest of criminals to do so. It costs you $1.50 (I think that was the price the students quoted), you sell it for $50 (making $48.50 in profit), and the buyer gets $150 profit. The MBTA couldn't currently catch someone doing this if they wanted to because they don't even have the auditing system that the students recommended to them in the very first place (before the gag order was ever in play). Everyone wins except the MBTA.

That's the low-hanging fruit and is far more profitable than a real job and with ZERO risk at this time.

up
Voting closed 0

Since you're right, "everybody" already knew about the issues there.

What is new in their paper is the identification of physical security issues - the unlocked doors, the unmanned booths, the documents lying atop desks in the "security" kiosks. Is the T doing anything about that?

Go to the EOT? The governor? Why would they think to do that? As for publicity grab, um, it was the MBTA that made the news by suing them in federal court.

up
Voting closed 0

That part sounds like the same old same old to me.

Say, they didn't have an MBTA master key, did they? They could have got one from any bum on the Common.

Oh, that's right, Grabauskas promised he'd fix that. What he didn't say is he'd fix it by just leaving the doors open.

up
Voting closed 0

Not only did the MBTA make the news.. it was the MBTA that published the far-more-detailed specifics of their hack in the court record. The DEFCON presentation is now moot; the MBTA has made available the details they were going to leave out of the presentation. (I think it's been redacted now, but of course, you can't undo on the Internet.)

up
Voting closed 0

That when some young computer nerds (who are in fact much smarter than the old corporate hacks building these systems) reveal a security flaw or hole some people want them thrown in jail.

What if, instead of being MIT computer nerds, they were, say, engineers from Wentworth, and instead of strolling into a network room they jumped a fence and discovered a city bridge was dangerously unsafe and about to fall?

Now, I don't condone illegal activity, but when someone is merely pointing out that a certain system is flawed (because the MBTA would never admit this themselves) they are, in my opinion, doing the company a favor in the long run.

But if people insist that laws have been broken and charges should be filed, then let's turn this up to 11, shall we? Let's slap these kids with some offenses and then fire EVERYONE responsible for building such a costly and ultimately worthless RFID token system. If we really think everyone should be held accountable for their actions, then I think there is an entire group of people at the MBTA who should be scraping gum off telephone poles instead of building complex mass transit fare systems.

up
Voting closed 0

What if, instead of being MIT computer nerds, they were, say, engineers from Wentworth, and instead of strolling into a network room they jumped a fence and discovered a city bridge was dangerously unsafe and about to fall?

In this town?

They'd probably shoot them. Or at least louse up traffic for an entire afternoon.

up
Voting closed 0

Finally, some notoriety that doesn't begin with "that other institute of technology." Although to be fair, we do have our fair share of computer nerds mixed about our future engineers, contractors and architects. We're just a little less smug and not always vying for attention, like those students across the river.

That being said, these students have pointed out fundamental flaws both in the physical and digital system of the MBTA. Regardless of how long this knowledge has been public, the MBTA most certainly has been aware and has apparently done little beyond a gag order and finger pointing to resolve this problem.

up
Voting closed 0

For instance, they recommend that the T maintain a central repository of CharlieCard value, rather than depending on the card to know its own value. I'm pretty sure such a repository already exists, otherwise the T would not be able to offer online management of CharlieCards to employers. Also, if your CharlieCard stops working, you can take it to Downtown Crossing and get it replaced with another of equal value. That too requires a central repository.

Bus and Green Line fareboxes are not connected to the T's computer system in real time (and therefore are presumably reconciled overnight when the vehicles are parked in storage yards), but I'm pretty sure that every fare gate and vending machine has a permanent real-time connection to the T database.

up
Voting closed 0

First, I wonder if they're doing it based on the credit card used to add value to the CharlieCard by refunding you all/some of your latest purchase. Cash? Sorry, you should have used a traceable transaction. Just a guess as to how it would be possible without any sort of card-tracking. Even still, if they have a repository, the students were suggesting the important part which is an Auditing Software that would watch for odd fluctuations (such as a card whose value is $1 going to $100 with no purchase event at a kiosk). That is most certainly not in place.

Finally, the T maintains that a broken *CharlieTicket* leaves you out of luck. The ticket is the method that is most easily hacked according to what the students found. It is on the Ticket that the 6-bit checksum is used to validate the card value and it is the magnetic strip on the ticket that is most easily duplicated/edited because of all of the magnetic readers out there. The RFID on the CharlieCard is a more expensive and slightly more secure beast to crack (but still totally do-able according to the students et al). Copying or forging the Cards is harder. The Ticket sounds pretty dumb simple.

up
Voting closed 0
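
The data-inspection checks raised in the comments above (a card holding value with no payment history, a card used at Harvard Sq and 10 minutes later at Forest Hills, a balance that jumps with no purchase event), written out as an added example that is not from the thread, the students' report or the MBTA. The event format, the travel times and the sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed minimum ride times between stations, in minutes (constructed values).
MIN_TRAVEL = {frozenset(["Harvard", "Forest Hills"]): 35,
              frozenset(["Harvard", "Park Street"]): 8}

# Constructed sample records, not real MBTA data:
# (card_id, time, station, kind, amount_cents, balance_reported_by_card_cents)
# kind: "load" = value bought at a vending machine, "tap" = fare paid at a gate.
EVENTS = [
    ("A1", "2008-08-11T08:00", "Harvard", "load", 2000, 2000),
    ("A1", "2008-08-11T08:05", "Harvard", "tap", 170, 1830),
    ("A1", "2008-08-11T08:15", "Forest Hills", "tap", 170, 1660),  # 10 min later
    ("B2", "2008-08-11T09:00", "Park Street", "load", 200, 200),
    ("B2", "2008-08-11T09:30", "Harvard", "tap", 170, 9830),  # no load explains this
]

def audit(events):
    """Return sorted (card_id, reason) findings from a day's fare events."""
    ledger = {}     # card_id -> balance the central repository expects
    last_seen = {}  # card_id -> (time, station) of the previous event
    findings = set()
    for card, ts, station, kind, amount, reported in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        # Check 1: the card carries more value than recorded loads and fares explain.
        expected = ledger.get(card, 0) + (amount if kind == "load" else -amount)
        if reported > expected:
            findings.add((card, "value without payment history"))
        ledger[card] = expected  # trust the repository, never the card
        # Check 2: same card at two stations faster than a train could get there.
        if card in last_seen:
            prev_when, prev_station = last_seen[card]
            need = MIN_TRAVEL.get(frozenset([prev_station, station]))
            if need is not None and when - prev_when < timedelta(minutes=need):
                findings.add((card, "impossible travel"))
        last_seen[card] = (when, station)
    return sorted(findings)

if __name__ == "__main__":
    for card, reason in audit(EVENTS):
        print(card, reason)
```

Both checks depend on the back office keeping its own ledger per card; offline fareboxes that reconcile overnight would feed the same audit as a batch.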

As I said earlier, the students shot themselves in the foot by claiming their presentation would let people get free rides for life. The T is pushing on this for all it's worth.

On the other hand, the T's claim that the students intended to cause "damage to protected computers" is extremely far-fetched, and I don't see how it can hold up in court.

This is based on a quick skimming of the document. I may have more detailed comments on my blog later.

up
Voting closed 0

Here's my latest take. The more carefully I read the T's claims, the more bizarre they look. The T actually claimed that the purpose of the presentation is to stir people into "imminently" breaking the system as soon as they've heard the talk. It must be even easier to crack than we realized!

up
Voting closed 0

The MBTA is just embarrassed that their new and expensive system is so easily bypassed. The court action is their way of trying to demonize the students and hope this problem will be swept under the carpet.

Unfortunately the more they try to suppress this information, the more people will want to know what it is.

up
Voting closed 0

Weren't they going to do their presentation at a convention in Las Vegas in front of people all around the country? I can see the fear in the MBTA's eyes: people learn of the hack, and eagerly fly to Boston from cities near and far with their free Charlie Cards, swipe their card at Airport, ride to Wonderland and back, then fly home, giggling maniacally.

Am I missing something here?

up
Voting closed 0

Cost of an airplane ticket: 500 dollars. Money saved by cloning a charlie card: $1.70. Getting away with it: priceless.

And it's so easy to do! Don't you have a card cloner just sitting around your house somewhere?

up
Voting closed 0

A letter in today's Globe suggesting that Grabauskas "was browbeaten by his legal staff into wielding a sledgehammer" reminded me that, indeed, the T's legal staff is made up of the type of attorneys who give attorneys a bad name -- smug, dismissive, obfuscatory and unfortunately, entrenched. Not to excuse SUV-driving Manager Dan, since he was hired to, you know, manage the place, but the motto for his legal advisors' office is "We don't care, we don't have to. We're the MBTA."

While Patrick's shaking things up (kinda sorta) in other state authorities, he and the legislature need to be looking into some tree-shaking over at the Transportation Building, starting with the T's once-respected GM.

up
Voting closed 0

Good analysis by Harvey Silverglate on how the T managed to convince two judges that national security is somehow at stake in this case.

up
Voting closed 0