On Friday, the MBTA sued MIT and three MIT students, claiming that the students planned to present a paper at the DEFCON hacker’s conference explaining how to circumvent the security on the T’s Charlie Cards and thus create counterfeit cards. At a hearing held on Saturday (!), Judge Douglas Woodlock of the U.S. District Court in Boston granted the T a temporary restraining order forbidding the students to provide any information that would assist someone else to circumvent the T’s security system.
I’m sorry I don’t have links–the lawsuit documents are available on the PACER system at the Court’s website to those of you with PACER passwords, or at the courthouse. The docket number is 08-11364.
There is obviously a concern here about the constitutionality of a prior restraint on speech–the idea is that in general, the government can’t forbid speech, even if the speech can be punished after the fact. There is probably an exception for national security secrets, etc. My suspicion is that Judge Woodlock’s order wouldn’t pass constitutional muster.
But also worrisome is the notion that trying to keep a lid on these undergrads’ results will improve the T’s security. The truth of the matter is that if these three undergraduates can defeat the Charlie card, than lots of people can. The T is opting for the illusion of security rather than real security, e.g., open-source security that can be vetted and tested by anyone.
TedF
http://www.eff.org/press/archi…
I really don’t think so. I don’t think there’s anything about divulging those secrets that relates to free speech at all. It’s encouraging and enabling people to break the law and steal from a public asset.
<
p>No, actually probably very few people can defeat the Charlie card system without the help of these jokers. That’s not to excuse bad security from the T, but the students could have done the responsible and correct thing by contacting the T first. (If in fact they did, then this little tirade is, of course, “non-operative.”)
Really? They were planning, literally, to “speak” about this subject at a conference, and their speech is clearly on a matter of public concern (namely, the security of the T’s Charlie Card system). Sounds like protected speech to me, and I would agree with Ted that the constitutionality of Judge Woodlock’s order seems highly dubious.
<
p>Furthermore, it’s not as though these guys are former T employees publicizing information that they agreed to keep confidential — that might be a different case. Rather, they appear to be independent outsiders who want to talk about how vulnerable the T’s security system is to being hacked. Would it have been more “responsible and correct” to talk to the T first? Maybe, maybe not (one could argue that they will get a lot more attention and likely a quicker response this way). But even if so, that doesn’t mean that their chosen course is not constitutionally protected.
Do you think it was legal to hack the cards to begin with?
<
p>If not, why is it legal to publicize how to hack said cards?
<
p>Just asking. Good responses to my previous comment, which makes me rethink. I’m just not as reflexively supportive of the “information wants to be free” meme anymore.
Legal to reverse engineer the cards, figure out how they work, and figure out how to hack them? Yes.
<
p>Legal to use the counterfeit card to board a train or bus? No.
<
p>TedF
And the issue here. After all, the judge has forbidden them from discussing what they did, not convicted them for doing the research in the first place.
<
p>Free speech is an interesting academic aspect of this matter (although the students probably think it is rather more immediate and less conjectural!).
<
p>The more important aspects, however, it seems to me, are (1) The T has a multi-million dollar system that can be hacked by undergraduates. That is a problem unlikely to go away on its own, and (2) T management is trying to treat the symptoms rather than the illness.
<
p>I personally think the students should be allowed to present their paper because this will encourage the T to adopt a real solution, rather than the legal equivalent of fingers in one’s ears.
<
p>I wonder if this would have happened if the T were privatized, like the much better mass transit system in Hong Kong?
<
p>If you’re willing to include public-private partnerships, I submit to you: TfL, the London transit system which uses the already-hacked oyster card and who’s subways are managed by private companies.
<
p>To be honest, I have no idea which part(s) of the public-private partnership were responsible for the TgL going with the oyster card.
It’s illegal to grow marijuana.
It’s legal to publish documents explaining how to grow marijuana.
<
p>Many other things could be substituted.
<
p>Well, speaking inexactly, if it was impermissible to enjoin the publication of the Pentagon Papers, it’s probably impermissible to enjoin the publication of the students’ paper. Somewhat more exactly, this speech doesn’t seem to fall into the categories in which prior restraint is permissible, e.g., revealing troop movements in wartime, or publishing obscenity, or inciting to violence. (Near v. Minnesota, 283 U.S. 697, 716 (1931)). On the other hand, there may be more recent cases dealing with hacking specifically. I’ve quickly read through the MBTA’s brief (again, I’m sorry I don’t have a link), and it’s interesting to me that the T doesn’t seem to have cited such a case, which leads me to believe that there isn’t one.
<
p>TedF
Suppose they were going to encourage and enable people to break the law and
steal from a public asset.build a hydrogen bomb.<
p>That was that 70s case when Howard Morland anncounced he was going to publish a how-to article on H-bomb building. I think the government sought a restraining order but I don’t recall the case ever going to court, because he decided not to publish. Each matter, (build a bomb or rob the T) is pretty clearly prior restraint of speech stuff.
<
p>The standard: Court has to determine if the substantial risks of imminent harm outweighs the cost of prior restraint, no?
The H-bomb case is inclusive, because although the government won a preliminary injunction, it abandoned its case before an appellate court could rule, perhaps because it thought it was about to lose. The trial court’s decision is here.
<
p>And on the standard, yes, the court weighs the risk of irreparable harm, but the plaintiff must always make some showing of likely success on the merits.
<
p>TedF
<
p>Did I just encourage you to break the law and steal? Of course not. I did tell you one of many methods to do it though.
<
p>2. Jokers? Hardly. They look at security in an academic sense, analyzing and applying known work-arounds. Defcon is a major conference and absolutely essential for good security. Another talk at Defcon this year was how to pick the White House locks with a photo of the key, a shrinky dink, and a paper clip. I would hope that those who are in charge of White House security pay attention.
<
p>3. Security is never absolute, be it physical [lock] or digital [Charlie Card]. Exploring vulnerabilities is an important part of improving security, and it’s certainly not the job of those MIT kids to do it for the for-profit company who sold their system to the T.
<
p>4. Let’s be clear. Hacking the card to not pay a far does not “constitute a threat to public health or safety.” as the MBTA claimed and is referenced in this article.
<
p>5. If the MBTA contract doesn’t find the maker of the CharlieCard liable for crack-based fraud, shame on the MBTA for both (i) buying a substandard product and (ii) not making sure the vendor isn’t on the hook for the vendor’s substandard work.
<
p>6. When the students contacted the MBTA, they found out that the MBTA mentioned an FBI investigation into the background of the three students. Not exactly friendly behavior by the MBTA. At that point, I’d have walked out of the room and make it my mission to publish the crack. After all, the MBTA made it clear that they didn’t want to work with these three security experts, and at that point the experts owe the MBTA zip.
3. Security is never absolute, be it physical [lock] or digital [Charlie Card]. Exploring vulnerabilities is an important part of improving security, and it’s certainly not the job of those MIT kids to do it for the for-profit company who sold their system to the T.
<
p>Isn’t what the T is doing a form of security? Yes, security is never absolute, so part of maintaining it is stopping people from teaching how to exploit vulnerabilities. There is no system that could be devised that couldn’t be hacked, so therefore security consists of stopping hackers.
the T’s ability to do so is constrained to some extent by the Constitution.
What a devastating riposte, good sir! I can see that I am no match for your astonishing mental prowess. How foolish of me e’en to have engaged you on a matter as to which you are clearly so expert as to require no further illumination of your views.
that doesn’t have a million counter assertions, all written by lawyers, and i’ll eat my hat (or finish my Honeycomb).
<
p>
<
p>Well, yes, indeed, that clears things up quite a bit.
“reinterpretations” of “habeas corpus”, “cruel and unusual punishment”, “search and seizure of personal papers without a warrant”, etc. by the likes of John Yoo and David Addington- there is little in the Constitution that is not subject to debate- at least until the Supreme Court weighs in. Could this be a case headed in that direction?
The substance of They’s argument (yes/no and nyah nyah nyah) is also the essence of many of the Bush administration’s arguments: assertion, not reason.
<
p>No doubt that is why David doffed his hat to the commenter: “What a devastating riposte, good sir! I can see that I am no match for your astonishing mental prowess. How foolish of me e’en to have engaged you on a matter …” etc.
<
p>Incorrect. Instead, consider:
<
p>There is no system that could be devised that couldn’t be cracked, so therefore security consists of ensuring that the value of obtaining access to the secured item or items is less than the expected cost of obtaining the item, where cost is measured as the combination of time required, expense, risk of harm, risk of incarceration, etc.
<
p>Firstly, at the risk of being pedantic, those who break into a secure area or system are crackers, not hackers. Hackers explore like the three kids did, but they don’t exploit the hole themselves. Secondly, it’s true that making it more difficult to disseminate the information falls under the category of time, ie time to learn and understand the information necessary to perform the crack. But to be clear, the goal isn’t to stop hackers but rather to make the burden of access more costly than the value of the secured item for crackers.
<
p>The lock on my door won’t stop someone from breaking it down — but it will require the person to either (a) use a pick or (b) kick it down. The former requires an investment in time [learning to pick], money [the picks], and still presents a risk of being caught in the act. The latter relies on the noise generated by breaking the door and the time required to generate suspicion from a neighbor. In neither case does my locked door “stop” the person from B&E; it merely slows them down and increases the risk that they’ll get caught. Security is never as simply as “stopping” a threat precisely because, as you mention, there’s no system that could be devised that couldn’t be hacked.
Actually, it is exactly that: speech.
<
p>MiFare Classic has serious security vulnerabilities. Their main tactic for protecting the “security” of the system seems to be to try to squelch all discussion of its vulnerabilities. However, there’s really no way anyone can argue that telling people about those vulnerabilities is anything other than speech.
<
p>London’s tube bought the same system and is having similar issues.
<
p>I wish we’d learned this lesson already: Just because you wish someone weren’t saying something, doesn’t mean suppressing their ability to say it is a good solution.
considering that it is ultimately the only solution. One person figuring out a crack isn’t a big problem, them telling other people how to do it is a big problem. We also can’t stop someone from figuring it out in their bedroom, nor, if they truly figured it out, stop them from using their crack. But we can stop people from telling other people about it, because that’s the point when they emerge from their bedroom and expose themselves. That’s where they do the damage, and that’s where we can catch them.
Catch them? Do the damage?
<
p>You’ve got it exactly backwards. Discovering or teaching someone how to use technology ‘for evil’ isn’t itself evil, nor is it criminal. Committing the crime is evil and criminal.
I think committing the crime of fare-evasion is rather benign and forgivable, but teaching others how to do it is very damaging and unforgivable. If you want a free T, get it through democracy, not by breaking the backs of honest people. And it’s the only place to catch people, unless the crack isn’t effective and they can catch people as they use it, in which case arrest them then too.
And that’s fare-evasion. Teaching others how to do it is neither damaging nor unforgivable. Enough with the thoughtcrime. It’s doing that’s criminal, not merely talking about it, thinking about it, or fantasizing about it.
<
p>Each and every time someone tries the crack, they could be caught. Furthermore, the system can simply be repaired to the state it should have been in anyway.
<
p>Come on, this was Defcon 16, held in Vegas. Few people there live in or near Eastern Massachusetts, and few Americans not there have ever heard of the Defcon conference.
<
p>Pssst. Want to skip fare? Just follow someone closely in. Or in outdoor protected stations, come in trackside or through an emergency exit door. Or on the green line get in on the back when it’s crowded, after holding up your CharlieCard that doesn’t have monthly fare paid but rather the standard debit system.
<
p>There. I just taught you a number of ways to break the backs of honest people. Surely what I did was very damaging and unforgivable, right?
and everyone knows about those simple ways, and yet not many do them. This kind of thing is different, just like people feel copying music or software is different. People that would never steal software from a store don’t have a problem unlocking software with a crack. It’s like its an entitlement to get free software if you are smart enough to know how, and if that mentality were applied to the T, many many more people would become fare evaders. You don’t want that to happen, do you?
Why don’t people do them? Because the reward [saving $1.70] isn’t worth the cost [risk of getting caught, shame in stealing]. Would it be any different if you were stealing a fare electronically?
<
p>It would. It would be far more expensive. They had to buy equipment worth hundreds of dollars, write software to access that equipment, and then identify the CharlieTicket mag strip code sequence.
<
p>They show the equipment necessary and publish the strip sequence, but they don’t publish the software necessary.
<
p>To replicate their hack, you’d have to invest close to $500 and spend hours (10? 100?) writing software to edit the contents of your CharlieTicket. You’d also have to take care to maintain the checksum, and update fields in addition to the “value on the card field” and if you made a mistake you’d run the risk of getting caught by the MBTA police, who might very well be on the lookout for modified cards.
<
p>All to save $1.70 a ride or $59 a month when, as they point out, there are far cheaper and easier ways to skip fare.
<
p>Given how easy it is to steal fare now, you feel that
and I just don’t see it. The investment in money is hundreds of dollars, in time is perhaps a hundred hours, and the risk of getting caught is not insignificant. All to save a few bucks? There’s a reason that people stealing money from copy machines is such a rare event — the reward just isn’t worth the risk.
<
p>Is that important to your argument? Why? I thought it was about free speech, saying not doing, etc. But now you seem to agree that publishing the software would be wrong, so where exactly is the line? I agree its not a crime to say “you could create counterfeit cards,” it becomes a crime when it actually enables people to do it.
<
p>And the profit potential of being able to create working CharlieCards (is that a crime?) and sell them (is that a crime?) would be worth a big investment. If they work, people would be happy to buy them for half price. But you apparently think no crime has taken place until someone uses one. Not only is that arresting the wrong person, it assumes they wouldn’t work as intended. If they don’t work, then there is no problem. I can make cards that don’t work.
<
p>
I’m merely pointing out that the actual likelihood of others replicating the hack and, in fact, making it a crack, is very low and would result in a cost to the MBTA so small that it’s irrelevant. As for the rest…
<
p>
<
p>I don’t know, but I suspect not.
<
p>
<
p>If you represent them as authentic, certainly. If you represent them as fugazi, then I’m not sure, particularly if you use a card with magstripe that isn’t an actual CharlieTicket.
<
p>
<
p>If they knew they were counterfeit? I seriously doubt it. T rides don’t cost enough for most people to justify risking jail time to save $0.85.
<
p>
<
p>Or sells a counterfeit card as if it were not counterfeit. Do you have any evidence [say, something in the MGL, US code, or a court case] that suggests otherwise?
<
p>
<
p>It may or may not be arresting the wrong person, depending on whether or not the person knew the card was fugazi. If he knew, then it’s arresting the right person. If he didn’t, then there was a crime that already took place when the vendor misrepresented the item sold, and it isn’t hard to go “up the chain” to the person from whom the card user purchased the counterfeit card.
<
p>Both of these scenarios make terrible business models. When the Herald shows a headline about people getting arrested for buying “discount” MBTA cards, the customer pool will dry up awfully quickly.
It’s only a terrible business model if the word on the street is that they don’t work and you might get arrested. So being able to catch them is certainly key to their security, as is having the Herald publish pictures so that the market evaporates and no one tries. (didn’t the herald already do an expose about rampant fare-evasion, and show some people getting arrested? and yet, people keep trying, to save that $1.70)
<
p>But that business model is quite promising if it is based on hackers being allowed to research and publicize and work together to perfect ways to not get caught, without any fear of being arrested themselves. Sorry, but if it isn’t already, that should be a crime. It’s easy to separate that from protected speech. And in this case, though it is clear now that it all was protected speech, a prior injuction was called for, since these guys announced in advance that they were going to distribute a working hack. I don’t think it should be legal to facilitate theft, to teach people how to get away with it. Or books on painless suicide for that matter.
<
p>While I’m on a tangent, this is similar to people thinking that marijauna possesion should be decriminalized if you have an ounce or less. It’s actually quite the opposite logically: here the users are allowed to get away with it, while the facilitators of their use are arrested. So how could most people on this blog be so illogical? I think it is just self-interest, white college kids struggling with the burden of intense self-righteousness. They smoke but don’t deal, and hack but don’t steal. At least not when they might get caught.
That, essentially, is the same logic that is used to support government secrecy and all sorts of other closed-society ideas. It is in direct opposition to the very successful founding ideals of this country, though. It is also wrong, even though it may sound compelling.
<
p>The idea that we should legally suppress information because that information makes it easier for people to ride the T for free is about as fundamentally un-American an idea as I can think of.
They met with the MBTA and were surprised about the court filing a few days later because they thought they had satisfied the T’s concerns.
<
p>However, it’s not the court’s place to judge whether they were mean or nice, or morally right, it’s the court’s place to judge what’s legal. The court got this one very very wrong, IMO, and I hope it will be overturned and I hope the appeals court gives this judge a very serious verbal blasting. What he did is far more harmful, irresponsible, and dangerous.
Just peripheral knowledge as portrayed in the posting, could lead one to assume that these individuals met, engaged in behavior and conduct to undermine the fiscal and public safety of the MBTA, engaged in conduct that should anticipate that one or many would use that information to engage in theft from the MBTA. Ergo conspiracy. I would assume that the Middlesex DA will empanel a grand jury—unless of course these lads are connected like Sen Marzilli.
How is the public’s safety compromised by some people getting rides they didn’t pay for?
take away the T’s money from fares, and (without corresponding subsidies from taxes) they can’t pay for anything: police, tracks, operator training, etc.
<
p>So maybe your argument is that the T should be free, paid for by taxes 100%. OK, but this isn’t the way to achieve that.
that a few geeks getting free rides is going to “take away” enough money from the MBTA to stop its operations? No – of course you don’t. You’re just mountaineering on a molehill, so you can pretend that your lawn order nonsense has some validity.
<
p>NYC’s subway system had a longtime problem with people jumping over the turnstiles to avoid paying the fare. Inexplicably, that didn’t cause the system to grind to a halt. Go figure.
MCRD, it’s very clear from the presentation itself that the students were not actually encouraging anyone to use their methods. They write: “THIS IS VERY ILLEGAL! So the following material is for educational use only.”
<
p>Do you have any actual evidence that the students actually conspired to use their counterfeit fare cards? If not, what is the basis for your post?
<
p>TedF
Trying to sell us on the notion that saying “Don’t do this, this is very illegal!” means something significant… Don’t waste my time.
Since the MBTA is partially subsidized by the feds, and that the MBTA may or not be involved in interstate commerce (I don’t know—sheer speculation) and the MBTA falls under DOT regulation, and these lads allegedly conspired to undermine the integrity of the computer systems by doctoring/counterfeting/adulterating the “Charlie” cards—-right off the top of my head, these lads may be looking down the barrel of more than several federal violations. Keep in mind that under federal law, conspiracy can be construed as talking to the guy next to you about spitting on the grass. As they saw in the world of jurisprudence—A grand jury can indict a ham sandwich. Shame these kids have all the brains in the world and not an ounce of common sense.
<
p>Next we will have the MIT crowd trumpeting, ” Hey we’ve found the way to crack the code for switching the MBTA rails at rail junctures and stop and go codes for the locomotives, but don’t do this because it is illegal and will kill people.” Of course they should be held blameless because their intent was not to cause mayhem, injury and death. Ya—OK kid.
<
p>Like I said—prosecute them and let a jury of their peers decide—-it’s the American way.
That’s not much of an answer, MCRD. All you’ve done is misstated the law of conspiracy (which requires proof of an agreement to commit a crime, not just discussion of a crime) and pointed out that it’s easy to obtain an indictment.
<
p> I take it that there is in fact no evidence of a crime?
<
p>TedF
They could totally use that to send those conspirators to Leavenworth!
and talked about it with a friend. Ergo he and I should be booked with conspiracy to rob banks, right?
Care to guess what the consequence will be? And yes, you talk to someone about knocking off a bank and you are guilty of conspiracy. Like these local marshfield kids who did nothing other than talk about killing classmates and blowing up the school. They all went to jail, except for the two threw up on the other two. More interesting the initial rat, who originally threw up on his fellow conspirators went to jail. Moral to the story is you better watch what you say and to whom. I’m not condoning it. Personally I believe it is prosecutorial misconduct, but the SJC didn’t seem to mind, and the original rat and chief conspirator was highly connected—-not that it did him any good.
Don’t know what case you’re talking about, and we’re getting pretty far afield, but even if there’s an agreement to commit a crime, there’s no criminal conspiracy without an overt act in furtherance of the conspiracy. Right?
<
p>TedF
Publicizing a weakness in security systems is often the only way to get them fixed, and to put pressure on companies and future decisionmakers to get solid security. If you don’t embarass them, they will routinely and predictably take the easy way out – unless you can make them financially liable, whcih is even better than embarassment.
<
p>If, on the other hand, you suppress publication, the information goes through underground channels among those who want to exploit it for profit and who will try to keep it under the radar. Nothing gets fixed, the damage continues, people don’t know about it, and mistakes get repeated.
<
p>This is one example of a larger set of ideas that can basically be summarized as “open societies are more effective and successful than closed societies”, and is the larger theme that things like freedom of speech are part of.
software writers are good at creating more paid work for themselves, the Y2K bug being a good example of creating work to be done later by someone else. Now the most nerdy and sociopathic of them live to figure out how to make themselves heroes with burdensome security.
<
p>If the information would have gone through underground channels, then we need INTERPOL in those underground channels to start arresting people, like Mr. Anderson bringing in Neo (but in reality, Mr. Anderson isn’t a bad guy and the world isn’t a computer simulation – fyi)
You don’t sound like you’ve worked at a software company. Good solid security is something most “nerds” don’t know how to do in the first place, and it takes a lot of time and therefore expense for a company to design it into their products. They have to hire people with a security background, they have to make their products larger, and wait longer to release, and slow down adding other useful features that customers may want. It’s a business decision, and businesses generally don’t do it because there’s economic loss and not much profit in it. As long as they can make the right people believe their product is secure and responsibly designed, and do enough damage control, most of the actual damage and costs and risks of the lack of security in their products ends up falling on others. Companies won’t make different business decisions unless the economic motives change.
That question has come up time and again, but it seems that the conclusion most come to is that they’re just different, each with their own strengths and weaknesses.
<
p>
<
p>Another good article on the pro’s and con’s of both open and closed source.
<
p>Also, a wikipedia page on the two.
That’s very interesting. I’m not an expert on this stuff, so maybe I’m off base. But it seems to me that once you know that someone has compromised your security, you ought to bet that someone else can do the same thing. Maybe you’re right and closed-source security is better in some cases, but that seems to me to be even potentially true true only while it still seems that no one has broken the security. Also, I am not sure that any of your linked articles make much of a case for closed-source being more secure than open-source, but I don’t want to debate what the articles say.
<
p>TedF
I think there’s a difference between “open source” and “closed source” security in the sense of publishing or not publishing the details of how the system works, and “open source” and “closed source” in the sense of owning up to and fixing versus denying, hiding or censoring flaws that are discovered. I don’t have too much trouble believing that, all else being equal, systems whose workings aren’t published are neither more nor less secure than systems whose workings are. But you’re quite right that when a flaw is found (and it’s almost always when, not if) trying to shut up the people who found it and prevent knowledge of it from being made public is counterproductive (and this is where all else isn’t equal, because with a system that’s completely open in the first place, it’s almost impossible to try to hide flaws this way).
If there is a hacker sub-culture that would now turn all their attention to the T because they tried to stop a hacker from publishing this, that is a problem that should met with greater force, not backed down from. These kids aren’t heroes who can do no wrong, they’re sociopaths who should be locked up for a long time.
That’s a pretty nice false dichotomy there, but I’m sure with a little work you could make it even more extreme.
http://poetry.eserver.org/light-brigade.html
<
p>TedF
Sheesh–second typo today!
Our military aircraft have encryption equipment that changes frequencys 5K/Sec. It’s been broken.
<
p>USA now has the capability to capture enemy radar pulses, transform them into what we desire, and retransmit them back to the originating energy source. An F-22 Raptor becomes forty Raptors, or a barn swallow.
<
p>Anything is possible and nothing is safe.
Weighing the merits of open vs. closed “security” is one thing. Enforcing one’s concept of “closed source security” after its weaknesses have leaked, by attempting to suppress speech, is insane, ridiculous, and absolutely not part of weighing the comparison between the two.
<
p>Furthermore, those aspects of the CharlieCard system that “leaked” didn’t actually leak from a truly “closed” system – they weren’t truly secret to begin with. If they were accessible to some people outside the system, then they were accessible to other people outside the system as well. That means that those portions of the security system here were neither open nor closed, merely obscure, a middle-ground that falls outside of the comparison you’re citing.
<
p>I do think his conclusion is not quite right, and that in general secure systems need to depend on keeping as little of the system as possible “closed”, because the more of it you depend on keeping closed, the more vulnerable you are. However, his conclusion also doesn’t apply to the situation we’re looking at here.
In the post and in the comments you’ll find .pdfs of the MBTA complaint, the judge’s order, and a copy of the banned presentation with some entertaining pictures.
<
p>Follow up UH post here.
…it would depend upon how you came across that information and the intent behind publishing the number.
<
p>Why not ask Google?
http://tswartz1.typepad.com/ne…
is I probably would have never read any of this if the T just let the kids do their presentation. Now, I got curious. Now, I better understand how to be an elite Charlie haxxor.
you’re not a lawyer.
but it made me laugh hysterically. Says who? Grumpy gramps? My guess: absolutely nothing happens to these kids, except for the fact that the MIT just chose to give them a solid few minutes of fame. In the end, this will be remembered as the new attack of the Mooninites in Boston. Do all of our public agencies in Massachusetts have to be so pathetic?
the mbta, not mit.
You should acquaint yourself with Mr. Sullivan. He’s an Abington lad. Mr. Sullivan is a big believer in “thought crimes.”
closed the barn door after the horses left. The MIT kids distributed CDs with their presentation on it to Defconeers the day before the RO was issued. As if that weren’t enough, the MBTA included the students’ vulnerability report in their lawsuit, so it’s now public. The report includes more damaging material than the Defcon presentation did.
truly.
In regards to the publicity of these ‘security’ problems.
<
p>1. MIT kids make presentation to some hacker convention no one pays attention to. Not interesting, not covered by the media, almost know one reads the kids’ report.
<
p>2. MBTA takes kids to court. A little bit more interesting, but still not a real story. More people read report.
<
p>3. MBTA tries to prevent kids from having the freedom of speech, paints them out to be hackers who’d give free Charlie Cards to everyone, ignores the fact that they these kids were actually trying to help eliminate the system’s vulnerabilities – making this look like Boston’s newest attack of the Mooninites. The story’s now far more interesting, with plenty of intrigue for everyone. Newspapers will cover it – with potential to grow into major story. Suddenly, everyone’s wanting to read the report on how to bust a Charlie Card. Along with being wicked funny, the very nature of today’s internet means that this report will widely available due to the MBTA’s incompetence.
<
p>Good job, MBTA! Seriously, though, can we have one state agency that’s prepared to deal with today’s internet and younger generations in ways that actually, well, make sense? I’d be happy to host some sort of a conference to train them… my rules for success for the state’s agencies will mainly be built around the primary rule in the Hitchiker’s Guide to the Galaxy: don’t panic.
this story was on the national part of NPR news this evening. The MBTA has done a splendid job of transforming this molehill into a mountain.
may not attract the attention of the average citizen; however, it does attract the attention of the attendees, who shall we say are those types who hang outside of TJX stealing millions of credit card numbers. I wouldn’t laugh away the situation, Ryan.
Yeah, TJX certainly improved “public safety” and the financial security of their customers by keeping everything secret. Secrecy’s great for security!
<
p>(Note: sarcasm)
but not sure that whether we read about it or not was their (misguided) concern over at the MBTA; rather having the hack exposed at Defcon.
<
p>Of course if these MIT kids were actually up to no good, I’m sure that the last thing they would want to do is actually publicize the security flaw (although I don’t exactly know how much you’re going to net with free subway rides v. cleaning out credit card accounts).
I’m not sure what you’re saying in that first sentence. What do you mean?
<
p>BTW, it was exposed at DefCon because the slides from the talk were already distributed to attendees on CD before the MBTA went to court and got the actual talk cancelled.
<
p>You’re right of course that if their goal was to actually get free subway rides, they’d have kept quiet, but perhaps you missed the fact Professor Rivest (one of the best known and most respected names in cryptography) supervised their work. It was intended as research.
there was nothing to do about the presentation, either. I’m saying they handled it in the worst. possible. way. imaginable.
<
p>The MIT students weren’t going to include the exact way they did what they did; they in fact gave a report to the MBTA on how to close those vulnerabilities to the same folks at DefCon who you’d be worried about couldn’t have such easy access.
<
p>The people at DefCon who could take the presentation and run with it likely already had the skills necessary to know how to bust the Charlie Card system – upon reading the actual presentation, I can see that it isn’t exactly rocket science.
<
p>I’m not trying to laugh away the situation at all; I’m just saying that I couldn’t possibly imagine a way that the MBTA could have dealt with that would have made the situation worse. They took what could have been a good thing – an invitation to fix their security problems – and created it into a press nightmare. All the while ignoring the fact that plenty of people are already getting free rides from such ‘high tech’ methods as taking the back door on the Green Line.
sorry I didn’t edit this. LOL.
not exactly known as the Rand Institute. Cut the well-connected folks some slack… they’re still trying to figure out how to get those internet tubes turned off so that this won’t spread any further.
but I am a Republican so type slowly…
<
p>Are people here in favor of these guys hacking into the T system and exposing how to ride the “T” for free? The system is already having huge financial problems, ridership is up due to fuel costs and the Gov is trying to work on many issues within the state and could use stability where ever he can get it.
<
p>So… are the people here in favor of “hackarama” with all of the problems it will cause or are people here saying we should follow the law (both legal and moral) and do the right thing. If education is the goal, I’m sure the “T” would take all the information these hackers used to break the system and fix it better.
<
p>Strange comments.
i really want to know.
The other people who replied sound like they DO want to jeopardize the system citing First Amendment rights. I am not a huge fan of the “T” but I would draw the line at anything that hurts the system. If it has flaws then let them know so they can fix it.
<
p>If someone lost their pocketbook, should the person who finds it publish your name, phone, address, credit card numbers, driver’s license numbers… to teach you a lesson about being so “careless” with your personal information… or just return it and say “be more careful”. I don’t care about the personalities on either side but I do care about the system and all the systems that run our society. Just because you CAN do something doesn’t mean you DO IT.
That’s what the kids were trying to do. They had a generic report they were going to give at a convention with people they actually cared about (wanting, I suppose, their 15 minutes in that crowd), but who represent a very tiny segment of the population at large. The report did not actually teach people how they did what they did. It was no more instructive than the list of ingredients on the side of my box of Cheerios.
<
p>Furthermore, they gave a more detailed report to the MBTA with the intentions of closing the existing vulnerabilities. They were, in effect, offering to help the MBTA make sure people couldn’t hack into the system. The MBTA refused their help and took them to court instead. Smart.
<
p>
<
p>Funny, I think that was the same exact point that the students were trying to make. Apparently, these source that you’ve been reading all day were the wrong ones…
<
p>Speaking only for myself, I’m in favor of exposing the apparently quite significant flaws in the T’s security in order to force the T to improve the security and prevent fare-hopping. The T apparently would prefer to believe that it can conceal the security flaws–a hopeless task, as these hackers have shown–than to fix them. That’s counterproductive, in my opinion.
<
p>There’s also the constitutional problem–the T’s TRO seems constitutionally dubious to me for reasons stated earlier.
<
p>
<
p>According to Cos, the students had discussions with the T, which went ahead and sued them anyway. I don’t think we have enough information to know what the students told the T. I find your faith in the T’s bureaucracy touching, coming from a Republican, but I am not sure I share your faith that the T would have taken the students’ information and spent major money to repair the system on its own.
<
p>TedF
Freedom of speech is more important than covering the asses of the MBTA’s security people. The damage from diminishing the former would be much greater than any conceivable outcome of the latter.
People here recognize the fact that the way the MBTA behaved was very stupidly. A) It’s a publicity nightmare. B) It ensures that more people will read the power point presentation, not less. C) It may just piss off a few hackers enough to actually produce these cards.
<
p>Go read the report: doing what they did would cost people hundreds of dollars. With the same technology and far less time spent into a project, they could come away with something far more profitable. What I’m in favor of is a state agency that can deal with the younger generation and the ‘internets.’
<
p>Also, if the T was so concerned about people stealing free rides, maybe they’d instruct a few more of their drivers to shut the back doors on the Green Line. That alone must lead to hundreds of free rides a day… far more than these fancy card tricks ever would have accomplished.
Hundreds? I’d bet you missed at least one zero. Then there’s Red Sox gameday freebies, above ground secure station fire exit entries [like on blue line], below ground secure station fire exit entries [like on red line], unlocked doors all over the system, following a person through the “turnstyles” closely, hopping over the “turnstyles”, getting on a bus free because it’s dollar bill machine is full, wearing an MBTA ball cap so the driver doesn’t charge you, etc. The number of free rides is high, although tiny as a percentage of rides.
<
p>And, by the way, let’s look a bit at the MBTA budget.
<
p>Revenue:
$386 million Revenue from transportation
$ 45 million Revenue from “other”
$734 million Revenue from sales tax
$139 million Revenue from local assessments
$ 24 million Revenue from “other income”
<
p>So — to recap, fares make up less than 30% of the MBTA’s revenue. If 1 out of 3000 people get a free fare, it dings the MBTA total revenue 1.0%. Nowhere near one in three hundred are getting a free fare, even including all of the ways to get free fares from above.
<
p>So, relax people. The crack is hard to do and expensive. Very few people are even capable of doing the crack, fewer of those are immoral enough to do it, and fewer than that would also find it worth the hundreds of dollars and hours investment.
<
p>The real issue is that the MBTA is carrying over $5 Billion (with a B) in long term debt, not a couple techies ripping off the T for free rides. If we increased the sales tax from 5% to 6% for one year and allocated that extra money to MBTA debt, we’d cut their debt by 15% at a public cost of about $10/person/month for that year. Cut their interest payments by 15%, and suddenly their heads are above water again. The Lege doesn’t have to give the MBTA the money either — they could just pay for some new capital projects the MBTA was going to pay for, letting the MBTA CIP budget get paid for out of the increased sales tax for a year. It’s not my favorite way to fund the T [I’d prefer an increased tax on gasoline and/or low MPG vehicle purchases], and I’m not arguing that the MBTA management and rank & file are in a position to do great work with the proposed cash infusion [as opposed to pissing it away], but a plan like this could do a tremendous amount of good. Or, we might have citizens throwing buses in the bay due to the higher “T” tax.