Sunday 10 August 2008
A trio of MIT students found security weaknesses in the MBTA, the Boston public transportation system, colloquially known as “the T”. The students were going to present their findings at Defcon, that is, until a judge ordered them not to.
Of course, the injunction did far more to spread the news than the talk alone would have, including making public the students’ whitepaper about the vulnerabilities. Their slides, Anatomy of a Subway Hack, are also online, including a photo of an over-the-top modded shopping cart that they somehow used as part of their work.
How many times do we have to see this story played out? A system is deployed with poor security, someone figures out the weaknesses and tries to talk about it, and is sued to prevent disclosure, which only makes the information even more available to the public. These injunctions are like putting a flashing red light on top of something: they only attract more attention to the situation. The presentation slides have already been distributed to all Defcon attendees; that toothpaste is not going back in the tube.
The MBTA should either decide that this is not that big a deal (how many people are really going to hack RFID cards to get on the T for free?), or get to work designing improvements. And they should hire these students to crack the new system before it’s deployed.
Comments
A lot.
It seems that the RFID uses one of the strongest encryptions possible for the low power CPU. The card has neither the batteries nor the heat sink that you are used to in your laptop.
If the city managed to make the perfect solution (which will be breakable in a few years of CPU improvement at Moore's law rate) then they would saddle the taxpayers or riders with hundreds of thousands of dollars of cost. As opposed to losing a few hundred dollars in the hands of a capable hacker who will do it for fun.
The court decision is correct in this case, from the common sense perspective.
You can get a copy from Wired's Threat Level blog here:
http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf
If the MBTA believes that its security is the best that could be achieved, then they should accept the consequences of their design. Trying to muzzle discussion of their (public) system is pointless and will only hurt their efforts.
BTW, here's a radical proposal: make the T free. Then we wouldn't need any of this infrastructure, and wouldn't have to worry about its security. We wouldn't have to spend tax dollars to build this bogus system; we could spend them on providing public transportation. Roads are nearly 100% subsidized infrastructure for cars, so why not provide subsidies for alternatives to cars? It would also speed service, since people could board trolleys faster without stopping to pay, and could use all the doors on the trolley instead of just the front door to get on.
I used the T only a couple of times. From what I observed, I could not agree more: making it free would save money. However, a free subway in New York City would probably attract a lot of homeless people, or poor people who would otherwise walk a couple of blocks to work. People also tend to take less care of things that they perceive are free. Plus tourists get to ride for free, making congestion at rush hour while not paying taxes.
This "radical proposal" of free worked for online newspapers, and did not work in socialism (health care, education, roads - all free but crummy). It would be great if Boston did the first experiment.
But yeah, it still works if I attach the antenna leads.
Each card costs 2,500 won or roughly $2. Not bad eh?