Interview With MIT Subway Hacker Zack Anderson
Posted by timothy on Fri Aug 22, 2008 02:01 PM
from the clearly-a-terrorist dept.
longacre writes "In his most extensive interview since the DefCon controversy emerged, MIT subway hacker Zack Anderson talks with Popular Mechanics about what's wrong with the Charlie Card, what happened at DefCon, and what it's like to tango with the FBI and the MBTA. The interview comes on the heels of Tuesday's court ruling denying motions by the MBTA to issue a preliminary injunction aimed at keeping the students quiet for a further five months."
Related Stories
Your Rights Online: Massachusetts Sues to Halt Defcon Subway Hacking Talk 270 comments
According to CNET, "The state of Massachusetts has asked a federal judge for a temporary restraining order preventing three MIT students from giving a presentation on Sunday about hacking smartcards used in the Boston subway system." It'll be interesting to see whether Dutch-style openness or Soviet-style secrecy prevails in Las Vegas. Update: 08/09 20:57 GMT by T : "Too late," says reader Bluey: "Injunction was already granted."
Your Rights Online: MIT Students' Gag Order Lifted 160 comments
mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days. "Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."
The battle (Score:5, Insightful)
Re:The battle (Score:5, Insightful)
Unfortunately most people's minds are stuck in the 20th century. And don't consider how quickly these things can spread now. Say 15 years ago this happened, keeping it quiet would have given them a security advantage as it is easy to control the flow of information, so someone else who wanted to break in had to duplicate all the research again. However today once you try to silence someone the information flows faster, and it is harder to keep the information down, so when a problem is found it is best to fix it than put time in hushing it up. Sorry the world follows different dynamics now, adapt or parish.
Re: (Score:2, Informative)
Bad News (Score:2)
Quoting Douglas Adams:
Only one thing moves faster than the speed of light, and it's bad news, which operates by its own laws.
Or something or other like that.
Re:The battle (Score:5, Funny)
adapt or parish.
That's right! Change, or we're sending you to... church!
Obligatory IANAL (Score:5, Insightful)
US Constitution, Amendment I:
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.
Did I miss something here?
Not that I want a security system compromised, because I don't... but the 1st Amendment doesn't say "Congress shall ... abridge free speech in instances where a subway system is hacked".
no, not really (Score:5, Insightful)
Grow up - your free speech rights aren't absolute.
There's the classic example of shouting fire in a crowded theater, for example. There's various laws against disclosing all kinds of information - medical records (go to a hospital, and you'll find signs in the elevators reminding staff to be careful when discussing patients), state secrets, etc.
And that's not getting into the realm of lawsuits. I mean, I could go on for hours about how you molest your children while smoking crack, but you can sue me for libel and I'll lose if I can't back up my claims. If you sign an NDA and then announce a press conference to disclose stuff covered under that NDA, I can get an injunction against you to prevent your holding that press conference.
In this case, the folks running the subway got an injunction to prevent the disclosure of the hack. And a judge looked at the evidence and decided that they didn't deserve a permanent injunction.
Re:no, not really (Score:5, Interesting)
Yes, the old fire in the theater line... That's from the Holmes ruling in the Schenck case. Schenck was posting fliers bashing the draft for WWI and got swept up and jailed by the police. Holmes wrote for the Supreme Court majority that such speech was equivalent to shouting fire in a theater and Schenck (continued) his time in jail.
Remember kids: every time someone uses this line to define the limits on free speech, they are hearkening back to rulings that undercut the very purpose of the 1st amendment.
Re:no, not really (Score:5, Informative)
Very interesting. Further reference:
http://en.wikipedia.org/wiki/Schenck_v._United_States [wikipedia.org]
remember kids (Score:5, Insightful)
Every time someone picks a single item from among several used to make a point and rests their entire argument on it, you should be skeptical.
I noticed that you didn't mention the more applicable end of things, i.e., courts enjoining speech pursuant to a lawsuit, of the larger issue that free speech rights aren't absolute in the US, and never have been.
Also, Schenck vs. US was a bad decision, and fairly un-American in my view. But what Holmes said "The most stringent protection of free speech would not protect a man in falsely shouting fire in a theatre and causing a panic," is fundamentally reasonable, even if that justification wasn't appropriate to the case.
Re:remember kids (Score:4, Insightful)
The keyword there is FALSELY. It is not "illegal" to shout fire in a theater. In fact, I would hope that someone would do just that in the event of a fire. The key issue of the MIT students is prior restraint of free speech simply because a party doesn't like what they believe they might hear.
Re: (Score:3, Insightful)
The "shouting fire in a theater" thing is not a Free Speech issue. You have every right to yell fire in a crowded theater. Especially if there is a fire. What you will get in trouble for is the results of your speech. Free speech is and should be absolute. But; you are responsible for the results of your speech and you always have been.
Courts enjoining speech in a lawsuit or criminal case: This is not a law against free speech (as in congress shall make no law.) It is a judge doing his job in a specif
Re: (Score:2, Insightful)
the right of the people peaceably to assemble, and to petition the government for a redress of grievances.
They're not stopping anyone from assembling peaceably, and they're not stopping anyone from petitioning the government.
If these kids tried to petition the government to fix the system and a law was passed to prevent them then this would be a violation. However the government is preventing a party from addressing the assembly on a sensitive issue. I don't believe this
Re:Obligatory IANAL (Score:4, Insightful)
Re:Obligatory IANAL (Score:5, Informative)
Re: (Score:3, Funny)
If only the Founding Fathers had known LISP!
Re:Obligatory IANAL (Score:5, Insightful)
No, the right of free speech is about speech alone not being a crime for which one can be punished, or a source of harm for which one can be made liable. It's fairly obvious that freedom of speech is separate from the right to petition; just look at where the semicolons were placed. The amendment is addressing three different rights:
You wouldn't try to argue that freedom of religion is all about petitioning the government for redress, would you? The segment describing freedom of religion relates to the right of assembly in exactly the same way as the segment about freedom of speech.
You did miss something. (Score:5, Informative)
The US has tons of limits on free speech, including but not limited to restrictions with respect to
* perjury
* profanity
* sealed courtroom/trial
* threats
* slander and libel
* classified information
* treason
Re:You did miss something. (Score:5, Informative)
But no prior restraint here.
Most such restrictions get shot down in court; if it's about profanity in particular, they fall afoul not only of freedom of speech but of religion as well.
Again, no prior restraint here. And what constitutes a threat is reasonably narrowly defined, though prosecutors are always trying to stretch it
You have, perhaps, heard of the Pentagon Papers case? Where the Washington Post and the New York Times could not be enjoined from publishing classified information?
It's awfully hard to commit treason with public speech. Laws against sedition, on the other hand, have a long history of violating freedom of speech.
Re: (Score:3, Funny)
you forgot the biggest one:
no talking in the library!
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
The students didn't hack a security system. They hacked the toll-collection system of the subway turnstiles. The MBTA made some whiny noise about the hack being a security risk but evidently the judge didn't believe their argument.
Re: (Score:2, Insightful)
Re: (Score:2)
Yes you did:
Right argument, wrong backing. You want the stuff to the right of the semicolon: "... or abridging the freedom of speech..."
Re: (Score:3, Insightful)
Read "The Hacker Crackdown." When you have the ability to cause a blackout to the phone system of an entire US region - you most definitely do NOT have the freedom of speech.
And why not? Why shouldn't a student of security issues be able to discuss their findings about such a flaw with other security professionals? Why should someone, once they've gone to the trouble of investigating the situation and discovering such a flaw, be barred from legitimately profiting from that work? Just because it's inconvenient for the people who maintain the flawed system?
It sounds like the talk the MIT students were going to give would have satisfied both sides: allowed the students to legit
The real question I want to know... (Score:5, Insightful)
Did the MBTA learn a lesson here about making a mountain out of a molehill? They essentially took something that would have received almost no attention and turned it into a national news story and then publicly filed all the details in open court such that anyone with the wherewithal to defraud the MBTA now not only knew about the exploit but had the full details on how to do it.
Re: (Score:2, Informative)
Did the MBTA learn a lesson here about making a mountain out of a molehill? They essentially took something that would have received almost no attention and turned it into a national news story and then publicly filed all the details in open court such that anyone with the wherewithal to defraud the MBTA now not only knew about the exploit but had the full details on how to do it.
I doubt they learned anything. If I have noticed one thing about cases like this it's that they always seem to make the same mistakes. It's really just a matter (again) of people addressing the symptom, not the problem.
Re: (Score:2)
Obviously not since they have not fully dropped this case yet. The MBTA doesn't seem to have a full understanding of consequences either. In the interview, Anderson says that he still isn't planning on sharing the details of the hacks, even though there is nothing preventing him from doing so. I know if I were on the wrong end of a lawsuit, I would probably publish every detail of this information out of spite (unless I really t
Re:The real question I want to know... (Score:4, Insightful)
So? They *might* be exposing themselves to a higher frequency of short-term compromise but frankly the people with the know-how to do this and the equipment and the will don't exist in vast numbers.
The worst thing they could have done is 'play it cool' and downplay this. This would only encourage people to continue compromising their cards and give the MBTA little incentive to get off its collective ass.
As it stands now, this is so publicized that every transit organization around the world is freaking out about its level of encryption. This will have some pretty positive long-term consequences.
I'm glad they didn't play it cool. The Streisand effect sometimes has unintended positive consequences.
the more I read about this.... (Score:2, Interesting)
Especially this part:
They're filing a lawsuit right now, basically, and nobody's in court for us—just MBTA lawyers—and we don't fully know what's going on.
Interesting. So, no one at MIT was served or anything. The MBTA just shows up in court to tell their story and theirs alone? And asks for an injunction?
At least they didn't go nu
Re:the more I read about this.... (Score:4, Interesting)
the more it just seems someone at MBTA mistook their (MIT's) vulnerabilities report for the scheduled Defcon talk that Friday and panicked.
quote/
"The FBI agent said, basically, this is not going to be an investigation. We don't have anything here. Don't worry about it.
So we told them we'd provide them a vulnerability report, going over what we found, and also methods that could fix these problems, and they said we could get that to them within two weeks. We had actually planned on getting it to them within the week, before business hours ended on Friday, so they'd have this in their hands before we gave the talk. We felt this was a courtesy we should give them.
This report was not going over what we were speaking about at DefCon, that wasn't the point. Some other people at MBTA have claimed that it was, but the point of the report was to go over the vulnerabilities, and go over ways that they could fix them. That's what we provided them, and we got it to them that Friday."
end quote/
and that's where it went wrong I think.
Had that report arrived Monday nothing might have happened.
Re: (Score:2)
The moon rules! (Score:3, Insightful)
1-31-07 Never Forget
Damn right...
I like Boston but sometimes I feel like there's some kind of epidemic here that causes people to react to problems in the most brain-dead, paranoid methods possible...
Stored value cards are foolish (Score:5, Insightful)
Stored value cards are foolish.
They should only ever be used for identification and authentication.
The value being managed must always be stored and administered on the billing system itself.
This is why the responsible agencies (EZ-Pass, WMATA DC Metro, NYC Metrocard) should not, and usually do not, use stored value cards.
How naive of the MBTA to do this.
Cloning is still a problem with DC Metro and NYC Metrocard, but this is relatively easy to detect using database analysis and trending.
The security should lie with the central system.
Stored value cards are never secure--especially if you're depending on the obsolete version of MiFare Classic which should have only ever been used for authentication (serial numbers, keys, and scanned fingerprints).
Never for a so-called "digital purse" like MBTA used it for.
Re: (Score:3, Interesting)
OK, but if you have RFID and a weak key, an id/auth-only system still has the problem where you can effectively copy someone's card with an antenna, and then use it until $0. You just can't refill it for free as in the stored value case.
I haven't thought about this much, but while the auth/central billing approach seem
Re: (Score:2)
The central system provides protection because you can trend activity and fix things afterward.
Surely, it doesn't prevent it, but it does allow you to detect it and recover quickly.
The stored value mode doesn't allow either, unless, maybe, the central system gets not just the fare paid but the stored value per card ID, and you're tracking that at the central system. And, in that case you might as well be using a central billing system.
Re: (Score:2)
Except that the stored value + post-facto audit allows the stations to work even if they do not have connectivity to the main server 100% of the time. You could do a daily log dump/blacklist update from the station back to the central server. Given the number of turnstiles that are broken on the MBTA at any given time, having the turnstile free to operate independently of the mothership seems critical...
Re: (Score:2)
I haven't thought about this much, but while the auth/central billing approach seems more secure (if you fix the key problem), it's got a single point of failure that brings down your entire transit system, where the lower security value-store approach does not. Maybe in the real world that's not a big deal, I don't know.
That reminds me of an interview question I was asked a few years back which basically wanted me to sketch a design for an ATM network. As in all things engineering, there's a trade-off to be made. What you can do is have each terminal store a copy of the transaction. If the central billing system is up it validates the user's credit in real time: if not, it commits the transaction later. You can get free travel, but only if you can bring down the connection to the centre.
Re: (Score:3, Interesting)
A system that must communicate with a central database isn't very useful for:
* buses
* trolleys
* the commuter rail
Where a network connection isn't necessarily available as the reader must reside on the vehicle itself.
I'd be interested to hear how the other cities who don't use stored value cards s
Re: (Score:2, Funny)
They kindly request the sheeple to use dollar bills, and/or money coins. It's amazing technology.
Re: (Score:3, Informative)
You may have read my comment already but there is an advisory value stored on the card but it's not the authoritative record of the balance. As with the Oyster Card "hacks" in London the cards can be turned off within one day. The central billing system analyzes trending and riders are accepted into the vehicle based on the balance on the card. If that balance doesn't match with the central database the card is turned off within hours. Same happens with cloned cards which can be detected the same way ev
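The reconciliation this sub-thread describes (the card carries only an advisory balance, the central ledger is authoritative, and offline turnstiles upload their logs later), as an added example that is not from any commenter or from a transit agency. The fare, the five-minute threshold, the card IDs, the log layout and all sample data are constructed assumptions.

```python
from datetime import datetime, timedelta

FARE = 170                         # cents; constructed flat fare
MIN_TRAVEL = timedelta(minutes=5)  # assumed shortest trip between two stations

# Constructed central ledger at start of day: card_id -> balance in cents.
LEDGER = {"A100": 1000, "B200": 500, "C300": 340}

# Constructed top-ups sold through the billing system: (time, card_id, cents).
TOPUPS = [("2008-08-22 07:50", "A100", 500)]

# Constructed daily log dump from offline turnstiles:
# (time, station, card_id, balance the card claimed before the fare was taken).
TAPS = [
    ("2008-08-22 08:00", "Kendall", "A100", 1500),  # matches ledger after top-up
    ("2008-08-22 08:05", "Park St", "B200", 500),   # honest card
    ("2008-08-22 08:10", "Kendall", "C300", 340),   # original of a copied card
    ("2008-08-22 08:12", "Alewife", "C300", 340),   # copy: stale balance, other station
    ("2008-08-22 17:30", "Park St", "B200", 9000),  # value rewritten on the card
    ("2008-08-22 17:45", "Kendall", "A100", 1330),  # honest return trip
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def reconcile(ledger, topups, taps):
    """Replay one day in time order against the authoritative ledger.

    Returns (blacklist, ledger); blacklist maps card_id -> sorted reasons.
    """
    ledger = dict(ledger)
    flagged = {}
    last_seen = {}  # card_id -> (time, station) of the previous tap
    events = [(_ts(t), "topup", card, None, cents) for t, card, cents in topups]
    events += [(_ts(t), "tap", card, st, bal) for t, st, card, bal in taps]
    for when, kind, card, station, amount in sorted(events, key=lambda e: e[0]):
        if kind == "topup":
            ledger[card] = ledger.get(card, 0) + amount
            continue
        if card not in ledger:
            flagged.setdefault(card, set()).add("card unknown to ledger")
            continue
        # The card's own balance is advisory: it may never exceed the ledger.
        if amount > ledger[card]:
            flagged.setdefault(card, set()).add("claims more value than ledger")
        prev = last_seen.get(card)
        if prev and prev[1] != station and when - prev[0] < MIN_TRAVEL:
            flagged.setdefault(card, set()).add("seen at two stations too fast")
        last_seen[card] = (when, station)
        ledger[card] -= FARE  # the ride happened, so it is billed either way
    return {c: sorted(r) for c, r in flagged.items()}, ledger


if __name__ == "__main__":
    blacklist, balances = reconcile(LEDGER, TOPUPS, TAPS)
    print(blacklist)
    print(balances)
```

The copied card C300 is caught twice: its stale balance exceeds the ledger after the original's ride, and it appears at a second station two minutes later.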
The FBI's role (Score:5, Interesting)
The FBI's role should have been to offer him and his buddies a lab, security clearance and a plush job to do this kind of work for them. Seriously, these are the kind of guys that the cops want working for them because every security hole in the infrastructure they find helps the cops do their job--and these guys are smart and educated enough to help the vendor fix the problem.
The question we all want answered (Score:2)
Did you get drunk and wake up next to a showgirl?
Re: (Score:2)
What it's like to tango with the MBTA (Score:5, Funny)
Having lived in Boston for five years, I don't need to RTFA to know what that was like.
-They arrived at court 45 minutes late without apologizing to the judge
-During oral arguments, the MBTA's attorney paused several times, each time for 5-10 minutes, for no apparent reason
-MBTA officials wore blazers acquired off the rack for $9,000 apiece; no immediate plans to purchase pants
-Despite earning one of the highest wages in the industry, the attorney was surly and lazy
And, after the judge denied the MBTA's request for an injunction against the hacker, GM Dan Grabauskas issued a press release trumping the agency's legal victory.
"21" movie effect? (Score:2)
What now? (Score:2, Informative)
Wrong interview (Score:3, Insightful)
This is the wrong interview. What we should have is an interview with top management to find out why they made bad decisions to go with an insecure system. Maybe their excuse is they were not aware of a nearby school with highly qualified consultants to help them in a quest to get a very secure system.
Prof Rivest (Score:4, Insightful)
If it were a lesser name in the field would their claim to have been studying the security of the system been taken so seriously?
If it had been just some guy in charge of Mississippi state university's computer science curriculum they would likely all be in jail by now.
MBNA != MBTA (Score:5, Informative)