Forgot your password?
typodupeerror
Hardware Hacking The Courts Transportation Build

Interview With MIT Subway Hacker Zack Anderson 113

Posted by timothy
from the clearly-a-terrorist dept.
longacre writes "In his most extensive interview since the DefCon controversy emerged, MIT subway hacker Zack Anderson talks with Popular Mechanics about what's wrong with the Charlie Card, what happened at DefCon, and what it's like to tango with the FBI and the MBTA. The interview comes on the heels of Tuesday's court ruling denying motions by the MBTA to issue a preliminary injunction aimed at keeping the students quiet for a further five months."
This discussion has been archived. No new comments can be posted.

Interview With MIT Subway Hacker Zack Anderson

Comments Filter:
  • The battle (Score:5, Insightful)

    by Adreno (1320303) on Friday August 22, 2008 @03:10PM (#24710289)
    I'm really glad that the court decided to overturn the injunction. We need to get information like this out in the open, so we can solve these problems quickly and in an open-source manner. Simply denying that a problem such as this exists does not solve the problem... it delays a fix, and makes it even MORE likely that such exploitation will happen in the first place.
  • Obligatory IANAL (Score:5, Insightful)

    by blcamp (211756) on Friday August 22, 2008 @03:12PM (#24710323) Homepage

    US Constitution, Amendment I:

    Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.

    Did I miss something here?

    Not that I want a security system compromised, because I don't... but the 1st Amendment doesn't say "Congress shall ... abridge free speech in instances where a subway system is hacked".

  • Re:The battle (Score:5, Insightful)

    by jellomizer (103300) on Friday August 22, 2008 @03:15PM (#24710363)

    Unfortunately most peoples mind are stuck in the 20th century. And don't consider how quickly these things can spread now. Say 15 years ago this happened keeping it quite would have gave them a security advantage as it is easy to control the flow of information, so for someone else wanted to break in had to duplicate all the research again. However today once you try to silence someone the information flows faster, and it is harder to keep the information down, so when a problem is found it is best to fix it then put time in hushing it up. Sorry the world follows different dynamics now adapt or parish.

  • by rahvin112 (446269) on Friday August 22, 2008 @03:17PM (#24710389)

    Did the MBTA learn a lesson here about making a mountain out of a molehill? They essentially took something that would have received almost no attention and turned it into a national news story and then publicly filed all the details in open court such that anyone with the wherewithal to defraud the MBTA now not only knew about the exploit but had the full details on how to do it.

  • by kriston (7886) on Friday August 22, 2008 @03:18PM (#24710415) Homepage Journal

    Stored value cards are foolish.
    They should only ever be used for identification and authentication.
    The value being managed must always be stored and administered on the billing system itself.

    This is why the responsible agencies (EZ-Pass, WMATA DC Metro, NYC Metrocard) should not, and usually do not, use stored value cards.

    How naive of the MBTA to do this.

    Cloning is still a problem with DC Metro and NYC Metrocard, but this is relatively easy to detect using database analysis and trending.

    The security should lie with the central system.
    Stored value cards are never secure--especially if you're depending on the obsolete version of MiFare Classic which should have only ever been used for authentication (serial numbers, keys, and scanned fingerprints).

    Never for a so-called "digital purse" like MBTA used it for.

  • no, not really (Score:5, Insightful)

    by Reality Master 201 (578873) on Friday August 22, 2008 @03:23PM (#24710491) Journal

    Grow up - your free speech rights aren't absolute.

    There's the classic example of shouting fire in a crowded theater, for example. There's various laws against disclosing all kinds of information - medical records (go to a hospital, and you'll find signs in the elevators reminding staff to be careful when discussing patients), state secrets, etc.

    And that's not getting into the realm of lawsuits. I mean, I could go on for hours about how you molest your children while smoking crack, but you can sue me for libel and I'll lose if I can't back up my claims. If you sign an NDA and then announce a press conference to disclose stuff covered under that NDA, I can get an injunction against you to prevent your holding that press conference.

    In this case, the folks running the subway got an injunction to prevent the disclosure of the hack. And a judge looked at the evidence and decided that they didn't deserve a permanent injunction.

  • by JohnnyKlunk (568221) on Friday August 22, 2008 @03:25PM (#24710533)
    I think it's the interpretation
    the right of the people peaceably to assemble, and to petition the government for a redress of grievances.

    They're not stopping anyone from assembling peaceably, and they're not stopping anyone from petitioning the government.
    If these kids tried to petition the government to fix the system and a law was passed to prevent them then this would be a violation. However the government is preventing a party from addressing the assembly on a sensitive issue. I don't beleive this is covered in the above

    Not saying I agree with stopping the presentation, but the right of free speech is really about petitioning the government over greivances, not saying whatever you want.
  • by javelinco (652113) on Friday August 22, 2008 @03:38PM (#24710697) Journal
    I'm sorry, but no way does this make any sense. Did you forget the frickin' OR? As in: "or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances." You make no sense.
  • by SirGarlon (845873) on Friday August 22, 2008 @03:46PM (#24710815)

    Not that I want a security system compromised, because I don't...

    The students didn't hack a security system. They hacked the toll-collection system of the subway turnstiles. The MBTA made some whiny noise about the hack being a security risk but evidently the judge didn't believe their argument.

  • remember kids (Score:5, Insightful)

    by Reality Master 201 (578873) on Friday August 22, 2008 @03:50PM (#24710913) Journal

    Remember kids: every time someone uses this line to define the limits on free speech, they are hearkening back to rulings that undercut the very purpose of the 1st amendment.

    Every time someone picks a single item from among several used to make a point and rests their entire argument on it, you should be skeptical.

    I noticed that you didn't mention the more applicable end of things, i.e., courts enjoining speech pursuant to a lawsuit, of the larger issue that free speech rights aren't absolute in the US, and never have been.

    Also, Schenck vs. US was a bad decision, and fairly un-American in my view. But what Holmes said "The most stringent protection of free speech would not protect a man in falsely shouting fire in a theatre and causing a panic," is fundamentally reasonable, even if that justification wasn't appropriate to the case.

  • by JesseMcDonald (536341) on Friday August 22, 2008 @03:55PM (#24710979) Homepage

    Not saying I agree with stopping the presentation, but the right of free speech is really about petitioning the government over greivances [sic], not saying whatever you want.

    No, the right of free speech is about speech alone not being a crime for which one can be punished, or a source of harm for which one can be made liable. It's fairly obvious that freedom of speech is separate from the right to petition; just look at where the semicolons were placed. The amendment is addressing three different rights:

    1. Freedom of religion
    2. Freedom of speech, including speech via the press
    3. Freedom of assembly for the purpose of petitioning the government for redress

    You wouldn't try to argue that freedom of religion is all about petitioning the government for redress, would you? The segment describing freedom of religion relates to the right of assembly in exactly the same way as the segment about freedom of speech.

  • by Derosian (943622) on Friday August 22, 2008 @03:56PM (#24711009) Homepage Journal
    You aren't really missing anything. You just don't get that only Congress shall make no law, anyone else can make as many laws as they want.
  • Re:remember kids (Score:4, Insightful)

    by fuzznutz (789413) on Friday August 22, 2008 @04:20PM (#24711281)

    "The most stringent protection of free speech would not protect a man in falsely shouting fire in a theatre and causing a panic," is fundamentally reasonable, even if that justification wasn't appropriate to the case.

    The keyword there is FALSELY. It is not "illegal" to shout fire in a theater. In fact, I would hope that someone would do just that in the event of a fire. The key issue of the MIT students is prior restraint of free speech simply because a party doesn't like what they believe they might hear.

  • by gad_zuki! (70830) on Friday August 22, 2008 @04:37PM (#24711493)

    So? They *might* be exposing themselves to a higher frequency of short-term compromise but frankly the people with the know-how to do this and the equipment and the will dont exist in vast numbers.

    The worst thing they could have done is 'play it cool' and downplay this. This would only encourage people to continue compromising their cards and give the MBTA little incentive to get off its collective ass.

    As it stands now, this is so publicized that every transit organization around the world is freaking out about its level of encryption. This will have some pretty positive long-term consequences.

    Im glad they didnt play it cool. The Streisand effect sometimes has unintended positive consequences.

  • by Tetsujin (103070) on Friday August 22, 2008 @04:49PM (#24711679) Homepage Journal

    Read "The Hacker Crackdown." When you have the ability to cause a blackout to the phone system of an entire US region - you most definitely do NOT have the freedom of speech.

    And why not? Why shouldn't a student of security issues be able to discuss their findings about such a flaw with other security professionals? Why should someone, once they've gone to the trouble of investigating the situation and discovering such a flaw, be barred from legitimately profiting from that work? Just because it's inconvenient for the people who maintain the flawed system?

    It sounds like the talk the MIT students were going to give would have satisfied both sides: allowed the students to legitimately profit from their own hard work, while not giving the general public the information needed to circumvent the system.

  • The moon rules! (Score:3, Insightful)

    by Tetsujin (103070) on Friday August 22, 2008 @04:55PM (#24711805) Homepage Journal

    1-31-07 Never Forget

    Damn right...

    I like Boston but sometimes I feel like there's some kind of epidemic here that causes people to react to problems in the most brain-dead, paranoid methods possible...

  • Wrong interview (Score:3, Insightful)

    by Skapare (16644) on Friday August 22, 2008 @05:06PM (#24711947) Homepage

    This is the wrong interview. What we should have is an interview with top management to find out why they made bad decisions to go with an insecure system. Maybe their excuse is they were not aware of a nearby school with highly qualified consultants to help them in a quest to get a very secure system.

  • Prof Rivest (Score:4, Insightful)

    by bugs2squash (1132591) on Friday August 22, 2008 @08:10PM (#24714017)
    It had to help the students that Rivest was their professor. At least his reputation in the security world goes before him.

    It it were a lesser name in the field would their claim to have been studying the security of the system been taken so seriously ?

    If it had been just some guy in charge of Mississippi state university's computer science curriculum they would likely all be in jail by now.
  • Re:remember kids (Score:3, Insightful)

    by guibaby (192136) on Friday August 22, 2008 @11:22PM (#24715293)

    The "shouting fire is a theater" thing is not a Free Speech issue. You have every right to yell fire in a crowded theater. Especially if there is a fire. What you will get in trouble for is the results of your speech. Free speech is and should be absolute. But; you are responsible for the results of your speech and you always have been.

    Courts enjoining speech in a lawsuit or criminal case: This is not a law against free speech (as in congress shall make no law.) It is a judge doing his job in a specific instance to ensure a fair trial.

    An NDA is a contractual obligation. Again this is not a law against free speech.

    Laws against disclosure (medical records and such) again do not violate the "Congress shall make no law" because they apply to commercial entities which are not protected by the constitution. The constitution applies to people. Yes, I know, some judges have ruled as if corporation are "persons." It is very convenient sometimes to think that way, but it is not a constitutional matter.

    Libel and Slander are also not limitations on speech. If you are sued for one of those things you are being sued for the damage that you did to that person not the speech itself.

    Any abridgment you can come up with a reason for is either bad law, bad application of law or not an abridgment.

    ANY law that restricts the speech of an individual is unconstitutional by definition.

You can do this in a number of ways. IBM chose to do all of them. Why do you find that funny? -- D. Taylor, Computer Science 350

Working...