
Interview With MIT Subway Hacker Zack Anderson

longacre writes "In his most extensive interview since the DefCon controversy emerged, MIT subway hacker Zack Anderson talks with Popular Mechanics about what's wrong with the Charlie Card, what happened at DefCon, and what it's like to tango with the FBI and the MBTA. The interview comes on the heels of Tuesday's court ruling denying motions by the MBTA to issue a preliminary injunction aimed at keeping the students quiet for a further five months."

  • by BitterOldGUy ( 1330491 ) on Friday August 22, 2008 @03:18PM (#24710401)
    It sounds more and more like the MBTA is just trying to cover up their mistake. This has nothing to do with public safety or stealing rides on the transit system.

    Especially this part:

    They're filing a lawsuit right now, basically, and nobody's in court for us--just MBTA lawyers--and we don't fully know what's going on.

    Interesting. So, no one at MIT was served or anything. The MBTA just shows up in court to tell their story and theirs alone? And asks for an injunction?

    At least they didn't go nuts like the time with the light brites under the bridges.

  • The FBI's role (Score:5, Interesting)

    by MikeRT ( 947531 ) on Friday August 22, 2008 @03:23PM (#24710485)

    The FBI's role should have been to offer him and his buddies a lab, security clearance and a plush job to do this kind of work for them. Seriously, these are the kind of guys that the cops want working for them because every security hole in the infrastructure they find helps the cops do their job--and these guys are smart and educated enough to help the vendor fix the problem.

  • by schwaang ( 667808 ) on Friday August 22, 2008 @03:36PM (#24710669)

    Stored value cards are foolish.
    They should only ever be used for identification and authentication.
    The value being managed must always be stored and administered on the billing system itself.

    OK, but if you have RFID and a weak key, an id/auth-only system still has the problem where you can effectively copy someone's card with an antenna, and then use it until $0. You just can't refill it for free as in the stored value case.

    I haven't thought about this much, but while the auth/central billing approach seems more secure (if you fix the key problem), it's got a single point of failure that brings down your entire transit system, where the lower security value-store approach does not. Maybe in the real world that's not a big deal, I don't know.

  • Re:no, not really (Score:5, Interesting)

    by Hoplite3 ( 671379 ) on Friday August 22, 2008 @03:39PM (#24710721)

    Yes, the old fire in the theater line... That's from the Holmes ruling in the Schenck case. Schenck was posting fliers bashing the draft for WWI and got swept up and jailed by the police. Holmes wrote for the Supreme Court majority that such speech was equivalent to shouting fire in a theater and Schenck (continued) his time in jail.

    Remember kids: every time someone uses this line to define the limits on free speech, they are hearkening back to rulings that undercut the very purpose of the 1st amendment.

  • by MRe_nl ( 306212 ) on Friday August 22, 2008 @03:42PM (#24710759)

    the more it just seems someone at MBTA mistook their (MIT's) vulnerabilities report for the scheduled Defcon talk that Friday and panicked.
    "The FBI agent said, basically, this is not going to be an investigation. We don't have anything here. Don't worry about it.

    So we told them we'd provide them a vulnerability report, going over what we found, and also methods that could fix these problems, and they said we could get that to them within two weeks. We had actually planned on getting it to them within the week, before business hours ended on Friday, so they'd have this in their hands before we gave the talk. We felt this was a courtesy we should give them.

    This report was not going over what we were speaking about at DefCon, that wasn't the point. Some other people at MBTA have claimed that it was, but the point of the report was to go over the vulnerabilities, and go over ways that they could fix them. That's what we provided them, and we got it to them that Friday."
    end quote/

    and that's where it went wrong I think.
    Had that report arrived Monday nothing might have happened.

  • by flink ( 18449 ) on Friday August 22, 2008 @03:50PM (#24710905)

    Stored value cards are foolish.
    They should only ever be used for identification and authentication.
    The value being managed must always be stored and administered on the billing system itself.

    A system that must communicate with a central database isn't very useful for:
      * buses
      * trolleys
      * the commuter rail

    Where a network connection isn't necessarily available as the reader must reside on the vehicle itself.

    I'd be interested to hear how the other cities who don't use stored value cards solve this problem.
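
An added example, not from the thread or from any transit vendor: one way a vehicle reader with no network link can still validate a stored-value card, and what it has to leave to the back office. It assumes a sound MAC key (the opposite of the weak key mentioned above); the record layout, key derivation and function names are all hypothetical.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # truncated MAC length, an assumption for this sketch

def _tag(master: bytes, uid: bytes, body: bytes) -> bytes:
    # Per-card key diversified from the master key and the card UID.
    key = hmac.new(master, b"card-key" + uid, hashlib.sha256).digest()
    return hmac.new(key, uid + body, hashlib.sha256).digest()[:TAG_LEN]

def seal(master, uid, balance_cents, counter):
    """Record stored on the card: balance, tap counter, MAC bound to the UID."""
    body = struct.pack(">II", balance_cents, counter)
    return body + _tag(master, uid, body)

def offline_tap(master, uid, record, fare_cents):
    """Decision a vehicle reader can make with no network.
    Returns (new_record, tap_log_entry), or None if the card is rejected."""
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    if len(body) != 8 or not hmac.compare_digest(tag, _tag(master, uid, body)):
        return None  # balance or counter was altered without the key
    balance, counter = struct.unpack(">II", body)
    if balance < fare_cents:
        return None  # not enough stored value for this fare
    return seal(master, uid, balance - fare_cents, counter + 1), (uid, counter + 1)

def reconcile(tap_log):
    """Back-office pass over uploaded taps: the same (uid, counter) seen twice
    means two copies of one card state were used. Returns the flagged UIDs."""
    seen, flagged = set(), set()
    for entry in tap_log:
        if entry in seen:
            flagged.add(entry[0])
        seen.add(entry)
    return flagged

# Constructed sample values, not taken from any real fare system.
MASTER = b"\x11" * 32
UID = bytes.fromhex("04a1b2c3")
genuine = seal(MASTER, UID, 500, 7)
```

The MAC lets the offline reader reject an edited balance, but a byte-for-byte copy of a valid card still passes on the vehicle; only the later reconciliation of uploaded taps can flag it, so the back office remains part of the design even with stored value.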

  • Re:no, not really (Score:1, Interesting)

    by Anonymous Coward on Friday August 22, 2008 @04:52PM (#24711753)

    But, didn't Schenck's actions fail the "Imminent lawless action" test, e.g. he was urging people to disobey the law and evade the draft? You have every right to declare in public that "Law XXX is harmful", etc. But you don't have a right to say "Law XXX is bad, therefore you should break the law!". Civil disobedience is certainly morally justified in some circumstances, but it is still unlawful, as is compelling others to break the law.

  • by iminplaya ( 723125 ) on Saturday August 23, 2008 @07:33AM (#24717455) Journal

    Although what the Rosenbergs did was more spying than public speech, if atom bomb details had been published in the NYT they still would have gotten the death penalty, and again properly so. It was treason.

    Citation needed. The Rosenbergs were railroaded*. They weren't even charged with, or convicted of treason. And furthermore, the case shows why we should not allow grand jury testimony to be withheld from the public.

    *During the trial the prosecutor announced in a national news conference that he had secured sworn affidavits from an old friend of the Rosenbergs', William Perl, which conclusively proved the conspiracy. Saypol decided against putting Perl on the stand, however, when Perl admitted to lying in his affidavits.
