Some of what these kids did is not just "pointing out an obvious weakness" but reverse engineering a good system that Boston spent millions installing and now millions replacing is just wasteful.

On the other hand, the system is terrible. On Sat night I approached the very super high-tech security stand shown in the presentation as unoccupied and it was unoccupied then as well. The whole Harvard station was empty except for me and some drunks.

They missed on "hack" too. Many people just follow fare-paying people through the gate. Simple. See it all the time. MBTA agents will not approach and apprehend the people who do this. They refuse to.

The Lab

@Stacky Botrus: They did offer it to them. That's why they thought it was resolved. They demonstrated the holes and gave them suggestions on how to fix it.

GirlGadget

@OMG! Birthday!: Haven't you learned anything? All you need to do is dress like Crocodile Dundee and claim that the woman you love is at the exit. People will let you stand on their head for that shit!

Xavoc

Geez, they can crack complex computer systems but don't sort the PDF list so that 10 through 14 don't appear before 1 through 9? I guess kids today can't be bothered to add zeros before the significant digits in a list... :-(

Toshie

i don't know which is sadder, that the subway tickets are a part of national security, or that the smartest people in the world (MIT grads) are that idiotic to present it live.

UrIt

@Open_universe:

the world should thank MIT, they're a human progress factory

lldsandsll

Rather than presenting it at a "hacker convention" why not present it to the MBTA themselves, and offer to fix it, amd make bajillians.

EPIC FAILURE MR BELVEDERE!

Stacky Botrus

These retards should be thanking the MIT geeks for pointing out how vulnerable their setup is. At the very least, the physical stuff, the keys and badges left out in the open ,etc., should be taken care of.

Open_universe

You want to know what is a security threat? How about narrow subway platforms crammed with people in mazelike stations with choke points at the exit.

Posting how-to's on getting free passes is less of a threat than a mass-transit system that is vulnerable to panic.

Thank you for riding the NYC MTA.

OMG! Birthday!

Make sure to read the whole presentation. Its actually pretty awesome.

And sad, when they walk through things that should be locked, and especially when the security booth is completely empty.

Log1c

wheres the NYC MTA one? =)

gusnyc.com

;)

thegadgeteer

when you're very smart there is no need to obey the law, jackasses.

livermore111

@thegadgeteer: State

Scott

Police

thegadgeteer

All they really needed to do was throw on a bunch of garbage bags to make it look like a homeless guy owned it if they wanted camouflage.

Xavoc

Option A:
They release all this information publicly so that people know there is a serious issue and can fix it.

Option B:
They say nothing at all which leaves the system wide open for any terrorists to come in and abuse the system using this same method & utilize it for a terrorist attack. All this because nobody bothered to point out it could be done in a manner that would garner public attention.

The worst part is that companies like these simply ignore any security threats brought to them directly, as they like to hide behind hugely biased beliefs that their systems are secure. Embarrassment is pretty much the only way to get these things fixed...

However, as in most cases, even now instead of fixing the problem they go after those who found it.

Bobby T.

Please excuse the syntax of that first sentence. Also, the loudspeaker and smoke grenade cart that the MIT students didn't have the balls to actually push to their desired destination sums up everything I've observed about MIT students since being here.

The Lab

Well at least electronic voting systems are un-hackable....

Let's have a vote, which political party do YOU think has hired the best hackers to be able to swing the election?

DNC? Young, fresh, ready for change?

RNC? Old, stodgy, but with the full support of the NSA? (Thanks Dick!)

av8thor

@Bobby T.: Terrorists? Really... come on now... I know they must be shaking in their boots about paying train fair.

Sorry, it's Monday.

reefer

Now...after I spent a whole summer at MIT, they release this right before I'm leaving.

Grrrrr.

bobx3

I say some group pulls a hackers (the movie except the graphics will be better now) on the mbta and since when is what essentially is a floppy disk constitute a computer are they morons or what. This is what happens when old men make laws

crash1105

heres the low-tech hack of the D.C. metro for ya, no MIT degree needed...

[www.schneier.com]

Shub-Niggurath

Must try. As a Boston resident I will confirm.

LJN

@The Lab: Hmm doesnt sound like such a good" system, and honestly not what I want to hear on the news @ 6 "Well we spent millions on a good system to prevent this kind of thing." The kids did present it to them and suggestions to make it better, all in all I think they did a good deed.

Alex2643

Wsup with the people in Boston?? They're always getting confused for terrorists, remember that Aqua Teen Hunger Force bomb scare?

pdditty

@Alex2643: Think about it this way, ANY system is hackable. The only differentiating feature is the difficulty of the hack. With the CharlieCard hack, they took a system that was moderately difficult to hack and made it easy, even decoding the variables on the mag strip. That took the number of people likely to exploit the hack from a few nerds to many quasinerds. In this area there are innumerable quasinerds.

Some of those security holes needed a fix, but telling people which magstrip reader/writer to buy and what digits to change lowered the bar a significant amount.

The Lab

hackings rediculous, just leave the systems alone! Everyone is a damn criminal nowadays, mbta only costs1.75 to ride, pretty cheap considering the alternatives! Just pay it, MIT grads are gonna make enough money to spare the change anyways

livermore111

As far as I know, the NYC Metrocard still has not been successfully hacked, and it dates back to the mid-1990's. Impressive, actually.

bandit

And the "National Security" blanket stretches to cover just a little bit more...

sansovino

@gusnyc.com: I'm with you ...waiting patiently...

Screw that

Waiting Inpatiently....

....
...
..
....
..
.......
!

AskTheAdmin

"What we've got here is... failure to communicate. Some men you just can't reach. So you get what we had here last week, which is the way he wants it... well, he gets it..."

SigmundTheSeaMonster

Excellent I need to try this out!

mynameisjay

I'm beginning to wonder why people live is Massachusetts. It seems to be a breeding ground for terrorists.

Tony Bullard

this is a perfect example of the principles outlined in this paper: [portal.acm.org]

also if you read the articles carefully, you should point out that attempts were made to contact the mbta prior to releasing the slides/code/presentation (granted the time table wasn't very conducive to the mbta fixing), so the mbta probably could have taken a more tactful approach to handling the situation, perhaps by just requesting more time from the mit students.

Boston sure does know the best way to deal with technology...

icanswim2002

So, the thing about filing a lawsuit in court is that if you aren't careful, all the docs you submit become public info and then are leaked to the internets anyway.

Just saw an article on PC World that the .pdf is everywhere now.

Lodlaiden_

If you're going to figure out a way to do something for free for life, why did you choose riding the subway?!

scotth0

Die Hard 5

Chelseafc65

The thing is as someone else mentioned every system is hackable. Mifare fully understands that the security weaknesses in the 1K classics and they are outlined in their datasheets. The real weakness is in how the system is implemented around the RFID which was seriously lax

mike-atron

ya really !@gusnyc.com:

ajmernone

A card constitutes a computer? WTF?

michaelleung

Yes, berate the people the pointed out how shitty their security is instead of actually fixing it, or let them fix it for them.

Good show all knowing Government

Breach