
September 01, 2008

PEER REVIEW OF THE MIT/MBTA "HACK" - PART 2

I replied:

Wozniak & Jobs and the rest of the phreaks certainly should have been at least cited & fined. Using a blue box is the same as using a slug, or doing what I used to do on coin pay phones pre-DTMF (which is what the Blue Box generated) which was to short the coin box cover to the mouthpiece mic in the receiver with a piece of wire (which made the same connection that a coin in the slot did), then flash the hook switch with the phone number you wanted to call. This activated the stepper switch in the central office the same way that the number bumps on the old dial phone contacts did. Stealing is stealing.

Impersonating a celebrity is just pranking, but if you cause harm somehow while doing so, you're liable, regardless of your intentions. Telling the MBTA that you had a hack to their card system, and that you were going to publicize it, moves from threat to action. So what else could the MBTA have done, given that they found out about the DefCon preso shortly beforehand, other than what they did? Ignore it, wait for the reaction, then say what? "Yeah, we knew we had holes, so what? Take your best shot, geeks." No, they had to protect the integrity of their system and confidence of their users and play hardball. Yeah, it gets messy, and irony aside, the unintended consequences cut both ways. Streisand effect notwithstanding, you don't let punks push you around, and you don't ignore threats to public transportation post-9/11. A picture of Barbara's back porch is trivial, and her overreaction deserves mocking. MIT students dangling a challenge in front of an internet full of bored geeks is trouble no matter how restrained you are.

And regardless of the EFF and the rest of the chatterers, wrong is still wrong. Thinking it's cool, and enjoying the theatricality of it all, doesn't make it right. This is one of the tropes I dislike most about the socialist thinking displayed here, that anything that can be taken is free. This includes the assholes that think they have the absolute right to download music, movies, and other property, and unlock iPhones, and that somehow the tenets of free speech inoculate misbehavior - like the people who praise taggers as artists - and that each individual defines his own morality, and any restraints imposed at all are somehow oppressive. Remember how angry people were when Apple 'bricked' their unlocked iPhones? Sorry, kids, wrong is wrong, and all your inane pop philosophy won't make it right. Read the fuckin' contract, Weezer, and violate it at your peril.

Now answer me some questions, none of which were fielded in all the back and forth, we-said they-said of all the articles I've read:

Is what they did actually technically difficult, or was it like I said, simply brute-forcing their way through every possible combination to finally find a hole (they even use the term "brute force" several times)? Is their code work original, or just simple applications of basic routines? We do stuff like this every day (RFID cards, readers, encryption, etc.), and though the code stuff is not my expertise, it still looks to me like they just read the manuals and stole some configuration information. What is it that they did that is such a big deal? And how is it different, in impact to the system, from simply stealing keys or cards?

And just how vulnerable is the system? Can this process be easily duplicated? What kind of smarts and resources would it take?

How could this profitably be exploited? How likely would it have been that somebody would have used the exploits and actually tried to defraud the system? The way I see it, somebody would need a "warcart" and equal good luck, resources, and free time to crack the code, then either start cloning cards and selling them at a discount, or...what?

Even if somebody did do this, internal audits would identify cards being used that had no equivalent cash or credit card income. And, if somebody was selling cloned cards, how long would it take to make back their "warcart" investment, plus the cost of the cards, the card coders, etc? And what is the likelihood that they would get caught quickly once they started fencing these cards? This stuff happens in movies all the time, which is where I think some of the commenters get their "expertise", but how often does it happen in real life?

Or maybe they just go malicious, and use their access to corrupt the system. How is that different from non-technical damage caused by things like smoke bombs, trashcan fires, graffiti, superglue in the locks, or other forms of vandalizing and denying access?

So my point is this - even if they did find flaws, what are the possible losses to the MBTA from others actually trying to exploit the flaws vs. the cost of fixing the flaws? Hence my lock and key analogy. Every lock has a key, keys can be stolen & copied, every lock can be picked or hammered open, every cash box or turnstile can be forced, every inside employee is a potential breach. It seems to me that MBTA and the other municipalities that run these systems know what the risks are, and realize that the cost of implementing a system that is immune to all possible attacks, however far-fetched, is far greater than the possible losses due to hacked cards. And the possible losses from hacked cards are probably nothing compared with losses from counterfeit bills, stolen credit cards, insider theft, and plain old vandalism. When the MBTA wrote the specs and got bids for this system, security was just one of the dozens of performance metrics and cost considerations they reviewed. You spend your time and money where it does the most good. Is what the MIT guys did really worth worrying about?

The MIT kids could have done a public service, got the same geek glory, and avoided problems by quietly informing the MBTA of their findings. But they succumbed to the lure of fame and the rush of hacking 'the man'. Now it's higher costs at the turnstiles to cover the legal fees and cost of the code patches, which they will have to spend even if the likelihood of somebody actually using the hack is nil.

I also have no love for the smelly hippie underground types who celebrate these guys, and who justify their petty anarchy as a righteous application of free speech, and who get clean modern subsidized transportation and then bitch about it, and who couldn't graduate high school but pretend they are all some kind of movie super-hacker heroes, exposing the greedy incompetent bureaucrats. Look at the comments in the Wired article - the rage at Mitt Romney, the leftist cant, the absolutist indignation at this terrible, horrible, useless system that somehow gets all these people where they want to go. Not a one of them could begin to develop or implement any part of the system, but they spout off like they are experts, and condemn the people in charge as evil morons. OK, Sparky, what's your plan? They never have one. It's all ephemeral should-be and why-not and if-only, all fantasy and wish-come-true, flying cars and lightsabers, solar farms and recycling. Don't like the Boston subway system as it is? Then walk through the slush, butthead.

The common wisdom is that these 3 guys will now immediately be hired as high-paid security consultants. Is what they did that big a deal? And would you hire somebody who exhibited this kind of judgment, knowing it would cost the taxpayers and the university big money? I think they are more likely to end up as DefCon celebrities, writing blogs and spinning yarns, criticizing but never actually producing. Because making something work is hard, breaking it is easy.

Part 3 here.

Posted by: JBD at 02:00 PM