Boston Trolley Hack - Security Stupidity Personified
Here's a near perfect example of two core problems that reside at the heart most IT security and electronic privacy issues, those being, ignorance and denial.
This particular act of stupidity is currently being played out in the courts at the hands of non other than the very bureaucracy that is charged with trundling my posterior into the office every day -- the Massachusetts Bay Transit Authority, aka, the T.
Now, being a daily rider of the 501 Express Bus heading downtown and back, I have a litany of feedback that I could offer regarding the T. But instead of getting into issues of unpredictable climate controls or poor scheduling or any of that daily grind, let's instead examine the legal and PR circus that has been triggered by the MBTA over some MIT students' research that identified security issues found in the T's electronic ticketing system.
Much has been made of the T's spanking new CharlieCard electronic infrastructure, painstakingly installed over the last several years and pitched as the multi-million dollar solution to long-existing problems including toll jumpers, insider fare thieves and transactional ease-of-use.
However, now the security of the entire system has been thrown into question based on a research report prepared for presentation by the three MIT undergrads at the just-finished Defcon hacker show in Las Vegas.
That part of the show never went on though, as when the T caught wind of the research, or rather, saw that it would be detailed publicly, it jumped into action and sued the kids involved to stop them, as well as MIT, and successfully had the talk barred from moving forward via a federal court injunction won here in Boston.
(Yeah, the same town that sprung into an anti-terrorist maelstrom based on some ads for the Aqua Teen Hunger Force movie... and yes, the first sign mistaken for a bomb was found at a T stop, under a road where a similarly-themed ad for the same movie stood for several months previous. Oh yeah, this is my hometown. Eeesh.)
Now the T is angrily demanding more information about the hack, which promised free rides for life for those able to pull it off, in the same courtroom.
And all of this might make sense on some level... if... only... the researchers hadn't attempted to tell the T about the problem long before scheduling their Defcon chat, only to have officials with the organization ignore all of their attempts to do so.
So, rather than listening to the researchers, fixing the problems they found, and getting out ahead of any public shaming... now we have a government entity suing one of the nation's finest technical institutions and those same students who were trying to help them fix the involved problem in the first place... and the system remains vulnerable!
What this lunacy demonstrates is just how much less organizations like the T actually care about security than they worry about controlling perceptions. That some MIT kids could easily defeat the security of their expensive new e-ticket system didn't move the T to action, however, that it would be reported in a public forum moved them to call in the lawyers and go ballistic.
That makes sense right?
So now, we the taxpayer, we the commuter, see the revenue we've handed over to this government body being spent not on improving anything, but instead on fighting an ethical battle in court over the legality of the students' work and presentation, while far less effort could have been spent to actually fix the problems being detailed, and long before they were announced publicly.
The level of self-defeatism involved is appalling.
We never heard about data leakage and most companies weren't doing anything about it until the passage of Calif. 1386, when companies dropping the ball on data security started getting bad press for it and others were moved to align smarter defenses to protect their own images from being similarly tarnished.
Organizations like the T refuse to listen to offers of help in identifying and fixing vulnerabilities, the pretend the problems don't exist until it's too late, and they end up making fools of themselves in the process as they flail their arms and try to blame everyone but themselves for this outcome.
Unfortunately it would seem that the only way to motivate many large organizations to do anything about security is to threaten them with public embarrassment.
Sad but true.
See you on the 501.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.