Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Latest News
    • Blogs
    • Security Watch

    Boston Trolley Hack – Security Stupidity Personified

    By
    Matthew Hines
    -
    August 14, 2008
    Share
    Facebook
    Twitter
    Linkedin

      Here’s a near perfect example of two core problems that reside at the heart most IT security and electronic privacy issues, those being, ignorance and denial.

      This particular act of stupidity is currently being played out in the courts at the hands of non other than the very bureaucracy that is charged with trundling my posterior into the office every day — the Massachusetts Bay Transit Authority, aka, the T.

      Now, being a daily rider of the 501 Express Bus heading downtown and back, I have a litany of feedback that I could offer regarding the T. But instead of getting into issues of unpredictable climate controls or poor scheduling or any of that daily grind, let’s instead examine the legal and PR circus that has been triggered by the MBTA over some MIT students’ research that identified security issues found in the T’s electronic ticketing system.

      Much has been made of the T’s spanking new CharlieCard electronic infrastructure, painstakingly installed over the last several years and pitched as the multi-million dollar solution to long-existing problems including toll jumpers, insider fare thieves and transactional ease-of-use.

      However, now the security of the entire system has been thrown into question based on a research report prepared for presentation by the three MIT undergrads at the just-finished Defcon hacker show in Las Vegas.

      That part of the show never went on though, as when the T caught wind of the research, or rather, saw that it would be detailed publicly, it jumped into action and sued the kids involved to stop them, as well as MIT, and successfully had the talk barred from moving forward via a federal court injunction won here in Boston.

      (Yeah, the same town that sprung into an anti-terrorist maelstrom based on some ads for the Aqua Teen Hunger Force movie… and yes, the first sign mistaken for a bomb was found at a T stop, under a road where a similarly-themed ad for the same movie stood for several months previous. Oh yeah, this is my hometown. Eeesh.)

      Now the T is angrily demanding more information about the hack, which promised free rides for life for those able to pull it off, in the same courtroom.

      And all of this might make sense on some level… if… only… the researchers hadn’t attempted to tell the T about the problem long before scheduling their Defcon chat, only to have officials with the organization ignore all of their attempts to do so.

      So, rather than listening to the researchers, fixing the problems they found, and getting out ahead of any public shaming… now we have a government entity suing one of the nation’s finest technical institutions and those same students who were trying to help them fix the involved problem in the first place… and the system remains vulnerable!

      What this lunacy demonstrates is just how much less organizations like the T actually care about security than they worry about controlling perceptions. That some MIT kids could easily defeat the security of their expensive new e-ticket system didn’t move the T to action, however, that it would be reported in a public forum moved them to call in the lawyers and go ballistic.

      That makes sense right?

      So now, we the taxpayer, we the commuter, see the revenue we’ve handed over to this government body being spent not on improving anything, but instead on fighting an ethical battle in court over the legality of the students’ work and presentation, while far less effort could have been spent to actually fix the problems being detailed, and long before they were announced publicly.

      The level of self-defeatism involved is appalling.

      We never heard about data leakage and most companies weren’t doing anything about it until the passage of Calif. 1386, when companies dropping the ball on data security started getting bad press for it and others were moved to align smarter defenses to protect their own images from being similarly tarnished.

      Organizations like the T refuse to listen to offers of help in identifying and fixing vulnerabilities, the pretend the problems don’t exist until it’s too late, and they end up making fools of themselves in the process as they flail their arms and try to blame everyone but themselves for this outcome.

      Unfortunately it would seem that the only way to motivate many large organizations to do anything about security is to threaten them with public embarrassment.

      Sad but true.

      See you on the 501.

      Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to [email protected].

      Avatar
      Matthew Hines

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×