Posted by: The Weave
Two weeks ago three MIT students were forbidden by a judge to give a presentation on how susceptible Boston’s subway fare system is to fraud.
Now another judge has allowed them to give the presentation. The problem is said presentation was scheduled for a hacker convention held two weeks ago. Funny how that works out.
Last week I commended the three students for their work and blasted the Massachusetts Bay Transportation Administration for its consistent incompetence in all matters related to running a transportation system.
But I also called one of the students out as being a bit bratty and self-important.
I’ve changed my mind. It’s a judge and an agency chief that deserve my ire. They are the ones who failed to do their jobs.
At 21, student Zack Anderson has been blasted by a free-speech-hating judge and sued by a financially troubled public transportation agency, the same one that tried to hand executives 9% pay raises last week.
Now U.S. District Judge Douglas Woodlock’s ruling has been reversed and the MBTA – headed by general manager Dan Grabauskas – is admitting that the CharlieTicket can be hacked.
About 70% of MBTA riders use what’s known as a CharlieCard, which the students say can be cloned. Others use the CharlieTicket, which can be compromised to add value to it. That appears to be the easier of the two hacks and the one the MBTA admits can be pulled off.
It only took a few days for both of these men to be proven wrong. There were some concerns voiced along the way that the prior restraint exercised by Woodlock would have a chilling effect on security research. But it has been pretty clear from the start that the students did nothing wrong and Woodlock’s decision would not stand. It just needed to stand long enough to keep them off the stage at the conference.
Media watchdog and Boston-area blogger Dan Kennedy took time out last week to quickly chronicle Woodlock’s history of First Amendment trashing.
And Grabauskas? This has been embarrassing all around for the MBTA. The students’ planned slide presentation was techy, to be sure, but it also featured photos of open doors, unmanned computer banks and unlocked padlocks from around the MBTA system.
Now the MBTA has changed its tune and claims to want to meet with the students to work toward fixing the gaping security holes in the fare system. As if Anderson and company are supposed to suddenly go all sweet on the same folks who just sued them.
In a statement quoted by The Boston Globe, Grabauskas said that “my invitation to the students to sit down with us and discuss their findings. A great opportunity now presents itself.”
I’m a Massachusetts taxpayer and MBTA customer, and Anderson owes me nothing. Publishing proof that it is way too easy to rip off the MBTA was pro bono work in the first place.
This kid worked his way into MIT and then managed an ‘A’ for his MBTA hack work. That stuff isn’t easy and it is leagues beyond taking a few SQL classes.
A suggestion for Anderson, one he surely has already thought of: Shake Grabauskas’ hand. Look him square in the eye. Name your price.