Comments on: Massachusetts: We want to meet with MIT subway-hacking students

State transit authority says it's reviewing the Defcon presentation prepared by three students it sued, and wants to meet with them before deciding whether to continue with a federal lawsuit.

[BlitzBoy1120]

And thats why I'm planning to go to that school XD

[magicmaster]

Dear MBTA:

If MBTA had not filed the restraining order, I would not have known the presentations that was meant to be presented to SELECTED hackers.

Withdraw the lawsuit, or I will distribute the copy of powerpoint presentation to everyone else...wait! I already did!

Have a nice day,

What the hack

[Linuxiac38]

All 22 million of us received it, so, thanks 4 teh hack!

Security through obscurity just got blown out the window! Thanks, MBTA! are you following the precedent set by the Boston Police, with the Adult Swim "bomba"?

[michaelo1966]

Read the overview of their presentation; the value of a card is stored as a few bytes in a fixed-field on the stripe. Anybody with a mag-stripe reader/writer -- available widely and cheaply -- can write a program to change the stored value on those cards turning their $1 card into a $100 card with a swipe. Not releasing software to do it is meaningless -- anybody can write it -- the hard part was figuring out which field was which. The MTA was stupid for storing the kit n' caboodle unencrypted on a paper mag-stripe card, but rather than take responsibility for being idiots they decided to sue: it's the American way. I'll bet they paid some "security contractor" gobs of money to program and maintain this system.

[bmrowe23]

This is what happens when you mix the smartest people with too much time on their hands with the dumbest most impatient. At least they all ride public transportation, right? MTBA should say thank-you and grant a few free lifetime passes for MIT's time and discretion. That is what a criminal would have if they kept the hack to themselves. On the other hand it wouldn't hurt the resumes of these students to have a short internship to help fix the problem.

[dragonwithaheadache]

I can agree with this, appearently the kids paid attention to their studies at MIT then used them the way they should. Glad I don't live in Boston, I would hate to see the security on the City's Network.

[fdunn3]

MTBA, how do you know that the MIT students were the first to learn of the security flaw in your system as the irresponsible hackers would be selling the cards and using them for himself and you would even know it.

Now some responsible IT students step up to the plate but you have no contigency plan. Whose fault is that? Certainly not theirs.

Don't be so cocky as to think your system is so secure that people aren't already abusing it. You shouldn't be sueing these students you should be hiring them.

[NoVista]

Well said!

Oh well, there's DefCon and DeafEars ...