funsec mailing list archives

T hacking exposes a deeper clash


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Tue, 19 Aug 2008 09:47:13 -0400

http://www.boston.com/news/local/articles/2008/08/18/t_hacking_exposes_a_deeper_clash/

T hacking exposes a deeper clash


Where agency sees attack, MIT students talk of constructive exploration


By Michael Levenson, Globe Staff  |  August 18, 2008

Recent inventions to emerge from the workshop of Zack Anderson include the
"Killbot," a radio-controlled robot with a "1,500,000-candlepower spotlight
to blind the victim," a bullhorn "to terrify victims," and a spinning drill
bit "to bore through obstacles."

Anderson, a 21-year-old electrical engineering major at MIT, has also
designed a security system for his workshop that features sirens, flashing
lights, and a digitally altered recording of his voice bellowing "Intrusion
detected! Initiating auto-lockdown sequence!" and "releasing toxin into
atmosphere!"

Impressive stuff. But it's not generating half the attention as his project
for Professor Ronald L. Rivest's Computer and Network Security class last
semester. That endeavor, for which he earned an A, has gotten the
fresh-faced senior from Beverly Hills, Calif., a visit from an FBI agent, an
MBTA sergeant detective, nationwide press attention, and a starring role in
a federal lawsuit.

Anderson, along with his freshman-year roommate, R. J. Ryan, 22, and another
student in the class, Alessandro Chiesa, 20, claimed in their project to
have developed a way to hack into the MBTA's recently installed $180 million
automated fare-collection system and provide fellow hackers with "free rides
for life."

Not surprisingly, the T was not pleased to learn of the development. The
agency, which is strapped for cash and contemplating a fare increase in
2010, successfully sued the students to prevent them from presenting their
findings at DEFCON, a hacker's convention that recently drew more than 6,000
people to the Riviera Hotel and Casino in Las Vegas.

The trio face a hearing in Boston's federal court tomorrow when a temporary
restraining order keeping them from releasing their findings expires.

The T, which did not return calls for this story, has said the students'
findings could cause "significant damage to the transit system." The agency
has also sued MIT, saying the institute failed to teach its undergraduates
"to responsibly disclose information concerning perceived security flaws."

The students strongly disagree, and their case has electrified the cowboy
community of hackers, where the line is often blurry between those who break
into a system so the system's flaws can be exposed and patched and those who
crack into a network merely to create mischief.

"It was all the discussion at DEFCON," said Dave Marcus, security research
and communications director at McAfee Avert Labs in Santa Clara, Calif., who
attended the Aug. 8-10 convention. "Anytime you suppress research, it goes
through the research community like wildfire. We can all feel like 'the man'
is coming down on us as security researchers."

Anderson said the MBTA should consider his project an opportunity to improve
security. He says the students omitted enough key details from their 87-page
PowerPoint presentation, titled "anatomy of a subway hack," that others
would not be able to program free rides onto their CharlieCards. The
students also say that after they were visited by FBI agent Jacob Shaver and
MBTA Sergeant Richard Sullivan on Aug. 4, they gave the MBTA a confidential
"vulnerability assessment" so the agency could fix the gaps in its
fare-collection system.

"It wasn't to enable others to get a free fare or cause any sort of havoc,"
Anderson said, calling over the Internet from Mexico, where he was on
vacation last week. "It was really to show how major the issues are in this
system, which also might resonate in many other systems around the world."

Anderson - who got his first computer (a Compaq Presario) in the fourth
grade, taught himself QBasic, a programming language, in the sixth grade,
and started building robots in the eighth grade - said part of the
motivation for the hack was the challenge.

"I've always been interested in electronics," said Anderson, who grew up
scouring alleyways for discarded machines. "Ever since I was a little kid, I
would take things apart to see how they work."

These days, he proudly calls himself a hacker.

"If a lot of people think hacker, they think of someone who illegally breaks
into systems," he said. "I don't at all think that's what hacker means. I
think hacking is a culture of curiosity and exploration and learning and
building and creating new things."

Hackers say they generally divide into three camps: do-gooder "white hats,"
nefarious "black hats," and "grey hats," who fall somewhere in between. Some
say the MIT students' project might fall in the middle of the ethical gray
scale.

"I can understand the MBTA's response," said Joe Grand, a 32-year-old hacker
who calls himself Kingpin and was part of a 1990s hacker crew in Boston
called L0pht Heavy Industries. "Nobody likes to have their work broken and
publicly announced. I also agree that people need to know about systems that
are broken. So there is definitely a fine line."

The students' PowerPoint presentation includes photos of MBTA police badges
and hats that they purportedly bought on eBay, diagrams showing how to
reprogram a CharlieCard to contain $653 in value, and cheeky warnings that
"this is very illegal! So the following is for educational use only!"

Eleven computer scientists have signed a letter arguing that to block the
project "could have a devastating chilling effect" on future research.

"Discussing vulnerabilities and discussing problems that are out there
improves security as a whole," Anderson said. "When you put things out in
the open, other researchers can look at them and see how these things can be
fixed."

Chiesa declined to comment for this article. Ryan did not respond to
messages. But Anderson said the trio hopes to resolve the battle with the T
and move on to other projects.

He said he eventually wants a career "building and growing companies," and
noted that he is working on a new endeavor, a socially conscious start-up
company that will seek to convert heat from a car's shock absorbers into
energy for the engine.

"Definitely," he said. "It's a lot more rewarding to work on a problem
that's going to help people."

Michael Levenson can be reached at mlevenson () globe com.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
