Comments on The Dendritic Arbor: The Right Way to Respond to Getting Hacked / Crack...

Feed author: Alioth. Updated: 2008-08-30T07:27:48.874-04:00. Comments: 3.

qiihoskeh (2008-08-30T07:27:00.000-04:00):

IIRC magstripe, at least, doesn't have room for much information and should be relatively easy to hack. It's an old technology. I suspect they've been using it a couple decades. To fix it, they'd probably have to rip out the hardware in every station and put in something better. It's the kind of project that takes months of planning and an expenditure big enough to require approval by some body of government, which can also take months.

Also, I believe that some sort of lawsuit and/or prosecution is required by the way the legal system works (or fails to work).

Alioth (2008-08-24T23:04:00.000-04:00):

Well, in order to know how to hack something, you have to actually hack it. ('Theoretical hacking' is an oxymoron.) So, yes, in that sense, these students did "actually hack the cards".

As I understand it, the consensus in the white-hat hacking community is that it's okay to break a security system as long as you don't actually exploit the break, and you bring the flaw to the attention of whoever's responsibility it is.

These students told the MBTA about the flaw, and offered to help them fix it. I think it's a pretty safe bet that they weren't planning on getting much financial gain by exploiting the flaw they found.

I'm told that there's kind of a protocol for politely publicizing security flaws: first you tell the people whose flaw it is, and give them some time to fix it, before you go public. For hardware-based problems, like this one, you give them longer because it takes longer to change hardware than software. So I guess these students could be faulted for going public too soon and not giving the MBTA enough lead time -- I'm not sure if this is actually the case. But even if it is, that's not a reason for the MBTA to sue them.

Math_Mage (2008-08-24T22:51:00.000-04:00):

Question: did the students in question actually hack the cards, or did they just figure out how? If the latter, they deserve a shout out from MBTA; if the former, not so much. Of course, in either case there's no sense in trying to prevent the presentation.