Zack Anderson was one of three MIT students who caused a stir over the summer when they decided to disclose flaws they discovered in the Massachusetts transit authority's "Charlie Card" fare system.
Anderson, Russell "RJ" Ryan and Alessandro Chiesa planned to show off their findings (.pdf) at the Defcon hacker conference in August, prompting the Massachusetts Bay Transportation Authority (MBTA) to seek a temporary gag order until the problems could be fixed.
A US District court judge eventually dissolved the gag order, but the incident rekindled debate over whether flaws should be publically disclosed before the affected vendor has a chance to fix them.
In this Q&A, Anderson explains the surprise he and his peers felt over the MBTA's response, why he thinks the flaw exposure was necessary and what the lesson is for future researchers.
What was the main motivation for hacking into the MBTA's ticketing system?
It started as a class project. We wanted to do a security analysis of an important system which, if the security were compromised, could lead to a number of issues. We settled on subway fare collection systems and saw that the system integrator that makes Boston's fair collection system also makes collection systems around the world. We figured that if we were to find vulnerabilities in the Boston system they might well apply to others.
Were you surprised by how easily you were able to punch through the system?
Yeah. What was most surprising, though, was the fact that they already have a lot of infrastructure in place to build a much more secure system but they don't have the software to leverage that hardware.
Were you and your fellow students surprised by the resistance you ran into with the MBTA after you announced your discovery?
Absolutely. We did contact the MBTA and said we wanted to sit down with them, go over what we had found and recommend some ways to fix it so they could go back to the integrator and say'this is what we'd like done.' We thought that would go well, since we were out to help them. What happened instead was a lot of animosity from the start. The funny thing is that we eventually did sit down with them and everything was fine. The person we sat down with thanked us and was mad at the system integrator for making a flawed system that the MBTA had spent millions of dollars on.
- +
Hiring Manager: Emphasize Integrity, Attitude 14/12/2007 11:18:07
William Howell shares his hiring mistakes and his secrets for selecting the best job candidates, finding objective references and using LinkedIn as a recruiting tool.William Howell shares his hiring mistakes and his secrets for selecting the best job candidates, finding objective references and using LinkedIn as a recruiting tool.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Still Sneaking In: The Threats Your Security Tools Aren't Telling You About
Everything you need to know about email and web security (but were afraid to ask)
Data grids and service-oriented architecture
Simplify and Secure: Managing User Identities Throughout their Lifecycles
Simplify, Integrate and Safeguard Your Business with Secure Web Business Enablement
Achieving the impossible: Unlimited application scalability
Dude! You Say I Need an Application-Layer Firewall?!
Discover the advantages of an open architecture multi-vendor network solution
Zones provide focussed content from Computerworld and leading technology partners.
Security Management
Protect your critical IT assets, achieve sustainable regulatory compliance, reduce IT administration costs and enable new business opportunities with our IT security solutions.
IT Security as a business enabler?
Download Whitepaper
|
Success Stories
Australian Unity minimises costs and maximises productivity with single sign-on for 1,400 users
Australian Unity needed to address its business and security risks including user management and application security management. The company chose an enterprise single sign-on (ESSO) solution and discovered increased employee productivity, reduced help desk costs and elevated data protection.
Download the full Success Story
BT saves more than £15 million and improves customer services with comprehensive Identity & Access Management
To enable future growth and ensure its services remain competitive, BT needed to build closer relationships with its customers and suppliers. Discover how the company is now performing over 36 million transactions a day with their improved Identity & Access Management Solution.
Download the full Success Story
Identity & Access Management
Simplify and Secure: Managing User Identities Throughout their Lifecycles
Organisations are constantly challenged to keep pace with ongoing changes to users and their roles, responsibilities and requirements. Discover how CA can help you create a unified approach for managing users identities, providing them with timely and appropriate access to applications and information.
Download Whitepaper
Simplify, Integrate and Safeguard Your Business with Secure Web Business Enablement
Modern organisations are required to aggressively expand the number and type of Web applications and services provided to customers, partners and employees. Discover how to automate, delegate and centralise your key processes and services including user administration, access policies, auditing and compliance by reading on.
Download Whitepaper
Simplify, Integrate and Secure: Providing Secure Access to Server-based Information and Resources Across Platforms
Distributed servers are a powerful asset in any company’s infrastructure. Over time, most organisations have acquired a variety of different platforms and are relying on them to house an increased amount of critical applications, processes and data. Read on to discover how you can achieve a consistently higher level of server access security across multiple platforms including virtual hosts and guest operating systems.
Download Whitepaper
Buying Guides
