Creative Commons Attribution-ShareAlike 3.0 Unported

MBTA Hires MIT "T" Hackers


If you can't beat them, pay them to join you.

The MBTA has now hired the students it was formerly suing for exposing the flaws in the Charlie Card system.

"The lawsuit against the students was dismissed after a judge lifted a gag order in August that prevented the students from discussing their work. The students had planned to present their research at the Defcon hacker conference in Las Vegas on August 10, but canceled their presentation after a judge granted the MBTA’s request for an injunction the day before.

“This is a great opportunity for both the MBTA and the MIT students. As we continue to research ways to improve the fare system for our customers, we appreciate the cooperative spirit demonstrated by the MIT students,” MBTA General Manager Daniel Grabauskas said in a statement published on the Electronic Frontier Foundation Web site on Monday. EFF attorneys represented the students in their legal defense.

One of the students, Zack Anderson, was quoted as saying: “We’ve always shared the goal of making the subway as safe and secure as can be. I am glad that we can work with the MBTA to help the people of Boston, and we are proud to be a part of something that puts public interest first.”"

Too bad they couldn't have reached this stage without the pointless lawsuit.

			

Plays Inspired by the T


A new series of plays uses the T as both inspiration and constraint.

"At 11:15 a.m. last Saturday, Ginger Lazarus boarded an Orange Line train at Oak Grove. While her fellow passengers were eager to reach their destinations - many of them appeared to be headed to the Red Sox game - Lazarus was hoping for a long ride. The clock was ticking: she had to write a short play, to be performed the following Wednesday, by the time she arrived at the end of the line at Forest Hills.

Across town, playwright Forrest Walter was getting on the Green Line at Lechmere with the same goal. Later in the day, three more playwrights would be boarding the T to participate in Mill 6 Collaborative’s theatrical experiment, The T Plays. Over the next week, a total of ten local writers will take on the challenge of writing a short play, set on the MBTA, in the time it takes to get from one end of the T to the other."


The whole event is sponsored by the Mill 6 Collaborative.

A Theory on the MBTA-MIT Controversy

Why did the MBTA sue the MIT students who exposed their Charlie Card problems and not the vendor of their system? A plausible theory:

As Chris stated in his own article, “…Doesn’t this seem backwards to you? Shouldn’t the MBTA be suing the vendor who sold them the flawed system? Security problems go away by mandating independent security testing before a product is accepted, not by trying to get security researchers to be quiet. This is a good example of how the reactive approach doesn’t work. The flaws are still in the system and suing researchers has just shined a bright light on them…” - Unfortunately, in a typical bean-counter response to a threat to the profit model, this comes down to protecting an expensive investment and in a free market economy, the investment many times wins over blatant, slap-you-in-the-face logic.

Although to the observer it makes more sense to attack the source of the problem, profits reside in the path of the easiest hill to overcome. I would speculate that it was determined the three MIT researchers were the less likely candidates to put up any relevant fight equaling less expense long-term in costly litigation as opposed to a well-funded vendor who would be adamant and ferocious about protecting their own bottom-line. This means that from a budget perspective, the corporation will traditionally move towards the least cost initiative counting on their shark-like aggressiveness to payoff - they didn’t count on the MIT students to be resilient, spiny blowfish… ouch.

This fits in with Bruce Schneier's essay on the MBTA issue that we posted about recently.

Bruce Schneier on the MBTA


The always-interesting security guru Bruce Schneier provides an essay on the lessons of the MIT-MBTA security issue:

"This preference for secrecy comes from confusing a vulnerability with information about that vulnerability. Using secrecy as a security measure is fundamentally fragile. It assumes that the bad guys don't do their own security research. It assumes that no one else will find the same vulnerability. It assumes that information won't leak out even if the research results are suppressed. These assumptions are all incorrect.

The problem isn't the researchers; it's the products themselves. Companies will only design security as good as what their customers know to ask for. Full disclosure helps customers evaluate the security of the products they buy, and educates them in how to ask for better security. ***

In a world of forced secrecy, vendors make inflated claims about their products, vulnerabilities don't get fixed, and customers are no wiser. Security research is stifled, and security technology doesn't improve. The only beneficiaries are the bad guys."

This seems particularly on point because it appears that the MBTA didn't understand the vulnerabilities of the product they had purchased in order to implement the Charlie Card. 

MIT Students Free to Speak on MBTA Security Flaws

A federal judge refused to extend the MBTA's injunction against 3 MIT students who discovered security issues with the MBTA's fare card system.

"Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: that the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses.

Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA.

On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer "transmission." Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system. Lawyers for the MBTA claimed Tuesday they had proof the students had violated the law, but stopped short of specifying what they did."


MBTA's Lawyer

The MBTA's lawyer, Ieuan Mahony, tries to defend the agency's position, although he doesn't come across that well in this clip with Harvey Silverglate and Hiawatha Bray.

MBTA Gags MIT Students But Not EFF

The MBTA's restraining order prevents the MIT students who exposed lax security and Charlie Card problems from speaking. But the Electronic Frontier Foundation is pointing out its problems with the MBTA's descriptions.

"Yesterday, the Massachusetts Bay Transportation Authority issued a statement to CNET that misrepresents the facts leading up to the MBTA's lawsuit against three MIT students. The statement said:

A week ago, the MBTA learned about the presentation to be made at the conference, and immediately contacted MIT. At a meeting last Tuesday involving all the parties, MIT staff and the students agreed to provide the MBTA with a copy of the presentation. After several days passed without getting any information from MIT, the MBTA had no choice but to seek assistance from a federal court judge on Friday. At 4:30 a.m. on Saturday, the presentation was finally provided to the MBTA. Staff is thoroughly reviewing the information to determine if there is any degree of substance to the claims being made by the students.

The MIT students would like to clarify a few facts:

  • The MIT students, through their Professor Ron Rivest, initiated contact with the MBTA. The students wanted to let the MBTA know what they found and wanted to provide some ideas about how to fix the system.

MBTA Leaves Doors Open

While the Electronic Frontier Foundation continues to move forward with the appeal process for the MIT students who exposed the significant flaws in the MBTA's Charlie Card, we agree with Harry Lewis that the MBTA's time would be better spent locking their doors than trying to control information that is widely available. (Slide of unlocked doors from the DEFCON presentation.)

MBTA Tries to Cover Up Charlie Card Vulnerabilities Exposed by MIT Students

Last week we wrote about Zackary Anderson's warcart, used in research into security flaws in the MBTA's Charlie Card that would allow the cards to be copied or value to be added without payment. Anderson and two other MIT students were due to give a presentation on the issues at the DEFCON hacker convention. Now the MBTA has sued the 3 students to prevent the presentation from going forward.

"The lawsuit surprised many DEF CON attendees, who are accustomed to relatively cordial relations with software companies who are informed of security holes. It also surprised the students, who said they had until then gotten positive reactions from the MBTA."

Is It Getting Harder to Ride for Free on the Green Line?

The MBTA is trying to make sure all riders pay on the Green Line, where enforcement has been hit-or-miss.

"Tired of paying the MBTA fare? Try a ride on the Green Line, where customers routinely board without paying.

"There's so many times when you get on the T and you're like, well, the train keeps running and I haven't paid in a week and a half. I mean I've heard people say that," said 21-year-old Boston University student Dena Lewittes, who pays monthly for a Linkpass."

New Blue Line Trains

New Blue Line trains come into service:

"The transit agency on Wednesday unveiled the first of 94 new subway cars that will replace the current fleet of 70 cars that are nearly three decades old.

The new cars will come into service over the next 18 months."

RFID Chips in Charlie Cards Hacked

The MBTA's Charlie Cards use RFID chips, and now a UVA student has hacked those chips, raising questions about the security of these cards and the MBTA itself.

"New research that shows smart cards with encrypted RFID chips might not be as secure as previously thought is raising concerns in Boston, where the subway CharlieCards use just such technology. The research raises the specter of thieves with $1,000 worth of equipment cracking smart card encryption and making counterfeit cards to do everything from swipe fares to gain access to high-security areas.

***

The particular RFID chip in question – the Mifare Classic, of which a billion-plus have been sold – is made by Philips spinoff NXP Semiconductors, which has been widely quoted saying that only a portion of the cryptographic algorithm has been obtained by the researchers. (The researchers have not fully disclosed their method in an effort to keep those with bad intentions from copying them.) Security experts have known all along that such chips, which generally cost less than a dollar, were crackable, but didn’t realize it could be so economically feasible."

MBTA Manager Daniel Grabauskas on Radio Boston

MBTA Manager Daniel Grabauskas will discuss MBTA issues and problems on Radio Boston's Feb. 29th show "Is the T on Track?" 

You can send in your comments to discuss with Grabauskas.

MBTA loses $55 million on debt derivatives

"'It appears the MBTA was willing to accept short-term cash for long-term debt,' said [State Auditor Joe] DeNucci, 'and then paid millions of dollars in termination fees when the interest rates changed and became unfavorable to the authority.'”

***

“'These rate swaps were highly speculative, risky and complex, and have proved costly to the riders who are paying increased fares and the taxpayers who subsidize the MBTA,' said DeNucci."

How long until a rate increase?

MBTA commuter line pioneers WiFi trains in US

The MBTA will begin to provide free WiFi service on trains on the 45-mile Worcester-Framingham-Boston line this week, with plans to eventually extend service to all commuter lines.

"The Worcester-Framingham-Boston line, [Lt. Gov. Timothy P. ] Murray said, is a good place to start testing the service, in part to make up to commuters for some of the problems with periodic delays. 'This is a way to mitigate some of the problems we have had over the last year as we try to improve service, and we really want to bring it to the whole commuter rail system,' he said."

A great idea for using that dead time on the train. Will the spread of WiFi on commuter trains and other public transport help to speed the decline of paper newspapers? Interesting that commuters noticed the WiFi as it was being tested, before any official announcement.

While trains overseas have WiFi, this is an apparent first in the U.S.

"This would likely be the largest deployment of train-based Wi-Fi outside of Europe, where GNER in the UK and SJ in Sweden have a couple dozen trains on a small number of lines unwired. This trial uses Sprint’s EVDO service through an external antenna mounted on each car; 45 coaches are currently set up for Wi-Fi. The authority has already received piles of enthusiastic comments. No word on which service provider (if any) is involved among the several companies that unwire trains." (There's more technical info from WiFi Net News on the plan for the aficionado.)

(via Engadget)

Why Medford is divided about the Green Line extension; Will Medford become Somerville or Arlington?

Why Medford is divided about the Green Line extension: some look forward to higher property values; others worry about gentrification, crowding, and noise. Will Medford become Somerville or Arlington? And behind all those issues is frustration that residents have "been given little chance to provide input to a project that seemed ordained by officials elsewhere."

Interesting article on the uniqueness of the Boston subway system

Interesting article on the history and the uniqueness of the Boston subway system.

The Mattapan Line and its beautiful old trolley cars.

The Mattapan Line and its beautiful old trolley cars. The picture at left is by Richard Panse, with more gorgeous pictures at Subchat. You can also see more of his great photography at Railroad Picture Archives.net.

The cars themselves are rare gems of public transport, holdovers from a golden age of urban trolleys: 

"The President's Conference Committee car is truly a survivor. It had certainly done what the designers had intended- to serve reliably in everyday rapid transit service. So well-designed are these cars, that they often serve for more than one owner for years at a time. It used to be that most major cities in America had large fleets of these cars in service. With the retirement of Newark's fleet in 2001, that only leaves San Francisco and Boston as the only regular operators of the streamlined trolleys.

Once the backbone of Boston's streetcar and subway lines, the PCC is now limited to a unique shuttle operation serving some of the south suburbs. The Mattapan High Speed Line is one of the few places where you can still ride a PCC in regular service. A free shuttle service tacked onto the end of the Ashmont terminal of the MBTA Red Line, the ride is like a step back in time.

__

The fleet consists of 11 cars, all originally built for Boston under a wartime construction contract with Pullman-Standard, and were delivered in 1945-46. A recent rebuilding program is restoring these cars to their original appearance, including the original 1950's orange-and-cream MTA scheme."
