Massachusetts Bay Transportation Authority v. Anderson et al

Filing 56

DECLARATION re 50 MOTION for Preliminary Injunction Third Supplemental Declaration of Ieuan G. Mahony by Massachusetts Bay Transportation Authority. (Attachments: # 1 Exhibit 1, # 2 Exhibit 2)(Mahony, Ieuan-Gael)

EXHIBIT 2

T hacking exposes a deeper clash

Where agency sees attack, MIT students talk of constructive exploration

By Michael Levenson, Globe Staff | August 18, 2008

Recent inventions to emerge from the workshop of Zack Anderson include the "Killbot," a radio-controlled robot with a "1,500,000-candlepower spotlight to blind the victim," a bullhorn "to terrify victims," and a spinning drill bit "to bore through obstacles."

Anderson, a 21-year-old electrical engineering major at MIT, has also designed a security system for his workshop that features sirens, flashing lights, and a digitally altered recording of his voice bellowing "Intrusion detected! Initiating auto-lockdown sequence!" and "releasing toxin into atmosphere!"

Impressive stuff. But it's not generating half the attention as his project for Professor Ronald L. Rivest's Computer and Network Security class last semester. That endeavor, for which he earned an A, has gotten the fresh-faced senior from Beverly Hills, Calif., a visit from an FBI agent, an MBTA sergeant detective, nationwide press attention, and a starring role in a federal lawsuit.

Anderson, along with his freshman-year roommate, R. J. Ryan, 22, and another student in the class, Alessandro Chiesa, 20, claimed in their project to have developed a way to hack into the MBTA's recently installed $180 million automated fare-collection system and provide fellow hackers with "free rides for life."

Not surprisingly, the T was not pleased to learn of the development. The agency, which is strapped for cash and contemplating a fare increase in 2010, successfully sued the students to prevent them from presenting their findings at DEFCON, a hacker's convention that recently drew more than 6,000 people to the Riviera Hotel and Casino in Las Vegas.

The trio face a hearing in Boston's federal court tomorrow when a temporary restraining order keeping them from releasing their findings expires. The T, which did not return calls for this story, has said the students' findings could cause "significant damage to the transit system." The agency has also sued MIT, saying the institute failed to teach its undergraduates "to responsibly disclose information concerning perceived security flaws."

The students strongly disagree, and their case has electrified the cowboy community of hackers, where the line is often blurry between those who break into a system so the system's flaws can be exposed and patched and those who crack into a network merely to create mischief.

"It was all the discussion at DEFCON," said Dave Marcus, security research and communications director at McAfee Avert Labs in Santa Clara, Calif., who attended the Aug. 8-10 convention. "Anytime you suppress research, it goes through the research community like wildfire. We can all feel like 'the man' is coming down on us as security researchers."

Anderson said the MBTA should consider his project an opportunity to improve security. He says the students omitted enough key details from their 87-page PowerPoint presentation, titled "anatomy of a subway hack," that others would not be able to program free rides onto their CharlieCards.

The students also say that after they were visited by FBI agent Jacob Shaver and MBTA Sergeant Richard Sullivan on Aug. 4, they gave the MBTA a confidential "vulnerability assessment" so the agency could fix the gaps in its fare-collection system.

"It wasn't to enable others to get a free fare or cause any sort of havoc," Anderson said, calling over the Internet from Mexico, where he was on vacation last week. "It was really to show how major the issues are in this system, which also might resonate in many other systems around the world."

Anderson - who got his first computer (a Compaq Presario) in the fourth grade, taught himself QBasic, a programming language, in the sixth grade, and started building robots in the eighth grade - said part of the motivation for the hack was the challenge.

"I've always been interested in electronics," said Anderson, who grew up scouring alleyways for discarded machines. "Ever since I was a little kid, I would take things apart to see how they work."

These days, he proudly calls himself a hacker.

"If a lot of people think hacker, they think of someone who illegally breaks into systems," he said. "I don't at all think that's what hacker means. I think hacking is a culture of curiosity and exploration and learning and building and creating new things."

Hackers say they generally divide into three camps: do-gooder "white hats," nefarious "black hats," and "grey hats," who fall somewhere in between. Some say the MIT students' project might fall in the middle of the ethical gray scale.

"I can understand the MBTA's response," said Joe Grand, a 32-year-old hacker who calls himself Kingpin and was part of a 1990s hacker crew in Boston called L0pht Heavy Industries. "Nobody likes to have their work broken and publicly announced. I also agree that people need to know about systems that are broken. So there is definitely a fine line."

The students' PowerPoint presentation includes photos of MBTA police badges and hats that they purportedly bought on eBay, diagrams showing how to reprogram a CharlieCard to contain $653 in value, and cheeky warnings that "this is very illegal! So the following is for educational use only!"

Eleven computer scientists have signed a letter arguing that to block the project "could have a devastating chilling effect" on future research.

"Discussing vulnerabilities and discussing problems that are out there improves security as a whole," Anderson said. "When you put things out in the open, other researchers can look at them and see how these things can be fixed."

Chiesa declined to comment for this article. Ryan did not respond to messages. But Anderson said the trio hopes to resolve the battle with the T and move on to other projects.

He said he eventually wants a career "building and growing companies," and noted that he is working on a new endeavor, a socially conscious start-up company that will seek to convert heat from a car's shock absorbers into energy for the engine.

"Definitely," he said. "It's a lot more rewarding to work on a problem that's going to help people."

Michael Levenson can be reached at mlevenson@globe.com.

© Copyright 2008 The New York Times Company

http://www.boston.com/news/local/massachusetts/articles/2008/08/18/t_hacking_exposes_... 8/18/2008
