Just a little background: a group of MIT students hacked the MBTA’s (known as the “T”) “CharlieCard” stored-value RFID system and attempted to publish a paper on their findings at the recent DEFCON event. They were slapped with an injunction/lawsuit, and MIT was also named in the suit. The injunction was lifted yesterday, with the judge citing misapplication of a computer fraud law as the reason. So the students are free, for the moment anyway, to proceed.
How one comes down on this issue depends upon one’s view of the role of the hacker in society. Hackers, to use the term loosely, are nerds who experiment with a given technology, probing its limits. “Ethical hackers” seek out flaws in security and other elements, reporting their findings to those who employ them so as to fix the problems before they reach the scale of the MBTA case. The MIT students were not employed by the T, and so it is their ethics that are ultimately in question here.
My personal view is that anyone finding a security flaw in any system should report the flaw to the system’s operator so that it can be repaired. Once the repair is complete, the finder of the flaw should have the right to publish, and get the credit for the discovery. This kind of recognition is really all that most hackers crave anyway, separating them from the much-more-dangerous professional information thieves, who have no ethics and are purely in it for the money. So, hackers can play a useful role and should be stifled only to protect others (like us taxpayers) from their otherwise unchecked over-exuberance – and information thieves deserve the recognition they will get with other thieves, in prison.
The problem here is that the MIT students positioned their discovery not as a flaw to be fixed, but rather as a way to get free rides on Boston’s subway system. That would be theft, putting them – and anyone using the knowledge they generated to steal from the MBTA – into the category of thieves. Now, having been a college student myself, I think it’s safe to say that this class of hacker doesn’t always see the ethical dilemma here. Being perpetually just this side of broke moderates the very definition of theft, especially from a big government bureaucracy.
And it is with that bureaucracy that the problem really lies. The MIFARE Classic contactless smart card at the heart of the MBTA’s RFID system has known security problems. It should never have been deployed, at least not in its present form – sure, there’s no such thing as absolute security, wired or wireless, but there’s also no excuse to spend hundreds of millions of dollars of the taxpayer’s money on half-baked solutions that don’t work, period. While, again, stealing is of course ethically wrong, the MBTA IT staff thus have no one to blame but themselves for the current state of affairs.
I’d lecture the MIT kids on ethics, but otherwise let them go. They’ll be paying massive taxes on their huge incomes in the future, truly the best punishment of all. And I’d bet they’ll be building really good wireless security systems for us someday, or perhaps even running the MBTA. And they won’t make the mistakes that the current management team should have foreseen.
Copyright © 2008 IDG Communications, Inc.