Posts from August 2008.

I don’t think you thought your cunning plan all the way through…

From the Boston Globe (emphasis mine):

A junior at Needham High School posted students’ schedules and identification numbers and teachers’ classroom rosters on his Facebook account after hacking into an online student information system, school officials said yesterday.

The MIT Flea, Hamfests, and the ever-shrinking tech flea market

I have always been a fan of the Flea at MIT. A Cambridge institution, I can remember being introduced to it my freshman year at college with the promise of cheap computer equipment. It did not disappoint and it instantly turned me into a die-hard flea market rat. I would arrive an hour before the gates opened to get up in the front of the line. My arrival time, while inconvenient, would almost always pay off: by the time the gates opened, the lines would stretch down around the block. I would sometimes be starting my second loop around and still see people waiting in line to get in. I reveled in the smell of musty electronic equipment; haggling with vendors, rummaging through boxes, and lugging home backpacks full of electronic junk that would deck out my dorm room. It was a six-story parking garage of nerdvana.

After moving down to New Bedford, the logistics of getting up to Cambridge became more complicated. Because of that, coupled with the fact that I now had to store all my tech in a much smaller room, I started going to the flea only occasionally. Yesterday, I drove up with Steve, KB1MEH, to my first flea of the year, and I was blown away at how small the flea had become. While the outside was filled with the usual vendors, and there were quite a few deals there, what was once a parking garage nearly filled to capacity didn’t even have a complete floor filled. Steve informed me that it was a similar scene the month before when he went.

On the ride home, I thought to myself about the proclamations of “Ham Radio is dying!” and the subset of that, “Hamfests are dying!”, and wondered how they applied to the Flea. While the Flea can be classified as a “Hamfest” and you can often find radios for sale, the amount of computer gear outnumbered the amount of radio gear easily 4:1. What did this mean?

After some thought I came to a conclusion: What we are seeing is the mainstreaming of computer gear that occurred in the early 2000s. Computers are now a consumer technology and the vast majority of consumers are likely to toss them out at the end of life. Since older technology has a very limited life-span, the glut of “vintage” technology for sale in the late 1990s and early 2000s is now completely worthless and is likely to join its older counterparts in the recycling center or dump. What doesn’t will likely make its way to eBay or Craigslist rather than a flea market, as it is a lot easier to post an ad online than to set up shop at a flea market that smells of BO and musty electronics.

I think we may be seeing the same thing on the Hamfest side. With the more non-user-serviceable nature of new radios, when they break, it can often be cheaper to replace them rather than fix them. Since this is leading to a shorter life-span for radios, and given the convenience factor of online marketplaces, we will likely see flea markets, tech or otherwise, continue to shrink.

I am very happy that I nabbed some cheap ceramic insulators and some more connectors for my budding projects, though.

Anatomy of a Subway Hack – Banned in Boston!

NOTE: This weblog, and especially this post, is my own opinion and has nothing to do with my employer.

If you’ve been paying attention to the usual DEFCON brouhaha this weekend, you’ll note that my fine public transportation system decided to file an injunction against 3 MIT students who tested the MBTA’s security and successfully reverse engineered the Charlie Card. Too bad the presentation deck had already been released. Whoopsie!

As a surly information security engineer and a regular MBTA rider, I feel that I can more-or-less discuss with some authority the issues discussed in the presentation deck.

First, the physical security issues they discuss are spot on. As any regular rider of the MBTA knows, there are near-constant issues with “exit only” doors unlocked or left wide open and people zipping through open gates when someone is exiting. The MBTA “customer service agents” either ignore it or flat-out don’t care. On the Green Line (which are trolleys, for you non-Bostonian folk) people regularly get on via a rear door, completely bypassing the fare collection system up front. Hell, even the MBTA Police seem to not want to deal with it. As someone who drops $250/month on the MBTA, I am the one who ends up getting screwed.

Social engineering the employees is always one of the biggest issues and the hardest to protect from. As shown in the deck, one can hit up eBay and make oneself into a true blue MBTA employee. I’ve seen firsthand (badly) forged MBCR (MBTA’s commuter rail contractor) credentials being used by people to scam free rides. The MBTA spends big bucks on their Anti-Terrorism education campaigns; perhaps that would be better spent in educating their employees to do the same and teaching them to start securing their infrastructure. They should also start classifying their information and at least try to keep “non-public” information somewhat private.

The Charlie Card issues are trivial. I long suspected that the stored value cards were similar to the New York Metro Card and would be vulnerable to a cloning attack or could be easily reverse engineered. These guys sat down and did it. From what I can glean regarding the RFID attack, the encryption key is trivial to crack and can be brute forced rather quickly. Had the MBTA opted to go with a more secure RFID system, this would be a lot harder to break, and from the sounds of it, more secure fare collection systems exist.

I’m somewhat pleased at the local media coverage on this. They seem to be painting a fair picture of the situation. So, kudos to them.

In my not so humble opinion, the MBTA is 100% in the wrong on this. The judge should not have issued the gag order and the presentation should have gone forward. By doing so, the MBTA squashed discussion on its security, and has made itself even less secure in the process.

UPDATE: Apparently k4sac from twitter submitted this to digg. If you liked the post, consider feeding my ego and giving it a bump.