MIT hackers make Massachusetts officials nervous at Defcon


This article was published in Scientific American’s former blog network and reflects the views of the author, not necessarily those of Scientific American


The annual Defcon computer security conference might be relabeled as the Woodstock of corporate paranoia.

It seems like almost every year one or more academic researchers get in trouble with the law for presenting a paper that corporations contend will result in security breaches that will bring on Armageddon. A few days ago, a U.S. District Court in Massachusetts issued an injunction to prevent three MIT students from presenting “Anatomy of a Subway Hack” at Defcon in Las Vegas, a chronicle of how the students demonstrated numerous vulnerabilities in the Boston subway system that would enable, for instance, someone to change a $1.25 fare card to one worth $100.

The students notified the Massachusetts Bay Transportation Authority of their intention to present the paper (from Wired), and authority officials hit the panic button. What came next was just as predictable. By the time the injunction was issued, the offending PowerPoint presentations had already been distributed to conference attendees and were already up on the Internet.

The whole world could check whether the work of these MIT pointy heads could match the craft of Olympic gold medalists from Bulgaria, Moldavia and other former Soviet satellites where the economies seem to run on hacking in the same way that Humboldt County in northern California depends on a certain monoculture.

There is a better way. Known as the Johnson & Johnson defense in professional football (or in Tylenol marketing), the best riposte for the authority would have been to publish the presentation on its Web site, save lawyer costs (allowing officials to mouth perfunctory statements about keeping fares down and preventing climate change) and then hire the students who wrote the paper as security consultants. Judges, lawyers and chief executives need to take a half-day (or half-hour) course in which they are reminded that it is impossible to combat the nanopore leakiness of the Internet.

Check out this CNET story, which includes a link to the students' description of what they did.

 

