False sense of security

August 14, 2008

I’m actually sympathetic to Boston for getting a court order to forbid three MIT students from giving a talk about security problems they found in the subway payment system.  I mean, after the city spent $180m to set up the system, how could those students jeopardize it by revealing the holes in the wall?  Nor is it surprising that city officials didn’t understand the security hole – according to security expert Bruce Schneier, they didn’t do their research, didn’t know how to buy a secure product in the first place.  They fell for a sales pitch.

They want “time” to fix the problem that they don’t even understand yet.  It’s what every company, every half-assed government agency charged with keeping our information safe from identity thieves, says.  The bad guys won’t figure it out if… Shhh!… we just don’t talk about it!

Yeah.  I’m sure Boston will give the problem all the attention it deserves without a spotlight on it. They wouldn’t drag their feet, sweep it under the rug, and just basically forget about it after news reports die down.  Would they?

Categories: Geeky, Security
  1. james old guy
    August 14, 2008 at 12:20 | #1

    I don’t understand the mentality that it is ok to hack into someone else’s system. If Boston had paid MIT to do research as to problems, that is one thing, but doing it just because they can is another. If someone breaks into your house but doesn’t take anything and then tells you your house is unsecure, who has been violated? As far as I am concerned those so-called students should be in jail.

  2. August 14, 2008 at 13:30 | #2

    Well that’s a very good point, and it must be irritating as hell to the BTA.  For the purposes of this post I’m not judging them one way or the other.  The fact is they did it, and they found something very important, and if the long history of corporate and government security is any indication, the problem will not be fixed unless it’s out there where something has to be done.

    Boston certainly should have paid MIT to find security holes, but they believed the sales pitch and being clueless dimwits, didn’t think it was necessary.  Saying “hack a system, go to jail” is satisfying, but the problem is that the bad guys (who really are out to do harm) don’t scare, and are usually impossible to catch.  The best we can do is know about the holes they can crawl in, and patch them.

    Your house or mine are not like the BTA system, though; we don’t keep people’s credit card numbers in our houses.  Corporations and governments do.  They have a much higher, and more public security obligation.

  3. August 16, 2008 at 20:46 | #3

    Speaking as one whose credit card was hacked along with thousands of others from an insecure system in a national chain of stores, I’d rather the white hats warn me than sit through another insincere “oopsie!” speech from paid bureaucrats after the fact. And yes, I do take the “T” on occasion. I still don’t understand what was wrong with re-usable brass tokens. Is it really so much cheaper to produce and clean up all the paper litter from the new system?

  4. August 16, 2008 at 20:49 | #4

    I’m thinking I meant to say “unsecure system” there. I have no information regarding the relative self-confidence of computer systems.
