The Tech (MIT student newspaper) publishes the banned DEFCON slides

144 points by pius almost 17 years ago

17 comments

dcurtis almost 17 years ago
Epic. That's all I can say.
The amount of work that went into this is awesome. They're hacking real life.
pius almost 17 years ago
Context: http://blog.wired.com/27bstroke6/2008/08/injunction-requ.html
rantfoil almost 17 years ago
Incredibly cool. How could they possibly think they could just put the stored value on the card itself, unencrypted? I always assumed the card was just a token that refreshed some database on their end, instead of stupidly storing it in hex right there on the card stripe.
aspirant almost 17 years ago
Look at the man on the Charlie Card. Seriously, go look.
See him leaning out of the window with that mocking grin, waving his forged card in triumph and thinking, "Suckers!"
babul almost 17 years ago
Awesome social and software hack.
Just hope the media and security services (and alarmists) in general don't use it to go on about anti-terrorism and how we are all under constant terrorist threat (and push more anti-terror measures).
andreyf almost 17 years ago
Make sure to pay in cash for any cards that you alter...
fnazeeri almost 17 years ago
Brilliant! Like the warcart, particularly the smoke grenade!
projectileboy almost 17 years ago
First off, let me say that I thought this presentation was cool as hell - a holistic view of security, showing all the various weaknesses, with cost/value. Very, very well done.
Having said that, I also have to say that there's an underlying attitude that often exists from folks showing off security loopholes that bugs me - "we're just showing all the ways in which this system sucks, so we're really the good guys." Right. And if I walk up to you on the street and stab you in the eye with my pen, I'm just showing you how vulnerable you are by not wearing body armor and a helmet with a face shield.
jrockway almost 17 years ago
It's nice that they used the GNU Radio for their attack. I was planning on doing this with Chicago's "Chicago Card", but didn't have the money for a USRP when I was in school. (And, there was no research budget for undergrads.)
I am seriously tempted to buy one now, though.
mindslight almost 17 years ago
I opened the slides only expecting the analysis of the contents and security vulnerabilities of Charlie cards. As it's easy to exploit a broken fare collection system with little risk (perhaps even commercially), this design shows serious negligence on the part of the MBTA. Kudos to them for figuring out something every Boston hacker was casually wondering about.
However, these slides go beyond that, briefly covering many avenues that seem to be more aimless mischief than serious analysis. Most of the slides remind me more of the Anarchist Cookbook than a vulnerability disclosure. I wonder why they didn't include the "hop over the gate" and "pay with counterfeit money" exploits?
andreyf almost 17 years ago
I still wouldn't use a modified MTA card - cameras are pointed at every turnstile, and swipes could be logged with card id/money left on card. From a master log, it would be pretty trivial to find any inconsistencies and id you from the tapes...
DanielBMarkham almost 17 years ago
Kudos -- especially for the RFID work. Decidedly non-trivial.
lpgauth almost 17 years ago
I took the bus yesterday and they just started rolling out a new magnetic card system. I was actually thinking of buying a card reader off ebay and trying to reverse engineer it.
emmett almost 17 years ago
Bug: the scribd link seems to point to the pdf as well.
sh1mmer almost 17 years ago
It would be useful to indicate that the link was a pdf. Maybe it's because I haven't had a coffee yet today, but the [scribd] in the title made me think the whole link was going to scribd not a PDF.
chris_l almost 17 years ago
So what's the phantom meeting exploit?
mynameishere almost 17 years ago
Okay, this is evidently about people stealing subway fares or some shit. I nodded off about 3 slides in, so I could be wrong. Correct me if I'm wrong, do.
Still, I'm glad to know what the best minds of my generation are up to: utilizing their magnificent collective genius to steal the occasional nickel. The occasional dime. Great work, guys. Here's a quarter. Einstein always held out for the quarters...
Here's a tip: Just pay the goddamned fare and get some real work done. Thanks.
Seymour Cray [iirc] had an algorithm for buying the best car:
1. Enter dealership.
2. Point at car.
3. Purchase car.
...point is: Don't worry about the trivial parts of life.