To figure out how the payment system worked, Grand hooked up an oscilloscope to a parking meter and monitored what happened when he used a genuine payment card. He then analyzed that data by hand, and wrote a software program that would emulate the smart card. After some trial and error, he finally figured out what his program needed to say to the meter in order to work. Then he built a card that would replay the same data, using a programmable smart card called a Silver Card.
A replay attack? Someone hasn't figured out encryption yet...
In a general smart card system, neither the card nor the reader it's inserted into is supposed to trust the other, as either could be a fake.
Further, the mechanism used to establish the trust (e.g. challenge-response) could be observed by a "man in the middle", so should be designed to resist replay attacks.
Yet it's scary how easy it is to get this wrong -- e.g. some of the satellite TV conditional access hacks came about as a result of random number generators always yielding a predictable (short) sequence, facilitating a basic replay attack without the hackers even realizing there was an otherwise-passable challenge-response at work.
Even more scary, on a related note, not that long ago I witnessed the implementation of a network security "protocol" for a rather prominent US defense contractor, where the latter insisted that authentication was to be achieved by encrypting an access password with AES256 using a static shared secret, refusing to allow any type of challenge-based auth, and failing to see any problem with always encrypting the same plaintext with the same key (which obviously yields the same result on the wire every time, making it a breeze to replay without needing any understanding of the underlying "encryption").
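The three designs the two comments above contrast, modelled as an added example (this is constructed illustration code, not from the thread or from any of the systems it mentions): a fixed password encrypted under a fixed key, a challenge-response whose "random" challenge comes from a short repeating sequence, and a challenge-response with unpredictable challenges. HMAC-SHA256 stands in for the keyed transform so that only the standard library is needed; the property that matters (same key plus same input gives the same bytes on the wire every time) holds just as well for AES under a static key. The key, password and challenge period are made-up sample values.

```python
"""Replay-attack toy model (constructed example, not code from the thread).

Three verifier designs:
  1. static: a fixed password transformed under a fixed key, no challenge;
  2. weak challenge-response: the challenge cycles through a short sequence;
  3. strong challenge-response: a fresh CSPRNG nonce for every session.
An eavesdropper records one legitimate session and re-sends what it saw.
"""
import hashlib
import hmac
import itertools
import secrets
from typing import Iterator, Optional, Set

SHARED_KEY = b"constructed-static-shared-secret"  # constructed sample value
PASSWORD = b"letmein"                              # constructed sample value


def keyed(key: bytes, data: bytes) -> bytes:
    """Deterministic keyed transform standing in for 'encrypt with a static key'."""
    return hmac.new(key, data, hashlib.sha256).digest()


# --- Design 1: static transform of the password, no challenge ---------------

def static_token(password: bytes) -> bytes:
    """What the client puts on the wire; identical for every session."""
    return keyed(SHARED_KEY, password)


def static_verify(token: bytes) -> bool:
    return hmac.compare_digest(token, keyed(SHARED_KEY, PASSWORD))


def replay_static() -> bool:
    """Capture one token from a real client and re-send it: accepted?"""
    captured = static_token(PASSWORD)
    return static_verify(captured)


# --- Designs 2 and 3: challenge-response; security rests on the challenge ---

def weak_challenges(period: int = 4) -> Iterator[bytes]:
    """A 'random number generator' that cycles through a short fixed sequence."""
    return itertools.cycle(i.to_bytes(16, "big") for i in range(1, period + 1))


def strong_challenges() -> Iterator[bytes]:
    """A fresh 128-bit nonce from the OS CSPRNG for each session."""
    while True:
        yield secrets.token_bytes(16)


def client_response(challenge: bytes, password: bytes) -> bytes:
    """The legitimate client binds its answer to the verifier's challenge."""
    return keyed(SHARED_KEY, challenge + password)


class ChallengeVerifier:
    """Issues challenges and checks responses; optionally refuses reused ones."""

    def __init__(self, challenges: Iterator[bytes], remember_used: bool = False):
        self._challenges = challenges
        self._remember_used = remember_used
        self._seen: Set[bytes] = set()

    def challenge(self) -> bytes:
        return next(self._challenges)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if self._remember_used:
            if challenge in self._seen:
                return False  # a challenge is good for exactly one session
            self._seen.add(challenge)
        return hmac.compare_digest(response, client_response(challenge, PASSWORD))


def replay_attempts(verifier: ChallengeVerifier, attempts: int) -> Optional[int]:
    """Record one legitimate session, then re-send its response to fresh
    challenges. Returns the attempt number at which the replay is accepted,
    or None if it never is within `attempts` tries."""
    c0 = verifier.challenge()
    r0 = client_response(c0, PASSWORD)      # the eavesdropper sees c0 and r0
    assert verifier.verify(c0, r0)          # the real session succeeds
    for n in range(1, attempts + 1):
        c = verifier.challenge()            # verifier picks the challenge
        if verifier.verify(c, r0):          # attacker can only re-send r0
            return n
    return None


if __name__ == "__main__":
    print("static token replayable:", replay_static())
    print("weak RNG, no memory:", replay_attempts(ChallengeVerifier(weak_challenges(4)), 10))
    print("weak RNG, memory:", replay_attempts(ChallengeVerifier(weak_challenges(4), True), 10))
    print("strong RNG:", replay_attempts(ChallengeVerifier(strong_challenges()), 10))
```

With the period-4 sequence the captured response is accepted again on the fourth session, exactly the failure described for the satellite receivers; with unpredictable nonces it is never accepted. Remembering issued challenges blocks the replay even against the weak generator, but with a period of 4 it also locks out legitimate users after four sessions, so it is a second line of defence rather than a substitute for a real random source.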
I attended a talk by Chris Tarnovsky at last year's Defcon. It was the best talk I went to, and the main reason why I resolved to go back to Defcon -- unfortunately I won't be able to attend this year, but if anyone from here is going, I advise you not to miss his presentation.
Actually, this is definitely Hacker News. Finding a way inside a system and beating it is interesting and clever. Actually doing so improperly is illegal and immoral, but that doesn't make the act of security penetration any less "hacker worthy."
My response was not to the technological achievement, but to the ethics of it. I am always unimpressed with doing wrong things, no matter how impressed others are.
Many people here at hn are capable of impressive cracking, but choose not to even go that way. I'm sure there are systems out there I could crack if I tried, probably quite a few for financial gain. But I dare not go there. That's one cherry that will never be popped.
Say what you will about the technical merits of individual feats, but I'm much more impressed with someone who tackles the problems of other people and goes to work every day building something of use rather than shooting fish in a barrel, which much cracking is.
I stand by every single word I wrote. In fact, it's one of my favorite posts. Since crackers often do what they do to impress their peers, perhaps we should all just be unimpressed so that they can channel their energy into something more useful.
I didn't know what to expect when I made that post, but I have to say I'm disappointed. Why am I so often the only responder who has a sense of right and wrong?
Thanks Thomas, for providing me an opportunity to explain with the only reply that was suitable.
Sometime in the next N*10 years I'm going to end up in the same city as you, buy you a drink, and by the time you finish that drink you will have conceded that what Joe and Jacob did was praiseworthy and impressive. Doubt me? Raise the stakes: I'll bet you $100.
Wait, what? I'll take that bet. I'll eagerly agree that it was praiseworthy and impressive, but I'll hold off on doing so until after I've finished any quantity of alcohol that you're able to purchase for less than $100. If you doubt me, then I think we've found an interesting new variant on Eliezer's AI box experiment.
You're on. Hopefully WITH city = "Mountain View" && N = 1.
Warning: I'm "ethically" required to disclose that I'll be ordering a double Goldschlager top shelf Long Island Iced Tea, so I won't mind losing that bet :-)
"Pomposity" is the last word people who know me would use to describe me. I guess my writing continues to convey unintended meaning. One of these days, people will interpret exactly what I meant. Until then, I'll keep trying...
I was referring to the impression your writing (specifically the quoted sentence) conveys (as I said, the rest of the post is well crafted), which is why I called it out. If I thought you were really pompous, I wouldn't spend the time or bandwidth. Just think of it as purely subjective "tone check" feedback from a well wisher.
"Why am I so often the only responder who has a sense of right and wrong?" is a (relatively) off kilter question. Others do have a "sense of right and wrong". Whether that matches your "sense of right and wrong" exactly is a more subtle issue.
"If I thought you were really pompous, I wouldn't spend the time or bandwidth."
Neither would a prospective customer or investor. I'd just always wonder what happened. Fortunately, hn provides a good safe place to practice. Thanks for the lesson, plinkplonk.
Which would be appropriate, except the guys in the story didn't "take from others". They analyzed the system, found a flaw, and told the city about it. Moreover, they are not telling other people how to hack SF's specific system, nor does the story imply that they are continuing to make or use the "free" cards. If it turns out that other people are already secretly using this technique, the researchers may have saved SF and other cities a lot of money.
My Aunty shoulder surfed me the other day .. "you're not one of those there hackers are you [...]". So I got a chance to explain hackers vs. crackers for the 100th time.