Posts: 0 · Comments: 120 · Joined: 4 yr. ago

  • You can actually keep it locked and it still works. It just prompts you to unlock it when you press the auto fill button. It also means that it won't show autofill suggestions on the login screen and just a generic bitwarden autofill button. You can change how long it stays unlocked for between immediately to any custom number of hours / minutes or only on app restart.

  • Article text:

    Teens Hacked Boston Subway’s CharlieCard to Get Infinite Free Rides—and This Time Nobody Got Sued, by Andy Greenberg

    In early August of 2008, almost exactly 15 years ago, the Defcon hacker conference in Las Vegas was hit with one of the worst scandals in its history. Just before a group of MIT students planned to give a talk at the conference about a method they’d found to get free rides on Boston’s subway system—known as the Massachusetts Bay Transit Authority—the MBTA sued them and obtained a restraining order to prevent them from speaking. The talk was canceled, but not before the hackers’ slides were widely distributed to conference attendees and published online.

    In the summer of 2021, 15-year-olds Matty Harris and Zachary Bertocchi were riding the Boston subway when Harris told Bertocchi about a Wikipedia article he’d read that mentioned this moment in hacker history. The two teenagers, both students at Medford Vocational Technical High School in Boston, began musing about whether they could replicate the MIT hackers’ work, and maybe even get free subway rides.

    They figured it had to be impossible. “We assumed that because that was more than a decade earlier, and it had got heavy publicity, that they would have fixed it,” Harris says.

    Bertocchi skips to the end of the story: “They didn’t.”

    The Boston subway hackers (from left to right) Scott Campbell, 16; Noah Gibson, 17; Matty Harris, 17; and Zack Bertocchi, 17. Photograph: Roger Kisby

    Now, after two years of work, that pair of teens and two fellow hacker friends, Noah Gibson and Scott Campbell, have presented the results of their research at the Defcon hacker conference in Las Vegas. In fact, they not only replicated the MIT hackers’ 2008 tricks, but took them a step further. The 2008 team had hacked Boston’s CharlieTicket magstripe paper cards to copy them, change their value, and get free rides—but those cards went out of commission in 2021. So the four teens extended other research done by the 2008 hacker team to fully reverse engineer the CharlieCard, the RFID touchless smart cards the MBTA uses today. The hackers can now add any amount of money to one of these cards or invisibly designate it a discounted student card, a senior card, or even an MBTA employee card that gives unlimited free rides. “You name it, we can make it,” says Campbell.

    To demonstrate their work, the teens have gone so far as to create their own portable “vending machine”—a small desktop device with a touchscreen and an RFID card sensor—that can add any value they choose to a CharlieCard or change its settings, and they’ve built the same functionality into an Android app that can add credit with a tap. They demonstrate both tricks in the video below:

    In contrast to the Defcon subway-hacking blowup of 2008—and in a sign of how far companies and government agencies have come in their relationship with the cybersecurity community—the four hackers say the MBTA didn’t threaten to sue them or try to block their Defcon talk. Instead, it invited them to the transit authority headquarters earlier this year to deliver a presentation on the vulnerabilities they’d found. Then the MBTA politely asked that they obscure part of their technique to make it harder for other hackers to replicate.

    The hackers say the MBTA hasn’t actually fixed the vulnerabilities they discovered and instead appears to be waiting for an entirely new subway card system that it plans to roll out in 2025. When WIRED reached out to the MBTA, its director of communications, Joe Pesaturo, responded in a statement that “the MBTA was pleased that the students reached out and worked collaboratively with the fare collection team.”

    “It should be noted that the vulnerability identified by the students does NOT pose an imminent risk affecting safety, system disruption, or a data breach,” Pesaturo added. “The MBTA's fraud detection team has increased monitoring to account for this vulnerability [and] does not anticipate any significant financial impact to the MBTA. This vulnerability will not exist once the new fare collection system goes live, due to the fact that it will be an account-based system versus today’s card-based system.”

    The high schoolers say that when they started their research in 2021, they were merely trying to replicate the 2008 team’s CharlieTicket hacking research. But when the MBTA phased out those magstripe cards just months later, they wanted to understand the inner workings of the CharlieCards. After months of trial and error with different RFID readers, they were eventually able to dump the contents of data on the cards and begin deciphering them.

    Unlike credit or debit cards, whose balances are tracked in external databases rather than on the cards themselves, CharlieCards actually store about a kilobyte of data in their own memory, including their monetary value. To prevent that value from being changed, each line of data in the cards’ memory includes a “checksum,” a string of characters computed from the value using the MBTA’s undisclosed algorithm.

    The hackers figured out how to reproduce a “checksum” calculation intended to prevent the value stored on CharlieCards from being changed, circumventing that anti-hacking protection. Photograph: Roger Kisby

    By comparing identical lines of memory on different cards and looking at their checksum values, the hackers began to figure out how the checksum function worked. They were eventually able to compute checksums that allowed them to change the monetary value on a card, along with the checksum that would cause a CharlieCard reader to accept it as valid. They computed a long list of checksums for every value so that they could arbitrarily change the balance of the card to whatever amount they chose. At the MBTA’s request, they’re not releasing that table, nor the details of their checksum reverse engineering work.

    Not long after they made this breakthrough, in December of last year, the teens read in the Boston Globe about another hacker, an MIT grad and penetration tester named Bobby Rauch, who had figured out how to clone CharlieCards using an Android Phone or a Flipper Zero handheld radio-hacking device. With that technique, Rauch said he could simply copy a CharlieCard before spending its value, effectively obtaining unlimited free rides. When he demonstrated the technique to the MBTA, however, it claimed it could spot the cloned cards when they were used and deactivate them.

    Early this year, the four teenagers showed Rauch their techniques, which went beyond cloning to include more granular changes to a card’s data. The older hacker was impressed and offered to help them report their findings to the MBTA—without getting sued.

    In working with Rauch, the MBTA had created a vulnerability disclosure program to cooperate with friendly hackers who agreed to share cybersecurity vulnerabilities they found. The teens say they were invited to a meeting at the MBTA that included no fewer than 12 of the agency’s executives, all of whom seemed grateful for their willingness to share their findings. The MBTA officials asked the high schoolers to not reveal their findings for 90 days and to hold details of their checksum hacking techniques in confidence, but otherwise agreed that they wouldn’t interfere with any presentation of their results. The four teens say they found the MBTA’s chief information security officer, Scott Margolis, especially easy to work with. “Fantastic guy,” says Bertocchi.

    The teens say that as with Rauch’s cloning technique, the transit authority appears to be trying to counter their technique by detecting altered cards and blocking them. But they say that only a small fraction of the cards they’ve added money to have been caught. “The mitigations they have aren’t really a patch that seals the vulnerability. Instead, they play whack-a-mole with the cards as they come up,” says Campbell.

    “We’ve had some of our cards get disabled, but most get through,” adds Harris.

    So are all four of them using their CharlieCard-hacking technique to roam the Boston subway system for free? “No comment.”

    For now, the hacker team is just happy to be able to give their talk without the heavy-handed censorship that the MBTA attempted with its lawsuit 15 years ago. Harris argues that the MBTA likely learned its lesson from that approach, which only drew attention to the hackers’ findings. “It’s great that they’re not doing that now—that they’re not shooting themselves in the foot. And it’s a lot less stressful for everyone,” Harris says.

    He’s also glad, on the other hand, that the MBTA took such a hardline approach to the 2008 talk that it got his attention and kickstarted the group’s research almost a decade and a half later. “If they hadn’t done that,” Harris says, “we wouldn’t be here.”

    Update 5 pm ET, August 10, 2023: Added a statement from an MBTA spokesperson. Update 11:25 am, August 11, 2023: Clarified when the teens’ meeting with the MBTA took place.

  • Not wanting to use any app that goes to a google server for a lemmy app is being privacy focused. Telling other people their preference in not valuing the same thing is wrong is elitism - saying that no app should do something, and nobody else should use an app that does that thing, because you prefer it that way - that's elitism.

    Sync and the people who like it aren't invalid just because your preference is being privacy focused.

    Along the same lines, it's totally possible to espouse the values of privacy to others without being elitist, as long as you aren't talking down to other people or invalidating other people's preferences, because that's elitism.

  • I find the connect UI to be really similar to Sync. They both group the vote buttons on posts, unlike all the alternatives, which reduces visual clutter and the icons and layout seem well designed in terms of icon and text size and margins looking symmetric (looks less like a backend dev just threw all the buttons vaguely where they're supposed to go).

    One thing connect seems to do better is that collapsing a comment collapses the comment itself and not just the replies (makes it easier to move down a thread by collapsing each root comment). On the other hand, the tap target for re-expanding the comment seems to not extend the whole width of the collapsed comment.

    I'm in a similar boat to wanting the reddit app but cleaner and not buggy. So connect and sync are my top 2 right now. I didn't mind the reddit app UI it was just so buggy and laggy.

  • I just downloaded infinity to give it a shot and I find the UI to be a little rougher around the edges. The most noticeable is the layout of posts on the feed - the icons don't look like they are consistent sizes and the lack of grouping compared to Sync (like having a box around both vote and vote count) makes it look more cluttered. I also think the default theme color (the intense blue color) kinda hurts my eyes because it's too high contrast maybe, so changing that was the first thing I did - I think having a milder default would provide a better out of the box experience.

    I have no major gripes about the base functionality, they're both functional enough for me but the aesthetics of sync win for now. Also it seems like both sync and infinity don't collapse the comment you pressed and only the replies, making it seemingly impossible to collapse top level comments which inconveniences how I read threads, by collapsing top level comments as I go down the thread - long top comments stay expanded so I have to scroll past a lot more.

    Those are my first impressions based on never using either sync or infinity (be it lemmy or reddit) before like this week.

    Edit: Just downloaded Connect too, looks very similar to Sync in level of polish so I think those will probably be my top 2

  • I know so, and clearly so do you since you haven't offered any arguments to the contrary. Besides "nuh uh you're still wrong"... It's so funny that you would pick such a losing argument to troll about though, like why wouldn't you pick a topic where you can better fake that you're arguing in good faith?

  • I mean you're literally the one who asked ¯⁠\⁠_⁠(⁠ツ⁠)⁠_⁠/⁠¯ who am I to deny you the enlightenment. But I assume you're just trolling or have the maturity of a teenager because clearly you're wrong.

    Opnsense / pfsense is practically a business router like what you might find at a university or hospital. In no universe is it comparable to a consumer router, let alone one from Asus.

  • No you can't. You're being silly. They don't even support LACP with more than 2 members out of the box. No gateway groups, no unbound with adjustable cache TTL and cache revalidation. I would know, I switched away from Asus specifically because of its shortcomings, many of which cannot even be fixed by DD-WRT, such as low system memory for the state table, which btw can easily be filled up by torrenting. My opnsense box has a huge state table because I just dropped in 8GB of RAM.

    You only need to look at the Asus router admin interface to see how many more pages of configuration options opnsense has.

  • It would be the case if they implemented authenticated fetch, which is a fediverse protocol that mastodon and some others support, but it's not widely enabled because anything that doesn't support it would get blocked. It basically allows servers to reject fetches from defederated servers, and since lemmy doesn't support it, defederation is somewhat one way since the defederated server can still anonymously fetch new content despite being defederated.

  • I think it's ok. The problem is my wallpaper is a cat so everything material you is like light coffee colored which I don't really like. But I'm too lazy to find a better color that doesn't look worse.

  • I'm not sure if you understood my comment fully since none of the benefits I gave have to do with number of devices. Again, the main reasons I listed are that dedicated router boxes on x86 hardware are much more flexible configuration-wise and have many more software packages and addons that can be easily installed compared to consumer routers. You can have plugins like nginx, RADIUS, WireGuard, Snort (as well as full power to run IDS/IPS at full speed), etc. For configuration, you have more control over multicast, ways to customize local DNS resolution, the full range of local hostname resolution settings, DNS failover, multi-WAN with the full ability to tune failover metrics, advanced routing rules using hostname aliases that periodically auto-update, advanced DHCP flags and DHCPv6/SLAAC settings, virtual IPs (a huge help when doing 0-downtime migrations between hardware or subnets), network bridges, GRE and LAGG, v6 router advertisements, and so so much more.

    If I had a consumer combo router there's a good chance I would not have VLANs, all my roommates would see each other's smart devices and it would be pretty annoying. I wouldn't be able to selectively route only traffic to google servers from only my laptop, phone, and chromecast through the same Germany VPN so that all the non-google traffic would be unVPNed, and I wouldn't be able to set multiple multi-WAN failover modes (let alone gateway groups to group failover WANs) so that for example one VLAN fails over from the fiber connection to the copper connection while our neighbors' connection fails over from the copper connection to the cable internet connection. I would have no ingress load balancer on my router handling incoming traffic to my homelab, and I would have to use extra media converters to get my SFP+ fiber connection to connect to a consumer router's 2.5G port (did we even have consumer routers with mgig 4 years ago? That's around when I got my fiber).

    None of this has to do with number of devices, but total capacity is a bonus of having nicer hardware than consumer crap. This wouldn't be a benefit to most people, which is why my main points are about configurability and flexibility with third party packages, but it is a benefit to me since I have 4 gig of total wan and a 10G link to my core switch. If any 2 of the 10 people in this apartment decide to download from steam at the same time, they will both get a full gig download with plenty of bandwidth left over for the other 7 people to be streaming or doing whatever. Again nothing to do with number of devices, more to do with how many simultaneous high-bandwidth uses you expect to coincide. Of course I could just have everyone share a single gig connection (or 1.2 gig which is currently the maximum residential plan you can get here), but then I would need to deal with traffic shaping / queues, another thing that opnsense coincidentally excels at, having way more traffic shaping options. You can even do traffic shaping on a per-destination basis - for example you could use an auto updating ASN alias to categorize traffic to steam or netflix, then dynamically apply different traffic shaping rules based on which user is accessing those services.

    TL;DR, consumer routers cannot come close to achieving a fraction of the configuration options that open router platforms have. While you might see benefits in capacity if you invest in a good uplink and high end APs (I have uap u6 pro which is "good for 350 devices", though really I bought for the higher single device performance and higher modulation rates and better mimo configuration), even people with slow internet and very few devices can benefit from the immense amount of configurability that these OSes provide - you're practically one step away from running a bare OS with open source packages installed and editing a slew of config files where you can use every obscure configuration option that any of these FOSS contributors ever put into these daemons. In fact many of the opnsense configuration pages have an advanced text box at the bottom where you can put in extra config directives in case the UI doesn't include a knob for something you need.

    It's great, 10/10 recommend opnsense or pfsense

  • I recently got an instant pot and gave my rice cooker back to my parents; the tough part was figuring out how to make it not stick if you don't have a nonstick liner. Letting it naturally release pressure with the keep warm off seems to do the trick for mine, I'm guessing quick release releases too much moisture, and the keep warm doesn't help either. With that I get good rice every time with no sticking.

  • If I understand correctly, every sync feature that requires the subscription (and cannot be purchased by a one time fee) requires the sync dev to run a constantly online server. Translation makes calls to translation services that cost money, push notifications require a push server since Lemmy servers don't include support for it, etc. Removing ads doesn't cost sync ongoing cash which is why you can get it for a one time fee.

    Seems reasonable to me.

  • Because then you get the best of both worlds, powerful routing hardware that can easily route and firewall at multi gig speeds, extreme flexibility in software packages to run on your open router platform, and a prosumer AP with best in class wifi performance, antenna configuration, mimo, solid chipset and driver, etc.

    Doing everything on a prosumer router running MIPS or ARM, with a limited package selection at best and a locked down router at worst, is subpar, just as trying to get good modulation rates with a client oriented wifi card running in AP mode with a subpar antenna configuration is.

    If you want the best wifi and the best routing/firewall/IDS with the widest package selection (and ability to just run any x86 application) then a separate router box running an x86 based OS like opnsense, pfsense, whatever, paired with a high end AP (a business AP is a good choice) will always be the way to go, unless you value compact, low power, or simplicity over achieving the best performance.

  • I love FOSS but I got pretty used to the official reddit app, and Sync is the only app that feels like if the reddit app wasn't buggy and laggy. The paid aspect doesn't bother me because I would have donated to whatever app I use anyway, at $5/mo the $20 one time ad removal option makes sense if I use it for more than 4 months so it's worth it to me.