This happened while I was on vacation, so by now it is rather old news. That won’t stop me from sounding off about it, though.

A couple of weeks ago, now, there was a national news story about a group of MIT students who “hacked the subway system” in Boston. Basically they took a hard look at the electronic “smart” cards (where the word “smart” is defined very loosely) that the Boston transit system uses in lieu of old-fashioned subway tokens. Smart students that they are, they found several ways to tamper with the cards so that one could get through the turnstiles without paying a fare. They wrote a report on their work and wanted to present that report at a computer-security conference. They never got a chance to do that, because the Massachusetts Bay Transit Authority (MBTA) sued for an injunction to stop them publicizing their results.

Let’s be clear about what these students did. They figured out how to tamper with the “smart” cards to get through the subway turnstiles for free. The MBTA alleged, in their legal filings, that this “constitutes a threat to public health or safety.”

Nonsense. The only security threat it constitutes is to the MBTA’s revenue stream. Not only are the MBTA’s attorneys lying through their teeth: they’re crying wolf.

The MBTA’s approach to this situation is wrong in so many ways. First and foremost, I don’t see how these electronic cards are any improvement over the token system that existed until about two years ago. Tokens have the advantage that they can’t be hacked, and also the significant advantage that the token system was already installed and paid for. Second, if the MBTA wanted for some unknown reason to spend millions to “upgrade” to an electronic card-reading system, they could have done it competently. Perhaps even hired consultants (or even a team of MIT students) to look for security holes before they paid all that money to install it. Third, they could have tried politely asking the students to postpone their talk before slapping them with a lawsuit and threatening them with an FBI criminal probe. Fourth, they could have tried to actually fix their mistakes instead of attacking the students who exposed their incompetence. Instead, they chose to act belligerently (trampling the First Amendment in the process) and got the opposite of their desired result: instead of being presented at a routine computer conference, the vulnerabilities of the card-reading system are all over the national headlines. Nice move.

The underlying problem here is that the MBTA didn’t think carefully about the system before they installed it. No doubt they were sold a rosy story by the computer manufacturer; but I still blame the MBTA. They didn’t scrutinize that story. They simply believed, as many companies and government agencies believe, that new computer systems would be some kind of magical cure-all. I work with complex computer systems all day (well, every work day at least) and take it from me: there ain’t no such thing as a free lunch. Installing a computerized system doesn’t make problems magically disappear: indeed, if done badly, it creates whole new families of problems.

We face a similar problem with electronic voting machines. Governments clamored and rushed to get new machines after the debacle of the 2000 Florida election, and crooked manufacturers rushed out shoddy machines to meet the sudden demand. No one (at least, no one who was considered worth listening to) stopped to ask why a new voting machine had to be an electronic machine, or whether there may have been a lower-cost way to solve the original problems of butterfly ballots and hanging chad. Computer experts warned that electronic voting machines could be vulnerable to error and fraud, but did the state election commissions listen to the experts? Or did they prefer to just enjoy a lot of fancy expense-account dinners and then sign on the dotted line?

Our society uses computers for practically everything. Therefore, computer security affects practically everything. I don’t expect our government officials to understand computer security in any detail, but I do think it’s reasonable to demand they acknowledge the subject exists. We wouldn’t stand for the state government hiring an architect for a new bridge without having independent experts inspect the plans. We shouldn’t stand for them spending millions on new computer systems without expert advice, either. To paraphrase my favorite NRA bumper sticker, if computer security is only considered by the experts, then only the experts will have secure computers.