
Meter hackers find free parking in San Francisco - abennett
http://www.itworld.com/hardware/73131/meter-hackers-find-free-parking-san-francisco
======
Locke1689
_To figure out how the payment system worked, Grand hooked up an oscilloscope
to a parking meter and monitored what happened when he used a genuine payment
card. He then analyzed that data by hand, and wrote a software program that
would emulate the smart card. After some trial and error, he finally figured
out what his program needed to say to the meter in order to work. Then he
built a card that would replay the same data, using a programmable smart card
called a Silver Card._

A replay attack? Someone hasn't figured out encryption yet...

~~~
jrockway
The cards that do crypto cost 0.05 cents more each. Think of the profit margin
erosion when you sell them for $5 each.

~~~
ars
Why do the cards have to do the encryption? Why can't the meter do it?

~~~
pcc
In a general smart card system, neither the card nor the reader it's inserted
into is supposed to trust the other, as either could be a fake.

Further, the mechanism used to establish the trust (e.g. challenge-response)
could be observed by a "man in the middle", so should be designed to resist
replay attacks.

Yet it's scary how easy it is to get this wrong -- e.g. some of the satellite
TV conditional access hacks came about as a result of random number generators
always yielding a predictable (short) sequence, facilitating a basic replay
attack without the hackers even realizing there was an otherwise-passable
challenge-response at work.

Even more scary, on a related note, not that long ago I witnessed the
implementation of a network security "protocol" for a rather prominent US
defense contractor, where the latter insisted that authentication was to be
achieved by encrypting an access password with AES256 using a static shared
secret, refusing to allow any type of challenge-based auth, and failing to see
any problem with always encrypting the same plaintext with the same key (which
obviously yields the same result on the wire every time, making it a breeze to
replay without needing any understanding of the underlying "encryption").
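
Added example (not part of the thread, and not code from any system mentioned in it): a Python sketch of the three designs pcc's comment contrasts, namely a static encrypted password, challenge-response with fresh nonces, and challenge-response whose "random" challenges repeat in a short cycle. HMAC-SHA256 stands in for the AES step as an assumption, and the key, password, class and function names are all constructed for illustration.

```python
import hashlib
import hmac
import itertools
import secrets

KEY = b"constructed-shared-secret"  # constructed sample values
PASSWORD = b"constructed-password"

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class StaticVerifier:
    # HMAC is an assumed stand-in for encrypting the same password under the
    # same key: deterministic, so the bytes on the wire never change.
    def __init__(self, key, password):
        self.expected = mac(key, password)
    def verify(self, token):
        return hmac.compare_digest(token, self.expected)

class ChallengeVerifier:
    # Issues a nonce and accepts HMAC(key, nonce) once per issued nonce.
    def __init__(self, key, nonce_source=lambda: secrets.token_bytes(16)):
        self.key, self.nonce_source, self.pending = key, nonce_source, None
    def challenge(self):
        self.pending = self.nonce_source()
        return self.pending
    def verify(self, response):
        nonce, self.pending = self.pending, None  # a challenge is single use
        return nonce is not None and hmac.compare_digest(response, mac(self.key, nonce))

def replay_accepted(verifier, recorded, attempts):
    for _ in range(attempts):  # present the same recorded bytes in new sessions
        if hasattr(verifier, "challenge"):
            verifier.challenge()
        if verifier.verify(recorded):
            return True
    return False

def run_demo():
    cycle = itertools.cycle([b"\x01" * 16, b"\x02" * 16])  # short, repeating "RNG"
    verifiers = {"static": StaticVerifier(KEY, PASSWORD),
                 "fresh": ChallengeVerifier(KEY),
                 "weak_rng": ChallengeVerifier(KEY, lambda: next(cycle))}
    results = {}
    for name, v in verifiers.items():
        recorded = mac(KEY, v.challenge() if hasattr(v, "challenge") else PASSWORD)
        assert v.verify(recorded)  # the legitimate login an observer records
        results[name] = replay_accepted(v, recorded, attempts=4)
    return results
```

`run_demo()` reports, per design, whether a message recorded from one legitimate login is accepted again; only the verifier drawing nonces from `secrets` rejects it.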

------
felipe
For a moment I thought the title said "available parking" instead of "free
parking". Now _that_ would be a great hack!

------
RobGR
I attended a talk by Chris Tarnovsky at last year's Defcon. It was the best
talk I went to, and the main reason why I resolved to go back to Defcon --
unfortunately I won't be able to attend this year, but if anyone from here is
going, I advise you not to miss his presentation.

------
clistctrl
I noticed this about the meters in Davis Square, I've been contemplating if it
was possible...

------
edw519
We are "hackers" who build things for others.

They are "hackers" who take from others.

We are to be encouraged and admired.

They are to be caught and punished.

We do the right thing no matter how hard it is.

They do the easy thing no matter how wrong it is.

We love turning nothing into something.

They love turning something into nothing.

We get a rush when we see something appear for the first time ever.

They get a rush when they see the same thing disappear again.

We will persevere no matter what it takes.

They will quit when no one notices anymore.

We will leave our mark.

They will take someone else's mark away.

Don't confuse us with them.

~~~
tptacek
A strange response from a very smart person to a rather impressive
technological achievement.

~~~
edw519
My response was not to the technological achievement, but to the ethics of it.
I am always unimpressed with doing wrong things, no matter how impressed
others are.

Many people here at hn are capable of impressive cracking, but choose not to
even go that way. I'm sure there are systems out there I could crack if I
tried, probably quite a few for financial gain. But I dare not go there.
That's one cherry that will never be popped.

Say what you will about the technical merits of individual feats, but I'm much
more impressed with someone who tackles the problems of other people and goes
to work every day building something of use rather than shooting fish in a
barrel, which much cracking is.

I stand by every single word I wrote. In fact, it's one of my favorite posts.
Since crackers often do what they do to impress their peers, perhaps we should
all just be unimpressed so that they can channel their energy into something
more useful.

I didn't know what to expect when I made that post, but I have to say I'm
disappointed. Why am I so often the only responder who has a sense of right
and wrong?

Thanks Thomas, for providing me an opportunity to explain with the only reply
that was suitable.

~~~
tptacek
Sometime in the next N*10 years I'm going to end up in the same city as you,
buy you a drink, and by the time you finish that drink you will have conceded
that what Joe and Jacob did was praiseworthy and impressive. Doubt me? Raise
the stakes: I'll bet you $100.

~~~
edw519
You're on. Hopefully WITH city = "Mountain View" && N = 1.

Warning: I'm "ethically" required to disclose that I'll be ordering a double
Goldschlager top shelf Long Island Iced Tea, so I won't mind losing that bet
:-)

~~~
rms
My money's on tptacek.

