On Mon, Feb 05, 2018 at 05:54:57PM -0500, Dan Cross wrote:
> Speaking of things like that... This just landed in my
> inbox:
>
> http://www.mymtaalerts.com/m?78F2F
>
> The metrocard vending machines in the NYC subway are little PCs. I could
> swear I've seen either an OS/2, Windows, or Linux startup sequence on one
> or more of them before (maybe all three).
>
> Anyway, what do you want to bet that the MTA is making people go around
> with media and manually install updates for Spectre/Meltdown across the
> transit system?

No bet. How much do you want to bet the MTA isn't bothering to update
gazillions of *other* already published and known security holes that
were zero days years ago? Holes that are probably *Way* easier to
exploit than those using Spectre/Meltdown?
If it's anything like the MBTA in Massachusetts their security is
limited to trying to sue graduate students[1] in an attempt to impose
prior restraint on their research (and including the presentation[2]
as an exhibit on the lawsuit and letting it be published on the
court's website for all to see?).
[1] https://en.wikipedia.org/wiki/Massachusetts_Bay_Transportation_Authority_v.…
[2] http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
- Ted