It’s hard for me to characterize the MBTA’s most recent insanity: Are they in denial about their security problems? Or are they so disconnected from reality that they think they can hide their security problems? Let’s explore the question.
First, a review of recent events: Three MIT students study the MBTA’s security and prepare a presentation for DEFCON 16. (Their advisor is Professor Ron Rivest, the “R” in RSA.) Dr. Rivest contacts the MBTA about the research. The students, the professor, and the MBTA have a meeting. Later that week the MBTA seeks an injunction in federal court to prevent them from delivering the presentation. The injunction is granted and the presentation is canceled. The presentation is filed as a part of the request for injunction, making it a public record. The presentation had also already been distributed on a disc to all of the DEFCON attendees. The article is readily available on MIT’s student newspaper website, The Tech.
Did you click the article? You should. It’s a big file, almost 5 megs, but it’s chock full of great pictures and clear explanations.
So, let’s review option 1, that the MBTA is in denial that there are security problems:
- Do you think MBTA General Manager Dan Grabauskas believes his own words when he says that he’s “confident” that the claims will be “dismissed or dealt with”? I’m assuming he looked at the same presentation I just did. He really thinks the claims can be dismissed? It seems to me that he’s spouting a line of bull, and the people who can contradict him have an injunction preventing them from proving him wrong.
- Did he see the same pictures that I did of open locks, exposed fiber cables, empty surveillance rooms, and unprotected keys?
- Maybe the MBTA is confused by that presentation. Maybe they just don’t understand how data is encoded in magnetic stripes.
And option two, that the MBTA thought they could simply hide the problems?
- They sought the injunction, right? That argues that they thought they could hide the information. But if they’re trying to hide information, why did they file the information themselves as a public document? (ABC News: “But, not only had the presentation already been distributed at the Defcon convention, it was entered into public record when the MBTA filed its complaint.”) It doesn’t add up.
- Maybe they thought that the injunction wouldn’t get any attention. It’s possible, I guess. But is the MBTA’s PR department that clueless? That’s a reach, even for Lydia Rivera.
I guess there is always option three, which is just incompetence. There’s an argument to be made here.
- MBTA couldn’t even get the timeline right in its press release.
- Past history: Two items just from my blog.
- The aforementioned open locks, exposed fiber cables, empty surveillance rooms, and unprotected keys.
It doesn’t really matter which explanation is the right one. The presentation speaks for itself. The MBTA is a security disaster.
A final note: As a former editor of The Tech, I’m proud of their role in this. Good for them for publishing the research.
“The MBTA’s general manager gave a 9 percent raise to 240 executive employees this week after warning just a week ago that a financial crisis could spur a significant fare increase in 2010.” Boston Globe, 16 August 2008.