From mboxrd@z Thu Jan  1 00:00:00 1970
From: tytso@mit.edu (Theodore Ts'o)
Date: Mon, 5 Feb 2018 23:58:22 -0500
Subject: [TUHS] Happy birthday, Ken Thompson!
In-Reply-To: <CAEoi9W7pnAVRyVt9+wSLXWzR+2ZviZk26vqedEUDUjROJ0rEgQ@mail.gmail.com>
References: <alpine.BSF.2.21.1802040755530.50080@aneurin.horsfall.org>
 <184378368.23385.1517692373907.JavaMail.tomcat@india-live-be03>
 <CALMnNGgKPC4UM8tzxmCSRv1=FRLx1-cWY4GOFB6qDa6Qosd7CA@mail.gmail.com>
 <alpine.DEB.2.11.1802051312090.30577@grey.csi.cam.ac.uk>
 <CALMnNGi8QBMS2AhCLgA-vuY=R_fFObh2J1yHVRfxy_8erJXcfA@mail.gmail.com>
 <alpine.BSF.2.21.1802060941020.50080@aneurin.horsfall.org>
 <CAEoi9W7pnAVRyVt9+wSLXWzR+2ZviZk26vqedEUDUjROJ0rEgQ@mail.gmail.com>
Message-ID: <20180206045822.GA17801@thunk.org>

On Mon, Feb 05, 2018 at 05:54:57PM -0500, Dan Cross wrote:
> Speaking of things like that...This just landed in my inbox:
> 
> http://www.mymtaalerts.com/m?78F2F
> 
> The metrocard vending machines in the NYC subway are little PCs. I could
> swear I've seen either an OS/2, Windows, or Linux startup sequence on one
> or more of them before (maybe all three).
> Anyway, what do you want to bet that the MTA is making people go around
> with media and manually install updates for Spectre/Meltdown across the
> transit system?

No bet.  How much do you want to bet the MTA isn't bothering to update
gazillions of *other* already published and known security holes that
were zero days years ago?  Holes that are probably *Way* easier to
exploit than those using Spectre/Meltdown?

If it's anything like the MBTA in Massachusetts their security is
limited to trying to sue graduate students[1] in an attempt to impose
prior restraint on their research (and including the presentation[2]
as an exhibit on the lawsuit and letting it be published on the
court's website for all to see?).

[1] https://en.wikipedia.org/wiki/Massachusetts_Bay_Transportation_Authority_v._Anderson
[2] http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

						- Ted