From mboxrd@z Thu Jan  1 00:00:00 1970
From: gregg.drwho8@gmail.com (Gregg Levine)
Date: Tue, 6 Feb 2018 00:05:16 -0500
Subject: [TUHS] Happy birthday, Ken Thompson!
In-Reply-To: <20180206045822.GA17801@thunk.org>
References: <alpine.BSF.2.21.1802040755530.50080@aneurin.horsfall.org>
 <184378368.23385.1517692373907.JavaMail.tomcat@india-live-be03>
 <CALMnNGgKPC4UM8tzxmCSRv1=FRLx1-cWY4GOFB6qDa6Qosd7CA@mail.gmail.com>
 <alpine.DEB.2.11.1802051312090.30577@grey.csi.cam.ac.uk>
 <CALMnNGi8QBMS2AhCLgA-vuY=R_fFObh2J1yHVRfxy_8erJXcfA@mail.gmail.com>
 <alpine.BSF.2.21.1802060941020.50080@aneurin.horsfall.org>
 <CAEoi9W7pnAVRyVt9+wSLXWzR+2ZviZk26vqedEUDUjROJ0rEgQ@mail.gmail.com>
 <20180206045822.GA17801@thunk.org>
Message-ID: <CAC5iaNGrsoVF3me0R9NB0A1nUyW9mD=DGuW_6UshcrCK72jMfw@mail.gmail.com>

Hello!
In NYC the machines who sell MTA  transit cards and refill them are
running Windows Embedded. And not the most up to date version. I've
watched them cause the classic BSOD more then once, and sometimes
worse.

The actual hardware that's delivers the cards and the single use ones
are running something else, and appear to be VME based. The whole
thing is a revolting kludge that's asking for trouble.

Oh and Dan Cross? Thank you for your service to this country, again and again.
-----
Gregg C Levine gregg.drwho8 at gmail.com
"This signature fought the Time Wars, time and again."


On Mon, Feb 5, 2018 at 11:58 PM, Theodore Ts'o <tytso at mit.edu> wrote:
> On Mon, Feb 05, 2018 at 05:54:57PM -0500, Dan Cross wrote:
>> Speaking of things like that...This just landed in my inbox:
>>
>> http://www.mymtaalerts.com/m?78F2F
>>
>> The metrocard vending machines in the NYC subway are little PCs. I could
>> swear I've seen either an OS/2, Windows, or Linux startup sequence on one
>> or more of them before (maybe all three).
>> Anyway, what do you want to bet that the MTA is making people go around
>> with media and manually install updates for Spectre/Meltdown across the
>> transit system?
>
> No bet.  How much do you want to bet the MTA isn't bothering to update
> gazillions of *other* already published and known security holes that
> were zero days years ago?  Holes that are probably *Way* easier to
> exploit than those using Spectre/Meltdown?
>
> If it's anything like the MBTA in Massachusetts their security is
> limited to trying to sue graduate students[1] in an attempt to impose
> prior restraint on their research (and including the presentation[2]
> as an exhibit on the lawsuit and letting it be published on the
> court's website for all to see?).
>
> [1] https://en.wikipedia.org/wiki/Massachusetts_Bay_Transportation_Authority_v._Anderson
> [2] http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
>
>                                                 - Ted