
NYTransitWoe

Posts posted by NYTransitWoe

  1. On 1/18/2019 at 12:43 PM, itmaybeokay said:

    The complete fare collection system, inclusive of the MVMs, is already slated for replacement.

    It's flatly incorrect that a physically old machine is inherently less secure. Most vulnerabilities are in software. Hardware vulnerabilities are fairly rare, and generally difficult to exploit. One could even make the argument that these older machines are more secure because they are too old to fall victim to the Spectre or Meltdown vulnerabilities. 

    Yes, outdated operating systems are generally completely insecure. But also, yes, the software on the MVMs has been updated. 

    Besides, hardware that you'd consider outdated already handles roughly 80% of credit card transactions and probably 90% of ATM swipes. So entrenched are the aged systems that the problem is actually finding developers who can write COBOL. 

    https://www.reuters.com/article/us-usa-banks-cobol/banks-scramble-to-fix-old-systems-as-it-cowboys-ride-into-sunset-idUSKBN17C0D8

    A choice quote:

     

    So there you go. Decidedly more outdated equipment performing mission critical functions at the peaks of the economic food chain, and the core problem isn't the machines, isn't the security - it's finding developers who know COBOL. 

    But, again. It doesn't matter - the machines, and the whole fare payment system, are already slated for replacement. There's just no cybersecurity emergency requiring it be at the top of the list. The crisis just does not exist.

    As you were. 

     

    The lack of expertise in old tech is in itself a security risk. If a system needs maintenance and you have to spend extra time finding the person to do the job, that is the time you are exposing your system's vulnerabilities. And I don't need to mention to you the number of times banks and credit agencies have been hacked over the years. And to your point about software being vulnerable instead of hardware, old hardware usually runs old software, because newer software often has system requirements that demand newer hardware. So in short, again, your statement of "aged hardware <> insecure" may be true in the rawest sense, but for all practical purposes everybody knows that's not true.

    But if you get NEW hardware to run old software, that's different. My company is in such a position. Our mission-critical software was written for an ancient OS called PICK system from the 80s, with no modern security whatsoever. But IBM made a Windows software called "Universe" that happens to support PICK system. So we bought a modern Windows server PC with all the modern security, run "Universe" on it, and it in turn runs the ancient software that we use to this day. Our software, which had no security, now requires Windows authentication to run. We are happy to not only be able to continue using the software, but also have better security as well.

  2. 17 hours ago, itmaybeokay said:

    I didn't say the machines shouldn't be replaced. They should be, and they are being replaced as I noted. I just said that the age of the physical hardware is not an indication of its security. The age of the physical machine is not an attack vector. Literally the only attack vector you reasonably have on an MVM would be if you could somehow maliciously craft a magnetic card to overflow a buffer and deploy a malicious payload. You have 97 bytes to work with. Godspeed. 

    It is not just the aged computer, but anything networked to it could be vulnerable. There may not even need to be networking involved. Any activities, offline or on, networked or not, that have some relation with the aged equipment, not necessarily technical activities, could cause problems that would ultimately affect security. So for all practical purposes (at least in private businesses that I'm in; maybe government agencies are different), age IS a concern for security. In short, you put outdated equipment in any environment that has at least some relation to the mission-critical functions in that environment, you have a problem. And that problem may affect security. Sure, if you have the technical expertise to make an old computer secure, you can do that. But nobody is going to do that for all practical purposes.

  3. 24 minutes ago, itmaybeokay said:

    Yes, they have upgraded the software on the machines. It's a little more than an off-the-shelf computer in there. Note the reference to FPGA on that BIOS screen. That means there's a custom chip involved somewhere. 

    As it happens, they're in the process of replacing the MetroCard with a whole contactless solution - whether that is good or bad remains to be seen but yeah, they're changing the whole fare collection system, let alone the MVMs. 

     

    But no - just because a machine is physically old doesn't inherently make it insecure. Give me any computer ever made and I'll make it the most secure known to mankind. 

    Just unplug it and encase it in concrete. Problem solved. Oh, you want it to work, too? 

    MVMs aren't connected to the internet and they're about as physically restrictive to intrusion as an ATM so I think you're fine. If you're worried about the security of your credit card information, make sure there's not a skimmer over the card reader and check your statements carefully. More likely you got skimmed at a restaurant than anything else. 

    But keeping old hardware is just a bad idea in general because tech support and maintenance become harder and more expensive as the hardware ages. Of course you can fix anything and make anything secure, but sometimes it is cheaper to just buy new hardware than fix old ones. E.g. I could replace the broken ISA sound card on my 90s PC, or I could just upgrade to newer tech. It's always best to quit on a technology at the right time than to have an outdated technology quit on you at the most inopportune time. So I think this is just another case of MTA keeping their equipment way past its shelf life, just like its 1930-era switching system.

  4. This photo was taken in the 42nd St Times Square Station. It shows a really old computer's start-up screen. Those who used PCs in the 90s should recognize this. The screen even says "American Megatrends 1997" on top. I saw this yesterday and it was still here this morning. I remember these vending machines were first used in the 90s. That means the computer inside this vending machine came from the 90s and has probably never been upgraded all this time, which is rather disturbing to say the least. We have been putting our credit card info into a 20-year-old computer that has probably very little E-security to speak of. I hope they are in the process of finally upgrading these computers, which may explain the boot-up screen.

     

     
