Without a Traceroute

Time to live.


Cyberstalk me

June 27th, 2009 · 3 Comments · Brazil, Chile, Hacker culture

The last week has been pretty cool. There turned out to be enough space, so I did get a chance to attend most of the presentations at the You Shot the Sheriff conference. It was at an Australia/New Zealand-themed bar, which was slightly random. But they had a really delicious catered lunch of crepes, and a pretty extensive open bar. So props for the venue choice. I’ll try to write about some of my favorite presentations later. There were a lot of interesting people in attendance, from both Americas. The crowd did tend toward white-hat/IT security professional types—“we’re the sellout hackers,” one guy told me—rather than more underground people. I discovered one way you can tell when a hacker’s going mainstream: they tuck their t-shirts in. Although, I did meet a guy who started one of the first e-zines about the hacker scene in Brazil back in the early 1990s. There was even an American representative from Microsoft’s Security Response Team at the conference. He seemed pleasantly indulgent about the fact that everyone else in attendance spent all their time breaking his software.

Tuesday, there was an afterparty at a Cuban bar, with a similar open bar. Wednesday, I went out for drinks with the conference organizers, and I recorded a brief interview I’ll try to type up later. Thursday, I got drinks (again) with a really cool Brazilian hacker/security researcher guy. So basically, my liver probably hates me (I took Friday night off), but I’ve been having an awesome time.

Why the down under decor?

I’ve done kind of a poor job of writing about things as they happened, so there’s a bunch of stuff in Chile that I should try to go back and cover. Apologies if that makes this kind of hard to follow. One cool thing a Chilean hacker showed me is actually less of a hack, and more of just a “why would they make it like that?” security failure.

Unlike Buenos Aires, where every bus line is a separate company competing against each other and fighting tooth-and-nail against a unified payment system, Santiago has a very convenient contactless smartcard system (called the “bip!”—“beep!” in Spanish—card) for both buses and metro lines. However, for reasons that are totally beyond me, the Santiago transit system has decided to make all the information about the movements of anyone using their bip card accessible to anyone who cares to see it.

If you go to this website, and then click on “Saldo y Movimientos” you can enter my bip card number (08969210) in the field for “Ingrese su Nº Tarjeta bip!”, choose to see the last 90 days, and click “Aceptar” to see every place that I added money to the card or took a bus or metro during my time in Santiago.

To be fair, I paid cash for the card, so my bip number isn’t actually personally identifying information (or it wasn’t until I wrote this blog post, anyway). But for university students in Santiago, their student ID card doubles as a bip pass, and that student ID number IS personally identifiable. Plus, I’m sure many people pay for their bip card with a credit card, or tie their bip card to a credit account so it will automatically debit to recharge.

Furthermore, if you really just wanted to creep on a random stranger, the bip card number is printed on the receipt you get for adding value to the card. As you’d expect, most of these receipts are immediately abandoned in garbage cans or on the floor of the metro station. It would be trivial to retrieve one and then monitor that person’s movement.

I don’t have any objection to a city transit agency tracking its ridership, especially when done in a way that’s more-or-less anonymous. Obviously, it helps them to see which lines are busy, where they need to add buses, trains, and so forth. What I don’t understand is why they decided to make this information available the way they do.

What could the possible advantage to riders be? I guess it might theoretically be convenient to check the balance on your card from the internet. But surely you already know the places you’ve gone, right? Making that data accessible to the public with no authentication is only a minor security vulnerability, but it’s also a completely unnecessary one.
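To make the design difference concrete, here is an added sketch (not code from the transit operator or from the original post) of the lookup as described above next to a version that releases movement history only to the logged-in owner of a registered card. The card record, the user names, the owner registration step and the session token format are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the card number, owner and stops are made up.
CARDS = {
    "00000001": {"balance": 1350, "owner": "alice",
                 "movements": [("2009-06-01 08:14", "Metro, station A"),
                               ("2009-06-01 18:40", "Bus, route B")]},
}
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret used to sign sessions


def lookup_open(card_number):
    """Design described in the post: the card number alone unlocks everything."""
    card = CARDS.get(card_number)
    if card is None:
        return None
    return {"balance": card["balance"], "movements": card["movements"]}


def _sign(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_session(user):
    """Hypothetical helper, called after a real login (not modelled here)."""
    return f"{user}.{_sign(user)}"


def session_user(token):
    """Return the user name if the token's signature verifies, else None."""
    user, _, tag = (token or "").partition(".")
    ok = hmac.compare_digest(tag.encode(), _sign(user).encode())
    return user if ok else None


def lookup_restricted(card_number, token=None):
    """Movement history only for the authenticated owner of the card."""
    card = CARDS.get(card_number)
    user = session_user(token)
    if card is None or user is None or user != card["owner"]:
        return None  # same answer for unknown card, no login, wrong owner
    return {"balance": card["balance"], "movements": card["movements"]}
```

With the restricted form, a number copied from a discarded receipt is no longer enough on its own, because the number is treated as an identifier rather than as a credential.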


3 Comments so far ↓

  • Steve

    So was Buenos Aires’ bus system inspired by LA’s or vice versa?

    ~Steve

  • Steve

    Also, I’ve been out of the loop on local Chicago news lately, but I seem to remember a recent controversy about similarly tracking people through U-Passes and Chicago Cards… as in, the CTA was planning to do this sort of thing and there were protests against it. I’m not sure what became of that controversy…

    ~Steve

  • Danny

    Wow, wish I’d known about that when I was living there… I think I still have my old bip card around someplace…
