
Curiouser and Curiouser


I am a hacker and you are afraid and that makes you more dangerous than I ever could be.

Metrocard Presentation at Beyond Hope [ftp: real audio]
Topic: Technology 9:51 pm EDT, Jul 18, 2004

In light of the Memestream hacker... [looks at Decius] er... security personnel outing to NYC last week, I have been quite interested in the Metrocard. Here is a talk from Beyond Hope about it.


One Hand Clapping: Criticism of Annie Jacobson's story
Topic: Miscellaneous 5:27 pm EDT, Jul 18, 2004

] One of the things I learned in the years I have spent in
] law enforcement at both the federal and local level is
] that witnesses of traumatic events relate few details.
] When people are frightened or otherwise psychologically
] shocked, their minds don't record movies, but snapshots,
] and not many of them, either.
] Annie's story has a wealth of detail, so much that I find
] myself disbelieving that she could have been as afraid as
] she says she was.


Stripe Snoop 1.3 Released
Topic: Miscellaneous 1:38 pm EDT, Jul 17, 2004

Here's the changelog. Lots of options for people without a Magstripe reader, even on Macs and Suns!

Version 1.3 (7-17-2004)

- Added Raw mode (-r) to display the raw binary on a track.
- Now parsing command line options with getopt-like code.
- Windows/ directory added with Project and Workspace files
to make Windows development easier.
- Makefile added to make Linux/DOS development easier.
- Hardware plans and documents have been added to a directory
called "hardware"
- Added Input Mode (-i) where a bitstream of 1's and 0's from
stdin is passed through the parsing engine. Allows for card
research to be done without a card reader!
- Issuing Bank Names are reported based on CC Prefix.
- bitgen, a command line tool to generate valid Track 2
bitstreams, was added. Used with Input Mode, it allows for
meaningful functionality for users without reader hardware.
- DOS support has been dropped (briefly) while I find a better
compiler than Turbo C++ 1.01 to use. Getting the STL to work
in these older compilers really sucks! It will return.
- mod10 tool has been added. Will validate credit card numbers
using the Luhn algorithm, and will generate valid numbers
from a prefix. Used with bitgen to create valid bitstreams
for Stripe Snoop users without hardware readers.

Cards Added

Georgia Institute of Technology Buzzcard (Insecure)
Georgia Institute of Technology Buzzcard (Secure)
American Automobile Association Membership Card
Kroger Plus Card

Get it here:

RE: The Fifth HOPE Artwork
Topic: Technology 10:10 pm EDT, Jul 16, 2004



Terror in the Skies, Again? - WomensWallStreet ***1/2 Gold Star***
Topic: Current Events 7:47 pm EDT, Jul 16, 2004

] On June 29, 2004, at 12:28 p.m., I flew on Northwest
] Airlines flight #327 from Detroit to Los Angeles with my
] husband and our young son. Also on our flight were 14
] Middle Eastern men between the ages of approximately 20
] and 50 years old. What I experienced during that flight
] has caused me to question whether the United States of
] America can realistically uphold the civil liberties of
] every individual, even non-citizens, and protect its
] citizens from terrorist threats.

I'm always extra observant these days when I get on a plane. I size people up. I assess them. I've never seen anything that ended up bothering me. This person did. This is your worst nightmare airplane story.

By Jeremy's Gold Star system I'm giving this story a 1/2 gold star. This is simply the scariest thing I've read in 3 years. Don't read this if you're not prepared. It's fucked up.

It's also important. You're reading about this because of the blogosphere. I imagine that this will get wide coverage online and the mainstream press will pick it up, like the Trent Lott thing. If this is what it claims to be it's as important as a successful attack. People need and want to know that things like this are going down. DHS and the airline industry would rather they didn't, for various reasons, not all of which are bad ones.

Is it what it claims to be? That's primarily the reason why it will be important. It's impossible to know how accurate this account is until someone from the Government actually makes a statement on it. That won't happen until a large number of people are talking about it.

This story is also seriously flawed, hence the 1/2 star. Once the facts are presented, the not so facts are presented. Ann Coulter is quoted. The lack of racial profiling is questioned. Unfortunately the fact that those ideas are tagged onto this information will cloud the value of it. People on the left will think twice about blogging it or considering it. People on the right will be drawn into its conclusions by its information.

The fact is that it's properly called Islamic Extremism, not Arab Extremism, and there is a very good reason for that, only part of which is the fact that not all Arabs are Muslim. The critical issue from a security standpoint is that if you focus all your investigative efforts on Arabs you will find an airplane full of guys from the Sudan rammed right up your ass, and you cannot tell the difference between guys from the Sudan and guys from Atlanta based on what they look like.

Those that argue for a crackdown on Arabs are not just racist, they're stupid. And not only because they're missing part of the puzzle, but also because what's good for the goose is good for the gander, and they never seem to consider that, even in the context of bombings by radical fundamentalist Christians.

This does not imply that 15 Arabs on a plane acting sketchy as all hell is not something you ought to investigate. Clearly, in this case, if the story is true, it was investigated. To what end, who knows. I seriously doubt that if there was something substantive going on here that the agents would have just let these guys go and forgotten about it. I also seriously doubt that they would have let this woman know what they did when she called. But it's irrelevant.

Assuming this information is accurate, I'll say I no longer find jokes about DHS's alert system so funny.

(Of course, it's worth reading this from the other direction. Maybe it was just a group of guys from Detroit rolling down to do a show. Lots of Middle Eastern people in Detroit. Maybe they had a lot to drink and all needed to hit the bathroom. Maybe they wanted to chat in the hallways because they weren't sitting near each other. But there was enough going on here to spook the security forces. Her fears were not totally unreasonable.)


Using Stripe Snoop without a Reader.
Topic: Miscellaneous 7:35 pm EDT, Jul 15, 2004

I imagine a lot more people would use Stripe Snoop, except they have to buy and assemble some equipment. Well no more! Now Mac/Sun/SGI/HP users can run Stripe Snoop. See this entry from the Stripe Snoop FAQ:

Q: Do I need a hardware interface to use Stripe Snoop?

A: NO! Stripe Snoop plans to be the definitive program for researching and labeling magstripe data. Because of this, a new Input Mode has been added. This allows for a bitstream to be entered on the keyboard (stdin) to be parsed, decoded, and analyzed as if it came in from the hardware reader. Raw Mode has been added so that people who have a reader can output the raw bitstream to a file. This allows for easy sharing of card info without everyone needing a card reader, and a copy of that card.

Both Raw and Input Mode are not in the current release of Stripe Snoop, 1.2. They are, however, available in the CVS code.
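What Input Mode and the changelog's mod10 entry describe, as an added example that is not Stripe Snoop's own code: decoding a typed bitstream of 1's and 0's as Track 2 data and Luhn-checking the account number. It assumes standard ISO 7811 Track 2 encoding (4 data bits LSB first plus an odd parity bit, `;` and `?` sentinels, a trailing LRC character); the function names are hypothetical and the sample bitstream is constructed from the common test number 4111111111111111.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>

// Decode ISO 7811 Track 2 bits; throws on a parity or LRC failure.
std::string decode_track2(const std::string& bits) {
    auto pos = bits.find("11010");  // start sentinel ';' after the leading zeros
    if (pos == std::string::npos) throw std::runtime_error("no start sentinel");
    std::string out;
    int lrc = 0;
    bool ended = false;
    for (; pos + 5 <= bits.size(); pos += 5) {
        int value = 0, ones = 0;
        for (int i = 0; i < 5; ++i)
            if (bits[pos + i] == '1') { ++ones; if (i < 4) value |= 1 << i; }
        if (ones % 2 == 0) throw std::runtime_error("parity error");
        if (ended && value != lrc) throw std::runtime_error("LRC mismatch");
        if (ended) return out;                  // character after '?' was the LRC
        lrc ^= value;                           // LRC covers both sentinels
        out += static_cast<char>('0' + value);  // 0x0..0xF map to '0'..'?'
        ended = (value == 0xF);                 // '?' end sentinel
    }
    throw std::runtime_error("truncated track");
}

// Primary account number: the digits between ';' and the '=' separator.
std::string track2_pan(const std::string& track) {
    auto sep = track.find('=');
    return sep == std::string::npos ? "" : track.substr(1, sep - 1);
}

// Luhn (mod 10) check: double every second digit counting from the right.
bool luhn_valid(const std::string& pan) {
    int sum = 0;
    bool dbl = false;
    for (auto i = pan.size(); i-- > 0; dbl = !dbl) {
        if (pan[i] < '0' || pan[i] > '9') return false;
        int d = (pan[i] - '0') * (dbl ? 2 : 1);
        sum += d > 9 ? d - 9 : d;
    }
    return !pan.empty() && sum % 10 == 0;
}

// Constructed sample: zeros, ";4111111111111111=?" (test number), LRC, zeros.
std::string sample_bits() {
    std::string s = "0000000" "11010" "00100";
    for (int i = 0; i < 15; ++i) s += "10000";
    return s + "10110" "11111" "00111" "0000";
}

int main() { std::cout << decode_track2(sample_bits()) << "\n"; }
```

The parity and LRC checks are what separate a clean read from a bad swipe, and the search for the start sentinel is what tolerates a variable number of leading zeros.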

Update: The web view of the CVS doesn't show the updated code. You need to anonymously download the cvs tree using the following instructions:

1984 Comic Demo
Topic: Technology 1:27 pm EDT, Jul 15, 2004

] This demo is the first peek of the comic book adaptation
] of George Orwell's Nineteen Eighty-four. As you will
] see, it's still in the penciling stage. Inking and
] colors (sort of) are yet to come

Hackers have HOPE
Topic: Miscellaneous 12:37 pm EDT, Jul 15, 2004

] "If you're 15 and angry at your dad, you want to go and
] break something. But the biggest part of hacking is
] creation," notes "Acidus," a speaker at a Friday panel on
] intellectual property and technology.

Sorry Abaddon! This wasn't exactly what I said, but close.

The line that got me the biggest applause was "Do you think Marconi and Tesla could have built the radio if the telegraph was a little black box you couldn't open? We are selling out our future inventors and innovators for the short-term profits of the RIAA."

Metrocard hacking
Topic: Technology 12:59 pm EDT, Jul 14, 2004

I'm modifying some of my code to deal with the non-standard it uses. Data is on track 2, but I'm not yet sure how to read it.

The code in CVS for Stripe Snoop now supports Raw mode with a "-r". All this information was collected with it.

Here is what I have looking at some 1 single ride cards.

On the back of the card is a date (all are issued 7/11/2004), a time, and a number. Based on different single ride cards I have, I believe this number is a station id. (for these cards, all are 1445, but I have others, like 1439 and 0122).

Some of this data looks very similar or is the same. This is only track 2. Most likely, the rest of the data is stored on Track 3, the read/write track. Also, the number of leading, trailing zeros can be random. It does not seem to follow any known character set.

4:44P 1445

5:59P 1445

5:59P 1445

6:00P 1445

6:02P 1445


FUH2 | Fuck You And Your H2
Topic: Miscellaneous 12:24 pm EDT, Jul 14, 2004

] Welcome to, home of the official Hummer H2
] salute. So...why all the fuss? Well, it breaks down like
] this:

