CDR: RE: RISKS: New Jersey shuts down E-ZPass statement site after security breached

Trei, Peter ptrei at rsasecurity.com
Mon Nov 6 06:46:27 PST 2000


EZ-Pass is a perfect example of people choosing 
convenience over security, and a bad design "creating 
the tools for tyranny". 

While the accounting system most certainly keeps records
of where you were, and when, so it can do billing, the system
is structured in such a way that an intrusive government can
place antennas anywhere they want, and clandestinely 
record all EZ-Pass equipped vehicles passing a given point
(even if it is not a toll site).

[It just struck me that there may be a novel legal challenge to
this; since you have contracted with a transport agency to
use EZ-Pass, any non-contractual activation of the system
could be legally construed as computer hacking - the snooping
antenna has to power up your EZ-pass' chip (that's what those
big inductive loop antennas are for), cause it to run a program,
and return a result. If the EZ-Pass is rented from the authority
I don't know if you'd have standing to sue, though.]

Of course, EZ-Pass could have been designed so that the
device was anonymous, and prepaid stored value (bought
for cash) smartcards used to meter access. 

It would probably have worked out cheaper as well, since the
accounting overhead goes away, and they make interest on
the float of unused cards....

....but such a mechanism would not have suited Big Brother
nearly as well.

Peter

[Disclaimer: The above represents my personal views only]

> ----------
> From: 	Bill Stewart[SMTP:bill.stewart at pobox.com]
> Reply To: 	Bill Stewart
> Sent: 	Friday, November 03, 2000 10:35 PM
> To: 	cypherpunks at cyberpass.net
> Subject: 	RISKS: New Jersey shuts down E-ZPass statement site after
> security breached 
> 
> the following pleasant article on privacy was on RISKS.
> 
> Date: Tue, 24 Oct 2000 11:19:44 -0400 (EDT)
> From: danny burstein <dannyb at panix.com>
> Subject: EZ-Pass discovers risk of sending URLs instead of actual text
> 
> In a story datelined 24-Oct-2000, and headlined:
> 
>    New Jersey shuts down E-ZPass statement site after security breached 
> 
> The Associated Press reported on a problem with privacy and security on
> the New Jersey EZPASS website where people can review their usage.
> (EZPass is a radio transponder placed in your motor vehicle which is
> "read" at toll booths, enabling you to zip through without having to stop
> and hand over cash. Naturally it keeps records of when and where you
> were for billing purposes... Which is another RISK altogether)
> 
	[...]
