Feeds

Gag order lifted for students who hacked subway card

MIT students free to discuss gaping holes

SANS - Survey on application security programs

Three Massachusetts Institute of Technology undergraduates are once again free to publicly discuss gaping security holes in the Boston subway system after a federal judge refused to renew a gag order requested by transportation officials.

US District Judge George A. O'Toole rejected arguments by the Massachusetts Bay Transportation Authority officials that disclosure of flaws in the subway's electronic payment system constituted a violation of the Computer Fraud and Abuse Act (CFAA). The students had been barred from publicly discussing the defects since August 9, when a different federal judge halted their Defcon presentation, titled "Anatomy of a Subway Hack."

The Electronic Frontier Foundation, which represented the trio, asserted the gag order was an unconstitutional restraint on their free-speech rights, but O'Toole seemed to steer clear or those arguments. Instead, he focused on the language in the CFAA, which discusses the transmission of malicious code to protected computers.

"The judge today correctly found that it was unlikely that the CFAA would apply to security researchers giving an academic talk," EFF Staff Attorney Marcia Hofmann said in a statement. "A presentation at a security conference is not some sort of computer intrusion. It's a protected speech and vital to the free flow of information about computer security vulnerabilities."

The students aren't out of the woods yet. The MBTA's lawsuit naming Zack Anderson, 21, RJ Ryan, 22 and Alessandro Chiesa, 20, and MIT where they attend undergraduate courses, continues. The complaint, filed in US District Court in Boston, seeks unspecified monetary damages for violation of the CFAA, negligent supervision and other causes of action.

The research uncovered errors in both of the MBTA's electronic fare payment systems. The students received an A for their work from Ronald Rivest, who prior to becoming an MIT professor was one of the mathematicians who developed the RSA cryptography algorithm.

The irony of the lawsuit is that most of the information about the vulnerabilities has already circulated widely. All 87 pages of their Defcon presentation have been online for weeks now. And raw research into the Mifare card, the radio frequency identification chip at the heart of the MBTA's CharlieCard, was announced earlier this year. The students have also submitted a 30-page security analysis and have agreed to meet with MBTA security personnel to answer questions.

For the first time, attorneys with the MBTA acknowledged in court papers filed Monday that the system had vulnerabilities and estimated it could take five months to fix them. They had requested a preliminary order preventing disclosure that would take the place of a temporary restraining order that expired Tuesday.

The episode is a lesson in what's come to be known as responsible disclosure in computer security circles. MBTA officials weren't informed of the research findings until a few days before the scheduled Defcon talk. Proponents of responsible disclosure argue researchers should share security vulnerability findings with manufacturers of the affected wares prior to going public to minimize the damage.

What's more, the students issued teasers for their talk that included statements such as "Want free subway rides for life?".

Whatever, the shortcomings of its clients, the EFF argued the MBTA was designed to punish the messenger.

"The MBTA ultimately is trying to silence some uncomfortable truths that these students uncovered," EFF attorney Cindy Cohn said, according to the Associated Press. "They brought an action against three college kids rather than address the problems in their own house." ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.