Gag order lifted for students who hacked subway card

MIT students free to discuss gaping holes

Three Massachusetts Institute of Technology undergraduates are once again free to publicly discuss gaping security holes in the Boston subway system after a federal judge refused to renew a gag order requested by transportation officials.

US District Judge George A. O'Toole rejected arguments by Massachusetts Bay Transportation Authority (MBTA) officials that disclosure of flaws in the subway's electronic fare payment system would violate the Computer Fraud and Abuse Act (CFAA). The students had been barred from publicly discussing the defects since August 9, when a different federal judge issued a temporary restraining order that halted their Defcon presentation, titled "Anatomy of a Subway Hack."

The Electronic Frontier Foundation, which represented the trio, argued the gag order was an unconstitutional prior restraint on their free-speech rights, but O'Toole seemed to steer clear of those arguments. Instead, he focused on the language of the CFAA, which is concerned with the knowing transmission of a program, code or command that causes damage to a protected computer.

"The judge today correctly found that it was unlikely that the CFAA would apply to security researchers giving an academic talk," EFF Staff Attorney Marcia Hofmann said in a statement. "A presentation at a security conference is not some sort of computer intrusion. It's protected speech and vital to the free flow of information about computer security vulnerabilities."

The students aren't out of the woods yet. The MBTA's lawsuit, which names Zack Anderson, 21, RJ Ryan, 22, and Alessandro Chiesa, 20, as well as MIT, where they are undergraduates, continues. The complaint, filed in US District Court in Boston, seeks unspecified monetary damages for violation of the CFAA, negligent supervision and other causes of action.

The research uncovered weaknesses in both of the MBTA's electronic fare media, the contactless CharlieCard and the magnetic-stripe CharlieTicket. The students received an A for the work from Ronald Rivest, the MIT professor who is the R in the RSA public-key algorithm.

The irony of the lawsuit is that most of the information about the vulnerabilities had already circulated widely. All 87 pages of their Defcon slides had been online for weeks. And the underlying research into the Mifare Classic chip, the RFID chip at the heart of the MBTA's CharlieCard, had been published by other researchers earlier in the year, when its proprietary Crypto-1 cipher was reverse-engineered and broken. The students have also submitted a 30-page security analysis and have agreed to meet with MBTA security personnel to answer questions.

For the first time, MBTA attorneys acknowledged in court papers filed Monday that the system had vulnerabilities, and estimated that fixing them could take five months. They had requested a preliminary injunction preventing disclosure to take the place of the temporary restraining order that expired Tuesday.

The episode is a lesson in what has come to be known as responsible disclosure in computer security circles. MBTA officials weren't informed of the research findings until a few days before the scheduled Defcon talk. Proponents of responsible disclosure argue that researchers should share vulnerability findings with the vendor or operator of the affected system, and give it a reasonable window to ship a fix, before going public, so that the period in which attackers know about a flaw the defender cannot yet close is kept as short as possible.

What's more, the students had promoted their talk with teasers that included statements such as "Want free subway rides for life?"

Whatever the shortcomings of its clients' approach, the EFF argued, the MBTA's suit was designed to punish the messenger.

"The MBTA ultimately is trying to silence some uncomfortable truths that these students uncovered," EFF attorney Cindy Cohn said, according to the Associated Press. "They brought an action against three college kids rather than address the problems in their own house." ®
