Feeds

Gag order lifted for students who hacked subway card

MIT students free to discuss gaping holes

Secure remote control for conventional and virtual desktops

Three Massachusetts Institute of Technology undergraduates are once again free to publicly discuss gaping security holes in the Boston subway system after a federal judge refused to renew a gag order requested by transportation officials.

US District Judge George A. O'Toole rejected arguments by the Massachusetts Bay Transportation Authority officials that disclosure of flaws in the subway's electronic payment system constituted a violation of the Computer Fraud and Abuse Act (CFAA). The students had been barred from publicly discussing the defects since August 9, when a different federal judge halted their Defcon presentation, titled "Anatomy of a Subway Hack."

The Electronic Frontier Foundation, which represented the trio, asserted the gag order was an unconstitutional restraint on their free-speech rights, but O'Toole seemed to steer clear or those arguments. Instead, he focused on the language in the CFAA, which discusses the transmission of malicious code to protected computers.

"The judge today correctly found that it was unlikely that the CFAA would apply to security researchers giving an academic talk," EFF Staff Attorney Marcia Hofmann said in a statement. "A presentation at a security conference is not some sort of computer intrusion. It's a protected speech and vital to the free flow of information about computer security vulnerabilities."

The students aren't out of the woods yet. The MBTA's lawsuit naming Zack Anderson, 21, RJ Ryan, 22 and Alessandro Chiesa, 20, and MIT where they attend undergraduate courses, continues. The complaint, filed in US District Court in Boston, seeks unspecified monetary damages for violation of the CFAA, negligent supervision and other causes of action.

The research uncovered errors in both of the MBTA's electronic fare payment systems. The students received an A for their work from Ronald Rivest, who prior to becoming an MIT professor was one of the mathematicians who developed the RSA cryptography algorithm.

The irony of the lawsuit is that most of the information about the vulnerabilities has already circulated widely. All 87 pages of their Defcon presentation have been online for weeks now. And raw research into the Mifare card, the radio frequency identification chip at the heart of the MBTA's CharlieCard, was announced earlier this year. The students have also submitted a 30-page security analysis and have agreed to meet with MBTA security personnel to answer questions.

For the first time, attorneys with the MBTA acknowledged in court papers filed Monday that the system had vulnerabilities and estimated it could take five months to fix them. They had requested a preliminary order preventing disclosure that would take the place of a temporary restraining order that expired Tuesday.

The episode is a lesson in what's come to be known as responsible disclosure in computer security circles. MBTA officials weren't informed of the research findings until a few days before the scheduled Defcon talk. Proponents of responsible disclosure argue researchers should share security vulnerability findings with manufacturers of the affected wares prior to going public to minimize the damage.

What's more, the students issued teasers for their talk that included statements such as "Want free subway rides for life?".

Whatever, the shortcomings of its clients, the EFF argued the MBTA was designed to punish the messenger.

"The MBTA ultimately is trying to silence some uncomfortable truths that these students uncovered," EFF attorney Cindy Cohn said, according to the Associated Press. "They brought an action against three college kids rather than address the problems in their own house." ®

Intelligent flash storage arrays

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Seattle children’s accelerates Citrix login times by 500% with cross-tier insight
Seattle Children’s is a leading research hospital with a large and growing Citrix XenDesktop deployment. See how they used ExtraHop to accelerate launch times.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.