Gag order lifted for students who hacked subway card

MIT students free to discuss gaping holes

Three Massachusetts Institute of Technology undergraduates are once again free to publicly discuss gaping security holes in the Boston subway system after a federal judge refused to renew a gag order requested by transportation officials.

US District Judge George A. O'Toole rejected arguments by the Massachusetts Bay Transportation Authority officials that disclosure of flaws in the subway's electronic payment system constituted a violation of the Computer Fraud and Abuse Act (CFAA). The students had been barred from publicly discussing the defects since August 9, when a different federal judge halted their Defcon presentation, titled "Anatomy of a Subway Hack."

The Electronic Frontier Foundation, which represented the trio, argued that the gag order was an unconstitutional prior restraint on their free-speech rights, but O'Toole appeared to steer clear of those arguments. Instead, he focused on the language of the CFAA, which concerns the transmission of code or commands to protected computers, not the act of describing flaws in them.

"The judge today correctly found that it was unlikely that the CFAA would apply to security researchers giving an academic talk," EFF Staff Attorney Marcia Hofmann said in a statement. "A presentation at a security conference is not some sort of computer intrusion. It's a protected speech and vital to the free flow of information about computer security vulnerabilities."

The students aren't out of the woods yet. The MBTA's lawsuit naming Zack Anderson, 21, RJ Ryan, 22, and Alessandro Chiesa, 20, as well as MIT, where the three are undergraduates, continues. The complaint, filed in US District Court in Boston, seeks unspecified monetary damages for violation of the CFAA, negligent supervision and other causes of action.

The research uncovered flaws in both of the MBTA's electronic fare payment systems, the magnetic-stripe CharlieTicket and the RFID-based CharlieCard. The students received an A for their work from Ronald Rivest, the MIT professor who is the "R" in RSA, the public-key cryptography algorithm he co-developed.

The irony of the lawsuit is that most of the information about the vulnerabilities had already circulated widely. All 87 pages of the students' Defcon slides have been online for weeks. And the underlying research into the Mifare Classic, the radio frequency identification chip at the heart of the MBTA's CharlieCard, had been published by other researchers earlier this year. The students have also submitted a 30-page security analysis to the MBTA and have agreed to meet with its security personnel to answer questions.

For the first time, attorneys with the MBTA acknowledged in court papers filed Monday that the system had vulnerabilities and estimated it could take five months to fix them. They had requested a preliminary order preventing disclosure that would take the place of a temporary restraining order that expired Tuesday.

The episode is a lesson in what has come to be known as responsible disclosure in computer security circles. MBTA officials weren't informed of the research findings until a few days before the scheduled Defcon talk. Proponents of responsible disclosure argue that researchers should share vulnerability findings with the vendors and operators of the affected systems, and allow time for a fix, before going public, so as to minimize the damage.

What's more, the students issued teasers for their talk that included statements such as "Want free subway rides for life?"

Whatever the shortcomings of its clients, the EFF argued, the MBTA's lawsuit was designed to punish the messenger.

"The MBTA ultimately is trying to silence some uncomfortable truths that these students uncovered," EFF attorney Cindy Cohn said, according to the Associated Press. "They brought an action against three college kids rather than address the problems in their own house." ®
