August 11, 2008 2:35 PM PDT

Massachusetts: We want to meet with MIT subway-hacking students

by Declan McCullagh

The state of Massachusetts said Monday it is not prepared to abandon its lawsuit against MIT students who uncovered security vulnerabilities in Boston transit cards, even though thousands of copies of their 87-page presentation have been distributed.

A federal judge on Saturday granted the state transit authority's request for a restraining order barring the students' planned presentation at the Defcon conference. It orders them not to disclose any "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System."

The MIT students canceled their talk. But their presentation materials were handed out to Defcon attendees in the conference packet, and they have since been distributed widely on the Web.

When we asked the Massachusetts Bay Transportation Authority if it would end the lawsuit as a result of the distribution, spokesman Joe Pesaturo replied: "The MBTA will reserve comment on the substance of the presentation until staff has had a sufficient period of time to thoroughly review the information, and meet with the students and their professor." Pesaturo did not respond to a follow-up question about whether any meeting has been set up.

The Electronic Frontier Foundation, which is providing a legal defense to the students, did not immediately respond to questions about whether a meeting has been arranged.

U.S. District Judge Douglas Woodlock granted MBTA a temporary restraining order, which under federal rules automatically expires in 10 days--meaning August 19--unless extended "for good cause."

That means MBTA needs to decide in the next week whether to ask Woodlock to convert his temporary order into a longer-lasting preliminary injunction.

MBTA's Pesaturo added in a separate message:

A week ago, the MBTA learned about the presentation to be made at the conference, and immediately contacted MIT. At a meeting last Tuesday involving all the parties, MIT staff and the students agreed to provide the MBTA with a copy of the presentation. After several days passed without getting any information from MIT, the MBTA had no choice but to seek assistance from a federal court judge on Friday. At 4:30 a.m. on Saturday, the presentation was finally provided to the MBTA. Staff is thoroughly reviewing the information to determine if there is any degree of substance to the claims being made by the students.

One reason the MBTA may want to proceed is that the restraining order does more than merely require the three students--Zack Anderson, R.J. Ryan, and Alessandro Chiesa--not to proceed with their presentation. It also applies to releasing "software code," which the trio had planned to post at web.mit.edu/zacka/www/subway/, but apparently never did.

During Saturday's hearing, an attorney for MBTA pointed to the students' plans to post Python code that could read magnetic cards and said: "This is not simply saying, 'We did it. Aren't we inventive?' It's also providing a tool to help accomplish this. Our understanding is that these would likely be software tools that would make it easier to analyze the cards." (An EFF attorney, on the other hand, characterized the code as general-purpose and "not tools which are targeted toward the MBTA system.")

Judge Woodlock said, according to a recording posted by Wired News, that the students acted "in contravention of best practices" and that he foresaw "no harm to defendants" in granting the restraining order. He did, however, add that "defendants are free to seek modification even before the end of the 10-day period."

Declan McCullagh, CNET News' chief political correspondent, chronicles the intersection of politics and technology. He has covered politics, technology, and Washington, D.C., for more than a decade, which has turned him into an iconoclast and a skeptic of anyone who says, "We oughta have a new federal law against this." E-mail Declan.
8 Comments
by BlitzBoy1120 August 11, 2008 4:38 PM PDT
And that's why I'm planning to go to that school XD
Reply to this comment
by magicmaster August 11, 2008 5:55 PM PDT
Dear MBTA:

If MBTA had not filed the restraining order, I would not have known about the presentation that was meant to be presented to SELECTED hackers.

Withdraw the lawsuit, or I will distribute a copy of the PowerPoint presentation to everyone else...wait! I already did!

Have a nice day,

What the hack
Reply to this comment
by Linuxiac38 August 12, 2008 8:43 AM PDT
All 22 million of us received it, so, thanks 4 teh hack!

Security through obscurity just got blown out the window! Thanks, MBTA! Are you following the precedent set by the Boston Police, with the Adult Swim "bomba"?
by michaelo1966 August 12, 2008 6:22 AM PDT
Read the overview of their presentation; the value of a card is stored as a few bytes in a fixed-field on the stripe. Anybody with a mag-stripe reader/writer -- available widely and cheaply -- can write a program to change the stored value on those cards turning their $1 card into a $100 card with a swipe. Not releasing software to do it is meaningless -- anybody can write it -- the hard part was figuring out which field was which. The MTA was stupid for storing the kit n' caboodle unencrypted on a paper mag-stripe card, but rather than take responsibility for being idiots they decided to sue: it's the American way. I'll bet they paid some "security contractor" gobs of money to program and maintain this system.
Reply to this comment
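The comment above describes the flaw as a value "stored as a few bytes in a fixed field" that a writer can rewrite. The added example below (not code from the students, the MBTA, or this article) models that with a constructed 16-byte record layout that is not the real CharlieTicket format, and shows the control that actually stops a rewritten field from being honoured: not encryption by itself, but an integrity tag that the reader recomputes. The issuer key, field layout and values are all assumptions made up for the demo.

```python
import hashlib
import hmac
import struct

# Hypothetical 16-byte stored-value record (constructed for this example,
# NOT the MBTA CharlieTicket layout): 4-byte card id, 4-byte value in
# cents, 8-byte truncated HMAC-SHA256 tag over the first two fields.
RECORD_FMT = ">II8s"
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 16 bytes

# Assumed issuer key; in a real deployment it lives in the readers'
# secure element or an HSM, never on the card. (Constructed value.)
ISSUER_KEY = b"example-issuer-key-not-real"


def _tag(card_id: int, value_cents: int) -> bytes:
    """Keyed integrity tag over the fields a reader must trust."""
    msg = struct.pack(">II", card_id, value_cents)
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()[:8]


def encode_record(card_id: int, value_cents: int) -> bytes:
    """Issuer side: write the value plus its integrity tag to the stripe."""
    return struct.pack(RECORD_FMT, card_id, value_cents, _tag(card_id, value_cents))


def decode_unauthenticated(record: bytes) -> int:
    """Reader that trusts the stripe, as the comment describes: the value
    is simply whatever bytes sit in the fixed field."""
    _, value_cents, _ = struct.unpack(RECORD_FMT, record)
    return value_cents


def decode_authenticated(record: bytes):
    """Reader that recomputes the tag before believing the value.
    Returns the value in cents, or None if the record was altered."""
    if len(record) != RECORD_LEN:
        return None
    card_id, value_cents, tag = struct.unpack(RECORD_FMT, record)
    if not hmac.compare_digest(tag, _tag(card_id, value_cents)):
        return None
    return value_cents


def overwrite_value_field(record: bytes, new_value_cents: int) -> bytes:
    """Test helper: a stripe rewrite that edits only the value field and
    leaves everything else, including the tag, untouched."""
    return record[:4] + struct.pack(">I", new_value_cents) + record[8:]


if __name__ == "__main__":
    card = encode_record(0x1234, 100)            # a $1.00 card
    edited = overwrite_value_field(card, 10000)  # field now reads $100.00
    print("trusting reader sees:", decode_unauthenticated(edited))  # 10000
    print("checking reader sees:", decode_authenticated(edited))    # None
```

A tag like this only defeats offline edits of the field; a valid record copied to a second card still verifies, so a stored-value scheme also needs server-side balance or serial-number tracking to catch cloning and replay.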
by bmrowe23 August 12, 2008 6:45 AM PDT
This is what happens when you mix the smartest people with too much time on their hands with the dumbest most impatient. At least they all ride public transportation, right? MTBA should say thank-you and grant a few free lifetime passes for MIT's time and discretion. That is what a criminal would have if they kept the hack to themselves. On the other hand it wouldn't hurt the resumes of these students to have a short internship to help fix the problem.
Reply to this comment
by dragonwithaheadache August 12, 2008 8:07 AM PDT
I can agree with this; apparently the kids paid attention to their studies at MIT, then used them the way they should. Glad I don't live in Boston; I would hate to see the security on the City's network.
by fdunn3 August 12, 2008 1:11 PM PDT
MTBA, how do you know that the MIT students were the first to learn of the security flaw in your system, as the irresponsible hackers would be selling the cards and using them for themselves and you would even know it.

Now some responsible IT students step up to the plate, but you have no contingency plan. Whose fault is that? Certainly not theirs.

Don't be so cocky as to think your system is so secure that people aren't already abusing it. You shouldn't be suing these students; you should be hiring them.
Reply to this comment
by NoVista August 12, 2008 8:17 PM PDT
Well said!

Oh well, there's DefCon and DeafEars ...