August 14, 2008 10:28 AM PDT

Judge leaves gag order intact on subway card-hacking students

by Jim Kerstetter

BOSTON--A federal judge on Thursday let stand a temporary restraining order preventing three Massachusetts Institute of Technology students from discussing or disclosing their research into security vulnerabilities in the payment system for the local subway system.

In a 45-minute hearing here, U.S. District Judge George O'Toole Jr. also granted a request by the Massachusetts Bay Transportation Authority to obtain documents from the three students and their MIT professor Ron Rivest, a renowned researcher best known as co-inventor of the RSA public key encryption system commonly used in e-commerce systems.

O'Toole didn't amend or revoke the temporary restraining order. Instead, he postponed discussion on it until another hearing that will take place Tuesday. None of the students (who are on summer break), nor Rivest, was in court.

On Saturday, a different judge who was on duty over the weekend granted the state transportation agency an order against the three students, who had been scheduled to give a presentation at the Defcon hacker conference a day later. They canceled their presentation, and their attorneys have been fighting to lift the gag order ever since.

Jennifer Granick, an attorney with the advocacy group Electronic Frontier Foundation who's representing the three students, said the EFF might appeal the judge's ruling to the U.S. 1st Circuit Court of Appeals, but the timing is tight: the judge has required the students to make a good effort to provide the documents--including a class paper on "The T" hack and records of communications with Defcon organizers--by Friday afternoon.

Under federal rules, the temporary restraining order automatically expires Tuesday, and Granick had asked the judge to terminate it immediately on grounds that it violated the students' First Amendment rights and based on long-standing court precedent that disfavors prior restraint of speakers. But O'Toole declined to rule on her request, and instead scheduled another hearing for Tuesday morning.

The students provided the court and MBTA officials with a new 30-page report that details all of their findings, including particular information to complete the Charlie Card hack that they say they had no intention of revealing in the Defcon discussion. But T officials still want additional information, saying they want to ensure no other vulnerabilities exist that the students have yet to reveal. (This is in addition to a 5-page analysis, marked "confidential," that the students sent to MBTA last week.)

Granick told reporters after the hearing that there is no more relevant information that her clients, Alessandro Chiesa, R.J. Ryan, and Zack Anderson, can provide. "That document should have resolved the whole matter," Granick said, adding, "There is no other shoe to drop."

Debate over what is responsible disclosure
At the heart of the case is an increasingly contentious debate between security researchers and their subjects about what is responsible disclosure. The students and their lawyers argue that giving that Defcon presentation would have been a public service. Indeed, at a time when local politicians and Boston newspapers are debating the efficacy of the T's electronic payment system, it could have been a necessary part of the public discussion.

U.S. District Judge Douglas Woodlock in Massachusetts granted the temporary restraining order before the students could make their Defcon presentation, on the grounds that the Computer Fraud and Abuse Act might have been violated. Lawyers for the students argue the CFAA, if properly interpreted, should not apply because it refers to the dissemination of information from computer-to-computer, not person-to-person.

Ieuan-Gael Mahony, a lawyer from the Boston firm Holland & Knight representing the MBTA, argued, however, that at this point, there is no harm being done to the students by the restraining order and there was no reason to lift it. (The gag order goes beyond the Defcon presentation; it continues to bar the students from providing any "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System.")

Eleven security researchers have sent a letter to the court backing the students' claims and criticizing this form of a gag order. But rather than ruling on the First Amendment and prior restraint questions on Thursday, the judge postponed a decision until he has more material before him.

MIT students Alessandro Chiesa, R.J. Ryan, and Zack Anderson showed up at, but did not speak at, the Defcon conference in Las Vegas on Saturday.

(Credit: Declan McCullagh/News.com)
Jim Kerstetter has been writing about the high-tech industry for more than 13 years, as a senior editor at PC Week, a Silicon Valley correspondent at BusinessWeek, and now an executive editor at CNET News. He moved back to Boston because he missed the Red Sox. E-mail Jim.
17 Comments
by Michichael August 14, 2008 10:40 AM PDT
Wow, this is absolutely ridiculous. It's been accepted in Europe that it is not only a violation of basic rights, but a fallacy in security to restrict a researcher from presenting his findings on the RFID vulnerabilities. I'm smelling something incredibly fishy here between the "impartial" judge and Massachusetts, and I'm not one for conspiracy theories.
by DeltaBravo August 14, 2008 2:38 PM PDT
Nothing fishy here. Just a judge with a good sense of right and wrong. These "researchers", being spoiled brats, are trying to puff up their public image by harming an innocent company. If they wanted to practice free speech responsibly they would have revealed what they know to the company and offered to help correct the problem. If the company didn't do anything about it, after a reasonable period of time (which could take several months), then a public announcement would be appropriate.
by The_Decider August 14, 2008 4:44 PM PDT
Innocent?

The problems they found can only be explained by saying that MBTA is grossly incompetent.
by protagonistic August 14, 2008 10:47 AM PDT
What can I say, most judges in this country at that level are little more than political hacks. They do not even understand the concept of freedom anymore. I think it must be a requirement these days that to graduate from law school you have to prove you have eliminated the last vestige of common sense from your reasoning.
by DeltaBravo August 14, 2008 2:35 PM PDT
The judge understands the concept of freedom. The problem is that neither you nor these three spoiled brats understand the concept of responsibility.
by The_Decider August 14, 2008 4:31 PM PDT
It is the transit system avoiding responsibility.

The problem is that you don't seem to understand the issues. If you point out a fire hazard, would you expect to get a gag order? These kids found many fire hazards and should be commended.
by fdunn3 August 14, 2008 12:47 PM PDT
I think that the MBTA is afraid that the public will find out that the hack is being used on a daily basis and that they have done nothing about it.

The EFF should subpoena security records and ridership data on the T cards as I think they will find it interesting reading. (Such as duplicated cards.)

Only then will the MBTA back off as they know they have been busted.
by DeltaBravo August 14, 2008 2:33 PM PDT
While I have no problem with honest "hackers" uncovering vulnerabilities in software, I feel they have a moral obligation to notify the companies affected rather than make public revelations that can only serve to help others harm innocent individuals and companies. These guys are looking to puff themselves up in the eyes of others by hurting a company that doesn't deserve such treatment. They claim free speech rights but have no concept of free speech responsibility. One cannot work without the other. I don't know if the Judge's decision can be upheld on appeal but these jerks need to grow up and MIT needs to do a better job of teaching their students something about morality and adulthood.
by aphoog August 14, 2008 2:52 PM PDT
Why are the students' actions immoral? If you happen to keep all your money in a safe made of straw and I just happen to state that straw is combustible... was I immoral, or is the owner of the straw safe stupid?
by The_Decider August 14, 2008 4:34 PM PDT
MBTA deserves this. Look at the PowerPoint slides. A group of drunken monkeys could produce a more secure system.

Or do you think that it is OK to have critical network gear in a publicly accessible, unlocked room?

In no way is finding and pointing out serious security issues immoral. Some of what they did might be illegal, but not immoral.

Funny how people who rail against these kids are technically illiterate and can't grasp the magnitude of the flaws (some tech related, many not) that were not fixed by MBTA.
by ktappe August 14, 2008 7:36 PM PDT
First, MBTA is not a "company", it is a publicly-owned service that is funded by taxpayers. No individual entity is being "hurt" by these students--they are attempting to perform a public service and bring about more security on that public service.
Second, they DID (if you read the article) submit a security brief to the MBTA over a week before the conference. So they did act morally.
Third, if the MBTA was aware of the security deficiencies in the system already, then it most certainly did deserve to be treated like this. Worse, in fact.
So lastly, these people are not "jerks" as you call them. They seem like they are performing an admirable, necessary function. Without them, would anyone currently be discussing the MBTA's security flaws?
by ghifarix August 14, 2008 4:01 PM PDT
For others to hack into any software program, it shows that program to be unfinished, incomplete, or the hack to be different or otherwise new, perhaps superior. Therefore this hack should not have been subjugated as a patent violation in any way, form or manner. These MIT students are being repressed because the culture of monopoly rejects competition, let's say improvement. If anything moral were to show its principled head, it should have been the owners of the old software negotiating with the creators of the new. The learned judge not only robbed the MIT developers, she simply said that America has reached the pinnacle of developing: gate closed, let's move on to China.
by The_Decider August 14, 2008 4:38 PM PDT
Not only that, many of the flaws were not technical at all. Leaving rooms with switches and routers unlocked and publicly accessible is one example. Turnstile boxes were found unsecured. Crap like that.

Every executive and employee that has anything remotely to do with security should be fired and jailed for violating the public trust in such an incompetent manner.
by LarryLarryLarryLarry August 14, 2008 4:32 PM PDT
The students' report is online. I read the 87 page PDF file yesterday. I won't say where, because then I'm the bad guy, but hmmm, if you wanted to find some suppressed document, what is the most obvious website that would show such a document?
by KenHaggerty August 14, 2008 10:12 PM PDT
It's surprisingly easy to hack the subway system and actually works for multiple subway systems. I read through the file and even as an architecture student I could understand it. I agree that the MBTA maybe should have had prior notice as a courtesy but the fact is that at least the students are bringing the issue to public attention and not keeping it secret and looting money off the MBTA.
by Maccess August 15, 2008 2:06 AM PDT
Why not just fix the vulnerability so the hacking information becomes worthless?
by Jimmu411 August 15, 2008 8:22 AM PDT
We MUST maintain the principles of security by ignorance! If we muzzle these three, surely no one else will be able to figure out the weaknesses in the system!