August 19, 2008 10:51 AM PDT

Judge lifts MIT students' card-hacking gag order

by Jim Kerstetter

This post was updated at 1:45 p.m. PDT with comment from MBTA General Manager Daniel Grabauskas.

BOSTON--The three Massachusetts Institute of Technology students who had been barred by a court order from discussing subway card vulnerabilities are now free to say what they want.

In a ruling certain to be cheered by computer researchers, a federal judge here Tuesday let the 10-day-old gag order expire. U.S. District Judge George O'Toole Jr. refused to grant a preliminary injunction requested by the Massachusetts Bay Transportation Authority that would have blocked the students from talking about their findings until January 1, 2009.

The MBTA's requested injunction would have replaced a temporary restraining order granted during the Defcon hacker conference, which automatically expires on Tuesday under federal court rules.

First page of subway-hacking presentation that was the subject of an injunction to stop its distribution--after it had already been distributed.

The MIT students planned to make a presentation at Defcon on security vulnerabilities in the Massachusetts transit authority's electronic card and ticketing system. But a different federal judge who was on duty that weekend blocked the presentation after MBTA sued the students and MIT.

Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: that the students' presentation was likely a violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses.

Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA.

On that basis, he said MBTA lawyers failed to convince him on two points. First, the students' presentation was meant to be delivered to people, and was not a computer-to-computer "transmission." Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system. Lawyers for the MBTA claimed Tuesday they had proof the students had violated the law, but stopped short of specifying what they did.

Lawyers for the MBTA could still appeal O'Toole's ruling to the U.S. First Circuit Court of Appeals. Unless either side backs down or a settlement happens, a trial on the T's lawsuit against the students and MIT will eventually occur, but so far, no date has been set.

In a statement released on Tuesday afternoon, MBTA General Manager Daniel Grabauskas sounded conciliatory toward the students and hinted that the transit authority may be willing to work with the students outside of the courts.

"The 10-day process yielded a lot more information than we had at the start, and that was a key objective all along," Grabauskas said. "The students had repeatedly said the lawsuit was an impediment to opening up a productive dialogue with the MBTA about their findings. Now that the court proceedings are behind us, I renew my invitation to the students to sit down with us and discuss their findings. A great opportunity now presents itself."

He added, "With respect to the information that was sealed, I have every expectation that the students will act in accordance with the principles of 'responsible disclosure.'"

Lawyers for the students, in a case that has generated more attention in local media concerned about problems in the transit system than it has among national media concerned about privacy issues, welcomed the judge's decision. "This was a case of shooting the messenger," said Cindy Cohn, a lawyer with the Electronic Frontier Foundation, a San Francisco-based advocacy group that was representing the students along with the Massachusetts affiliate of the ACLU and the Fish & Richardson law firm.

But Ieuan Mahony, a lawyer for the Boston law firm Holland & Knight who is representing the MBTA, said the transit authority had no interest in chilling computer security research. Instead, he said it merely wanted to ensure that a method for wide-scale fare violations wasn't disseminated.

Security researchers working for the MBTA spent the last several days working through a confidential 30-page analysis--which has not been made public--that the students had sent to the court and T officials. The document detailed the complete method for breaking the local Charlie card payment system, including specific details the students say they didn't plan to reveal at the Defcon conference.

MBTA said in documents filed with the court that fixing the security flaws would take five months. ("Students have the ability to cause significant harm to the CharlieTicket system, during the roughly five-month window that remedial actions will require.")

T officials concluded that the students had, in fact, found a way to break the paper Charlie card system, but had only found theoretical methods for breaking the plastic Charlie card, an RFID smart card that can have T fares electronically added to it.

Mahony said the 30-page analysis was a "very useful document," adding that it's "invaluable, but there are additional materials that cause us great concern." In particular, the transit authority wanted correspondence with Defcon officials and materials from their class with MIT professor Ron Rivest, a cryptographer best known as one of the co-inventors of the RSA public key encryption system, which is commonly used in e-commerce.

Despite the First Amendment implications of the case, O'Toole made it clear he intended to steer clear of the Bill of Rights. "I appreciate the breadth of views of others," he said, "but my views are considerably more limited." (Federal judges generally try to avoid constitutional issues if the dispute can be resolved by interpreting the text of a statute. Here, the statute was a 1986 law that he decided didn't properly apply to the students' conduct.)

What the students intend to do now that the gag order has been lifted is unclear. If they wished, they could still make the Defcon presentation at some other forum. Cohn said she hasn't spoken with the three, who are still on summer break.

One of the students, Zack Anderson, told The Boston Globe in an interview published Monday that after the dust-up with the MBTA is done, he intends to work on a company that converts heat from a car's shock absorbers into energy for the car's engine. He reiterated in the interview that the students never intended to cause harm to the transit system.

"It wasn't to enable others to get a free fare or cause any sort of havoc," Anderson told the Globe. "It was really to show how major the issues are in this system, which also might resonate in many other systems around the world."

But one thing is certain: they have no intention of revealing the 30-page document that contained the specific details that told someone how to break the Charlie card system.

CNET News' Declan McCullagh contributed to this report.

Jim Kerstetter has been writing about the high-tech industry for more than 13 years, as a senior editor at PC Week, a Silicon Valley correspondent at BusinessWeek, and now an executive editor at CNET News. He moved back to Boston because he missed the Red Sox.
Comments (16)
by The_Decider August 19, 2008 11:23 AM PDT
It is about time the judge pulled his head out.

If the MBTA had any clue whatsoever it would now start working with these kids to fix the mess that their incompetence wrought.
by Lerianis August 19, 2008 2:29 PM PDT
You have a good point there, The_Decider. If the judge was smart, he would order that the MBTA had to work with these people to fix their incompetent work and to start looking at suing whoever made their transportation system.
by fokkwp August 19, 2008 12:05 PM PDT
For similar security reasons, I will be censored if I try to post here that the White House has a p**k*t f*nce around it.
by JasonDJ August 19, 2008 12:07 PM PDT
We are forgetting...this is Massachusetts. If some kids from MIT can make Charlie-Cards give free fares, next thing you know THEY'LL BE TURNED INTO BOMBS!! ZOMG! ANYTHING ELECTRONIC AND/OR FLASHING AND/OR BLINKING AND/OR REMOTELY TECHNOLOGICAL THAT MAY POSSIBLY GO INTO THE CITY OF BOSTON HAS A 125% CHANCE OF EXPLODING ON USE!
by gggg sssss August 19, 2008 6:49 PM PDT
I remember that.
by michaelo1966 August 19, 2008 1:21 PM PDT
The judge realized he'd be reversed so found a loophole allowing him to reverse himself first on an entirely different issue, mooting out the underlying free-speech questions. It was pretty smart, though he shouldn't have upheld the initial injunction which shouldn't have been granted (though I have to admit the kids could have quietly worked with the transit authority to fix the problem then released their research after-the-fact; we need the US public transit to remain strong even if those running it aren't very bright).
by Lerianis August 19, 2008 2:58 PM PDT
Hey, I wouldn't have worked with this organization. Part of the thing is the 'lol' factor that you get by showing that the people who set up these systems are borderline or actual idiots who shouldn't be allowed to run our transportation systems AT ALL.
by August 19, 2008 2:33 PM PDT
It would be helpful if folks could read, prior to lambasting this judge.

The original injunction was handed down over a weekend by the judge who was on duty to handle these matters. This was not Judge O'Toole. It was another judge.

Judge O'Toole presided over the hearing to determine if the order should be extended. And weighing the data, he made the decision to not extend the order.

This isn't - as michaelo1966 implies - a case of CYA on his part.

It is quite likely that this was the calendared hearing for the extension of the initial injunction. It is quite possible he wasn't dragging his feet.

By the way, earlier coverage of this issue shows that "the kids" tried to work with MBTA. But that they were stonewalled. MBTA then ran to Court and I am sure that made them really excited about sitting down with MBTA.
by The_Decider August 19, 2008 4:09 PM PDT
It would be helpful if you knew what you were talking about.

This is the second ruling from this judge who initially upheld the injunction. Therefore this judge overruled himself.

http://news.cnet.com/8301-1009_3-10017172-83.html?tag=bl
by badtransit August 19, 2008 2:37 PM PDT
"The 10-day process yielded a lot more information than we had at the start, and that was a key objective all along," Grabauskas said. "The students had repeatedly said the lawsuit was an impediment to opening up a productive dialogue with the MBTA about their findings. Now that the court proceedings are behind us, I renew my invitation to the students to sit down with us and discuss their findings. A great opportunity now presents itself."

Translation: "Now that the 'authority' has unsuccessfully attempted to cover up their stupidity in selecting this $75+ million 'automated fare collection system', and after the 'authority' rejected the students' fair offer and instead attempted to criminalize them, now the 'authority' would like to have a helpful little sit-down chit chat."

Advice: DON'T DO IT.

The locals here know why: the "authority" is one of the most corrupt government agencies on the planet. They screw the general public as easily as they would screw these students.

It's no great mystery what's wrong with their system: it be them, and they know it.
by paulej August 19, 2008 7:45 PM PDT
There are several issues these guys at MIT discovered, including unlocked doors, unmanned security rooms, etc. I just wonder if it wouldn't be expected for the public, who was relying on the MBTA for safe passage to work, to sue the MBTA. The MBTA is concerned with a few hackers making free train tickets? That is nothing on their total budget and we all know it. And, they can fix the issues with time. It just absolutely amazes me that they go off on those students when, in my opinion, some people at the MBTA should have been fired.
by jec20721 August 19, 2008 10:56 PM PDT
Thanks to the First Amendment, the MIT student newspaper has a copy of the Defcon slides available to the public:

http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

Pretty good stuff. Now if only I had a warcart...
by declan00 August 19, 2008 11:23 PM PDT
Yep. We've also posted the original summary the students prepared for MBTA -- check our back articles for the link.
by RainCaster August 20, 2008 7:24 AM PDT
The real bad guy here is the MBTA: lawyers went in to threaten when managers should have been sent in to LISTEN.
by rdupuy11 August 20, 2008 7:59 AM PDT
The transit authority clearly does blame students for their own shortcomings in security. MBTA absolutely doesn't understand that publishing the details of how to defeat their system is a great way to get that problem fixed. You said it would take you 5 months...5 months if you want to get fired, if you don't care about your job. I bet you'd fix your mistakes much faster if you had to.

The fact is, you wouldn't have fixed it at all, if not for students finding it. If someone else had found out about the issue, you'd have had people robbing the subway blind for multiple years, with no one reporting it... by the time you found out about it, you'd be deciding whether to keep it hidden just a little while longer until your next planned upgrade, or whatever to c.y.a.

No, in the long run, there is no need for 'responsible disclosure'...WIDE OPEN 100% disclosure is what works best.

This is subway fare, not a nuclear bomb.
by DigitalFrog August 20, 2008 2:57 PM PDT
Maybe the students should now turn around and sue the MBTA for security consultancy fees since the document was found to be 'invaluable'.....