December 23, 2008 2:09 PM PST

MIT students to help Boston secure subway fare system

by Elinor Mills

MIT students Alessandro Chiesa, R.J. Ryan, and Zack Anderson show up at, but do not speak at, the Defcon conference in August.

(Credit: Declan McCullagh/News.com)

Three MIT students who were sued by the Massachusetts Bay Transit Authority over their research into subway card vulnerabilities are now working with the transit authority to improve the fare collection system.

The lawsuit against the students was dismissed after a judge lifted a gag order in August that prevented the students from discussing their work. The students had planned to present their research at the Defcon hacker conference in Las Vegas on August 10, but canceled their presentation after a judge granted the MBTA's request for an injunction the day before.

"This is a great opportunity for both the MBTA and the MIT students. As we continue to research ways to improve the fare system for our customers, we appreciate the cooperative spirit demonstrated by the MIT students," MBTA General Manager Daniel Grabauskas said in a statement published on the Electronic Frontier Foundation Web site on Monday. EFF attorneys represented the students in their legal defense.

One of the students, Zack Anderson, was quoted as saying: "We've always shared the goal of making the subway as safe and secure as can be. I am glad that we can work with the MBTA to help the people of Boston, and we are proud to be a part of something that puts public interest first."

As part of their presentation, entitled "The Anatomy of a Subway Hack: Breaking Crypto RFIDs and Magstripes of Ticketing Systems," the students planned to describe several attacks to break the CharlieCard, an RFID card that the MBTA uses on the Boston T subway line.

August 19, 2008 10:51 AM PDT

Judge lifts MIT students' card-hacking gag order

by Jim Kerstetter

This post was updated at 1:45 p.m. PDT with comment from MBTA General Manager Daniel Grabauskas.

BOSTON--The three Massachusetts Institute of Technology students who have been barred by a court order from discussing subway card vulnerabilities are now free to say what they want.

In a ruling certain to be cheered by computer researchers, a federal judge here Tuesday let the 10-day-old gag order expire. U.S. District Judge George O'Toole Jr. refused to grant a preliminary injunction requested by the Massachusetts Bay Transportation Authority that would have blocked the students from talking about their findings until January 1, 2009.

The MBTA's requested injunction would have replaced a temporary restraining order granted during the Defcon hacker conference, which automatically expires on Tuesday under federal court rules.

First page of subway-hacking presentation that was the subject of an injunction to stop its distribution--after it had already been distributed.

The MIT students planned to make a presentation at Defcon on security vulnerabilities in the Massachusetts transit authority's electronic card and ticketing system. But a different federal judge who was on duty that weekend blocked the presentation after MBTA sued the students and MIT.

Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: that the students' presentation was likely a violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses.

Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA.

On that basis, he said MBTA lawyers failed to convince him on two points. First, the students' presentation was meant to be delivered to people, and was not a computer-to-computer "transmission." Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system. Lawyers for the MBTA claimed Tuesday they had proof the students had violated the law, but stopped short of specifying what they did.

Lawyers for the MBTA could still appeal O'Toole's ruling to the U.S. First Circuit Court of Appeals. Unless either side backs down or a settlement happens, a trial on the T's lawsuit against the students and MIT will eventually occur, but so far, no date has been set.

In a statement released on Tuesday afternoon, MBTA General Manager Daniel Grabauskas sounded conciliatory toward the students and hinted that the transit authority may be willing to work with the students outside of the courts.

"The 10-day process yielded a lot more information than we had at the start, and that was a key objective all along," Grabauskas said. "The students had repeatedly said the lawsuit was an impediment to opening up a productive dialogue with the MBTA about their findings. Now that the court proceedings are behind us, I renew my invitation to the students to sit down with us and discuss their findings. A great opportunity now presents itself."

He added, "With respect to the information that was sealed, I have every expectation that the students will act in accordance with the principles of 'responsible disclosure.'"

Lawyers for the students, in a case that has generated more attention in local media concerned about problems in the transit system than it has among national media concerned about privacy issues, welcomed the judge's decision. "This was a case of shooting the messenger," said Cindy Cohn, a lawyer with the Electronic Frontier Foundation, a San Francisco-based advocacy group that was representing the students along with the Massachusetts affiliate of the ACLU and the Fish & Richardson law firm.

But Ieuan Mahony, a lawyer for the Boston law firm Holland & Knight who is representing the MBTA, said the transit authority had no interest in chilling computer security research. Instead, he said it merely wanted to ensure that a method for wide-scale fare violations wasn't disseminated.

Security researchers working for the MBTA spent the last several days working through a confidential 30-page analysis--which has not been made public--that students had sent to the court and T officials. The document detailed the complete method for breaking the local Charlie card payment system, including specific details the students say they didn't plan to reveal at the Defcon conference.

MBTA said in documents filed with the court that fixing the security flaws would take five months. ("Students have the ability to cause significant harm to the CharlieTicket system, during the roughly five-month window that remedial actions will require.")

T officials concluded that the students had, in fact, found a way to break the paper Charlie card system, but had only found theoretical methods for breaking the plastic Charlie card, an RFID smart card that can have T fares electronically added to it.

Mahony said the 30-page analysis was a "very useful document," adding that it's "invaluable, but there are additional materials that cause us great concern." In particular, the transit authority wanted correspondence with Defcon officials and materials from their class with MIT professor Ron Rivest, a cryptographer best known as one of the co-inventors of the RSA public key encryption system, which is commonly used in e-commerce.

Despite the First Amendment implications of the case, O'Toole made it clear he intended to steer clear of the Bill of Rights. "I appreciate the breadth of views of others," he said, "but my views are considerably more limited." (Federal judges generally try to avoid constitutional issues if the dispute can be resolved by interpreting the text of a statute. Here, the statute was a 1986 law that he decided didn't properly apply to the students' conduct.)

What the students intend to do now that the gag order has been lifted is unclear. If they wished, they could still make the Defcon presentation at some other forum. Cohn said she hasn't spoken with the three, who are still on summer break.

One of the students, Zack Anderson, told The Boston Globe in an interview published Monday that after the dust-up with the MBTA is done, he intends to work on a company that converts heat from a car's shock absorbers into energy for the car's engine. He reiterated in the interview that the students never intended to cause harm to the transit system.

"It wasn't to enable others to get a free fare or cause any sort of havoc," Anderson told the Globe. "It was really to show how major the issues are in this system, which also might resonate in many other systems around the world."

But one thing is certain: they have no intention of revealing the 30-page document that contained the specific details that told someone how to break the Charlie card system.

CNET News' Declan McCullagh contributed to this report.

August 18, 2008 9:26 AM PDT

MIT student defends MBTA hacking research

by Jim Kerstetter

After he's done with his security dust-up with the Massachusetts Bay Transportation Authority, Zack Anderson plans on slightly different work: a company that turns heat from a car's shock absorbers into energy for the car's engine.

Hopefully, a government agency won't take offense to that work, as well.

Anderson is one of three Massachusetts Institute of Technology students who were blocked by the MBTA and a judge's order from making a presentation on vulnerabilities in the T's card-based fare system at the recent Defcon conference in Las Vegas. They're still blocked from making that presentation under a gag order that expires Tuesday. A hearing will be held in federal court in Boston Tuesday morning to determine whether the temporary restraining order should be converted into a preliminary injunction.

In an interview with The Boston Globe, Anderson defended the presentation the students planned to make at Defcon. "It wasn't to enable others to get a free fare or cause any sort of havoc," Anderson told The Globe. "It was really to show how major the issues are in this system, which also might resonate in many other systems around the world."

The MBTA, not surprisingly, doesn't seem so willing to participate in this particular scientific discourse. In a hearing last week, a federal judge ordered the students to hand over classroom material and any correspondence they've had with Defcon organizers. The students have already provided the judge and T officials with two reports, including a 30-page paper that included details the students say they didn't intend to reveal in their Defcon talk.

The students and the MBTA are still fighting over what documents they should have to reveal, including unpublished research notes.

August 18, 2008 8:57 AM PDT

MIT students fight to keep card hacking material confidential

by Declan McCullagh

A new controversy is brewing in the lawsuit pitting three Massachusetts Institute of Technology students against the Massachusetts transit agency: Whether or not their unpublished research notes and other material must be handed over to the state government.

The MIT students are asking a federal judge not to require them to hand over unpublished research notes and other material to the Massachusetts Bay Transportation Authority, which obtained a restraining order against a conference presentation earlier this month. They already have turned over their prepared presentation and have prepared a separate security analysis for the agency.


The students filed a motion over the weekend saying that a judge hearing the case "plainly erred" by ordering them to divulge the material. Instead of turning over more material by a Saturday deadline, the students apparently handed over only correspondence with organizers of the Defcon conference.

This dispute is likely to come to a head at a hearing scheduled for 7:30 a.m. PDT on Tuesday before U.S. District Judge George O'Toole Jr. in Boston. Last week, O'Toole denied the students' request to postpone the document-delivery deadline to allow an emergency appeal to the U.S. First Circuit Court of Appeals.

The hearing is required under federal court rules because the temporary restraining order expires on Tuesday. O'Toole has the option of converting the order into a more formal preliminary injunction (with or without modifications) or allowing it to expire.

So far, O'Toole has not proven especially sympathetic to the students, who are represented by the San Francisco-based Electronic Frontier Foundation. He refused to lessen the sting of the original temporary restraining order, even though the MBTA had suggested it. He also granted much of the MBTA's request for unpublished documents, which EFF says runs afoul of clear legal precedent.

MBTA has demanded copies of documents including correspondence with the Defcon conference, a paper prepared for an MIT class, software, physical equipment, modified MBTA farecards, notes from meetings, and so on. MBTA also wants to conduct a four-hour deposition of computer science major Zack Anderson and a two-hour deposition of MIT professor Ron Rivest. (The other student defendants are Alessandro Chiesa and R.J. Ryan.)

Here's an excerpt from EFF's latest brief, filed over the weekend, which objects to its clients being forced to turn over unpublished material in a prior restraint case:

More broadly, the Discovery Order amounts to a grant of pre-publication review and, as such, flies in the face of long established free speech principles. Such an order would never be permitted if the content in question were, for example, a reporter's notes, and it should not stand here. Through this discovery process, MBTA has enlisted the court's power to obtain pre-publication review of academic speech by a public authority, and delay publication until its review is complete...

Prepublication review has been permitted only in the most extraordinary circumstances. For example, a contract requiring such review was held constitutional where the defendant, a former Central Intelligence Agency agent, had voluntarily agreed to limit publications regarding CIA activities. The Court held that the government had "a compelling interest in protecting both the secrecy of information important to our national security and the appearance of confidentiality so essential to the effective operation of our foreign intelligence service" and the prepublication review requirement was a reasonable means for protecting that interest. Even in these extraordinary cases, there has never been discovery to determine what the CIA agent knew (or court review of the agent's knowledge), just a review of what they proposed to publish.

No such extraordinary circumstance exists here. The MBTA already has ample information about its own security systems, what the students know, what they intended to say at Defcon, and what they would like to be free to say now if the TRO is lifted. The MBTA appears to wish to review everything the students have ever done or thought related to their research in order to pass judgment (in the context of the preliminary injunction proceeding) on anything they might say about it in the future. The First Amendment does not countenance that type of pre-publication review, and neither should this Court.

August 14, 2008 2:25 PM PDT

Massachusetts: MIT students deserve 'no First Amendment protection'

by Declan McCullagh

The state of Massachusetts is showing no signs of abandoning its fight to keep a restraining order in place against three MIT students who discovered subway card vulnerabilities. In fact, the state transit agency is escalating its rhetoric.

In a legal brief filed Thursday, the Massachusetts Bay Transportation Authority went so far as to claim that the three "defendants enjoy no protections under the First Amendment."

The document was filed around the same time that U.S. District Judge George O'Toole Jr. held a hearing in the case in his Boston courtroom. O'Toole denied a request from the students' attorneys to lift the gag order--and instead ordered the students to divulge to the transit agency by Friday more information about what they've done.

MBTA has demanded copies of documents including correspondence with the Defcon conference, a paper prepared for an MIT class, software, physical equipment, modified MBTA farecards, notes from meetings, and so on. MBTA wants to conduct a four-hour deposition of computer science major Zack Anderson at 9 a.m. ET Friday at their attorney's offices at 10 St. James Avenue, followed by a two-hour deposition of MIT professor Ron Rivest at 2:30 p.m. ET. (The other student defendants are Alessandro Chiesa and R.J. Ryan.)

MBTA has asked O'Toole to convert the temporary restraining order, which automatically expires on Tuesday, to a longer-lasting preliminary injunction. To buttress its case, it has highlighted news coverage quoting PGP creator Phil Zimmermann as saying traditionally researchers give vendors a month's notice before they disclose a vulnerability in a system--which amounts to an implicit criticism of the MIT defendants and ammunition for the plaintiffs.

Also on Thursday, the Boston Globe published an editorial saying O'Toole "ought to lift" the gag order and that security concerns "should not trump First Amendment rights."

Here's an excerpt from the MBTA's 14-page brief, submitted by Ieuan Gael Mahony, a partner at the Holland & Knight law firm:

First Amendment protection does not extend to speech that advocates a violation of law, where the advocacy "is directed to inciting or producing imminent lawless action and is likely to incite or produce such action." The Individual Defendants' conduct falls squarely within this well established zone of no protection.

First, unless restrained, the Individual Defendants would have given their Presentation, and related materials (which have not yet been made available) to one of the world's largest hacker conferences. Advocacy in favor of illegal behavior, in this context, is likely to incite or produce illegal behavior. Second, the Presentation, and likely the related code and materials, unequivocally constitute advocacy in favor of a violation of law.... the Individual Defendants are vigorously and energetically advocating illegal activity, and this advocacy, in the context of the DEFCON Conference, is both directed to inciting or producing imminent lawless action, and likely to produce such action. Therefore, the Individual Defendants enjoy no protections under the First Amendment.

The Individual Defendants' DEFCON presentation constitutes commercial speech. Commercial speech is any "speech that proposes a commercial transaction." Here, the Presentation is full of marketing, and self-promotional statements. It is not a research paper. As commercial speech advertising illegal activity, it receives no First Amendment protection.

The problem with the MBTA's arguments on this point is that the MIT students weren't proposing any commercial transaction--the MBTA is citing precedents relating to commercial advertising that aren't applicable to a student presentation at a security conference.

The students were going to give the talk at Defcon for free, were planning on giving the code away for free, and were offering to sell precisely nothing. If the mere existence of self-promotional statements and related puffery eliminated First Amendment protections, then every politician could be subject to court-imposed gag orders too.

MBTA also seems to argue that even if the students are engaging in noncommercial speech, they should nevertheless be gagged because it's (a) advocating illegal behavior and (b) likely to convince others to violate the law.

Advocating illegal behavior generally is legal; otherwise distributing step-by-step instructions on how to grow marijuana at home would be a criminal offense.

The exception to that general rule, according to the U.S. Supreme Court in the 1969 Brandenburg v. Ohio case, is this: "Constitutional guarantees of free speech and free press do not permit a state to forbid or proscribe advocacy of the use of force or of law violation except where such advocacy is directed to inciting or producing imminent lawless action and is likely to incite or produce such action."

"Producing imminent lawless action?" That sure doesn't seem to describe a sober, critical, and probably slightly geekish talk at the Defcon conference. Another Supreme Court case says imminent lawless action by definition does not include "advocacy of illegal action at some indefinite future time."

But Judge O'Toole seems to favor MBTA's arguments. On Thursday, he chose not to modify the gag order to make it apply only to "nonpublic" information, even though the MBTA had been the party that suggested the change in the first place. For EFF and its clients, that can't be a good sign.

August 14, 2008 10:28 AM PDT

Judge leaves gag order intact on subway card-hacking students

by Jim Kerstetter

BOSTON--A federal judge on Thursday let stand a temporary restraining order preventing three Massachusetts Institute of Technology students from discussing or disclosing their research into security vulnerabilities in the payment system for the local subway system.

In a 45-minute hearing here, U.S. District Judge George O'Toole Jr. also granted a request by the Massachusetts Bay Transportation Authority to obtain documents from the three students and their MIT professor Ron Rivest, a renowned researcher best known as co-inventor of the RSA public key encryption system commonly used in e-commerce systems.

O'Toole didn't amend or revoke the temporary restraining order. Instead, he postponed discussion on it until another hearing that will take place Tuesday. None of the students (who are on summer break), nor Rivest, was in court.

On Saturday, a different judge who was on duty over the weekend granted the state transportation agency an order against the three students, who had been scheduled to give a presentation at the Defcon hacker conference a day later. They canceled their presentation, and their attorneys have been fighting to lift the gag order ever since.

Jennifer Granick, an attorney with the advocacy group Electronic Frontier Foundation who's representing the three students, said the EFF might appeal the judge's ruling to the U.S. 1st Circuit Court of Appeals, but the timing is tight: the judge has required the students to make a good effort to provide the documents--including a class paper on "The T" hack and records of communications with Defcon organizers--by Friday afternoon.

Under federal rules, the temporary restraining order automatically expires Tuesday, and Granick had asked the judge to terminate it immediately on grounds that it violated the students' First Amendment rights and based on long-standing court precedent that disfavors prior restraint of speakers. But O'Toole declined to rule on her request, and instead scheduled another hearing for Tuesday morning.

The students provided the court and MBTA officials with a new 30-page report that details all of their findings, including particular information to complete the Charlie Card hack that they say they had no intention of revealing in the Defcon discussion. But T officials still want additional information, saying they want to ensure no other vulnerabilities exist that the students have yet to reveal. (This is in addition to a 5-page analysis, marked "confidential," that the students sent to MBTA last week.)

Granick told reporters after the hearing that there is no more relevant information that her clients, Alessandro Chiesa, R.J. Ryan, and Zack Anderson, can provide. "That document should have resolved the whole matter," Granick said, adding, "There is no other shoe to drop."

Debate over what is responsible disclosure
At the heart of the case is an increasingly contentious debate between security researchers and their subjects about what is responsible disclosure. The students and their lawyers argue that giving that Defcon presentation would have been a public service. Indeed, at a time when local politicians and Boston newspapers are debating the efficacy of the T's electronic payment system, it could have been a necessary part of the public discussion.

U.S. District Judge Douglas Woodlock in Massachusetts granted the temporary restraining order before the students could make their Defcon presentation, on the grounds that the Computer Fraud and Abuse Act might have been violated. Lawyers for the students argue the CFAA, if properly interpreted, should not apply because it refers to the dissemination of information from computer-to-computer, not person-to-person.

Ieuan-Gael Mahony, a lawyer from the Boston firm Holland & Knight representing the MBTA, argued, however, that at this point, there is no harm being done to the students by the restraining order and there was no reason to lift it. (The gag order goes beyond the Defcon presentation; it continues to bar the students from providing any "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System.")

Eleven security researchers have sent a letter to the court backing the students' claims and criticizing this form of a gag order. But rather than ruling on the First Amendment and prior restraint questions on Thursday, the judge postponed a decision until he has more material before him.

MIT students Alessandro Chiesa, R.J. Ryan, and Zack Anderson showed up at, but did not speak at, the Defcon conference in Las Vegas on Saturday.

(Credit: Declan McCullagh/News.com)
August 13, 2008 1:00 AM PDT

Transit agency wants MIT students to stay gagged

by Declan McCullagh

The state of Massachusetts plans to ask a federal judge on Thursday to keep in place a restraining order that prevents three MIT students from publicly discussing vulnerabilities they discovered in subway card security.

U.S. District Judge George O'Toole in Boston is scheduled to hear arguments at 11 a.m. ET on whether to modify or eliminate the temporary restraining order, which attorneys for the students characterize as a prior restraint in violation of decades of First Amendment precedent.

A different judge who was on duty on Saturday gave the Massachusetts Bay Transportation Authority an order prohibiting the students from discussing or publishing information that might let anyone "circumvent or otherwise attack the security of the Fare Media System."

In an effort to lessen the sting of free speech complaints, MBTA's attorneys now are asking O'Toole to reword the order to apply only to "nonpublic" information, recognizing that the presentation slides are circulating online. But they insist the rest of the order must remain intact because the agency is greatly "concerned with the core issue of immediate concern in this case--the security and integrity of its Fare Media System."

O'Toole has until August 19 to extend the order in the form of a preliminary injunction or let it expire.

Security researchers are paying close attention to this case because it could eventually set a precedent weighing their First Amendment rights to publish freely--against the desires of vendors to keep embarrassing and potentially explosive details secret.

The Electronic Frontier Foundation, which is providing a legal defense to the MIT students--Zack Anderson, R.J. Ryan, and Alessandro Chiesa--plans on Thursday to ask O'Toole to dissolve the restraining order completely.

EFF is offering three main arguments for its position: First, the Defcon conference is over and the presentation and separate analysis (PDF) have been widely circulated online (unfortunately for MBTA, a copy of the presentation was in the materials distributed to conference attendees).

Second, EFF says, the Computer Fraud and Abuse Act's prohibition on the "transmission of...information" that may damage a computer was never intended to encompass a public presentation and was not written to do so. Third, the restraining order is an unconstitutional prior restraint; if the Supreme Court permitted the publication of the Pentagon Papers in 1971 over the heated objections of the Nixon administration, why should a student presentation not also qualify?

"The TRO as initially granted restricted the students from providing true, publicly known, legally acquired information about the MBTA's CharlieCards and CharlieTickets in violation of the First Amendment," the EFF said in a legal brief. "The current TRO as the MBTA suggests that it be modified still restricts the students from providing true, legally acquired information about these cards. This restriction also violates the First Amendment."

EFF has enlisted some high-profile academics to help it make the case that the restraining order is antithetical to security research. Carnegie Mellon University's David Farber, Columbia's Steven Bellovin, Berkeley's David Wagner, and the University of Pennsylvania's Matt Blaze are among the academics who signed a letter to the judge on Monday. It says:

We are concerned that the pall cast by the temporary restraining order will stifle research efforts and weaken academic computing research programs. In turn, we fear the shadow of the law's ambiguities will reduce our ability to contribute to industrial research in security technologies at the heart of our information infrastructure. We urge that you reconsider and remove the temporary restraining order issued on August 10, 2008.

For its part, the MBTA says it's willing to negotiate. It's offered to engage in "non-binding" professional mediation, without "preconditions," as an alternative to proceeding with Thursday's hearing. (See our related story).

In an e-mail message to EFF on Monday, Ieuan-Gael Mahony, a partner at the Holland & Knight law firm, wrote:

In a mediation process, for example, we would hope to discuss and obtain an understanding of the information, if any, the MIT Undergrads hold that might threaten Fare Media System security. We do not set preconditions on a mediation, however, as we strongly believe -- again -- that discussions between reasonable parties toward a resolution are preferable to an externally imposed resolution... There are countless examples from large to small of relationships that are polarized and entrenched-hostile because of bad choices by both sides shortly after the rift began. We would like to avoid this here, if possible. We think talking in a non-binding, professionally mediated environment is the best way to avoid further misunderstanding, and potential "bad choices." ... You request, in an "on/off" manner, that we now "shut off" the TRO. This is traditional advocacy, where the goal is to "win all" and avoid "lose all." With our mediation proposal, we look for, and are willing to accept, gradations between these poles.

EFF appears to have rejected the request for a mediation. EFF attorney Marcia Hofmann refused to answer our questions, saying only that: "We decline to discuss our ongoing communications with counsel for the MBTA. Our priority at this point is to ensure that the temporary restraining order is lifted..."

In a testy e-mail exchange with MBTA's lawyer, EFF has suggested that he made a tactical error by filing both the presentation and the summary marked "confidential" as publicly available court exhibits. Read on for more details.


[Editor's Note: Below is the text of an e-mail thread between EFF's Jennifer Granick and MBTA attorney Ieuan-Gael Mahony. One topic is whether the EFF will agree to enter into nonbinding mediation, which MBTA would prefer. Another is MBTA's complaint about a "large amount of misinformation" circulating in the press. Any transcription errors arising from placing the e-mail messages into HTML format are ours, not theirs.]

From: Mahony, Ieuan (BOS - X75835)
Sent: Monday, August 11, 2008 3:36 PM
To: 'jennifer@eff.org'
Cc: 'cindy@eff.org'; 'kurt@eff.org'; 'marcia@eff.org'; JSwope@eadplaw.com; 'WMitchell@mbta.com'; 'SDarling@mbta.com'
Subject: RE: CRITICAL INFORMATION: MBTA v Anderson et al

Jennifer:
We are unwilling to lift the TRO in the binary "on/off" manner you state, and respond more fully to your email as follows:
(A) Removing the TRO Is Not a Tailored Solution
We are willing to discuss tailored solutions to the underlying problem, and have proposed a formal mediation process for these discussions. You have given no response to our proposal for mediation. You recall that I asked for a negotiated solution before the Saturday hearing. I confirmed these inquiries to you in email, and these emails are public record and freely available on the web. See http://www-tech.mit.edu/V128/N30/subway.html. You did not respond meaningfully to those requests, either.
(B) Misinformation Threatens To Cloud the Issues
In following the DEFCON-related press, it is clear that a large amount of misinformation has been circulated concerning the meaning of the TRO, and related points. For example, you know, because Judge Woodlock asked you these questions in open court, that the primary concern was with the content the students might or might not supply to go with the literal expression embodied in the Presentation, as well as the Report. Press reports suggest that the TRO banned circulation of the paper materials themselves. You know this is incorrect.
Yet your email relies on this theme. We made it clear in our papers: based on the information we have (a large part of which you intentionally withheld from us until 4:38 AM Saturday morning) we do not know what your clients have done or are capable of doing. Their broad statements concerning "free subway rides for life" suggest they are capable of a lot. This is the concern. We would like to create an environment, immediately, where all parties can share the information they feel is warranted, in order to quantify and assess this risk. We would like to "re-do" the August 5 (or 4) meeting, but with more sensitivity, hopefully all around, as to the mutual stakes.
We think a mediated solution presents mutual benefits. The structure of non-binding mediation assures mutual benefits - or at a minimum a clear assessment of the alternatives to a negotiated solution. In a mediation process, for example, we would hope to discuss and obtain an understanding of the information, if any, the MIT Undergrads hold that might threaten Fare Media System security. We do not set preconditions on a mediation, however, as we strongly believe - again - that discussions between reasonable parties toward a resolution are preferable to an externally imposed resolution, where it is possible to avoid such an external resolution.
(C) We Are Very Sensitive To Your Clients' Concerns Over The Restraint
Finally, we believe we understand the point in your email that the TRO "continues to hang over our clients' heads, making them uncertain what if anything they can say about their research and this case." One goal with a mediated solution, working together, would be to reduce or eliminate uncertainty (to the extent uncertainty from a legal or practical perspective exists). Another goal of a mediated solution would be to determine other parameters of responsible disclosure under these circumstances. Yet another goal with a mediated solution might be to "make amends" on all sides, whatever that might mean here. There are countless examples from large to small of relationships that are polarized and entrenched-hostile because of bad choices by both sides shortly after the rift began. We would like to avoid this here, if possible. We think talking in a non-binding, professionally mediated environment is the best way to avoid further misunderstanding, and potential "bad choices."
(D) Conclusion: Renewed Request for Mediation
You request, in an "on/off" manner, that we now "shut off" the TRO. This is traditional advocacy, where the goal is to "win all" and avoid "lose all." With our mediation proposal, we look for, and are willing to accept, gradations between these poles. We believe - whether in light or not in light of recent history - that reasonable "win-win" solutions are available, if the parties meet and work through options. We ask that you confer carefully with your clients, and respond to our mediation proposal. We believe that mediation should commence as soon as possible. We have made this proposal to MIT counsel as well.
Let me know
Ieuan


From: Mahony, Ieuan (BOS - X75835)
Sent: Monday, August 11, 2008 11:37 AM
To: 'jennifer@eff.org'
Cc: 'cindy@eff.org'; 'kurt@eff.org'; 'marcia@eff.org'; 'WMitchell@mbta.com'; 'SDarling@mbta.com'
Subject: Re: CRITICAL INFORMATION: MBTA v Anderson et al

Jennifer:
We are considering your proposal. We are having a meeting of senior management on this and related issues this afternoon at 1:30 eastern. I will report our response as soon as it is complete.
I will continue to keep you posted,
Ieuan
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)


From: Jennifer Granick
To: Mahony, Ieuan (BOS - X75835)
Cc: cindy@eff.org ; kurt@eff.org ; marcia@eff.org ; WMitchell@mbta.com ; SDarling@mbta.com
Sent: Mon Aug 11 00:26:42 2008
Subject: Re: CRITICAL INFORMATION: MBTA v Anderson et al

Dear Ieuan:

Thank you for your thoughts. I'm surprised your client feels that the Report does not pose a risk, given that it contains information my clients intended to keep confidential. It appears my clients are more cautious about disclosing vulnerability information than yours are. Moving forward, both the slides from our client's intended presentation and the confidential Report are now publicly available. This constitutes more information than the students would have presented at their Defcon talk. Furthermore, your client reportedly does not feel that the security risk posed by the availability of this information warrants emergency measures. Finally, Defcon is over and the students did not give their talk. Under these circumstances, would your client be willing to stipulate to lifting the TRO at this time? While the protection it provides is now moot as to your client's concerns, it continues to hang over our clients' heads, making them uncertain what if anything they can say about their research and this case. Please let me know right away.

Thank you,
Jennifer
Civil Liberties Director
Electronic Frontier Foundation
454 Shotwell Street
San Francisco, CA 94110
415.436.9333 x 134
fax 415.436.9993
jennifer@eff.org

On Aug 10, 2008, at 12:18 PM, wrote:
Dear Jennifer:
Let me address your email and phone call from yesterday, and also return to earlier discussions over a "moving-forward" relationship between the parties.
(A) Your Email
First, we want to thank you for your concern. Second, as I indicated earlier today, the MBTA, along with a system vendor, has completed its review of your email, and re-reviewed the three page summary report attached as Exhibit 1 to Scott Henderson's Declaration (the "Report"). This review does not alter the original assessment of the Report, provided by Mr. Henderson in his declaration. Yet it is the case that (a) the quantity and quality of information provided by the three page Report, standing alone, is less than (b) the quantity and quality of the information provided by the Report read in combination with the Students' 87 page presentation entitled "Anatomy of a Subway Hack" (the "Presentation"). If the MBTA had been given the Presentation when first requested (or even at the time when the Presentation, we understand, was made available to DEFCON attendees), the "(b)" circumstance might have been avoided. In any event, the MBTA's evaluators do not assess the risk of this information at the level you set in your email. The MBTA, with vendor support, has begun work on internal responses to the potential security risks at issue. It is our view that an internal, technical and personnel response is the best long-term solution. Accordingly, we do not share your view that legal "emergency measures" are required. We do not think that seeking court relief on this issue and at this point is appropriate. Again, thank you for your concern.
(B) Moving-Forward Relationships
We can see from your clients' statements in the press, and the EFF's public statements, that the lawsuit generally, and Temporary Restraining Order in particular, do not from your perspectives represent a fair or balanced situation. From my first conversations with Marcia and Kurt, and then later with you, Jennifer, I stated my view that parties, acting reasonably, will invariably develop and implement a resolution of a dispute that is substantially better tailored to their interests than a resolution imposed on them by an external authority. We think we should continue discussions, to see if we can find a solution that is better tailored to all parties' interests. In my view, Judge Woodlock, in his findings and rulings, directed the parties to work toward a solution perhaps more "creative" and "outside the box" than the standard "keep fighting in court over abstract issues while life goes by". The goal would be to shift from an adversarial mode to a cooperative, discussion mode, if possible. We respect your clients' continued statements that their goal remains to provide solutions to security risks. We propose formal mediation as the process for seeking a more optimal going-forward solution. We think we should reserve a full day, or perhaps two. We suggest that the mediation take place in Boston. Other issues, such as mediator costs, whether formal "written submissions" are exchanged, and the like we can discuss.
Let us know your thoughts.
Thanks
Ieuan


From: Mahony, Ieuan (BOS - X75835)
Sent: Sunday, August 10, 2008 9:27 AM
To: 'Jennifer Granick'
Cc: Cindy Conn; Kurt Opsahl; Marcia Hofmann; Mahony, Ieuan (BOS - X75835)
Subject: RE: CRITICAL INFORMATION: MBTA v Anderson et al

Jennifer:
The MBTA and one of its vendors have completed review per your email, below. I'll have results to you later today.
I'll continue to keep you informed.
Thanks
Ieuan


From: Jennifer Granick [mailto:jennifer@eff.org]
Sent: Saturday, August 09, 2008 5:14 PM
To: Mahony, Ieuan (BOS - X75835)
Cc: Cindy Conn; Kurt Opsahl; Marcia Hofmann
Subject: CRITICAL INFORMATION: MBTA v Anderson et al

Dear Mr. Mahony:

This email is to follow up on my phone call to you of just a few minutes ago. As you know, Mr. Anderson, Mr. Ryan and Mr. Chiesa provided your client MBTA with a confidential three-page summary of their research and recommendations for securing the fare collection system. It has just come to our attention through third parties at the Defcon conference that plaintiffs have made this report publicly available on the court's PACER website by filing the document as an exhibit. This confidential document contains the checksum information without which an attacker cannot create a forged card. This information is highly sensitive, which is why my clients planned to withhold it from their presentation. We strongly urge you to take emergency measures to have it removed expeditiously.

Best wishes,
Jennifer Granick
Civil Liberties Director
Electronic Frontier Foundation
454 Shotwell Street
San Francisco, CA 94110
415.436.9333x134
fax 415.436.9993
jennifer@eff.org


August 12, 2008 10:34 PM PDT

MIT students: Mass. agency 'misrepresents' what led to lawsuit

by Declan McCullagh

Three MIT students are disputing the Massachusetts transit agency's version of the events that led to the state filing a lawsuit last week--and obtaining a restraining order against their talk on subway card security scheduled for Sunday.

The latest dispute originates in comments made to CNET News by Massachusetts Bay Transportation Authority spokesman Joe Pesaturo in a report published Monday. In his e-mail to us, he said the students "agreed to provide the MBTA with a copy of the presentation" scheduled for the Defcon hacker conference on Sunday but never did.

A response posted Tuesday by the Electronic Frontier Foundation, which is representing the students, said MBTA "misrepresents" the situation:

After the Monday meeting, the students understood that the MBTA's concerns were resolved, and that the students were to provide a confidential vulnerability assessment by the end of the week. Contrary to the MBTA statement, the students did not believe that the MBTA wanted to see a copy of the presentation slides, and they did not agree to provide them to the MBTA.

(It is undisputed that the students--Zack Anderson, R.J. Ryan, and Alessandro Chiesa--wrote a separate analysis (PDF) for the MBTA marked "confidential" and presented it to the agency.)

Opposing parties in lawsuits often tell different stories. Human memories are imperfect. People may honestly remember the same sequence of events differently. So why is this particular dispute important?

One reason is that the judge in this lawsuit has until August 19 to renew the restraining order (by turning it into a preliminary injunction) or let it expire. Whoever can reasonably claim to have acted in good faith will have a better chance of prevailing.

It's unclear who's telling the truth; if the lawsuit continues, e-mails and spoken testimony will probably answer these questions. But it does seem likely that the MBTA requested a copy of the Defcon presentation--they knew it was scheduled; why would they not want to see it?--and never received it. The defendants would have had a very good reason for this; the slides are prepared with a hacker audience in mind and include warnings like "AND THIS IS VERY ILLEGAL!"

Oops. This is what lawyers call an "admission against interest."

Another bit of unresolved intrigue is that the MBTA told us on Monday that it wanted to meet with the students again. EFF has steadfastly refused to say whether it would consider such a meeting--making it, uncharacteristically, even less forthcoming than a bunch of government bureaucrats.

[Update: See our related story on a court hearing scheduled for Thursday in this case, and what both sides plan to ask the judge.]

August 11, 2008 2:35 PM PDT

Massachusetts: We want to meet with MIT subway-hacking students

by Declan McCullagh

The state of Massachusetts said Monday it is not prepared to abandon its lawsuit against MIT students who uncovered security vulnerabilities in Boston transit cards, even though thousands of copies of their 87-page presentation have been distributed.

A federal judge on Saturday granted the state transit authority's request for a restraining order barring the students' planned presentation at the Defcon conference. It orders them not to disclose any "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System."

The MIT students canceled their talk. But their presentation materials were handed out to Defcon attendees in the conference packet, and it has been distributed widely on the Web.

When we asked the Massachusetts Bay Transportation Authority if it would end the lawsuit as a result of the distribution, spokesman Joe Pesaturo replied: "The MBTA will reserve comment on the substance of the presentation until staff has had a sufficient period of time to thoroughly review the information, and meet with the students and their professor." Pesaturo did not respond to a followup question about whether any meeting has been set up.

The Electronic Frontier Foundation, which is providing a legal defense to the students, did not immediately respond to questions about whether a meeting has been arranged.

U.S. District Judge Douglas Woodlock granted MBTA a temporary restraining order, which under federal rules automatically expires in 10 days--meaning August 19--unless extended "for good cause."

That means MBTA needs to decide in the next week whether to try to ask Woodlock to convert his temporary order into a longer-lasting preliminary injunction.

MBTA's Pesaturo added in a separate message:

A week ago, the MBTA learned about the presentation to be made at the conference, and immediately contacted MIT. At a meeting last Tuesday involving all the parties, MIT staff and the students agreed to provide the MBTA with a copy of the presentation. After several days passed without getting any information from MIT, the MBTA had no choice but to seek assistance from a federal court judge on Friday. At 4:30 a.m. on Saturday, the presentation was finally provided to the MBTA. Staff is thoroughly reviewing the information to determine if there is any degree of substance to the claims being made by the students.

One reason the MBTA may want to proceed is that the restraining order does more than merely require the three students--Zack Anderson, R.J. Ryan, and Alessandro Chiesa--not to proceed with their presentation. It also applies to releasing "software code," which the trio had planned to post at web.mit.edu/zacka/www/subway/, but apparently never did.

During Saturday's hearing, an attorney for MBTA pointed to the students' plans to post Python code that could read magnetic cards and said: "This is not simply saying, 'We did it. Aren't we inventive?' It's also providing a tool to help accomplish this. Our understanding is that these would likely be software tools that would make it easier to analyze the cards." (An EFF attorney, on the other hand, characterized the code as general-purpose and "not tools which are targeted toward the MBTA system.")

Judge Woodlock said, according to a recording posted by Wired News, that the students acted "in contravention of best practices" and that he foresaw "no harm to defendants" in granting the restraining order. He did, however, add that "defendants are free to seek modification even before the end of the 10-day period."

August 9, 2008 10:31 AM PDT

Judge orders halt to Defcon speech on subway card hacking

by Declan McCullagh

MIT students Alessandro Chiesa, R.J. Ryan, Zack Anderson, and Electronic Frontier Foundation staff attorney Kurt Opsahl speak at a panel turned press conference at Defcon.

(Credit: Declan McCullagh/CNET News)

LAS VEGAS--A federal judge on Saturday granted the Massachusetts transit authority's request for an injunction preventing three MIT students from giving a presentation about hacking smartcards used in the Boston subway system.

The Electronic Frontier Foundation, which is representing the students, anticipates appealing the ruling, said EFF senior staff attorney Kurt Opsahl.

The undergraduate students had been scheduled to give a presentation Sunday afternoon at the Defcon hacker conference here that they had said would describe "several attacks to completely break the CharlieCard," an RFID card that the Massachusetts Bay Transportation Authority uses on the Boston T subway line. They also planned to release card-hacking software they had created, but canceled both the presentation and the release of the software.

U.S. District Judge Douglas Woodlock on Saturday ordered the students not to provide "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System." Woodlock granted the MBTA's request after a hastily convened hearing in Massachusetts that took place at 8 a.m. PDT on Saturday.

EFF staff attorney Kurt Opsahl said that the temporary restraining order is "violating their First Amendment rights"; another EFF attorney said a court order pre-emptively gagging security researchers was "unprecedented."

EFF attorneys appeared with the three students--Zack Anderson, R.J. Ryan, and Alessandro Chiesa--in front of a crowd of hundreds at an afternoon session at Defcon, but largely prevented them from answering questions, citing the lawsuit. Although Sunday's talk is canceled, Defcon organizers hinted that there may be a related presentation on a similar topic.

First page of subway-hacking presentation that was the subject of an injunction to stop its distribution--after it had already been distributed.

The students told reporters that they had, on their own, asked their professor to initiate contact with the MBTA a week before the government agency contacted them on July 30 or July 31. But the process was delayed because professor Ron Rivest was at a security conference near San Francisco, and no contact with MBTA was made at the time.

But then the conversations took a hostile turn when MBTA mentioned an FBI criminal investigation of the MIT students. In the "initial contact, they said the FBI was investigating and that was not--we didn't find that to be a very pleasing way to start a nice dialogue with them. And we got a little concerned about what was happening," said Anderson, one of the students.

EFF's Opsahl said the students only intended to "provide an interesting and useful talk, but not one that would allow people to defraud the Massachusetts" government.

The MBTA, which is a state government agency, alleges in its lawsuit that "disclosure of this information will significantly compromise the CharlieCard and CharlieTicket systems" and "constitutes a threat to public health or safety."

Its suit asks a judge to order the students "from publicly stating or indicating that the security or integrity of the CharlieCard pass, the CharlieTicket pass, or the MBTA's Fare Media systems has been compromised." The requested order would also prevent them from circulating the summary of their talk, from providing any technical information, and from distributing any software they created.

That could be difficult to enforce. Every one of the thousands of people here who registered for Defcon received a CD with the students' 87-page presentation titled "Anatomy of a Subway Hack." It recounts, in detail, how they wrote code to generate fake magcards. Also, it describes how they were able to use software they developed and $990 worth of hardware to read and clone the RFID-based CharlieCards.

Those CDs were distributed to conference attendees starting Thursday evening, meaning the injunction arrived nearly two days late. (On the other hand, the source code to the utilities--not included on the CD--was removed from web.mit.edu/zacka/www/subway/ by Saturday morning.)

Court documents filed by MBTA suggest that representatives of the transit agency tried to pressure the students into halting their talk. During a meeting with the students and MIT professor Ron Rivest on Monday, MBTA Deputy General Manager for Systemwide Modernization Joseph Kelly unsuccessfully tried to obtain a copy of their planned presentation. Kelly spoke with Rivest again on Friday. (There was initial confusion about whether the meeting was Monday or Tuesday.)

Chiesa, Ryan, and Anderson at an Electronic Frontier Foundation panel.

(Credit: Declan McCullagh/CNET News)

A representative of the Defcon convention, who asked that her name not be used, said that the students submitted their PowerPoint presentation at least a month ago. The presentation says--not-so-presciently--"what this talk is not: evidence in court (hopefully)." It also says: "THIS IS VERY ILLEGAL! So the following material is for educational use only."

In addition, what looked like a black-and-white faxed copy of the entire presentation was entered as evidence in publicly available court records available on the Web on Saturday, meaning any attempt to limit its distribution further will encounter an additional hurdle.

Also released as part of the public record was a document marked "confidential" and written by the researchers (PDF) that explains exactly how the Charlie cards can be cloned and forged. "Our research shows that one can write software that will generate cards of any value up to $655.36," the document says.

The document also discusses the lack of physical security at the MBTA. "Doors were left unlocked allowing free entry in many subways," the document says. "The turnstile control boxes were unlocked at most stations. Most shocking, however, were the FVM control rooms that were occasionally left open."

One portion of the MBTA's legal complaint that drew jeers from the Defcon crowd came in its odd claim that "A CharlieTicket standing alone constitutes a 'computer'" under federal antihacking law.

This isn't the first time speakers at security conferences have been hauled into court by companies seeking to muzzle them.

In 2005, Cisco Systems filed a lawsuit against security researcher Michael Lynn hours after he gave a talk at Defcon on how attackers could take over Cisco routers. The case was ultimately settled. Four years earlier, the FBI took Russian crypto expert Dmitry Sklyarov into custody at his Las Vegas hotel one day after he gave a presentation at Defcon on insecurities in e-book security software.

Another excerpt from the presentation distributed to thousands of Defcon attendees on CDs.

Princeton University computer science professor Ed Felten and his co-authors received legal threats from the recording industry involving a planned talk at a Pittsburgh security conference--but pulled the paper from the event, even though no lawsuit materialized.

Research into flaws in the encryption used by Mifare Classic cards, the card type the MBTA uses, recently landed Dutch researchers in court. NXP sued to block a Dutch university from publishing information about vulnerabilities in the encryption used in the RFID cards around the world. Last month, a court ruled that the university could publish the information.

Karsten Nohl, a University of Virginia graduate student who worked with others to break the Mifare Classic crypto algorithm last year, said MBTA should not have sued researchers who voluntarily discussed their findings with them.

"It has been known for years that magnetic stripe cards can easily be tampered with and MBTA should not have relied on the obscurity of their data-format as a security measure," Nohl said. "MBTA made it clear that they are not interested in cooperating with researchers on identifying and fixing vulnerabilities, but their lawsuit will motivate more research into the security of Boston's public transport system."

MIT's student newspaper has posted a copy of the presentation that was distributed on Defcon CDs and the subject of the court order.

In the video clip below, MIT student Zack Anderson tells reporters how he felt when he learned about the lawsuit filed by the MBTA. The lawsuit was filed a few days after he had met with the agency to discuss concerns about his talk at Defcon. He is with fellow MIT students R.J. Ryan and Alessandro Chiesa and EFF attorney Marcia Hofmann, who was advising the students about what they could say in light of the temporary restraining order against them.

(Credit: Elinor Mills)

CNET News.com's Elinor Mills contributed to this report.

[Note: This story was updated at 12:05 p.m. PDT to reflect that a temporary restraining order was issued. It was again updated at 1:30 p.m. PDT with more details from documents on how the hacks can be done, and at 4:30 p.m. with a report from the EFF press conference and 6:15 p.m. with video.]
