Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Network Security, Security Strategy, Plan, Budget, Vulnerability Management, Incident Response, TDR, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Judge denies five-month gag in transit hack case

Updated on Wednesday, Aug. 20 at 2:07 p.m. EST

A U.S. District Court judge has sided with three Massachusetts Institute of Technology (MIT) students in their quest to present findings on vulnerabilities in the Massachusetts Bay Transportation Authority's (MBTA) subway fare collection system.

Ten days ago, a judge in Boston issued a temporary restraining order to the students -- Zack Anderson, R.J. Ryan and Alessandro Chiesa, preventing them from giving their planned talk Aug. 10 at the Defcon hacker conference in Las Vegas.

The students were set to show how flaws in the MBTA's transit fare payment system -- namely its CharlieCard and CharlieTicket passes -- could be exploited through forgery and cloning to gain passengers free rides. The project had earned them an "A" from their MIT computer science professor.

The judge who issued the gag order said the students were in violation of the federal Computer Fraud and Abuse Act. But the Electronic Frontier Foundation (EFF), a digital rights watchdog representing the students, said the law applied to computer intrusions -- not research talks at conferences.

On Tuesday, the MBTA asked another judge to extend the restraining order for five months while it fixed the vulnerabilities.

U.S. District Judge George O'Toole Jr., however, ruled against this request, agreeing with the EFF that federal computer intrusion laws do not apply to this case.

"A presentation at a security conference is not some sort of computer intrusion," EFF Staff Attorney Marcia Hofmann said in a statement. "It's protected speech and vital to the free flow of information about computer security vulnerabilities. Silencing research does not improve security -- the vulnerability was there before the students discovered it and would remain in place regardless of whether the students publicly discussed it or not."

The MBTA has filed a separate lawsuit against MIT and the students. The EFF said this has prevented the students and the agency from working together cooperatively.

But MBTA said it wants to try.

"Now that the court proceedings are behind us, I renew my invitation to the students to sit down with us and discuss their findings," MBTA General Manager Daniel Grabauskas said in a statement. "A great opportunity now presents itself."

The MIT students also could not be reached on Wednesday.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.