A federal judge has lifted a gag order on three MIT students who were barred from talking publicly about security flaws they discovered in the Boston transit system's automated fare network.
So here's the Presentation!
A lawyer for the transit agency acknowledged its CharlieTicket system has security flaws. But the lawyer asked Judge George O'Toole Jr. to impose a five- month injunction continuing to block the students from revealing anything publicly about the security system. O'Toole rejected the request Tuesday.
The students had been blocked from presenting their findings on the security flaws in early August at DefCon, an annual computer hackers' conference.
"Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."
So here's the Presentation!
A lawyer for the transit agency acknowledged its CharlieTicket system has security flaws. But the lawyer asked Judge George O'Toole Jr. to impose a five- month injunction continuing to block the students from revealing anything publicly about the security system. O'Toole rejected the request Tuesday.
The students had been blocked from presenting their findings on the security flaws in early August at DefCon, an annual computer hackers' conference.
"Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."
O'Toole did not rule on the students' claim that the MBTA had violated their First Amendment rights by stopping them from speaking at the hackers' convention.
This from the Boston Globe:
This from the Boston Globe:
Cindy Cohn, a lawyer for the students, said the students had complied with the MBTA's request to turn over slides from their presentation and a 30-page "security analysis" that outlines everything they discovered about weaknesses in the fare system.
"The MBTA ultimately is trying to silence some uncomfortable truths that these students uncovered," said Cohn, legal director for the Electronic Frontier Foundation, a San Francisco-based legal organization that specializes in civil liberties issues related to technology.
"They brought an action against three college kids rather than address the problems in their own house," Cohn said. Cohn said the students never intended to reveal key details that would have given hackers information to help them hack into the fare collection system and ride the system for free, despite what the online ad for the demonstration said.
But Ieuan Mahony, an attorney for the MBTA, said the MBTA simply wanted the students to refrain from revealing details about the security problems publicly until the MBTA has time to correct the flaws, which could take five months. Mahony said that after reading the security analysis submitted by the students last week, the MBTA "has determined that the CharlieTicket system is compromised."
"We've known that there are some issues with the CharlieTicket, but we realized after reading this paper that they were able to clone and counterfeit the CharlieTicket," Mahony said after the hearing. Mahony said the MBTA still wants to get additional information from the students on how they were able to clone the CharlieTicket.
Some details about the vulnerabilities of automated fare system were released before the students' planned talk at the DefCon conference. Electronic copies of their 87-slide presentation were included on CDs handed out to conference attendees before the conference officially began and before the MBTA filed its lawsuit. - Boston Globe
"The MBTA ultimately is trying to silence some uncomfortable truths that these students uncovered," said Cohn, legal director for the Electronic Frontier Foundation, a San Francisco-based legal organization that specializes in civil liberties issues related to technology.
"They brought an action against three college kids rather than address the problems in their own house," Cohn said. Cohn said the students never intended to reveal key details that would have given hackers information to help them hack into the fare collection system and ride the system for free, despite what the online ad for the demonstration said.
But Ieuan Mahony, an attorney for the MBTA, said the MBTA simply wanted the students to refrain from revealing details about the security problems publicly until the MBTA has time to correct the flaws, which could take five months. Mahony said that after reading the security analysis submitted by the students last week, the MBTA "has determined that the CharlieTicket system is compromised."
"We've known that there are some issues with the CharlieTicket, but we realized after reading this paper that they were able to clone and counterfeit the CharlieTicket," Mahony said after the hearing. Mahony said the MBTA still wants to get additional information from the students on how they were able to clone the CharlieTicket.
Some details about the vulnerabilities of automated fare system were released before the students' planned talk at the DefCon conference. Electronic copies of their 87-slide presentation were included on CDs handed out to conference attendees before the conference officially began and before the MBTA filed its lawsuit. - Boston Globe
