Print 11 comment(s) - last by sevesteen.. on Aug 20 at 8:36 PM

Regardless, MBTA was still successful in stopping the DEF CON presentation

A federal judge lifted the temporary gag order placed on three MIT students Tuesday, who were originally set to give a presentation at DEF CON that outlined a number of security holes in the Massachusetts Bay Transportation Authority’s RFID-based fare infrastructure.

The MBTA originally sued the three student researchers earlier this month in an attempt to stop the trio from delivering their presentations. While its efforts were successful — the presentation was snuffed – the lawsuit was one day late. Slides of the presentation were already published in a CD-ROM handed to DEF CON attendees earlier in the day, and soon after posted online (PDF) by MIT student newspaper The Tech.

In his ruling, Federal Judge George O’Toole said that the chances of the MBTA prevailing on its claims under the Computer Fraud and Abuse Act was “minimal,” in which it tried to invoke the Act’s protections from “transmission” of a damaging computer program for the trio’s verbal presentation.

Critics feared the courts’ seemingly hasty decision had inadvertently attacked free speech, because the Act only prohibits the transmission of “code programs” in a computer, not damaging presentations. O’Toole’s interpretation equated free speech with computer hacking, feared some.

“So the attempt to stretch the Computer Fraud and Abuse Act has failed. Please read the statute for yourself, and ask yourself: do you want talking about computers and security to become a crime punishable by fines and imprisonment and subject to FBI and Secret Service oversight?” asks law and technology blog Groklaw. “That's what almost just happened.”

“At first glance, the issues at play may appear obscure, and of interest only to technical researchers and lawyers,” reads an EFF analysis of the situation. “But … the right to publish without pre-publication review is part of the purpose of the 1st amendment, and one of the reasons Americans fought the Revolutionary War.”

The MIT students were behaving as good citizens within this culture of security research. They met with the MBTA before the presentation. They never planned to expose the full details of their successful expose of the vulnerability of the MBTA's fare system … The free speech implications are even more important because showing faults with a government agency's systems is core political speech. The Boston Herald reports that an MBTA Advisory Council Member was concerned with the fare card payment systems (in light of this controversy), and noted that the ‘T gave a no-bid contract for CharlieCard services to a former government employee.’ This makes the public interest in this matter even stronger,” it reads.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

I'm all for free speech...
By Beenthere on 8/20/2008 10:46:05 AM , Rating: -1
I'm all for free speech but with this right comes a responsibility. In the case of hackers - who by the way illegally hacked the transit authorities systems using MIT facilities - two crimes that require prosecution IMO, there is a social responsibility to report security vulnerabilities instead of exploiting them or disclosing them for fame and or fortune.

Obviously these students who you would think might have above average intelligence, are more interested in publicity than in respecting existing laws and social responsibilities. That being the case these folks should be prosecuted for their crimes and sentenced to jail time and full restitution for all losses that are the result of their hacking and inappropriate public disclosure of a means to break the transit authorities computer system security.

By onelittleindian on 8/20/2008 10:52:54 AM , Rating: 2
I wouldn't mind if they were charged with a direct hack. But preventing the free flow of information is very dangerous. There have times people have been charged just for discussing the fact that there might be a weakness in a large public system. Those sorts of acts have a terrible chilling effect.

RE: I'm all for free speech...
By Regs on 8/20/2008 11:09:38 AM , Rating: 2
more interested in publicity than in respecting existing laws

I think the whole point is to use publicity to make people aware not enough is being done.

RE: I'm all for free speech...
By Beenthere on 8/20/08, Rating: 0
RE: I'm all for free speech...
By blaster5k on 8/20/2008 12:46:21 PM , Rating: 2
I'm not sure I agree here. Having it out in the open provides added pressure to fix the problem ASAP. If it's not made public, they may choose to try hiding it instead of fixing it. In that case, people can potentially get ripped off without knowing (via cloning or whatever), which I think is even worse. The MBTA is rather cash-strapped, so I wouldn't be surprised to see them go the "hiding" route if they could.

RE: I'm all for free speech...
By Regs on 8/20/2008 2:53:58 PM , Rating: 2
That sounds reasonable to me. Though most of the time, no one wants to spend the money, resources, or time until it's to late anyway.

I can also see what you're getting at about the students ego clouding their judgements.

RE: I'm all for free speech...
By BeenThere2 on 8/20/2008 4:45:35 PM , Rating: 2
Responsible adults fix the problem and move on...

Whatever the reason, MBTA should not have tried to hide the research which uncovered the vulnerability, especially since the researchers discussed their findings with MBTA well before "going public." Instead of denying/discrediting, then employing legal means to stifle the research, I am curious why MBTA did not make use of this free research to verify the facts (scientific method works every time), then resolve any proved issues.

Seems to me that, under a cooperative agreement, the researchers would be more likely to postpone publication (without losing credit), MBTA would gain a "fixed" system, and the PR would be positive.

Except for the small victory of preventing publication at DEFCON, MBTA lost the war: MBTA comes off as a big government agency bullying the little guy(s). That's not exactly the kind of PR MBTA wants or needs...

RE: I'm all for free speech...
By sevesteen on 8/20/2008 8:36:51 PM , Rating: 2
How long do responsible adults wait before releasing damaging security information? Fairly often, the people with poor security would rather fight the disclosure instead of fix the problem. If one group can find a vulnerability, so can a less-honest group.

"I f***ing cannot play Halo 2 multiplayer. I cannot do it." -- Bungie Technical Lead Chris Butcher
Related Articles

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki