
Regardless, MBTA was still successful in stopping the DEF CON presentation

A federal judge on Tuesday lifted the temporary gag order placed on three MIT students who were originally set to give a presentation at DEF CON outlining a number of security holes in the Massachusetts Bay Transportation Authority’s RFID-based fare infrastructure.

The MBTA originally sued the three student researchers earlier this month in an attempt to stop the trio from delivering their presentation. While its efforts were successful (the presentation was snuffed), the lawsuit was one day late. Slides of the presentation had already been published on a CD-ROM handed to DEF CON attendees earlier in the day, and were soon after posted online (PDF) by MIT student newspaper The Tech.

In his ruling, Federal Judge George O’Toole said that the chances of the MBTA prevailing on its claims under the Computer Fraud and Abuse Act were “minimal.” The MBTA had tried to invoke the Act’s protections from “transmission” of a damaging computer program to cover the trio’s verbal presentation.

Critics feared the courts’ seemingly hasty decision had inadvertently attacked free speech, because the Act only prohibits the transmission of “code programs” in a computer, not damaging presentations. Some feared that O’Toole’s interpretation equated free speech with computer hacking.

“So the attempt to stretch the Computer Fraud and Abuse Act has failed. Please read the statute for yourself, and ask yourself: do you want talking about computers and security to become a crime punishable by fines and imprisonment and subject to FBI and Secret Service oversight?” asks law and technology blog Groklaw. “That's what almost just happened.”

“At first glance, the issues at play may appear obscure, and of interest only to technical researchers and lawyers,” reads an EFF analysis of the situation. “But … the right to publish without pre-publication review is part of the purpose of the 1st amendment, and one of the reasons Americans fought the Revolutionary War.”

“The MIT students were behaving as good citizens within this culture of security research. They met with the MBTA before the presentation. They never planned to expose the full details of their successful expose of the vulnerability of the MBTA's fare system … The free speech implications are even more important because showing faults with a government agency's systems is core political speech. The Boston Herald reports that an MBTA Advisory Council Member was concerned with the fare card payment systems (in light of this controversy), and noted that the ‘T gave a no-bid contract for CharlieCard services to a former government employee.’ This makes the public interest in this matter even stronger,” it reads.

Comments

RE: I'm all for free speech...
By Beenthere on 8/20/2008 12:36:04 PM , Rating: 0
Responsible adults don't go public with damaging security information until the vulnerability is fixed. Reporting the problem to the proper authorities and keeping your mouth shut for a few months until the problem is fixed is the proper solution. Then if you wanna tell the world what a great hacker you are - from your prison cell, that's OK as long as you're held accountable for all of your actions. Anything less than a proper response to security issues in the digital age is irresponsible and unacceptable as it's meant to cause harm to others, no matter how you sugar coat the facts.

RE: I'm all for free speech...
By blaster5k on 8/20/2008 12:46:21 PM , Rating: 2
I'm not sure I agree here. Having it out in the open provides added pressure to fix the problem ASAP. If it's not made public, they may choose to try hiding it instead of fixing it. In that case, people can potentially get ripped off without knowing (via cloning or whatever), which I think is even worse. The MBTA is rather cash-strapped, so I wouldn't be surprised to see them go the "hiding" route if they could.

RE: I'm all for free speech...
By Regs on 8/20/2008 2:53:58 PM , Rating: 2
That sounds reasonable to me. Though most of the time, no one wants to spend the money, resources, or time until it's too late anyway.

I can also see what you're getting at about the students' ego clouding their judgements.

RE: I'm all for free speech...
By BeenThere2 on 8/20/2008 4:45:35 PM , Rating: 2
Responsible adults fix the problem and move on...

Whatever the reason, MBTA should not have tried to hide the research which uncovered the vulnerability, especially since the researchers discussed their findings with MBTA well before "going public." Instead of denying/discrediting, then employing legal means to stifle the research, I am curious why MBTA did not make use of this free research to verify the facts (scientific method works every time), then resolve any proved issues.

Seems to me that, under a cooperative agreement, the researchers would be more likely to postpone publication (without losing credit), MBTA would gain a "fixed" system, and the PR would be positive.

Except for the small victory of preventing publication at DEFCON, MBTA lost the war: MBTA comes off as a big government agency bullying the little guy(s). That's not exactly the kind of PR MBTA wants or needs...

RE: I'm all for free speech...
By sevesteen on 8/20/2008 8:36:51 PM , Rating: 2
How long do responsible adults wait before releasing damaging security information? Fairly often, the people with poor security would rather fight the disclosure instead of fix the problem. If one group can find a vulnerability, so can a less-honest group.


Copyright 2016 DailyTech LLC.