Home » Data Protection » Network Security

News

Judge Dissolves Gag Order Against MIT Students

A U.S. District court judge on Tuesday dissolved a gag order against a trio of MIT students who say they found flaws in the Massachusetts transit authority's ticketing system

By Chris Kanaracus, IDG News Service (Boston Bureau)

August 20, 2008 — CSO —

A U.S. District court judge on Tuesday dissolved a gag order against a trio of MIT students who say they found flaws in the Massachusetts transit authority's ticketing system.

Zack Anderson, Russell "RJ" Ryan and Alessandro Chiesa had planned to present details of their findings at the Defcon hacker conference before a judge imposed the gag following a motion by the Massachusetts Bay Transportation Authority.

The students, who were apparently not present at Tuesday's hearing, are being represented by the Electronic Frontier Foundation, a San Francisco organization that advocates for civil rights in the high-tech world.

EFF legal director Cindy Cohn argued Tuesday that the federal Computer Fraud and Abuse Act concerns the transmission of information to protected computers, not speech to other people, in this case the students' planned speech at Defcon.

In addition, the students have no intention of releasing "key" pieces of information that would allow others to hack the system, Cohn said.

During her remarks, Cohn repeatedly framed the dispute as a First Amendment issue, and said if U.S. District Judge George O'Toole upheld the restraining order, he would be making "an unprecedented ruling" that would render the scientific community reluctant to publicize research of public benefit, for fear of legal reprisals. "This will set an example that will ultimately leave us all less secure."

She also characterized the MIT students as victims, saying they were only trying to help the MBTA by exposing the weaknesses in the system. "Our clients didn't create a vulnerability, they found it. They are being punished because they want to talk about it."

MBTA attorney Ieuan-Gael Mahoney had asked for a five-month continuation of the restraining order, saying that was how long the MBTA has determined it will take for the organization and its vendor to fix vulnerabilities in the MBTA Charlie Ticket system.

Mahoney praised a security analysis the students had given the agency, saying the information in it convinced them of the vulnerability.

"This is a very useful document. From it we came to the conclusion the Charlie Ticket had been compromised," Mahoney said.

But along with that praise, Mahoney weighed new allegations that the students had committed illegal acts. Mahoney did not provide specifics but said the MBTA has "solid information."

O'Toole ultimately sided with Cohn following the roughly 90-minute hearing.

The restraining order only pertained to the students' ability to discuss their findings publicly; the MBTA's lawsuit against them remains outstanding, Cohn said after the hearing.

It is unclear whether the MBTA will appeal O'Toole's ruling; Mahoney wasn't immediately available for comment after the hearing.