By Jake Edge
August 20, 2008
Three MIT students won a victory in court this week, but it was a rather
bittersweet one as the injunction that was overturned was, at best,
dubious. The students had researched the security of the Massachusetts Bay
Transportation Agency's (MBTA) tickets and pre-paid cards. They were
planning to give a presentation about their findings at the DEFCON security
conference when MBTA sued them. Even after the Electronic Frontier
Foundation (EFF) stepped in to represent the students, MBTA was able to get
a ten-day injunction that made the presentation impossible.
The judge who issued the injunction relied on the Computer Fraud and Abuse
Act, a statute aimed at preventing computer intrusions, to make his
decision. He ruled that speaking at a conference was a "transmission" of a
computer program that could harm MBTA by allowing people to get free subway
rides. The free speech rights of the students, Zack Anderson, RJ Ryan and
Alessandro Chiesa, were completely ignored by the judge. Unfortunately, when
a second judge lifted the injunction this week, he did it on narrow
grounds, not considering the First Amendment issues either. He instead
ruled that MBTA was unlikely to succeed on the merits of its case.
While the injunction has been lifted, the suit continues. MBTA is likely
to be the biggest loser in all of this for a number of reasons, not least
of which is the "Streisand Effect". By trying to squelch discussion of
their security problems, MBTA ensured that the story got much wider play
than it would have as a report from DEFCON. As Barbra Streisand found out
when she tried to remove aerial pictures of her Malibu estate from a
California coastal survey, suing someone to stop information from flowing
rarely works; in fact, on the internet, it generally backfires.
After getting an "A" in Professor Ron Rivest's—the R in
RSA—class, the students met with MBTA to outline what they had found.
They also provided a confidential report that included all of the details.
They told MBTA that they planned to keep some of those details out of the
DEFCON presentation to stop others from trivially exploiting the system.
With no advance warning, 48 hours before the presentation, MBTA sued to get
an injunction.
Had MBTA done its homework, it would have realized that the slides
of the presentation [PDF] were already available, both on the net and
on CDs given to the conference attendees. Worse still, MBTA entered the
confidential report, with details left out of the presentation, into the
open court record. For an agency that claimed that release of the
information would cause harm, it did far more harm to itself than the
students did.
It is a common fallacy that security problems are somehow magically kept
at bay if they are not discussed. Time and again we see organizations try
to stifle discussion of security problems rather than actually address
them. Any system that is likely to attract the attention of "white hat"
security researchers is very likely to have attracted others as well. In
fact, for a system like MBTA's, where large amounts of money can be made,
the chances that someone of malicious intent isn't already looking for
vulnerabilities are vanishingly small.
By treating the "MIT Three" as criminals, MBTA has done itself and the
Boston-area taxpayers a disservice. The students are willing to work with
the agency to identify and fix the problems, but not while they are being
sued. The agency told the judge this week that it would take it five
months to fix the problems identified—it is hard to see how that is
expedited by spending time in court.
While the students were under a gag order, various MBTA officials were
saying that there were no security problems. Because their First Amendment
rights had been suspended, the students were unable to respond to defend
their research. Only recently has the agency confessed that they do,
indeed, have security problems. This is one of the reasons that "prior
restraint" on free speech has been deemed unconstitutional in various
cases, including the famous "Pentagon Papers" case.
It is hard to see how the students could have been more "responsible" with
their disclosure. It is not as if these vulnerabilities came out of left
field; similar types of problems had been reported for other transit
systems. Had MBTA done its job, the students might not have been able to
find any flaws to report on. But, instead of thanking them and, perhaps,
hiring them, MBTA tried to bully them. The next time someone finds a flaw
in their systems, they may decide to anonymously report it with full
details—or exploit it for free subway rides.