Massachusetts Judge Stops MIT Students from Presenting Transit System Hacking Tips

Published October 10, 2008

A federal judge in the U.S. District Court in Boston issued a temporary restraining order, in effect a gag order, preventing three Massachusetts Institute of Technology (MIT) students from presenting research findings at Defcon 16, the annual hacker conference held in Las Vegas in August 2008.

The order, issued August 9, was requested by the Massachusetts Bay Transportation Authority (MBTA), which claimed the presentation would impair the safety and security of the transit networks under its jurisdiction.

MIT students Zack Anderson, R.J. Ryan, and Alessandro Chiesa had prepared a presentation on ways to manipulate the CharlieCard (a contactless RFID smart card) and CharlieTicket (a magnetic-stripe paper ticket), the two fare media used on MBTA's transit system in the Boston metropolitan area.

Free Subway Rides

MBTA objected to the title of the presentation, which asked attendees whether they wanted “free subway rides for life.” The agency also complained that the students had refused to submit their slides to MBTA for vetting before the Defcon 16 talk.

The Electronic Frontier Foundation (EFF) represented the students and argued the order amounted to an unconstitutional prior restraint on speech. The foundation has long-standing ties to Defcon and the related Black Hat Briefings; Defcon holds an annual fundraiser to support EFF’s work.

There is precedent for this sort of court order. In 2005, Michael Lynn of Internet Security Systems (ISS) gave a talk at the Black Hat Briefings, another security and hacker conference, showing how an attacker could remotely compromise Cisco routers. Cisco Systems and ISS sued Lynn and obtained an injunction barring him from further disseminating the material on breaking into Cisco routers.

Hackers Help

The MIT students say the information in their talk was already in MBTA’s hands before Defcon 16. The conference organizers had also pressed nearly one thousand CDs containing the presentation materials for distribution to attendees who wanted their own copies, so the slides were already circulating when the order was issued.

Case Western Reserve University School of Law Prof. Raymond Ku says programmers are bound by an informal “best practices” code and that such distribution of information about vulnerabilities is good for the industry. “We believe the disclosure of [security] information is generally good because it provides those operating a system the opportunity to fix a security threat of which they may not be aware,” Ku said.

Ku also said programmers can “provide other members of the public with the opportunity to identify similar security threats and fix them” by consulting with organizations such as MBTA.

Agency Overreacted

The gag order issued to the three MIT students can be interpreted in one of two ways, Ku says. “If the gag order is interpreted to mean that the students cannot provide others with the means of exploiting the vulnerability in the MBTA system, then I believe it is fair,” Ku said.

Ku’s opinion on the validity of the gag order changes, however, “if it is interpreted more broadly to prevent the dissemination of more general knowledge and information regarding the vulnerability in question.” Such a broad interpretation of the gag order “would stand in the way of security testing and free speech in an open society,” he said.

“The real lesson here is that coming down like a ton of bricks on information security researchers … gets unwanted publicity for the vulnerability in your own systems,” noted Prof. Timothy Armstrong of the University of Cincinnati College of Law.

Armstrong says MBTA should have “just ignored the students” to make sure their “research would have remained a passing curiosity.”

Nicholas Katers writes from Franklin, Wisconsin.