MBTA lawyers also argued the students only contacted the T months after preparing to speak at the conference and that making their research available could “incite lawless action.” But the Electronic Frontier Foundation lawyers said the case is critical to free speech rights and that discouraging security researchers from performing these types of checks could set a dangerous precedent.
A federal judge yesterday lifted a gag order on three MIT students who found security flaws with the MBTA’s CharlieTicket system.
The ruling came despite a request from MBTA lawyers that the measure be extended five months, the estimated time it would take to fix the system. Ieuan Mahony, the lead attorney representing the agency, said the T has known some issues existed with the CharlieTicket system, but that a 30-page security analysis conducted by the MIT students and handed over to the T last week revealed that system “is compromised.”
At the center of the gag order debate was the Computer Fraud and Abuse Act (CFAA). The T got a temporary restraining order on Aug. 9, one day before students were set to present their findings at a hacker conference. The Electronic Frontier Foundation (EFF), the nonprofit representing the MIT students, sought to dissolve that order.
Yesterday, Judge George O’Toole Jr. ruled the gag order was without merit because the T hadn’t proven the CFAA — which relates to transferring information such as viruses and worms to a protected computer, but not to another person — had been violated.
The T’s lawsuit, which remains in federal court, claims the students illegally hacked into its system by uncovering flaws with the CharlieTicket system. Lawyers for the T have sought more information from the students about their research than what they have already provided, as well as an unspecified amount in damages.
While the MIT students found ways to clone the MBTA’s paper CharlieTickets, they only found theoretical ways to crack the plastic CharlieCards. According to the T, 30 percent of total subway rides are taken using CharlieTickets, while 70 percent are taken using CharlieCards.
