Judge refuses to lift gag order in subway-hack case

Judge refuses to lift gag order in subway-hack case

A federal judge in Boston Thursday refused to lift a temporary restraining order preventing three MIT students from publicly discussing details of several security vulnerabilities that they found in the electronic ticketing system used by the city's mass transit authority.

The decision means that the gag order imposed on the students last Saturday will remain unchanged at least until Aug. 19, when U.S. District Judge George O'Toole is scheduled to hold another hearing in the case. The restraining order, which was issued in response to a lawsuit filed by the Massachusetts Bay Transportation Authority (MBTA), will expire that same day unless it's extended or turned into a permanent injunction.

At today's hearing, O'Toole also asked the MIT students to submit a copy of a class paper in which they detailed the vulnerabilities that they had found, according to the Electronic Frontier Foundation (EFF), a high-tech civil rights group that is representing the students in the case. The MBTA requested a copy of the paper in a motion that it filed, the EFF said.

In addition, O'Toole asked the three undergrads -- Zack Anderson, Russell "RJ" Ryan and Alessandro Chiesa -- to provide copies of programming code that they included in a planned presentation to show how the MBTA's e-ticketing system could be hacked.

The San Francisco-based EFF had filed a motion in court this week asking O'Toole to lift the restraining order (download PDF). A spokeswoman for the group expressed disappointment at the judge's refusal to do so and said that the EFF will now go ahead with a planned appeal of the decision to issue the gag order.

The restraining order was handed down one day before Anderson, Ryan and Chiesa were scheduled to detail the MBTA's vulnerabilities at the Defcon hacker convention in Las Vegas. In its motion requesting the restraining order (download PDF), the MBTA claimed that it was forced to seek the court's intervention because neither MIT nor the students had given the transit agency enough information to assess the vulnerabilities that were about to be publicly disclosed.

The MBTA said in its court filings that its intention wasn't to permanently gag the students but to give itself some time to determine the validity and seriousness of the issues being raised by the students and to develop a course of action for addressing them.

Although the students had to cancel their talk, the slides that they put together for the presentation were included on a CD given to Defcon attendees and thus have become publicly available.

The EFF has called the restraining order a violation of the students' First Amendment rights as well as a prior restraint on free speech. Along with the filing that requested the lifting of the order, the EFF submitted a letter in support of the students signed by 11 computer science professors and security researchers (download PDF).

David Farber, a professor of computer science and public policy at Carnegie Mellon University's School of Computer Science, was one of the people who signed the letter. He said today that the decision to issue the restraining order was a "bad, bad idea."

Based on the available information, the students appear to have notified MBTA officials about their research and even provided them with confidential information relating to the vulnerabilities, Farber said. The students also appear to have assured the MBTA in advance that their presentation wouldn't provide the level of detail needed for someone to actually exploit the vulnerabilities, he said. For the MBTA to then ask a court to gag the students was totally out of line, according to Farber.

What makes its actions even more egregious, he claimed, is the fact that the paper the students were scheduled to present had been vetted by MIT Professor Ron Rivest, who Farber described as one of more respected figures in the security community.

It could be argued that the students could have worked with the MBTA to fix the issues before publicly disclosing them, Farber acknowledged. But it is unconstitutional to prevent them from speaking about their discoveries just because the MBTA felt that it wasn't given adequate notice, he contended. "In practice," Farber said, "a good middle ground is to keep the courts out of it."

But Gartner Inc. analyst John Pescatore said the MBTA wasn't given a reasonable amount of time to fix the problems or develop work-arounds for them.

The intent of disclosing flaws should be to make software and systems more secure, "not to make headlines or sell tickets to security conferences," Pescatore said. In this case, he added, "the students went for publicity."

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.



Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments