Three Massachusetts Institute of Technology students who had been barred by a court order from discussing travel-smartcard vulnerabilities can now discuss the flaws.
In a ruling on Tuesday, a federal judge in Boston let a 10-day-old gag order expire. The order had been imposed at the request of the Massachusetts Bay Transportation Authority (MBTA), to prevent the students giving a talk on travel-smartcard vulnerabilities at the Defcon security conference.
On Tuesday, US district judge George O'Toole Jr refused to grant a preliminary injunction requested by the MBTA that would have blocked the students from talking about their findings until 1 January, 2009.
The MIT students planned to make a presentation at Defcon on security vulnerabilities on the Massachusetts transit authority's electronic card and ticketing system. But a different federal judge blocked the presentation after MBTA sued the students and MIT.
Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: that the students' presentation was likely to be a violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses.
O'Toole said MBTA lawyers had failed to convince him on two points. First, the students' presentation was meant to be delivered to people, and was not a computer-to-computer "transmission". Second, the MBTA couldn't prove the students had caused at least $5,000 (£2,500)-worth of damage to the transit system. Lawyers for the MBTA claimed on Tuesday they had proof the students had violated the law, but stopped short of specifying what they did.
Lawyers for the MBTA could still appeal O'Toole's ruling to the US First Circuit Court of Appeals. Unless either side backs down or a settlement happens, a trial on the MBTA's lawsuit against the students and MIT will eventually occur.
However, in a statement released on Tuesday afternoon, MBTA general manager Daniel Grabauskas struck a conciliatory stance toward the students, and hinted that the transit authority may be willing to work with the students outside the courts.
"The 10-day process yielded a lot more information than we had at the start, and that was a key objective all along," Grabauskas said. "The students had repeatedly said the lawsuit was an impediment to opening up a productive dialogue with the MBTA about their findings. Now that the court proceedings are behind us, I renew my invitation to the students to sit down with us and discuss their findings. A great opportunity now presents itself."
He added: "With respect to the information that was sealed, I have every expectation that the students will act in accordance with the principles of 'responsible disclosure'."
Lawyers for the students welcomed the judge's decision. "This was a case of shooting the messenger," said Cindy Cohn, a lawyer with the Electronic Frontier Foundation, a San Francisco-based advocacy group that was representing the students, along with the Massachusetts affiliate of the ACLU and the Fish & Richardson law firm.
Ieuan Mahony, a lawyer for the Boston law firm Holland & Knight representing the MBTA, said the transit authority had no interest in chilling computer security research. Instead, he said it merely wanted to ensure that a method for wide-scale fare violations wasn't disseminated.
Security researchers working for the MBTA have spent the last several days working through a confidential 30-page analysis — which has not been made public — that students had sent to the court and MBTA officials. The document detailed the complete method for breaking the MBTA's Charlie card payment system, including specific details the students say they didn't plan to reveal at the Defcon conference.
MBTA said in documents filed with the court that fixing the security flaws would take five months. "Students have the ability to cause significant harm to the CharlieTicket system, during the roughly five-month window that remedial actions will require."
MBTA officials concluded that the students had, in fact, found a way to break the paper Charlie-card system, but had only found theoretical methods for breaking the plastic card, an RFID smartcard that can have fares electronically added to it.
Mahony said the 30-page analysis was a "very useful document", adding that it is "invaluable, but there are additional materials that cause us great concern". In particular, the transit authority wanted correspondence with Defcon officials and materials from their class with MIT professor Ron Rivest, a cryptographer best known as one of the co-inventors of the RSA public key encryption system, which is commonly used in e-commerce.
What the students intend to do now the gag order has been lifted is unclear. If they wished, they could still make the Defcon presentation at some other forum. Cohn said she hasn't spoken with the three, who are still on their summer break.
CNET News.com's Declan McCullagh contributed to this report.
