August 9th, 2008
MIT students fight for right to expose security gaps in Boston subway
The talk by three MIT students was to be titled “The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems.” It was to be delivered Sunday at Defcon. Then the Massachusetts Bay Transportation Authority sued for an injunction to stop the speech and a U.S. District Court granted the temporary injunction.
Now the Electronic Frontier Foundation is appealing that decision, Computerworld reports.
“The court ultimately came to a very, very wrong conclusion,” EFF senior staff attorney Kurt Opsahl said. “The first notice that the MBTA provided that they were going to the court was after they had gone to the court,” Opsahl said at the EFF session. The judge cited a computer intrusion statute in issuing the order, he said.
“The statute on its face appears to be discussing sending code programs or similar type of information to a computer and does not appear to contemplate somebody who is giving a talk to humans,” Opsahl said. “Nevertheless, the court disagreed with that interpretation.”
The EFF’s main legal theory is that telling the truth about security weakness should be protected by the First Amendment.
The students planned to physical security problems they found with the system, such as unlocked gates and unattended surveillance booths. They say they were able to access fiber switches connecting fare vending machines to the unlocked network, and they also describe techniques to clone and reverse-engineer the MBTA’s CharlieTicket magnetic stripe tickets and CharlieCard smartcards, CW says.
