The state of Massachusetts said Monday it is not prepared to abandonwho uncovered security vulnerabilities in Boston transit cards, even though thousands of copies of their 87-page presentation have been distributed.
A federal judge on Saturday granted the state transit authority's request for a restraining order barring the students' planned presentation at the Defcon conference. It orders them not to disclose any "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System."
The MIT students canceled their talk. But their presentation materials were handed out to Defcon attendees in the conference packet, and it has been distributed widely on the Web.
When we asked the Massachusetts Bay Transportation Authority if it would end the lawsuit as a result of the distribution, spokesman Joe Pesaturo replied: "The MBTA will reserve comment on the substance of the presentation until staff has had a sufficient period of time to thoroughly review the information, and meet with the students and their professor." Pesaturo did not respond to a followup question about whether any meeting has been set up.
The Electronic Frontier Foundation, which is providing a legal defense to the students, did not immediately respond to questions about whether a meeting has been arranged.
U.S. District Judge Douglas Woodlock granted MBTA a temporary restraining order, which under federal rules automatically expires in 10 days--meaning August 19--unless extended "for good cause."
That means MBTA needs to decide in the next week whether to try to ask Woodlock to convert his temporary order into a longer-lasting preliminary injunction.
MBTA's Pesaturo added in a separate message:
A week ago, the MBTA learned about the presentation to be made at the conference, and immediately contacted MIT. At a meeting last Tuesday involving all the parties, MIT staff and the students agreed to provide the MBTA with a copy of the presentation. After several days passed without getting any information from MIT, the MBTA had no choice but to seek assistance from a federal court judge on Friday. At 4:30 a.m. on Saturday, the presentation was finally provided to the MBTA. Staff is thoroughly reviewing the information to determine if there is any degree of substance to the claims being made by the students.
One reason the MBTA may want to proceed is that the restraining order does more than merely require the three students--Zack Anderson, R.J. Ryan, and Alessandro Chiesa--not to proceed with their presentation. It also applies to releasing "software code," which the trio had planned to post at web.mit.edu/zacka/www/subway/, but apparently never did.
During Saturday's hearing, an attorney for MBTA pointed to the students' plans to post Python code that could read magnetic cards and said: "This is not simply saying, 'We did it. Aren't we inventive?' It's also providing a tool to help accomplish this. Our understanding is that these would likely be software tools that would make it easier to analyze the cards." (An EFF attorney, on the other hand, characterized the code as general-purpose and "not tools which are targeted toward the MBTA system.")
Judge Woodlock said, according to a recording posted by Wired News, that the students acted "in contravention of best practices" and that he foresaw "no harm to defendants" in granting the restraining order. He did, however, add that "defendants are free to seek modification even before the end of the 10-day period."