“Civil libertarians and the students’ lawyers quickly assailed the order as a blatant attack on free speech.

Jennifer Granick, a lawyer with the Electronic Frontier Foundation, which is representing the students, said in siding with the MBTA, Woodlock wrongly applied to speech a federal computer crime statute used to prevent transmitting harmful programs from one computer to another.

‘The statute is meant to stop people from committing computer fraud and abuse, not to stop people from talking about computers,’ she said. ‘These conferences are populated with people from Google, Microsoft, Sisco, wanting to collect information about security vulnerabilities that might exist in their systems. If you don’t let this information be discussed, the attackers are going to research it, but no legitimate person is going to talk about it.’

MBTA spokeswoman Lydia Rivera said the 10-day injunction will give experts time to examine the students’ research to see if they indeed discovered how to get free rides.

‘The injunction prevents them from disclosing ways to hack into the system,’ Rivera said. ‘It’s a preventive matter for us.’”^*

“Clearly, the end result and the ultimate Internet-wide publication of the students' find might not be what the MBTA wanted. It's an effect, however, that security gurus such as Dan Kaminsky -- the man who discovered the Internet-wide DNS flaw in July -- have seen before.

‘Suppressing speech in the United States has not worked well in recent times,’ Kaminsky, an analyst with ICActive, told TechNewsWorld. ‘It ends up just calling out whatever it was that you were trying to block.’

It's a courtesy, Kaminsky believes, to give a company enough time to respond to a flaw before exposing it. In his case, he opted to keep the details of his finding quiet for a full six months so the proper parties could find a fix before the news became widespread. Not taking those steps, Kaminsky said, can be detrimental to everyone involved.

‘You've got to give people some time. If you don't, you're just giving enough warning to the lawyers and nothing else,’ Kaminsky proposed.

‘No one here is getting what they want,’ he added. ‘That is always tragic to see.’”^*

"Last month, the Dutch government issued a warning about the security of access keys based on the ubiquitous MiFare Classic RFID chip. The warning comes on the heels of an ingenious hack, spearheaded by Henryk Plotz, a German researcher, and Karsten Nohl, a doctoral candidate in computer science at the University of Virginia, that demonstrated a way to crack the encryption on the chip.

Millions upon millions of MiFare Classic chips are used worldwide in contexts such as payment cards for public transportation networks throughout Asia, Europe and the U.S. and in building-access passes.

The report asserts that systems employing MiFare will likely be secure for another two years, since hacking the chip seems to be an involved and expensive process. But in a recent report published by Nohl, titled 'Cryptanalysis of Crypto-1,' he presents an attack that recovers secret keys in mere minutes on an average desktop PC."

And thus the new Dutch rail card was hacked after the government spent EUR 2b installing the new RFID system.

In addition to embarassing the transport minister, the Dutch were forced to scrap the investment and replace it with something more robust.

“We made first contact,” said Zack Anderson, 21, a Los Angeles native, who majors in electronic engineering and computer science. “We wanted to let them know what we found and we wanted to tell them some ideas we had on how they could fix that system ... We felt like the issue was resolved. That was verbally affirmed in a Monday meeting. Then Friday we find out there’s a federal lawsuit against us.”

"A federal judge has lifted a gag order on three MIT students who were barred from talking publicly about security flaws they discovered in the Boston transit system's automated fare network.

A lawyer for the transit agency acknowledged its CharlieTicket system has security flaws. But the lawyer asked Judge George O'Toole Jr. to impose a five- month injunction continuing to block the students from revealing anything publicly about the security system. O'Toole rejected the request Tuesday."

“Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: that the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses.

Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA.

On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer ‘transmission.’ Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system. Lawyers for the MBTA claimed Tuesday they had proof the students had violated the law, but stopped short of specifying what they did.

It's unclear what transit officials will do next. Lawyers for the MBTA weren't immediately available after the ruling, but they could appeal O'Toole's ruling to the U.S. First Circuit Court of Appeals. Unless either side backs down or a settlement happens, a trial on the T's lawsuit against the students and MIT will eventually occur, but so far no date has been set.

Lawyers for the students, in a case that has generated more attention in local media concerned about problems in the transit system than it has among national media concerned about privacy issues, welcomed the judge's decision. ‘This was a case of shooting the messenger,’ said Cindy Cohn, a lawyer with the Electronic Frontier Foundation, a San Francisco advocacy group that was representing the students along with the Massachusetts affiliate of the ACLU and the Fish & Richardson law firm.

But Ieuan Mahony, a lawyer for the Boston law firm Holland & Knight who is representing the MBTA, said the transit authority had no interest in chilling computer security research. Instead, he said it merely wanted to ensure a method for wide-scale fare violations wasn't disseminated.

Security researchers working for the MBTA spent the last several days working through a confidential 30-page analysis--which has not been made public--that students had sent to the court and T officials. The document detailed the complete method for breaking the local Charlie card payment system, including specific details the students say they didn't plan to reveal at the Defcon conference.

MBTA said in documents filed with the court said that fixing the security flaws would take five months. (‘Students have the ability to cause significant harm to the CharlieTicket system, during the roughly five-month window that remedial actions will require.’)

T officials concluded that the students had, in fact, found a way to break the paper Charlie card system, but had only found theoretical methods for breaking the plastic Charlie card, an RFID smart card that can have T fares electronic added to it.

Mahony said the 30-page analysis was a ‘very useful document,’ adding, it's ‘invaluable, but there are additional materials that cause us great concern.’ In particular, the transit authority wanted correspondence with Defcon officials and materials from their class with MIT professor Ron Rivest, a cryptographer best known as one of the co-inventors of the RSA public key encryption system, which is commonly used in e-commerce.


Despite the First Amendment implications of the case, O'Toole made it clear he intended to steer clear of the Bill of Rights. ‘I appreciate the breadth of views of others,’ he said, ‘but my views are considerably more limited.’ (Federal judges generally try to avoid constitutional issues if the dispute can be resolved by interpreting the text of a statute. In this case, it was a 1986 law that he decided didn't properly apply in this case.)

What the students intend to do now that the gag order has been lifted is unclear. If they wished, they could still make the Defcon presentation at some other forum. Cohn said she hasn't spoken with the three, who are still on summer break.”