BOSTON — A federal judge lifted a gag order yesterday on three MIT students who were barred from talking publicly about security flaws they discovered in the state's automated mass transit fare system, even as a lawyer acknowledged the system was "compromised."
U.S. District Judge George O'Toole Jr. rejected a request by the Massachusetts Bay Transportation Authority to impose a five-month injunction blocking the students from revealing anything publicly about the security system. O'Toole also dissolved a temporary restraining order that had prohibited the students from speaking about their findings earlier this month at DefCon, an annual computer hackers' convention, in Las Vegas. The conference ended on Aug. 10.
The students — Zack Anderson, R.J. Ryan and Alessandro Chiesa — said in an Internet posting that they planned to show others how to replicate their breach of the MBTA's security system.
"Want free subway rides for life?" the online posting said.
The MBTA plans to continue with its lawsuit against MIT and the three students, who are all undergraduates and did not attend yesterday's hearing. The MBTA claims the students violated the federal Computer Fraud and Abuse Act.
But in dissolving the gag order, O'Toole found the MBTA was unlikely to succeed on that claim. He said he agreed with the students' attorney that the 1986 law is aimed at preventing the transmission of viruses and worms to a protected computer, not at preventing information from being given to an audience during a speech.
O'Toole did not rule on the students' claim that the MBTA had violated their First Amendment rights by stopping them from speaking at the hackers' convention.
Cindy Cohn, a lawyer for the students, said the students had complied with the MBTA's request to turn over slides from their presentation and a 30-page "security analysis" that outlines everything they discovered about weaknesses in the fare system.
"The MBTA ultimately is trying to silence some uncomfortable truths that these students uncovered," said Cohn, legal director for the Electronic Frontier Foundation, a San Francisco-based legal organization that specializes in civil liberties issues related to technology.
"They brought an action against three college kids rather than address the problems in their own house," Cohn said.
Cohn said the students never intended to reveal key details that would have given hackers information to help them hack into the fare-collection system and ride the system for free, despite what the online ad for the demonstration said.
But Ieuan Mahony, an attorney for the MBTA, said the MBTA simply wanted the students to refrain from revealing details about the security problems publicly until the MBTA has time to correct the flaws, which could take five months.
Mahony said that after reading the security analysis submitted by the students last week, the MBTA "has determined that the CharlieTicket system is compromised."
"We've known that there are some issues with the CharlieTicket, but we realized after reading this paper that they were able to clone and counterfeit the CharlieTicket," Mahony said after the hearing.
The MBTA still wants to get additional information from the students on how they were able to clone the CharlieTicket, Mahony said.
Some details about the vulnerabilities of the automated-fare system were released before the students' planned talk at the DefCon conference. Electronic copies of their 87-slide presentation were included on CDs handed out to conference attendees before the conference officially began and before the MBTA filed its lawsuit.