Injunction to Silence MIT Student Hackers Backfires

A federal court order that prevented three MIT students from telling a hackers conference how they were able to break into Boston's subway fare collection system has backfired.

The injunction was meant to block discussion of how the students figured out how to evade the comuter system's security to change a $1.25 fare card to a $100 fare card.

Despite the court order -- or possibly because of it -- their 87-slide presentation that they were not allowed to talk about at last week's Defcon convention can now be studied by fellow hackers online.

Computer security experts say the attempt to gag the alleged hackers has boomeranged -- again.

"Every single time, harassing the researcher ends up spreading the research," said Dan Kaminsky, a computer security consultant for Seattle-based IOActive, Inc.


MIT students Zack Anderson, R.J. Ryan and Alessandro Chiesa were scheduled to present their "Anatomy of a Subway Hack" Sunday at the popular Las Vegas hackers convention. They had already received an A on the project from their professor at the Massachussets Institute of Technology.

Their trip to the podium, however, was blocked when they were served with an injunction obtained by the Massachusetts Bay Transportation Authority ordering them not to talk about the flaws in the MBTA security system.

But, not only had the presentation already been distributed at the Defcon convention, it was entered into public record when the MBTA filed its complaint. In the blink of a mouse click, the slides were posted on the Internet and hackers were shaking their heads at the MBTA's attempt to block discussion of the information.

"The bottom line is independent security research is how we get more secure networks," Kaminsky said. "But because anyone can just say anything, the way we differentiate what's true from what's not is to actually show the details that can be independently verified."

The students emphasize that their objectives were not to defraud the transit authority.

"Our intention … was to find out what vulnerabilities might be present and then determine how those might be fixed," said Anderson.

Most importantly, he said, the students never planned to reveal the information that would actually permit others to hack the system. The slideshow and presentation did not include the key enabling information.

The senior said they contacted transit authority officials in late July. The purpose of the meeting was to educate them about the system's flaws and present them with possible solutions.

Early last week, Anderson said, the students met with the transportation officials. After walking representatives through their presentation, the students thought they had allayed the transit authority's fears.

But on Aug. 8, they were notified that a federal lawsuit had been filed against them.

"It was a huge shocker," said Anderson.

In a complaint filed Friday with a U.S. district court in Massachusetts, the transportation authority said the students did not provide it with ample time to address the system's weaknesses. As a result, public disclosure of the flaws could cause significant damage to the transit system.

In an e-mail, a spokesman for the MBTA told that, at the meeting, the students agreed to provide the transit authority with a copy of the presentation. After several days passed without receiving the information, the MBTA said it had "no choice but to seek assistance from a federal court judge."

  • 1
  • |
  • 2
Join the Discussion
blog comments powered by Disqus
You Might Also Like...