The three MIT students who were silenced at the last minute before their scheduled Defcon talk are now allowed to speak, as U.S. District Judge George A. O'Toole refused to renew the existing TRO (Temporary Restraining Order) against them.
Students free to talk after TRO is lifted. (Image: MBTA)
“Today, Judge George O'Toole lifted the gag order on three MIT students who were sued by the Massachusetts Bay Transportation Authority for discovering a security vulnerability in the MBTA's fare payment system. The Court found that the MBTA was not likely to prevail on the merits of its claim under the federal Computer Fraud and Abuse Act,” Electronic Frontier Foundation (EFF) senior staff attorney Kurt Opsahl wrote in a blog post.
Zack Anderson, R. J. Ryan and Alessandro Chiesa were issued a TRO to prevent them from talking at Defcon about vulnerabilities in the Massachusetts Bay Transit Authority's Boston fare cards, known as 'CharlieCard' and 'CharlieTicket'.
Specifically, the MBTA claimed the students had violated the Computer Fraud and Abuse Act (CFAA) by delivering information to conference attendees that could be used to defraud the MBTA of its transit fares.
“MBTA had argued that the CFAA, which prohibits the transmission of a program that causes damage to a computer, also covers ‘verbal transmission,’ such as talking to people at conferences,” Opsahl added. “Judge O'Toole, however, looked closely at the statute, and held that the CFAA does not apply to security researchers like the students talking to people.”
While the TRO has been removed, the three students are named in a lawsuit filed by the MBTA seeking monetary damages for violation of the CFAA, negligent supervision and other causes of action.
What started the MBTA on a tangent was not the Defcon talk, but an e-mail from NXP. NXP, as you may recall from past articles, is the company that created the flawed MiFare Classic RFID chip, the same chip that was exposed by the MIT students as being flawed.
For the last year or so, NXP has tried to stamp out negative press and criticisms over the weak and ineffective security it used to protect the MiFare Classic. Because of that, it is no shock to see NXP go running to the MBTA to prevent the students from talking.
Yet, in what is a classic case of “cat out of the bag” syndrome, the MIT research was online the day the TRO was announced. Moreover, the research and details on the flaws for MiFare Classic have been discussed and available online for months.
While the students are still looking at a filed lawsuit, the EFF is representing them, so they have a strong supporter on their side.
Wish them luck.