Boston Judge Refuses to Lift Gag Order on MIT Students After MBTA Hack
Restraining order remains in place until Aug. 19; judge requests more info from students. Students were able to change CharlieTicket value from $2 to $653.
Fri, August 15, 2008
Computerworld — A federal judge in Boston today refused to lift a temporary restraining order preventing three MIT students from publicly discussing details of several security vulnerabilities that they found in the electronic ticketing system used by the city's mass transit authority.
The decision means that the gag order imposed on the students last Saturday will remain unchanged at least until Aug. 19, when U.S. District Judge George O'Toole is scheduled to hold another hearing in the case. The restraining order, which was issued in response to a lawsuit filed by the Massachusetts Bay Transportation Authority (MBTA), will expire that same day unless it's extended or turned into a permanent injunction.
At today's hearing, O'Toole also asked the MIT students to submit a copy of a class paper in which they detailed the vulnerabilities that they had found, according to the Electronic Frontier Foundation (EFF), a high-tech civil rights group that is representing the students in the case. The MBTA requested a copy of the paper in a motion that it filed, the EFF said.
In addition, O'Toole asked the three undergrads — Zack Anderson, Russell "RJ" Ryan and Alessandro Chiesa — to provide copies of programming code that they included in a planned presentation to show how the MBTA's e-ticketing system could be hacked.
The San Francisco-based EFF had filed a motion in court this week asking O'Toole to lift the restraining order (download PDF). A spokeswoman for the group expressed disappointment at the judge's refusal to do so and said that the EFF will now go ahead with a planned appeal of the decision to issue the gag order in the U.S. Appeals Court for the First Circuit.
The restraining order was handed down by another judge one day before Anderson, Ryan and Chiesa were scheduled to detail the MBTA's vulnerabilities at the Defcon hacker convention in Las Vegas. In its motion requesting the restraining order (download PDF), the MBTA claimed that it was forced to seek the court's intervention because neither MIT nor the students had given the transit agency enough information to assess the vulnerabilities that were about to be publicly disclosed.
The MBTA said that its intention wasn't to permanently gag the students but to give itself some time to determine the validity and seriousness of the issues being raised by the students and to develop a course of action for addressing them.
In a statement sent via e-mail today, the MBTA said it was pleased that a second federal judge had upheld the restraining order, but "disappointed at the defendants' continued resistance to provide the information" requested by the agency. The MBTA added that it remains hopeful that all of the defendants will be "cooperative" as the case continues.
