Judge Lets MIT Students Share Their Research On Boston Subway Vulnerabilities

from the first-amendment-wins-again dept

While it took about a week and a half, a judge has now lifted the gag order that had prevented some MIT students from sharing a presentation about vulnerabilities in the Boston subway system. The judge refused to ban the students from talking about it for a period of five months (which the MBTA insisted it needed to fix the system). This is definitely a win for free speech, though I'm sure the debate over how and when to disclose security vulnerabilities will continue for a long, long time.


Reader Comments

  1.  
    Nick Stamoulis, Aug 19th, 2008 @ 7:50pm

    Kudos to MIT! We saw this on our local news and apparently the MBTA was getting all huffy and puffy over it claiming that they wanted to check out these claims first to see if they were valid before they were released. Uhhhh trust me MBTA - if genius students at MIT found the flaw, we're highly doubting it needs to be confirmed by blue collar workers at the MBTA. MIT > MBTA

     

  2.
    Anonymous Coward, Aug 19th, 2008 @ 8:22pm

    Boston Baked Beans

    MBTA needed the extra time to investigate whether this was a hoax device.

    For those with a short memory:
    http://www.cnn.com/2007/US/02/01/boston.bombscare/

     

  3.
    Grady, Aug 19th, 2008 @ 8:27pm

    Re:

    "Uhhhh trust me MBTA - if genius students at MIT found the flaw, we're highly doubting it needs to be confirmed by blue collar workers at the MBTA. MIT > MBTA"

    There are so many things to say to you that I'm not going to.

    The world would be nothing if it weren't for those "blue collar workers".....you need to show them more respect than that.


    Anyways, I don't agree with the judge, I believe this would be a case where a gag order is reasonable, at least to some extent.

     

  4.
    Matt Bennett, Aug 19th, 2008 @ 9:03pm

    And of course, they missed the Black Hat conference.

     

  5.
    IanK, Aug 19th, 2008 @ 9:27pm

    I'd understand a 30 day gag order for Boston transit to quickly check out these issues (albeit not thoroughly). Give them 5 months, and Boston would have fixed the problems as if nothing was ever wrong.

     

  6.
    Relonar, Aug 19th, 2008 @ 9:28pm

    Re: #3

    Well I have to disagree with you, it may be youth or stupidity, but I believe that words and ideas should be allowed to be spread freely without fear of government intervention. I believe that any information can be shared no matter what the context, bias, or content is. Both parties 'should' have acted differently towards each other, but what 'should' have happened rarely does in real-time. The students might have been better off giving a heads up to the MBTA to their vulnerability, but on the other hand there is little reason to have it 'hushed' after the fact.

    Next time you have an idea you want to share, try thinking about how frightening it would be if you had to decide if it was worth an imaginary risk because a judge could issue a gag over that just on the whim of someone's nerves it tweaked. Ok, this was overly simplified.

    Now away from principles and back to the relevancies of this case and why the gag order was extreme.
    The vulnerability was discovered by students of an acknowledged academic body.
    Before the order was issued documentation was already in circulation.
    If an attack were to take place by producing counterfeit cards the information provided would have been far from a how-to leaving a vast majority of the work to the attacker.
    Now we let the lawyers battle with their fancy words, libraries, past cases, and all the other stuff that drove me away from law.

     

  7.
    Sam, Aug 19th, 2008 @ 9:56pm

    I have worked for Boeing before. I have lots of information. Would you like that too?

     

  8.
    Grady, Aug 19th, 2008 @ 10:00pm

    Re: Re: #3

    "I believe that any information can be shared no matter what the context, bias, or content is."

    So, if I got access to a government employee's user name and password, and found a way into the system, you believe I should have the right to publish said information to whomever and however I please? Does that make sense? Where does security of state end and "freedom" begin? Should our "rights" really be that much more important than the security of a governmental body? Don't get me wrong, I'm not saying freedom of speech isn't important, but we as Americans have gone from a unified body to a state where it's all about "me" and not about "us". Twenty years ago they would have been told to be quiet till they got it fixed, and everyone would have agreed it was the right thing to do, but now....

    I agree, the two bodies acted disrespectfully to one another. The students should have told MBTA of the discovery and given them proper time to correct it before making the presentation available. And the MBTA shouldn't have filed for the gag. But I do believe they had a right to file, and for all intents and purposes, the gag should have been given.

     

  9.
    DanC, Aug 19th, 2008 @ 11:17pm

    Re: Re: Re: #3

    The reason the gag order should never have been granted in the first place is perfectly displayed by the MBTA's initial reaction to the MIT students - FBI criminal investigations.

    "Twenty years ago they would have been told to be quiet till they got it fixed, and everyone would have agreed it was the right thing to do, but now...."

    The problem, however, is that the timetable for fixing the problem is determined by the company in that case. If you don't have to worry about the initial disclosure of the problem, maybe you can put off fixing it for a year. Or two. Maybe you don't have to actually fix it at all, or you can just say you fixed it. Delaying public knowledge of a problem only encourages delays in fixing the problem.

    The release of the vulnerability puts the onus on the company to respond promptly to the problem.

    "Should our "rights" really be that much more important than the security of a governmental body?"

    Should? Our rights are more important than the security of a governmental body. If the MBTA uses faulty security measures, they don't have to tell you. And because they don't have to tell you, they can put off fixing the problem, because you don't know about it. And if they can silence anyone who does know, they really don't have a reason to fix the problem in a reasonable amount of time.

    Which boils down to the main issue: hiding problems doesn't encourage a company to fix them. It makes those systems less secure, while providing the illusion of security.

     

  10.
    Nicks AnASS, Aug 19th, 2008 @ 11:29pm

    Re: Nick

    I love your condescending attitude regarding blue collar workers, these are the same people that work day in and day out to make our life safer and healthier. I believe a salamander is of more use to the world than you are.

     

  11.
    Anonymous Coward, Aug 19th, 2008 @ 11:34pm

    Re: Re:

    So any time the Government is at risk, everyone should shut up.....
    Stupid people working for the government wasted money buying a stupid system and someone wants to prove it...

    So much for an Open Society...

     

  12.
    Anonymous Coward, Aug 19th, 2008 @ 11:50pm

    What most don't realize is that Mass. probably is more corrupt than almost any state in the US. The MBTA, Turnpike Authority, etc is populated by a bunch of people that couldn't get and HOLD a real job in the real world. 70% of the people couldn't make change in a toll booth without a computer. It isn't Civil Service .. it is Corrupt Service. Having lived in Mass for 40 years, I have no respect for anyone that works in those organizations.

    That being said, the idiots that bought the system were not "Blue Collar", they were no talent, no skill hacks with some sort of "White Collar" certification (i.e., some Community college in MA) that got their jobs for who they knew, not what they knew.

    The only way to get rid of corrupt idiots in Mass is for someone to get killed and the public to force the Governor to get pro-bono support from responsible lawyer firm located in Mass to fire the bozo. Even the Governor couldn't get the job done. (Look up the Big Dig firing.)

     

  13.
    bobbknight, Aug 19th, 2008 @ 11:55pm

    Stupidity

    What Is Stupidity? The MBTA
    Sue to stop kids from giving a security lecture.
    1) Put all the exploit info in the public domain.
    2) Accuse the kids of theft.
    A) By the way they had to buy more ride cards than they would have used to ride the system.
    Right now someone is riding the MBTA for free.
    Me, I laugh at the stupid idiots at the MBTA for incurring the Streisand effect.

    So here's the story line so far:
    MIT kids go to MBTA and say we have found out how to get free rides on the MBTA, and we are going to give a Black Hat presentation on the exploit. We will leave out the secret, and only tell of the net result. MBTA says ok cool and gives no indication of any other intentions.
    But before the Black Hat conference MBTA sues the kids and gets a gag order, placing the full exploit with the secret part into the suit, placing it into the public domain.
    The gag order gets lifted the day it was to expire. Everyone jumps for joy at the victory for First Amendment rights.

    As I see it the kids' rights were trampled and they should sue the MBTA and the original judge should be sanctioned.

    NO ONE WON HERE
    Rights were truncated
    The sheeple lost another one to semi government and governmental elites and to the judiciary.

    Grady, in both of your paragraphs you are wrong, as I have outlined above.

     

  14.
    Dan, Aug 19th, 2008 @ 11:57pm

    Soooo the MBTA are too lazy to fix their problem and they use a patsy judge as a tool to gag disclosure. Like a little kid with his hands over his eyes saying "you can't see me". Forget that the MIT students offered the MBTA details of the flaws FIRST and got blown off. Now the MBTA is moaning it will take 5 months to fix, maybe they should have in with a smile and an attaboy handshake and dinner instead of kiss off. I said the first judge was an idiot and now we have a higher ruling on the matter.

     

  15.
    YouKnowNothing, Aug 20th, 2008 @ 6:04am

    Re:

    "What most don't realize is that Mass. probably is more corrupt than almost any state in the US."

    After living in MA for many years, I used to think this way, too.

    Until I moved to Rhode Island. There isn't even the attempt to disguise or hide government corruption down here. It's openly acknowledged and mocked as "just the way things are" in RI.

     

  16.
    Anonymous Coward, Aug 20th, 2008 @ 7:25am

    Re: Re:

    LOL try a nice southern city sometime, Memphis, Birmingham or maybe New Orleans. The politicians down here are far cheaper than they are in Boston I promise you that.

     

  17.
    sean, Aug 20th, 2008 @ 11:21am

    Re: Re: Re: #3

    "Where does security of state end and "freedom" begin?"

    I'm not sure if you are dyslexic but I believe that should have read "Where does security of state begin and "freedom" end?" Since without freedom there is no need for security only perceived security.

     

  18.
    Sean, Aug 20th, 2008 @ 11:37am

    Re: Stupidity

    At least they were not arrested for passing out condoms at freshman orientation like a student at Northern Kentucky University was on July 31, 2008.

     

  19.
    Daz, Aug 20th, 2008 @ 10:46pm

    Re: Stupidity

    Absolutely agree,

    this was no win for free speech :(

    they were silenced for no good reason - the conference is over the talk will never happen - they were censored without a reason good enough to violate their free speech right.

     

  20.
    Anonymous Coward, Aug 21st, 2008 @ 4:50am

    Re: Re: Stupidity

    "they were censored without a reason good enough to violate their free speech right."

    Then they should have had the guts to have the talk anyway. Let the chips fall where they may. They may have had a few nights in jail but I doubt much more than that would have come from it.

     

  21.
    Jesse Cantu, Aug 26th, 2008 @ 10:14am

    MBTA Thought Analysis

    This whole issue really weighs on my mind considering the industry ramifications. Jon Longoria wrote an interesting, albeit brief, article regarding the plausible thought process MBTA took going into this. You can check it out here: http://thereformed.org/2008/08/25/mbta-put-profit-before-security/

     
