Press Starting To Notice WiFi-In-The-Sky Claims Not Being Supported In Reality

Judge Lets MIT Students Share Their Research On Boston Subway Vulnerabilities

from the first-amendment-wins-again dept

Tue, Aug 19th 2008 7:32pm — Mike Masnick

While it took about a week and a half, a judge has now lifted the gag order that had prevented some MIT students from sharing a presentation about vulnerabilities in the Boston subway system. The judge refused to ban the students from talking about it for a period of five months (which the MBTA insisted it needed to fix the system). This is definitely a win for free speech, though I'm sure the debate over how and when to disclose security vulnerabilities will continue for a long, long time.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: boston, first amendment, free speech, gag order, research, subway, vulnerabilities
Companies: mbta

21 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Nick Stamoulis, 19 Aug 2008 @ 7:50pm

Kudos to MIT! We saw this on our local news and apparently the MBTA was getting all huffy and puffy over it claiming that they wanted to check out these claims first to see if they were valid before they were released. Uhhhh trust me MBTA - if genius students at MIT found the flaw, we're highly doubting it needs to be confirmed by blue collar workers at the MBTA. MIT > MBTA
[ link to this | view in chronology ]
- Grady, 19 Aug 2008 @ 8:27pm
  
  Re:
  "Uhhhh trust me MBTA - if genius students at MIT found the flaw, we're highly doubting it needs to be confirmed by blue collar workers at the MBTA. MIT > MBTA"
  
  There are so many things to say to you that I'm not going to.
  
  The world would be nothing if it weren't for those "blue collar workers".....you need to show them more respect than that.
  
  Anyways, I don't agree with the judge, I believe this would be a case where a gag order is reasonable, at least to some extent.
  [ link to this | view in chronology ]
  - Relonar, 19 Aug 2008 @ 9:28pm
    
    Re: #3
    well I have to disagree with you, it may be youth or stupidity, but I believe that words and ideas should be allowed to be spread freely without fear of government intervention. I believe that any information can be shared no matter what the context, bias, or content is. Both parties 'should' have acted differently towards each other, but what 'should' have happened rarely does in real-time. The students might have been better off giving a heads up to the MBTA to their vulnerability, but on the other hand there is little reason to have it 'hushed' after the fact.
    
    Next time you have an idea you want to share, try thinking about how frightening it would be if you had to decide if it was worth an imaginary risk because a judge could issue a gag over that just on the whim of someones nerves it tweaked. Ok, this was overly simplified.
    
    now away from principles and back to the relevancies of this case and why the gag order was extreme.
    The vulnerability was discovered by students of an acknowledged academic body.
    Before the order was issued documentation was already in circulation.
    If an attack were to take place by producing counterfeit cards the information provided would have been far from a how-to leaving a vast majority of the work to the attacker.
    now we let the lawyers battle with their fancy words, libraries, past cases, and all the other stuff that drove me away from law.
    [ link to this | view in chronology ]
    - Grady, 19 Aug 2008 @ 10:00pm
      
      Re: Re: #3
      "I believe that any information can be shared no matter what the context, bias, or content is."
      
      So, if I got access to a government employees user name and password, and found a way into the system, you believe I should have the right to publish said information to whomever and however I please? Does that make sense? Where does security of state end and "freedom" begin? Should our "rights" really be that much more important than the security of a governmental body? Don't get me wrong, I'm not saying freedom of speech isn't important, but we as Americans have gone from a unified body to a state where it's all about "me" and not about "us". Twenty years ago they would have been told to be quiet till they got it fixed, and everyone would have agreed it was the right thing to do, but now....
      
      I agree, the two bodies acting disrespectfully to one another. The students should have told MBTA of the discovery and given them proper time to correct it before making the presentation available. And the MBTA shouldn't have filed for the gag. But I do believe they had a right to file, and all intents and purposes, the gag should have been given.
      [ link to this | view in chronology ]
      - DanC, 19 Aug 2008 @ 11:17pm
        
        Re: Re: Re: #3
        The reason the gag order should never have been granted in the first place is perfectly displayed by the MBTA's initial reaction to the MIT students - FBI criminal investigations.
        
        Twenty years ago they would have been told to be quiet till they got it fixed, and everyone would have agreed it was the right thing to do, but now....
        
        The problem, however, is that the timetable for fixing the problem is determined by the company in that case. If you don't have to worry about the initial disclosure of the problem, maybe you can put off fixing it for a year. Or two. Maybe you don't have to actually fix it at all, or you can just say you fixed it. Delaying public knowledge of a problem only encourages delays in fixing the problem.
        
        The release of the vulnerability puts the onus on the company to respond promptly to the problem.
        
        Should our "rights" really be that much more important than the security of a governmental body?
        
        Should? Our rights are more important than the security of a governmental body. If the MBTA uses faulty security measures, they don't have to tell you. And because they don't have to tell you, they can put off fixing the problem, because you don't know about it. And if they can silence anyone who does know, they really don't have a reason to fix the problem in a reasonable amount of time.
        
        Which boils down to the main issue: hiding problems doesn't encourage a company to fix them. It makes those systems less secure, while providing the illusion of security.
        [ link to this | view in chronology ]
      - sean, 20 Aug 2008 @ 11:21am
        
        Re: Re: Re: #3
        "Where does security of state end and "freedom" begin?"
        
        I'm not sure if you are dyslexic but I believe that should have read "Where does security of state begin and "freedom" end?" Since with out freedom there is no need for security only perceived security.
        [ link to this | view in chronology ]
  - Anonymous Coward, 19 Aug 2008 @ 11:34pm
    
    Re: Re:
    So any time the Government is at risk, everyone one should shut up.....
    Stupid people working for the government wasted money buying a stupid system and someone want so to prove it...
    
    So much for a Open Society...
    [ link to this | view in chronology ]
- Nicks AnASS, 19 Aug 2008 @ 11:29pm
  
  Re: Nick
  I love your condescending attitude regarding blue collar workers, these are the same people that work day in and day out to make our life safer and healthier. I believe a salamander is of more use to the world than you are.
  [ link to this | view in chronology ]
Anonymous Coward, 19 Aug 2008 @ 8:22pm

Boston Baked Beans
MBTA needed the extra time to investigate whether this was a hoax device.

For those with a short memory:
http://www.cnn.com/2007/US/02/01/boston.bombscare/
[ link to this | view in chronology ]
Matt Bennett, 19 Aug 2008 @ 9:03pm

And of course, they missed the black hat conference.
[ link to this | view in chronology ]
IanK, 19 Aug 2008 @ 9:27pm

I'd understand a 30 day gag order for Boston transit to quickly check out these issues (albeit not thoroughly). Give them 5 months, and Boston would have fixed the problems as if nothing was ever wrong.
[ link to this | view in chronology ]
Sam, 19 Aug 2008 @ 9:56pm

I have worked for boeing before. I have lots of information. Would you like that too?
[ link to this | view in chronology ]
Anonymous Coward, 19 Aug 2008 @ 11:50pm

What most don't realize is that Mass. probably is more corrupt than almost any state in the US. The MBTA, Turnpike Authority, etc is populated by a bunch of people that couldn't get and HOLD a real job in the real world. 70% of the people couldn't make change in a toll booth without a computer. It isn't Civil Service .. it is Corrupt Service. Having lived in Mass for 40 years, I have no respect for anyone that works in those organizations.

That being said, the idiots that bought the system were not "Blue Color", they were no talent, no skill hacks with some sort of "White Collar" certification (ie, some Community college in MA) that got their jobs for who they knew, not what they knew.

The only way to get rid of corrupt idiots in Mass is for someone to get killed and the public to force the Governor to get pro-bono support from responsible lawyer firm located in Mass to fire the bozo. Even the Governor couldn't get the job done. (Look up the Big Dig firing.)
[ link to this | view in chronology ]
- YouKnowNothing, 20 Aug 2008 @ 6:04am
  
  Re:
  What most don't realize is that Mass. probably is more corrupt than almost any state in the US.
  
  After living in MA for many years, I used to think this way, too.
  
  Until I moved to Rhode Island. There isn't even the attempt to disguise or hide government corruption down here. It's openly acknowledged and mocked as "just the way things are" in RI.
  [ link to this | view in chronology ]
  - Anonymous Coward, 20 Aug 2008 @ 7:25am
    
    Re: Re:
    LOL try a nice southern city sometime, Memphis, Birmingham or maybe New Orleans. The politicans down here are far cheaper then they are in Boston I promise you that.
    [ link to this | view in chronology ]
bobbknight, 19 Aug 2008 @ 11:55pm

Stupidity
What Is Stupidity? The MBTA
Sue to stop kids from giving a security lecture.
1) Put all the exploit info in the public domain.
2) Accuse the kids of theft.
A) By the way they had to buy more ride cards than they would have used to ride the system.
Right now someone is riding the MBTA for free.
Me I laugh at the stupid idiots at the MBTA for inuring the Streisand effect.

So here's the story line so far:
MIT kids go to MBTA and say we have found out how to get free rides on the MBTA, and we are going to give a Black Hat presentation on the exploit. We will leave out the secret, and only tell of the net result. MBTA say ok cool and gives no indication of any other intentions.
But before the Black Hat conference MBTA sues the kids and gets an gag order, placing the full exploit with the secret part into the suit, placing it into the public domain.
The gag order gets lifted the day it was to expire. Everyone jumps for joy at the victory for First Amendment rights.

As I see it the kids rights were trampled and they should sue the MBTA and the original judge should be sanctioned.

NO ONE WON HERE
Rights were truncated
The sheeple lost another one to semi government and governmental elites and to the judiciary.

Grady, in both of your paragraphs you are wrong, as I have outlined above.
[ link to this | view in chronology ]
- Sean, 20 Aug 2008 @ 11:37am
  
  Re: Stupidity
  At least they were not arrested for passing out condoms at freshman orientation like a student at Northern Kentucky University was on July 31, 2008.
  [ link to this | view in chronology ]
- Daz, 20 Aug 2008 @ 10:46pm
  
  Re: Stupidity
  Absolutely agree,
  
  this was no win for free speech :(
  
  they were silenced for no good reason - the conference is over the talk will never happen - they were censored without a reason good enough to violate their free speech right.
  [ link to this | view in chronology ]
  - Anonymous Coward, 21 Aug 2008 @ 4:50am
    
    Re: Re: Stupidity
    "they were censored without a reason good enough to violate their free speech right."
    
    Then they should have had the guts to have the talk anyway. Let the chips fall were they may. They may have had a few nights in jail but I doubt much more then that would have come from it.
    [ link to this | view in chronology ]
Dan, 19 Aug 2008 @ 11:57pm

Soooo the MBTA are to lazy to fix their problem and they use a patsy judge as a tool to gag disclosure. Like a little kid with his hands over his eyes saying "you can't see me". Forget that the MIT students offered the MBTA details of the flaws FIRST and got blown off. Now the MBTA is moaning it will take 5 months to fix, maybe they should have in with a smile and an ataboy handshake and dinner instead of kiss off. I said the first judge was an idiot and now we have a higher ruling on the matter.
[ link to this | view in chronology ]
Jesse Cantu, 26 Aug 2008 @ 10:14am

MBTA Thought Analysis
This whole issue really weighs on my mind considering the industry ramfications. Jon Longoria wrote an interesting, albeit brief, article regarding the plausible thought process MBTA took going into this. You can check it out here: http://thereformed.org/2008/08/25/mbta-put-profit-before-security/
[ link to this | view in chronology ]