Friday, August 15, 2008

Court tells students to disclose hacker secrets in T case

A federal judge yesterday refused to lift an order prohibiting three
MIT students from publicly talking about how they allegedly hacked into
the MBTA's automated ticketing system. However, he did order the trio
to privately provide more information to the court about the security
flaws they say they have uncovered.

District Judge George A. O'Toole Jr., granting a request by the MBTA,
ordered Zack Anderson, Alessandro Chiesa, and R.J. Ryan to provide him
with a paper they wrote for a class at MIT and correspondence they had
with the organizers of Defcon, a Las Vegas hacker convention where the
students were slated to speak last Sunday on alleged security flaws in
the MBTA's system.

The judge said he needed to know more to
"enable me to make a sounder decision about the facts of the case." He
ordered the students, who were not present, to provide the information
by 4 p.m. today. He said he'll weigh all the facts, then hold another
hearing Tuesday on whether to dismiss or extend the 10-day restraining
order that was issued Saturday and prevented the students from giving
their presentation at the convention.

The MBTA filed suit last
week, alleging trespass and computer fraud by the students and
negligence by the Massachusetts Institute of Technology after a vendor
spotted promises of "free subway rides for life" on a website
advertising the students' presentation.

After yesterday's
hearing, Jennifer Granick, a San Francisco attorney who represents the
students, dismissed those promises as "puffery" and said the students
had used "florid language" to drum up interest in their presentation.

court, Granick, who is civil liberties director of the Electronic
Frontier Foundation in San Francisco, said the students have already
provided "the entire universe of information," including material they
never intended to release about security flaws, in a 30-page sealed
document provided to the court earlier this week.

Granick argued
that the restraining order is an unconstitutional gag order that has
done "irreparable harm" to the students and the First Amendment.
Granick said the students have acted responsibly and "never intended to
release important information that would allow or teach a bad guy" to
hack into the system.

MBTA spokesman Joe Pesaturo said the
students have not provided the MBTA with enough information for
officials to know whether the system's security is endangered. "We
simply want them to provide the information that's been requested by
the court or the MBTA," he said.

Ieuan G. Mahony, a Boston lawyer
who is representing the MBTA, said after the hearing that some form of
a restraining order is necessary until the agency has fixed any flaws
that may exist.

The MBTA contends that the students had a
responsibility to share their findings with agency officials before
making them public so the agency would have time to fix the problems
before they could be exploited, Mahony said.

After the hearing,
Granick said the restraining order is "preventing them from talking
about what they found, even though there's a public debate. If these
students figured it out, other people could figure it out, too."

said today's deadline would be difficult to meet because Anderson is
not in the country and Ryan and Chiesa are not in Boston.
