Today @ PC World
News, opinion, and links from the PC World staff.

Boston Subway Hack Debate Intensifies

Posted by JR Raphael | Wednesday, August 13, 2008 11:15 AM PT

Things are about to heat up in the debate over three students' rights to publish a flaw they found in Boston's subway system.

The Web's been buzzing with the news for days now.

The students--from MIT--were set to present their discovery at the DEFCON 16 annual hackers' conference in Las Vegas last Sunday. The group had come up with what they called a simple way to hack into the CharlieCard system, used for fares on Boston's "T" transportation rail lines.

The Massachusetts Bay Transportation Authority quickly stepped in, though, filing a federal complaint and scoring a restraining order to keep the students from speaking about the matter. Days later, the full details of the hack hit the Internet as part of the public record of the filing.

What's Next

So here's where we're at: A federal judge is scheduled to rule tomorrow on whether to extend the restraining order, currently set to expire on August 19.

The MBTA wants to have the ruling remain in place so it can properly address the security flaw--even though the entire world, it would seem, is already privy to the problem.

The Big Question

The complication comes down to one basic question: Should the students have given their full presentation to the MBTA in advance? The MBTA, for its part, now tells CNET News that the group agreed to do just that--but never did.

The students tell a different story. Responding via the Electronic Frontier Foundation, the students say they had met with the MBTA and "understood that [its] concerns were resolved."

They say they agreed to provide a "confidential vulnerability assessment"--which they did--and that they did not believe the MBTA needed a copy of the full presentation. Incidentally, the PDF file circulating on the Internet is that assessment.

Intense Arguments

The next step is ultimately in the judge's hands. The EFF plans to argue that the cat's already out of the bag, so to speak, and that keeping a restraining order in place will serve no practical purpose.

It will also call into question the idea of prior restraint, arguing that silencing the students is out of constitutional bounds. An EFF legal brief argues that the temporary restraining order "restricted the students from providing true, publicly known, legally acquired information about the MBTA's CharlieCards and CharlieTickets in violation of the First Amendment."

A handful of free speech advocates have already signed up to help fight the battle.

Fireworks are sure to fly in the courtroom next Thursday. Is freedom of speech on the line, or is a company's right to protect its assets under assault?

Any thoughts on the subject?

Comments (2)

The PDF file you linked to (Defcon Presentation.pdf) is not the confidential assessment. However, the assessment was accidentally filed unsealed with the court, and is now publicly available. For instance, a copy is at http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf

mattflaschen
August 14, 2008
7:29 AM PT