Is Releasing a Security Flaw an Act of Free Speech?

By Matthew Harwood

Last week, a federal judge issued a temporary restraining order barring three Massachusetts Institute of Technology (MIT) undergraduates from releasing a security flaw they had found in the Massachusetts Bay Transportation Authority's (MBTA) automated fare collection system, one that would give travelers a way to get "free subway rides for life."

The hackers were about to release the information at last weekend's hacking conference DEFCON 16 in Las Vegas. According to Boston's Channel 5 News:

The students claimed they had hacked the security features of the computerized “Charlie Card” and were scheduled to present their findings Sunday in Las Vegas at the computer hacking conference.

“The Anatomy of a Subway Hack,” is the description of their presentation on the DEFCON 16 conference Web site. “In this talk we go over weaknesses in common subway fare collection systems. We focus on the Boston T subway, and we present several attacks to completely break the Charlie Card,” the listing read.

The judge's decision to issue the injunction has caused controversy, pitting the hackers' First Amendment rights against the MBTA's interest in fixing the flaw before others discover it and take advantage of it. The MBTA said it is helping to establish the precedent of "responsible disclosure." According to the Threat Level Blog:

The MBTA filed its suit in the U.S. District Court in Massachusetts against the three students and their university, stating that the students violated the Computer Fraud and Abuse Act in accessing protected MBTA computers without authorization, for which the MBTA seeks unspecified damages. The MBTA also asserts that MIT and the student's supervisor, computer science professor Ron Rivest, failed to properly supervise the students to prevent them from attacking and harming the transit system.

According to the MBTA's complaint, the release of the security flaw "will cause significant damage to the MBTA's transit system."

Before the MBTA filed its lawsuit, it met with the three MIT students and asked them to give it a copy of their presentation. They refused, but said that their presentation would not reveal the necessary information to cheat the fare card system. The description of their talk, however, did carry the provocative line: "Want free subway rides for life?"

An editorial in The Boston Globe today defends the students' right to free speech, arguing that while the students most assuredly should have disclosed the flaw they found to the MBTA, discovering security flaws is a valuable line of inquiry and the MBTA should not be the arbiter of what constitutes responsible disclosure. The issuance of the temporary restraining order also worries the Globe's editorial board.

"US courts have long been highly skeptical of prior restraints on what may be said in a public forum," the editorial said. "[The judge] strayed into dangerous territory by restricting what the students could disclose at the conference."

Marcia Hoffman, an attorney for the Electronic Frontier Foundation (EFF), which is defending the students, agreed. "Basically, what the court is suggesting here is that giving a presentation involving security to other security researchers is a violation of federal law," she said. "As far as I know, this is completely unprecedented, and it has a tremendous chilling effect on sharing this sort of research. . . . And we intend to fight it with everything we've got."

Ultimately, the paper says, the flaw is a design issue that the MBTA is responsible for, not a legal one.

Another hearing is scheduled for today concerning whether the temporary restraining order should be amended or lifted. The Boston Globe says it should be lifted. What do you think?

UPDATE: Eleven computer scientists and researchers from across the country have signed a letter submitted by the Electronic Frontier Foundation (EFF) asking a federal judge to rescind the temporary restraining order issued against the three MIT students.

According to the Threat Level blog, the letter argues that the restraining order creates a climate in which researchers will play it safe and delve only into areas of research where they don't have to fear lawsuits. The computer scientists and researchers argue this will create a "dangerous information imbalance" whereby security technology vendors and their customers can claim greater security than their products warrant, which may lead to the proliferation of security technologies with significant flaws detrimental to the public good.

UPDATE 2: U.S. District Judge George O'Toole has left the temporary restraining order on the three MIT students in place and has ordered them to provide more information on the security flaws they found in the MBTA's automated fare collection system.

O'Toole has demanded the students also hand over e-mail correspondence with DEFCON 16's organizers regarding their presentation as well as the paper submitted to their professor on hacking the MBTA fare card system.

The judge's ruling today only "compounds the problem," said Rebecca Jeschke, media coordinator for the Electronic Frontier Foundation, which is representing the students. Not only have the courts violated the ban on prior restraint by barring the MIT students from discussing their findings at DEFCON 16, but the ruling today further violates the law by ordering the review of the students' paper before publication, she told Security Management.



Salvatore D'Agostino
IDmachines LLC

Again, this is not new; the vulnerabilities were highlighted after the Mifare Classic keys were shown to be vulnerable to a kitchen-table level of attack.

There are various levels of attack possible here: cloning cards, and breaking the key via a combination of pattern recognition and short key lengths (the kitchen table).

In fact, the entire security industry is guilty here. Most of the physical security systems in place today rely on "proprietary" keys of short lengths that are easy game for anyone who wants to go after them.

Yes, security systems (via implementation of exit readers, exception reporting for two entries of the same credential, etc.) can provide a band-aid but fundamentally security vendors and officers are not being honest about the level of security being provided.

Would you rather learn this as a result of a malicious attack where real damage could be done to the enterprise? That is the question that needs to be asked and in that case clearly the white and grey hats are doing a service.
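The exception reporting the comment above mentions (flagging a credential that enters twice without an exit, and a credential that appears at two stations faster than anyone could travel between them) can be run over gate logs. This is an added example, not code from the article or the commenter; the tap records, station names and minimum travel times are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample gate log: (timestamp_seconds, card_id, station, event)
TAPS = [
    (0,   "card-A", "Kendall", "entry"),
    (600, "card-A", "Park St", "exit"),
    (100, "card-B", "Kendall", "entry"),
    (400, "card-B", "Harvard", "entry"),   # second entry with no exit in between
    (200, "card-C", "Kendall", "entry"),
    (260, "card-C", "Alewife", "entry"),   # 60 s apart: a second copy of the card
    (900, "card-C", "Alewife", "exit"),
]

# Constructed minimum plausible travel time between station pairs, in seconds
MIN_TRAVEL = {
    frozenset({"Kendall", "Harvard"}): 300,
    frozenset({"Kendall", "Alewife"}): 900,
}


def find_exceptions(taps, min_travel):
    """Return (card_id, reason) tuples for anti-passback and impossible-travel hits.

    'double_entry' fires when a card taps in while it is already inside the
    paid area; 'impossible_travel' additionally fires when that second entry is
    at a different station and arrives sooner than the minimum travel time.
    """
    exceptions = []
    by_card = defaultdict(list)
    for ts, card, station, event in sorted(taps):
        by_card[card].append((ts, station, event))

    for card, events in by_card.items():
        inside = None  # (timestamp, station) of the open entry, if any
        for ts, station, event in events:
            if event == "entry":
                if inside is not None:
                    prev_ts, prev_station = inside
                    exceptions.append((card, "double_entry"))
                    needed = min_travel.get(frozenset({prev_station, station}), 0)
                    if prev_station != station and ts - prev_ts < needed:
                        exceptions.append((card, "impossible_travel"))
                inside = (ts, station)
            elif event == "exit":
                inside = None
    return exceptions


if __name__ == "__main__":
    for card, reason in find_exceptions(TAPS, MIN_TRAVEL):
        print(f"{card}: {reason}")
```

Running the sample flags card-B for double entry and card-C for both double entry and impossible travel, while card-A's normal entry/exit pair produces nothing.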
