August 15, 2008
MIT Students Are Ordered to Reveal How They Hacked the Boston Subway
First, they were told to be quiet. Now, they are being ordered to squeal. Zack Anderson, Alessandro Chiesa, and R.J. Ryan, three MIT students, were ordered yesterday by a U.S. District Court judge to turn over a paper they wrote for a class in which they described how to hack the Boston subway system. Last week another judge stopped the students from presenting their results at Defcon 16, a hacker’s convention in Las Vegas, the Boston Globe reports.
The trio exploited vulnerabilities in the chip-based and magnetic-stripe fare-payment systems used on the Boston subway and showed how to get a free ride, according to the Electronic Frontier Foundation, which is providing a lawyer for the students. The students and the EFF say the work was done to show the flaws in the system so they could be fixed before a malicious attacker used them. (The paper got an “A” in an MIT computer-science class, the EFF says.) But the Boston transit system sued to stop the students from talking about the research at Defcon, citing a federal law against computer crime (the Computer Fraud and Abuse Act). Its argument was that simply talking about the code publicly was illegal transmission of a computer program intended to do harm, and a judge issued a restraining order.
The students, and their EFF lawyer, argue that the trio’s First Amendment rights are being violated and that this is a clear case of prior restraint. They also note that most of the information about the security flaw is already publicly available.
Yesterday a judge ordered the students to turn over the paper and related documents so he could determine whether the students had really broken a law or whether their rights to free speech were being infringed upon. The court set a hearing on the matter for next Tuesday. —Josh Fischman
How much is the Boston transit system paying in lawyers’ fees for this whole fiasco? Wouldn’t it have been simply cheaper and easier to, I don’t know, hire the students as consultants to fix their system?
— Mike Aug 15, 04:57 PM #
I agree with the judge. If the students’ goal was to make visible and point out the security problems, then there was no need to reveal and document the actual code errors outside of the paper they wrote. They should simply turn a copy of their paper over to the transit system. Doing more than that smacks of intent to enable others to bypass the system.
— Al Aug 15, 05:21 PM #
MIT encourages students to explore creative applications of technology. Certainly, exposing security flaws in critical infrastructure is an important application of the students’ research. They had to go public as the response of any organization when confronted with serious security issues is to go after individuals first and plug the leaks last (consider those users who lose laptops and key drives with the personal information of others; why do organizations fire or prosecute the users instead of creating software ‘locks’ that prohibit the insecure use of data in the first place?)
No, Boston; instead of arguing prior restraint, give the MIT students a big “thank you” and fix your security issues.
— Doc Aug 16, 12:23 PM #
This campaign is beginning to move from prior restraint to the punitive, and certainly any student thinking of going into computer security will notice.
If Massachusetts Bay Transit Authority had been genuinely concerned about hackers finding out about and taking advantage of a security breach, they would have handled this much more quietly – and with a carrot rather than a stick. So either MBTA is incompetent, or they are out to make an example of presumptuous students.
What is really alarming is the gullibility (or complicity?!) of Boston judges…
— Greg McColm Aug 18, 09:28 AM #
Do you think they’ll make this into a movie too? Like the one they did about the MIT kids beating the casino system in “21”? :)
— EAR Aug 18, 10:53 AM #
#1 is right. If MBTA authorities had any sense, they would have hired the students as consultants to fix the problem, and investigate any further weaknesses. They should actually buy the paper, and pay the students for their work. But arrogance is ruling here rather than good business sense.
— Sam Aug 18, 03:48 PM #
The problem is that the transit cards have the money amount on the card, rather than just a reference number to be looked up in a computer. This means that the card can be changed and then you have unlimited funds. The card also needs to be updated, so it is easy to determine how to do it with a card reader.
No one in their right mind would design such a system, which is part of the reason for trying to keep them silent, since it will take a fair bit of work to fix the problem.
Other issues are just common sense, like locking the networking rooms, etc. There is no reason to hire anyone, other than to replace all the people who currently work there so as to get some people who can think a bit.
The talk information is available on the Internet as a pdf file.
— K S Aug 18, 04:40 PM #
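The comment above contrasts two fare-card designs: one where the balance is stored on the card and the reader trusts it, and one where the card carries only a reference that a backend looks up. The following toy model, added here as an illustration and not taken from the students' paper or from the MBTA's actual system, shows why the first design is forgeable with nothing more than a card writer, and how a backend ledger keyed by an issuer-authenticated serial closes that hole. The fare, card layout, serial format and HMAC key are all assumptions made for the example.

```python
import hmac
import hashlib

# Constructed example. The fare, key, card layout and serial format are
# assumptions for illustration; none of this describes a real transit card.
FARE_CENTS = 200
SERIAL_LEN = 8
TAG_LEN = 8
ISSUER_KEY = b"example issuer key, not a real one"


# ---- Design 1: the balance lives on the card and the reader trusts it ----

def make_stored_value_card(cents: int) -> bytearray:
    """Card bytes are just the balance; nothing binds them to the issuer."""
    return bytearray(cents.to_bytes(4, "big"))


def stored_value_deduct(card: bytearray) -> bool:
    """Reader deducts one fare from whatever balance the card claims to hold."""
    balance = int.from_bytes(card[:4], "big")
    if balance < FARE_CENTS:
        return False
    card[:4] = (balance - FARE_CENTS).to_bytes(4, "big")
    return True


def rewrite_balance(card: bytearray, cents: int) -> None:
    """What anyone with a card writer can do: set the balance to any value."""
    card[:4] = cents.to_bytes(4, "big")


# ---- Design 2: the card carries only an authenticated serial; value is a ledger entry ----

def _tag(serial: bytes) -> bytes:
    """Issuer-keyed MAC over the serial, truncated to TAG_LEN bytes."""
    return hmac.new(ISSUER_KEY, serial, hashlib.sha256).digest()[:TAG_LEN]


def issue_ledger_card(serial: str, ledger: dict, cents: int) -> bytearray:
    """Issuer records the balance server-side and writes serial || HMAC(serial)."""
    s = serial.encode("ascii")
    if len(s) != SERIAL_LEN:
        raise ValueError("serial must be exactly SERIAL_LEN bytes")
    ledger[serial] = cents
    return bytearray(s + _tag(s))


def ledger_deduct(card: bytearray, ledger: dict) -> bool:
    """Reader verifies the tag, then debits the backend record, never the card."""
    raw = bytes(card)
    if len(raw) != SERIAL_LEN + TAG_LEN:
        return False
    serial, tag = raw[:SERIAL_LEN], raw[SERIAL_LEN:]
    if not hmac.compare_digest(tag, _tag(serial)):
        return False  # forged or tampered serial: the issuer never signed it
    key = serial.decode("latin-1")
    if ledger.get(key, 0) < FARE_CENTS:
        return False
    ledger[key] -= FARE_CENTS
    return True


if __name__ == "__main__":
    # Stored-value card: rejected at 100 cents, then "topped up" by the attacker.
    card = make_stored_value_card(100)
    print("stored-value, honest balance:", stored_value_deduct(card))   # False
    rewrite_balance(card, 100_000)
    print("stored-value, rewritten balance:", stored_value_deduct(card))  # True

    # Ledger card: works once, then fails after a single byte of the serial is changed.
    ledger = {}
    lc = issue_ledger_card("12345678", ledger, 500)
    print("ledger card, valid:", ledger_deduct(lc, ledger), ledger)      # True, 300
    lc[0] ^= 0x01
    print("ledger card, tampered:", ledger_deduct(lc, ledger))           # False
```

One caveat worth stating: the MAC stops an attacker from inventing serials or editing one in place, but it does nothing against copying a real card's bytes onto another card. Cloning in the ledger design spends the victim's balance rather than creating money from nothing, and stopping it needs per-card secrets with a challenge-response, or online detection of one serial appearing at two gates, which is a separate problem from the stored-value flaw the comment describes.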
“I agree with the judge. If the students’ goal was to make visible and point out the security problems, then there was no need to reveal and document the actual code errors outside of the paper they wrote. They should simply turn a copy of their paper over to the transit system. Doing more than that smacks of intent to enable others to bypass the system.”
The problem is that “quietly turning over a copy” will result in no action at all. Without the public outcry the problem would have remained unfixed. This is typical bureaucratic CYA. The most secure systems are those whose security methods are open and public (note—the methods, not the actual passwords etc.). If the methods aren’t open we have only somebody’s word for it that the system is secure, and it’s either a lazy bureaucrat or a business trying to pull a fast one. Or sometimes both.
Security by obscurity doesn’t work—it invites abuse and circumvention.
— GSN Aug 18, 06:28 PM #