The Tech Law Prof Blog and Ars Technica have been reporting on the MIT students who were enjoined from sharing their research into the Massachusetts Bay Transportation Authority’s faulty “Charlie Card” system with hackers at Defcon. Specifically, the students were able to hack their Charlie Cards into reporting incorrect amounts of money.
US District Judge Douglas Wood granted a preliminary ten-day gag order on the students on August 9th. As a result, the students were unable to present their paper as they had planned at Defcon, which took place from August 8 to 10. Meanwhile, MIT’s student-run newspaper, The Tech, decided to publish the students’ presentation (the document itself is actually a really interesting read if you can get it to load).
At the hearing on Tuesday, Judge George O’Toole refused the MBTA’s motion to extend the injunction by five months. Judge O’Toole did not consider the First Amendment argument presented by the Electronic Frontier Foundation on behalf of the students. Instead, after reviewing evidence that the students had not actually abused the system, but had simply discovered a theoretical exploit, the Judge found that the students had not violated the Computer Fraud and Abuse Act.
That brings me to the one point that this entire post was meant to set up.
- Corporations: If hackers have discovered a flaw in your system and are planning on presenting the exploit to a relatively small number of people, you probably shouldn’t slap an injunction on them. It will almost certainly lead to everyone on the internet (a relatively large number of people) learning about said exploit.
This whole issue really weighs on my mind considering the industry ramifications. Jon Longoria wrote an interesting, albeit brief, article regarding the plausible thought process MBTA took going into this. You can check it out here: http://thereformed.org/2008/08/25/mbta-put-profit-before-security/