MIT Students Bound and Gagged by Power-Mad Massachusetts Agency, Orwellian Magistrate

August 15th, 2008 by Justin Ryan

The big story in security circles this week has been the plight of three MIT students all-but-imprisoned by officials of Boston's transport system with the help of a Federal judge who — by all appearances — has somehow missed reading the First Amendment in his twenty-two years on the bench.

The trio were supposed to deliver a presentation on research they conducted for an MIT computer course on Boston's "Charlie" cards and tickets, which control the city's transit system. Specifically, they were able to discover vulnerabilities in the system that could allow an attacker to gain free access to the system. Organizers had scheduled the three students to speak at last Sunday's DefCon conference, but the Massachusetts Bay Transit Authority had other plans. The MBTA — who were apparently provided with the students' findings a week ahead of time — rushed into Federal court on Friday requesting a restraining order against the presentation, which was granted on Saturday in a special session. The MBTA paints the students as malicious hackers, who, if allowed to give their talk, would gladly violate the Computer Fraud and Abuse Act — a law intended to prevent illegal access to computer systems and the spread of malicious software and tools used for illegal hacking — though that claim comes as quite a surprise to the professor who gave them an A for their work, Dr. Ron Rivest. Indeed, the same Ron Rivest who co-invented the RSA algorithm, wrote the MD2, MD4, & MD5 cryptographic hash functions, as well as inventing RC2, RC4, RC5, and (with others) RC6, received two Lifetime Achievement Awards for his work, and was named the 2007 Marconi Fellow.

Apparently that, and a letter from thirteen other security experts, means little to the Federal court system, as Judge Douglas Woodlock "interpreted" the CFAA to ban even talking about vulnerabilities that could possibly be exploited. He enjoined the trio from discussing anything to do with the system for ten days — the longest the law would allow — and declared that they had acted "in contravention of best practices" and that there was no harm in gagging them until whenever. We're not experts ourselves, but we'd like to know just what Judge Woodlock — who graduated college the same year the DOD launched ARPANET and RC1 was published — knows about security research best practices that MIT's Viterbi Professor of Computer Science does not. Of course, we're more interested to know why the phrases "prior restraint" and "free speech" seem to have gone AWOL from his vocabulary.

The case didn't stop there, though, as a second judge left the trio in the lurch so he can take his time reviewing "more material" — hopefully, including a copy of the Constitution. Judge George O'Toole — on the bench since just before the Commodore 64 hit the market — refused to do anything but grant the MBTA's request for more documents from the students and Dr. Rivest — documents which the EFF says don't exist. Everything is now on hold until Tuesday, except the non-existent documents, which must be delivered by today. The EFF isn't taking the state of things lying down, though, as they announced yesterday that they will be taking the matter to the First Circuit Court of Appeals — sadly, too late to save the presentation.

Where will it all end? Nobody knows the specifics, but we can suggest a few that we're pretty certain of. The students will be irreparably harmed, as they've lost the opportunity to make their presentation at DefCon, something they may never get to do again, and the importance of which Judge Woodlock was apparently completely unable to see. The MBTA will still have a vulnerable card system, because silencing researchers isn't a valid method for securing your system — something a lot of large bureaucratic and autocratic organizations would do well to learn. As for Judge Woodlock, even if his blatant contravention of stare decisis — not to mention the Constitution — is overturned, he'll stay happily on the bench — thanks to his lifetime appointment — conveniently available to trample on someone else's rights.

__________________________
Justin Ryan is News Editor for LinuxJournal.com.

Protecting Defective Products

On August 18th, 2008 Toby (not verified) says:

Used to be if a product was deemed defective and dangerous it was recalled by the manufacturer. Now if you just make a product and label it as secure, even if it's completely not, non-techies from every political space will defend your worthless crap.

Forrest Gump on Security

On August 15th, 2008 MadCat (not verified) says:

The ultimate irony is that the students' technical paper, which does contain a general description of how someone can contravene the Charlie card system (basically, anyone with a magnetic stripe reader/writer) was introduced into evidence as part of one of the hearings, so it's now a matter of public record. AFAIK, the presentation (already pre-published as part of the conference notes) did not go into that much detail.

"Stupid is as stupid does."
