With lawsuit settled, hackers now working with MBTA
Three Massachusetts Institute of Technology students who were sued earlier this year by the Massachusetts Bay Transit Authority (MBTA) said Monday that they are now working to make the Boston transit system more secure.
The announcement brings to a close a high profile case that pitted the rights of security researchers to freely discuss their findings against the concerns of one of the country's largest transit systems, which worried that this type of information could lead to widespread ticket fraud. "I'm really glad to have it behind me. I think this is really what should have happened from the start," said Zack Anderson, one of the students sued by the MBTA.
Anderson, along with Russell "RJ" Ryan and Alessandro Chiesa, was prevented from giving a talk entitled "The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems" at the Defcon hacker conference last August.
The students had planned to show that they had reverse engineered the MBTA's CharlieTicket magnetic stripe tickets and CharlieCard smartcards. The CharlieCard uses the same Mifare Classic RFID (radio frequency identification) technology that was cracked earlier this year by security researchers.
The MBTA had argued that the presentation could have caused "significant damage" to the transit system, but the students had said that they had no intention of releasing key pieces of information that would have allowed people to hack the system.
On Aug. 19, a judge threw out the MBTA's gag order, but the transit authority could have brought new motions against them, and so the case had been hanging over the MIT researchers.
The settlement ends the matter in an amicable way. "For professional reasons and for public interest reasons, the students wanted to help the MBTA," said Jennifer Granick, a lawyer with the Electronic Frontier Foundation who represents the students.
The case against the three was finally settled on Oct. 7, but this was not publicly announced until Monday, because it took two months for all parties to schedule a public announcement of the settlement, Granick said. The researchers met with MBTA technical staff on Oct. 21 to discuss their findings and are working to improve the transit authority's fare collection system, she added.
The MBTA could not be reached immediately for comment.
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
mit
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
