Gagging order lifted on subway hackers

Three MIT students will be allowed to share their research in hacking subway cards

A US judge has lifted the restraining order on a group of MIT students who hacked the payment cards for the Boston subway system.

The three students had conducted a research project on the security system for the Massachusetts Bay Transit Authority (MBTA) Charlie Card payment system.

The project found ways in which users could modify the cards and avoid payment when riding on MBTA trains and buses.

The students had initially spoken with the MBTA and agreed to provide the agency with their research, parts of which were also set to be shared at the Defcon security conference.

Shortly before the conference, however, the MBTA filed a restraining order against the students, claiming that the trio had not provided it with enough information.

The MBTA also claimed that the presentation would enable others to hack the system, and would thus violate the Computer Fraud and Abuse Act.

A temporary restraining order was granted prohibiting the students from delivering their presentation and prompting the attention of the Electronic Frontier Foundation (EFF).

However, US federal judge George O'Toole ruled on Tuesday that the act of speaking at a conference does not violate the Computer Fraud and Abuse Act and lifted the restraining order.

The students maintain that they had provided the MBTA with all the information it had originally requested, and that the Defcon presentation would have left out key information to prevent any real-world hacks from occurring.

"A presentation at a security conference is not some sort of computer intrusion. It's protected speech and vital to the free flow of information about computer security vulnerabilities," said EFF staff attorney Marcia Hoffmann.

"Silencing researchers does not improve security. The vulnerability was there before the students discovered it and would remain in place regardless of whether the students publicly discussed it or not."