"Anatomy of a Subway Hack"

Three MIT students who discovered a way to counterfeit MBTA tickets are now free to discuss their research.

In federal court yesterday, a judge lifted a gag order imposed on the students last week, after the 'T' sued to block their presentation.

The MBTA admitted in court that the magnetic strip on Charlie tickets can be cloned, and they say it will take five months to fix the problem. Here's WBUR's Monica Brady-Myerov with more on the case.

TEXT OF STORY:

MONICA BRADY-MYEROV: Anatomy of a Subway Hack: It sounds like a thriller novel. But it's the title of a paper three MIT undergraduates planned to present earlier this month to the DEFCON conference of hackers. And now it's all over the Internet, explaining how to clone subway tickets on the MBTA.

The battle over this information was in federal court again yesterday when the T asked a judge to extend the gag order on the students for five months while it fixes the problems. The agency admitted the students got it right and know how to counterfeit the paper Charlie tickets.

Their research on copying the computer chips on Charlie cards hasn't been proven to work by the MBTA. But a judge ruled the students weren't violating federal law with the information and lifted the gag order. Cindy Cohn, of the California-based Electronic Frontier Foundation, represented the students, who are away on summer break.

CINDY COHN: The First Amendment won today because it fully says that if you are engaged in security research and you are speaking truthful information you get to speak it. It's improper for someone to go to court and try to gag you. The federal law doesn't allow that.

MONICA BRADY-MYEROV: But Cohn says the students don't want to tell everyone how to clone Charlie tickets. She says their presentation has made it onto the internet because the MBTA filed it with court documents.

CINDY COHN: The MIT students never provided the information that would allow someone to give a free ride to the extent that that information got out the bat filed in the public record here. So to the extent that somebody figured out how to do this the MBTA needs to look at itself. Why are you providing this confidential information to the public instead of really trying to address it?

MONICA BRADY-MYEROV: The lawyer for the T refused to comment after the hearing. In court he said the T fears the students would give step by step instructions on how to hack the system. In a statement MBTA General Manager Dan Grabauskas says that now that the court proceedings are done, he invites the students to sit down with them and discuss their findings.

Earlier this month the three students gave a confidential security analysis to the MBTA so it could fix the gaps and told them they wanted to present some of what they found at a national conference. A T security officer gave them the green light. But days later the MBTA filed suit arguing that distributing the information violates the Computer Fraud and Abuse Act.

Yesterday the judge ruled the CFAA, as it's called, is aimed at people who create viruses or worms to attack computer systems. He agreed with the students' lawyer that publishing their information or sharing it with an audience is not the same as transmitting a virus through a computer to compromise a system.

The ruling is a good thing for the large research community in the Boston area, says John Reinstein, legal director of the American Civil Liberties Union of Massachusetts.

JOHN REINSTEIN: If the statute had been interpreted in the way the MBTA had been arguing I think we correctly argued it would cast a substantial pall on research activities.

MONICA BRADY-MYEROV: The students' presentation also notes that you don't need a degree in computer science to ride the T for free. Entryways are often unguarded, doors are unlocked and turnstile control boxes are open in many stations.

For WBUR I'm Monica Brady-Myerov.

This program aired on August 20, 2008. The audio for this program is not available.
