The Massachusetts Bay Transportation Authority is suing a trio of MIT students, saying their plan to unmask potential security flaws in the CharlieCard and CharlieTicket systems at a Las Vegas computer conference would cause "significant damage to the transit system."
The T was granted an injunction yesterday in US District Court in Boston that bars Zack Anderson, R.J. Ryan, and Alessandro Chiesa from presenting their methods and findings at the DEFCON hacker convention today.
In court documents filed Friday, the MBTA alleged that the trio claimed to have circumvented the security protocols of the electronic ticketing system. The suit alleges the students publicly offered "free subway rides for life" to people over the Internet, and planned to show others how to duplicate their methods at a DEFCON presentation.
The lawsuit also named the Massachusetts Institute of Technology as a defendant, saying the school failed to "instruct and guide the MIT undergraduates to responsibly disclose information concerning perceived security flaws."
A computer security researcher, Eric Johanson, defended the students in a statement filed in court by MIT, saying none of the information they were planning to disclose was new.
Johanson also said that computer security researchers need to openly discuss the flaws they find in real-world systems so better ones can be built.
He added that "prohibition of open discussion of security vulnerabilities greatly harms the ability of researchers to function and has a chilling effect not only on publication, but on whether some important research is done in the first place, greatly stifling scientific advancement."
The MBTA said it was first made aware of the undergraduates' research on July 30, by a vendor who services the fare collection system. The vendor discovered an Internet posting that advertised the MIT trio's upcoming DEFCON presentation.
The headline read, "Want free subway rides for life?" T officials then contacted the students and the university, arranging a meeting last week. After the meeting, in an apparent conciliatory gesture, the students changed the first line of the posting to read, "The anatomy of a subway hack." The talk was advertised that way yesterday on DEFCON's website.
The T is seeking unspecified financial damages and an extended injunction to prevent the trio from releasing their findings until it can plug any possible security holes.
The T is not sure there is a security problem, but the 10-day injunction will provide time to find out. "The injunction is allowing us to review the research that they have and see if there is any validity to their findings, and take corrective action, if any is even necessary," said Lydia Rivera, a T spokeswoman.
Sixty-eight percent of subway riders use the CharlieCard system, contributing $475,000 in revenue per weekday, the T says.
Created in 1993, DEFCON claims on its website, www.defcon.org, to be the oldest continuously running hacker convention in the world, drawing 3,000 to 5,000 people annually. It began Friday and runs through today.
Lawyers for the defendants did not return calls to their offices seeking comment. MIT said it was the school's policy not to comment on impending litigation.
John Guilfoil can be reached at jguilfoil@globe.com


