Massachusetts Bay Transportation Authority v. Anderson: Difference between revisions
Madcoverboy (talk | contribs) ← Created page with '{| class="infobox" style="width: 25em; font-size: 95%;" |- ! colspan="2" bgcolor="6699FF" | '''''Massachusetts Bay Transportation Authority v. Anderson''''' |- | ...' |
Moving from Category:Railway case law to Category:United States railway case law Diffusing per WP:DIFFUSE and/or WP:ALLINCLUDED using Cat-a-lot |
||
(182 intermediate revisions by 67 users not shown) | |||
Line 1: | Line 1: | ||
{{Short description|Action to block publication of vulnerability}} |
|||
{| class="infobox" style="width: 25em; font-size: 95%;" |
|||
{{Use American English|date=December 2022}} |
|||
|- |
|||
{{Use mdy dates|date=December 2022}} |
|||
⚫ | |||
{{Infobox court case |
|||
|- |
|||
⚫ | |||
| colspan="2" align="center" | |
|||
| court = [[United States District Court for the District of Massachusetts]] |
|||
| image = |
|||
|- |
|||
| imagesize = 100px |
|||
|'''Filed''' |
|||
| caption = |
|||
|[[August 8]], [[2008]] |
|||
⚫ | |||
|- |
|||
| date decided = {{start date|2008|8|19}} |
|||
|'''Decided''' |
|||
| judges = [[George A. O'Toole, Jr.]]<ref>{{cite web |url=http://www.fjc.gov/servlet/tGetInfo?jid=1805 |title=Judges of the United States Courts - Biography of Judge George A. O'Toole, Jr |publisher=Federal Judicial Center |accessdate=August 15, 2008 |url-status=dead |archiveurl=https://web.archive.org/web/20080921095651/http://www.fjc.gov/servlet/tGetInfo?jid=1805 |archivedate=September 21, 2008 }}</ref> |
|||
|''Undecided'' |
|||
|citations = |
|||
|- |
|||
|ECLI = |
|||
|'''Case name''' |
|||
|transcripts = |
|||
⚫ | |||
|number of judges = 1 |
|||
|- |
|||
|decision by = |
|||
|'''Citations''' |
|||
|concurring = |
|||
|''Undecided'' |
|||
|dissenting = |
|||
| |
|||
|concur/dissent = |
|||
|- |
|||
|prior actions = injunction granted {{start date|2008|8|9}} Civil Action No. 08-11364-GAO |
|||
|'''Holding''' |
|||
|appealed from = |
|||
|''Undecided'' |
|||
|appealed to = |
|||
|- |
|||
|subsequent actions = |
|||
|'''Judge''' |
|||
|related actions = |
|||
|[[George A. O'Toole, Jr.]] |
|||
|opinions = Judge rejected MBTA's request to extend injunction |
|||
|- |
|||
⚫ | |||
|'''Laws applied''' |
|||
⚫ | |||
⚫ | |||
⚫ | |||
'''''Massachusetts Bay Transportation Authority v. Anderson, et al.''''', Civil Action No. 08-11364, was a challenge brought by the [[Massachusetts Bay Transportation Authority]] (MBTA) |
'''''Massachusetts Bay Transportation Authority v. Anderson, et al.''''', Civil Action No. 08-11364, was a challenge brought by the [[Massachusetts Bay Transportation Authority]] (MBTA) to prevent three [[Massachusetts Institute of Technology]] (MIT) students from publicly presenting a [[security vulnerability]] they discovered in the MBTA's [[CharlieCard]] [[automated fare collection system]]. The case concerns the extent to which the [[responsible disclosure|disclosure of a computer security flaw]] is a form of [[free speech]] protected by the [[First Amendment to the United States Constitution|First Amendment]] to the [[United States Constitution]]. |
||
The MBTA claimed that the MIT students violated the [[Computer Fraud and Abuse Act]] (CFAA) and on August 9, 2008, was granted a [[temporary restraining order]] (TRO) against the students to prevent them from presenting information to [[DEF CON (convention)|DEFCON]] conference attendees that could have potentially been used to defraud the MBTA of transit fares. The MIT students contended that submitting their research for review and approval by a government agency before publication is unconstitutional [[prior restraint]]. |
|||
The case garnered considerable popular and press attention when the injunction unintentionally became a victim of the [[Streisand effect]], increasing the dissemination of the sensitive information of the students' presentation because the slides had been both distributed to conference organizers in the weeks before the injunction as well as inadvertently posted to the district court's public website as exhibits to the MBTA's original complaint. |
|||
On August 19, the judge rejected the MBTA's request to extend the restraining order and the TRO likewise expired, thus granting the students the right to discuss and present their findings.<ref name="bare_url">{{cite news|url=https://www.reuters.com/article/us-massachusetts-hackers/judge-backs-hackers-in-boston-subway-dispute-idUSN1930518220080820 |title=Judge backs hackers in Boston subway dispute |last=Malone |first=Scott |date=August 19, 2008 |work=Reuters |accessdate=August 19, 2008}}</ref> |
|||
==Background== |
==Background== |
||
In December 2007, cautions were published separately by Karsten Nohl<ref>{{cite web |url=http://www.cs.virginia.edu/~kn5f/ |title=Karsten Nohl webpage |publisher=University of Virginia |accessdate=August 15, 2008 |archive-date=February 4, 2020 |archive-url=https://web.archive.org/web/20200204014629/http://www.cs.virginia.edu/~kn5f/ |url-status=dead }}</ref> and Henryk Plotz regarding the [[weak encryption]] and other vulnerabilities of the particular security scheme as implemented on [[NXP Semiconductors|NXP]]'s [[MIFARE]] [[Chipset|chip set]] and [[Proximity card|contactless electronic card]] system.<ref>{{cite journal|last=Plötz |first=Henryk |author2=Meriac, Milosch |url=https://events.ccc.de/camp/2007/Fahrplan/events/1957.en.html |title=Practical RFID Attacks |publisher=Chaos Communication Camp |date=August 2007 |location=Berlin, Germany}}</ref><ref>{{Cite journal|last=Courtois |first=Nicolas T. |author2=Nohl, Karsten |author3=O’Neil, Sean |url=http://eprint.iacr.org/2008/166 |title=Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards |publisher=IACR pre-print archive |date=April 14, 2008 |accessdate=August 15, 2008}}</ref> In March 2008, articles on the vulnerabilities appeared in newspapers and computer trade journals.<ref>{{cite news |url=http://www.virginia.edu/uvatoday/newsRelease.php?id=4321 |title=Group Demonstrates Security Hole in World's Most Popular Smartcard |publisher=UVA Today |date=February 26, 2008 |accessdate=August 15, 2008 |url-status=dead |archiveurl=https://archive.today/20120805181520/http://www.virginia.edu/uvatoday/newsRelease.php?id=4321 |archivedate=August 5, 2012 }}</ref><ref>{{cite magazine|last=Dayal |first=Geeta |url=https://www.computerworld.com/article/2537817/security0/how-they-hacked-it--the-mifare-rfid-crack-explained.html |title=How they hacked it: The MiFare RFID crack explained : A look at the research behind the chip compromise |magazine=[[Computerworld]] |date=March 19, 2008 
|accessdate=August 15, 2008}}</ref> A comparable independent [[cryptanalysis]], focused on the [[MIFARE]] Classic chip, was performed at the [[Radboud University Nijmegen]]. On March 7 the scientists were able to recover a [[cryptographic key]] from the [[RFID]] card without using expensive equipment.<ref>{{cite web |url = http://www2.ru.nl/media/pressrelease.pdf |title = Scientists of the Radboud University Nijmegen break the security of the MIFARE Classic cards |access-date = April 29, 2009 |archive-date = March 18, 2021 |archive-url = https://web.archive.org/web/20210318132610/http://www2.ru.nl/media/pressrelease.pdf |url-status = dead }}</ref> With respect to [[responsible disclosure]] the [[Radboud University Nijmegen]] published the article<ref>{{cite web |last=Garcia |first=Flavio D. |author2=Gerhard de Koning Gans |author3=Ruben Muijrers |author4=Peter van Rossum, Roel Verdult |author5=Ronny Wichers Schreur |author6=Bart Jacobs |url=https://www.cs.ru.nl/~flaviog/publications/Dismantling.Mifare.pdf |title=Dismantling MIFARE Classic |publisher=13th European Symposium on Research in Computer Security (ESORICS 2008), LNCS, Springer |date=October 4, 2008 |access-date=July 19, 2020 |archive-date=February 23, 2021 |archive-url=https://web.archive.org/web/20210223113847/https://www.cs.ru.nl/~flaviog/publications/Dismantling.Mifare.pdf |url-status=dead }}</ref> six months later. [[NXP Semiconductors|NXP]] tried to stop the publication of the second article through a preliminary injunction. 
In [[the Netherlands]], the judge ruled on July 18 that publishing this [[scientific article]] falls under the principle of freedom of expression and that in a democratic society it is of great importance that the results of scientific research can be published.<ref>{{cite web | url = http://zoeken.rechtspraak.nl/ResultPage.aspx?snelzoeken=t&searchtype=ljn&ljn=BD7578 | title = Pronunciation, Primary Claim (dutch) | author = Arnhem Court Judge Services | publisher = Rechtbank Arnhem | date = July 18, 2008 | access-date = April 29, 2009 | archive-date = February 15, 2012 | archive-url = https://web.archive.org/web/20120215225402/http://zoeken.rechtspraak.nl/ResultPage.aspx?snelzoeken=t&searchtype=ljn&ljn=BD7578 | url-status = dead }}</ref> |
|||
In May 2008, three MIT students published a final paper in Professor [[Ron Rivest]]'s 6.857 Computer and Network Security class demonstrating weaknesses in the MBTA's automated fare collection system. |
|||
In May 2008, MIT students Zack Anderson,<ref>[http://web.mit.edu/zacka/www/ Zack Anderson homepage at MIT]</ref><ref>[http://www.zack-anderson.com/ Zack Anderson personal homepage]</ref> Russell J. Ryan,<ref>[http://www.rustyryan.net/ Russell J. Ryan homepage]</ref> Alessandro Chiesa,<ref>[http://web.mit.edu/alexch/www/ Alessandro Chiesa page at MIT]</ref> and Samuel G. McVeety presented a final paper in Professor [[Ron Rivest]]'s ''6.857: Computer and Network Security'' class demonstrating weaknesses in the MBTA's automated fare collection system. The report identified four problems: the value is stored on the card and not in a secure database, the data on the card can be easily read and overwritten, there is no cryptographic signature algorithm to prevent forgeries, and there is no centralized card verification system.<ref>{{cite news|url=http://www.boston.com/news/local/articles/2008/08/12/mit_students_report_makes_security_recommendations_to_t/ |title=MIT students' report makes security recommendations to T|last=Baxter |first=Christopher |date=August 12, 2008 |newspaper=Boston Globe |accessdate=August 15, 2008}}</ref> Anderson, Ryan, and Chiesa submitted a presentation entitled "Anatomy of a Subway Hack: Breaking Crypto RFID's and Magstripes of Ticketing Systems" to the [[DEF CON (convention)|DEF CON]] [[hacker convention]] which claimed to review and demonstrate how to [[reverse engineer]] the data on the [[magstripe]] card, several attacks to break the MIFARE-based [[Charlie Card]], and brute force attacks using [[Field-programmable gate array|FPGAs]].<ref>{{cite web|url=https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Anderson |title=Speakers for DEFCON 16 |publisher=DEFCON Communications |accessdate=August 16, 2008}}</ref> |
|||
Before the complaint was filed in August 2008, [[Bruce Schneier]] wrote on the matter that "Publication of this attack might be expensive for NXP and its customers, but it's good for security overall. Companies will only design security as good as their customers know to ask for."<ref>{{Cite web|url=http://www.schneier.com/blog/archives/2008/08/hacking_mifare.html |last=Schneier |first=Bruce |title=Hacking Mifare Transport Cards |publisher=Schneier on Security newsletter |date=August 7, 2008}}</ref> |
|||
==Litigation== |
|||
On August 8, 2008, the MBTA filed suit seeking a temporary restraining order, both to prevent the students from presenting or otherwise discussing their findings until its vendors had sufficient time to correct defects and to seek monetary damages. The motion was granted on August 9 by Judge [[Douglas P. Woodlock]]<ref>{{cite web |url=http://www.fjc.gov/servlet/tGetInfo?jid=2643 |title=Judges of the United States Courts - Biography of Judge Douglas Woodlock |publisher=[[Federal Judicial Center]] |accessdate=August 15, 2008 |url-status=dead |archiveurl=https://web.archive.org/web/20080916224334/http://www.fjc.gov/servlet/tGetInfo?jid=2643 |archivedate=September 16, 2008 }}</ref> and while the students appeared as scheduled, they did not speak or present at the convention.<ref>{{cite news|url=http://news.cnet.com/8301-1009_3-10012612-83.html |title=Judge orders halt to Defcon speech on subway card hacking |last=McCullagh |first=Declan |date=August 9, 2008 |accessdate=August 15, 2008 |publisher=CNET News}}</ref><ref name="CB1">{{cite web| last=Lundin|first=Leigh |title=Dangerous Ideas |url=http://criminalbrief.com/?p=1892 |work=MBTA v DefCon 16 |publisher=Criminal Brief |accessdate=October 7, 2010 |date=August 17, 2008 }}</ref> However, the injunction not only garnered more popularity and press attention to the case, but the sensitive information in the students' presentation became even more widely disseminated afterwards (by what is called the [[Streisand effect]]) since it had been both distributed to conference organizers in the weeks before the injunction as well as inadvertently posted to the district court's public website as exhibits to the MBTA's original complaint.<ref>{{cite news|url=http://www.abcnews.go.com/Technology/story?id=5564423&page=1 |title=Injunction to Silence MIT Student Hackers Backfires |date=August 12, 2008 |accessdate=August 15, 2008 |publisher=ABC News |last=Heussner |first=Ki Mae}}</ref><ref>{{cite 
web|url=http://www.sciam.com/article.cfm?id=call-the-cops-on-second-thought-don-2008-08-14 |archive-url=https://archive.today/20120911062935/http://www.sciam.com/article.cfm?id=call-the-cops-on-second-thought-don-2008-08-14 |url-status=dead |archive-date=September 11, 2012 |title=MIT hackers make Massachusetts officials nervous at Defcon |date=August 14, 2008 |last=Stix |first=Gary |publisher=Scientific American: 60-Second Science Blog |accessdate=August 15, 2008}}</ref> |
|||
The MBTA retained [[Holland & Knight]] to represent them and contended that under the norm of [[responsible disclosure]], the students did not provide sufficient information or time before the presentation for the MBTA to correct the flaw and further alleged that the students transmitted programs to cause damage to (or attempted to transmit and damage) MBTA computers in an amount in excess of $5,000 under the [[Computer Fraud and Abuse Act]]. Furthermore, it was contended that this damage constituted a threat to public health and safety and the MBTA would suffer [[irreparable harm]] if the students were allowed to present; that the students [[Conversion (law)|converted]] and [[trespass to chattels|trespassed]] on MBTA property; that the students illegally profited from their activities; and that MIT itself was negligent in supervising the undergraduates and notifying the MBTA.<ref>Complaint, pp. 12–16.</ref> |
|||
The MIT students retained the [[Electronic Frontier Foundation]] and [[Fish & Richardson]] to represent them and asserted that the term "transmission" in the CFAA cannot be broadly construed as any form of communication and the restraining order is a [[prior restraint]] infringing their [[First Amendment to the United States Constitution|First Amendment]] right to protected free speech about academic research.<ref>Response, pp. 9–17.</ref><ref>{{cite news|url=https://news.yahoo.com/s/cnet/20080813/tc_cnet/8301100931001611483 |title=Transit agency wants MIT students to stay gagged |last=McCullagh |first=Declan |date=August 13, 2008 |accessdate=August 15, 2008 |publisher=CNET News}} {{Dead link|date=October 2010|bot=H3llBot}}</ref> A letter published by 11 prominent computer scientists on August 11 supported the defendants' assertions and claimed that the precedent of the [[gag order]] will "stifle research efforts and weaken academic computing research programs. In turn, we fear the shadow of the law's ambiguities will reduce our ability to contribute to industrial research in security technologies at the heart of our information infrastructure."<ref>Letter from Computer Science Professors and Computer Scientists, p. 7.</ref> |
|||
On August 19, the judge rejected the MBTA's request to extend the restraining order and the TRO likewise expired, thus granting the students the right to discuss and present their findings.<ref name="bare_url" /> |
|||
==See also== |
|||
* [[Security through obscurity]] |
|||
==References== |
==References== |
||
{{reflist| |
{{reflist|30em}} |
||
==Further reading== |
|||
* {{cite magazine |first=Andy |last=Greenberg |date=August 10, 2023 |title=Teens Hacked Boston Subway Cards to Get Infinite Free Rides—and This Time, Nobody Got Sued |magazine=[[Wired (magazine)|Wired]] |url=https://www.wired.com/story/mtba-charliecard-hack-defcon-2023/ |access-date=2023-08-10}} |
|||
* {{cite web |last1=McGraw-Herdeg |first1=Michael |last2=Vogt |first2=Marissa |url=http://tech.mit.edu/V128/N31/subway.html |title=MBTA Sues Three Students to Stop Speech on Subway Vulnerabilities |work=[[The Tech (newspaper)|The Tech]] |publisher=MIT |volume=128 |issue=31 |date=August 25, 2008 |archive-url=https://web.archive.org/web/20080918074404/http://tech.mit.edu/V128/N31/subway.html |archive-date=2008-09-18}} |
|||
==External links== |
==External links== |
||
⚫ | |||
===Court documents=== |
|||
* '''Complaint''': [https://www.eff.org/files/filenode/MBTA_v_Anderson/mbta-v-anderson-complaint.pdf MBTA vs. Anderson, et al.] |
|||
* '''Temporary restraining order''': [https://www.eff.org/files/filenode/MBTA_v_Anderson/mbta-temp-restraining-order.pdf August 9 restraining order] |
|||
* '''Response''': [https://www.eff.org/files/filenode/MBTA_v_Anderson/studentresponse081208.pdf MIT Students' response and Motion to Modify] |
|||
* '''Exhibit''': [https://www.eff.org/files/filenode/MBTA_v_Anderson/letter081208.pdf Letter from Computer Science Professors and Computer Scientists] |
|||
===Other links=== |
|||
⚫ | |||
* [https://web.archive.org/web/20080922195048/http://www.legaltalknetwork.com/modules.php?name=News&file=article&sid=305 Legal Talk Network discussion] |
|||
{{DEFAULTSORT}} |
{{DEFAULTSORT:Massachusetts Bay Transportation Authority V. Anderson}} |
||
[[Category: |
[[Category:Cryptography case law]] |
||
[[Category:United States District Court for the District of Massachusetts cases]] |
|||
⚫ | |||
[[Category:United States |
[[Category:United States Internet case law]] |
||
[[Category:United States |
[[Category:United States Free Speech Clause case law]] |
||
[[Category: |
[[Category:Electronic Frontier Foundation litigation]] |
||
[[Category: |
[[Category:Massachusetts Bay Transportation Authority]] |
||
[[Category:2008 in United States case law]] |
|||
⚫ | |||
[[Category:2008 in rail transport]] |
|||
[[Category:United States railway case law]] |
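Review bot: In the Background paragraph, the two sources by Plötz and Meriac ("Practical RFID Attacks") and by Courtois, Nohl and O'Neil ("Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards") use {{cite journal}} with only |publisher= set and no |journal=, which the template reports as a citation error. Switching the first to {{cite conference}} and the second to {{cite web}} would clear it. The prose in the same paragraph also spells the researcher's name "Henryk Plotz" while the citation gives "Plötz"; the prose should match the citation.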
Latest revision as of 14:51, 5 October 2024
Massachusetts Bay Transportation Authority v. Anderson | |
---|---|
Court | United States District Court for the District of Massachusetts |
Full case name | Massachusetts Bay Transportation Authority v. Zack Anderson, RJ Ryan, Alessandro Chiesa, and the Massachusetts Institute of Technology |
Decided | August 19, 2008 |
Prior action | Injunction granted August 9, 2008; Civil Action No. 08-11364-GAO |
Judge sitting | George A. O'Toole, Jr.[1] |
Case opinion | Judge rejected MBTA's request to extend injunction |
Massachusetts Bay Transportation Authority v. Anderson, et al., Civil Action No. 08-11364, was a challenge brought by the Massachusetts Bay Transportation Authority (MBTA) to prevent three Massachusetts Institute of Technology (MIT) students from publicly presenting a security vulnerability they discovered in the MBTA's CharlieCard automated fare collection system. The case concerns the extent to which the disclosure of a computer security flaw is a form of free speech protected by the First Amendment to the United States Constitution.
The MBTA claimed that the MIT students violated the Computer Fraud and Abuse Act (CFAA) and on August 9, 2008, was granted a temporary restraining order (TRO) against the students to prevent them from presenting information to DEFCON conference attendees that could have potentially been used to defraud the MBTA of transit fares. The MIT students contended that submitting their research for review and approval by a government agency before publication is unconstitutional prior restraint.
The case garnered considerable popular and press attention when the injunction fell victim to the Streisand effect: it increased the dissemination of the sensitive information in the students' presentation, because the slides had been distributed to conference organizers in the weeks before the injunction and were also inadvertently posted to the district court's public website as exhibits to the MBTA's original complaint.
On August 19, the judge rejected the MBTA's request to extend the restraining order and the TRO likewise expired, thus granting the students the right to discuss and present their findings.[2]
Background
In December 2007, Karsten Nohl[3] and Henryk Plötz separately published warnings about the weak encryption and other vulnerabilities of the security scheme implemented on NXP's MIFARE chip set and contactless electronic card system.[4][5] In March 2008, articles on the vulnerabilities appeared in newspapers and computer trade journals.[6][7] A comparable independent cryptanalysis, focused on the MIFARE Classic chip, was performed at Radboud University Nijmegen. On March 7 the scientists were able to recover a cryptographic key from the RFID card without using expensive equipment.[8] In keeping with responsible disclosure, Radboud University Nijmegen published the article[9] six months later. NXP tried to stop the publication of the second article through a preliminary injunction. In the Netherlands, the judge ruled on July 18 that publishing this scientific article falls under the principle of freedom of expression and that in a democratic society it is of great importance that the results of scientific research can be published.[10]
In May 2008, MIT students Zack Anderson,[11][12] Russell J. Ryan,[13] Alessandro Chiesa,[14] and Samuel G. McVeety presented a final paper in Professor Ron Rivest's 6.857: Computer and Network Security class demonstrating weaknesses in the MBTA's automated fare collection system. The report identified four problems: the value is stored on the card and not in a secure database, the data on the card can be easily read and overwritten, there is no cryptographic signature algorithm to prevent forgeries, and there is no centralized card verification system.[15] Anderson, Ryan, and Chiesa submitted a presentation entitled "Anatomy of a Subway Hack: Breaking Crypto RFID's and Magstripes of Ticketing Systems" to the DEF CON hacker convention which claimed to review and demonstrate how to reverse engineer the data on the magstripe card, several attacks to break the MIFARE-based CharlieCard, and brute force attacks using FPGAs.[16]
Before the complaint was filed in August 2008, Bruce Schneier wrote on the matter that "Publication of this attack might be expensive for NXP and its customers, but it's good for security overall. Companies will only design security as good as their customers know to ask for."[17]
Litigation
On August 8, 2008, the MBTA filed suit seeking a temporary restraining order to prevent the students from presenting or otherwise discussing their findings until its vendors had sufficient time to correct defects, and seeking monetary damages. The motion was granted on August 9 by Judge Douglas P. Woodlock[18] and while the students appeared as scheduled, they did not speak or present at the convention.[19][20] However, the injunction drew more popular and press attention to the case, and the sensitive information in the students' presentation became even more widely disseminated afterwards (the so-called Streisand effect), since it had been distributed to conference organizers in the weeks before the injunction and also inadvertently posted to the district court's public website as exhibits to the MBTA's original complaint.[21][22]
The MBTA retained Holland & Knight to represent them and contended that under the norm of responsible disclosure, the students did not provide sufficient information or time before the presentation for the MBTA to correct the flaw and further alleged that the students transmitted programs to cause damage to (or attempted to transmit and damage) MBTA computers in an amount in excess of $5,000 under the Computer Fraud and Abuse Act. Furthermore, it was contended that this damage constituted a threat to public health and safety and the MBTA would suffer irreparable harm if the students were allowed to present; that the students converted and trespassed on MBTA property; that the students illegally profited from their activities; and that MIT itself was negligent in supervising the undergraduates and notifying the MBTA.[23]
The MIT students retained the Electronic Frontier Foundation and Fish & Richardson to represent them and asserted that the term "transmission" in the CFAA cannot be broadly construed as any form of communication and the restraining order is a prior restraint infringing their First Amendment right to protected free speech about academic research.[24][25] A letter published by 11 prominent computer scientists on August 11 supported the defendants' assertions and claimed that the precedent of the gag order will "stifle research efforts and weaken academic computing research programs. In turn, we fear the shadow of the law's ambiguities will reduce our ability to contribute to industrial research in security technologies at the heart of our information infrastructure."[26]
On August 19, the judge rejected the MBTA's request to extend the restraining order and the TRO likewise expired, thus granting the students the right to discuss and present their findings.[2]
See also
- Security through obscurity
References
- [1] "Judges of the United States Courts - Biography of Judge George A. O'Toole, Jr". Federal Judicial Center. Archived from the original on September 21, 2008. Retrieved August 15, 2008.
- [2] Malone, Scott (August 19, 2008). "Judge backs hackers in Boston subway dispute". Reuters. Retrieved August 19, 2008.
- [3] "Karsten Nohl webpage". University of Virginia. Archived from the original on February 4, 2020. Retrieved August 15, 2008.
- [4] Plötz, Henryk; Meriac, Milosch (August 2007). "Practical RFID Attacks". Berlin, Germany: Chaos Communication Camp.
- [5] Courtois, Nicolas T.; Nohl, Karsten; O’Neil, Sean (April 14, 2008). "Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards". IACR pre-print archive. Retrieved August 15, 2008.
- [6] "Group Demonstrates Security Hole in World's Most Popular Smartcard". UVA Today. February 26, 2008. Archived from the original on August 5, 2012. Retrieved August 15, 2008.
- [7] Dayal, Geeta (March 19, 2008). "How they hacked it: The MiFare RFID crack explained : A look at the research behind the chip compromise". Computerworld. Retrieved August 15, 2008.
- [8] "Scientists of the Radboud University Nijmegen break the security of the MIFARE Classic cards" (PDF). Archived from the original (PDF) on March 18, 2021. Retrieved April 29, 2009.
- [9] Garcia, Flavio D.; Gerhard de Koning Gans; Ruben Muijrers; Peter van Rossum, Roel Verdult; Ronny Wichers Schreur; Bart Jacobs (October 4, 2008). "Dismantling MIFARE Classic" (PDF). 13th European Symposium on Research in Computer Security (ESORICS 2008), LNCS, Springer. Archived from the original (PDF) on February 23, 2021. Retrieved July 19, 2020.
- [10] Arnhem Court Judge Services (July 18, 2008). "Pronunciation, Primary Claim (dutch)". Rechtbank Arnhem. Archived from the original on February 15, 2012. Retrieved April 29, 2009.
- [11] Zack Anderson homepage at MIT
- [12] Zack Anderson personal homepage
- [13] Russell J. Ryan homepage
- [14] Alessandro Chiesa page at MIT
- [15] Baxter, Christopher (August 12, 2008). "MIT students' report makes security recommendations to T". Boston Globe. Retrieved August 15, 2008.
- [16] "Speakers for DEFCON 16". DEFCON Communications. Retrieved August 16, 2008.
- [17] Schneier, Bruce (August 7, 2008). "Hacking Mifare Transport Cards". Schneier on Security newsletter.
- [18] "Judges of the United States Courts - Biography of Judge Douglas Woodlock". Federal Judicial Center. Archived from the original on September 16, 2008. Retrieved August 15, 2008.
- [19] McCullagh, Declan (August 9, 2008). "Judge orders halt to Defcon speech on subway card hacking". CNET News. Retrieved August 15, 2008.
- [20] Lundin, Leigh (August 17, 2008). "Dangerous Ideas". MBTA v DefCon 16. Criminal Brief. Retrieved October 7, 2010.
- [21] Heussner, Ki Mae (August 12, 2008). "Injunction to Silence MIT Student Hackers Backfires". ABC News. Retrieved August 15, 2008.
- [22] Stix, Gary (August 14, 2008). "MIT hackers make Massachusetts officials nervous at Defcon". Scientific American: 60-Second Science Blog. Archived from the original on September 11, 2012. Retrieved August 15, 2008.
- [23] Complaint, pp. 12–16.
- [24] Response, pp. 9–17.
- [25] McCullagh, Declan (August 13, 2008). "Transit agency wants MIT students to stay gagged". CNET News. Retrieved August 15, 2008. [dead link]
- [26] Letter from Computer Science Professors and Computer Scientists, p. 7.
Further reading
- Greenberg, Andy (August 10, 2023). "Teens Hacked Boston Subway Cards to Get Infinite Free Rides—and This Time, Nobody Got Sued". Wired. Retrieved August 10, 2023.
- McGraw-Herdeg, Michael; Vogt, Marissa (August 25, 2008). "MBTA Sues Three Students to Stop Speech on Subway Vulnerabilities". The Tech. MIT. Archived from the original on September 18, 2008.
External links
Court documents
- Complaint: MBTA vs. Anderson, et al.
- Temporary restraining order: August 9 restraining order
- Response: MIT Students' response and Motion to Modify
- Exhibit: Letter from Computer Science Professors and Computer Scientists
Other links
- Legal Talk Network discussion