Slashdot Mirror


MIT Students' Gag Order Lifted

mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days. "Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."

3 of 160 comments

  1. Good Call by maz2331 · Score: 5, Insightful

    It looks like the judge made a pretty good call in this case. What he really rejected was the MBTA lawyers' assertion that it was an act prohibited by the law, and not exposing the agency's incompetence.

    Really, bugs aren't fixed by just hiding them.

    FTA:

    MBTA said in documents filed with the court that fixing the security flaws would take five months. ("Students have the ability to cause significant harm to the CharlieTicket system, during the roughly five-month window that remedial actions will require.")

    Actually, the fact that they implemented a seriously flawed system is the problem, and the students' bringing it to light may suck for MBTA. The proper solution is for them to fix their system and, if necessary, sue the vendor for the costs.

  2. $5000 worth of damages? by Ramses0 · Score: 5, Insightful

    That's an interesting argument...

    Does a mechanic cause $5000 worth of damage when he points out that your axle is broken and needs replacement?

    Can you cause damage to a system that has intrinsic vulnerabilities?

    Obviously people taking advantage of disclosed vulnerabilities should be punished under applicable laws (as with simple copyright violation) for whatever damages they caused, but I tend to agree that you can't really pin damages on the discloser.

    Now some other b.s. charge about reckless endangerment or speech issues, but probably not damages.

    --Robert

  3. Re:They never signed a non disclosure contract by macdaddy · Score: 5, Insightful

    Because it's embarrassing to somebody in power. Simple as that.