"Want free subway rides for life?" teased the description of the talk "Anatomy of a Subway Hack" by three MIT students at DefCon this past weekend, where they planned to explain security flaws in the payment system for Boston's T subway. Live! They were going to demo how they cracked the system's CharlieCard smartcards and the mag-stripe on its paper CharlieTickets, among other gaping holes, and offer up open source tools they made while conducting their research. Apparently, however, that "constitutes a threat to public health or safety," and "affects a computer system used by a government agency for national security purposes."
At least, that's what the Massachusetts Bay Transportation Authority's lawsuit against the students, their professor and the university claims. The MBTA argues that the students actually ran afoul of the federal Computer Fraud and Abuse Act because one of the fare cards "constitutes a computer," and that because the MBTA works with the Department of Homeland Security, national security, yadda yadda. End result, the judge agreed and gagged the students for at least 10 days, so they couldn't give their talk (you can still check out the presentation here though). The students say that they believed the matter had been resolved before the restraining order was filed, and didn't realise that the MBTA wanted a full copy of the presentation.
The Electronic Frontier Foundation is currently repping the students, and says that the judge came to "a very, very wrong conclusion" and that the decision "has a tremendous chilling effect on sharing this sort of research. . . . And we intend to fight it with everything we've got." [Wired, WSJ, The Tech via Alley Insider]