The Massachusetts Bay Transit Authority is a little slow on the draw. It filed a lawsuit last night to stop three MIT students from disclosing flaws in the agency’s electronic payment systems.
A spokeswoman for Defcon confirmed that the suit was filed in federal court in Massachusetts last night and the talk had been withdrawn. But she also said that the paper for the talk had already been given out on CDs distributed to thousands of hackers attending the conference. The suit is like closing the barn door after the jail break.
“It’s not like it’s going to stop the information from getting out,” she said.
The three speakers are Zack Anderson, 21, RJ Ryan, 22 and Alessandro Chiesa, 20. Their paper said that it was trivial to add hundreds of dollars to CharlieCard fare cards that are distributed with magnetic strips or radio frequency identification tags. The MBTA serves about 1.4 million riders a day. The MBTA apparently engaged in negotiations with MIT during the week before filing the suit Friday. In any case, it was late.
Update: A copy of the suit is now in the press room at Defcon. It says that the three researchers offered “free subway rides for life” to interested parties over the Internet and planned to present their paper on Sunday at Defcon. It said MIT was unwilling to put limits on the behavior of the undergrads. The suit also said the students did not notify the agency of the flaws in advance or engage in responsible disclosure, which would have given the agency time to fix any security holes before the publicity.