Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.

LAS VEGAS — At the Defcon security conference today, the Electronic Frontier Foundation held a press conference saying it is representing the MIT hackers who figured out how to get free rides on Boston’s subways. That raises the stakes in a dispute about whether the three undergraduates have the right to describe their work hacking electronic payment cards without violating the federal computer fraud and abuse statute.

At the same time, the EFF confirmed that a federal judge today ordered that the three hackers could not go forward with their scheduled talk on Sunday. Kurt Opsahl, senior staff attorney at the EFF, said the group would appeal the ruling on First Amendment grounds. On Friday, the Massachusetts Bay Transit Authority sued the three students (they also named MIT officials in a motion, but not in the actual lawsuit), alleging that the talk would subject it to hundreds of millions of dollars in losses.

The EFF is defending the hackers as part of its Coder’s Rights project announced earlier in the week and said that the three young men had the First Amendment right to speak about the flaws they found in the CharlieCard magnetic stripe cards and radio-frequency identification tags used by the MBTA.

The problem with the suit’s timing is that it was filed after Defcon organizers had already given out thousands of CDs with the students’ paper on it. The baby-faced students — Zack Anderson, 21, R.J. Ryan, 22, and Alessandro Chiesa, 20 — attended the press conference. Afterward, in a meeting with reporters, they said they were frightened about their legal exposure. Each time they were asked something, they looked over at their attorney to get a nod of approval.


MetaBeat 2022

MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.

Register Here

The case has been moving swiftly. The students scheduled the Defcon talk months ago. Their professor, Ron Rivest, a famous cryptographer, agreed to help the students get in touch with the MBTA in late July. Rivest told the students that he was told by the agency that the “FBI was investigating.” On July 30, a vendor notified the MBTA about the content of the talk. On Aug. 5, the students, MIT, and the MBTA’s attorneys held a meeting. The description of the talk changed slightly, with the description of “free rides” deleted.

Opsahl said the students came away from that meeting with the impression that the matter had been resolved. But the MBTA then filed its lawsuit on late Friday. The EFF agreed to represent the students that day and worked all night to prepare for the emergency hearing today.

Opsahl termed the order issued at 1:30 pm Eastern time today by Judge Douglas P. Woodlock a “gag order.” Marcia Hoffman, another staff attorney for the EFF, said the order would have a chilling effect on other security researchers who find bugs and warn companies and the public about them. Despite statements made by the MBTA to Rivest, Opsahl said the students were not the subject of an FBI investigation.

“The court ultimately came to a very very wrong conclusion,” Opsahl said.

During the press conference before hundreds of Defcon attendees, the crowd broke out with hoots as Opsahl noted that the court did not prevent anyone else from distributing information that the students supplied in the paper. Some publications were planning to post the material on the Internet.

Moreover, the Boston Globe and the Boston Herald have already published stories about the flaws in the MBTA electronic payment system. In the Netherlands, the courts declined to grant a request to stop the publication of similar information about hacking the payment system for the rail system there.

“We think they should invest their time in improving the security of their own system,” Opsahl said.

The students declined to answer many questions. But they said they did the work as part of a final project at an MIT class. Opsahl said it was not the intention of the students to disclose exactly how to hack the electronic payment system.

“We believe in the system and would like a resolution,” said Ryan.

“We disagree with the ruling but we are not going to disoebey it,” added Anderson. “Sorry we can’t talk more.”

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.