Court Silences MIT Students Over Subway Hacking

MELISSA BLOCK, host:

From NPR News, this is ALL THINGS CONSIDERED. I'm Melissa Block.

ROBERT SIEGEL, host:

And I'm Robert Siegel.

Now, a story about free speech, high-tech mischief, theft of service and the subway. Three MIT students were scheduled to address a conference of computer hackers in Las Vegas yesterday, but a federal judge issued a restraining order against them. The restraining order was sought by the MBTA, the Massachusetts Bay Transportation Authority. Those are the people who operate the T, Boston's subway system.

The MIT students had evidently figured out how to exploit flaws in the MBTA's CharlieCard and Charlie ticket systems and ride the subway for free. The MIT three were going to discuss their achievement at the conference, which is called Defcon, but the MBTA was not amused and sued. The judge invoked a federal anti-computer crime law to stop them from speaking, raising the question: Is talking about hacking the equivalent of hacking?

Well, joining us is Kim Zetter, a reporter with Wired.com. She's written about this. Welcome onto the program, Kim.

Ms. KIM ZETTER (Reporter, Wired.com): Thank you.

SIEGEL: And first, what did the three MIT students actually do?

Ms. ZETTER: Well, they found flaws in, as you mentioned, the Charlie ticket, which is a magnetic stripe ticket, and the CharlieCard, which is a smart card. And they found flaws that would allow them to clone the cards, so essentially, take one card worth, let's say, $50 value and create six or seven or eight cards also of $50 value. They also found a way that would allow them to take a card and increase the value of the card up to about 600 - a little over $600.

SIEGEL: I know you're not a lawyer, but is this a new way, a novel application of the anti-computer crime law to say these students should not be allowed to speak publicly about what they did?

Ms. ZETTER: Well, it's a misuse of the anti-hacking law because the law is about breaking into a computer, and the judge was using it as speech. So basically, what he is saying is that in talking about a vulnerability, you're essentially aiding and abetting, and that would mean that any research that anyone ever writes about a vulnerability would fall under this precedent.

SIEGEL: But I learned from your reporting on this subject that the three MIT students - who got an A, I gather, in the paper for doing this - they did not, as the critics at least say, that they did not comply with the disclosure guidelines written by the former hacker Rain Forest Puppy.

Ms. ZETTER: Well, this is an - in the hacker community, there are generally acceptable guidelines for responsible disclosure. And those are the - it's not written in stone, but Rain Forest Puppy put these together and they're generally acknowledged or recognized - that if you discover a vulnerability in a system, you contact the vendor before disclosing it publicly and you give the vendor an opportunity to develop a patch for it, so that hackers can't attack the system before it's fixed. And in this case, they didn't do that.

SIEGEL: So this honors the sport of hacking into computers without doing damage to the people who've been hacked?

Ms. ZETTER: Yes, that's to make the distinction between responsible researchers and the malicious hackers.

SIEGEL: It seems, though that Rain Forest Puppy is still a little bit more lenient in these matters than the federal courts are at this point.

Ms. ZETTER: Yes. So, I mean, in terms of the hacker community, how they view this, these are systems that are used by the public. And in the Massachusetts case, where it's taxpayer-supported system, whatever, it does affect everyone. So if the system is losing money, it's losing money, in general, for the state as well.

SIEGEL: What's the difference between what these three MIT students were arguing and, say, a bank robber claiming that, I did the public a service by stealing money from the bank to point out that your money is not entirely safe there because you can break into the bank?

Ms. ZETTER: Well, some people would say that there's no difference there. You know, in this case, they - the students didn't, as far as we know, didn't actually create cards and used them to steal rides. They did what's called a proof of concept, you could say. So they showed that it is possible. I don't know if they actually stole rides. If they did so, that's a different case, and that should be handled between the MBTA and them. But in most legitimate research, what they're showing is a proof of concept that this is something that is possible, you know, this is something that should be fixed.

SIEGEL: Well, Kim Zetter of Wired.com. Thank you very much for talking with us.

Ms. ZETTER: Thanks for having me.

Copyright © 2008 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.