A trio of MIT students found security weaknesses in the MBTA, the Boston public transportation system, colloquially known as “the T”. The students were going to present their findings at Defcon, that is, until a judge ordered them not to.
Of course, the injunction did far more to spread the news than the talk alone would have, including making public the students’ whitepaper about the vulnerabilities. Their slides, Anatomy of a Subway Hack, are also online, including a photo of an over-the-top modded shopping cart that they somehow used as part of their work.
How many times do we have to see this story played out? A system is deployed with poor security, someone figures out the weaknesses and tries to talk about it, and is sued to prevent disclosure, which only makes the information even more available to the public. These injunctions are like putting a flashing red light on top of something: they only attract more attention to the situation. The presentation slides have already been distributed to all Defcon attendees; that toothpaste is not going back in the tube.
The MBTA should either decide that this is not that big a deal (how many people are really going to hack RFID cards to get on the T for free?), or get to work designing improvements. And they should hire these students to crack the new system before it’s deployed.