[Infowarrior] - Federal Judge in DefCon Case Equates Speech with Hacking

[Richard Forno]

Federal Judge in DefCon Case Equates Speech with Hacking
By Kim Zetter EmailAugust 10, 2008 | 6:55:40 AM

http://blog.wired.com/27bstroke6/2008/08/eff-to-appeal-r.html

LAS VEGAS -- Lawyers with the Electronic Frontier Foundation said a  
federal judge who granted a temporary restraining order on Saturday to  
halt a scheduled conference talk about security vulnerabilities came  
to "a very, very wrong conclusion." They said the judge's order  
constituted illegal prior restraint, which violated the speakers'  
First Amendment right to discuss important and legitimate academic  
research.

"When you discuss security issues, if you are telling the truth, that  
should be something protected at the core of the First Amendment,"  
said Kurt Opsahl, senior staff attorney for the non-profit EFF. "If  
you are truthfully telling the world about a dangerous situation, and  
(it is) a situation which is dangerous not because the security  
researcher exposes the vulnerability (but) because the person who made  
the product . . . made the vulnerability, (then) this should be core  
speech."

Opsahl was speaking at a press conference at the DefCon hacker  
conference in Las Vegas on Saturday after District Judge Douglas  
Woodlock of the U.S. District Court in Massachusetts granted a  
temporary restraining order requested by the Massachusetts Bay Transit  
Authority.

The MBTA sought to bar three students enrolled at the Massachusetts  
Institute of Technology -- Zack Anderson, R.J. Ryan and Alessandro  
Chiesa -- from presenting a talk at DefCon about vulnerabilities in  
magnetic stripe tickets and RFID cards that are used in the MBTA's  
payment system. The MBTA feared that the students planned to teach the  
audience how to fraudulently add credit to a payment ticket or card in  
order to ride the transit system for free.

Opsahl said the judge, in making his decision, misinterpreted a part  
of the federal Computer Fraud and Abuse Act that refers to computer  
intruders or hackers. Such a person is described in part in the  
statute as someone who "knowingly causes the transmission of a  
program, information, code, or command to a computer or computer  
system."

Opsahl says the judge, during the hearing, likened the students'  
conference presentation to transmitting code to a computer.

"The statute on its face appears to be discussing sending code or  
similar types of information to a computer," Opsahl said. "It does not  
appear to contemplate somebody who is giving a talk to humans.  
Nevertheless, the court . . . believed that the act of giving a  
presentation to a group of humans was covered by the computer fraud,  
computer intrusion statute. We believe this is wrong."

EFF staff attorney Marcia Hoffman told reporters that the decision set  
a very dangerous precedent.

"Basically, what the court is suggesting here is that giving a  
presentation involving security to other security researchers is a  
violation of federal law," she said. "As far as I know, this is  
completely unprecedented, and it has a tremendous chilling effect on  
sharing this sort of research. . . . And we intend to fight it with  
everything we've got."

The students were scheduled to present their talk on Sunday about  
vulnerabilities in the subway's fare collection system. According to a  
description of the talk in a printed program given to conference  
attendees, the students planned to demonstrate how they reverse- 
engineered the mag stripe on CharlieTickets and cracked the encryption  
on RFID-enabled CharlieCards that are used in the Boston system. They  
also planned to release several open source tools that they created in  
the course of their research.

But the MBTA contended that disclosure of the flaws, before the MBTA  
had a chance to fix them, would cause irreparable harm to the transit  
system, particularly if it allowed someone to increase the amount of  
funds stored on a card or ticket and ride the transit system for free.

The MBTA filed its motion for a restraining order on Friday, August  
9th, but Opsahl and Hofmann said that rather than make an immediate  
decision, District Judge Woodlock ordered a hearing for Saturday  
morning and allowed the EFF, which represented the students, to  
participate by telephone from San Francisco, even though none of the  
non-profit's lawyers is licensed to practice in Massachusetts.

The court's restraining order bars the students from disclosing any  
information for ten days that could allow someone to defraud the  
transit system and ride the subway for free.

EFF lawyers and the students refused to discuss details of the now- 
cancelled presentation but did provide a timeline of events leading up  
to the MBTA's suit and also shed light on how the matter unfolded,  
disputing claims in the MBTA's court filings that the students had  
refused to give the MBTA information about the vulnerabilities they  
discovered.

According to MBTA's court filings, the agency first learned about the  
planned presentation on July 30th. The next day the agency contacted  
MIT computer science professor Ron Rivest, the students' instructor,  
and told him that the FBI was investigating the issue.

"We didn't find that to be a very pleasing way to start a nice  
dialogue with them<" Anderson said. "We got a little concerned about  
what was happening."

A few days later on Monday, August 4, a detective with the transit  
police and an FBI agent met with the MIT students, Rivest, and an MIT  
lawyer to discuss their concerns and inquire about the nature of the  
student's talk. The students say when they left that meeting they  
believed, due to verbal comments made to them during the meeting, that  
the issue had been resolved, and that the MBTA no longer had a problem  
with their talk. [Note: A previous story said the parties had met on  
August 5th, a date listed in MBTA's court filings. The students said  
that date was a misprint.]

The FBI's Boston office did not respond to a call asking to confirm if  
there is an ongoing investigation of the students, but Opsahl said as  
far as he knows, there is no FBI investigation.

Efforts to reach the MBTA for comment were not successful, but  
according to the MBTA's court filings, the students failed to respond  
to a request to provide the transit authority with copies of the  
conference presentation or with details about the vulnerabilities they  
found in the payment card system, and this was the reason for taking  
the students to court.

But the students say this isn't true.

They say the MBTA did ask for some material -- not a copy of their  
conference presentation -- which they provided on Friday, around the  
same time the MBTA was heading to the courthouse to request the  
restraining order.

The material, it turns out, was a confidential vulnerability  
assessment report (.pdf) describing, in a more substantial way than  
the conference presentation slides do, the flaws in the MTBA payment  
system. The report became a public document on Saturday when the MBTA  
included it among other papers it submitted to the court on Saturday.

The students maintain they didn't understand that the MBTA was  
expecting a copy of their presentation until Friday, when they learned  
the MBTA was filing for a restraining order.

"And at that point we declined to provide the slides until we had an  
opportunity to see what the complaint said," Hofmann said.

Even though the MBTA received the vulnerability assessment report at  
that point, the students point out, it did not withdraw the lawsuit.

The students say they had intended to contact the MBTA a week prior to  
July 30th, when the transit authority was still apparently unaware of  
the presentation. They refused to say what occurred at that time to  
prompt them to want to make contact with the MBTA, but said their  
intent was to provide the MBTA with details that they wouldn't be  
discussing in their public talk. Ultimately, however, they didn't act  
on the impulse because Rivest, who agreed to facilitate the contact,  
was out of town at a conference. Shortly thereafter, the MBTA  
discovered the talk and contacted Rivest.

The students maintain that they never intended to teach audience  
members how to de-fraud the transit system, despite provocative  
comments they wrote in the published description of their talk.

A description of their talk that is printed in the conference program  
schedule begins with the sentence "Want free subway rides for life?"  
The line was removed from an online version of the description after  
the MBTA met with the students on August 4th, but the students  
wouldn't comment about why the change was made.

Opsahl called the provocative language "rhetoric" and said it was  
always the students' intention to hold back key details from their  
talk that would help someone attack the MBTA system.

"Please understand that, rhetoric aside, the intention was to provide  
an interesting and useful talk, but not one that would enable people  
to defraud the Massachusetts Bay Transit System," he said.

As it stands now, the next step, before the temporary restraining  
order expires, will be to determine whether or not it should become a  
preliminary injunction to extend the gag for longer, Opsahl said.

Hofmann said it's unclear right now whether the EFF will continue to  
represent the students if further litigation is pursued, given that  
they have no one on staff who can practice in Massachusetts. They will  
have to evaluate the situation when and if it comes up.

As for the students' 1 pm speakers' slot on Sunday, DefCon has  
apparently already found a replacement. Brenno de Winter, a Dutch  
journalist and security consultant, told reporters on Saturday that he  
has offered to fill in -- essentially to give the same or a similar  
talk about vulnerabilities with transit fare cards, thought without  
the focus on the Boston transit system.