Leading Computer Scientists Defend Student Hackers

"The bottom line is independent security research is how we get more secure networks," Kaminsky said. "But because anyone can just say anything, the way we differentiate what's true from what's not is to actually show the details that can be independently verified."

The students emphasize that their objectives were not to defraud the transit authority.

"Our intention … was to find out what vulnerabilities might be present and then determine how those might be fixed," Anderson told ABCNews.com.

Most importantly, he said, the students never planned to reveal the information that would actually permit others to hack the system. The slideshow and presentation did not include the key enabling information.

Anderson said they contacted transit authority officials in late July. The purpose of the meeting was to educate them about the system's flaws and present them with possible solutions.

Early last week, Anderson said, the students met with the transportation officials. After walking representatives through their presentation, the students thought they had allayed the transit authority's fears.

But Aug. 8, they were notified that a federal lawsuit had been filed against them.

"It was a huge shocker," said Anderson.

In a complaint filed Aug. 8 with a U.S. district court in Massachusetts, the transportation authority said the students did not provide it with ample time to address the system's weaknesses. As a result, public disclosure of the flaws could cause significant damage to the transit system.

In an e-mail, a spokesman for the MBTA told ABCNews.com that, at the meeting, the students agreed to provide the transit authority with a copy of the presentation. After several days passed without receiving the information, the MBTA said it had "no choice but to seek assistance from a federal court judge."

The MBTA said it is now "reviewing the information to determine if there is any degree of substance to the claims being made by the students."

Corynne McSherry, a staff attorney with the Electronic Frontier Foundation, said injunctions such as the one requested by the MBTA chill the conversations that protect consumers from computer security threats.

The Electronic Frontier Foundation, a nonprofit group that advocates for civil liberties in the digital world, is defending the three students. The group's lawyers contend that the court violated the students' First Amendment rights to discuss their research.

"The court stopped researchers from speaking about their research – traditional academic research," she said. "[It] essentially decided that talking about security vulnerabilities was somehow forbidden."

Some legal experts have a different view.

"It's one thing, for academic purposes, to do research. It's something entirely different to actually carry it out," said Peter S. Vogel, an attorney with the Dallas office of Gardere Wynne Sewell who specializes in Internet security and e-commerce. He is also an adjunct professor at the Southern Methodist University Dedman Law School.

If transit authority lawyers presented compelling evidence that the students violated state or federal laws while conducting their research, the judge would have been obligated to grant the injunction, Vogel added.

"The First Amendment doesn't protect people from breaking the law. It's a fine line to draw between violating a law and freedom of speech," Vogel said.

-- This embed didnt make it to copy for story id = 5581876. -- This embed didnt make it to copy for story id = 5581876. -- This embed didnt make it to copy for story id = 5581876. -- This embed didnt make it to copy for story id = 5581876. -- This embed didnt make it to copy for story id = 5581876. -- This embed didnt make it to copy for story id = 5581876. -- This embed didnt make it to copy for story id = 5581876. -- This embed didnt make it to copy for story id = 5581876.
Page
  • 1
  • |
  • 2
Join the Discussion
You are using an outdated version of Internet Explorer. Please click here to upgrade your browser in order to comment.
blog comments powered by Disqus
 
You Might Also Like...