Leading Computer Scientists Defend Student Hackers

Eleven of the country's top researchers call judge's order "dangerous."

ByABC News
August 14, 2008, 4:05 PM

Aug. 14, 2008— -- Eleven of the country's top computer scientists have come out in support of the three MIT students who were silenced by a gag order before they were able to tell a hackers conference in Las Vegas how they were able to break into Boston's subway fare collection system.

In an eight-page letter, the researchers argued that the injunction and others like it could have a "dangerous impact" on computer security research.

The temporary restraining order was meant to block discussion of how the students at the Massachusetts Institute of Technology figured out how to evade the computer system's security to change a $1.25 fare card to a $100 fare card.

In the letter filed Tuesday, the researchers, from leading institutions such as the University of California at Berkeley and Columbia University, urged the court to remove the restraining order issued against the students Sunday.

"We are concerned that the pall cast by the temporary restraining order will stifle research efforts and weaken academic computing research programs," the letter said. The students received an A on the project from their MIT professor.

"In this case, the law gives the public a false sense of security, achieved through law, not technical effectiveness," the letter also noted.

Despite the researchers' support, U.S. District Judge George O'Toole Jr. today left the injunction intact.

According to a spokeswoman for the Electronic Frontier Foundation, the civil liberties group defending the students, the judge did not uphold or remove the temporary restraining order. Instead, he postponed the decision to another hearing that will take place Tuesday.

The judge also asked the students to turn over more documentation on their research. By Friday afternoon, the students must hand over the class report that they submitted to their professor, part of the code that was intended to be part of their presentation and e-mail correspondence with organizers of the hacking conference.

The students and their lawyers said they are moving toward the judge's deadline but also plan to appeal the ruling to the U.S. 1st Circuit Court of Appeals.

"These restraints on the students' speech is flatly unconstitutional," said Rebecca Jeschke, a foundation spokeswoman.

Computer security experts say the attempt to gag the alleged hackers has boomeranged -- again.

"Every single time, harassing the researcher ends up spreading the research," said Dan Kaminsky, a computer security consultant for Seattle-based IOActive, Inc.

MIT students Zack Anderson, R.J. Ryan and Alessandro Chiesa were scheduled to present their "Anatomy of a Subway Hack" Sunday at Defcon, the popular Las Vegas hackers convention.

Their trip to the podium, however, was blocked when they were served with an injunction obtained by the Massachusetts Bay Transportation Authority ordering them not to talk about the flaws in the MBTA security system.

But not only had the presentation already been distributed at the Defcon convention, it had been entered into public record when the MBTA filed its complaint. In the blink of a mouse click, the slides were posted on the Internet and hackers were shaking their heads at the MBTA's attempt to block discussion of the information.

"The bottom line is independent security research is how we get more secure networks," Kaminsky said. "But because anyone can just say anything, the way we differentiate what's true from what's not is to actually show the details that can be independently verified."