The MBTA, Boston
Sues MIT students who discovered security flaw
Young computer jocks announce they've discovered a security flaw in a piece of software. What should executives at the software company do?
The normal reaction would be to reach out to them and work to patch the flaw as quickly as possible. But normality is an elusive concept at the MBTA. So when three MIT students said last August that they were going to deliver a presentation on problems with the CharlieCard at a conference in Las Vegas known as DEFCON, the MBTA went to federal court.
As MIT's student newspaper, the Tech, understatedly put it, "The lawsuit surprised many DEFCON attendees, who are accustomed to relatively cordial relations with software companies who are informed of security holes."
In a confluence of Muzzles past, the T, which won a 2006 Muzzle for banning photographers from taking pictures of its facilities (terrorism, you know), was granted a temporary restraining order against the students by US District Court judge Douglas Woodlock, winner of a 2005 Muzzle for approving a protest pen at the previous year's Democratic National Convention, despite likening it to a "concentration camp."
Fortunately, reason ultimately prevailed. Another federal district judge, George O'Toole, lifted the gag order on the students, whose work had earned them an "A" on a class project. The lawsuit was dropped. And by December, the students were meeting with MBTA officials to discuss how to prevent hackers from using the CharlieCard to ride the T for free.
"This is a great opportunity for both the MBTA and the MIT students," said T general manager Dan Grabauskas. "As we continue to research ways to improve the fare system for our customers, we appreciate the cooperative spirit demonstrated by the MIT students."
It took way too long, though, for Grabauskas and company to show the same cooperative spirit.