Subway security exposé stopped
August 11, 2008 - 9:00 pm
A federal judge ordered three college students to cancel a Sunday presentation at a computer hackers' conference where they planned to show security flaws in the automated fare system used by Boston's subway.
The temporary restraining order, issued by a U.S. district judge in Massachusetts, prevented the Massachusetts Institute of Technology students from demonstrating at the Defcon conference in Las Vegas how to use the vulnerabilities to get free rides.
The Electronic Frontier Foundation, which is representing MIT students Zack Anderson, R.J. Ryan and Alessandro Chiesa, plans to fight the order, said Jennifer Granick, the group's civil liberties director.
The Massachusetts Bay Transportation Authority said in a complaint filed Friday that the students offered to show others how to use the hacks before giving the transit system a chance to fix the flaws. MIT is named in the complaint.
But Granick said Sunday that the students were simply trying to share their research and planned to omit key information that would make things easier for anyone who wanted to hack the payment system.
Electronic copies of the 87-slide presentation circulating on the Internet disparaged the transit system's physical security.
The copies showed photographs of unlocked doors, turnstile control boxes and exposed computer monitors at subway stations.
One slide explained that the presentation would teach attendees how to generate fare cards, reverse engineer magnetic stripes on cards and hack radio frequency identification cards.
The next slide said: "And this is very illegal! So the following material is for educational use only."
The presentation was distributed to conference attendees on CDs on Thursday, before the conference officially began and before the transit system filed the complaint.
Defcon, attended by many of the world's security experts, is an annual showcase of discovered weaknesses in computers, phone equipment and other machines.