Two weeks ago three students from MIT appeared at DEFCON in Las Vegas to present their successful hack of the Massachusetts Transit Authority’s electronic fare system–the “Charlie Card.” The MBTA went to federal court to enjoin publication of students’ presentation, claiming it would violate the Computer Fraud and Abuse Act. The court granted the injunction on August 9, only to lift it yesterday, ruling that the MBTA was not likely to succeed on its CFAA claim. Follow the story’s arc here, here, here, and here–and then read Bruce Schneier’s timely (8/7) essay from The Guardian. Schneier’s piece discusses the successful hack of the London subway’s Oyster smartcard by students from the Netherlands. The Oyster card’s maker, NXP Semiconductors, sued to prevent publication of the hack; it lost. The Oyster card uses the same chip–the “Mifare Classic”–used by Boston and other transit systems. Schneier writes “[t]he security of Mifare Classic is terrible . . . it’s kindergarten cryptography. Anyone with any security experience would be embarrassed to put his name to the design. NXP attempted to deal with this embarrassment by keeping the design secret.” In ruling against NXP the Dutch court said “[d]amage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings.” (Emphasis supplied)
These two cases follow a familiar pattern: Company A does a crap job designing or delivering a good or service to Company B; someone blows the whistle on Company A’s mis- or malfeasance; Company B blames the whistleblower for leaking news of the flaw instead of blaming Company A for its lousy performance. Here the Dutch court got it right, and the U.S. court is heading in the right direction.