Today, Richard Sullivan, a Sergeant Detective in the Transit Police of the Massachusetts Bay
Transportation Authority (and the liaison to the FBI), filed a Supplemental Declaration. In his declaration, Det. Sullivan said:
the MIT Undergrads reiterated that they did not exploit the supposed vulnerabilities that they had identified in the MBTA's computer system, they promised that they would not do so in the future, and they promised that they would not teach others how to.
Earlier the MBTA had asserted that "At a meeting last Tuesday involving all the parties, MIT staff and the students agreed to provide the MBTA with a copy of the presentation."
Det. Sullivan, however, says that at the meeting:
I asked the students to prepare a written summary of every vulnerability that they claimed to have discovered and how to fix these vulnerabilities. The MIT Undergrads agreed to provide me with such a paper within two weeks.
While the MBTA had originally requested the information within two weeks of the August 4 meeting (August 18), the students nevertheless provided the MBTA with a confidential vulnerability report on Friday, August 8 (as promised), and a very detailed "Security Analysis" on August 13. After the meeting, the students understood that the MBTA's concerns were resolved, and that the students were to provide a confidential vulnerability assessment by the end of the week.
The disconnect over when to expect further information from the students appears to have been a major factor leading to the lawsuit. According to an MBTA statement: "When no call or information was forthcoming, the MBTA instructed its legal counsel to begin drafting Court papers, so that the MBTA could obtain this information." While we disagree that a lawsuit is the best way to obtain security researcher's work, it appears that this remains a critical purpose of the MBTA's lawsuit.
Det. Sullivan concludes by saying:
On August 6, 2008, both myself and [FBI] Agent Shafer personally met with [MBTA Official] Joseph Kelley and others to discuss the meeting that had taken place. I conveyed to all in attendance that we were confident that the students did not violate any state or federal criminal statues. Moreover, I conveyed that we were both comfortable and confident that the students would honor their declaration to us that they would not disclose any information that would enable others to harm the MBTA. After that meeting, I contacted Professor Rivest to let him know that Mr. Kelley may be reaching out to him.
The students never wanted attackers to have sufficient information to mount an attack. The students left out some key details in the work they did, because they did not want anyone to be able to attack the ticketing system or circumvent the system and get free fares. As security expert Eric Johanson confirmed "key information needed to compromise both the Charlie Ticket and the Charlie Card is not present in the Slides." In any event, the students never gave the talk nor released any software tools.
Unfortunately, it appears that misunderstandings remained. On the late afternoon of August 8, without any advance notice to the students, the MBTA filed a federal lawsuit that falsely asserted that the students violated federal law, were "traveling on the MBTA lines without paying fares," "have instructed others" in riding without paying fares," and "received or will illegally receive money and profits that rightfully belong to MBTA, in the form of lost transit fares." Of course, the students never rode the T for free or helped others do so. Much trouble could have been avoided if these misunderstanding could have been cleared up without the need for litigation.
The students have always been interested in coming to a reasonable resolution, and remain hopeful that the MBTA is willing to be reasonable. In the interim, they have no choice but to litigate.