In the Defcon presentation slides, the students describe a variety of techniques that could be used to gain free access to Boston's transit system, some of which they admit are illegal. They say that the point of the talk is to show the results of a penetration test of the MBTA system, but they were clearly aware that it could have caused legal problems. One slide reads simply "What this talk is not: evidence in court (hopefully)".
The passage in the Defcon show guide describing their talk begins, "Want free subway rides for life?" That line was removed from the description of the talk posted at the Defcon Web site.
The students discuss physical security problems they found with the system, such as unlocked gates and unattended surveillance booths. They say they were able to access fiber switches connecting fare vending machines to the unlocked network, and they also describe techniques to clone and reverse-engineer the MBTA's CharlieTicket magnetic stripe tickets and CharlieCard smartcards.
In court filings, the MBTA says that 68 percent of its riders use the CharlieCard, which brings in about $475,000 to the transit authority each weekday.
An MBTA vendor tipped off the authority on July 30 that the talk was scheduled, the court filing states. According to Opsahl, the students met with MBTA officials on Monday and it was their understanding after that meeting that the situation had been resolved.
The students were "very, very surprised" by the suit, Zack Anderson said in a press conference after the EFF discussion.
"We felt, due to verbal comments that were given to us, that the issue was resolved," he said. "They asked for some materials to be submitted to them, which we agreed to, and we did get those to them yesterday."
The students said they tried to contact the MBTA around July 20 through their professor Ron Rivest, who teaches in MIT's Department of Electrical Engineering and Computer Science, but did not actually connect with the agency until around July 30.
It's been a crazy week for Anderson, who looked haggard -- he said it took him 18 hours to travel by air to Defcon and he had not slept since Thursday.
An MBTA lawyer did not return messages Saturday seeking comment for stories about the matter.
The CharlieCard is based on the same Mifare Classic RFID (radio frequency identification) technology used by many other transit systems around the world. Earlier this year, Mifare's producer, NXP, sued to prevent researchers from presenting research on how to crack this technology. A Dutch court rejected NXP's claims last month.
With an average weekday ridership of 1.4 million commuters, the MBTA is the nation's fifth-largest transit system, according to the lawsuit.
Lawsuits involving Defcon presentations have also occurred in the past. Security researcher Mike Lynn was sued in 2005 after he gave a controversial presentation disclosing flaws in Cisco's routers. In response, the EFF this year started a drop-in service, providing Defcon presenters free legal advice on how to respond to threats of legal action.
Although conference attendees are now speculating that another talk on the MBTA system may replace the cancelled talk, Anderson said he and his fellow researchers intend to comply with the court order. "We disagree with the ruling, but we're not going to disobey it," he said.