It looks like the trio of MIT researchers who had been barred from talking about flaws in the Boston subway (Massachusetts Bay Transportation Authority, MBTA) fare system can now talk.
The Electronic Frontier Foundation (EFF), which had been vocal on behalf of the three students, reported that:
The Court found that the MBTA was not likely to prevail on the merits
of its claim under the federal Computer Fraud and Abuse Act. MBTA had
argued that the CFAA, which prohibits the transmission of a program
that causes damage to a computer, also covers “verbal transmission,”
such as talking to people at conferences. Judge O’Toole, however,
looked closely at the statute, and held that the CFAA does not apply to
security researchers like the students talking to people.
This is an important development.
Security researchers need to be allowed to properly disclose and discuss vulnerabilities. That’s how others (including the vulnerable) learn how to protect themselves. Security by obscurity is a myth.