Massachusetts Bay Transportation Authority v. Anderson et al
Filing
18
EXHIBIT re 16 MOTION to Modify Terms But Not Duration of Temporary Restraining Order by Massachusetts Bay Transportation Authority. (Attachments: # 1 Exhibit 1, # 2 Exhibit 2, # 3 Exhibit 3, # 4 Exhibit 4, # 5 Exhibit 5)(Mahony, Ieuan-Gael)
Exhibit 4
From: Jennifer Granick [mailto:jennifer@eff.org]
Sent: Monday, August 11, 2008 12:27 AM
To: Mahony, Ieuan (BOS - X75835)
Cc: cindy@eff.org; kurt@eff.org; marcia@eff.org; WMitchell@mbta.com; SDarling@mbta.com
Subject: Re: CRITICAL INFORMATION: MBTA v Anderson et al
Dear Ieuan:
Thank you for your thoughts. I'm surprised your client feels that the Report does not pose a risk, given that it contains information my clients intended to keep confidential. It appears my clients are more cautious about disclosing vulnerability information than yours are.
Moving forward, both the slides from our client's intended presentation and the confidential Report are now publicly available. This constitutes more information than the students would have presented at their Defcon talk. Furthermore, your client reportedly does not feel that the security risk posed by the availability of this information warrants emergency measures. Finally, Defcon is over and the students did not give their talk.
Under these circumstances, would your client be willing to stipulate to lifting the TRO at this time? While the protection it provides is now moot as to your client's concerns, it continues to hang over our clients' heads, making them uncertain what if anything they can say about their research and this case. Please let me know right away.
Thank you,
Jennifer
Civil Liberties Director Electronic Frontier Foundation 454 Shotwell Street San Francisco, CA 94110
415.436.9333x134
fax 415.436.9993 jennifer@eff.org
On Aug 10, 2008, at 12:18 PM, wrote:
Dear Jennifer:
Let me address your email and phone call from yesterday, and also return to earlier discussions over a "moving-forward" relationship between the parties.
(A) Your Email
First, we want to thank you for your concern. Second, as I indicated earlier today, the MBTA, along with a system vendor, has completed its review of your email, and re-reviewed the three page summary report attached as Exhibit 1 to Scott Henderson's Declaration (the "Report"). This review does not alter the original assessment of the Report, provided by Mr. Henderson in his declaration. Yet it is the case that (a) the quantity and quality of information provided by the three page Report, standing alone, is less than (b) the quantity and quality of the information provided by the Report read in combination with the Students' 87 page presentation entitled "Anatomy of a Subway Hack" (the "Presentation"). If the MBTA had been given the Presentation when first requested (or even at the time when the Presentation, we understand, was made available to DEFCON attendees), the "(b)" circumstance might have been avoided.
In any event, the MBTA's evaluators do not assess the risk of this information at the level you set in your email. The MBTA, with vendor support, has begun work on internal responses to the potential security risks at issue. It is our view that an internal, technical and personnel response is the best long-term solution. Accordingly, we do not share your view that legal "emergency measures" are required. We do not think that seeking court relief on this issue and at this point is appropriate. Again, thank you for your concern.
(B) Moving-Forward Relationships
We can see from your clients' statements in the press, and the EFF's public statements, that the lawsuit generally, and Temporary Restraining Order in particular, do not from your perspectives represent a fair or balanced situation. From my first conversations with Marcia and Kurt, and then later with you, Jennifer, I stated my view that parties, acting reasonably, will invariably develop and implement a resolution of a dispute that is substantially better tailored to their interests than a resolution imposed on them by an external authority. We think we should continue discussions, to see if we can find a solution that is better tailored to all parties' interests.
In my view, Judge Woodlock, in his findings and rulings, directed the parties to work toward a solution perhaps more "creative" and "outside the box" than the standard "keep fighting in court over abstract issues while life goes by". The goal would be to shift from an adversarial mode to a cooperative, discussion mode, if possible. We respect your clients' continued statements that their goal remains to provide solutions to security risks.
We propose formal mediation as the process for seeking a more optimal going-forward solution. We think we should reserve a full day, or perhaps two. We suggest that the mediation take place in Boston. Other issues, such as mediator costs, whether formal "written submissions" are exchanged, and the like we can discuss. Let us know your thoughts.
Thanks
Ieuan
From: Mahony, Ieuan (BOS - X75835)
Sent: Sunday, August 10, 2008 9:27 AM
To: 'Jennifer Granick'
Cc: Cindy Cohn; Kurt Opsahl; Marcia Hofmann; Mahony, Ieuan (BOS - X75835)
Subject: RE: CRITICAL INFORMATION: MBTA v Anderson et al
Jennifer:
The MBTA and one of its vendors have completed review per your email, below. I'll have results to you later today. I'll continue to keep you informed.
Thanks
Ieuan
From: Jennifer Granick [mailto:jennifer@eff.org]
Sent: Saturday, August 09, 2008 5:14 PM
To: Mahony, Ieuan (BOS - X75835)
Cc: Cindy Cohn; Kurt Opsahl; Marcia Hofmann
Subject: CRITICAL INFORMATION: MBTA v Anderson et al
Dear Mr. Mahony:
This email is to follow up on my phone call to you of just a few minutes ago. As you know, Mr. Anderson, Mr. Ryan and Mr. Chiesa provided your client MBTA with a confidential three page summary of their research and recommendations for securing the fare collection system. It has just come to our attention through third parties at the Defcon conference that plaintiffs have made this report publicly available on the court's pacer website by filing the document as an exhibit. This confidential document contains the checksum information without which an attacker can not create a forged card. This information is highly sensitive, which is why my clients planned to withhold it from their presentation. We strongly urge you to take emergency measures to have it removed expeditiously.
Best wishes,
Jennifer Granick
Civil Liberties Director Electronic Frontier Foundation 454 Shotwell Street San Francisco, CA 94110
415.436.9333x134
fax 415.436.9993 jennifer@eff.org