Massachusetts Bay Transportation Authority v. Anderson et al

Filing 18

EXHIBIT re 16 MOTION to Modify Terms But Not Duration of Temporary Restraining Order by Massachusetts Bay Transportation Authority. (Attachments: # 1 Exhibit 1, # 2 Exhibit 2, # 3 Exhibit 3, # 4 Exhibit 4, # 5 Exhibit 5)(Mahony, Ieuan-Gael)

Exhibit 5 Page 1 of 5

From: Mahony, Ieuan (BOS - X75835)
Sent: Monday, August 11, 2008 3:36 PM
To: 'jennifer@eff.org'
Cc: 'cindy@eff.org'; 'kurt@eff.org'; 'marcia@eff.org'; JSwope@eadplaw.com; 'WMitchell@mbta.com'; 'SDarling@mbta.com'
Subject: RE: CRITICAL INFORMATION: MBTA v Anderson et al

Jennifer:

We are unwilling to lift the TRO in the binary "on/off" manner you state, and respond more fully to your email as follows:

(A) Removing the TRO Is Not a Tailored Solution

We are willing to discuss tailored solutions to the underlying problem, and have proposed a formal mediation process for these discussions. You have given no response to our proposal for mediation. You recall that I asked for a negotiated solution before the Saturday hearing. I confirmed these inquiries to you in email, and these emails are public record and freely available on the web. See http://www-tech.mit.edu/V128/N30/subway.html. You did not respond meaningfully to those requests, either.

(B) Misinformation Threatens To Cloud the Issues

In following the DEFCON-related press, it is clear that a large amount of misinformation has been circulated concerning the meaning of the TRO, and related points. For example, you know, because Judge Woodlock asked you these questions in open court, that the primary concern was with the content the students might or might not supply to go with the literal expression embodied in the Presentation, as well as the Report. Press reports suggest that the TRO banned circulation of the paper materials themselves. You know this is incorrect. Yet your email relies on this theme.

We made it clear in our papers: based on the information we have (a large part of which you intentionally withheld from us until 4:38 AM Saturday morning) we do not know what your clients have done or are capable of doing. Their broad statements concerning "free subway rides for life" suggest they are capable of a lot. This is the concern.

We would like to create an environment, immediately, where all parties can share the information they feel is warranted, in order to quantify and assess this risk. We would like to "re-do" the August 5 (or 4) meeting, but with more sensitivity, hopefully all around, as to the mutual stakes. We think a mediated solution presents mutual benefits. The structure of non-binding mediation assures mutual benefits - or at a minimum a clear assessment of the alternatives to a negotiated solution. In a mediation process, for example, we would hope to discuss and obtain an understanding of the information, if any, the MIT Undergrads hold that might threaten Fare Media System security. We do not set preconditions on a mediation, however, as we strongly believe - again - that discussions between reasonable parties toward a resolution are preferable to an externally imposed resolution, where it is possible to avoid such an external resolution.

(C) We Are Very Sensitive To Your Clients' Concerns Over The Restraint

Finally, we believe we understand the point in your email that the TRO "continues to hang over our clients' heads, making them uncertain what if anything they can say about their research and this case." One goal with a mediated solution, working together, would be to reduce or eliminate uncertainty (to the extent uncertainty from a legal or practical perspective exists). Another goal of a mediated solution would be to determine other parameters of responsible disclosure under these circumstances. Yet another goal with a mediated solution might be to "make amends" on all sides, whatever that might mean here. There are countless examples from large to small of relationships that are polarized and entrenched-hostile because of bad choices by both sides shortly after the rift began. We would like to avoid this here, if possible.

We think talking in a non-binding, professionally mediated environment is the best way to avoid further misunderstanding, and potential "bad choices."

(D) Conclusion: Renewed Request for Mediation

You request, in an "on/off" manner, that we now "shut off" the TRO. This is traditional advocacy, where the goal is to "win all" and avoid "lose all." With our mediation proposal, we look for, and are willing to accept, gradations between these poles. We believe - whether in light or not in light of recent history - that reasonable "win-win" solutions are available, if the parties meet and work through options. We ask that you confer carefully with your clients, and respond to our mediation proposal. We believe that mediation should commence as soon as possible. We have made this proposal to MIT counsel as well.

Let me know

Ieuan

From: Mahony, Ieuan (BOS - X75835)
Sent: Monday, August 11, 2008 11:37 AM
To: 'jennifer@eff.org'
Cc: 'cindy@eff.org'; 'kurt@eff.org'; 'marcia@eff.org'; 'WMitchell@mbta.com'; 'SDarling@mbta.com'
Subject: Re: CRITICAL INFORMATION: MBTA v Anderson et al

Jennifer:

We are considering your proposal. We are having a meeting of senior management on this and related issues this afternoon at 1:30 eastern. I will report our response as soon as it is complete.

I will continue to keep you posted,

Ieuan

Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)

From: Jennifer Granick
To: Mahony, Ieuan (BOS - X75835)
Cc: cindy@eff.org; kurt@eff.org; marcia@eff.org; WMitchell@mbta.com; SDarling@mbta.com
Sent: Mon Aug 11 00:26:42 2008
Subject: Re: CRITICAL INFORMATION: MBTA v Anderson et al

Dear Ieuan:

Thank you for your thoughts. I'm surprised your client feels that the Report does not pose a risk, given that it contains information my clients intended to keep confidential. It appears my clients are more cautious about disclosing vulnerability information than yours are.

Moving forward, both the slides from our client's intended presentation and the confidential Report are now publicly available. This constitutes more information than the students would have presented at their Defcon talk. Furthermore, your client reportedly does not feel that the security risk posed by the availability of this information warrants emergency measures. Finally, Defcon is over and the students did not give their talk.

Under these circumstances, would your client be willing to stipulate to lifting the TRO at this time? While the protection it provides is now moot as to your client's concerns, it continues to hang over our clients' heads, making them uncertain what if anything they can say about their research and this case.

Please let me know right away.

Thank you,

Jennifer

Civil Liberties Director
Electronic Frontier Foundation
454 Shotwell Street
San Francisco, CA 94110
415.436.9333 x 134
fax 415.436.9993
jennifer@eff.org

On Aug 10, 2008, at 12:18 PM, <ieuan.mahony@hklaw.com> <ieuan.mahony@hklaw.com> wrote:

Dear Jennifer:

Let me address your email and phone call from yesterday, and also return to earlier discussions over a "moving-forward" relationship between the parties.

(A) Your Email

First, we want to thank you for your concern.

Second, as I indicated earlier today, the MBTA, along with a system vendor, has completed its review of your email, and re-reviewed the three page summary report attached as Exhibit 1 to Scott Henderson's Declaration (the "Report"). This review does not alter the original assessment of the Report, provided by Mr. Henderson in his declaration. Yet it is the case that (a) the quantity and quality of information provided by the three page Report, standing alone, is less than (b) the quantity and quality of the information provided by the Report read in combination with the Students' 87 page presentation entitled "Anatomy of a Subway Hack" (the "Presentation"). If the MBTA had been given the Presentation when first requested (or even at the time when the Presentation, we understand, was made available to DEFCON attendees), the "(b)" circumstance might have been avoided. In any event, the MBTA's evaluators do not assess the risk of this information at the level you set in your email.

The MBTA, with vendor support, has begun work on internal responses to the potential security risks at issue. It is our view that an internal, technical and personnel response is the best long-term solution. Accordingly, we do not share your view that legal "emergency measures" are required. We do not think that seeking court relief on this issue and at this point is appropriate.

Again, thank you for your concern.

(B) Moving-Forward Relationships

We can see from your clients' statements in the press, and the EFF's public statements, that the lawsuit generally, and Temporary Restraining Order in particular, do not from your perspectives represent a fair or balanced situation. From my first conversations with Marcia and Kurt, and then later with you, Jennifer, I stated my view that parties, acting reasonably, will invariably develop and implement a resolution of a dispute that is substantially better tailored to their interests than a resolution imposed on them by an external authority. We think we should continue discussions, to see if we can find a solution that is better tailored to all parties' interests.

In my view, Judge Woodlock, in his findings and rulings, directed the parties to work toward a solution perhaps more "creative" and "outside the box" than the standard "keep fighting in court over abstract issues while life goes by". The goal would be to shift from an adversarial mode to a cooperative, discussion mode, if possible. We respect your clients' continued statements that their goal remains to provide solutions to security risks.

We propose formal mediation as the process for seeking a more optimal going-forward solution. We think we should reserve a full day, or perhaps two. We suggest that the mediation take place in Boston. Other issues, such as mediator costs, whether formal "written submissions" are exchanged, and the like we can discuss.

Let us know your thoughts.

Thanks

Ieuan

From: Mahony, Ieuan (BOS - X75835)
Sent: Sunday, August 10, 2008 9:27 AM
To: 'Jennifer Granick'
Cc: Cindy Conn; Kurt Opsahl; Marcia Hofmann; Mahony, Ieuan (BOS - X75835)
Subject: RE: CRITICAL INFORMATION: MBTA v Anderson et al

Jennifer:

The MBTA and one of its vendors have completed review per your email, below. I'll have results to you later today. I'll continue to keep you informed.

Thanks

Ieuan

From: Jennifer Granick [mailto:jennifer@eff.org]
Sent: Saturday, August 09, 2008 5:14 PM
To: Mahony, Ieuan (BOS - X75835)
Cc: Cindy Conn; Kurt Opsahl; Marcia Hofmann
Subject: CRITICAL INFORMATION: MBTA v Anderson et al

Dear Mr. Mahony:

This email is to follow up on my phone call to you of just a few minutes ago. As you know, Mr. Anderson, Mr. Ryan and Mr. Chiesa provided your client MBTA with a confidential three page summary of their research and recommendations for securing the fare collection system. It has just come to our attention through third parties at the Defcon conference that plaintiffs have made this report publicly available on the court's pacer website by filing the document as an exhibit.

This confidential document contains the checksum information without which an attacker can not create a forged card. This information is highly sensitive, which is why my clients planned to withhold it from their presentation. We strongly urge you to take emergency measures to have it removed expeditiously.

Best wishes,

Jennifer Granick
Civil Liberties Director
Electronic Frontier Foundation
454 Shotwell Street
San Francisco, CA 94110
415.436.9333x134
fax 415.436.9993
jennifer@eff.org

8/11/2008
