Massachusetts Bay Transportation Authority v. Anderson et al

Filing 31

DECLARATION re 30 Opposition to Motion Second Supplemental Declaration of Ieuan G. Mahony by Massachusetts Bay Transportation Authority. (Attachments: # 1 Exhibit 1)(Mahony, Ieuan-Gael)

UNITED STATES DISTRICT COURT
DISTRICT OF MASSACHUSETTS

MASSACHUSETTS BAY TRANSPORTATION AUTHORITY, Plaintiff

v.

ZACK ANDERSON, RJ RYAN, ALESSANDRO CHIESA, and the MASSACHUSETTS INSTITUTE OF TECHNOLOGY, Defendants

Civil Action No. 08-11364-GAO

SECOND SUPPLEMENTAL DECLARATION OF IEUAN G. MAHONY

1. I am a partner at Holland & Knight, LLP, representing the Massachusetts Bay Transportation Authority ("MBTA") in this matter. The following further supplements my earlier Declaration in this matter, and is submitted in opposition to the Individual Defendants' Cross Motion for Reconsideration.

2. Attached as Exhibit 1 is a true and accurate copy of an article published in MIT's The Tech: Online Edition entitled "Students' Subway Security Talk Canceled by Court Order" by Michael McGraw-Herdeg and Marissa Vogt dated, before updating, August 8, 2008. See http://www-tech.mit.edu/V128/N30/subway.html.

3. The Article reads in relevant part:

Though the presentation itself has been canceled, the presentation slides and confidential vulnerability report the students wrote for the MBTA are now widely available online. Still unavailable is some key information that would complete the attack and let people copy transit cards or add money to their CharlieTickets. It is unclear whether the students had managed to copy or edit the content of the CharlieCard, but their presentation included a detailed discussion of weaknesses in the card's encryption.

Id. at 2 (emphasis added).

4. The Article further reads in relevant part: Phil Zimmerman, the individual who provided the MIT Undergrads with a Declaration immediately prior to the

Security expert Phil Zimmerman said that traditionally researchers give at least a month after notification before they disclose a vulnerability in a software system. In hardware systems such as the MBTA's magnetic-stripe and RFID card system, where fixing the vulnerability could possibly take more time, researchers usually offer more time, he said. "If it was me, I would've tried to give them more time to fix it," Zimmerman said. But, he said, "public disclosure is a good thing," because intense public scrutiny can help force people to fix systems.

Id. at 4 (emphasis added).

5. The Article further reads in relevant part:

Dan Kaminsky, a security researcher who recently discovered a serious vulnerability in the domain name system underlying the Internet, said that the students' disclosure could have been handled more gracefully. But the MBTA also responded inappropriately, he said, by suing the students instead of just asking for time.

Id. at 5 (emphasis added).

Signed under the penalties of perjury this 14th day of August, 2008.
