Massachusetts Bay Transportation Authority v. Anderson et al
DECLARATION re 50 MOTION for Preliminary Injunction Supplemental Declaration of Joseph Kelley by Massachusetts Bay Transportation Authority. (Mahony, Ieuan-Gael)
Massachusetts Bay Transportation Authority v. Anderson et al
UNITED STATES DISTRICT COURT DISTRICT OF MASSACHUSETTS MASSACHUSETTS BAY TRANSPORTATION AUTHORITY Plaintiff
Civil Action No. No. 08- 11364-GAO
ZACK ANDERSON et al. Defendants SUPPLEMENTAL DECLARATION OF JOSEPH KELLEY 1. I am the Deputy General Manager for Systemwide Modernization for the plaintiff,
Massachusetts Bay Transportation Authority ("MBTA"). 2. I make this Supplemental Declaration based on my personal knowledge and a
review of MBTA business records concerning the matters set out below. I submit this Supplemental Declaration in support of the MBTA's Motion for Preliminary Injunction. I use the term "MIT Students" to refer to the defendants, Zack Anderson, RJ Ryan, and Alessandro Chiesa. The MBTA's Efforts, Following August 4, 2008 Meeting, To Obtain MIT Students' Presentation Materials 3. I understand that the MIT Students claim that they were unaware of the MBTA's
requests for materials that the MIT Students planned to present at the DEFCON Conference, and that the MBTA's non-receipt of these materials until Saturday morning roughly four hours before the TRO hearing was due to a "misunderstanding." This is incorrect, and I provide additional information concerning internal MBTA decision-making and my own exchanges with Professor Rivest, below, on these points.
I have reviewed the Supplemental Declaration of Richard Sullivan, a Sergeant
Detective in the MBTA Transit Police Department. I met with Sgt. Sullivan and others after the August 4, 2008 meeting Sgt. Sullivan describes in his Supplemental Declaration. The information Sgt. Sullivan provided at this meeting is the basis for the statement, in paragraph 50 of the Complaint, that "[t]he MIT Undergrads stated that they did not intend to harm the MBTA." 5. Sgt. Sullivan was concerned with the criminal aspects of the MIT Students'
conduct. Along with senior MBTA management, I wanted due diligence conducted to ensure that the MIT Students would act as they had promised, and in accordance with responsible disclosure principles. 6. The first step in this diligence was to obtain copies of any presentation materials
and hand-outs the MIT Students planned to provide at the DEFCON Conference. A review of this material would help determine whether the MIT Students, at least in their written materials, were acting consistently with what they told Sgt. Sullivan. 7. Accordingly, on Wednesday, August 6 I contacted and spoke with Professor
Ronald Rivest. I said that we wanted copies of any presentation materials, and wanted to contact the MIT Students. He said that the MIT Students were on their way to DEFCON, but that he would get in touch with them. He said that he would arrange a meeting with the MIT Students at some point, but said that police should not be present. 8. Professor Rivest called back on Wednesday August 6, and said that the MIT
Students would email their presentation materials to me. I gave him my email address, He the said he would call them back, and they would email me. Professor Rivest also said that the MIT Students would be available for a conference call the next day, Thursday August 7.
I did not receive a call, an email, or any other communication from the MIT
Students or from Professor Rivest on Thursday August 7. 10. I then called Professor Rivest at roughly 11:00 AM on the morning of Friday
August 8, 2008. He said he'd contact them. I stated that the MBTA had to speak to the MIT Students before the conference. 11. The MIT Students continue to resist providing materials they planned to present at
the DEFCON Conference. These include the software tools they promised to distribute, as well as other materials that would show the nature of their activities and their planned DEFCON presentation, including whether they were being truthful in claiming (a) they had not and did not intend to harm the MBTA, (b) they had not hacked MTBA computers or exploited the vulnerabilities they saw in the system, and (c) they had not used counterfeit cards on the transit system. The MBTA's Understanding of the Threat, Based On The "Security Analysis" Document 12. I have been overseeing a team of MBTA AFC personnel and outside vendor (the
"Review Team") in their review of the document the MIT Students provided on Wednesday evening, August 13, 2008, entitled "A Security Analysis of the Boston T" (the "Security Analysis"). I understand that the Security Analysis was filed under seal, as Docket No. 32. We have required that each individual given access to the Security Analysis first have a signed nondisclosure and non-use agreement in place. 13. Before receipt of the Security Analysis, it was unclear whether the MIT Students
were able to, or had, in fact compromised some portion or all of the Fare Media System, and it was not possible to reach these conclusions based on the quality and quantity of materials the MIT Students had provided.
Based on the evaluation of the Security Analysis document, conducted by the
Review Team, to a reasonable degree of certainty the MIT Students are able to compromise the security of CharlieTickets, and to clone and counterfeit CharlieTickets. Based on the Security Analysis, the MIT Students have not to date compromised the CharlieCard. 15. In sum, the MIT Students' activities are not a "prank," and represent a real risk to
that portion of the AFC System that relies on CharlieTickets. Signed under the penalties of perjury this 8th day of August, 2008.
# 5 5 4 5 6 0 8 vl
CERTIFICATE OF SERVICE I, leuan G. Mahony, Attorney for the Massachusetts Bay Transportation Authority in connection with the above-captioned proceeding, hereby certify that on this 18th day of August, 2008, the Supplemental Declaration of Joseph Kelley was served via the ECF system on the following interested parties:
Party Zack Anderson, RJ Ryan, and Alessandro Chiesa (the "MIT Undergrads")
Counsel Emily Berger, Esquire Email: firstname.lastname@example.org Jennifer Granick, Esquire Email: email@example.com John Reinstein, Esquire Email: firstname.lastname@example.org Thomas A. Brown Email: email@example.com Cindy Cohn firstname.lastname@example.org Lawrence K. Kolodney kolodney@fr. com Marcia Hoffman email@example.com Adam J. Kessel firstname.lastname@example.org
Massachusetts Institute of Technology ("MIT")
Jeffrey Swope, Esquire Email: JSwope@eapdlaw.com
/s/ leuan G. Mahonv
# 5 5 5 0 2 8 7 vl
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?