Massachusetts Bay Transportation Authority v. Anderson et al

Filing 59

Transcript of Hearing on Motion for Temporary Restraining Order held on August 9, 2008, before Judge Woodlock. Transcribed by Maryann Young at 508/384-2003. The Transcript may be purchased through Maryann Young, viewed at the public terminal, or viewed through PACER after it is released. Redaction Request due 9/8/2008. Redacted Transcript Deadline set for 9/16/2008. Release of Transcript Restriction set for 11/14/2008. (Scalfani, Deborah)

UNITED STATES DISTRICT COURT
DISTRICT OF MASSACHUSETTS

MASSACHUSETTS BAY TRANSPORTATION AUTHORITY, Plaintiff
v.
ZACK ANDERSON, et al, Defendants

CIVIL ACTION NO. 08-11364-GAO
BOSTON, MASSACHUSETTS
AUGUST 9, 2008

TRANSCRIPT OF HEARING ON MOTION FOR TEMPORARY RESTRAINING ORDER
BEFORE THE HONORABLE DOUGLAS P. WOODLOCK
UNITED STATES DISTRICT JUDGE

APPEARANCES:

For the plaintiff: Ieuan-Gael Mahony, Esquire; Scott Donnelly, Esquire; Holland & Knight, LLP, 10 St. James Avenue, Suite 12, Boston, MA 02116, 617-575-5835, ieuan.mahony@hklaw.com

For MIT: Jeffrey Swope, Esquire; Palmer & Dodge, LLP, 111 Huntington Avenue, Boston, MA 0199-7613, jswope@palmerdodge.com

For Individual Defts.: Jennifer Stisa Granick, Esq.; Marshal Hoffman, Esquire; Electronic Frontier Foundation, 454 Shotwell St., San Francisco, CA 94110, 415-436-9333, jennifer@eff.org

Court Reporter: Proceedings recorded by electronic sound recording, transcript produced by transcription service.

MARYANN V. YOUNG, Certified Court Transcriber, Wrentham, MA 02093, (508) 384-2003

PROCEEDINGS

COURT CALLED INTO SESSION

THE CLERK: Calling the case of Civil Action 08-11364, Massachusetts Bay Transportation Authority v. Zack Anderson, et al. Will counsel please identify themselves for the record?

MR. MAHONY: Ieuan Mahony from Holland & Knight for the plaintiff, MBTA.

MR. DONNELLY: Scott Donnelly for the plaintiff, MBTA. I'm also here with MBTA general counsel, Bill Mitchel, MBTA deputy general manager for Systemwide Monitorization, Joe Kelly, and Jack McGlaughlin, who is MBTA project director for Systemwide Monitorization, which deals with the Automated Fare Collection system and the CharlieCard system.

MR. SWOPE: Good morning, Your Honor, Jeffrey Swope from Edwards, Angell, Palmer and Dodge. With me is general counsel for MIT, Gregory Morgan, and other counsel Jay Wilcox.

THE COURT: Now, I understand as well that we have on the phone three attorneys I guess in Las Vegas, Jennifer Granick Opsahl and Marshal Hoffman. Ms. Granick, are you here?

MS. GRANICK: Yes, Your Honor, good morning. I'm actually in San Francisco right now--

THE COURT: All right.

MS. GRANICK: --and my colleagues are in Las Vegas.

THE COURT: And are you affiliated with a law firm?

MS. GRANICK: We are from the Electronic Frontier Foundation, which is located in San Francisco.

THE COURT: And are you separately representing the individuals?

MS. GRANICK: We are representing them jointly.

THE COURT: All right. And I want to be sure you understand the ground rules here. I understand that you represent that you're representing all of the individuals here. Do you understand that as a consequence you are their agents and that any order that I enter here would be understood to have provided notice to your clients. Do you understand?

MS. GRANICK: Yes, Your Honor, I understand that. I believe that our clients, Zack Anderson, RJ Ryan and Allesandro Chiesa are on the call listening in from the Las Vegas end of the conversation.

THE COURT: All right. So--

MS. GRANICK: They are listening to the proceedings in this hearing, Your Honor.

THE COURT: All right. So Mr. Anderson, are you present?

MR. ANDERSON: Yes, I am.

THE COURT: Mr. Ryan, are you present?

MR. RYAN: Yes, I am.

THE COURT: And, Mr. Chiesa, if I pronounce it correctly, are you present? Mr. Chiesa?

UNIDENTIFIED: He stepped out of the room.

THE COURT: Mr. Chiesa?

MS. GRANICK: I think I hear them say he stepped out of the room for a moment.

THE COURT: All right. As soon as he comes back I'd like to have him identify himself, so Mr. Anderson and Mr. Ryan, you'll tell him to do that when he comes back in the room?

MR. RYAN: Yes, Your Honor.

THE COURT: Do you understand that, Mr. Anderson, Mr. Ryan?

MR. RYAN: Yes, Your Honor.

MR. ANDERSON: Yes, Your Honor.

THE COURT: All right. I've been presented this morning with some additional materials filed by the MBTA, in particular a declaration of Mr. Henderson. And in the Declaration of Mr. Henderson at paragraph 15 he states that he received a voice mail from Mr. Anderson at 6:49 p.m. last night stating that his lawyers had advised him not to send the presentation materials in connection with the DEFCON presentation for Sunday. Is that correct?

MS. GRANICK: Yes, Your Honor. We wanted to, when we realized that the MBTA had filed a lawsuit against our clients and wanted to review the materials, we wanted to take an opportunity to go over the materials with our client before providing them to opposing counsel.

THE COURT: Have you done so?

MS. GRANICK: Of course--

THE COURT: Have you done so?

MS. GRANICK: Yes. We have reviewed our materials with our clients and we provided them to opposing counsel late last night by email, and those materials I believe have been attached to Mr. Mahony's declaration as Exhibit 7. So I believe they're currently before the Court as well.

THE COURT: All right. These are the entire materials that you intend for presentation?

MS. GRANICK: Those are the visual materials.

THE COURT: Well, is there anything else that is of substance for the presentation?

MS. GRANICK: No, Your Honor.

THE COURT: There will be nothing beyond what's shown on these several slides?

MS. GRANICK: No, Your Honor.
I think that the slides are visual and do not, they may not completely, I don't think they're -- the slides are complete, but they do not constitute as many PowerPoint presentations do bullet points of what will be discussed. So, Your Honor, I think what the slides--

THE COURT: Just a moment. Is there anything of substance to the presentation, anticipated for the presentation that is not on the slides?

MS. GRANICK: No, Your Honor.

THE COURT: Mr. Mahony, do you intend to have someone explain what problems, if any, are presented by these slides?

MR. MAHONY: Your Honor, we made numerous requests for these materials.

THE COURT: I don't want to hear history now.

MR. MAHONY: That's fine. Your Honor, I spoke with Scott Henderson at 6:00 this morning at Logan Airport and with a Daniel Tieran from Shatten Bockman again at 6:00 at Logan Airport before their 8:00 flight to Las Vegas to go over these slides. It was not possible, Your Honor, to obtain any affidavit, declaration for the Court.

THE COURT: What's the representation?

MR. MAHONY: The representation is I have materials that I can take the Court through on an oral basis and walk through those particular slides that cause concern. I also point out, Your Honor, that my sister has said, and I think this is accurate, that the slides do not provide what will be discussed at the particular presentation.

THE COURT: I don't believe that's what she said. What she said, and if you will confirm this for me, Ms. Granick, is that the slides contain the substance of everything that is going to be presented at the hearing, during the presentation of the defendants; is that correct?

MS. GRANICK: Yes, Your Honor, that's correct. And I can elaborate on that to be more concrete.
I want to, Your Honor, you have seen the slides and so as you know many of them are visual depictions which are depictions of what the presentation will contain, but is not a verbatim transcript. That's the only reason why I'm being a little bit cautious about saying unqualified yet. It's not a transcript, but those slides are the complete representation of what the talk is about.

THE COURT: Well, and the substance of that talk.

MS. GRANICK: And the substance of that talk, exactly.

MR. MAHONY: Your Honor, if I may as well, just to get assurances, on page 37 of the slides there's a slide that says demo--

THE COURT: Hold on a second.

MR. MAHONY: Yes.

THE COURT: Okay, go ahead.

MR. MAHONY: The slide says up at the top, Demo, magcard and reverse engineering tool kit. That looks like a demonstration that is outside the four corners of the slides.

THE COURT: All right. So, Ms. Granick?

MR. MAHONY: There's also a point here, wrote--

THE COURT: Let me do it go step-by-step unless it's necessary for me to hear more of the various objections you have.

MR. MAHONY: Thank you, Your Honor.

THE COURT: This is the first objection that you have?

MR. MAHONY: Correct.

THE COURT: That there's some sort of demo contemplated here?

MR. MAHONY: Correct.

THE COURT: All right, Ms. Granick? What do I make of the demo that suggests can now forge cards?

MS. GRANICK: Yes. I see the slide we're talking about. It's entitled Demo Magcard and Reverse Engineering Tool Kit.

THE COURT: So what are they going to do?

MS. GRANICK: They are going to do a demonstration that shows that they had now created a card that is forged. In other words, one that is not issued by MBTA.

THE COURT: All right.

MS. GRANICK: And the important part of this demonstration realizes that this is a demonstration but it is a, the demonstration will be lacking in some critical information which would be required for another person to duplicate this feat and create a card that is a forged card that could be used with MBTA. So, Your Honor, if I could talk about just terms of these slides, we have provided a declaration by Erik Johanson who is an expert in the field of RFID and transportation security and he has looked at the slides that our clients are intending to present and, so some of his declaration--

MR. MAHONY: Your Honor, if I may--

THE COURT: Just a moment. Mr. Swope, do you have that declaration?

MR. SWOPE: It was sent to Mr. Wilcox with a request that it be printed. MIT is not offering it as its own, but I do have the document which might make this easier.

THE COURT: All right. Mr. Swope is going to pass up to me, Ms. Granick, what I gather was sent along to him which is this declaration, and let me take a look at the declaration first.

MS. GRANICK: Okay. Your Honor, just let me know when you're ready for me--

THE COURT: Yes.

MS. GRANICK: --to address it.

THE COURT: I will.

PAUSE

MS. HOFFMAN: Your Honor, this is Melissa Hoffman from -- (inaudible #12:04:11) for Alessandro Chiesa.

THE COURT: All right. Mr. Chiesa, are you present? Mr. Chiesa, are you present?

MR. CHIESA: Present.

THE COURT: All right.

PAUSE

THE COURT: All right. I've read Mr. Johanson's affidavit the purport of which I gather is that the presentation of the defendants has nothing new to add?

MS. GRANICK: I'm sorry, Your Honor, could you repeat what you said?

THE COURT: Mr. Johanson says the slides do not describe any new techniques for breaking cartography used by the CharlieCard.

MS. GRANICK: That's correct -- I'm sorry.

THE COURT: And he indicates that everything is in the public record, so what's the need for the presentation?

MS. GRANICK: Well, that's -- Your Honor, the -- you are correct. It says that the research techniques are in the public domain with the exception of one piece of information which is, and the part of the research which is novel performed by the students and that is an application of the research technique to the CharlieTicket, and the way that the CharlieTicket, that the techniques were applied to the CharlieTicket is widely known. What the students discovered is that there is not adequate additional security on the CharlieTicket to prevent them from being compromised according to these already widely known technique. The critical piece of information that the students have discovered, but which is not included in the presentation and which the students never intended to include in the presentation is the check sum, and the check sum is a security technique that is employed to ensure that the card is, that a card is not in any way tampered with. The slides show the check sum and that the check sum changes when the ticket is tampered with, but they do not describe how to compute the check sum and an attacker would not be able to replicate the novel portion of their research without knowing how to compute the check sum.
So basically what the presentation is is as many academic pieces of work are, is a collection of the materials that are already known in the relevant field and an application of that research to a specific case study in order to learn a little bit more about how security, about how security is implemented and the ways in which security techniques can fail to protect the fare system.

THE COURT: So does this add or not to sum of human knowledge on this subject?

MS. GRANICK: Your Honor, I believe that it does add. I think that--

THE COURT: So it adds some increment of -- just a moment. It adds some increment of information not presently available based upon their accessing aspects of the computer system; is that correct?

MS. GRANICK: No, Your Honor, it is a piece of information that was the subject of their research paper with Professor Rivest at MIT, so the professor considered it to be a valid piece of original research. It was accepted by the DEFCON conference so the conference organizers felt that it was a piece of research that was interesting to the security people that attend that conference. It was not obtained through any kind of unauthorized access to computers. It was research that they performed by applying existing commonly used research technique to the mag, to examine the magnetic stripe card and the data that are stored on those cards. But the, one of the things that the students have discovered but a piece of information which they have not planned to and do not plan to reveal publicly is how to calculate the check sum, and without the check sum, the information that they're going to present cannot be used by an attacker to make fraudulent cards. Which gets me to Your Honor's question about the slide relating to the demo and what the importance is of the demo.
The demo allows the student to demonstrate that they have figured out how to calculate the check sum without revealing how they've done it to the people who attend the presentation. So it's a demonstration that the security is weak and needs improvement but without providing a critical ingredient for an attacker. So they have tried to be, by tailoring the presentation this way, they've presented the existing information in their academic field that relates to this. They have presented what new information they done, or new research that they've done that pushes the envelope of the information that existed before. My advisor in college used to call it standing on the shoulders of giants. So they show how they are standing on the shoulders of giants, but they have responsibly decided to withhold a piece of information that would allow anybody, somebody who doesn't have, you know, any kind of academic background or interest in the field and is simply an attacker to make a fraudulent fare card. So that is their, that was their intention from the beginning and is what they communicated to MBTA when they had their meeting on, you know, earlier in the week.

THE COURT: Why isn't the addition of this information with the focus on check sum an additional piece of information that focuses a potential hacker on places to conduct that hacker's own research?

MS. GRANICK: I think that if you saw this presentation you would know that the card has a check sum function on it, but I think that these are, this is information that is already widely known. In fact, it is information--

THE COURT: I'm sorry, Ms. Granick, but you keep going back and forth between the idea that it's already widely known and that it adds something.
Now, if it's already widely known, then there's no particular reason for them to be making the presentation. If it is adding something, what is it adding? It's adding some piece of information that makes it possible for others to focus their attention on the way in which you can hack into these collection systems. The very next slide says, are they hackable? Yes. So--

MS. GRANICK: Well, Your Honor--

THE COURT: --you know, the short of it is that what they're doing is providing research, maybe not complete research but research that focuses the attention of those who have an interest in this area who are not all academics on the--

MS. GRANICK: Your Honor, that--

THE COURT: Just a moment, may I finish? Which is part of the concern that's expressed in the Computer Fraud and Abuse Act, which we'll get to in a moment, but there's something additional, right or wrong?

MS. GRANICK: There is something additional in the presentation, but the fundamental point that you are relating to which is that there is insecurity in the, MIFARE payment system, that is implemented by MBTA, that information is not new. That information is widely known. There have been news reports about it in the newspaper and it is widely known in the academic world where the students, that's part of this research paper. So yes, it's true that this information, that this presentation discusses something new. That something new is that this system is in fact vulnerable and that the security mechanism that they put in place is not working and that does let people know that it is possible to defeat the security of the system. I believe that was already widely known, but what the report adds or what the presentation adds is that they are, that these students have figured out how to do it.
I don't, I respectively disagree that the fact that much of this information maybe, whatever percentage of it, 90% or 95% of it is already known, means that there's no reason for the presentation, that is part of, you know, presenting your work is that there, as I called it, standing on the shoulders of giants, is that you talk about research that's relevant to your field, but I do think that--

THE COURT: It does, however, Ms. Granick, go to the question of balance of harm.

MS. GRANICK: Well, I think--

THE COURT: Just a moment, just a moment. I think I've understood the position that you're expressing concerning this. Now I want to hear from the plaintiff on this. So we have this proposed demo which I understand will not be so much a demo as a report that they could demonstrate if they wanted to.

MR. MAHONY: That's correct, Your Honor, and I think the fact that this demonstration is, will focus attention on the fact that it's a viable solution that the card is hackable and that these individuals will be up there stating this is possible to do. Your Honor, as the Court said, this is providing that the research that focuses the attention of those who have the interest in doing this who may not be academics. Your Honor, this is a competitive--

THE COURT: Look it, I'm really not interested in the conclusions.

MR. MAHONY: Yes.

THE COURT: I really want to get to the specifics of where you say there's a problem and let me, and I'm going to afford them an opportunity to respond.

MR. MAHONY: Your Honor, the demo, if we look down in the next line here, on the same slide 37, wrote python libraries for analyzing mag cards. Python is a programming language, it's open source and in the announcements the Court may recall that the MIT, the undergrads said that they were going to provide open source software tools to accomplish the hacks.
So, this is not simply saying we did it, aren't we inventive? It's also providing a tool to help accomplish this. Our understanding is that these would likely be software tools that would make it easier to analyze the cards, and I'll point the Court to analysis component in just a second, but, Your Honor, in terms of, my sister said that it's just the presentation, it's just the four corners here. We've seen the demo as something in addition. If the Court takes a look at the first page of this presentation, so it says, anatomy of subway hack, the Court can see in the bottom it says for updated slides and code. See this website. My reading of that, our reading of that is that's software code. So, Your Honor, it's not simply this slide presentation. It's--

THE COURT: All right. Now, let me focus on that issue. Ms. Granick, what's the reference to code?

MS. GRANICK: The reference to code, Your Honor, relates to the software tools that the students plan to release with the presentation and those software tools are not tools which are targeted for the MBTA system. They are generalized, generalized tools that are for reading magnetic cards, for analyzing information on cards, and for reading, using software or open source radio software to listen to the signals from RFID cards and those sorts of things. They are not tools that a malicious attacker could come along and automatically use to crack the check sum security system, the check sum on the MBTA check sum.

THE COURT: Let me ask -- just a moment.

MS. GRANICK: And the - I'm sorry.

THE COURT: Let me ask two questions. One, is there any place in the slides where this code is identified and referenced?

MS. GRANICK: Let me take a look, Your Honor.

PAUSE

MS. GRANICK: Well, they show, they refer to the code that they created, the Python written code that's on the slide that we've been looking, wrote the Python library to integrate with the reader/writer, and I can go through the slides and see where the other tools they use are mentioned, Your Honor. I think the important thing if I could give it up, the open source tool book, is that they are not tools which standing alone allow an attacker to make fraudulent fare cards. And I think that the idea that this presentation for these tools are the things that are going to focus an attacker on the weaknesses in the security system is mistaken. There's already been news reports in the Boston Globe, in the Boston Herald and in on-line magazines about the security weaknesses in the CharlieCard and the cards generally used for the T.

THE COURT: Well, I think we can -- just a moment, Ms. Granick, we've been over that. This is your difficult position of saying there's nothing new except what's new and what's new isn't new, and that it seems to me is not something that I find particularly persuasive. So--

MS. GRANICK: Well, the a way--

THE COURT: Just a moment, just a moment. I think I've heard what I need to hear with respect to that issue; that is, there is something more that they propose to offer those who attend that are not included in the slides. So what else?

MR. MAHONY: And, Your Honor, I just note the Court had a question of where else is their code in the slides and if the Court were take a look at page 66 and 67, that there's code mentioned here that is for, you know, that focus. Your Honor, if I may--

THE COURT: Yes.

MR. MAHONY: --refer the Court to the actual magstripe information just for a minute. It's on page 29.
And, Your Honor, if could just do a short visual because 29 just has a lot of letters and numbers along dark black lines. Your Honor, I've got just a standard credit card here and that the black line on the back is the magnetic stripe. That's the magstripe. I have my own CharlieTicket here and the black stripe on the front is a magnetic stripe as well. This information here, the information that's on the magnetic stripe is not meant to be seen. There isn't coding on the strip. If the Court were to take a look at page 30, what the MIT undergrads have done is map out the code so that these different codes now associated with bits of data. The Court can look at the very bottom, right-hand corner to see the phrase check sum and that's what my sister has been referring in part.

THE COURT: I'm sorry, that's what?

MR. MAHONY: My sister has been referring to--

THE COURT: Right.

MR. MAHONY: --that check sum data.

THE COURT: Yes.

MR. MAHONY: If the Court were to take a look at the next page, which is 31, there's the statement forging the CharlieTicket. So forging these magnetic stripe cards and in 32 it has that same data that you just looked and 33 gives another example to show methods for analyzing the data on these magnetic stripes. Now, Your Honor, let me point to another objection. So in other words, Your Honor, the mapping, the specifics, the details of this particular card are exposed so that if the lead time or the investment time, that saves me. If I'm interested in this investment time to find it out for myself and it's public. Your Honor, on page 35 if I could call the Court's attention to another example of disclosures and activity targeted to the card that, as far as we know, are not in the well, let me explain what's going on here.
You can see in the left, at least what we understand is going on here, in the left hand side, we have a card that's got an issued value of $1.25 so that the user here or the hacker here or the attacker here has spent the $1.25 on this particular card. The card is then converted using these forging and counterfeiting techniques that are disclosed into a card that is worth $100. Again, that's our understanding of what this is illustrating and again, my sister stated that even on the face of the slides, additional verbal explanation is required because the slides are visual. This slide here may require a paragraph or 10 pages worth of textural description to make it clear to an audience. We have no control, idea, assurance, comfort about what will be said in that two minutes, 30 seconds, 20 minutes of text that is needed to explain this particular slide as one example. Now, Your Honor, there are some additional concerns that are more along the lines of concerns we talked about yesterday.

THE COURT: Anything more from the slides?

MR. MAHONY: Yes, but Your Honor, these are more - potentially the Court could view these as puffing or as advertising. We think in this context it is not a prank. It's not good fun. It is an enticement. It is providing research that focuses the attention on a particular target, us. So for example, page 4, the individual defendants state you'll learn, you will learn from this conference, you will learn how to generate these stored value fare cards. The reverse engineer, the magstripes, and that's the coding that we looked at, to pull out, to map that coding, had attacked the RFID cards, and those are the stored value cards, et cetera. It goes on.
To tap into the fare vending network, and we have some concerns about that that I'm going to get to very recently, I mean, in just a minute. And on page 5, Your Honor, the statement is, and this is very illegal. So the following materials for educational use only. Your Honor, that appears quite tongue and cheek, at least to us. And if the Court were to look on page 24, and I apologize because there's two page 24's, I was not in my memory I, but it's the first page 24, is value stored on the card. In other words, can the card be used as the equivalent of cash? And it says, if it is, try a cloning attack. In other words, duplicating the cards, counterfeiting the cards. In other words, it's like printing cash. And then, Your Honor, on the second page 24, it says if yes, in other words, if it's a stored value card, then you now have free subway rides for life.

Now, Your Honor, let me point the Court to one last objection, specific objection, which is on page 71, actually it starts on page 70. This is talking about network security and this is hacking the network. This is beyond simply the Fare Media, Your Honor, that the AFC network includes credit card information. Now, it's encrypted with very strong triple encryption, but it's there on the network. There's a lot of data, private data, data proprietary to the T that's on the network. It's well beyond these counterfeiting and forging activities. This is tapping into the MBTA's own network. Now you can see the third point down found unguarded network switches. Now, Your Honor, that phrase, unguarded must be taken with salt.

THE COURT: With what?

MR. MAHONY: With salt, Your Honor. These, the network switches are within alarmed areas, high security. If
they access them they must be very tricky but they certainly knew they weren't supposed to be there. 71, fiber switches in an unlocked room. network switch. Now, we see on page Your Honor, this is a It's core This is a hub of the network. computer equipment with software and data and now, Your Honor, on page 71 there's nothing underneath these huge servers. There's no graphic underneath them, but if the Court takes a look at page 72, the Court will see a graphic there and that graphic says wire shark. way to snip a network. all network traffic. What is wire shark? Wire shark is a It's a way to surreptitiously monitor Now, network traffic on the T system because it is sensitive is encrypted but even so, Your Honor, this type of equipment, this software can pick up IT addresses, in other words, where the data is originating, where it's going to, who is talking to whom essentially and where this information goes. This is very, this is monitoring. Your Honor, that is sufficient for current purposes to give the Court our view again since 4:30 this morning of this particular document. MARYANN V. YOUNG Certified Court Transcriber (508) 384-2003 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 PAUSE 25 THE COURT: All right. What I think I'd like to do then is to, we'll work our way through the statute to understand first the jurisdiction here and precisely what it is that you're asking for. Let me start here with the, what I consider to be the jurisdictional issue. in front of you. Ms. Granick, do you have a copy of Section 1030 in front of you? MS. GRANICK: THE COURT: MR. MAHONY: Yes, Your Honor. Okay. Your Honor, I apologize. I I assume you had a copy of Section 1030 unfortunately left some things at home. THE COURT: Code, Title 18. MR. MAHONY: Thank you. Here's a copy of the Federal Criminal THE COURT: Okay. As I understand the thrust of the argument, and this a federal question case only on the basis of Section 1030. MR. MAHONY: THE COURT: Correct. 
The diversity, if I don't have federal jurisdiction, then this case has to be remanded.
MR. MAHONY: Correct.
THE COURT: Okay. 1030(e)(2)(B) seems to be the claim that you're making; that is, a computer which is used in interstate or foreign commerce. In your memorandum you state that it's in interstate or foreign commerce because the computers are for example used to provide the MBTA services in Rhode Island and Massachusetts and you cite to paragraph 7 of Mr. Kelley's declaration. Paragraph 21 of Mr. Kelley's declaration indicates that it is not being used for MBTA services in Rhode Island, out of state.
MR. MAHONY: Your Honor, I should be clear, I'm almost positive that that paragraph says the CharlieCards are not being used but the computers themselves are used throughout the system.
THE COURT: Well, but we're talking about this particular use, aren't we?
MR. MAHONY: Well, there's CharlieTickets and CharlieCards, Your Honor. So the - let me just get - Yeah, 21, Your Honor, states, although CharlieCards are not currently employed on the MBTA's, and we distinguish between CharlieTickets and CharlieCards--
THE COURT: Where are the CharlieTickets shown to be used for commuter rail?
MR. MAHONY: Actually, Your Honor, a simple method for this, and I may have this wrong, but, Scott?
MR. DONNELLY: The commuter rail runs out of Providence, Rhode Island and the CharlieTickets are used.
THE COURT: And do you use the same computer for both of them?
MR. DONNELLY: Yes, we do.
THE COURT: It's not a separate computer system?
MR. DONNELLY: No, the same computer system.
THE COURT: Okay. Now, turning then to the suggestions in ways in which there's damage, I don't understand how that works.
First you allege damage under (a)(5)(B)(i).
MR. MAHONY: Yes.
THE COURT: And that is loss of $5,000. There's no indication of a loss of $5,000. No indication of loss at all.
MR. MAHONY: Your Honor, what we have done is state that the CharlieTicket and the CharlieCard account for 68% of the weekday traffic.
THE COURT: You may, but that's not the damage. Damage, you have to show loss to one or more persons during any one year period resulting from a related use in the course of conduct, aggregating at least $5,000 in value. There is no loss at this point, right?
MR. MAHONY: Your Honor, even - the statute says that a loss can include assessment, remedial efforts, all of what--
THE COURT: Look it, we're going to have to go very specifically--
MR. MAHONY: Yes.
THE COURT: --because it is a criminal statute and the Rule of Lenity applies in civil proceedings in respect of criminal statutes when they're used as a basis. So you say that the prospect of loss of at least $5,000 brings it within this provision?
MR. MAHONY: That's correct and--
THE COURT: Okay. So show me where it says that.
MR. MAHONY: In our papers.
THE COURT: Where? If I refer to Mr. Kelley's declaration, the first paragraph that's referenced says the procurement and installation of the automatic fare collection system cost in excess of $180 million.
MR. MAHONY: Yes, that's correct, Your Honor, but to, but later in Mr. Kelley's affidavit, we have allegations, I'm sorry, statements that pick up the damages as well, Your Honor.
THE COURT: Well, paragraph 19 is the second one that you reference. You talk about 80% of the users using CharlieCard pass, and CharlieCards accounting for approximately $475,000 of the weekday, per weekday revenues which I recall correctly about $700,000.
MR. MAHONY: Yes, that's correct, Your Honor.
THE COURT: Okay, but again, where's the loss?
Are you saying that prospectively there's a loss of some amount that is going to be in excess of $5,000; is that what you're saying?
MR. MAHONY: Correct, Your Honor. And I'm still - I'm looking for the provision in Mr. Kelley's affidavit just to make sure that I've exhausted that point as well.
MS. GRANICK: Your Honor?
THE COURT: Just a moment while I let Mr. Mahony try to locate it.
MS. GRANICK: Thank you.
MR. MAHONY: Thank you, Your Honor.
THE COURT: You're welcome.
PAUSE
MR. MAHONY: Your Honor, I do not recall a specific allegation with respect to the $5,000 map. The position is it's implicit in the statements that this information if disclosed will cause substantial harm to the system. Also implicit in the statements quantifying the proportion of overall passenger trips that are attributed to the CharlieTicket and the CharlieCard and that those sums well exceed, substantially exceed the $5,000 amount.
THE COURT: All right. So the argument is that it comes within the (i)?
MR. MAHONY: That is one basis for the damage, yes, correct.
THE COURT: That's the only basis for the damage, that prospectively you're going to have more than five, you're going to face more than $5,000 worth of damages if this permits people to hack in improperly?
MR. MAHONY: Correct. That's correct.
THE COURT: Okay. Now, turning to the next grounds that you have, you say that it's a threat to public health or safety.
MR. MAHONY: Yes.
THE COURT: What's that?
MR. MAHONY:
Your Honor, we go through the volume of traffic that's provided, the volume of commuter transit that's provided by the system and the system if destabilized--
THE COURT: Destabilized simply means that people are stealing from it and that's your theory of public health and safety is that if the system can't run, it's a threat to public health and safety?
MR. MAHONY: Correct, Your Honor.
THE COURT: That it?
MR. MAHONY: Well, we have felt that declarant, testimony concerning the funds MBTA receives--
THE COURT: Right, that they can't keep their fisc, you say threatens public safety and security?
MR. MAHONY: Correct. And that riders lose faith, lose confidence in the--
THE COURT: That's not enough.
MR. MAHONY: --fare collection system.
THE COURT: That's not enough for physical injury to me personally. So I don't find that the (iii) be applicable, or (iv), excuse me. Now, turning to the next one which is damage affecting, (5) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense and national security. Is this computer system, that is the computer system that deals with the CharlieTicket and the CharlieCard, the computer system that is used by the MBTA in furtherance of the administration of justice, national defense or national security.
MR. MAHONY: The same network that runs AFC also runs the antiterrorism video cameras, and supports the other antiterrorism initiatives at the T, and in paragraph 9 of Mr. Kelley's affidavit, we point to the Homeland Security investment--
THE COURT: Right. They've made an investment. The question is whether or not these computers that we're concerned about.
MR. MAHONY: Yes.
THE COURT: Oh, you say it's connected to the network. Can this stand alone? That is, the CharlieCard and CharlieTicket stand alone without its networking?
MR.
MAHONY: No, it relies on the computer network, Your Honor, to communicate a store value, accept payments, track usage.
THE COURT: Let me put it differently, can the defense in national security dimensions to the MBTA stand alone without connection to the CharlieCard?
MR. MAHONY: No.
THE COURT: Why? Is there an answer to this?
MR. DONNELLY: No, I can't say that it can't, it can't stand alone. Right now it is interchangeable.
THE COURT: When you say interchangeable, you mean it's part of a network of some sort?
MR. DONNELLY: It goes on the same network that the vending machines and the CharlieCards system goes to. It's all in the same network.
THE COURT: But if we take the term computer as describing a data storage facility, which is the way it's described in (e)(i), or communications facility directly related to or operating in conjunction with such a device, does that describe from your perspective the CharlieCard, CharlieTicket computer? I'm sorry, its relation to national security and defense?
MR. DONNELLY: The camera system was funded by Homeland Security grants--
THE COURT: I understand that. Here's what I, I think I understand that. What I'm focusing on is that there is a definition of the term computer for these purposes. It doesn't really refer to network, but let me read it to you just so you have a sense of it. It's in (e)(i). It says, "The term computer means an electronic magnetic optical electrochemical or other high speed data processing device, performing logical or mathematic or storage functions. It includes any data storage facility or communications facility directly relating to or operating in conjunction with such device."
Now, we're assuming for present purposes that if you didn't get money from Homeland Security, didn't have any national security role, that you'd have a stand alone computer that is the object of the interest of the defendants? The question for me is whether or not I assimilate the national security computer that you have to the CharlieCard, CharlieTicket computer and, if so, how I do that.
MR. MAHONY: Just before you - Jack, are you--
MR. McLAUGHLIN: What we have is settlement--
THE COURT: Just a moment. If you'd just identify yourself for the record.
MR. McLAUGHLIN: I'm Jack McLaughlin. I'm sorry. I apologize, Your Honor. I'm the project director.
THE COURT: Right.
MR. McLAUGHLIN: What we have is a subcomputer systems that takes into account all of our gates, fare machines and equipment, all come back into the central computer system, which is encrypted, testimony has heard is encrypted. The video system was installed originally on the equipment and in light of September 11th, we expanded that system with Homeland Security funding and that's a system that goes to various hubs throughout the system. We have five hubs that can actually take over the system, specific lines in case they go - (inaudible - #12:46:53) - so they can switch over. For example, the hub at North Station can run the entire Orange Line if the need be, so in that respect, yes.
THE COURT: All right. So if I understand you you are saying that it includes the communication facility, communications facility that's directly related to or operates in conjunction with, to the degree that we're talking about, the--
MR. McLAUGHLIN: Your Honor--
THE COURT: Let me just, so I can work my way through this, to the degree that we're talking about a computer system used by or for a government agency in furtherance of the administration of justice, national defense and national security.
So it's tied together.
MR. McLAUGHLIN: Yes. We have in fact used the video system now that it's attached to the system in furtherance of investigation by law enforcement agencies--
THE COURT: You say video system attached to the system, meaning, video system attached to the CharlieCard and CharlieTicket?
MR. McLAUGHLIN: That's right - (inaudible - #12:48:07).
MR. MAHONY: Your Honor, if could, just in terms of this connection, if the Court could take a look at page 13 of that slide that you looked at before--
THE COURT: Okay.
MR. MAHONY: --it's the page that says, state of the art surveillance often unattended. This is the surveillance system that - I'm sorry, page 13.
THE COURT: I've got it.
MR. MAHONY: This is the surveillance system that both Mr. Kelley and Mr. McLaughlin had testified to. As can be seen by the slides, this is one of the target hacks because it is the same system of the individual defendants.
THE COURT: Okay. All right. I don't understand what it is that you precisely said they are doing improperly, and I guess we have to at that go to 130(a) because that's the grounds for injunctive relief under 130(g).
MR. MAHONY: Yes.
THE COURT: So what particular provisions are we talking about?
MR. MAHONY: 5(a)(1), Your Honor. "Knowingly causes the transmission of a program, information code or command and as a result of such conduct, intentionally causes damage without authorization to protected computer."
THE COURT: That's the only one?
MR. MAHONY: No, that's one. So this is a program, information code or command that encompasses what the defendants have done.
Item (ii) - I'm sorry, Item (iii) is the other grounds under 5(a) that refers to intentionally accessing a protected computer without authorization and as a result of such conduct causes damage. So we have discussed how these are protected computers, this is the system that these cards are part of and these are being accessed in order to, the cards are counterfeited and their unauthorized access to obtain funds. So that's for 5(a), Your Honor, and then 5(b) we've gone through in terms of the 5,000 amount, the health or safety, et cetera.
THE COURT: All right. So, Ms. Granick, if you're going to be the one speaking to this--
MS. GRANICK: Yes, Your Honor.
THE COURT: --it is narrowed down in my mind in any event to prospective loss under 5(d)(1) and a computer system used by a government agency in furtherance of the administration of justice and national defense under 5(b)(v). Is there any question that there is stated here a claim under the act?
MS. GRANICK: Yes, Your Honor.
THE COURT: Okay. Tell me about it.
MS. GRANICK: Okay. The 5, the plaintiff claimed they need to meet the elements under (a)(5)(A).
THE COURT: Right.
MS. GRANICK: (a)(5)(A)(i) says that they need to prove that the defendants have knowingly caused the transmission of a program, information, code or command and as a result intentionally caused damage without authorization for the computer. I have read the complaint and I don't know what the transmission they are alleging is.
THE COURT: It's the talk, right now it's the talk tomorrow.
MS. GRANICK: Okay.
THE COURT: It may also consist of chit chat in a class in which they disclose to others who might be interested in hacking, but the transmission of this information seems to me to be apparent. The question is whether or not it's going to be broader than it now is.
MS.
GRANICK: Your Honor, the term transmission under (5)(A)(i) is referring to transmission of a program, information, code or command to a computer. It is not a general speech regulation that prevents someone from talking about something--
THE COURT: So we turn to page 1 of the proposed slides which offer the opportunity to access their website and obtain code? So prospectively they're asking for people to use the web for purposes of obtaining and for them to transmit code?
MS. GRANICK: Your Honor, again, the transmission of code there would have to be the distribution or execution of the code on a computer, not the distribution of code to other people. There is another provision--
THE COURT: Wait a minute. Just a moment, it says programmer information, and code or commands. It covers all of those, program, information, code or command. You tell me that you have to execute the entire code? I don't know if that's true but certainly the language information is broad enough to cover this.
MS. GRANICK: Well, I think the transmission has to be, as a result of the transmission, it has to cause damage to a protected computer.
THE COURT: Well, let's start from there. Let me stop on that for a moment. I'm treating this as prospective damage, although there may be damage already in the discussions within the course work or however this was developed under the supervision of an MIT person.
MS. GRANICK: Let's look at the definition of damage under the statute, Your Honor.
THE COURT: Okay.
MS. GRANICK: It is subdivision (viii) of section (e), so (e)(viii) and the damage that they must prove is any impairment to the integrity or availability of data, of programs, a system or information.
THE COURT: You mean to tell me that if someone is able to compromise the ability to collect revenue that that is not an impairment?
MS. GRANICK: That is correct, Your Honor. That is not an impairment to the integrity or availability of data, a program, a system or information.
THE COURT: Okay. I reject that. Now, do you have another argument?
MS. GRANICK: Well, Your Honor, if I could just refer you to a previous case that discusses this very issue. This is a case of a federal criminal prosecution brought by the Department of Justice, the U.S. Attorney's Office out of the Central District of California, and that was, in that case, United States v. McDaniel, I was the defense attorney on that case, the government claimed that transmission of information to customers of a messaging system informing them about an insecurity in the messaging system was an impairment to the integrity of that system. On appeal to the Ninth Circuit, the government was forced to admit that that was erroneous, that you can not impair the integrity of a system merely by communicating truthful information about the security status of that system, and the government had to move the Ninth Circuit to dismiss the criminal conviction of the defendant in that case.
THE COURT: Now, that's not quite this case. So if someone says we have not provided you with free subway rides for life, that that doesn't constitute an impairment to the system?
MS. GRANICK: If someone provided software for example with the intent to defraud the system, software that was intended to defraud the system, that could be punished under a different provision.
If someone provided the means by which you could get free subway tickets, that could be a school that defrauds the system, but the mere transmission of information telling people that it is possible to circumvent the security of the system--
THE COURT: That's not what we're talking--
MS. GRANICK: --in showing how one would do it--
THE COURT: --we're not talking about that. We're talking about someone who holds themselves out and logs their presentation by saying we're going to show you how to have a free subway card for life. That's what their undertakings do, that your view is that that is not covered by (5)(A)(i).
MS. GRANICK: No, Your Honor, it is not.
THE COURT: Okay. I understand the argument. As I say, I reject it. What else?
MS. GRANICK: Once, if they establish damage to the system, program, information or data, then they have to show that that damage has caused loss and the loss element is a separate question from damage--
THE COURT: What do you do in the context of a preliminary injunction? Are you saying that there has to be loss already experienced or is injunctive relief available to protect against the likelihood of loss?
MS. GRANICK: There must already be loss.
THE COURT: And is there a case that says that?
MS. GRANICK: Because the preliminary injunction or TRO standard requires proof that the plaintiff is likely to prevail on the merits, they have to show the likelihood of every element of the tort or crime charged, and one of the elements of a violation of the CFAA is that there is loss. In the absence of loss as defined under the statute the plaintiff cannot prevail.
THE COURT: Okay. Is there a case that says that because it stands on its head, the idea of the availability of injunctive relief?
The purpose of injunctive relief is to prevent loss and so what we're addressing here is whether or not there is a meaningful likelihood of loss in the future if this activity is not restrained. Now, you say there has to be loss, that is to say the horse has to be outside of the barn before the courts can act under the statute. Is that your view?
MS. GRANICK: Yes, Your Honor. They have to--
THE COURT: Okay. Is there a case that says that?
MS. GRANICK: There are cases on defining loss. I would need to take--
THE COURT: No, I'm talking about cases that deal with the question of injunctive relief?
MS. GRANICK: No, Your Honor, not to my knowledge.
THE COURT: Okay.
MS. GRANICK: But the statute does say that for a violation involving the loss elements of (a)(5)(A), in other words if the claim is that there's damage to a computer which provides loss, section (g) of 1030 says that damages for a violation involving only conduct described in Section (a)(5)(D)(i), which is the loss provision, are limited to economic damages. So the statute--
THE COURT: That is money damages. We're not talking about money damages here. We're talking about equitable, exercise of equitable powers by the Court to prevent this if it is possible. So I just want to understand if there's anything else on the question of the equitable dimension of this. You've suggested that what the statute means is that the damages and the equitable relief are co-extensive, that you have to have had damages before you can have equitable relief. Why would you have equitable relief if we've already got damages?
MS. GRANICK: The equitable relief prevents further loss by the--
THE COURT: So we get one bite at the apple is that it?
MS. GRANICK: No, but there has to be a showing that these defendants have caused the damage or loss that the plaintiffs are complaining about and what the, the problem with the way that they've alleged the claim here is that there are no claims that these defendants are causing damage to the integrity or availability of the MBTA system. The claim is basically that by providing this information to the public, some member of the public might and a way to use this information, it would focus their attention in a way that they could use this information to help them get free subway rides.
THE COURT: And isn't that precisely what they've offered to do; that is, to aid and abet those who engage in that kind of activity, except we're going to, here's how you learn to get a subway pass for life.
MS. GRANICK: They have not--
THE COURT: Just a moment. They may just-- They may think that that was cute at the time that they drafted that up but that's what they undertook to do and they have to accept the consequences of that because as far as I'm concerned if someone does end up doing this, they are aiders and abettors, yet, they have undertaken to provide this information.
MS. GRANICK: I think that that's, you know, as you said earlier, this is a criminal statute and that is the question, I think, is it aiding and abetting to provide this information? Would it be aiding and abetting another party, because I think that the focus on aiding and abetting says that there is no claim against these defendants. These defendants have not compromised the MBTA system. These defendants are merely--
THE COURT: We don't know that at the time, at this time. What I see is documentation that shows that they could if they wanted to. The question of whether or not they have
improperly used the T by augmenting the sums is I suppose a matter for discovery, but I have to tell you that I'm not sure that they've had adequate adult supervision here. You've got lawyers who want to test the outer limits of the statute. We have an institution that has had some great difficulties just this year in what its students think of amusing stunts resulting in criminal prosecutions, and I just wonder if someone ought to be counseling them not to become a test case but rather to think more carefully about what their exposure is.
MS. GRANICK: Your Honor--
THE COURT: Just a moment, I think counsel for MIT has, the defendant I should say not MIT, has something to say.
MR. SWOPE: I'm going to object, Your Honor. Your Honor has heard no evidence whatsoever what MIT's supervision on this matter was. I'd ask you to just suspend judgment--
THE COURT: I haven't made any judgment about it. It's not before me except to say, render some anxious concerns about the idea that someone is drawing these kids close to a violation of federal law and for no particular outside purpose. There is at the end of the memorandum of the MBTA a reference to good practices with respect to the disclosure of vulnerabilities. Now, I suppose that everybody is entitled to their 10 or 15 minutes of fame, even in Las Vegas, but the short of it is that the way in which you address these kinds of things, if you're really interested in maintaining best practices, is to bring it to the attention directly of the vulnerable entity so that the vulnerable entity can deal with it.
MR. SWOPE: Your Honor, I'm not disagreeing with it. I'm saying we don't have any evidence that tells you that MIT is not always said--
THE COURT: Well, it may have said it. It may have said it. It also may have put in place a set of circumstances in which this kind of exploitation is encouraged--
MR.
SWOPE: Your Honor--
THE COURT: Just a moment, is encouraged by the way in which core structures are set up. The short of it is I don't know why the advisors to these students aren't bringing home not merely the potential but the actuality of one of these slides involving a student who was prosecuted in East Boston. I'm looking quickly for the slide, to show that they're aware of the potential illegality.
MR. MAHONY: Page 84, Your Honor.
THE COURT: And we'll look at page 84 and we recognize that they are aware that they're running up against the line. So--
MR. SWOPE: I don't mean to ask Your Honor to not make a judgment before you--
THE COURT: I haven't made judgment. It's not before me. I'm making a set of observations which inform my judgment about whether or not somebody else has to exercise some supervision over these kids.
MR. SWOPE: And if there's evidence that MIT has already done that, then Your Honor should, it should not be presented before our time.
THE COURT: Is there?
MR. SWOPE: Yes.
THE COURT: Sufficient to get them out of making these kinds of disclosures? Is it MIT's position that they are not potentially exposing themselves on this?
MR. SWOPE: We don't have a position about this particular case, Your Honor, but they, I mean, the purpose of an educational institution is to teach. It guarantee their students learn.
THE COURT: But it may not teach them in a fashion that it encourages a violation of criminal law.
MR. SWOPE: Absolutely, Your Honor.
THE COURT: And so if in the course of its course work it encourages people to develop mechanisms for hacking and then to disclose those mechanisms of hacking, it may have some exposure.
MR.
SWOPE: If Your Honor could hear the evidence, which is not before you today and not subject of this hearing, there would be a different set of facts that would resolve that in Your Honor's--
THE COURT: No. All I'm suggesting is that there is a need apparently to address injunctive relief because of a lack of restraint on the part of the defendants, the individual defendants, that has not been restrained by various, sufficiently adequately restrained by various of their advisors. So the short of it is I have some significant difficulty taking the view that I should not issue injunctive relief here. I've listened to the discussions which to some degree seem to me quite airy about the inapplicability of the statute, all of them suggesting that the defendants are prepared to go right up to the edge and perhaps beyond in furtherance of their desire to obtain some publicity for their student undertakings, but--
MS. GRANICK: Your Honor, may I address the issue of the statute and the publicity for a moment?
THE COURT: Yes.
MS. GRANICK: Your Honor, I do not think that the statute - well, let me put it this way. This is not something that is testing the outer limits of the statute or seeking to be a test case. The students did not try to create this litigation or do something that in anyway is considered to be risky or edge behavior the scientific discipline in which they are studying or--
THE COURT: Just a moment, address that issue. Why is it that they're not making available with a reasonable amount of time to the MBTA the products of their research for purposes of permitting the MBTA to take what steps are necessary to protect itself? Why is it that they want to make disclosure first before a hacker's convention?
MS.
GRANICK: Well, what happened here was that they did contact the MBTA and try to give them information about their presentation in advance of the presentation. So on July 25th before this conference, Mr. Ryan emailed his professor to ask him to help set up a meeting with the MBTA to discuss the research that they did before the DEFCON presentation, and what the complaint alleges is that, and then contacted the professor again, Mr. Ryan contacted the professor again on July 20th, again asked for help in setting up that meeting with the MBTA people, and in those emails the professor said that it was not a good idea to write it, that they needed to contact the people directly so that the letter didn't get, you know, lost in the mail if they sent it to the address that was put on the MBTA website. Now, according to the complaint, the vendor contacted the MBTA also on July 30th saying that they had noticed that the DEFCON presentation and that they had some concern. So what ended up happening was that Professor Rivest and the students were contacted by Richard Sullivan, the sergeant detective with the MBTA who said he wanted to meet with the students to discuss the presentation. They set up that meeting and had it on Monday, August 4th. So Monday of this past week, and then at meeting Agent Sullivan brought an FBI agent with him, Agent Schafer, and the students did not know and Professor Rivest did not know that an FBI agent was going to be brought along. They did not have counsel present at the meeting, but they continued with the meeting in any case to provide both Mr. Sullivan and Agent Schafer with information about their presentation. At the end of that meeting on Monday
