Although the students had to cancel their talk, the slides that they put together for the presentation were included on a CD given to Defcon attendees and thus have become publicly available.
The EFF has called the restraining order a violation of the students' First Amendment rights as well as a prior restraint on free speech. Along with the filing that requested the lifting of the order, the EFF submitted a letter in support of the students signed by 11 computer science professors and security researchers.
David Farber, a professor of computer science and public policy at Carnegie Mellon University's School of Computer Science, was one of the people who signed the letter. He said today that the decision to issue the restraining order was a "bad, bad idea."
Based on the available information, the students appear to have notified MBTA officials about their research and even provided them with confidential information relating to the vulnerabilities, Farber said. The students also appear to have assured the MBTA in advance that their presentation wouldn't provide the level of detail needed for someone to actually exploit the vulnerabilities, he said. For the MBTA to then ask a court to gag the students was totally out of line, according to Farber.
What makes its actions even more egregious, he claimed, is the fact that the paper the students were scheduled to present had been vetted by MIT Professor Ron Rivest, whom Farber described as one of the more respected figures in the security community.
It could be argued that the students could have worked with the MBTA to fix the issues before publicly disclosing them, Farber acknowledged. But it is unconstitutional to prevent them from speaking about their discoveries just because the MBTA felt that it wasn't given adequate notice, he contended. "In practice," Farber said, "a good middle ground is to keep the courts out of it."
But Gartner analyst John Pescatore said the MBTA wasn't given a reasonable amount of time to fix the problems or develop work-arounds for them.
The intent of disclosing flaws should be to make software and systems more secure, "not to make headlines or sell tickets to security conferences," Pescatore said. In this case, he added, "the students went for publicity."