Earlier this year, the Massachusetts Bay Transit Authority (MBTA) sued a group of MIT students to prevent them from presenting a paper highlighting security flaws within the MBTA's transit fare system. Now, six months later, the transit system authority and the students in question have announced they will collaborate to improve Automated Fare Collection System (also known as CharlieCard) security.

This joint agreement, as described by the EFF, sounds far friendlier than the pre-lawsuit dialog between the two groups. The MBTA did not initially take kindly to being told its much-hyped CharlieCard system had all the security of Swiss cheese, and it expressed a number of concerns over the students' presentation as it existed at that point in time. The MIT group revised their work in an attempt to mollify the MBTA but were unable to do so.

The lawsuit ignited a significant debate online over whether or not the students' original presentation qualified as free speech, the validity of the MBTA's complaint (the MIT team had promised to withhold information that would have allowed attacks to actually occur), and whether or not the group had committed a crime by (allegedly) taking free trips on the subway while researching the flaw in question.

Judge George O'Toole initially imposed a gag order on the MIT students (later rescinded), but ultimately chose to avoid ruling on whether or not MBTA's lawsuit and the following gag order had violated the researchers' First Amendment rights. Today's announcement is an ironic ending to one of the more interesting security stories of 2008, and it introduces one final plot twist of its own—how do you secure an unsecurable system?

CharlieCard's RFID implementation isn't just flawed; it's based on an obsolete, deprecated, and proprietary cipher known as CRYPTO-1. CRYPTO-1 is deployed across all MIFARE Classic cards which, in turn, account for the overwhelming majority of RFID-based payment cards used in mass transit systems. Put simply, the RFID transmitter and cryptography standard that power many of the world's contactless payment transactions aren't even remotely secure.

NXP Semiconductor has developed a secure, backwards-compatible version of MIFARE Classic it has dubbed MIFARE Plus, but these systems won't begin to hit the market until the third quarter of 2009 at the earliest. Backwards compatibility, meanwhile, is maintained by allowing older MIFARE cards to authenticate properly, which provides one heck of a potential back door.

RFID security itself is rather problematic, as we discussed back in October. Based on tests of the RFID solutions employed on both the United States' electronic Passport Card and Washington State's Enhanced Driver's License, researchers have concluded that only users who strictly (and unrealistically) adhere to RFID security best practices can actually keep their cards from being read at a variety of distances.

Kudos to the MBTA for both recognizing its mistake and partnering with the students it first attempted to demonize. The only way to actually address such security flaws is to focus on discovering and repairing them instead of shooting the hapless messengers; such talent does society little good rotting in a jail cell or silenced by a federal gag order.