The students, Zack Anderson, RJ Ryan and Alessandro Chiesa, were scheduled to present at DEFCON their discovery of vulnerabilities in Boston's transit fare payment system. They previously met with the Massachusetts Bay Transit Authority and voluntarily provided a 30-page confidential vulnerability report to the transit agency.
However, the MBTA later sued the students and MIT in U.S. District Court in Massachusetts, claiming that the students violated the Computer Fraud and Abuse Act (CFAA) by delivering information to conference attendees that could be used to defraud the MBTA of transit fares. A different federal judge, meeting in a special Saturday session, ordered the students not to disclose any information for 10 days.
In Tuesday's ruling, the court found that the Massachusetts Bay Transportation Agency (MBTA) had "no likelihood of success on the merits of its claim under the federal computer intrusion law and denied the transit agency's request for a five-month injunction," according to the Electronic Frontier Foundation, which represents the students and which said that their First Amendment rights had been violated.
"The judge today correctly found that it was unlikely that the CFAA would apply to security researchers giving an academic talk," said EFF Staff Attorney Marcia Hofmann in a statement. "A presentation at a security conference is not some sort of computer intrusion. It's protected speech and vital to the free flow of information about computer security vulnerabilities. Silencing researchers does not improve security--the vulnerability was there before the students discovered it and would remain in place regardless of whether the students publicly discussed it or not."
According to the EFF, in papers filed Monday, the MBTA acknowledged for the first time that its Charlie Ticket system had vulnerabilities and estimated that it would take five months to fix.
While the gag order has been lifted, the MBTA's litigation against the students continues, the EFF said, even though the students have offered to meet with the MBTA to discuss the security gaffes and offer suggestions for improvement.
"The only thing keeping the students and the MBTA from working together cooperatively to resolve the fare payment card security issues is the lawsuit itself," said EFF senior staff attorney Kurt Opsahl in a statement. "The MBTA would be far better off focusing on improving the MBTA's fare payment security instead of pursuing needless litigation."