I've mentioned that I didn't think that legal action against researchers who discover flaws in 'security' products is generally very productive. In this case it was downright unproductive.
Zack Anderson, RJ Ryan, and Alessandro Chiesa, undergraduates at the Massachusetts Institute of Technology, were the target of restraining orders by the MBTA (Massachusetts Bay Transportation Authority) to prevent them publishing flaws in the transit ticketing system, or Charlie Card, which uses the Mifare Classic not-so-smart card.
The MBTA has attempted to suppress the findings of undergraduate researchers and prevent them presenting the flaws at the Defcon conference. Unfortunately the legal filings actually publicised the full details of the attack method, in even greater detail than the researchers had proposed to reveal at the conference.
The result is that the flaw is revealed in more detail and to a wider audience than anyone planned. Perhaps this may have been the wrong type of approach. There were meetings, but due to recent legal actions by other 'security' under-providers, the legal team advised them to stick to their guns. A Dutch university recently received similar service and defended their right to publish flaws in the system proposed by their government, which led to the suspension of a large deployment. It may have saved them a fortune.
It is one thing for MBTA to want the flaw suppressed but do they really have the right to force the students to reveal their intellectual property with no compensation?
There is a monetary value in these discoveries, and not in relation to performing the hacks for profit, but by building a reputation, a reputation which can earn big dollars. Does the under-performer have a right to steal the performer's thunder - without paying for it?
Do we just expect them to do it for nothing, or would we prefer to perhaps dwell in the dark?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.