Transit companies are already forced to raise prices because oil prices have gone up. If they also have to increase spending on IT security and on lawsuits then fares will go up even more. This hurts poorer people who can't afford cars, and benefits only lawyers.
I think those students should try to find other targets to hack.
Though I do agree that they should target something else.
It is their right to publish any information. If the Anarchist Cookbook is legal and protected then explaining a hack should be as well. There is a distinct difference between publishing knowledge and performing an illegal activity.
Absolutely. If they can hack the system, kudos to them. They have every right to publish, and if that helps them get good paying jobs in IT somewhere that's great too.
But, once they find a vulnerability, the responsible approach is to tell the company what they've found, give it a month or so to patch it, and only then go public. That way everybody wins. I really hate it when some people find vulnerabilities (especially in browsers or in Windows) and then just make them public right away, with all the details. That enables even brain-challenged script kiddies to cause damage to lots of innocent people before a patch can be produced.
"What you don't know won't hurt you" doesn't work. Even if this hole is used nefariously they might not get sued, but that isn't a good reason to ignore a security hole. It would be like Microsoft suing anyone who finds a security hole, just to say Windows has no holes. Instead they work out an update and ask that the finder of the hole wait till the patch is out in the wild before publishing anything.
And set a deadline, afterwards publish. Since users may be losing info/getting compromised in the wild and nobody knows about it. (Since it's not published!) The vendor just denies it and therefore can't be held liable.
This actually happened a few years ago at Defcon or Blackhat. Can't remember which. Instead of an attack on Transit it was on the UPS store copy cards. Pretty much exactly the same hack, one major difference was you could cash the card out!! The author of the hack ethically disclosed it and was told by UPS that no such vulnerability existed. Fact is sometimes the company just won't admit to their shortsightedness.