Blackboard Campus IDs: Security Thru Cease & Desist
Virgil was there two years ago when Dmitri Sklyarov was arrested and led away in handcuffs at Def Con 9. He's not in handcuffs now, but in speaking to me, he had to stop and think about everything he said, and every third answer was "I really shouldn't talk about that."
The DMCA is largely to thank for that. Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work," and that no one "shall... offer to the public... any technology" to do so. Blackboard Inc., whose card system is called the Blackboard Transaction System and known to end users under various names, uses a network of card readers and a central server, and they communicate over RS-485 and Internet Protocol -- using, or so they apparently claim, measures that effectively control access.
For the record, none of what I learned about the Blackboard technology was from him or Acidus after the restraining order was sent. I spoke to other people, who have not been served with a restraining order. Google has a less enlightening mirror of the slide titles from this weekend's PowerPoint presentation and a more enlightening mirror of Acidus's "CampusWide FAQ" from last July. And, most enlightening of all, this mirror has an updated version with details on what they figured out how to do and what their talk was going to be about (click "CampusWide" for the text description, the PowerPoint slides, and Acidus's timeline of the last year).
At many schools, Blackboard's system is the ID: you swipe your card for your meal plan at the cafeteria, to get into your dorm, maybe even to get your final exam.
A swipe at a vending machine will get you a soda -- a money transaction from your campus debit account. When you use a swipe to do laundry and make copies, money has to be involved. Blackboard even notes that they can set up a merchant network on- and off-campus: "a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network." (Emphasis added. Maybe readers who go to schools that use such a system can expand on how that system is used.)
The kicker, of course, is that this network is not very secure, or at least Blackboard doesn't think it's as secure as... well, as lawyers. One anonymous Slashdot submitter wrote that: "The authentication system is so weak that [Virgil and Acidus] have been able to create a drop in replacement for the CampusWide network debit card readers used on coke machines on campus."
Virgil couldn't provide me any details about what he had learned about the system. Based on the mirrors, it looks like a man-in-the-middle replay attack -- which is a pretty simple attack, repeating messages sniffed over the RS-485 protocol, or even over IP -- can have effects like convincing a Coke machine to dispense free product. Or, it's claimed, the attacker can create a temporary card, with no name attached, and free money in its account. Hmmmmm.
Or, more ominously, someone else's identification might be sniffed, and then replayed from a security terminal. If a thief gained entrance to a building by sending the message "open the door, my name is John Doe," the real John Doe might be sorely inconvenienced the next morning.
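The replay problem described above, as an added example that is not code from this article, from the FAQ or from Blackboard. It does not model the real CampusWide message format: the `card|cents` message, the card and reader names and the shared per-reader key are constructed assumptions, used only to show why a message with no freshness can be repeated and how a one-time nonce plus a MAC on both request and response stops that.

```python
import hashlib
import hmac
import secrets


def tag(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        mac.update(len(field).to_bytes(2, "big") + field)
    return mac.digest()


class NaiveServer:
    """No freshness and no authentication: a request is valid whenever it arrives."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def handle(self, request: bytes) -> bool:
        card, cents = request.split(b"|")
        if self.balances.get(card, 0) < int(cents):
            return False
        self.balances[card] -= int(cents)
        return True


class HardenedServer:
    """Every request must carry a MAC over a one-time nonce issued by the server."""

    def __init__(self, balances, reader_keys):
        self.balances = dict(balances)
        self.reader_keys = reader_keys      # reader id -> shared secret (assumed provisioned)
        self.outstanding = {}               # reader id -> nonce awaiting use

    def challenge(self, reader_id: bytes) -> bytes:
        self.outstanding[reader_id] = secrets.token_bytes(16)
        return self.outstanding[reader_id]

    def handle(self, reader_id, card, cents, mac):
        """Return (verdict, response_mac); the nonce is consumed on every attempt."""
        nonce = self.outstanding.pop(reader_id, None)
        key = self.reader_keys.get(reader_id)
        if nonce is None or key is None:
            return b"DENY", b""
        verdict = b"DENY"
        if hmac.compare_digest(tag(key, b"req", nonce, reader_id, card, cents), mac):
            if self.balances.get(card, 0) >= int(cents):
                self.balances[card] -= int(cents)
                verdict = b"APPROVE"
        return verdict, tag(key, b"resp", nonce, verdict)


class Reader:
    """Card reader that authenticates its requests and checks the server's answer."""

    def __init__(self, reader_id, key):
        self.reader_id, self.key = reader_id, key

    def request(self, nonce, card, cents):
        mac = tag(self.key, b"req", nonce, self.reader_id, card, cents)
        return self.reader_id, card, cents, mac

    def dispense(self, nonce, verdict, response_mac) -> bool:
        """Act only on an APPROVE that is bound to the nonce of this transaction."""
        expected = tag(self.key, b"resp", nonce, verdict)
        return verdict == b"APPROVE" and hmac.compare_digest(expected, response_mac)


def demo():
    # Constructed sample data: one card holding 500 cents, one reader.
    captured = b"CARD-0001|125"             # a request observed once on the wire
    naive = NaiveServer({b"CARD-0001": 500})
    naive_results = [naive.handle(captured) for _ in range(3)]

    key = secrets.token_bytes(32)
    server = HardenedServer({b"CARD-0001": 500}, {b"READER-07": key})
    reader = Reader(b"READER-07", key)

    nonce1 = server.challenge(b"READER-07")
    req1 = reader.request(nonce1, b"CARD-0001", b"125")
    resp1 = server.handle(*req1)
    return {
        "naive_results": naive_results,
        "naive_balance": naive.balances[b"CARD-0001"],
        "first_sale": reader.dispense(nonce1, *resp1),
        # Same request sent again: its nonce was consumed, so the server denies it.
        "request_replayed": server.handle(*req1)[0],
        # Old APPROVE presented for a new transaction: the MAC covers the old nonce.
        "old_approve_replayed": reader.dispense(server.challenge(b"READER-07"), *resp1),
        "hardened_balance": server.balances[b"CARD-0001"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Freshness on the wire does nothing about a copied magnetic stripe; it only ensures that a message recorded from the line cannot be accepted a second time.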
So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?
If you're a parent putting money into a Blackboard-based debit account, do you feel more confident of its safety now that this information is ostensibly hidden?
This card system has been installed on many campuses and its roots go back almost twenty years. My guess is that replacing the card-reading hardware would be necessary to improve the security of these devices. Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").
So, assuming that's not possible -- is the DMCA a viable tool to ensure security?
P.S. Virgil tells me that he has a good lawyer. They are scheduled to argue on Thursday that the restraining order not be made permanent. Slashdot will keep you apprised of what happens in our Slashback stories... stay tuned.
P.P.S. Update: 04/15 02:30 GMT by J : Now online are the restraining order, which just lists the six things that Acidus and Virgil are not to do, and the more detailed Complaint. Now that these are available, as Declan McCullagh points out, it turns out the DMCA was only in the lawyers' threatening letter and not considered as part of the Complaint itself. I'm not sure why it would be included in the letter -- some of the language of the Georgia Computer Systems Protection Act is similar, and who knows, Section 1201 might be mentioned later on, as this case progresses. Maybe the lawyers are just keeping their options open. Meanwhile, I love this part of the Complaint:
"Mr. Hoffman openly acknowledges on his website that 'I am a hacker.' His website then defends the process of hacking. See Exhibit B."
This in NO WAY implies we live in a police state.
I wish there were a way to accidentally leak the exact details overseas. There, it would be very difficult to get shut down, and every college using this system would have to deal with it.
While this may be an inconvenience to students, they can get by without buying coke with a swipe of a card for a while.
Moderation: Put your hand inside the puppet head!
How many more times are we going to hear about the DMCA and the extreme measures some companies and people will go to use it? When will the DMCA start getting some media attention outside of /.? The DMCA strikes down a lot of rights that many people hold near and dear. I don't know about the rest of /. readers but I am disgusted by the DMCA.
Well, if you aren't even able to TALK about security flaws *Cough*First Amendment*Cough* they'll never get fixed. The DMCA again makes the net less secure instead of more.
Since when has this country used intellectual elite as a pejorative term?
A corporation is preventing you from doing something, which is their right according to law.
If we lived in a police state, armed thugs would not tell you, "You can't detail the flaws of our product." They'd just beat the living crap out of you and then go home, kick back, and drink a cold Coors 20 ouncer.
The First Amendment most certainly does not grant you the right to say what you want, when you want, and damned be the consequences.
Our school uses blackboard, and last year the machines were shut down for a long time because students used methods to get free stuff out of the snack machines. And I'm not talking cracking a case or making a fake card either. It was really simple too, like swiping really fast after the transaction, if I remember right, and you could get a second item for free. Kinda scary.
It's lame ass people like you that ruin the world.
To answer the question "is the DMCA a viable tool to ensure security?"
Here's an article from the BBC.
and here's a good presentation from toorcon.
and lastly, this is a good article from ITWorld.
Why do I h8 apple?
That freedom has taken a back seat to congress' lust for power and money.
We should look for other ways to take on the DMCA. IANAL, but the following link is to an interesting case, about federal powers. I have some doubt, but maybe this is a method to bypass the DMCA.
http://supct.law.cornell.edu/supct/html/93-1260
I am very interested in what people think. Any ideas?
Ps: Why aren't techies lawyers? Oh, and why look at http://www.lp.org They hate the DMCA also.
-- Prepared at the direction of, or to be sent to Legal Counsel, in anticipation of litigation. Attorney Client Pri
Cease and desist letters get written when someone threatens another's money making schemes. To fix the problem costs money, to scare individual X into keeping their info to themselves is much cheaper.
It was originally funded and built by the Sloan School of Business at MIT and has recently been adopted by the University of Heidelberg in Germany, the University of Bergen in Norway and parts of Cambridge University in England.
This past weekend I attended the dotLRN Seminar in Copenhagen and over 70 people from over 20 institutions worldwide were present. dotLRN's future is very bright!
Also, you can rest assured that no learning institution will ever face silliness such as this.
talli
Say that a random person on the street finds a crack in a bank's wall that allows intruders to get in, take the cash, and run away. Should the person start holding seminars about how there's such a vulnerability, or should the person go tell the bank so it can fix it?
Initially, the latter case seems like the thing to do. But what if the bank ignores you? Should someone be allowed to convey information about a problem with a system if the system controllers refuse to fix it? I'd still think not - it'd be one thing to state that there is a vulnerability, and that in good conscience could not state what the vulnerability is, and quite another thing to go explaining the vulnerability to everyone else.
Just my 2 cents, and as always, there's probably more to the story.
F-bacher
... Or does the "land of the free" not have some rather Draconian laws? (Surely, when copyright laws impose this kind of censorship, things *have* to be wrong.)
Sigh. Thankfully, I live in Canada.
Where I went to undergrad there was a debit card system that was also unsecured (unknown company). This was actually a nice thing, as it effectively meant everything was free for engineering students (vending, meals, ...), with the rest of the student body picking up the tab. I was all for the poor protocols at the time. It's the administration, not the students or parents that should worry...
And yes I realize this is immoral and wrong, it was more a thrill thing at the time.
Considering the nature of the security flaws and that they are now exposed, can this legal action against Virgil be challenged under SLAPP clauses?
This sig no verb.
Maybe these guys should have called Blackboard and informed them of the vulnerabilities, and worked with them to fix it, instead of taking the exploits into a public forum? If I am Blackboard, and there is a fatal flaw in my product, why wouldn't I want to fix it?
I don't mean to present an opposing viewpoint or anything. Wait... MICROSOFT SUCKS! That better?
If this article confuses you, don't worry. It was posted yesterday in a much clearer fashion.
You know a C&D letter may stop people from disclosing exploits, but will not stop people from disclosing that there are exploits. That's enough for lots of poor, enterprising college students.
A much better plan would have been to let these guys give their talk, to hire them, fix the problems, and then make a bundle in upgrades to existing customers. Come on, if some of these installations are 20 years old we're not talking much more than maintenance revenue. On the other hand system upgrades, especially when demanded by parents, can net a pretty penny. The colleges could have fund drives, hit up alumni societies, all the normal ways to get money when something unexpected walks through the door.
Instead the company gets to look like a fool that knows there are security flaws, isn't fixing them and instead is wasting money on lawyers, getting bad press.
Oh well, I guess there is no such thing as bad press. And that companies would rather think about prestige short term than a better product long term, even if the better product will get them more money.
=Blue(23)
LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
"remove all references to Blackboard and its Transaction System from any website, power point presentation, seminar handouts, or any other promotional materials"
Why so Microsoft centric? Does that mean they can use OpenOffice.org "Impress" presentation slides instead? Does that also mean Microsoft can sue the lawyers for use of their trademark in their document?
This comment does not represent the views or opinions of the user.
Time to stop being a geek. I'm getting my pencils and paper back out, doing RPGs that way, and selling off my 7 or 8 computers.
I can see the writing on the wall just as easily as anyone else. The joy that I got out of these marvelous toys just isn't worth it anymore. It used to be liberating, now it's just torturous. I can think of dozens of ways to get thrown in prison just by playing around with my system at night after work. Tinkering and exploring are forbidden. I'd rather be an insurance guy or something similarly boring than spending part of my life in a 4x6 cell, or even living in fear of same.
Just proof once again that anytime government gets involved with anything, it sucks all the fun out of it. All in the name of equity and greater corporate profits.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Surely Acidus and his colleagues informed the Universities about this before they went public with this information. That is of course the most effective way to get the system to change. . . Imagine inviting the Dean of Purchasing and Procurement to a Coke and an apple pie on campus and using a facsimile of his id and account to pay for it. Or even more fun - - getting a sweet new laptop at the bookstore with a hyper-inflated account balance. Most certainly then Blackboard would think about upgrading their machines. Announcing that you are going to circumvent their digitally encrypted system in public, no less, simply gave Blackboard a way to facilitate their illegitimate hardware and policies and making it legitimate under the cover of an unjust law.
As my good old Uncle Scrooge always said: Work Smarrrrrterrrr not harrrrrderrrrr
http://cincyboys.blogspot.com/ Everything Cincinnati. Including the word 'Finnih'
So the legislation in the US no longer supports freedom of speech? God bless America, again.
You should really consider switching to using GNUnet/Freenet solutions for distributing such information there since it seems the Government there is just too restrictive.
I bet the NSA & Co. are after me now for whatever reason they can come up with... truth hurts yea I know...
- Voice of Ambience -
If guns are outlawed, only outlaws will have guns.
If hacking is outlawed (and talking about it), only outlaws will know how to hack.
So who do you get to sue if someone makes a dupe of your ID card and raids your campus debit account, or breaks into your dorm room? The school? The hacker? The company that sold the school the lame ID system they claim is secure but is not?
I would think the schools would like to know why sodas, meals, etc. are disappearing from their supplies. Hmmm.... This Coke machine is empty, but only 5 Cokes were recorded to be bought from it. Hmmm...
This is the worst kind of security through obscurity.
- Jasen.
1.3- About this FAQ
This FAQ was originally written as a supplement to my 2600 article "CampusWide Wide
Open." This Article was published in the Spring 2002 issue. Back issues are
available from www.2600.com, or download the article from:
www.yak.net/acidus
The Article caused a lot of stir, which I'll discuss later. This stir allowed me
to talk with some of the CampusWide admins at my school and they told me of
some things that were either incorrect in my article. In addition, there were
several things left out of my article, little bits of tech info. Some theories I
have, new info, etc. Hence the need for the FAQ to make sure this stuff stays
updated. But instead of merely having it as a supplement, I figured having all
the information in 1 place would be much more helpful.
1.4- What will I get from this FAQ?
Updated info. I researched the article in the summer of 2001, and finally wrote
it in the spring of 2002. It was as accurate as I could make it. However even
then there was info I had to leave out for length reasons, and others mentioned
in the last section. This FAQ will make sure the info about the system stays
current. You will not find in the article or this FAQ how to cheat/steal. I will
not tell you any info that could be directly applied to steal from the
system.
2.0 ABOUT THE SYSTEM
2.1- So what is CampusWide?
CampusWide is the most widely used card access system in America today. It
sadly is the least secure. CampusWide is an ID card solution originally created by
AT&T, and now owned by Blackboard. It is an ID card that can be used to purchase
things from vending
debt card. It's used to check out books from libraries, open computer labs and
buildings at night, gain access to parking decks, and even get you into sporting
events. The CampusWide system gives everyone a card that lets them access both
unattended and attended card readers and Points of Sale. All these actions and
transactions are sent to a central server which stores all the information in a
database. A confirm or deny signal is sent back to the card reader, and the
transaction goes through or is denied. It is fast becoming the way of life on
college campuses around the world. You need it to eat, to get into your dorm, to
get into college events, everything.
2.2- CampusWide? I thought it was called X
The CampusWide system has been called lots and lots of names. AT&T first
developed it and called it the AT&T CampusWide Optim9000 System. It was
generally called CampusWide. When Blackboard bought AT&T's system, in 2000, they
also bought another system called Envision from a company named Icollege.
Blackboard then had 2 products, the Blackboard Optim9000 system, and The
Blackboard Envision System. Blackboard is only selling one system, called
Blackboard: Transaction System. However this new system comes in 2 versions, the
Windows Version and the Unix Version. Since AT&T marketed this thing as
CampusWide for short, and did it for a number of years, and since Blackboard has
been doing it for so few, I call the collective whole system CampusWide. When I
refer specifically to the Unix version, I will say Optim9000, and when I refer to
the windows version, I will say Envision.
2.3- Wait. there are 2 systems?
You need to understand that the front end of CampusWide, the card readers and
data lines for both Envision and Optim9000 are the exact same. The difference
between Envision and Optim9000 are their operating systems and their databases.
The card readers can't tell the difference. The faults in my article apply to
both systems (though the technical data is for the Optim9000 system). These
faults are for both systems since they both use RS-485 lines.
2.4- What does it look like?
2.4.1- Readers
The CampusWide system is easy to spot. The readers are black metal or plas
If we don't fight for ourselves no one will.
How many more times are we going to hear about the DMCA and the extreme measures some companies and people will go to use it?
Probably a couple per week until the damned thing is repealed or struck down.
When will the DMCA start getting some media attention outside of /.?
When there are media outside of /. that aren't part of entertainment conglomerates that are pushing the use of the DMCA to "protect" their "content", or by conglomerates that also own proprietary software vendors who are using it to "protect" their software products from reverse engineering, exposure of security flaws, and/or competition.
The DMCA strikes down a lot of rights that many people hold near and dear. I don't know about the rest of /. readers but I [am] disgusted by the DMCA.
Your opinion is widely shared.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
All these cats gotta do is leave their findings in a position where they can be easily "stolen". Some 1337 haxx0r with that information in his hands can do whatever the hell he wants with it, especially if he's outside the US- HE wasn't smacked with a cease and desist, after all...
The worst thing about this situation is that it's now an effective known that the system can be compromised. That fact alone is sufficient motivation for many who would have something to gain from an effective hack- especially since the company is so hellbent on keeping it quiet!
Facts like this should be released on foreign servers outside of US controlled DNS, made publicly available and actively linked to. Why in the flaming hell would I ever want to be in a position to have to use this system when it's been proven insecure and the manufacturer refuses to fix the problems? I'd feel safer running IIS without a firewall- at least the fucking bug fixes are actually released to the public periodically.
Go DMCA.
Seriously. Drop a big flaw like this anonymously on usenet- thoroughly documented and reproducible- and it'll get fixed by the end of semester.
How come we can post Win2k3 serial keys in the slashdot forums, but no one posts how to get phr33 as in c0ke c0kes? Sheesh. What bullshit.
Come *on*, someone toss a practical exploit in here!
--grendel drago
Laws do not persuade just because they threaten. --Seneca
This is really disgusting.
It's amazing people can sleep at night when they pull off shit like this - to endanger the financial status of students for the sake of saving public face.
I hope this business goes as stone cold as the money that runs through its veins.
Someone whom this directly affects needs to stand up and fight these things rather than back out and whine about it! We need a court case to make it to the Supreme court to overturn this idiotic law. It's in clear violation of the First Amendment and even the current Conservative Court can't ignore that. I'm sure whoever takes it that far will be backed by EFF and or ACLU. Someone please take a stand. If this affected me directly I'll be right there.
There are some out there. As a non-technical (no programming) elective for my CS degree, I decided to take a "special topics" class called information law. We covered DMCA, Elrod v Reno, Franklin v Apple, all that fun stuff. The professor was a computer scientist who also is a patent attorney. Although the prof himself was a little loopy (saw him in a bar and didn't even recognize me although I sat in the front row every day), the class was very interesting. I think it'd be great if more colleges would cover this as a non-tech cs elective.
-- (Score:i, Imaginary)
Where does it guarantee no consequences? You mean I can piss on a flag in front of the VA and not get my ass kicked? That I can burn a cross on my lawn in a black community and not be set on fire myself? That I can wear a Nazi uniform in downtown Skokie and walk out of there alive?
No legal consequences, maybe.
--grendel drago
Laws do not persuade just because they threaten. --Seneca
Yes, I'm sure some open source courseware project will kick the pants off of Blackboard, which is a closed-source electronic commerce system for vending machines and POS. Way to go, Einstein.
All the objections to the DMCA are just the same objections to hacking that were used as excuses for breaking in to other people's systems. There is no right to other people's property, and no right to duplicate a key or otherwise bypass a security system to gain access to someone's house or premises. Academic work to prove a method or algorithm is flawed or insecure should certainly not be outlawed, but attempts to crack a specific product or protection scheme are valid actions that can be legislated against.
about 2 years ago, at that.
why don't they fix it? because that requires time and money...
alternative views are wonderful. just don't assume that because you have a different view that you have stumbled upon an insight that everyone else has missed.
My university, BGSU, uses Blackboard for its student web portal. We have ID cards that can be used to buy food, books, etc., but I don't know if that is a Blackboard system. The description on their website sounds like what we have. If this is, in fact, what we're using, this news definitely concerns me. I'd try to find out more about this from IT Services, but they are always reluctant to talk about security, at least with students. Maybe if enough students bugged them, we could find out if they know anything about security flaws, and if they are doing anything about them. I figure we have a right to know; after all, our fees are paying for this. And yes, I'm posting as AC on purpose. I know you guys over in Hayes Hall are reading this.
Is there any public database or way for me to check and see what type of system my University is using? My card doesn't say anything but university specific information on it.
After I left the Ohio State dorms in 1998 (I'm still a student) the university started to put card readers on the dorm entrances (up to that time either you had a key that opened both your dorm room and the main entrance, or you had two separate keys if you lived in a really big dorm.)
:-)
:-)
It does offer some advantages, for instance, all people could be allowed into the dorms at some parts of the day, but other times of the day only people who live in that dorm could gain entry.
Though there are some interesting caveats
*the first one, which I didn't really know well at the time, is the fact that making a copy of the card is far easier than making a copy of the key. Remagnetizing magnetic stripes is not the hardest thing in the world.
*the campuswide system runs off of ethernet to the AT&T9000 computer which administers everything. If a particular door gets disconnected with the central computer, its default setting is to pretend like everything is normal, and let everyone in, and it has a cache of swipes which it would then transmit back to the central computer when the connection was restored. That seems like a sensible kludge given the circumstances, given a network failure it would be more sensible to allow all in as opposed to all out, especially at a dorm. (Higher security places would have their door failure mode set to allow no one.) On the other hand, as a security concept, it just bugged me. (this is explained in the powerpoint presentations.)
*my big concern at the time was the tracking and auditing abilities, and it still is. the key system had no tracking and auditing. The swipe system allowed the university to keep a record of when students come into the building (and implicitly, when they go.) I pointed out that Ohio law prohibited a government institution from collecting information which was not authorized by law, nor required to achieve a particular purpose...and that the system need not perform the tracking, it only needed to perform the authorization.
The response I got was that the system was not designed with a zero tracking/auditing setting, it needed to perform tracking and auditing as part of its authentication mechanism. I pointed out that I can't help that the university bought a dumbass product, and I threatened to sue them, but I was young, and I threatened to sue everyone.
I got a letter from the university lawyers saying "While we ourselves certainly hope never to need the archived data -- and, fortunately, rarely do -- it can be of unquestionable value in
investigating incidents in the residence halls. It is for this very reason that similar systems are in use at numerous colleges and universities
around the country."
I've however pointed out that any idiot who was gonna do something in the dorms would do what everyone else does, and that is follow someone who swiped before you, and not swipe themselves.
I still hope to work on this issue at some point.
I'd go ahead and let them try to come after me. I don't think that a can of Coke is considered protected copyrighted material that they had in mind for the DMCA.
Fight Spammers!
You're thinking of another thing called Blackboard.
Way to read the article, champ.
Quoting the article:
So, Blackboard has known for at least 1.3 years, possibly longer
Chivalry is not dead, it's just frequently misspelt. - M. Langley
I'm a student at the University of Alberta, and I have one of these OneCards.
There are various machines around that let you deposit money onto your OneCard, but there is no "university-approved network" of stores that accept the OneCard as payment.
The OneCard is primarily used for borrowing books from the library, and for operating the photocopiers/printers on campus, and there is exactly one vending machine on campus that allows you to pay with your OneCard.
As for people living in residence who have meal plans (like me), there's a separate card for that, provided by Aramark. To get into our dorms, we have keys. Laundry is coin-operated. The OneCard has absolutely nothing to do with the on-campus residences.
For most finals and midterms, we're required to show our onecards and/or driver's licenses as photo ID, but the OneCards aren't swiped through a card reader or anything, it's just photo ID, nothing more.
There are restricted areas on campus that you can access by swiping your OneCard and punching in a secret code, but as a first year undergrad, I don't have access to any of those places so I can't say what it's like (though for most of the places that aren't top-secret nuclear research facilities, it's almost trivially easy to get in by walking in when somebody else walks out -- we're friendly here in Canada, generally we hold the door open for people we don't know).
So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?
Gee, I dunno. This is Canada, there is no DMCA here (as far as I know, anyway). Hopefully some Canadian security researcher will hear about this, and continue the research here...
Forget the financial problems this has, what about personal safety?
If someone can gain entrance as John Doe, then they could gain entrance as Jane Doe. But with the intent of harming, raping, or killing someone. Whether it's someone unknown or a jealous ex-boyfriend, the court should be focusing on the company that made this and forcing them to fix the problem instead of ignoring the danger it poses to students on campus.
It's been nearly 20 years since I was at college and I remember using a lock system where you had to remember the 5 digit key sequence to get into your room. That's a hell of a lot more secure than this card system, and it's 20 years old.
The best intermediate solution to the DMCA should add a provision that recognizes when violations of the DMCA pose a clear threat to the safety and security of people. Then later they can tear the whole thing down.
"You're having a bad day when the voices in your head put you on hold"
What is being challenged through the DMCA? Is it that anyone who tampers with security to exploit the system is to be prosecuted?
The problem with that is the reason for checking (tampering with) the security is obviously a sign of malicious intent. How does anyone propose to show that it is not for such? And when giving a talk about vulnerabilities, the DMCA seems to think that you are sharing this information so that everyone will know how to circumvent the security - rather than displaying a problem that needs to be fixed AND avoided by other systems.
Therefore, how could the DMCA be rephrased to show differences in intent, and how do you avoid an abuse of such language - I was only stealing to show how insecure the system was OR no you can't browse my computer files to see if anything there is illegal!
"The difference between stupidity and genius is that genius has its limits." -- Albert Einstein
So.
Instead of fixing the exploit in their keycard system, the company in question finds it easier to have their lawyers drop a house on the students.
Doesn't "Security through Obscurity" create an environment where persons with malicious intent are free to exercise it?
The students discovering the security hole = The Good Guys. The knowledge they possess equals a Munition (or, a firearm.) They were not planning to use their knowledge maliciously.
Essentially the DMCA has turned knowledge into a weapon to be regulated through the legal system. Just be careful what you know, because speaking of it publicly is becoming the 21st century equivalent of pulling a gun out of your pocket at the mall to discuss its function with another gun enthusiast.
Of course, we all know the gun paradox. Seriously. Increasingly Orwellian gun laws != less crime. Criminals will always find weapons. On the electronic mean streets, crackers & hackers will always find exploits, but unlike the Good Guys, the Bad Guys won't go to a symposium to divulge the PROBLEM, embarrassing the company into FIXING IT. Instead, the Bad Guys will EXPLOIT the FUCK OUT OF IT.
I'm not a philosopher, psychologist, ethicist or sociologist by profession, but perhaps the DMCA needs to be re-evaluated by a panel consisting of a few. Right now it seems to favor only the government and very, very large corporations. Oh, and it makes learning a criminal act.
Do you have a permit for your mind?
THIS SPACE INTENTIONALLY LEFT BLANK.
I'm not familiar with what Interz0ne II is, but I'd be willing to bet they are in no way affiliated with any of the companies whose products are affected.
That stated, and please correct me if I'm wrong, I don't think such a forum is an appropriate forum for such a discussion, if the idea behind the presentation is to make the devices/systems more secure.
Now I'm not going to assume, either, what the discussion was supposed to be about, but if the idea really is to make the system more secure, wouldn't the appropriate audience of such a discussion be the people who own and/or run the system?
Bringing this kind of information to a party that doesn't have anything to do with the development/maintenance of these systems doesn't do anything to make the system more secure.
If these people wanted to make the systems more secure, they should bring their findings to the people who made it.
"Ask not what your country can do for you." --John F. Kennedy
Important to note that Blackboard's teaching/learning environment is a very different issue from the commerce & access products. Commerce & access (the piece discussed in the article) was purchased a couple of years ago & still is dealing with legacy crap in the code. Not that it's an excuse for siccing your lawyers on security folks... but absolutely no reason for a blatant ad that has nothing to do with the commerce & access side of Blackboard.
That's nice. It's also not the point. The system being discussed is a card-based security/POS system. It's nothing related to electronic learning or collaboration.
Whoever marked this as insightful is an idiot. If you have mod points, you should read the article before moderating, or at least read other comments.
There is no sig, there is only Zuul.
This is a perfect opportunity to speak about the chilling effects of the DMCA and how it was used in this case as an effective short term "gag" order through a "cease-and-desist" letter. The mere mention of the inability to speak implies too that there's not only something wrong with the DMCA but a security flaw in Blackboard's system. The best solution is to give this presentation as much publicity as possible; only then will the public realize the ramifications of the DMCA. Every such incident should be reported in a big way until it hammers the point into the ground.
rob
Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work,"
Since the technology measure is breakable, it must not be effective, therefore the DMCA doesn't apply?????
Jeebus, no shit, sherlock. You think the constitution can make any guarantees except about what is LEGAL? You're so fucking insightful.
If they (Blackboard) sell the system as secure and you can prove it isn't, contact the state attorney general or one of their customers (your school) and sue for false advertising. DMCA or not they'll have to face the music.
The "Cease and Desist Letter" was probably perceived as some sort of 'cease and desist order' issued by a court of competent jurisdiction. Even if the lawyer doesn't get the preliminary restraining order he seeks much less a permanent one, he won the moment these two people thought the letter constituted any court order to them.
1. Set up the lecture in Canada 2. ?? 3. Let the FBI get mad!
I've got an idea, let's protect freedom by restricting it...Does this sound like Germany circa 1936 to anyone?
...would make sure those l33t 5cript Kiddi35 never got to know of any of these exploits, right?
Such policies only create false trust in a system, by outlawing bad publicity. But I suppose it's the New American way, to protect the corporations and their profits at all costs. Hopefully the EU, as well as my country realize the blatant abuse the DMCA is used for, and reject the EUCD (aka Euro-DMCA).
Kjella
Live today, because you never know what tomorrow brings
With the high cost of everything on campus, I wouldn't be shocked if some enterprising individuals tried to exploit this. The food service company essentially charges monopoly prices for everything, since there is no alternative place to eat if you don't have a car or can't cook.
Surely, the DMCA only applies to "effective" security measures. The subject of their talk was how Blackboard's system was not effective -- so the DMCA does not apply?
The real "Libtards" are the Libertarians!
IANAL, but could someone sue the company for false advertising? If they say their product is safe and secure, but you feel it isn't and you are a user, then shouldn't you be able to bring a case against them? At that point, you have to present evidence for your claim and (assuming the court records aren't sealed) the exploit becomes public record.
Trade secrets used to be frowned upon by the law. Patents were legally preferable, so that when the patent expired, the knowledge went into the public domain. A trade secret could be lost easily; any publication by anybody erased trade secret status. All trade secret law really did was to put some teeth into confidentiality requirements for employees. It didn't affect outsiders.
All that has changed in the last decade. Between the Economic Espionage Act, the DMCA, and several court rulings, trade secrets now look more like property rights.
This is the contact information of the lawyer who wrote the letter. Gregory S. Smith Counsel Washington Office 202.383.0454 gsmith@sablaw.com
So, assuming that's not possible -- is the DMCA a viable tool to ensure security?
The DMCA isn't about security--it's about copyright. Read the DMCA, also known as Chapter 12 of Title 17, USC, and decide for yourself.
IMO, the law should either be moved to a general security law, or it shouldn't be interpreted to cover anything except the aiding and abetting of real anti-copyright infringement sale aid--that is, unless a device is intended to protect a document that's transmitted / broadcast, the DMCA shouldn't touch it.
Then again, these are new positions for me--reply and you might change me again.
How did you find out that the system used was Blackboard? My university (Brown) has a card authentication system, and if it is Blackboard, I'd definitely send an email to the administration to complain about the use of such an insecure system. However, I don't see any indication anywhere who set up our card system, and I don't want to seem like an idiot if we're not using Blackboard.
"The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
If it's something within the school, then the makers of the system wouldn't really have a DMCA complaint against researchers; the school (user of the blackboard product) would. (Just as MPAA, not DVDCCA, are the ones who had DMCA complaints when knowledge of bypassing CSS got out. It's the copyright holder of content who gets to use DMCA, not the inventor of a protection mechanism.)
Assuming the blackboard lawyers actually see a way to use DMCA and aren't just trying to intimidate (hell of an assumption), then the copyrighted content must be some artistic expression within the Blackboard system itself, rather than something the system is intended to protect.
If the copyrighted expression turns out to just be the serial number on a card, or something like that, then that would be very (*cough*) interesting.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I think that in all fairness, they should have gone first to the company that created the product with the flaw. Perhaps they did, and were ignored. But I didn't see any evidence of this in the posted materials. Companies make mistakes, people kind enough to find these mistakes should also be responsible enough to go to the company first and present them with the opportunity to fix it.
(Score:-1, Wrong)
My school (U of Washington) is a campus that uses this for everything - dorm food, print jobs, access to restricted areas, on and on...
and given how easy it is to scam the system via social networking ($5 and a student ID number gets you a replacement card) - the fact that there are technological insecurities in the network was supposed to be assumed, I thought...
(my personal favorite way to scam the system: When the central server goes down, since ALL of the dorm food is managed through it, they take down student numbers and charge amounts by hand and enter it into the system later - there's no consequences for having a negative account balance due to this.)
It does concern me that because of this Gag Order stuff that the company will not recognize the flaws in the system and it will remain insecure. (my parents do like to dump money in there from time to time.)
But, for those of us wanting 24-hour access to buildings on campus, this could be a good thing.
Didn't 2600 cover these flaws last year?
And props to the moderators, who apparently think anything with links deserves some points. Bah.
FYI, let it be known that these two were WELL PAID for their hacking of Blackboard and were contracted by a direct competitor of Blackboard:
NuVision Networks Corp
http://nuvisionnetworks.com
Strange - this info was posted on his website which has MYSTERIOUSLY disappeared since this article was posted?!?
The only sane thing to do is to patent your exploits before you announce them. :)
Then you have precedence for publishing them, or you just point to the online patent info.
As a bonus, you can sue the companies that fix the holes you're supporting because they've broken that "shall circumvent a technological measure that effectively controls access to a work" line. After all, your exploit controls access, right? Opening a door is controlling access as much as locking it is.
Here's a neat article about the security flaws:
http://216.239.33.100/search?q=cache:fM1kWpR_dbQC:www.yak.net/acidus/campuswide/campuswide.txt+onecard+security+flaw&hl=en&lr=lang_en&ie=UTF-8
Honestly, if there's a hole, eventually it will be discovered. The recent linux ptrace hole and sendmail hole come to mind in the *NIX world. If this kind of stuff can't be discussed in public, then dark smokey rooms hidden from the public eye will be the only place left. And when that happens and these companies lose millions and millions of dollars because somebody DID figure out how to crack their shitty security implementation on their own and exploit it privately.
I can understand why if you could either publicly disclose this info and risk going to jail for 4 years, or keep it to yourself and exploit the hell out of it at the company's expense and risk going to jail for fraud, you'd choose the latter. Not as honorable, but wtf...baby's gotta eat.
"Hell hath no fury like a woman scorned for SEGA. ..."
This arm of BB is the cards, not the online learning environment. Is there an open source unified card access system?
Reading through the C&D letter, I have to wonder who approved it from Blackboard's perspective and if anybody technical thought through what the result of it may be.
It sounds like there is enough information in the letter so that somebody that knows what a 75176 is (I would disagree with the assertions in the paper about RS-485's obscurity), can program a PIC or an 8051 and can use an oscilloscope can reproduce the work done by Messrs. Griffith and Hoffman. Along with this it sounds like the readers are connected to standard cabling via standard connectors.
So, the result I would expect from this letter is, 1) it will be put on the Internet for all to read, 2) boxes throughout the different colleges and universities that use the system will be pulled out of walls and vending machines with many of them stolen or vandalized to see what's actually inside them, next 3) The protocol and hardware will be distributed on a variety of web sites (probably ending with .ru or .iq) and finally 4) Blackboard's reps get inundated with phone calls, emails and letters complaining that their system is not secure.
This begs the question on what Blackboard should have done. (next reply).
myke
Mimetics Inc. Twitter
Georgia State has these things. You can see the wires hanging all around the vending machines, and in many places could easily access them. Good stuff to know :)
This past week, one of the first comments to be modded up as funny is someone claiming to be the Iraqi information minister.
Now, they could have said something like, "There are no holes in the BuzzCard system, and we have repelled the elitist satan dogs who have attempted to break its security!" and it would have finally been funny!
-JDF
how_to_get_coke_for_free_at_school.pdf? WTF?!? Are you trying to publish a security analysis, or are you trying to help people commit theft? Some people might draw conclusions about your intent, from that filename. And you might not like how they act in response to those conclusions.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
On one hand, there is the party line that any security / encryption measure CAN be broken, so that social measures are really what's necessary to achieve desired aims.
On the other, we see slashdot outrage any time a social convention is established / followed that actually attempts to impose social codes of behavior.
(Side notes to all of this include the typical calling whoever developed the security mechanism a moron because of some obscure backdoor that took the investigator 6 dateless months to find but he acts as if it's so obvious.)
The fact of the matter is that the systems these "young security researchers" are ALL at about the state of the art for this stuff as evidenced by the fact that several companies are more or less doing the same thing. It's also evident that without their information being made public, the security systems do a reasonable job of protecting what they need to protect. It's also clear that there WOULD be a greater social benefit if their information was used to make the security systems even better.
However what's bloody obvious as well is that, given their userbase (students), that there is a greater societal harm in releasing the security flaws publicly at this moment. The DMCA, for all its flaws, was designed for exactly this situation. This is a correct application of the DMCA. The young crackers should negotiate a private deal with the providers for a fair amount for the information, intermediated by an independent arbiter.
When my brother was at Western University (early 90's), he told me how some of his engineering friends were able to put $700 on a printing/photocopying card, so the only reason they needed to get new cards was because the black strip wore out.
J00 ThINk TH3 DMC@ sl0W$ dOWn l33t HAcK3R5 L1K3 u$? w3 d0n'T NeeD NO 5+1Nk1N9 lAwY3R5! we 0WNzOr 4LL J00R c0K3 m@cHinE5!
If Slashdot were chemistry it would look like this:Cadaverine
Yeah right, the DMCA will stick and hold for a long time to come. Lawyers are having a field day. Lawyer wrote the law and therefore they will protect the law. Even though the law sucks.
What will be the result? Easy illegal hackers who steal. The DMCA is setting up a black market of crime. Just like how people "steal" cable. And people will not consider it stealing because it is digital. Oh yeah forgot more lawyer work, to prosecute the illegal people. Can we say DMCA is a make work system?
The DMCA will be struck down once people in the mainstream realize it has no effect. This reminds me of the argument with strong encryption....
Add on the fact that governments these days do not care about the little person. Just the big companies with their lobbies....
"You can't make a race horse of a pig"
"No," said Samuel, "but you can make very fast pig"
There are 2 things geeks in college have in abundance: free time and the want to break things. Now that every geek with a heartbeat and a B0x0rz knows there IS a flaw in this card system then they can go ahead and track it down on their own. Free access to EE labs is a beautiful thing. Let's wait and see how long it takes before they are ripped off to the tune of a couple million dollars.
what does the DMCA have anything to do with this??? the company may have PATENTS for the underpinnings of their systems, but copyrights are generally reserved for artistic works. So are flaws in a system a form of artistic expression now???
So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?
The security on the system is almost laughable. Multiple unchecked user input flaws have come over bugtraq in the past couple months that allow one to retrieve MD5 hashed passwords of an account of your choosing, exploitable over the internet. Some of these holes have been patched. (If memory serves it's possible to brute force a password that hashes to the same MD5, thereby logging in as anyone who has access to the system) Professors use the system for quizzing, grades and god knows what else. Last I checked even the quizzing system's timer was controlled by a Javascript countdown timer (need more time to complete that final? No problem, set your system clock back by an hour). We have the ID cards that work like the ones described also, but ours until very recently were encoded with our social security numbers (!!!).
Welcome to Free America...
We all know the constitution of the united states (hopefully), so why in the name of all things holy did these presenters of information cease and desist?
it seems they could have been a good step in fighting the problems presented to us in the DMCA
I go to Cornell University. I have one ID card that swipes *everything*. Access to dorm hall. Attendance count at mandatory lectures. Meal plan. Laundry account. Snack/soda machines. Credit card.
Some people have been asking "what 'University approved network'" in other posts. At least here, we've got an account tied to our cards called "city bucks" that lets us spend a declining balance at local off-campus restaurants, and I think a couple supermarkets too. While City Bucks is Cornell-specific, I'm sure other universities have similar things.
I think there are other accounts too, but I forget them. The point is, I'd like to know if I should complain to someone in administration.
Anyway, we have a server with the Blackboard Courseware website software on it, but that doesn't mean we've got their card system too.. but how can I tell if we do use their card swiping system? (There isn't a logo on my card that would identify it as any particular brand.)
God knows we can't blame the guys for wanting to get on their soapbox, publicize the information, and in exchange for a raging geek hardon let every college kid using this system now exploit the fuck out of it until Bb can get it fixed.
/. geeks will insist that somehow keeping this from being publicized in an open public forum will somehow magically cause more exploits. Assuming, as always, that the company has no interest in fixing the bug ASAP because they are too lazy or incompetent. (Unlike our open source Linux heroes!)
Of course, the
These leet dudes could never have just quietly told Blackboard about the bug in advance and given them a deadline to fix it by before they go public. I mean, where's the fame and glory (and the link on Slashdot!) in that???
Could it be perhaps, that Bb wants to minimize the damage of this exploit by keeping it quiet while they create a patch? Nah, all corporations are evil and are full of incompetent programmers and managers who are somehow able to get people to pay for shitty software. Every company is like Microsoft, right?
--
We use Buzzcards here at Georgia Tech. It's been the experience of me and most people I know that the cards are only used for laundry, dining hall meals, and admission to athletic events and facilities. This is the first I've heard of any flaws in the reader system, but to be honest I don't think it affects people too much. There doesn't seem to be many places for students to put money on a Buzzcard, and when someone does, it's usually just enough to wash their clothes this week and maybe get some snacks from the food court. I just don't see it as being a big issue.
That being said, I don't think that threatening these folks with the DMCA and acting like the situation doesn't exist is the best possible way to make things safer. Hopefully situations like this can help get part or all of that legislation thrown out.
the coolest club on
You mean a company that creates a software system for financial and student transactions doesn't want an open forum on the security flaws contained in that software to be discussed on campus? What utter tyranny....
If I were a student on that campus I wouldn't want people openly talking about the system's flaws. I wouldn't want people cracking the system and tampering with any of my information that it contained - ESPECIALLY if this thing controls my meals, my dorm room and my exams.
Also, if I were the genius that found all of these system flaws, I would use it as a marketing opportunity to apply for a job at the company that wrote the software, supplying them with a detailed description of the problem and a proposed solution.
Why must this whole thing be so combative? Why is it so critical for this public forum to be held? If you find problems with the system, go to the company about it, not the public.
"On the Internet, nobody knows you're a dog!" - a dog
This is the worst kind of security through obscurity.
Why are people so down on "security through obscurity?" Do any of you have any idea what the inside of Fort Knox looks like? No? Has it ever been successfully robbed? No? Sounds like "security through obscurity" is working GREAT to me. Ditto for the pentagon, the security protocols for Air Force One, and a thousand other installations that require "Top Secret" security control.
I will concede that there are some situations where a security model can benefit from open review and grow stronger, but why do some people refuse to believe that there can also exist some circumstances where open public knowledge would WEAKEN the system?
Take my Fort Knox example again. None of us know what it looks like inside. If we hoped to rob it, we'd have our work cut out for us. On the other hand, if it had been designed by an open forum, then the architecture and security practices within would be public knowledge, and it would be comparatively easier to launch a robbery attack on it. The only way it could be otherwise is if cost was ignored, and the open solution that was adopted was something along the lines of "construct the vault 200 feet underground, with a single entrance, guarded 24/7 by 8 multilingual guards, all of whom are former secret service, CIA, NSA, or Navy Seal operatives."
Sometimes, obscurity *is* feasible. How many people do you think would have liked to have seen McVeigh's execution? It was broadcast to two locations via closed-circuit TV, using some type of encryption and authentication that was, of course, not public knowledge. Now if it *had* been a public protocol, then you might be able to log onto Kazaa today and do a quick search for "McVeigh Lethal Injection" and come up with something, but since it was a closed, private implementation ("security through obscurity"), your logic suggests that the video would be rampant on the net, but the opposite is true. The video wasn't leaked. We'll never see that video, because security through obscurity worked.
Like woodworking? Build your own picture frames.
sure the OP was off the mark on the original product in question, but it is the same company (blackboard inc) that is pushing the lawyers.
while the security issues for the commerce system probably are larger than those for the collaborative system, the company (and its lame attitude) is the same.
I'm just waiting for a security company to send all of the crowbar manufacturers a CD letter. They DO after all make a security circumvention device.
It's a good thing the world sucks or we'd all fall off.
Seriously though. Does it ever occur to people that sometimes they have to FIGHT to get things their way? Not fighting in the sense of a debate-club discussion, but rather a nasty bar brawl; you are gonna get hurt a bit, but [hopefully] the other guy gets hurt more.
How did civil rights come about? Did Martin Luther King bitch to his fellow oppressed on the local bulletin board (ahem), write a congressman, and then go home? As I recall, he spent more than a few nights in jail, and eventually got shot to boot.
I'd rather be an insurance guy or something similarly boring than spending part of my life in a 4x6 cell, or even living in fear of same.
Well instead of a 4x6 cell you can have a 100x100 subdivision in some godless plastic suburb somewhere. You'll be safe there, have a fun life!
-----------
Together, we will drive the rats from the tundra.
oops, my bad. figured they were the same system. sorry bout that. oh, and fuck you too, asshole.
If guns are outlawed, only outlaws will have guns.
Isn't that a simple consequence of the fact that the guns would be outlawed? Simply, everybody who has a gun will be an outlaw. Same applies to hackers, students, water drinkers and air breathers.
My school has a card system. It's used by everybody as a photo ID for on-campus checks (nobody else really accepts that - the picture is pretty obscure and they are valid for 5 years). Students pay with it for meals in one (1) eatery. I'm not sure about dorms. I haven't ever seen any soda dispensers operated with cards - everything around uses coins. Simple - I don't think that the system was advertised as highly secure (it might be now - with all new "security bubble" that seems to be growing fast) - it's just a card ID system. Whoever wants to use it as a highly secure thing is responsible for any problems that come out of that.
iThink iHate iMod
This is a follow up to my previous response asking who read over the letter (because anybody halfway competent could have figured out what was done even if the web mirrors were taken out).
Hiding behind DMCA is clearly not the answer. It destroys credibility for the company and ultimately for the law itself. If these cards are used for purchasing products/services then potentially millions of dollars are at risk - nobody can realistically expect a simple law to protect against theft of tangible items as well as theft of intellectual property.
But, how much does a letter from a lawyer cost? From the company's perspective, this is the most cost effective way to deal with the problem.
The second most cost effective way of dealing with the problem is to hire two guys to show Virgil and Acidus the errors in their ways (preferably from the perspective of the inside of a Cadillac's trunk).
I would suspect that this would be a bit more expensive than a lawyer's letter, but almost certainly more effective.
If either of the first two methods don't work, then Blackboard could, gasp, fix their product. I disagree that the encryption couldn't be built into the individual boxes - there are some very clever things that can be done that would make figuring out the communications very difficult.
This is the most expensive option, but the one that would have the least amount of liability for Blackboard and could establish them as the brand owner (get rid of all those pesky ATT labeled boxes).
Comments?
myke
Mimetics Inc. Twitter
Do what you want, being a sociopath is okay in my book (I am). Just learn to control it, or create your own system of morals. This way you're never in conflict (unless you really are nuts and like being a hypocrite, a la the republican party).
lol...
Here is the info on the lawyer that wrote the letter: Gregory S. Smith Counsel, Washington Office 202.383.0454 gsmith@sablaw.com Bio at this page And Blackboard corporate communications: Michael Stanton Senior Director, Corporate Communications Blackboard Inc. Ph: 202.463.4860 x305 FAX: 202.463.4863
"Blackboard offers all of the mission critical applications for today's digital campus"
If mission critical means "easily circumvented" then they are correct.
If I recall, the RIAA/MPAA cartel tried the same shit on Dr. Felten didn't they? Then they dropped it when he cancelled his talk and sued them. That went to court and the judge threw it out claiming "No harm done". It seems to me that I see a pattern happening here. Big companies are abusing the DMCA by threatening to sue, which clearly abuses the Educational exception that Congress put into the DMCA. Then, once the talk is cancelled, they say: "OOPS! we goofed...we were never planning to sue you!" THEN the court agrees with them. The problem is this is a variant of the "shoot, ready, aim" philosophy. This stuff they're pulling is a dangerous incursion into free speech....but then again, free speech means NOTHING in the Post 911 Bush dictatorship!
Seriously. If these people felt so strongly about the flaws in this system to hold a public seminar on it, why did they back down when they got a letter? They should have held the seminar anyways. They might go to jail, but think of what they could accomplish.
1) Get the information they wanted presented to the public.
2) Get media attention
3) Bring the insanity of the DMCA to the courts.
T Money
World Domination with a plastic spoon since 1984
I seem to recall that Taoism mentions that laws only affect the moral people in a society - criminals are not affected by laws.
I think this just proves that point.
"The large print giveth, and the small print taketh away" -- "Step Right Up", Tom Waits
Use ASCII text. The reasons should be obvious. If they aren't obvious to you, and you feel like an educational experience, go ahead and use PDF or Microsoft Word when you anonymously upload your files.
Enough said.
We had the Onecard system at my school. Best hack we found was with the printing system. Insert a card with $30 on it in the machine to print for $0.10, say this is my print job, wait for it to read amount on card. Take out the card and put in a card with $0 on it. Hit yes to print. $29.90 will be written to the card. Everyone I knew had $100 on the card in no time once we "borrowed" a prof's card. We also got to print at half price by taking a copy of his card.
People also spent time sniffing the one card network, but as far as I know no one had found anything interesting yet. this was 4 years ago, so I'd assume the entire thing is solved by now.
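The card swap described in the comment above is a time-of-check/time-of-use flaw: the balance is read from one card and written to whichever card is in the slot at confirmation. The following is an added illustration, not code from the thread or from any vendor; the class names, the card fields and the assumption that the value is stored on the card itself are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Card:
    card_id: str         # constructed identifier, not a real card format
    balance_cents: int   # assumption: the stored value lives on the card


class CardSwapped(Exception):
    """The card present at commit is not the card that was quoted."""


class InsufficientFunds(Exception):
    """The card present at commit cannot cover the job."""


class VulnerableTerminal:
    """Reads the balance once, then trusts that reading at write time."""

    def __init__(self) -> None:
        self.slot: Optional[Card] = None
        self._cached_balance = 0
        self._cost = 0

    def insert(self, card: Card) -> None:
        self.slot = card

    def remove(self) -> None:
        self.slot = None

    def quote(self, cost_cents: int) -> None:
        # Time of check: balance is read and cached here.
        self._cached_balance = self.slot.balance_cents
        self._cost = cost_cents

    def commit(self) -> None:
        # Time of use: the cached figure is written to whatever card is
        # in the slot now, with no check that it is the same card.
        self.slot.balance_cents = self._cached_balance - self._cost


class HardenedTerminal(VulnerableTerminal):
    """Binds the quote to one card and re-reads the card at commit."""

    def quote(self, cost_cents: int) -> None:
        self._quoted_id = self.slot.card_id
        self._cost = cost_cents

    def commit(self) -> None:
        card = self.slot
        if card is None or card.card_id != self._quoted_id:
            raise CardSwapped("card changed between quote and commit")
        if card.balance_cents < self._cost:
            raise InsufficientFunds("balance re-read at commit is too low")
        # Debit the value read now, never a value cached earlier.
        card.balance_cents -= self._cost


def run_swap_sequence(terminal: VulnerableTerminal) -> Tuple[str, int, int]:
    """Replay the sequence from the comment against a terminal model.

    Returns (outcome, funded card balance, empty card balance) in cents.
    """
    funded = Card("A-constructed", 3000)   # the card holding $30
    empty = Card("B-constructed", 0)       # the card holding $0
    terminal.insert(funded)
    terminal.quote(10)                     # $0.10 print job
    terminal.remove()
    terminal.insert(empty)
    try:
        terminal.commit()
        outcome = "committed"
    except (CardSwapped, InsufficientFunds) as exc:
        outcome = type(exc).__name__
    return outcome, funded.balance_cents, empty.balance_cents


if __name__ == "__main__":
    print("vulnerable:", run_swap_sequence(VulnerableTerminal()))
    print("hardened:  ", run_swap_sequence(HardenedTerminal()))
```

Keeping the authoritative balance in a server-side ledger keyed by card ID, rather than on the card, removes the writable value from the card altogether; the terminal-side check above only closes the swap window.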
I don't know what MIT is using right now, but I know that a few years ago I noticed This Site at MIT as well as this security assessment. From my personal experience (not at MIT, but elsewhere) often in some situations you will be expected to leave your student ID at places such as the dorm front desk if you check out, say, a vacuum cleaner. (This of course gets really ironic since in my dorm we need the card to get from where the desk is back into the 'main dorm') I know from some playing with my card that our cards basically contain the following information. A question mark, our full name, social security number, followed by a sequencing number and then a semicolon. The system connects to the main campus server using a standard ip address (although it may have been moved to a VPN, I haven't played with it since freshman year) over tcpip. While I imagine network security is fairly lapse, I wouldn't worry too much, because beyond dorm access and meal plan I don't use my card that much. In all honesty, I'd be more afraid of somebody grabbing one of the many lists that different campus organizations are given (such as dining services) that have all of our personal information such as our social security number and are often sitting right next to the terminals at retail locations run by the campus or in drawers. There is a possibility of identity theft en masse if someone stole one of these. They are trying to improve the system however. When I first came to my university, everything was SSN based, but now they are moving to a 'net id' (based on your initials and a number) however some professors will still ask for your social, and the grade system as well as the card system are still based on the ssn, and I don't see them changing any time soon.
[Something witty and intelligent should have appeared here.]
{Traicovn}
P.S. Virgil tells me that he has a good lawyer.
As opposed to paying money for bad lawyers? (Is that a double negative?)
"Times may change, but standards must remain the same." - George Carlin.
Reminds me of an episode in "Surely You're Joking, Mr. Feynman!": Adventures of a Curious Character. Richard Feynman pointed out problems with security of file cabinets containing secret documents at Los Alamos. The "solution" to the problem? Easy! Keep Feynman away from the cabinets!
The main page:
http://216.239.37.100/search?q=cache:aCrSrlgFxsYC
Text document covering network infrastructure, database, servers, etc. for blackboard system:
http://216.239.39.100/search?q=cache:fM1kWpR_dbQC
These are the old cached ATT webpages, full of Technical details Blackboard wished weren't floating around:
http://216.239.37.100/search?q=cache:www.yak.net/
Acidus' card system FAQ:
http://216.239.37.100/search?q=cache:www.yak.net/
Creative use of cut and paste within the google cache should let you hit any of the other links within those pages that you may be interested in.
I don't know exactly what information is encoded on the cards, but I'll bet long odds that it is only identification and account information about the student. That isn't copyrightable information.
However, the government/corporate complex reserves the right to make sure you can only do so in an 8'x6' room, for the rest of your life.
The REAL jabber has the user id: 13196
What you do today will cost you a day of your life
Hi, I am a user of the Bb system at Montclair University. News of a cease and desist order has reached our campus regarding Blackboard security. This is very troubling for 2 reasons. First, the existence of a security flaw, and worse, Blackboard's attempt to hide this flaw rather than work with the security community to rectify it is very troubling. Second, as an educational facility, using what it considers to be educational software, it is very alarming that Blackboard is using the DMCA in a way antithetical to academic and scientific progress. Censoring information not only leads to increased unreliability and appearance of security flaws, but to a steady degeneration of the process which our institutions are designed to promote.
The problem with this is that it is far reaching and vague. If there is a true security issue with this system, should not consumers be made aware of the potential problem? Imagine where the world would be if products that caused harm could have been hidden. Mercury, DDT, and other toxic things. Let the people hear the word and then the companies will be forced to fix the problem!
If you find a crack in the bank's wall, chances are someone else has found that crack too... or someone will. Despite the most American notion that we are special, knowledge of that nature is not exclusive to one person if all that person had access to was public knowledge. A contractor who finds a flaw in a safe that makes it possible to crack through in a specific location by shooting a hole in the wall should tell the bank but otherwise keep quiet... If you are demonstrably the only person who can know about a vulnerability, that greatly reduces the chances that somebody likely to use the exploit will find it.
However, if you stumble across public knowledge that the bank is a demonstrably unsafe place to put your money, it would be immoral to not spread that knowledge to other people who may lose out due to the bank's incompetence. If you stumble across a security hole that a sensitive organization refuses to fix, chances are this is a policy decision on their part and there are other insecurities they are simply hoping will go away. The only way to prove there is a problem is to explain how to do it... this is also perhaps the only thing that gets some companies to move on problems. You have now increased the number of people who are confirmed to know about the problem from one to thousands, which negates the possibility that the institution can continue to bury their head in the sand.
The same is as true for your network as your bank. If you are sending sensitive information through an insecure network, you want to know about it, don't you?
The ______ Agenda
As a US citizen, I'm depressed (I should be outraged) at this sad state of affairs. However in-your-face this particular presentation was to be, the stated goal was to expose the flaws of the system through hands-on research & controlled experimentation. Research. It was NOT to distribute hacking tools for actual implementation to facilitate illegal or illicit purposes. But ballsy kids in an academic environment who want to improve the technology and processes that surround them? They're stymied by corporate protectionism ensconced in federal law. That's sad. It's wrong, immoral, and ultimately ineffectual. But the real tragedy is that it depresses the level of creativity in academia and creates fear for those that think too hard.
As a security professional, the fact that any cheeseball company can successfully hide their shoddy product behind a federal law is an embarrassment. It induces even more cognitive dissonance when I work with federal and state government security staff who are well aware of good security principles, and then think about laws such as the DMCA which are diametrically opposed to known-good principles of improving security technology and processes.
It's a lose-lose proposition: News of an exploit always gets out, and is propagated fastest within the community which has little fear of the DMCA. But invocation of the DMCA causes relatively-innocent people -- those that were willing to stand up and state their names -- to tremble and retreat. As I said: it's wrong, immoral, and ultimately ineffectual. I spend my days educating people about the dangers of security by obscurity, and exposing the risks associated with snake-oil solutions such as Blackboard's "secure" transactions. I'm doing my part to educate as many people as I can, but with Grand Moff Ashcroft at the legal helm of the country (and with US federal/foreign policy changed to match the prosecutorial principles of "pre-crime"), I'm afraid it's like spitting into the Mojave.
The first time that some predator clones the card of a victim (or a patsy) in order to gain access to a building and rape/murder someone, I wonder... Will the appropriate law enforcement be able to effectively investigate/prosecute such a crime if the computing research community is prohibited from supporting them? Would Blackboard be content to sit on known security flaws and let a patsy get convicted? Again: wrong, immoral, and ultimately ineffectual. It ought to be illegal to *withhold* security flaws, at least from those who depend on/are subject to them. Feh.
J
I think not...(*poof*)
When you pass IP law based on the US rules, your companies and your people lose!
Novel theory: Modern Man evolved from psychopath
The SEC has all kinds of rules to sue them for this fraud.
Stockholders can be next.
Lots of lawyers working for money management firms.
Never trust a man wearing a coat and tie!
If hacking is outlawed (and talking about it), only outlaws will know how to hack.
Which of course is the whole point of making ever more laws. But ah, someone else can put it better than me:
I'm no big Ayn Rand fan, but it got some things right.
Belief is the currency of delusion.
Some companies will be interested in finding out the security flaws -- others will not.
The solution is to always presume that they will want to know. However, one slipup, one cease-and-desist letter, and they go onto the list of recalcitrant companies. At that point, there is no cooperation from the community--just anonymous publication-- until such time as the recalcitrant company fires (not releases, but fires for nonperformance) its entire management staff, all presidents, vice presidents, financial officers, and legal officers.
I must be missing something. Has a lawyer sent them a cease and desist letter? Or has a restraining order been granted against them by a court?
Because, all the links point to a cease and desist letter, which are as cheap as lawsuits in the United States. Any schmoe can send a cease and desist letter. Hell, I could send CmdrTaco a letter claiming that the space aliens he keeps in his laundry hamper are interfering with the workings of my tin-foil reflector beanie. You certainly don't have to do what the cease and desist letter tells you to do, any more than I have to follow instructions from the little voices in my head. Sometimes the little voices in my head give me good practical advice, like "change your socks." But you would be a fool to follow the advice of either the voices in my head or a random lawyer's cease and desist letter without question.
But, I understand a restraining order as an entirely different thing. A restraining order is handed out by a court, and unless you're fond of the inside of jail cells you would be well advised to follow it to the letter.
So, did these people actually get a restraining order against them? Or is this just another badly misleading slashdot article?
Slashdot is jumping the shark. I'm just driving the boat.
Construction company X makes a standard vault for its bank customers.
One day you go to the bank to make a deposit. The teller takes longer than usual, so you look around, trying to avoid boredom. As you glance across the bank vault, you notice that the hinges on the vault can be easily taken off from the outside. Just then, the teller walks up with your receipt, breaking your train of thought, so you never mention the problem to the bank itself.
A week later, you are visiting another bank. Your elderly mother needed to withdraw some money, and she asked you to go because she doesn't like leaving the house alone. Of course, you can't help but look around while you wait. Once again, you notice the vault hinges can be taken off from the outside with little trouble. This sparks some interest. You decide to research the issue.
Fast forward a bit. After visiting several dozen banks, you've concluded two things: a) every vault was made by company x and b) every vault has the same security flaw. You decide to bring the problem up with company x. As could be expected, you get a "it would cost too much to do anything about it" routine.
Now... what do you do? Should you keep your mouth shut, or hold a security conference for banks, explaining the security issue to those banks that have the problem?
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
I believe 2600 magazine published an article regarding this topic on their Spring 2002 edition. The article title was "CampusWide Wide Open."
You can't lie under oath.
You can be sued for libel and slander.
Lying in a contract is a no-no.
Making false claims in ads is frowned upon.
Yelling FIRE in a theater is not in the cards.
The Secret Service will come after you if you make threats against government officials.
What part about make no law don't you understand?
Infuriate left and right
Perhaps not so valuable after all...
It's not wasting time, I'm educating myself.
Ok, I'll bite. In this case, the system is neither secure nor obscure. Thus the "worst kind" of security through obscurity.
I don't know the specifics, but it sounds like foiling this Blackboard thingy is not too hard (not secure), and, I'll take a WAG that at least several thousand students are relying on it (not obscure).
I agree if security or obscurity are high, there's little problem. As either of those values go down, the other one becomes more important.
- Jasen.
There was an article in 2600 about 4 issues ago that had complete details on this system I believe, and how to hack into it.
If I can remember which issue it was I'll post it here. If anyone else remembers, feel free to remind me. I remember though it basically showed how with no effort the system can be cracked.
** To avoid DMCA lawsuits, etc. I did not write this article or am involved with its creation whatsoever. **
~ kjrose
The rant about STO isn't that the obscurity is completely useless.
It's that trying to depend on obscurity, and obscurity ALONE, is useless.
Fort Knox isn't just depending on obscurity (your example of the lack of knowledge of the internal layout). It also has armed guards, locks, alarms, etc, etc. The obscurity is just another layer on top of everything.
In these computing cases, however, some people already know a way to avoid the guards, the locks, and the alarms. They have the complete plans, but since "only a couple guys" have it - there's no need to change anything, right?
THAT is depending on the obscurity alone, and is obviously not going to work.
Is it now illegal to find out whether a product you've bought does what it says?
Presumably if you buy a product designed to ensure security, the only way you could test it would be to attempt to
..."circumvent a technological measure that effectively controls access to a work,"
If so, does this mean I can sell a 'secure e-mail encryption system' using the code a=26, b=25
... and sue anyone who tells me they can break it or dares to talk about how it works?
VLC Remote for iPhone and Android
All politics is local. I would think that every student newspaper where these cards are used would be interested in this story.
FreeSpeech.org
What if I take a piss on a cross? Is that illegal? Probably.
If I put a cross on its side so that it is an X, will I be allowed to burn it then?
It is funny that we can burn our flag but not a cross - just goes to show you how the Bush regime is a bunch of fundamentalist Christian wackos.
"All the objections to the DMCA are just the same objections to hacking that were used as excuses for breaking in to other people's systems."
...
You do not have the clarity of mind to create run on sentences like that
I say that Blackboard's system is notorious for being insecure. When I'm asked what is wrong with it, I whip out my copy of the cease and desist letter. "More than my job's worth to tell you", I say. "but it will void your fire insurance if you buy a security system from Blackboard".
One less bidder for me to compete with.
Hey, wait a minute. Insurance contracts are based on utmost good faith. If you don't tell your insurers about problems with your access control system, they can refuse to pay. If you know that there are problems, but cannot find out what they are, you are obliged to inform your insurer, who may wish to alter your premium. I remember after 9/11, the insurance was limited to $3.5billion per incident. The insurers went to court to claim that the two planes should be considered a single incident, and thus halve the pay out.
If there is a fire and a big loss, flaws in the access control system that were concealed from the insurers could get real messy.
does that mean that it would no longer be legal
to publish the bible? Otherwise anybody could
read the bible and know how to decrypt certain
cyphers...
http://www.sablaw.com/profiles/bio.asp?ID=00003225 1170
While not everything about Fort Knox is public, the US Mint has made quite a bit of information about it available to the public. This includes information on the architecture and on some of the security practices.
Excerpts:
1502-2001-0011-0567-8051-1627
I think we can safely forget about oxy, you are a moron.
What you are probably thinking of in terms of keeping records on students is FERPA (Family Education Rights and Privacy Act - http://www.ed.gov/offices/OM/fpco/ferpa/ ).
If you think about it, the last command on your campus server could be considered a violation of this since it has student records (login times).
As long as your records are restricted to school staff, you shouldn't be violating FERPA. However, IANAL so this is just my interpretation.
I am the sys admin of a "OneCard" server, though I try not to touch it since it has tons of proprietary configurations on it. I do know that security was a large concern of mine because of FERPA. However, encryption on the network, and other things, I haven't looked into. (And from my position it wouldn't do me much good since the decision to go with the product was made 6 months before I heard about it).
Do not put the recognizable sarcasm in the final paragraph ... I press reply long before I get to that bit.
Anyone know what the copyrighted content that is protected by this technological measure, could possibly be?
How about the instruction manual to the system? If you can't get in the door, you can't look at the instruction manual.
Will I retire or break 10K?
The first time someone uses the exploit to commit a rape or murder, the kneejerk reaction of the corporation will be to point at the students who knew the exploit and told officials about it as the scapegoats.
"They told us that we didn't leave our door locked, since naturally it was intrusive to check our door to see if it was locked (even though it affected the security of the people telling us) we told the students to scram and forbid them to tell anyone that our doors were open. Unfortunately yesterday we had a sad episode on campus where someone entered through our unlocked doors and committed a heinous crime, sadly the conclusion to be derived from this is definite - those infiltrators that went checking our doors must have relayed the information to their despicable accomplices. The University declines any assumption of guilt or failure of any kind. Thank you."
Face it, people suck and they don't ever stop sucking. The world is run by imbeciles to protect imbeciles, and the intelligent are their favorite food group unless they are creating more ways to create morons or joining the pack in their cannibalistic orgy of idiocy.
Wouldn't any communication system designed to use Internet protocols to handle financial transactions make use of secure http?
I've always been of the opinion that the best way to build better locks is to hire the people that can break them ...
"Stop whining!" - Arnold, as Mr. Kimble
Wow, you have no idea what you're talking about, do you?
The problem with your examples (all of them) is that you assume that what is obscure remains obscure forever.
The problem with obscurity as a primary means of security is that too many people know things, and the odds on one person speaking out of turn or being duped into revealing a secret is non-trivial. Take, for example, the cases of Kevin Mitnick. He got a lot of his information about unlocked PSTN switches by calling up the maintenance centers for Sprint or whatever and impersonating a repair person in the field.
I'm sure the security at Fort Knox is well understood ("simple" circuits, cameras, and locks). If you ask me, the fact that it's a real fort with lots of troops around making it kind of hard to, for example, sneak in a truck or dozen that you'd need to cart off gold (it's kinda heavy :) ) has more to do with the fact that there hasn't been a break in.
The point of the anti-obscurity argument is that relying on obscurity as the main means of securing a system is almost never effective against a determined attacker, because obscurity can be eliminated. Systems designed in the light of day, or at least with collaboration outside of a single interested entity, tend to be more secure because it eliminates those "in the know" short cuts.
Sujal
politics, food, music, life: FatMixx
To me this is a non-story.
All security systems that are based on magnetic stripe cards are inherently insecure and can easily be circumvented. Just ask a credit card company. They go to great lengths to try to get around this problem. That's why credit cards have an extra security number printed on the back of them. That's why some shops will manually enter the first four digits of your card after they've swiped it. That's why some modern ATMs will read the embossed numbers on a card. That's why there's details on the mag stripe of a credit card that aren't printed on the card itself. That's why virtually all European banks now issue smart cards.
Copying a magnetic stripe is trivial for people with some technical knowledge. The parts are easily available. Just do a quick search on the internet and you're sorted.
Man in the middle attacks are just one way of obtaining card details. "Borrowing" a card is another.
We used this type of system. All controlled via S.S.# Unencrypted on the card, that was it. If you had a cardmaker, and someone's social security number, you can go to town. Use their card for soda, get into their building, you name it.
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
Wow... That seems like a direct violation of Fair Use. Your school is a cowardly orifice of corporate stooging -- not that I think it is different from any other public institute. The school really should have stood up for you and the interests of freedom of information. In fact, if your school put you in the meeting w/o warning you prior to the meeting, and allowing you to have your lawyer present or advising you that you may have a lawyer present, you should sue your school after you graduate. I'm all for realizing what battles can be won and which ones cannot, but that is a flagrant disregard for your civil rights. Also, your school should have acted as a guardian of your rights as your academic institution. I hope that you don't ever give them any money after you get out. Frankly, your professor and the school's administration behaved in a manner that did not fulfill their Ethical Obligations to society as members of an institute of higher learning. They should be put on a commie mutant traitor black-list for being cowards.
A system used in at least two nations and incorporating the exact or essentially similar methods to "secure" grades, private living access, meals, and in some cases businesses that have nothing, besides an eagerness to make a buck, to do with dozens, hundreds or thousands of University Campuses is as far from "obscure" as you can get.
Each campus writing its own security software/implementing its own security hardware and never divulging how it works or what it does is one possible example of security by obscurity. Buying your system off the shelf from a vendor whose business model is to sell one to everybody (ie every university) is the exact opposite.
In fact, buying ANY security system that even one other person could buy off the shelf is already at least one step away from obscure; if it actually sells then the chance it can accurately be described as obscure quickly moves to zero.
If I decide, by myself, without hearing about this "idea" from anyone and rejecting all ideas I have heard from anyone, to rig my car so that touching the brake without first turning the wipers on then off again causes a GPS tracker and a cellcall to the cops with a prerecorded message that says something like "automated response, this car is stolen and is here" and never tell anyone or even comment that I have some security, that's obscure.
Note: since I am posting this publicly, this method is no longer obscure (I won't even go into whether it's a good idea to begin with). But if you like it and want security by obscurity, figure out another method yourself.
At my school, the recently mentioned McMaster University, our residence meal plan could be used at local restaurants which had a deal with the University, like East Side Marios, Pizza Hut, and equivalent places.
Thing was, while they were mainly restaurants, some of these restaurants had bars in them, and we found early on that the system did not discriminate between what one ordered from these places.
So basically, one could use mommy and daddy's meal plan money. I think they eliminated this loophole since my first year, but it was good (by which I mean very very bad) while it lasted :)
+4 Troll.
That's some good trolling.
....can this crack be used to pay my tuition bill?
In this case, as in mine, the card number would be the "access device" and the computer (or even a laundry iron) would be "access device making equipment." Since this is a computer network one would also be well advised to read 18 USC 1030, which deals with computer hacking. Did you ever wonder why the phone company hands out cards in the first place? It was to promote the idea that phone card phracking was the same as making your own Visa card (the original intent of the law.) Why else would they emboss your phone number on a slab of plastic when there was never a valid reason to run it through a credit card imprinter?
-- I have a private email server in my basement.
No doubt, you are aware that Student newspapers are more prone to censorship than *real* journalist publications. A number of the local universities' newspapers are answerable to Student Advisory Council (SAC), Faculty Advisory Council (FAC) and even the University president and some alumni groups. Articles generally have to go through approval before being published, by groups that each have their own agenda. Most of the time, these groups take a hands-off approach, but there have been incidents where articles were pulled because they weren't in the best interests of the school. Publishing an article that practically invites legal action would probably set off some red flags in one of the councils.
Well, if they can convince the ATMs on the campus network to dispense funds through the security hole, they can afford lawyers.
"I'm not impatient. I just hate waiting." - My Dad
I go to a school in the northeast that relies heavily on Blackboard. (I also work computing support here, so I know what a pain it is on the backend, but I digress.)
Oddly enough...I had a discussion about this with a CS prof a while back. Turns out he and another tenured prof figured out how to make all the vending machines (which are on the card) spit out free stuff by using a card with purposely malformed data.
This worked so well that the machines would dispense free stuff until somebody came along and unplugged/restarted them...
But anyway, if Blackboard wants to, two highly respected, published CS profs could be prosecuted under the DMCA.
Another problem popped up a couple years ago that never became common knowledge: if your account balance was between 0 and $0.05, you could buy as much as you wanted, and your balance would never change. I'm not sure if that was a Blackboard bug or something else we did here.
Another one of those through-the-grapevine stories that I suspect is true--the host "machines", whatever they are, for the locks operated by these cards communicate via TCP/IP with a central server. Last year a CS student figured this out and started sending a variety of packets at one of the hosts, crashed it, and summarily locked 200 students out of their dorm.
Ah, Blackboard, how I love thee.
And I've just committed multiple crimes under the DMCA, I believe...
Get a Reader.. Get the raw data. Send the data back to the reader. It will decrypt it for you. Done. This is how the security is broken. BTW those 4 sentences are illegal.
After we went public, the admin. apologized, but said this was not a security risk because each student's account was protected by not only that 9 digit (now public) number but also a 4 digit numerical password. This didn't make me feel very secure. The ID + passwd combination was used to add/drop classes, find out grades, administer financial aid, etc.
The cards themselves were made by AT and T; you could put money on them over the web using your credit card, then buy food, etc.
A much more detailed and informative discussion of this issue can be found on Prof. Dave Touretzky's page dealing with lawyers from the Church of Scientology.
--FP
It seems to me like the basic problem with the DMCA is that we, as technologists, can readily turn speech into technologies. Thus, our speech (or speech to us) discussing the situation is, in the mind of the lawyers and legislators, technology. Since we can turn it into technology readily.
Here, the simple statement "There are serious security flaws in the Blackboard system." can (assuming it's true,) by a competent engineer, be readily turned into a device to circumvent that technology. Therefore the statement itself (without any explanation of mechanism, since we can find that out for ourselves with a few days/weeks/months of investigation) is technology to do so, and is in violation. The closer that statement gets to something that can be interpreted directly by an engineer ("There's a problem with the encryption." "There's a susceptibility to cyclic keys." "If you encrypt one key with another, and then use that to encrypt a third, you can deduce the original key.") the fewer the steps. But we can turn any such statement into a technology, and even the simple ones ("There's a flaw") increase the circumvention technology's possibility by a few orders of magnitude.
If I came out tomorrow with a simple algorithm to find the prime factorization of any integer in a fixed (and reasonably short, say 2 hour) time, you (some of you at least) could turn that into a technology to circumvent huge swaths of security. You'd be able to turn it into technology faster than I'd be able to turn these guys' observations into technology, certainly. Therefore, such a vitally important finding would be considered circumventing technology even though it is not described as such, or planned for implementation in any way.
That is, IMHO, the fundamental flaw with the DMCA, the idea that because savvy technologists can implement speech or ideas as technology, the ideas themselves become technology and are therefore verboten if the technology offends "the man." In effect, they are afraid of what engineers can do with the ideas, so our speech is less valuable.
I sure hope these guys take this thing to the top. This seems like a perfect case to get the DMCA thrown out on first amendment grounds.
BTW...We use our BuckIDs for dining halls, vending machines, restaurants, access to residence halls, and even printing in our computer labs.
Just the fact that we now know the Blackboard system is flawed is enough for someone to take advantage of the system, so DMCA really didn't change anything, sure they prevented the information from being widely distributed, but now others may become curious and hack the system the same way they did.
So, in effect, DMCA really didn't do anything. Actually DMCA made it worse, since this information probably wouldn't have shown up on /. and other news organizations had DMCA not stepped in. Now there's millions more people out there who know the system is flawed, and perhaps thousands with the knowledge and determination to hack the system for (essentially) free money. I've seen kids hack systems for much less incentive, so no doubt Blackboard is very appealing.
The DMCA just fucked itself. Should have just kept DMCA out of it, let the news launch quietly, then the owners of Blackboard could have announced a "patch" a week later. Even if there wasn't a patch some people wouldn't bother attempting to hack the system after hearing a patch was made.
my karma will be here long after I'm gone
Most of the card reader systems used in arcades (a-la Dave/Busters, Gattitown, et al) use a RS-485 network as well.
When these units need to be repaired, they are plugged into a "dumb server". This server basically takes ANY card input, and sends back an "OK" to the reader to allow it to start up a game.
The only critical knowledge needed is the location/site ID code the reader is setup for, and (obviously) the format that particular manufacturer/provider uses for their network.
I can't imagine it would be difficult at all to do the same thing for a coke machine, or any other device, on a CampusWide Network.
- litz
...now carry subpoenas. Easier to replace a door than go broke with all the frivolous legal action.
They say the first thing to go is your penis. Well, it's either that or your brain. I forget which...
"remove all references to Blackboard and its Transaction System from any website, power point presentation, seminar handouts, or any other promotional materials"
The obvious solution is to give the presentation using a blackboard (lower case blackboard the kind with chalk) as this was not covered by the C&D letter.
In 1997, after four years of research, a French cryptographer, Serge Humpich, found a flaw in the widely used French smart card, which requires owners to type a PIN on a payment terminal for all credit card and ATM transactions. He found that 1. the PIN was verified by the chip on the card, 2. some terminals didn't really check what chip they were talking to, and 3. if the chip told the terminal "yes, the PIN is right", the terminal would blindly accept the confirmation and allow the transaction. Such a card is called a "yes-card".
Humpich contacted the Carte Bleue consortium, an association of 200 banks managing the French smart cards, and told them about the flaw. They refused to believe him. So he made a yes-card out of spare parts and went to a Parisian metro station. There, he bought a few metro tickets and sent them, along with the payment receipt, to the Carte Bleue people. They immediately contacted the police.
Humpich was arrested in September 1999 and jailed for several months. In 2000, he was given a suspended 10-month jail sentence and a $2600 fine. All his equipment and documentation was confiscated. Now he has a criminal indictment that bars him from a number of jobs.
Of course, the French and US laws are different. But if anything, I suspect a US court will actually be harsher, especially now that the DMCA has been used in several precedents. Heck, the DMCA makes it almost mandatory to jail you if you figure out a way to program your VCR without reading the obviously encrypted documentation!
So I really don't think it's a good idea to show the problem exists. Blackboard knows, the people who selected them as a supplier know, and if you show them that they're effectively slobs, they'll crush you to cover their asses.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
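The arcade "dumb server" comment and the yes-card comment above both describe a terminal acting on an unauthenticated "OK". As an added example (not from the thread, and not Blackboard's, Carte Bleue's or any vendor's protocol), this Python sketch shows a reader that binds each approval to a fresh nonce and checks an HMAC over it; the message layout, key, IDs and class names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed sample key; in this sketch each reader shares its own key with the server.
READER_KEY = bytes(range(32))


def transcript(site_id, reader_id, card_id, amount_cents, nonce, decision):
    """Unambiguous byte encoding of everything the approval must be bound to."""
    card = card_id.encode("ascii")
    head = struct.pack(">HHIB", site_id, reader_id, amount_cents, len(card))
    return head + card + nonce + decision


class Server:
    """Back end: decides from its own ledger and authenticates the decision."""

    def __init__(self, key, balances):
        self.key = key
        self.balances = dict(balances)

    def authorize(self, site_id, reader_id, card_id, amount_cents, nonce):
        approved = self.balances.get(card_id, 0) >= amount_cents
        if approved:
            self.balances[card_id] -= amount_cents
        decision = b"OK" if approved else b"NO"
        msg = transcript(site_id, reader_id, card_id, amount_cents, nonce, decision)
        return decision, hmac.new(self.key, msg, hashlib.sha256).digest()


def dumb_server(site_id, reader_id, card_id, amount_cents, nonce):
    """Repair-bench style responder: answers OK to any card and holds no key."""
    return b"OK", bytes(32)


def replay_of(captured):
    """Responder that resends one previously captured (decision, tag) pair."""
    return lambda *request: captured


class NaiveReader:
    """Trusts the word OK from whatever is on the other end of the wire."""

    def __init__(self, site_id, reader_id):
        self.site_id, self.reader_id = site_id, reader_id

    def vend(self, responder, card_id, amount_cents):
        decision, _tag = responder(self.site_id, self.reader_id,
                                   card_id, amount_cents, b"")
        return decision == b"OK"


class VerifyingReader(NaiveReader):
    """Accepts OK only if it is authenticated for this exact request."""

    def __init__(self, key, site_id, reader_id):
        super().__init__(site_id, reader_id)
        self.key = key
        self.last_response = None  # kept only so the demo can replay it

    def vend(self, responder, card_id, amount_cents):
        nonce = secrets.token_bytes(16)  # fresh per request, defeats replay
        decision, tag = responder(self.site_id, self.reader_id,
                                  card_id, amount_cents, nonce)
        self.last_response = (decision, tag)
        msg = transcript(self.site_id, self.reader_id, card_id,
                         amount_cents, nonce, decision)
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected) and decision == b"OK"


def demo():
    server = Server(READER_KEY, {"CARD-0001": 150})  # constructed ledger, cents
    naive = NaiveReader(7, 42)
    strict = VerifyingReader(READER_KEY, 7, 42)
    results = {
        "naive_accepts_dumb_server": naive.vend(dumb_server, "CARD-9999", 125),
        "strict_accepts_dumb_server": strict.vend(dumb_server, "CARD-9999", 125),
        "strict_accepts_real_server": strict.vend(server.authorize, "CARD-0001", 125),
    }
    captured = strict.last_response  # a genuine, signed OK from the line above
    results["strict_accepts_replay"] = strict.vend(replay_of(captured), "CARD-0001", 125)
    results["strict_accepts_when_broke"] = strict.vend(server.authorize, "CARD-0001", 125)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The key stored in the reader becomes the thing to protect, which is why the sketch assumes one key per reader rather than one key per site.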
Big Brother says you can not have this information.
He will do everything to keep our ROT-13 encryption secrit.
thoughtcrime will be punished.
Privacy is terrorism.
here's the contact info for the lawyer who sent the cease and desist letter.
http://www.sablaw.com/profiles/bio.asp?ID=00003
Replicate their research and post it anonymously on the Net. We have enough information to do this without too much trouble. And once the information is posted, action against Acidus and Virgil becomes moot. Oh, and it won't hurt if you guys contribute to the EFF for their legal defense.
We all know that the DMCA will be left alone until one day when the US Stock market gets hacked/taken down because of an exploit someone found. When the government officials who just lost several million dollars each along with the majority of people's pensions (like the Enron incident), only then will there be any kind of thought that the DMCA might be a bad thing and in need of some revisions. If the general public ever found out that an incident like that could have been prevented if some college students from MIT didn't get DMCA-ed into silence, we will see a whole bunch of congressional hearings and a majority of the elected officials hell bent on removing/revising the DMCA. I find it particularly sad that even though a scenario like this could be prevented now, it most likely won't be till a whole lot of people lose a whole lot of money.
so why not go on... uh... vacation?
;)
oops. i guess 802.11b isn't as secure as we thought either
got root?
From the timeline at Acidus:
Heh, I don't think the OIT guy will be talking to that particular white hat anytime again soon. Hint for Acidus: I don't think "off the record" means what you think it means...
I sure hope this won't diminish the spirit of the young researchers out there. These kids are building our future whether we allow them to or not. Stifling their growth will only give us a dysfunctional future.
US Democracy:The best person for the job (among These pre-selected choices...)
Let's implant GPS tracking devices into everybody at birth. Then, there will never be any ambiguity about who was where when. I mean, hell, all in the name of security and justice, right? After all, you (yes, I mean you) might go out and rape someone.
The slides comment (at the end) that Torx screws would be better than "flathead" screws. I found this pretty funny, since at least in Austria and Switzerland (and possibly more European countries) Torx is now commonly used in wood screws that are intended to be screwed in with a hand-held electrical drill. Consequently you can get Torx bits and screwdrivers almost everywhere....
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
Maybe that's how police states work in your native, ignorant, Hollywood view of the world. In real life, police states don't usually bother with beating people up--it's way too much effort--and it's not necessary. They control people through implicit and subtle threats to their liberty, livelihood, and privileges, as well as similar threats to their families. They only resort to force when people absolutely don't comply--but so does law enforcement everywhere.
You don't agree with the party line? Sorry, you or your kids can't go to college. You don't return from your trip abroad? Well, to compensate the state for your misdeeds, your home will be confiscated; too bad about your family. In some areas of US law enforcement, it's getting frighteningly close to that (drug seizures, computer seizures, etc.).
Police states aren't anarchies. They operate orderly and according to laws, they just happen to be laws that limit freedoms excessively. And it's very easy to move from the rule of law in a free society to the rule of law in a police state.
That only matters if the state involved has an anti-SLAPP measure.
"A commercial, and in some respects a social, doubt has been started within the
last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lockpicking long before locksmiths discussed it among themselves, as they have lately done. If a lock -- let it have been made in whatever country, or by whatever maker -- is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of *honest* persons to know this fact, because the *dishonest* are tolerably certain to be the first to apply the knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquaintance with real facts will, in the end, be better for all parties."
-- Charles Tomlinson's Rudimentary Treatise on the Construction of Locks, published around 1850
"and they all say that it can't work and isn't a vulnerability. Therefore, here's my incorrect research into security of what I wrongly thought were security holes in smart cards. Since the work itself is useless, what do people like and not like about how I have the paper formatted?"
fencepost
just a little off
Looking at this guy Acidus' web page, he seems to have all the information pretty well looked up. Besides his odd "manifesto" (which indicates he goes to tech), it pretty much is embarrassing to know that my school took absolutely no measures to ensure the safety of this system. Read this guy's mirror, they seem to love hiding it and shutting him up to keep it secure. A cease and desist letter isn't gonna work here. By doing this they just created more publicity to let people like me know that their school is screwed.
-- A gatech student.
There's a reason why these security-types choose to disclose this stuff. Let's use an analogy here. Let's say the turnstiles in the subway (you know, the little things where you put the token in, and then it makes the little bar let you through) will just let you through without a token if you give them a fairly solid nudge with your thigh. This is because the turnstile company is making shitty equipment and charging a bundle for it. As a society, we can let the turnstile company slap lawsuits on anyone who is talking about the crappy turnstiles, or we can force them to fix the damn turnstiles. Clever people will figure it out for themselves, regardless of whether it's disclosed to society. Would you rather people stealthily stealing trolley rides forever? Or would you rather have the company who made the shitty turnstiles take the beating? Sure, most companies want to be able to make crappy security and get away with it. They want to be able to threaten people who will make it difficult to sell crappy security, just like the rapist might like to be able to intimidate his victims into silence. Sure, when it hits the news that you can just get into the subway by pushing on the bar, no one's going to pay until they're fixed. Sure, if they hold this press conference, people are going to be stealing cokes (and worse) left and right. However, that's not my problem. It's the problem of the universities who didn't buy a secure product, and the manufacturer that didn't make a secure product. None of that is any reason for me to give up my right to freedom to peaceably assemble, and freedom of speech. You can either preserve the ability of corporations to hush up flawed products, or you can preserve our constitutional rights. It's as simple as that.
But there is another kind of evil that we must fear most... and that is the indifference of good men.
There is a big difference between a Cease and Desist letter and a Restraining Order. A Cease and Desist letter can be written by anybody and is just a threat. If you ignore such a letter, the sender will have to take legal action to enforce it. A Restraining Order is issued by a court. Violating it can get you in legal trouble, even if it was improperly issued. The article is fast and loose as to what was involved.
woot! A link to one of Je77's swikis, and now Billy's mentioned specifically if not by name. Neato!
Think for a moment... What is the right thing to do when you discover a security hole?
Do you:
A) Give the company an anonymous tip regarding the flaw in their security, and tell them to fix it?
OR
B) Make a presentation in front of a bunch of college students, 90% of which will use the exploit to give themselves free money, booze, and swag?
The cease and desist was a perfectly acceptable course of action for the company to take, seeing as if the presentation was made, they would have a security issue that was now widespread and post-urgent. I would not be surprised at all if the students were also approached by the company and asked to explain, to the people who could fix it, what the security hole was.
Y2K Compliant since the late 1890s
At least there is one free country left in north america. People there would LOVE to hear the talk and then post the details online for everyone else.
--adam smith
Posting this anonymously for obvious reasons.
You don't even have to try and hack the buzzcard system. A few friends of mine discovered that certain Clayton College and State University id cards (same Blackboard system? I don't know) can be swiped in Georgia Tech vending machines. Apparently, whoever last used their buzzcard on the machine gets charged. GT doesn't lose any money on it, but students can get screwed. Hence why I keep $20 on my card now instead of $200.
Those Darn Fools! They let the
secret out! NOW HOW am I going
to be able to afford meals and
books!! geez
Hi
We run Blackboard LS 5.6 at the institution where I work, and I can honestly say that they are the worst company I have ever had to deal with. Not only is the customer support useless and they fail to deliver ALL products on date but when they do claim they have a fix (as posted in their own knowledgebase) they send an excuse and say that they made a mistake and the bug still exists. If it wasn't for the fact that we have been using the system for two years now I'd say stuff them and keep the 2 x $50000 we are paying them PER YEAR!!!
Cheers
Easiest exploit ever:
There used to be one pop machine at Carnegie Mellon where, if you tried to buy a can of coke and had less than the cost on balance on your card, the card balance rolled around to about $511
It was like playing Asteroids.
It made me wonder if (god knows why), anyone honestly tried to add over $512 cash to their card, if it would roll around to $0.
This was eventually fixed.
Can anyone tell me how to set my sig on Slashdot?
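The rollover described in the comment above is what an unchecked subtraction on a fixed-width balance field produces. This added example (not from the thread or from any vendor's code) assumes, purely for illustration, a balance stored in cents that wraps at $512.00, since the comment does not say how the machine stored it. It puts unchecked debit and credit beside checked ones and scans a constructed transaction log for the rows that give a wrap away.

```python
# Assumption for illustration: the stored balance wraps at $512.00 (in cents).
FIELD_MODULUS_CENTS = 512 * 100


class Rejected(Exception):
    """Raised by the checked operations instead of letting the field wrap."""


def debit_unchecked(balance, price):
    # Subtract first, never compare: a short balance wraps to just under $512.
    return (balance - price) % FIELD_MODULUS_CENTS


def credit_unchecked(balance, amount):
    # Same flaw in the other direction: a large top-up wraps toward zero.
    return (balance + amount) % FIELD_MODULUS_CENTS


def debit_checked(balance, price):
    if price <= 0:
        raise Rejected("price must be positive")
    if price > balance:
        raise Rejected("insufficient funds")
    return balance - price


def credit_checked(balance, amount):
    if amount <= 0:
        raise Rejected("amount must be positive")
    if balance + amount >= FIELD_MODULUS_CENTS:
        raise Rejected("would exceed what the field can hold")
    return balance + amount


def replay(ops, start, debit, credit):
    """Apply (kind, amount) pairs; return rows (kind, amount, before, after, status)."""
    rows, balance = [], start
    for kind, amount in ops:
        before = balance
        try:
            balance = debit(balance, amount) if kind == "debit" else credit(balance, amount)
            status = "ok"
        except Rejected:
            status = "rejected"
        rows.append((kind, amount, before, balance, status))
    return rows


def find_wraps(rows):
    """Flag accepted rows where a debit raised the balance or a credit lowered it."""
    flagged = []
    for kind, amount, before, after, status in rows:
        if status != "ok":
            continue
        if (kind == "debit" and after > before) or (kind == "credit" and after < before):
            flagged.append((kind, amount, before, after, status))
    return flagged


# Constructed sample: add $1.00, buy a $0.75 can twice, then add $20.00.
SAMPLE_OPS = [("credit", 100), ("debit", 75), ("debit", 75), ("credit", 2000)]

if __name__ == "__main__":
    for label, d, c in (("unchecked", debit_unchecked, credit_unchecked),
                        ("checked", debit_checked, credit_checked)):
        rows = replay(SAMPLE_OPS, 0, d, c)
        print(label, "final:", rows[-1][3], "flagged:", find_wraps(rows))
```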
I thought it was a crappy idea 10 years ago--pretty funny that it's still in use today. I took pride in the all-cash (occasionally no-cash) ethic as a student. It's strangely satisfying when your paranoia is justified.
Building access?!? I used to love walking into pretty much any random academic building at 2AM to study (or at least get some sensation back in my extremities). Now it sounds like the Pentagon!
Amen on the semi-final game, though. Still, what a great f*#%ing season! The BC game was unreal....
As many of us had suspected the DMCA was going to be used to quell free speech, and thus it has. If we recall several people and groups had tried to file 'pre-emptive' suits in order to get legal cover from the DMCA to discuss security topics. As I recall all the judges in those cases said there was no reasonable expectation that there would be a legal problem and dismissed the cases. Well the fears of those people have come to pass. I hope those judges are taking a hard look at their missed opportunity to shore up the constitutional right to free speech. They could have gone down in the law books as the first to take a proactive stand on this.. and they really failed to do their larger duty to justice.
Why are people so down on "security through obscurity?" Do any of you have any idea what the inside of Fort Knox looks like? No? Has it ever been successfully robbed? No? Sounds like "security through obscurity" is working GREAT to me. Ditto for the pentagon, the security protocols for Air Force One, and a thousand other installations that require "Top Secret" security control.
Fort Knox is neither obscure nor insecure, and what obscurity is there is not the primary means of protection. The real security behind it is the same as with any closed military installation. Lots of people paid to point high power weaponry with live ammunition at all and sundry, including their commanding officers until they duly identify themselves.
How many people do you know of that are ordered by their boss to tell their boss to shove off, and given the force to back it up (temporarily, granted)?
You can hire your own thugs for far cheaper than lawyers. Or you can just do it yourself, if the thugs are not too.. say.. thuggish..
<^>_<(ô ô)>_<^>
Let's just hope that they get some sense before someone releases THE Virus and wipes the entire internet out of existence.
Mostly it was the freshman and sophomore lockers, because they were the oldest and worst quality. So that happened all the time, whether it was to get into a friend's locker, to open a random locker, or just to open yours when you forgot the combo. My point is, stuff could get stolen. Stuff did get stolen, obviously. The administration's response? "Lockers cannot be opened without destroying them with a crowbar or by knowing the combination. So don't give out your combination."
Obviously, they were idiots. I don't know if they were merely ignorant (stupid!), or just didn't have a solution so they ignored it. Obviously replacing all the lockers would be expensive, and it might not even fix the problem. I don't know if anyone ever confronted them about it, but if I was a student who confronted my university about unknown charges or what have you with my account, and the administration said too bad, I'd be pretty mad. I realize that this is not the colleges themselves, but rather a 3rd party corporation, but I can't imagine the colleges dropping Blackboard just for this--it would be way too expensive.
but unless the paying customers...read THE PARENTS, get access to it, we are all wasting our time and energy...err that's right this IS slashdot :)
errr....umm...*whooosh* *whoosh* Is this thing on ?
When I was a student, the university's student guild implemented a debit card system across campus. It allowed purchase at vending machines, from guild run shops, at the Student Pub, use of photocopiers etc. Unfortunately for them they did nothing in the way of testing the system too strongly. 3 days after the system was rushed into use, it became known that there was a way to reset the cards to $999.99 credit. It worked only if you had taken the balance to less than a dollar but this was simple as most people bought the cards for a dollar and then filled them up. (Just buy the card and make a photocopy and it would be ready for resetting.)
The cards sold out on that Friday night (after only 3-4 hours of the problem being found) and the vast majority were reset. Being the first week of semester there were loads of new students and the clothing and bookshops on campus noted a large swell in expensive purchases but didn't immediately catch on. Guild management was not operating over the weekend and it was only on the Monday afternoon that they stopped the system cold. They had sold out of clothing, almost all the snacks were gone and the Pub had seen almost all of its bulk supplies for the first 2 weeks of parties sold in case lots.
The cause was simple, place anonymous debit card in the reader while less than a dollar in credit and turn off then on or on the photocopiers press the green eject button and the red cancel button at the same time. The reader system reset the cards to $999.99 while the Photocopier readers reset them to $99.99.
I lived off campus so only found out about it after the fact. I have no idea if I would have abused the system if I had been there but it would have been tempting.
I had a friend who bought an entire wardrobe and all his texts and stationery. There were stories, that I believe, of the Pub selling semester long quantities of alcohol to some students, and I saw a dorm room with over 20 cases of beer under the beds over a month later.
Legally the guild was in trouble because most of the cards were still legal and so they tried to ban any cards with more than 100 dollars on them. A number of students claimed that they had in fact put the money on and even had parental support etc, but the guild was able to show that the adding process would only work up to $100. The actual number of offending students was not large with most from just the one college/dorm so there were a number of deals made to get the reset cards out of circulation. There were some interesting attempts at justification though, with one girl in particular trying to justify her possession of over 100 cards with exactly 999.99 dollars on them. Eventually the guild was forced to re-accept the cards but was able to get the cards with more than $100 value banned. There were, though, 3 photocopiers in the comp sci area that never got changed and that continued to work with the reset cards.
They have only now after 10 years reinstituted a similar system and it has a hard maximum limit of 49 dollars and the cards are unique to students. They really learnt their lesson about testing.
My campus is having problems with cards being "stolen". No matter how hard the cafeteria employees look at the picture IDs on the cards, funds still keep coming up missing from students' cards. I tend to believe that there is a serious problem with the system, and it makes it very easy for one to duplicate a card.
Also, we frequently experience outages and fund transfer difficulties. I was never fond of the system, and its problematic nature has proven me to be right about it all along.
Personally, I'm not convinced a smartcard is possibly an extremely secure device in the long-run. Look at all the smartcards used for Satellite TV receivers. Pretty much all hacked, or in the process of being hacked, despite 4+ generations of revisions, all supposedly "unbreakable this time around".
With current technologies in use, smartcards are pretty limited in their storage space. (Typically, code on them is 4K or maybe 8K in size!) Sure, more capacity is technically possible, but at what cost? Remember, smartcards have to be very inexpensive to produce - since they're being issued to every user (and the recipients would generally balk at having to actually pay an up-front fee to use the card).
Maybe I'm missing something here, but it seems like any code-base consisting of under 100K total, including whatever actual data/figures are being held in it, is relatively "hackable" by nature. There's just not THAT much to disassemble and analyze/decompile/decrypt.
They don't have to publish an exploit. They just have to publish a story similar to the headline here on /. Just the facts, Ma'am.
Articles generally have to go through approval before being published, by groups that each have their own agenda. Most of the time, these groups take a hands-off approach, but there have been incidents where articles were pulled because they weren't in the best interests of the school. Publishing an article that practically invites legal action would probably set off some red flags in one of the councils.
Sounds just like every other local daily newspaper.
FreeSpeech.org
This system is already used to steal from students here at SDSU. I'm talking about the administration, not the students, though. And that's beyond the already-exorbitant prices they charge (1.05$ for a 20oz soda from the machine, and varying amounts for their food in the cafeteria).
I started to notice my money was disappearing from my meal plan my first year here, since I tend to pay pretty close attention to things of that vein and am generally able to keep pretty good mental track of where my money goes. For the next couple weeks I kept records of the funds in my meal account (and my 'HoboDough'), and noticed that each transaction deducted an additional 5 cents from the 'advertised' price on the product right before the actual price was charged, and a quick eye could catch the .05 flash on the LCDs of the cafeteria cash registers right before the meal charge did (at least before they replaced them with newer registers this past fall).
Nowhere is this mentioned in meal plans, and very few people realize that it's being done; those that do realize it's being done don't really care. "It's only 5 cents"... but it's still stealing, and adds up to be about 40$ per student per year (given a 2 meal-a-day basis). With 9 thousand students (as this school has), that's $360,000.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Such irE
This system was implemented at GWU in 1997. We did have off campus partners who would install dial up machines that would swipe your card, and conduct the transaction.
Interestingly, in the laundry rooms, the card swipe has a control panel which you would enter the number of the washer or dryer you wanted to use, and then swipe the card. the card swipe would then approve the transaction over the network (rs-485 to ip), and then send a signal to a control box, directly above the swipe. the control box's only security was a thumbscrew, and would give you access to the relays, which would close to send pulses to the various laundry machines. there would also be a wire that would be high, indicating if the machine was in use. all you had to do was apply the correct voltage to the screws in the terminal junctions where the control box connected to the laundry machines.
no need to even hack the rs-485 or ip layer.
we would sometimes have problems when the network went down in some of the dorms. the entrance required a swipe. it would then turn off the electromagnet mounted behind the top inside of the door. it would attract a metal plate mounted to the door. on the inside of the door (they were double doors) was an infrared motion sensor, all mounted near the electric magnet. if it was tripped, it would turn off the magnet, so people leaving would not need to swipe a card to exit, only enter. this was easily circumvented by folding a long piece of paper (club flyer from buzz, hatchet) and slipping it in between the cracks of where the two doors met. it would reflect the ir light, trip the motion sensor, and open the doors.
things get a little tougher once you are in the dorm, because access to the ground floor elevators and stairwells require yet another card swipe. if the network was down, you would have to call someone in the dorm and tell them to go to the elevator, and push the ground floor to send the 'vator down.
of course all transaction points (anywhere there was a card swipe) had surveillance cameras recording all activity (except in the laundry rooms, and at off-campus partners). these were time lapse recordings, done 24 hours a day.
if you think the DMCA applied to this is bad, listen to this. Someone stole my card and went to their dorm room and ordered Domino's pizza with my card. they were able to catch the guy who did it. using the database of the card transactions, they were able to tell what time my card was used to purchase the pizza. then they ran a query over the entire student telephone system of who called Domino's at that specific time, and had the video of the kid accepting delivery in the foyer.
so, to all college students who have these systems installed: be aware, every transaction you make is being logged, every on campus phone call you make is being logged, and every time you swipe your card at an entry point, the location and time is being logged. and if they have surveillance cameras, well they pretty much can track you anytime, anywhere on campus.
either move off campus, or go to a public university. pretty fucking scary if you ask me.
since you do go to a private university, most of your legal rights to due process and privacy are void within the university and its administrative hearings.
good thing you pay $30,000 a year, huh? well, it's your parents money, but still.
Posted anonymously because there are people on here who would know my nick.
:)
We have it and it is a joke. They ship the machines out all "configured". The desktops come with w2k and a default admin password that is so guessable it's not funny.
The HP that runs the card system is also so vulnerable to god knows what it's scary. It is usually "managed" by people who have zero clue. So what if every user has rw access to the whole system and they all have the same home directory (which is the main program directory.)
I'm surprised these systems don't get owned more often. Guess I'll be having free sodas tomorrow
I wish I didn't have to post this as an AC, but I have reasons (mainly legal).
Acidus has been telling Blackboard about the flaws in their products for at least 18 months.
I saw Acidus' talk at both Interz0ne I and PhreakNIC6, plus the 2600 article has been out for a while too. Blackboard has known that people were discussing these flaws for quite some time and chose to ignore it.
At Interz0ne II, a cease and desist email was received by the con chair on Friday night, and two FedEx packages arrived at the con hotel Saturday morning. Inside were paper copies of the email, plus restraining orders, unsigned by a judge. A courier arrived Saturday afternoon with signed restraining orders; I was in the lobby and personally witnessed this, saw the paperwork, etc. I couldn't read the Judge's signature before the organizers left with the papers, but I did see "DeKalb County" on the restraining orders, so I assume that's where they came from (the con was in DeKalb County as well).
Acidus and Virgil were not sure of their legal status. Neither were the con organizers. Try finding a lawyer or getting in touch with someone from the EFF, ACLU, etc, at 4pm on a Saturday; their talk was scheduled at 7pm. If I was an evil bastard lawyer, I would have timed it that way too. Organizers, have a good-guy lawyer or three on hand at all times during future cons, ok?
They erred on the side of caution, which probably kept them all from actually getting arrested (as one of the con organizers pointed out, someone reporting to Blackboard or the law firm had to have been attending the con, otherwise they wouldn't know if the cease and desist and restraining orders had been observed).
Keep checking the Interz0ne website for updates, and there will hopefully be further talks at DefCon, Dragoncon and PhreakNIC7 this year.
I am not Virgil, Acidus or any of the con organizers (Rockit, JohnnyX, Iridium, etc).
www.socialfreedom.net has some information on the black board system not included in the mirrors on the other sites
Find a local action group, and Start.
A successful constitutional amendment is only about a 10 year effort!
-- Tom
Why are people so down on "security through obscurity?"
Because it sucks as the only form of security.
Do any of you have any idea what the inside of Fort Knox looks like? No? Has it ever been successfully robbed? No? Sounds like "security through obscurity" is working GREAT to me.
Security through obscurity is NOT the ONLY security for Fort Knox, idiot.
Ditto for the pentagon, the security protocols for Air Force One, and a thousand other installations that require 'Top Secret' security control.
And ditto what I said above- Security through obscurity is NOT the ONLY security for those things.
Isn't that a simple consequence of the fact that the guns would be outlawed? Simply, everybody who has a gun will be an outlaw.
All the 'law abiding citizens' will turn in their guns. Leaving only three armed groups: the criminals, the police and those folks who are otherwise law-abiding, but chose to break this particular law.
If the police would only concentrate on the criminals, and leave the third group alone....
All 'safe encrypted technologies' of the future will be based on ROT13 in a few years time because all programmers are too lazy to find a better algorithm, or they won't find any info anymore to learn how to make a better algorithm, and it'll be safe because no-one may test it.
DMCA is basically the same as installing the same lock on every door in the country and it'll be safe because people are not allowed by law to try if the key to their house also works on the lock of their neighbours door..
Learn about pinball machines on www.flippers.be
- Research the 'secure' system.
- Discover the holes.
- Design and document the attacks.
- Develop and prove revisions to the original system, to close the hole(s).
- Patent and copyright the entire work.
For them, it's then a simple matter of, erm, "licensing" that IP to the original company to use the patented IP. Novel approach. Makes them a decent living, too. This should give enough protection for publishing the work. (IANAL,yy)
And I sure hope that some malicious people start to produce cards with fake money on them. And then simply spread them like wildfire. Maybe someone could wake up then?
What these guys are trying to do is not sabotage, they are doing a public service. This would be analogous to putting the journalist that found out that the new Mercedes A-klass tips over really easily behind bars.
This is a flawed product, I do not see how keeping quiet about it can help the public. And after all, the government should be on the public's side, not the greedy companies' side (there are also good companies trying their best to make good products and make a living, don't forget about that).
I think it is about time the fight for freedom is started in the US as well, it is time you win your own freedom for once.
It appears from the PowerPoint (get it while Google still has it) that the system is irredeemably fubared and that only an idiot would use it either to handle money or for access control.
Don't bother complaining to the company. Let them find out for themselves that everyone likely to be asked to provide an opinion on the worth of their products has flunked them.
Get the word out that they are not only selling the equivalent of papier-mache door locks as steel, but trying to hide this fact from potential customers by suing whistleblowers into oblivion.
Who knows of better off-the-shelf alternatives using real crypto-based authentication? Open Source would be preferable, but anything better will do.
I think this is a good response to anybody who tries to sue or jail people to provide the obscurity in which crap "security" solutions can prosper, i.e. where only the bad guys know there's a problem.
Tech Public Policy stuff
This side discussion on police states made me wonder, is it illegal to distribute this information to the government? IANAL, but perhaps the DMCA (or whatever laws were applicable in this case) doesn't prevent distribution to the government, particularly parts of it with the power to investigate the company. If that's the case, I'd recommend a simple course of action whenever a company prevents disclosure of a security vulnerability: send copies of the writeup, with a nice cover letter requesting an investigation, to all appropriate places, such as state legislatures, state AG offices, city councils, any official related to where the company does business that might possibly be able to investigate.
For to end yet again.
ha ha ha, you sure made yourself look like an ass.
the first amendment is always valid unless you have something to say...
if the sites slashdot links to get slashdotted, how come slashdot itself never gets slashdotted??
...we used these two wonderful inventions called "keys" and "cash". I finished my MSc in 2000 so it wasn't that long ago either. All buildings were secure (the keys were of a type that key-copying shops couldn't duplicate) and I never failed to be able to buy a can of soda - provided I hadn't wasted all my money on beer and girls.
Bob
Listen to my latest album here
I love American English. :-)
Why don't the students at some of these Universities start a grass roots campaign to inform the rest of the student body about this? Make a flyer and post it EVERYWHERE! Especially on the coke machines, entry control devices, etc. that use this system. Let the students know how the law is being abused for so called 'security' reasons, and how it will ultimately worsen security. Otherwise, it will quietly die, and nobody will notice on campus. Does the law prevent someone from saying that the system is insecure as long as you don't give details on how to exploit the insecurity?
Any idiot can make a claim (the net too often proves that). Presenting a lecture on the specifics of the security flaws is about the only way to effectively PROVE that you're not one of those idiots from the tinfoil hat brigade.
Sorry, but invoking the name of the DMCA here is ridiculous. It may have shown up in the C&D letter, but that doesn't really mean anything. Everyone who is complaining about how the DMCA stifles free speech and security research is right, but it's not relevant to this case--I suppose they are too busy to read the actual complaint. (The complaint doesn't mention the DMCA at all.)
The important phrase left out of the summary of 17 USC 1201 above is "... protected under this title." Title 17 is about copyright, and so the DMCA only applies to copyrighted works. There is no issue of copyright here!
I'll be the LAST person to defend the DMCA, and in a way it's good to have a 4-letter acronym we can all rally against, but misunderstanding it doesn't help anyone.
look on http://se2600.org/acidus for the real version
These people are not the only ones in the world who can figure this out. Now that they've introduced the idea to the world, someone else will try it. Some university will lose thousands of dollars, possibly someone will gain entry to a dorm and rape, kill or steal, and Blackboard will get sued for millions of dollars for willful negligence (as it is pretty clear that they know about the problem).
By ignoring their own security issues, they put the security of others at risk. I just pray that when it happens the victim comes out ok.
-- "Man is born free, and everywhere he is in chains." Jean Jacques Rousseau
One of my roommates works for the IT department of an Educational Institution in Mexico and is involved in several projects that use what blackboard calls their "Learning System".
It is basically a course delivery tool which is VERY expensive both in licensing fees and in the infrastructure it requires.
It seems that BB Inc. is getting a lot of business in our country and believe me, we ain't big on that kind of investments. Technology is still on the 10 year plan for most universities.
And well, of course that when you use the learning system they try to get you to use the transaction system also, I wouldn't be surprised if I start seeing their cards around campus sometime soon... better learn about it before it gets here!
I attend the same University as Virgil and this really puts our security and the effects of the DMCA into perspective. You don't think that this applies directly to you till you hear that it happened to a classmate who was trying to prove the system has a major flaw. I bet now that they issued the c&d, our school won't update this system for another 2-3 years. I think I'll empty my debit account early next semester.
> Possession of tools for picking a lock is a crime in most places
Fortunately, possession of a tool that may be used to commit rape is not illegal yet.
(Not a troll, just an observation that criminalizing possession is, er, counter-productive.)
So if the technological measure has been circumvented, then it wasn't an effective one... therefore circumventing it is not illegal.
WTAMU has one of those systems.. and from what everyone knows about their "network security".. it has probably already been taken advantage of...
http://www.buffalogoldcard.com
and the IP addresses of some of the components are
onecard.wtamu.edu (165.95.31.200)
goldcardreader.wtamu.edu (165.95.33.136)
BTW: their whole DNS zone file is listable via an
ls -d wtamu.edu > zone.txt
from a win2k nslookup...
and it also contains the full HINFO and TXT records giving some interesting details...
http://www.buffalogoldcard.com/making_deposits.
http://www.wtamu.edu/prairie/stories/091802/ope
http://www.wtamu.edu/library/circulation/bufgcr
If anyone that is implementing this stuff (the tcp/network communications of it anyways) had not been using vlans then they should be sent to network security 101...
Washington Post weighs in on the Blackboard item. http://www.washingtonpost.com/wp-dyn/articles/A48214-2003Apr17.html
Imagine their surprise when learning that higher education sometimes has the tendency to attract smart people! *gasp*