Slashdot Mirror

← Back to Stories (view on slashdot.org)

Blackboard Campus IDs: Security Thru Cease & Desist

Posted by jamie on from the cease-and-desist dept.

On Saturday night, Virgil and Acidus, two young security researchers, were scheduled to give a talk at Interz0ne II on security flaws they'd found in a popular ID card system for universities. It's run by Blackboard, formerly by AT&T, and you may know it as OneCard, CampusWide, or BuzzCard. On Saturday, instead of the talk, attendees got to hear an Interz0ne official read the Cease and Desist letter sent by corporate lawyers. The DMCA, among other federal laws including the Economic Espionage Act, were given as the reasons for shutting down the talk (but -- update -- see the P.P.S below). I spoke with Virgil this morning.

Virgil was there two years ago when Dmitri Sklyarov was arrested and led away in handcuffs at Def Con 9. He's not in handcuffs now, but in speaking to me, he had to stop and think about everything he said, and every third answer was "I really shouldn't talk about that."

The DMCA is largely to thank for that. Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work," and that no one "shall... offer to the public... any technology" to do so. Blackboard Inc., whose card system is called the Blackboard Transaction System and known to end users under various names, uses a network of card readers and a central server, and they communicate over RS-485 and Internet Protocol -- using, or so they apparently claim, measures that effectively control access.

For the record, none of what I learned about the Blackboard technology was from him or Acidus after the restraining order was sent. I spoke to other people, who have not been served with a restraining order. Google has a less enlightening mirror of the slide titles from this weekend's PowerPoint presentation and a more enlightening mirror of Acidus's "CampusWide FAQ" from last July. And, most enlightening of all, this mirror has an updated version with details on what they figured out how to do and what their talk was going to be about (click "CampusWide" for the text description, the PowerPoint slides, and Acidus's timeline of the last year).

At many schools, Blackboard's system is the ID: you swipe your card for your meal plan at the cafeteria, to get into your dorm, maybe even to get your final exam.

A swipe at a vending machine will get you a soda -- a money transaction from your campus debit account. When you use a swipe to do laundry and make copies, money has to be involved. Blackboard even notes that they can set up a merchant network on- and off-campus: "a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network." (Emphasis added. Maybe readers who go to schools that use such a system can expand on how that system is used.)

The kicker, of course, is that this network is not very secure, or at least Blackboard doesn't think it's as secure as... well, as lawyers. One anonymous Slashdot submitter wrote that: "The authentication system is so weak that [Virgil and Acidus] have been able to create a drop in replacement for the CampusWide network debit card readers used on coke machines on campus."

Virgil couldn't provide me any details about what he had learned about the system. Based on the mirrors, it looks like a man-in-the-middle replay attack -- which is a pretty simple attack, repeating messages sniffed over the RS-485 protocol, or even over IP -- can have effects like convincing a Coke machine to dispense free product. Or, it's claimed, the attacker can create a temporary card, with no name attached, and free money in its account. Hmmmmm.

Or, more ominously, someone else's identification might be sniffed, and then replayed from a security terminal. If a thief gained entrance to a building by sending the message "open the door, my name is John Doe," the real John Doe might be sorely inconvenienced the next morning.

So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?

If you're a parent putting money into a Blackboard-based debit account, do you feel more confident of its safety now that this information is ostensibly hidden?

This card system has been installed on many campuses and its roots go back almost twenty years. My guess is that replacing the card-reading hardware would be necessary to improve the security of these devices. Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").

So, assuming that's not possible -- is the DMCA a viable tool to ensure security?

P.S. Virgil tells me that he has a good lawyer. They are scheduled to argue on Thursday that the restraining order not be made permanent. Slashdot will keep you apprised of what happens in our Slashback stories... stay tuned.

P.P.S. Update: 04/15 02:30 GMT by J : Now online are the restraining order, which just lists the six things that Acidus and Virgil are not to do, and the more detailed Complaint. Now that these are available, as Declan McCullagh points out, it turns out the DMCA was only in the lawyers' threatening letter and not considered as part of the Complaint itself. I'm not sure why it would be included in the letter -- some of the language of the Georgia Computer Systems Protection Act is similar, and who knows, Section 1201 might be mentioned later on, as this case progresses. Maybe the lawyers are just keeping their options open. Meanwhile, I love this part of the Complaint:

"Mr. Hoffman openly acknowledges on his website that 'I am a hacker.' His website then defends the process of hacking. See Exhibit B."

21 of 653 comments (clear)

  1. Remember, Citizens by RLiegh · · Score: 5, Funny

    This in NO WAY implies we live in a police state.

  2. Re:I say publish all the details overseas by Anonymous Coward · · Score: 5, Funny

    I wish there were a way to accidentally leak the exacty details overseas. There, it would be very difficult to get shut down, and every college using this system would have to deal with it. While this may be an inconvenience to students, they can get by without buying coke with a swipe of a card for a while.

    Yeah, I wish we had some sort of global communication network where you could instantly and anonymously post a piece of information, and people anywhere in the world could see it. Wouldn't that totally rock?

  3. Hey! by Grendel+Drago · · Score: 4, Funny

    How come we can post Win2k3 serial keys in the slashdot forums, but no one posts how to get phr33 as in c0ke c0kes? Sheesh. What bullshit.

    Come *on*, someone toss a practical exploit in here!

    --grendel drago

    --
    Laws do not persuade just because they threaten. --Seneca
    1. Re:Hey! by mkldev · · Score: 3, Funny
      Well, first you take a crowbar... no, wait. :-)

      --
      120 character sigs suck. Make it 250.
    2. Re:Hey! by yack0 · · Score: 4, Funny

      From: The law firm of Dewey Cheatem and Howe
      To: mkldev
      Subject: Cease and desist

      Sir/Madam,

      Due to your recent post on the 'news' site 'Slashdot', we issue this cease and desist hereby ordering you to refrain from describing any manner of breaking security methods for refreshment beverage machines. Your suggestion of "...first you take a crowbar..." is in violation of the Digital Millenium Copyright Act.

      or something like that ;)

      --
      -- There is no sig line, only Zuul.
  4. Effectively Controls... by Anonymous Coward · · Score: 1, Funny

    Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work,"

    Since the technology measure is breakable, it must not be effective, therefore the DMCA doesn't apply?????

  5. Patent your exploits by scrotch · · Score: 5, Funny

    The only sane thing to do is to patent your exploits before you announce them. :)

    Then you have precedence for publishing them, or you just point to the online patent info.

    As a bonus, you can sue the companies that fix the holes you're supporting because they've broken that "shall circumvent a technological measure that effectively controls access to a work" line. After all, your exploit controls access, right? Opening a door is controlling access as much as locking it is.

  6. Re:it's over by dubl-u · · Score: 2, Funny

    Time to stop being a geek. I'm getting my pencils and paper back out, doing RPGs that way,

    Uh, I hate to tell you, but if you're tring to stop being a geek you're on the wrong track. :-)

    I'd rather be an insurance guy or something similarly boring then spending part of my life in a 4x6 cell,

    Man, you must not have spent much time at an insurance company. 40 years at an insurance company is roughly the same number of hours you'd spend in a 10-year prison sentence, and the cells are about the same size. And at an insurance company, nobody ever gets time off for good behavior.

  7. Slack-ass bastards! by foxtrot · · Score: 2, Funny

    This past week, one of the first comments to be modded up as funny is someone claiming to be the Iraqi information minister.

    Now, they could have said something like, "There are no holes in the BuzzCard system, and we have repelled the elitist satan dogs who have attempted to break its security!" and it would have finally been funny!

    -JDF

  8. College students by BobRooney · · Score: 2, Funny

    There are 2 things geeks in college have in abundance: free time and the want to break things. Now that every geek with a heartbeat and a B0x0rz knows there IS a flaw in this card system then they can go ahead and track it down on their own. Free access to EE labs is a beautiful thing. Let's wait and see how long it takes before they are ripped off to the tune of a couple million dollars.

  9. Crowbars? by Asmodean · · Score: 1, Funny

    I'm just waiting for a security company to send all of the crowbar manufacturers a CD letter. They DO after all make a security circumvention device.

    --
    It's a good thing the world sucks or we'd all fall off.
  10. Re:I say publish all the details overseas by Anonymous Coward · · Score: 5, Funny

    Ah, I've often shouted "POST IT ON USENET!" at the television screen whenever there's a movie or x-files/whatever episode where the hero is running away with the evidence/HotInfo trying to keep it from the Evil Conspirators.

    They almost never do.

  11. Re:I say publish all the details overseas by Flabby+Boohoo · · Score: 2, Funny

    No, those chips are implanted in Trojan condums.

  12. Re:Duh... by JimDabell · · Score: 2, Funny

    Ummm, no. If Neo-nazis can parade down the street, hate-mongers can publish their diatribes, crosses can be burnt, and flags defecated on then by God the first amendment should protect academic discussion on security holes and their implications.

    Yes but none of this has an impact on a specific company's bottom line, it can't be quenched with a lawsuit, and you can't discredit the Neo-nazis by calling them "hackers".

    Or are you under the impression that individual rights are as important as those of a corporation? What kind of commie are you?

    Note to the less intelligent and more rabid Slashdotters: no I am not serious.

  13. Re:I say publish all the details overseas by Dylan+Zimmerman · · Score: 3, Funny

    No, no, no! If you want people do download it, you have to name it something like Naughty_(coeds|nurses|whatever)_hot_and_wet_4_U.pd f.

  14. Re:I say publish all the details overseas by Pharmboy · · Score: 2, Funny

    Just get 2600.com to link to it.

    *duck*

    --
    Tequila: It's not just for breakfast anymore!
  15. Re:Duh... by TC+(WC) · · Score: 2, Funny

    and you can't discredit the Neo-nazis by calling them "hackers".

    The easier method would probably be to discredit them by calling them Nazis.

  16. Financing by uberdave · · Score: 2, Funny

    Well, if they can convince the ATMS on the campus network to dispense funds through the security hole, they can afford lawyers.

    --
    "I'm not impatient. I just hate waiting." - My Dad
  17. Re:my experience with it... by limekiller4 · · Score: 2, Funny

    JimBobJoe writes:
    "Typical lawyer response, trying to appear I was addressing one thing while I was addressing something else."

    It wasn't signed "Iraqi Information Minister," was it?

    --
    My .02,
    Limekiller
  18. Re:I know a little about this... by Blue+Stone · · Score: 4, Funny

    The sentence "The sentence "swiping really fast after the transaction" is a violation of the DMCA. Seriously." is also a violation of the DMCA.
    Repeat ad infinitum.

    --
    Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
  19. At My University... by CowboyBob500 · · Score: 2, Funny

    ...we used these two wonderful inventions called "keys" and "cash". I finished my MSc in 2000 so it wasn't that long ago either. All buildings were secure (the keys were of a type that key-copying shops couldn't duplicate) and I never failed to be able to buy a can of soda - provided I hadn't wasted all my money on beer and girls.

    Bob

    --
    Listen to my latest album here