Blackboard Campus IDs: Security Thru Cease & Desist
Virgil was there two years ago when Dmitri Sklyarov was arrested and led away in handcuffs at Def Con 9. He's not in handcuffs now, but in speaking to me, he had to stop and think about everything he said, and every third answer was "I really shouldn't talk about that."
The DMCA is largely to thank for that. Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work," and that no one "shall... offer to the public... any technology" to do so. Blackboard Inc., whose card system is called the Blackboard Transaction System and known to end users under various names, uses a network of card readers and a central server, and they communicate over RS-485 and Internet Protocol -- using, or so they apparently claim, measures that effectively control access.
For the record, none of what I learned about the Blackboard technology was from him or Acidus after the restraining order was sent. I spoke to other people, who have not been served with a restraining order. Google has a less enlightening mirror of the slide titles from this weekend's PowerPoint presentation and a more enlightening mirror of Acidus's "CampusWide FAQ" from last July. And, most enlightening of all, this mirror has an updated version with details on what they figured out how to do and what their talk was going to be about (click "CampusWide" for the text description, the PowerPoint slides, and Acidus's timeline of the last year).
At many schools, Blackboard's system is the ID: you swipe your card for your meal plan at the cafeteria, to get into your dorm, maybe even to get your final exam.
A swipe at a vending machine will get you a soda -- a money transaction from your campus debit account. When you use a swipe to do laundry and make copies, money has to be involved. Blackboard even notes that they can set up a merchant network on- and off-campus: "a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network." (Emphasis added. Maybe readers who go to schools that use such a system can expand on how that system is used.)
The kicker, of course, is that this network is not very secure, or at least Blackboard doesn't think it's as secure as... well, as lawyers. One anonymous Slashdot submitter wrote that: "The authentication system is so weak that [Virgil and Acidus] have been able to create a drop in replacement for the CampusWide network debit card readers used on coke machines on campus."
Virgil couldn't provide me any details about what he had learned about the system. Based on the mirrors, it looks like a man-in-the-middle replay attack -- which is a pretty simple attack, repeating messages sniffed over the RS-485 protocol, or even over IP -- can have effects like convincing a Coke machine to dispense free product. Or, it's claimed, the attacker can create a temporary card, with no name attached, and free money in its account. Hmmmmm.
Or, more ominously, someone else's identification might be sniffed, and then replayed from a security terminal. If a thief gained entrance to a building by sending the message "open the door, my name is John Doe," the real John Doe might be sorely inconvenienced the next morning.
So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?
If you're a parent putting money into a Blackboard-based debit account, do you feel more confident of its safety now that this information is ostensibly hidden?
This card system has been installed on many campuses and its roots go back almost twenty years. My guess is that replacing the card-reading hardware would be necessary to improve the security of these devices. Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").
So, assuming that's not possible -- is the DMCA a viable tool to ensure security?
P.S. Virgil tells me that he has a good lawyer. They are scheduled to argue on Thursday that the restraining order not be made permanent. Slashdot will keep you apprised of what happens in our Slashback stories... stay tuned.
P.P.S. Update: 04/15 02:30 GMT by J : Now online are the restraining order, which just lists the six things that Acidus and Virgil are not to do, and the more detailed Complaint. Now that these are available, as Declan McCullagh points out, it turns out the DMCA was only in the lawyers' threatening letter and not considered as part of the Complaint itself. I'm not sure why it would be included in the letter -- some of the language of the Georgia Computer Systems Protection Act is similar, and who knows, Section 1201 might be mentioned later on, as this case progresses. Maybe the lawyers are just keeping their options open. Meanwhile, I love this part of the Complaint:
"Mr. Hoffman openly acknowledges on his website that 'I am a hacker.' His website then defends the process of hacking. See Exhibit B."
Well, if you aren't even able to TALK about security flaws *Cough*First Amendment*Cough* they'll never get fixed. The DMCA again makes the net less secure instead of more.
Since when has this country used intellectual elite as a pejorative term?
It is trivial to leak this kind of information. Walk into an internet cafe (or walk by any of millions of open 802.11b network) and upload the information to USENET. Problem solved.
Now of course, I wouldn't have had this reaction if the company had taken steps working with the discoverers of the security flaw. If anything, they should hire/pay these researchers for their work, fix the problem, implement it, and then publish what went wrong. And who knows, maybe they even tried. I doubt it though, when a cease-and-desist can have the same effect.
Moderation: Put your hand inside the puppet head!
actually, it does. Thats the point of a free press. An informed public is necessary to maintain ones freedoms, but i guess we already missed the "informed public" boat too early to avoid draconian laws like the DMCA anyhow.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
You know a C&D letter may stop people from disclosing exploits, but will not stop people from disclosing that their are exploits. That's enough for lots of poor, enterprising college students.
A much better plan would of been to let these guys give their talk, to hire them, fix the problems, and them make a bundle in upgrades to existing customers. Come on, if some of these installations are 20 years old we're not talking much more then maintenance revenue. On the other hand system upgrades, especially when demanded by parents, can net a pretty penny. The colleges could have fund drives, hit up alumni societies, all the normal ways to get money when something unexpected walks through the door.
Instead the company gets to look like a fool that knows there are security flaws, aren't fixing them and instead are wasting money on laywers, get getting bad press.
Oh well, I guess there is no such thing as bad press. And that companies would rather think about prestige short term then a better product long term, even if the better product will get them more money.
=Blue(23)
LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
If guns are outlawed, only outlaws will have guns.
If hacking is outlawed (and talking about it), only outlaws will know how to hack.
So who do you get to sue if someone makes a dupe of your ID card and raids your campus debit account, or breaks into your dorm room? The school? The hacker? The company that sold the school the lame ID system they claim is secure but is not?
I would think the schools would like to know why sodas, meals, etc. are disappearing from their supplies. Hmmm.... This Coke machine is empty, but only 5 Cokes were recorded to be bought from it. Hmmm...
This is the worst kind of security through obscurity.
- Jasen.
chances are that they knew _exactly_ how bad the system was, and maybe just hadn't care when they first made the system, maybe thinking that it would be such niche system or so it wouldn't need to be secure, or maybe it was some other system adapted to use where security would have paid off..
world was created 5 seconds before this post as it is.
So.
Instead of fixing the exploit in their keycard system, the company in question finds it easier to have their lawyers drop a house on the students.
Doesn't "Security through Obscurity" create an environment where persons with malicious intent are free to exercise it?
The students discovering the security hole = The Good Guys. The knowledge they posses equal a Munition (or, a firearm.) They were not planning to use their knowledge maliciously.
Essentially the DMCA has turned knowledge into a weapon to be regulated through the legal system. Just be careful what you know, because speaking of it publicly is becoming the 21st century equivalent of pulling a gun out of your pocket at the mall to discuss it's function with another gun enthusiast.
Of course, we all know the gun paradox. Seriously. Increasingly orwellian gun laws !=less crime. Criminals will always find weapons. On the electronic mean streats, crackers & hackers will always find exploits, but unlike the Good Guys, the Bad Guys won't go to a symposium to divulge the PROBLEM, embarassing the company into FIXING IT. Instead, the Bad Guys will EXPLOIT the FUCK OUT OF IT.
I'm not a philosopher, psychologist, ethicist or sociologist by profession, but perhaps the DMCA needs to be re-evaluated by a panel consisting of a few. Right now it seems to favor only the government and very, very large corporations. Oh, and it makes learning a criminal act.
Do you have a permit for your mind?
THIS SPACE INTENTIONALLY LEFT BLANK.
Think of America as the 'politically correct' police state. While the jackbooted-gestapo isn't kicking the door down and beating you. . . (yet) . . . they are instead getting law degrees, dressing in nice suits and suing you. It's much more profitable. It ultimately achieves the same goal. You tend to keep your opinions / comments to yourself.
So which one of your examples is this? He's not yelling fire in a crowded theater... He originally tried to tell the company their theater was on fire, and when they refused to give a damn, he decided to tell the people inside the theater about the fire.
That's when they Cease and Desisted him, and told him that the burning theater was their little secret.
Personally, I'd wanna know, but hey, I'm obviously not normal. Stay asleep if you want, everybody. It's still a free country - but you better check back with me tomorrow just in case.
----
www.whatreallyhappened.com is interesting.
The trouble is, how can you win a false advertising law suit it no-one is prepared to do the research to find the product is insecure ?
Interesting, isn't it, in these days of terrorism paranoia, that laws like this ARE going to result in worse security ? Well worse security for the USA, relative to every other country in the world that doesn't (yet) have these sort of laws.
Hello. Stupid. The corporation is using the law to prevent speech. The law is stopping someone from speaking. A prior restraint, stupid. This is the hallmark of a police state -- laws being used to silence the voice of individuals. Armed thugs will beat the shit out of him if he speaks -- they will attempt to kidnap him, imprison him, and extort money from him for this sin in the guise of arrest, detention, and fines by the police and court system. You have no idea what you are talking about, AC.
As a US citizen, I'm depressed (I should be outraged) at this sad state of affairs. However in-your-face this particular presentation was to be, the stated goal was to expose the flaws of the system through hand-on research & controlled experimentation. Research. It was NOT to distribute hacking tools for actual implementation to facilitate illegal or illicit purposes. But ballsy kids in an academic environment who want to improve the technology and processes that surround them? They're stymied by corporate protecionism ensconsed in federal law. That's sad. It's wrong, immoral, and ultimately ineffectual. But the real tragedy is that it depresses the level of creativity in academia and creates fear for those that think too hard.
As a security professional, the fact that any cheeseball company can successfully hide their shoddy product behind a federal law is an embarassment. It induces even more cognitive dissonance when I work with federal and state goverment security staff who are well aware of good security principles, and then think about laws such as the DMCA which are diametrically opposed to known-good principles of improving security technology and processes.
It's a lose-lose proposition: News of an exploit always gets out, and is propogated fastest within the community which has little fear of the DMCA. But invocation of the DMCA causes relatively-innocent people -- those that were willing to stand up and state their names -- to tremble and retreat. As I said: it's wrong, immoral, and ultimately ineffectual. I spend my days educating people about the dangers of security by obscurity, and exposing the risks associated with snake-oil solutions such as Blackboard's "secure" transactions. I'm doing my part to educate as many people as I can, but with Grand Moff Ashcroft at the legal helm of the country (and with US federal/foreign policy changed to match the prosecutorial principles of "pre-crime"), I'm afraid it's like spitting into the Mojave.
The first time that some predator clones the card of a victim (or a patsy) in order to gain access to a building and rape/murder someone, I wonder... Will the appropriate law enforcement be able to effectively investigate/prosecute such a crime if the computing research community is prohibited from supporting them? Would Blackboard be content to sit on known security flaws and let a patsy get convicted? Again: wrong, immoral, and ultimately ineffectual. It ought to be illegal to *withhold* security flaws, at least from those who depend on/are subject to them. Feh.
J
I think not...(*poof*)
The problem is that uploading the information to usenet is exactly what's going to happen. Corporate-types don't read usenet, but hacker-types do. What does that lead to? Some bored kid stealing all of my money, and only THEN is there a reaction from the company. I attend Cornell University, and I have to say, Blackboard is EVERYWHERE. We call it CornellCard. It controls all of the vending machines and meal plans. At least one door on each academic building and all the doors on the newer dorms are controlled by it. Not only can it be used to charge money out of our debit account (called Big Red Bucks), but it can be used to charge however much you want to your parents' bursar bill. The card isn't the only product Blackboard provides to schools. They also sell Cornell a web service called MyBlackboard. It allows teachers to set up websites for their classes. In addition to trivial stuff like assignments and lecture notes, the teachers use this interface to post test scores. Imagine all the havoc that could be brought upon this huge system simply because some exec decided it was more "cost-effective" to send out the attack lawyers than to fix their shoddy product.
Indeed. If they'd just thrown the information onto usenet in the
first place, no lawyer action would have had any effect at all.
The problem is, people[1] who find security flaws don't generally
*want* to post them to usenet: they want to work with the vendor
and the security community to get the problems _fixed_.
So here's the question: will these sorts of responses from vendors
force the security community into just giving up on all pretenses
of working with the vendor and just leaking everything to the
general public immediately upon discovery? That would be bad for
all concerned, but it might be better than being lawyered to death.
It's pretty easy to arrange to get something posted to usenet
with a reasonable degree of anonymity, and there's absolutely no
way to suppress anything that has been posted to a big-8 or alt
group, short of destroying the whole planet. But I don't think
I trust the security of a product whose vendor is sufficiently
uncooperative as to motivate a discoverer[1] of a vulnerability
to do things that way.
Maybe people who discover such vulnerabilities should discreetly
communicate everything they know to some third party overseas
first before doing anything else...? But you still have the
problem that if you try to work with the vendor they know who
you are and can laywer you, and you can be held responsible for
communicating the information to the third party.
Ah... but what if the original discoverer remained anonymous
and communicated to someone _else_ who would try to work with
the vendor, and if that failed the original discoverer or some
third party he communicates with could release the information
to the security community (and, in the process, the general
public)? This would be harder for the discoverer, who would
have to anonymously contact a trusted third party in the first
place whom he would have to trust to make a good-faith attempt
to work with the vendor. But if the vendor tried to laywer
the non-anonymous person, they'd run into "I just found out
from this here anonymous email and was trying to work with
you; this leak must have been perpetrated by the evil person
who circumvented your effective measure in the first place,
probably the same dude who sent this email, which seems to
have come to me from an evil open relay in southeast Asia,
one of the same ones the spammers use to send me special
offers for reduced-price copies of your products, which they're
probably pirating. Gosh, you should really go after those
open relays, they're all kinds of trouble."
[1] Security people, I mean. I'm not talking about blackhats.
Cut that out, or I will ship you to Norilsk in a box.
" A corporation who distributes flawed merchandise or software has every right to tell me to be quiet."
but that doesn't mean you should have to respect that wish.
How many things only get better because someone talks to the press?
The Kruger Dunning explains most post on
The first time someone uses the exploit to commit a rape or murder, the kneejerk reaction of the corportation will be to point at the students who knew the exploit and told officials about it as the scapegoats.
"They told us that we didn't leave our door locked, since naturally it was intrusive to check our door to see if it was locked (even though it affected the security of the people telling us) we told the students to scram and forbid them to tell anyone that our doors were open. Unfortunately yesterday we had a sad epsiode on campus where someone entered through our unlocked doors and commited a heinous crime, sadly the conclusion to be derived from this is definite - those infiltrators that went checking our doors must have relayed the information to their despicable accomplices. The University declines any assumption of guilt or failure of any kind. Thank you."
Face it, people suck and they don't ever stop sucking. The world is run by imbeciles to protect imbeciles, and the intelligent are their favorite food group unless they are creating more ways to create morons or joining the pack in their cannabilistic orgy of idiocy.
My thoughts exactly (for quite some time now). The true criminals won't care it's illegal. They will get and USE the information anyway, leaving someone else to take the blame. (Honest officer, it wasn't me who swiped the card to break into the dorm and rob people.) And since the system is <sarcasm> so secure</sarcasm>, who's going to believe the victim? Of course, defending yourself without access to the information that shows how insecure the system really is is going to be a <sarcasm>cake walk</sarcasm>.
It's been my experience (and looking at history, I'm not alone) that trying to ignore a problem (bring in the lawyers!) only makes it worse and more expensive. Sadly, common sense seems so uncommon nowadays.
Maybe that's how police states work in your native, ignorant, Hollywood view of the world. In real life, police states don't usually bother with beating people up--it's way too much effort--and it's not necessary. They control people through implicit and subtle threats to their liberty, livelihood, and privileges, as well as similar threats to their families. They only resort to force when people absolutely don't comply--but so does law enforcement everywhere.
You don't agree with the party line? Sorry, you or your kids can't go to college. You don't return from your trip abroad? Well, to compensate the state for your misdeeds, your home will be confiscated; too bad about your family. In some areas of US law enforcement, it's getting frighteningly close to that (drug seizures, computer seizures, etc.).
Police states aren't anarchies. They operate orderly and according to laws, they just happen to be laws that limit freedoms excessively. And it's very easy to move from the rule of law in a free society to the rule of law in a police state.