Blackboard Campus IDs: Security Thru Cease & Desist
Virgil was there two years ago when Dmitri Sklyarov was arrested and led away in handcuffs at Def Con 9. He's not in handcuffs now, but in speaking to me, he had to stop and think about everything he said, and every third answer was "I really shouldn't talk about that."
The DMCA is largely to thank for that. Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work," and that no one "shall... offer to the public... any technology" to do so. Blackboard Inc., whose card system is called the Blackboard Transaction System and known to end users under various names, uses a network of card readers and a central server, and they communicate over RS-485 and Internet Protocol -- using, or so they apparently claim, measures that effectively control access.
For the record, none of what I learned about the Blackboard technology was from him or Acidus after the restraining order was sent. I spoke to other people, who have not been served with a restraining order. Google has a less enlightening mirror of the slide titles from this weekend's PowerPoint presentation and a more enlightening mirror of Acidus's "CampusWide FAQ" from last July. And, most enlightening of all, this mirror has an updated version with details on what they figured out how to do and what their talk was going to be about (click "CampusWide" for the text description, the PowerPoint slides, and Acidus's timeline of the last year).
At many schools, Blackboard's system is the ID: you swipe your card for your meal plan at the cafeteria, to get into your dorm, maybe even to get your final exam.
A swipe at a vending machine will get you a soda -- a money transaction from your campus debit account. When you use a swipe to do laundry and make copies, money has to be involved. Blackboard even notes that they can set up a merchant network on- and off-campus: "a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network." (Emphasis added. Maybe readers who go to schools that use such a system can expand on how that system is used.)
The kicker, of course, is that this network is not very secure, or at least Blackboard doesn't think it's as secure as... well, as lawyers. One anonymous Slashdot submitter wrote that: "The authentication system is so weak that [Virgil and Acidus] have been able to create a drop in replacement for the CampusWide network debit card readers used on coke machines on campus."
Virgil couldn't provide me any details about what he had learned about the system. Based on the mirrors, it looks like a man-in-the-middle replay attack -- which is a pretty simple attack, repeating messages sniffed over the RS-485 protocol, or even over IP -- can have effects like convincing a Coke machine to dispense free product. Or, it's claimed, the attacker can create a temporary card, with no name attached, and free money in its account. Hmmmmm.
Or, more ominously, someone else's identification might be sniffed, and then replayed from a security terminal. If a thief gained entrance to a building by sending the message "open the door, my name is John Doe," the real John Doe might be sorely inconvenienced the next morning.
So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?
If you're a parent putting money into a Blackboard-based debit account, do you feel more confident of its safety now that this information is ostensibly hidden?
This card system has been installed on many campuses and its roots go back almost twenty years. My guess is that replacing the card-reading hardware would be necessary to improve the security of these devices. Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").
So, assuming that's not possible -- is the DMCA a viable tool to ensure security?
P.S. Virgil tells me that he has a good lawyer. They are scheduled to argue on Thursday that the restraining order not be made permanent. Slashdot will keep you apprised of what happens in our Slashback stories... stay tuned.
P.P.S. Update: 04/15 02:30 GMT by J : Now online are the restraining order, which just lists the six things that Acidus and Virgil are not to do, and the more detailed Complaint. Now that these are available, as Declan McCullagh points out, it turns out the DMCA was only in the lawyers' threatening letter and not considered as part of the Complaint itself. I'm not sure why it would be included in the letter -- some of the language of the Georgia Computer Systems Protection Act is similar, and who knows, Section 1201 might be mentioned later on, as this case progresses. Maybe the lawyers are just keeping their options open. Meanwhile, I love this part of the Complaint:
"Mr. Hoffman openly acknowledges on his website that 'I am a hacker.' His website then defends the process of hacking. See Exhibit B."
I wish there were a way to accidentally leak the exact details overseas. There, it would be very difficult to get shut down, and every college using this system would have to deal with it.
While this may be an inconvenience to students, they can get by without buying coke with a swipe of a card for a while.
Moderation: Put your hand inside the puppet head!
A corporation is preventing you from doing something, which is their right according to law.
If we lived in a police state, armed thugs would not tell you, "You can't detail the flaws of our product." They'd just beat the living crap out of you and then go home, kick back, and drink a cold Coors 20 ouncer.
Our school uses blackboard, and last year the machines were shut down for a long time because students used methods to get free stuff out of the snack machines. And I'm not talking cracking a case or making a fake card either. It was really simple too, like swiping really fast after the transaction, if I remember right, and you could get a second item for free. Kinda scary.
Not anytime soon.
Most people in their daily lives aren't directly affected by it (or not to their knowledge at least).
Most of the places that bump into the DMCA right now are the academics. Why? Because they are a bit ahead of the curve; the idea to understand things is integral to them. Most people, though, are just consuming the final product, so they won't be affected for a while.
Wait a bit longer until the product Johnny wants to buy (or an update to software he is using) can't be had anymore because the developer wasn't allowed to incorporate the functionality because of the DMCA.
Of course by then the question is if the masses will still care (I bet not).
M.
If you want to e-mail me, use my PGP Key.
Considering the nature of the security flaws and that they are now exposed, can this legal action against Virgil be challenged under SLAPP clauses?
This sig no verb.
"remove all references to Blackboard and its Transaction System from any website, power point presentation, seminar handouts, or any other promotional materials"
Why so Microsoft-centric? Does that mean they can use OpenOffice.org "Impress" presentation slides instead? Does that also mean Microsoft can sue the lawyers for use of their trademark in their document?
This comment does not represent the views or opinions of the user.
Time to stop being a geek. I'm getting my pencils and paper back out, doing RPGs that way, and selling off my 7 or 8 computers.
I can see the writing on the wall just as easily as anyone else. The joy that I got out of these marvelous toys just isn't worth it anymore. It used to be liberating; now it's just torturous. I can think of dozens of ways to get thrown in prison just by playing around with my system at night after work. Tinkering and exploring are forbidden. I'd rather be an insurance guy or something similarly boring than spend part of my life in a 4x6 cell, or even live in fear of same.
Just proof once again that anytime government gets involved with anything, it sucks all the fun out of it. All in the name of equity and greater corporate profits.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Surely Acidus and his colleagues informed the universities about this before they went public with this information. That is of course the most effective way to get the system to change... Imagine inviting the Dean of Purchasing and Procurement to a Coke and an apple pie on campus and using a facsimile of his ID and account to pay for it. Or even more fun: getting a sweet new laptop at the bookstore with a hyper-inflated account balance. Most certainly then Blackboard would think about upgrading their machines. Announcing that you are going to circumvent their digitally encrypted system in public, no less, simply gave Blackboard a way to facilitate their illegitimate hardware and policies and make them legitimate under the cover of an unjust law.
As my good old Uncle Scrooge always said: Work Smarrrrrterrrr not harrrrrderrrrr
http://cincyboys.blogspot.com/ Everything Cincinnati. Including the word 'Finnih'
How many more times are we going to hear about the DMCA and the extreme measures some companies and people will go to to use it?
Probably a couple per week until the damned thing is repealed or struck down.
When will the DMCA start getting some media attention outside of /.?
When there are media outside of /. that aren't part of entertainment conglomerates that are pushing the use of the DMCA to "protect" their "content", or by conglomerates that also own proprietary software vendors who are using it to "protect" their software products from reverse engineering, exposure of security flaws, and/or competition.
The DMCA strikes down a lot of rights that many people hold near and dear. I don't know about the rest of /. readers but I [am] disgusted by the DMCA.
Your opinion is widely shared.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I actually had something like this happen once. I went to a drive-up ATM at a bank I once used, and the machine was literally unlocked - there was a sort of swing-door arrangement where the whole ATM would open on a hinge sort of like some switch stacks do, and it was broken open. I decided not to stick my card in the machine and instead drove away to a payphone and called the bank.
Amazingly, the people on the other end gave me attitude when I called to tell them that their ATM was broken open - the attitude switched between "it's not my problem" and "you must have done it." At no time did I believe that they were actually going to do anything about it.
Two months later, when I was back in that town, I went to the same ATM, and the lock was still jimmied - it was closed, but obviously broken so that it would be a matter of prying with a screwdriver to open it again. I guess a couple of thousand bucks in cash and whatever private details can be gleaned from endorsed checks and deposit slips are unimportant to bancs of, um America.
political_news.c: warning: comparison is always true due to limited range of data type
After I left the Ohio State dorms in 1998 (I'm still a student) the university started to put card readers on the dorm entrances (up to that time either you had a key that opened both your dorm room and the main entrance, or you had two separate keys if you lived in a really big dorm.)
:-)
:-)
It does offer some advantages, for instance, all people could be allowed into the dorms at some parts of the day, but other times of the day only people who live in that dorm could gain entry.
Though there are some interesting caveats:
*The first one, which I didn't really know well at the time, is the fact that making a copy of the card is far easier than making a copy of the key. Remagnetizing magnetic stripes is not the hardest thing in the world.
*The campuswide system runs off of ethernet to the AT&T9000 computer which administers everything. If a particular door gets disconnected from the central computer, its default setting is to pretend like everything is normal and let everyone in, and it has a cache of swipes which it would then transmit back to the central computer when the connection was restored. That seems like a sensible kludge given the circumstances; given a network failure it would be more sensible to allow all in as opposed to all out, especially at a dorm. (Higher security places would have their door failure mode set to allow no one.) On the other hand, as a security concept, it just bugged me. (This is explained in the PowerPoint presentations.)
*My big concern at the time was the tracking and auditing abilities, and it still is. The key system had no tracking and auditing. The swipe system allowed the university to keep a record of when students come into the building (and implicitly, when they go). I pointed out that Ohio law prohibited a government institution from collecting information which was not authorized by law, nor required to achieve a particular purpose... and that the system need not perform the tracking, it only needed to perform the authorization.
The response I got was that the system was not designed with a zero tracking/auditing setting, it needed to perform tracking and auditing as part of its authentication mechanism. I pointed out that I can't help that the university bought a dumbass product, and I threatened to sue them, but I was young, and I threatened to sue everyone.
I got a letter from the university lawyers saying "While we ourselves certainly hope never to need the archived data -- and, fortunately, rarely do -- it can be of unquestionable value in investigating incidents in the residence halls. It is for this very reason that similar systems are in use at numerous colleges and universities around the country."
I've however pointed out that any idiot who was gonna do something in the dorms would do what everyone else does, and that is follow someone who swiped before you, and not swipe themselves.
I still hope to work on this issue at some point.
Forget the financial problems this has, what about personal safety?
If someone can gain entrance as John Doe, then they could gain entrance as Jane Doe. But with the intent of harming, raping, or killing someone. Whether it's someone unknown or a jealous ex-boyfriend, the court should be focusing on the company that made this and forcing them to fix the problem instead of ignoring the danger it poses to students on campus.
It's been nearly 20 years since I was at college and I remember using a lock system where you had to remember the 5 digit key sequence to get into your room. That's a hell of a lot more secure than this card system, and it's 20 years old.
The best intermediate solution to the DMCA should add a provision that recognizes when violations of the DMCA pose a clear threat to the safety and security of people. Then later they can tear the whole thing down.
"You're having a bad day when the voices in your head put you on hold"
This is a perfect opportunity to speak about the chilling effects of the DMCA and how it was used in this case as an effective short term "gag" order through a "cease-and-desist" letter. The mere mention of the inability to speak implies too that there's not only something wrong with the DMCA but a security flaw in Blackboard's system. The best solution is to give this presentation as much publicity as possible; only then will the public realize the ramifications of the DMCA. Every such incident should be reported in a big way until it hammers the point into the ground.
rob
If it's something within the school, then the makers of the system wouldn't really have a DMCA complaint against researchers; the school (user of the blackboard product) would. (Just as MPAA, not DVDCCA, are the ones who had DMCA complaints when knowledge of bypassing CSS got out. It's the copyright holder of content who gets to use DMCA, not the inventor of a protection mechanism.)
Assuming the blackboard lawyers actually see a way to use DMCA and aren't just trying to intimidate (hell of an assumption), then the copyrighed content must be some artistic expression within the Blackboard system itself, rather than something the system is intended to protect.
If the copyrighted expression turns out to just be the serial number on a card, or something like that, then that would be very (*cough*) interesting.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Reading through the C&D letter, I have to wonder who approved it from Blackboard's perspective and if anybody technical thought through what may be the result of it is.
There sounds like there is enough information in the letter so that somebody that knows what a 75176 is (I would disagree with the assertions in the paper about RS-485's obscurity), can program a PIC or an 8051 and can use an oscilloscope can reproduce the work done by Messrs. Griffith and Hoffman. Along with this it sounds like the readers are connected to standard cabling via standard connectors.
So, the result I would expect from this letter is, 1) it will be put on the Internet for all to read, 2) boxes throughout the different colleges and universities that use the system will be pulled out of walls and vending machines with many of them stolen or vandalized to see what's actually inside them, next 3) the protocol and hardware will be distributed on a variety of web sites (probably ending with .ru or .iq) and finally 4) Blackboard's reps get inundated with phone calls, emails and letters complaining that their system is not secure.
This begs the question on what Blackboard should have done. (next reply).
myke
Mimetics Inc. Twitter
how_to_get_coke_for_free_at_school.pdf? WTF?!? Are you trying to publish a security analysis, or are you trying to help people commit theft? Some people might draw conclusions about your intent, from that filename. And you might not like how they act in response to those conclusions.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
If I recall, the RIAA/MPAA cartel tried the same shit on Dr. Felten, didn't they? Then they dropped it when he cancelled his talk and sued them. That went to court and the judge threw it out claiming "No harm done". It seems to me that I see a pattern happening here. Big companies are abusing the DMCA by threatening to sue, which clearly abuses the Educational exception that Congress put into the DMCA. Then, once the talk is cancelled, they say: "OOPS! We goofed... we were never planning to sue you!" THEN the court agrees with them. The problem is this is a variant of the "shoot, ready, aim" philosophy. This stuff they're pulling is a dangerous incursion into free speech... but then again, free speech means NOTHING in the post-9/11 Bush dictatorship!
Seriously. If these people felt so strongly about the flaws in this system to hold a public seminar on it, why did they back down when they got a letter? They should have held the seminar anyways. They might go to jail, but think of what they could accomplish.
1) Get the information they wanted presented to the public.
2) Get media attention
3) Bring the insanity of the DMCA to the courts.
T Money
World Domination with a plastic spoon since 1984
We had the Onecard system at my school. Best hack we found was with the printing system. Insert a card with $30 on it in the machine to print for $0.10, say this is my print job, wait for it to read the amount on the card. Take out the card and put in a card with $0 on it. Hit yes to print. $29.90 will be written to the card. Everyone I knew had $100 on the card in no time once we "borrowed" a prof's card. We also got to print at half price by taking a copy of his card.
People also spent time sniffing the Onecard network, but as far as I know no one had found anything interesting yet. This was 4 years ago, so I'd assume the entire thing is solved by now.
RTFA
This is not about protecting the students. This is about Blackboard being too lazy/stupid to fix a flaw that they know about.
Acidus has tried since 2001 to get them to fix this. I'm pretty sure that if I dropped my credit card in 2001 and you told me about it, I would have things fixed by now. By this point, it is obvious that Blackboard is being negligent and is thus putting students at a greater risk.
To put this all in context for you, my school uses Blackboard for our grading system as well as dining services, housing access, etc. I know for one that I am NOT happy about this C&D and feel much less safe now.
On a lighter note, you know the worst damn part about this? We are a stupid Pepsi campus so stealing from the vending machines is pointless!
Hi, I am a user of the Bb system at Montclair University. News of a cease and desist order has reached our campus regarding Blackboard security. This is very troubling for 2 reasons. First, the existence of a security flaw, and worse, Blackboard's attempt to hide this flaw rather than work with the security community to rectify it is very troubling. Second, as an educational facility, using what it considers to be educational software, it is very alarming that Blackboard is using the DMCA in a way antithetical to academic and scientific progress. Censoring information not only leads to increased unreliability and appearance of security flaws, but to a steady degeneration of the process which our institutions are designed to promote.
There was an article in 2600 about 4 issues ago that had complete details on this system I believe, and how to hack into it.
If I can remember which issue it was I'll post it here. If anyone else remembers, feel free to remind me. I remember though it basically showed how with no effort the system can be cracked.
** To avoid DMCA lawsuits, etc.: I did not write this article, nor am I involved with its creation whatsoever. **
~ kjrose
How did you find out that the system used was Blackboard?
Look for an AT&T or Blackboard logo on the devices that you swipe your ID through. (Soda machines, POS terminals, dining halls, copy machines...)
My university (University of Missouri) has TONS of these things. And most of them are totally insecure. The RS-485 lines are there, ripe for the picking. I've seen many soda machines and copiers, many in low-traffic areas, simply plugged into an RJ11 jack in the wall with no conduit protecting it. It's ridiculous.
On one hand, there is the party line that any security / encryption measure CAN be broken, so that social measures are really what's necessary to achieve desired aims.
Wait a minute, you're basing your argument on a false assumption. We're not talking about DRM here. When I get an encrypted CD, I have to get the unencrypted content at some point so I can listen to it. That's what makes it an unworkable system.
The security for this card system is much different. You simply need to authenticate a person and transfer a piece of information to a centralized computer in such a way that it can't be tampered with or replayed.
That's a solved problem, while the DRM solution can never be solved (unless you put a trusted encryption module in people's brains).
What makes this company's actions so shameful is that it is possible to pull parts off the shelf (hardware, software, etc.) and put together a workable secure system, but they choose to do things "the easy way" and then not even reveal the details to the public.
In our society today, we are highly dependent on technology and computers. We absolutely have the right to know exactly how these things work.
Imagine you bought a shoddily built car. You pop the hood and you see exactly what's shoddy about it. So do Consumer Reports and CNN. They all report that the hoses are loose and the gas tank leaks. Another car company comes along and makes an equivalent well-built car, and people start buying it instead. Free markets and capitalism work their magic because people KNOW what they are buying. They are informed about the products available in the market.
Why can't computer and security systems have the same openness? Well, right now, BAD laws like the DMCA make it possible for these companies to simply "blow off" these kids, knowing full well they can sue them later.
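The article's replay concern (a sniffed swipe message repeated to a vending machine or door) and the comment above's point that a tamper-proof, non-replayable transaction is a solved problem, as an added Python sketch that is not Blackboard's protocol or anyone's real reader code: each swipe carries a per-reader key's HMAC and a monotonic counter, so the server rejects a captured message that is re-sent and a copy whose amount was altered. The `Reader`/`Server` classes, the message layout, the reader key and the card number are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed demo key for one reader; a deployment would provision a unique key per device.
DEMO_READER_ID = 17
DEMO_READER_KEY = b"constructed-demo-key-for-reader-17"

HEADER = ">IIQB"                      # reader_id, amount_cents, counter, card_id length
HEADER_LEN = struct.calcsize(HEADER)  # 17 bytes
TAG_LEN = 32                          # HMAC-SHA256 output


class Reader:
    """Hypothetical card reader: every swipe carries a monotonic counter and an HMAC."""

    def __init__(self, reader_id: int, key: bytes):
        self.reader_id = reader_id
        self.key = key
        self.counter = 0  # a real device must keep this across power cycles

    def swipe(self, card_id: str, amount_cents: int) -> bytes:
        self.counter += 1
        card = card_id.encode()
        body = struct.pack(HEADER, self.reader_id, amount_cents, self.counter, len(card)) + card
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + tag


class Server:
    """Central host: verifies the tag, rejects stale counters, then debits the account."""

    def __init__(self, reader_keys: dict, balances: dict):
        self.reader_keys = reader_keys
        self.balances = balances
        self.last_counter = {}  # reader_id -> highest counter accepted so far

    def process(self, msg: bytes) -> str:
        if len(msg) < HEADER_LEN + TAG_LEN:
            return "rejected: malformed"
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        reader_id, amount, counter, card_len = struct.unpack(HEADER, body[:HEADER_LEN])
        if len(body) != HEADER_LEN + card_len:
            return "rejected: malformed"
        key = self.reader_keys.get(reader_id)
        if key is None:
            return "rejected: unknown reader"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # Constant-time compare; a forged or modified message fails here.
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        # A sniffed-and-repeated message carries a counter the server has already seen.
        if counter <= self.last_counter.get(reader_id, 0):
            return "rejected: replay"
        self.last_counter[reader_id] = counter
        card_id = body[HEADER_LEN:].decode()
        if self.balances.get(card_id, 0) < amount:
            return "declined: insufficient funds"
        self.balances[card_id] -= amount
        return "accepted"


def demo() -> list:
    """Honest swipe, a replay of the same bytes, then a tampered copy with a smaller amount."""
    reader = Reader(DEMO_READER_ID, DEMO_READER_KEY)
    server = Server({DEMO_READER_ID: DEMO_READER_KEY}, {"900012345": 500})  # constructed card, $5.00
    msg = reader.swipe("900012345", 125)  # a $1.25 soda
    results = [server.process(msg)]
    results.append(server.process(msg))  # the captured message is sent a second time
    # Counter advanced and amount lowered, but the old tag no longer covers this body.
    tampered = struct.pack(HEADER, DEMO_READER_ID, 1, 2, 9) + b"900012345" + msg[-TAG_LEN:]
    results.append(server.process(tampered))
    return results


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The counter state has to live on the server side and persist, otherwise a restart would reopen the replay window the comment describes.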
The fact of the matter is...
Ah, my favorite phrase. I hear it all the time on TV talk shows. The more assertive the speaker is that he is speaking "facts", the more subjective and arbitrary they are.
It's also evident that without their information being made public, the security systems do a reasonable job of protecting what they need to protect.
I'm sorry, but if it is possible to make a secure system, they really should make a secure system, and not rely on "wishful thinking".
I guess that's the way it is in this country these days: nobody installs a burglar alarm until they've been robbed, nobody shreds their credit card receipts until someone's taken them from the trash can, and nobody does background checks on people from known terrorist-supporting countries until after they've been attacked. "It won't happen to me", "It can't happen here", "Why would someone want to go through MY trash?", "There's nothing of value on my home computer".
I work in computer security and the first thing I do is try and "cure" people of this belief that "bad security is good enough". If they don't believe me at first, they usually call me up later after they get hacked.
Oh well. Maybe these kids really should keep it to themselves. When I was in college in 1997, we had a card-swipe system to unlock the dorm doors. I figured out a simple way to unlock the dorm doors without my ID card (which I forgot all the time). Each time, I hoped nobody else figured it out and told the school...these days, I wouldn't even think about it, since I have fear of the DMCA.
At my school, the recently mentioned McMaster University, our residence meal plan could be used at local restaurants which had a deal with the University, like East Side Mario's, Pizza Hut, and equivalent places.
Thing was, while they were mainly restaurants, some of these restaurants had bars in them, and we found early on that the system did not discriminate between what one ordered from these places.
So basically, one could use mommy and daddy's meal plan money. I think they eliminated this loophole since my first year, but it was good(by which I mean very very bad) while it lasted :)
It's a cease and desist letter. Perhaps it's just a bluff, or an opening move in a nasty legal fight. Note that the letter in question is dated April 11, 2003, the day before the seminar (at the Interz0ne conference), and is directed to the conference chair and not the participants in question. Could you, in 24 hours or less, work out whether you (as conference chair) should go ahead with that seminar given that you probably don't know what the participants in question were doing? Looks like a cheap but effective maneuver to me.
In this case, as in mine, the card number would be the "access device" and the computer (or even a laundry iron) would be "access device making equipment." Since this is a computer network one would also be well advised to read 18 USC 1030, which deals with computer hacking. Did you ever wonder why the phone company hands out cards in the first place? It was to promote the idea that phone card phreaking was the same as making your own Visa card (the original intent of the law.) Why else would they emboss your phone number on a slab of plastic when there was never a valid reason to run it through a credit card imprinter?
-- I have a private email server in my basement.
After we went public, the admin. apologized, but said this was not a security risk because each student's account was protected by not only that 9 digit (now public) number but also a 4 digit numerical password. This didn't make me feel very secure. The ID + passwd combination was used to add/drop classes, find out grades, administer financial aid, etc.
The cards themselves were made by AT and T; you could put money on them over the web using your credit card, then buy food, etc.
just the fact that we now know the Blackboard system is flawed is enough for someone to take advantage of the system, so DMCA really didn't change anything, sure they prevented the information from being widely distributed, but now others may become curious and hack the system the same way they did.
So, in effect, DMCA really didn't do anything. Actually DMCA made it worse, since this information probably wouldn't have shown up on /. and other news organizations had DMCA not stepped in. Now there's millions more people out there who know the system is flawed, and perhaps thousands with the knowledge and determination to hack the system for (essentially) free money. I've seen kids hack systems for much less incentive, so no doubt Blackboard is very appealing.
The DMCA just fucked itself. Should have just kept DMCA out of it, let the news launch quietly, then the owners of Blackboard could have announced a "patch" a week later. Even if there wasn't a patch some people wouldn't bother attempting to hack the system after hearing a patch was made.
my karma will be here long after I'm gone
In 1997, after four years of research, a French cryptographer, Serge Humpich, found a flaw in the widely used French smart card, which requires owners to type a PIN on a payment terminal for all credit card and ATM transactions. He found that (1) the PIN was verified by the chip on the card, (2) some terminals didn't really check what chip they were talking to, and (3) if the chip told the terminal "yes, the PIN is right", the terminal would blindly accept the confirmation and allow the transaction. Such a card is called a "yes-card".
Humpich contacted the Carte Bleue consortium, an association of 200 banks managing the French smart cards, and told them about the flaw. They refused to believe him. So he made a yes-card out of spare parts and went to a Parisian metro station. There, he bought a few metro tickets and sent them, along with the payment receipt, to the Carte Bleue people. They immediately contacted the police.
Humpich was arrested in September 1999 and jailed for several months. In 2000, he was given a suspended 10-month jail sentence and a $2600 fine. All his equipment and documentation was confiscated. Now he has a criminal indictment that bars him from a number of jobs.
Of course, the French and US laws are different. But if anything, I suspect a US court will actually be harsher, especially now that the DMCA has been used in several precedents. Heck, the DMCA makes it almost mandatory to jail you if you figure out a way to program your VCR without reading the obviously encrypted documentation!
So I really don't think it's a good idea to show the problem exists. Blackboard knows, the people who selected them as a supplier know, and if you show them that they're effectively slobs, they'll crush you to cover their asses.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
Posting this anonymously for obvious reasons.
You don't even have to try and hack the buzzcard system. A few friends of mine discovered that certain Clayton College and State University id cards (same Blackboard system? I don't know) can be swiped in Georgia Tech vending machines. Apparently, whoever last used their buzzcard on the machine gets charged. GT doesn't lose any money on it, but students can get screwed. Hence why I keep $20 on my card now instead of $200.
Hi
We run Blackboard LS 5.6 at the institution where I work, and I can honestly say that they are the worst company I have ever had to deal with. Not only is the customer support useless and they fail to deliver ALL products on date, but when they do claim they have a fix (as posted in their own knowledgebase) they send an excuse and say that they made a mistake and the bug still exists. If it wasn't for the fact that we have been using the system for two years now I'd say stuff them and keep the 2 x $50000 we are paying them PER YEAR!!!
Cheers
Telling the company that you've found a flaw in their software is likely your best bet.
And, according to the story, they did that and... THE FUCKING COMPANY BLEW THEM OFF when they told them about the flaw months ago!
So... what do you do then? The company doesn't want to hear that it has an insecure product. And people are still using the product as if it were secure.
What do you do then? Simply shrug your shoulders and say, "Well, I tried to tell them. Let others worry about it, now." It's a sad fact that most people would actually do this... they are afraid of sticking their necks out for this very reason... it gives a very nice target for the lawyers' guillotines. Amerikan citizens have turned into domesticated puppies.
But the people that are willing to stand on principle... they are the unfortunate target of the DMCA: people that are actually trying to do the right thing!
I think the fact that this can happen is a sad state of affairs in the United Corporate States of Amerika.
"May I have ten thousand marbles, please?"