Slashdot Mirror
Blackboard Campus IDs: Security Thru Cease & Desist
Virgil was there two years ago when Dmitri Sklyarov was arrested and led away in handcuffs at Def Con 9. He's not in handcuffs now, but in speaking to me, he had to stop and think about everything he said, and every third answer was "I really shouldn't talk about that."
The DMCA is largely to thank for that. Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work," and that no one "shall... offer to the public... any technology" to do so. Blackboard Inc., whose card system is called the Blackboard Transaction System and known to end users under various names, uses a network of card readers and a central server, and they communicate over RS-485 and Internet Protocol -- using, or so they apparently claim, measures that effectively control access.
For the record, none of what I learned about the Blackboard technology was from him or Acidus after the restraining order was sent. I spoke to other people, who have not been served with a restraining order. Google has a less enlightening mirror of the slide titles from this weekend's PowerPoint presentation and a more enlightening mirror of Acidus's "CampusWide FAQ" from last July. And, most enlightening of all, this mirror has an updated version with details on what they figured out how to do and what their talk was going to be about (click "CampusWide" for the text description, the PowerPoint slides, and Acidus's timeline of the last year).
At many schools, Blackboard's system is the ID: you swipe your card for your meal plan at the cafeteria, to get into your dorm, maybe even to get your final exam.
A swipe at a vending machine will get you a soda -- a money transaction from your campus debit account. When you use a swipe to do laundry and make copies, money has to be involved. Blackboard even notes that they can set up a merchant network on- and off-campus: "a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network." (Emphasis added. Maybe readers who go to schools that use such a system can expand on how that system is used.)
The kicker, of course, is that this network is not very secure, or at least Blackboard doesn't think it's as secure as... well, as lawyers. One anonymous Slashdot submitter wrote that: "The authentication system is so weak that [Virgil and Acidus] have been able to create a drop in replacement for the CampusWide network debit card readers used on coke machines on campus."
Virgil couldn't provide me any details about what he had learned about the system. Based on the mirrors, it looks like a man-in-the-middle replay attack -- which is a pretty simple attack, repeating messages sniffed over the RS-485 protocol, or even over IP -- can have effects like convincing a Coke machine to dispense free product. Or, it's claimed, the attacker can create a temporary card, with no name attached, and free money in its account. Hmmmmm.
Or, more ominously, someone else's identification might be sniffed, and then replayed from a security terminal. If a thief gained entrance to a building by sending the message "open the door, my name is John Doe," the real John Doe might be sorely inconvenienced the next morning.
So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?
If you're a parent putting money into a Blackboard-based debit account, do you feel more confident of its safety now that this information is ostensibly hidden?
This card system has been installed on many campuses and its roots go back almost twenty years. My guess is that replacing the card-reading hardware would be necessary to improve the security of these devices. Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").
So, assuming that's not possible -- is the DMCA a viable tool to ensure security?
P.S. Virgil tells me that he has a good lawyer. They are scheduled to argue on Thursday that the restraining order not be made permanent. Slashdot will keep you apprised of what happens in our Slashback stories... stay tuned.
P.P.S. Update: 04/15 02:30 GMT by J : Now online are the restraining order, which just lists the six things that Acidus and Virgil are not to do, and the more detailed Complaint. Now that these are available, as Declan McCullagh points out, it turns out the DMCA was only in the lawyers' threatening letter and not considered as part of the Complaint itself. I'm not sure why it would be included in the letter -- some of the language of the Georgia Computer Systems Protection Act is similar, and who knows, Section 1201 might be mentioned later on, as this case progresses. Maybe the lawyers are just keeping their options open. Meanwhile, I love this part of the Complaint:
"Mr. Hoffman openly acknowledges on his website that 'I am a hacker.' His website then defends the process of hacking. See Exhibit B."
This in NO WAY implies we live in a police state.
I wish there were a way to accidentally leak the exacty details overseas. There, it would be very difficult to get shut down, and every college using this system would have to deal with it.
While this may be an inconvenience to students, they can get by without buying coke with a swipe of a card for a while.
Moderation: Put your hand inside the puppet head!
Well, if you aren't even able to TALK about security flaws *Cough*First Amendment*Cough* they'll never get fixed. The DMCA again makes the net less secure instead of more.
Since when has this country used intellectual elite as a pejorative term?
A corporation is preventing you from doing something, which is their right according to law.
If we lived in a police state, armed thugs would not tell you, "You can't detail the flaws of our product." They'd just beat the living crap out of you and then go home, kick back, and drink a cold Coors 20 ouncer.
Our school uses blackboard, and last year the machines were shut down for a long time because students used methods to get free stuff out of the snack machines. And I'm not talking cracking a case or making a fake card either. It was really simple too, like swiping really fast after the transaction, if I remember right, and you could get a second item for free. Kinda scary.
To answer the question "is the DMCA a viable tool to ensure security?"
Here's an article from the BBC.
and here's a good presentation from toorcon.
and lastly, this is a good article from ITWorld.
Why do I h8 apple?
That freedom has taken a back seat to congress' lust for power and money.
We should look for other ways to take on the DMCA. IANAL, but the following link is to an interesting case, about fedral powers. I have some doubt, but maybe this is a method to bypass the DMCA.
http://supct.law.cornell.edu/supct/html/93-1260
I am very interested in what people think. Any ideas?
Ps: Why aren't techies lawyer? Oh, and why look at http://www.lp.org They hate the DMCA also.
-- Prepared at the direction of, or to be sent to Legal Counsel, in anticipation of litigation. Attorney Client Pri
actually, it does. Thats the point of a free press. An informed public is necessary to maintain ones freedoms, but i guess we already missed the "informed public" boat too early to avoid draconian laws like the DMCA anyhow.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
Cease and decist letters get written when someone threatens anothers money making schemes. To fix the problem costs money, to scare individual X into keeping their info to themselves is much cheaper.
Say that a random person on the street finds a crack in a banks wall that allows intruders to get in, tack the cash, and run away. Should the person start holding seminars about how there's such a vulnerability, or should the person go tell the bank so it can fix it?
Initially, the later case seems like the thing to do. But what if the bank ignores you? Should someone be allowed to convey information about a problem with a system if the system controllers refuse to fix it? I'd still think not - it'd be one thing to state that there is a vulnerability, and that in good conscience could not state what the vulnerability is, and quite another thing to go explaining the vulnerability to everyone else.
Just my 2 cents, and as always, there's probably more to the story.
F-bacher
Not anytime soon.
Most people in their daily lives aren't directly affected by it (or not to their knowledge at least).
Most of the places that bump into the DMCA right now are the academics. Why? Because they are a bit ahead of the curve, the idea to undstand things is integral to them. Most people though are just consuming the final product, as such they won't be affected for a while.
Wait a bit longer until the product Johnny wants to buy (or an update to a Software he is using) can't be had anymore because the developer wasn't allowed to incorporate the functionality because of the DMCA.
Of course by then the question is if the masses will still care (I bet not).
M.
If you want to e-mail me, use my PGP Key.
Where I went to undergrad there was a debit card system that was also unsecured (unknown company). This was actually a nice thing, as it effectively meant everything was free for engineering students (vending, meals, ?), with the rest of the student body picking up the tab. I was all for the poor protocols at the time. It?s the administration, not the students or parents that should worry...
And yes I realize this is immoral and wrong, it was more a thrill thing at the time.
Considering the nature of the security flaws and that they are now exposed, can this legal action against Virgil be challenged under SLAPP clauses?
This sig no verb.
You know a C&D letter may stop people from disclosing exploits, but will not stop people from disclosing that their are exploits. That's enough for lots of poor, enterprising college students.
A much better plan would of been to let these guys give their talk, to hire them, fix the problems, and them make a bundle in upgrades to existing customers. Come on, if some of these installations are 20 years old we're not talking much more then maintenance revenue. On the other hand system upgrades, especially when demanded by parents, can net a pretty penny. The colleges could have fund drives, hit up alumni societies, all the normal ways to get money when something unexpected walks through the door.
Instead the company gets to look like a fool that knows there are security flaws, aren't fixing them and instead are wasting money on laywers, get getting bad press.
Oh well, I guess there is no such thing as bad press. And that companies would rather think about prestige short term then a better product long term, even if the better product will get them more money.
=Blue(23)
LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
"remove all references to Blackboard and its Transaction System from any website, power point presentation, seminar handouts, or any other promotional materials"
Why so Microsoft centric? does that mean they can use OpenOffice.org "Impress" presentation slides instead? Does that also mean Microsoft can sue the lawers for use of their trademark in their document?
This comment does not represent the views or opinions of the user.
Time to stop being a geek. I'm getting my pencils and paper back out, doing RPGs that way, and selling off my 7 or 8 computers.
I can see the writing on the wall just as easily as anyone else. The joy that I got out of these marvelous toys just isn't worth it anymore. It used to be liberating, now it's just torturous. I can think of dozens of ways to get thrown in prison just by playing around with my system at night after work. Tinkering and exploring are forbidden. I'd rather be an insurance guy or something similarly boring then spending part of my life in a 4x6 cell, or even living in fear of same.
Just proof once again that anytime government gets involved with anything, it sucks all the fun out of it. All in the name of equity and greater corporate profits.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Surely Acidus and his colleagues informed the Universities about this before they went public with this information. That is of course the most effective way to get the system to change. . . Imagine inviting the Dean of Purchasing and Procurement to a Coke and a Apple pie on campus and using a facsimile of his id and account to pay for it. Or even more fun - - getting a sweet new laptop at the bookstore with a hyper-inflated account balance. Most certainly then Blackboard would think about upgrading their machines. Announcing that you are going to circumvent their digitally encrypted system in public, no less, simply gave Blackboard a way to facilitate their illegitimate hardware and polices and making it legitimate under the cover of an unjust law.
As my good old Uncle Scrooge always said: Work Smarrrrrterrrr not harrrrrderrrrr
http://cincyboys.blogspot.com/ Everything Cincinnati. Including the word 'Finnih'
So the legistlation in the US no longer supports freedom of speech? God bless America, again.
You should really consider switch to using GNUnet/Freenet solutions for distributing such information there since it seems the Government there is just too restrictive.
I bet the NSA & Co. are after me now for whatever reason they can come up with... truth hurts yea I know...
- Voice of Ambience -
- Voice of Ambience -
If guns are outlawed, only outlaws will have guns.
If hacking is outlawed (and talking about it), only outlaws will know how to hack.
So who do you get to sue if someone makes a dupe of your ID card and raids your campus debit account, or breaks into your dorm room? The school? The hacker? The company that sold the school the lame ID system they claim is secure but is not?
I would think the schools would like to know why sodas, meals, etc. are disappearing from their supplies. Hmmm.... This Coke machine is empty, but only 5 Cokes were recorded to be bought from it. Hmmm...
This is the worst kind of security through obscurity.
- Jasen.
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.
Sounds to me like "you can say what you want, when you want, and no consequences" to me.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
And you know very well that this is not the first time this sort of thing has happened.
Dyolf Knip
How many more times are we going to hear about the DMCA and the extreem mesures some companies and people will go to use it?
/.?
/. that aren't part of entertainment conglomerates that are pushing the use of the DMCA to "protect" their "content", or by conglomerates that also own proprietary software vendors who are using it to "protect" their software products from reverse engineering, exposure of security flaws, and/or competition.
/. readers but I [am] disgusted by the DMCA.
Probably a couple per week until the damned thing is repealed or struck down.
When will the DMCA start getting some media attention outside of
When there are media outside of
The DMCA strikes down a lot of rights that many people hold near and dear. I don't know about the rest of
Your opinion is widely shared.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
How come we can post Win2k3 serial keys in the slashdot forums, but no one posts how to get phr33 as in c0ke c0kes? Sheesh. What bullshit.
Come *on*, someone toss a practical exploit in here!
--grendel drago
Laws do not persuade just because they threaten. --Seneca
This is a snippet from Acidus' old website. It relates the timeline of events. I hope you enjoy.
Sorry for posting AC but since this does come from Acidus' website ....
After I left the Ohio State dorms in 1998 (I'm still a student) the university started to put card readers on the dorm entrances (up to that time either you had a key that opened both your dorm room and the main entrance, or you had two separate keys if you lived in a really big dorm.)
:-)
:-)
It does offer some advantages, for instance, all people could be allowed into the dorms at some parts of the day, but other times of the day only people who live in that dorm could gain entry.
Though there are some interesting caveats
*the first one, which I didn't really know well at the time, is the fact that making a copy of the card is far easier than making a copy of the key. Remagnetizing magnetic stripes is not the hardest thing in the world.
*the campuswide system runs off of ethernet to the AT&T9000 computer which administers everything. If a particular door gets disconnected with the central computer, it's default setting is to pretend like everything is normal, and let everyone in, and it has a cache of swipes which it would then transmit back to the central computer when the connection was restored. That seems like a sensible kludge given the circumstances, given a network failure it would be more sensible to allow all in as opposed to all out, especially at a dorm. (Higher security places would have their door failure mode set to allow no one.) On the other hand, as a security concept, it just bugged me. (this is explained in the powerpoint presentations.)
*my big concern at the time was the tracking and auditing abilities, and it still is. the key system had no tracking and auditing. The swipe system allowed the university to keep a record of when students come into the building (and implicitly, when they go.) I pointed out that Ohio law prohibited a government institution from collecting information which were not authorized by law, nor required to achieve a particular purpose...and that the system need not perform the tracking, it only needed to perform the authorization.
The response I got was that the system was not designed with a zero tracking/auditing setting, it needed to perform tracking and auditing as part of its authentication mechanism. I pointed out that I can't help that the university bought a dumbass product, and I threatened to sue them, but I was young, and I threatened to sue everyone.
I got a letter from the university lawyers saying "While we ourselves certainly hope never to need the archived data -- and, fortunately, rarely do -- it can be of unquestionable value in
investigating incidents in the residence halls. It is for this very reason that similar systems are in use at numerous colleges and universities
around the country."
I've however pointed out that any idiot who was gonna do something in the dorms would do what everyone else does, and that is follow someone who swiped before you, and not swipe themselves.
I still hope to work on this issue at some point.
Congress shall make no law [...] abridging the freedom of speech, or of the press; [...]
Sounds to me like "you can say what you want, when you want, and no consequences" to me.
What you want, yes.
When you want, yes.
No consequences, no.
The amendment has been interpreted to mean that the congress can't stop you ahead of time, but can set up rules for punishing you after the fact if your speech meets certain criteria. (Like harming others, soliciting crimes, or otherwise interfering with a "compelling state interest".)
While I'm with you on this one (the GOVERNMENT shouldn't be setting up any content-based penalties for speech, before or after the act), the Supreme Court says otherwise. And there's no appeal beyond the supreme court - which is why it gets to rule on the constitutionality of laws and have the rules stick.
(Oh, well. They say two out of three ain't bad...)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
You're thinking of another thing called Blackboard.
Way to read the article, champ.
I'm a student at the University of Alberta, and I have one of these OneCards.
There are various machines around that let you deposit money onto your OneCard, but there is no "university-approved network" of stores that accept the OneCard as payment.
The OneCard is primarily used for borrowing books from the library, and for operating the photocopiers/printers on campus, and there is exactly one vending machine on campus that allows you to pay with your OneCard.
As for people living in residence who have meal plans (like me), there's a separate card for that, provided by Aramark. To get into our dorms, we have keys. Laundry is coin-operated. The OneCard has absolutely nothing to do with the on-campus residences.
For most finals and midterms, we're required to show our onecards and/or driver's licenses as photo ID, but the OneCards aren't swiped through a card reader or anything, it's just photo ID, nothing more.
There are restricted areas on campus that you can access by swiping your OneCard and punching in a secret code, but as a first year undergrad, I don't have access to any of those places so I can't say what it's like (though for most of the places that aren't top-secret nuclear research facilities, it's almost trivially easy to get in by walking in when somebody else walks out -- we're friendly here in Canada, generally we hold the door open for people we don't know).
So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?
Gee, I dunno. This is Canada, there is no DMCA here (as far as I know, anyway). Hopefully some Canadian security researcher will hear about this, and continue the research here...
Forget the financial problems this has, what about personal safety?
If someone can gain entrance as John Doe, then they could gain entrance as Jane Doe. But with the intent of harming, raping, or killing someone. Whether its someone unknown or a jealous ex-boyfreind, the court should be focusing on the company that made this and forcing them to fix the problem instead of ignoring the danger it poses to students on campus.
Its been nearly 20 years since I was at college and I remember using a lock system were you had to remember the 5 digit key sequence to get into your room. Thats a hell of a lot more secure than this card system, and its 20 years old.
The best intermediate solution to the DMCA should add a provision that recognizes when violations of the DMCA poses a clear threat to the safety and security of people. Then later they can tear the whole thing down.
"Your having a bad day when the voices in your head put you on hold"
So.
Instead of fixing the exploit in their keycard system, the company in question finds it easier to have their lawyers drop a house on the students.
Doesn't "Security through Obscurity" create an environment where persons with malicious intent are free to exercise it?
The students discovering the security hole = The Good Guys. The knowledge they posses equal a Munition (or, a firearm.) They were not planning to use their knowledge maliciously.
Essentially the DMCA has turned knowledge into a weapon to be regulated through the legal system. Just be careful what you know, because speaking of it publicly is becoming the 21st century equivalent of pulling a gun out of your pocket at the mall to discuss it's function with another gun enthusiast.
Of course, we all know the gun paradox. Seriously. Increasingly orwellian gun laws !=less crime. Criminals will always find weapons. On the electronic mean streats, crackers & hackers will always find exploits, but unlike the Good Guys, the Bad Guys won't go to a symposium to divulge the PROBLEM, embarassing the company into FIXING IT. Instead, the Bad Guys will EXPLOIT the FUCK OUT OF IT.
I'm not a philosopher, psychologist, ethicist or sociologist by profession, but perhaps the DMCA needs to be re-evaluated by a panel consisting of a few. Right now it seems to favor only the government and very, very large corporations. Oh, and it makes learning a criminal act.
Do you have a permit for your mind?
THIS SPACE INTENTIONALLY LEFT BLANK.
This is a perfect opportunity to speak about the chilling effects of the DMCA and how it was used in this case as an effective short term "gag" order through a "cease-and-desist" letter. The mere mention of the inability to speak implies too that there's not only something wrong with the DMCA but a security flaw in Blackboard's system. The best solution is to give this presentation as much publicity as possible; only then will the public realize the ramifications of the DMCA. Every such incident should be reported in a big way until it hammers the point into the ground.
rob
We are standing up and fighting it. In the past 48 hours, the local CBS station (who would be doing more, but needs more validated information which they don't yet have), Salon.com and a few other _news_ organizations have been very interested.
Subscribe to root@se2600.org (root-subscribe@se2600.org) if you want to chat with the locals about this... or have tips. The con organizers for likely reasons can't comment on enough information, but other people have... more information.
-Iridium (on that list)
"During times of universal deceit, telling the truth becomes a revolutionary act" -- George Orwell
IANAL, but could someone sue the company for false advertising? If they say their product is safe and secure, but you feel it isn't and you are a user, then shouldn't your be able to bring a case against them? At that point, you have to present evidence for your claim and (assuming the court records aren't sealed) the exploit becomes public record.
Trade secrets used to be frowned upon by the law. Patents were legally preferable, so that when the patent expired, the knowledge went into the public domain. A trade secret could be lost easily; any publication by anybody erased trade secret status. All trade secret law really did was to put some teeth into confidentiality requirements for employees. It didn't affect outsiders.
All that has changed in the last decade. Between the Economic Espionage Act, the DMCA, and several court rulings, trade secrets now look more like property rights.
So, assuming that's not possible -- is the DMCA a viable tool to ensure security?
The DMCA isn't about secruity--it's about copyright. Read the DMCA, also known as Chapter 12 of Title 17, USC, and decide for yourself.
IMO, the law should either be moved to a general security law, or it shouldn't be interpreted to cover anything except the aiding and abeiting of real anti-copyright infringment sale aid--that is, unless a device is intended to protect a document that's transmitted / broadcast, the DMCA shouldn't touch it.
Then again, these are new positions for me--reply and you might change me again.
It doesn't.
You are not allowed to shout "fire!" in a crowded theater.
You are not allowed to using "fighting words" (words intended to incite violence).
You are not allowed to threaten people.
You are not allowed to libel or slander people.
You are not allowed to be "obscene".
http://www.educause.edu/ir/library/html/cem9732.ht ml
If it's something within the school, then the makers of the system wouldn't really have a DMCA complaint against researchers; the school (user of the blackboard product) would. (Just as MPAA, not DVDCCA, are the ones who had DMCA complaints when knowledge of bypassing CSS got out. It's the copyright holder of content who gets to use DMCA, not the inventor of a protection mechanism.)
Assuming the blackboard lawyers actually see a way to use DMCA and aren't just trying to intimidate (hell of an assumption), then the copyrighed content must be some artistic expression within the Blackboard system itself, rather than something the system is intended to protect.
If the copyrighted expression turns out to just be the serial number on a card, or something like that, then that would be very (*cough*) interesting.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
The only sane thing to do is to patent your exploits before you announce them. :)
Then you have precedence for publishing them, or you just point to the online patent info.
As a bonus, you can sue the companies that fix the holes you're supporting because they've broken that "shall circumvent a technological measure that effectively controls access to a work" line. After all, your exploit controls access, right? Opening a door is controlling access as much as locking it is.
Reading through the C&D letter, I have to wonder who approved it from Blackboard's perspective and if anybody technical thought through what may be the result of it is.
.ru or .iq) and finally 4) Blackboard's reps get innundated with phone calls, emails and letters complaining that their system is not secure.
There sounds like there is enough information in the letter so that somebody that knows what a 75176 is (I would disagree with the assertions in the paper about RS-485's obscurity), can program a PIC or an 8051 and can use an oscilloscope can reproduce the work done by Messrs. Griffith and Hoffman. Along with this it sounds like the readers are connected to standard cabling via standard connectors.
So, the result I would expect from this letter is, 1) it will be put on the Internet for all to read, 2) boxes throughout the different colleges and universities that use the system will be pulled out of walls and vending machines with many of them stolen or vandalized to see what's actually inside them, next 3) The protocol and hardware will be distributed on a variety of web sites (probably ending with
This begs the question on what Blackboard should have done. (next reply).
myke
Mimetics Inc. Twitter
This past week, one of the first comments to be modded up as funny is someone claiming to be the Iraqi information minister.
Now, they could have said something like, "There are no holes in the BuzzCard system, and we have repelled the elitist satan dogs who have attempted to break its security!" and it would have finally been funny!
-JDF
how_to_get_coke_for_free_at_school.pdf? WTF?!? Are you trying to publish a security analysis, or are you trying to help people commit theft? Some people might draw conclusions about your intent, from that filename. And you might not like how they act in response to those conclusions.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Yeah right, the DMCA will stick and hold for a long time to come. Lawyers are having a field day. Lawyer wrote the law and therefore they will protect the law. Even though the law sucks.
What will be the result? Easy illegal hackers who steal. The DMCA is setting up a black market of crime. Just like how people "steal" cable. And people will not consider it stealing because it is digital. Oh yeah forgot more lawyer work, to prosecute the illegal people. Can we say DMCA is a make work system?
The DMCA will be struck down once people in the mainstream realize it has no effect. This reminds me of the argument with strong encryption....
Add on the fact that governments these days do not care about the little person. Just the big companies with their lobbies....
"You can't make a race horse of a pig"
"No," said Samuel, "but you can make very fast pig"
First, the standard IANAL but I play one on /., and seek legal advice regularly.
Now for an example, yelling about a fire or a bomb in a movie theater is a violation of the Constitutional protection on speech. The courts have been working on establishing the guidelines for different classes of speech that are protect and that are not, such as informational (IE: a book about ways to kill people) and those that are functional, or produce actions (a book that entices people to kill others). Informational speach is protected, functional speach may be restricted.
The same is true for technical issues, although I wouldn't want to be a lawyer in that case. Arguing on first-ammendment lines, you would have to demonstrate that the claims are purely factual, that the research was conducted legally (many laws explicitly allow exemptions for researchers), and that the paper is purely informational and not functional. If the paper were functional, then it might be interpreted as being restricted by the various laws.
But then, as other posters have said, if a student or university does lose money due to this flaw (which is likely) then they can take it back to the company and sue it for not repairing or disclosing a fatal, known flaw in their systems.
[sigh]
Maybe someday we will be free from the IP garbage that has been spewed out over the past decade. Or maybe we'll get a utopian world where everyone will be honest and do the 'right thing'. No more need for security systems, and software flaws will be presented, evaluated, and repaired quickly...
frob.
//TODO: Think of witty sig statement
There are 2 things geeks in college have in abundance: free time and the want to break things. Now that every geek with a heartbeat and a B0x0rz knows there IS a flaw in this card system then they can go ahead and track it down on their own. Free access to EE labs is a beautiful thing. Let's wait and see how long it takes before they are ripped off to the tune of a couple million dollars.
I almost agree with this post. Almost.
Let's bring this into the physical world rather than the ethereal world of bits and bytes.
Stealing cars is illegal. I don't think there's any debate as to whether or not it should stay that way.
Figuring out how to break into cars and publishing that information is not illegal. (Well, it might be now undere the DMCA.) Especially if Ford makes a car that all you have to do is pull the handle four times real fast, or kick the corner of the door while pushing down the right spot, or some other reasonably trivial method to open a "locked" car.
Such information (how to, and how easy it is or isn't) on breaking into cars is valuable to consumers. They can choose to buy a car from a different manufacturer. They can install an alarm system. They can move to a safer neighborhood where they don't have to worry about people breaking into their car.
The same holds true in the digital world. If I as a consumer put some level of trust in a security system, I want to know how reliable that system is. In this specific case, if Blackboard's security is very weak, then I'll make sure never to have more than $100 in my debit account; as a school, I'll put cameras up to catch students stealing sodas with bogus cards, etc.
The bad guys out there WILL exploit any and all security holes they can find. As a consumer (whether a business buying an enterprise wide security solution, or a soccer mom hooking up to the Internet) it is in my best interest to know that people are out there actively trying to break anything that claims to protect me.
The act of breaking into someone else's machine, or using a bogus ID to steal products, is still illegal. And should be. But people need to know how easy it is or isn't to bypass any security measure so they can make an informed decision how far to trust that measure and what additional measures they may wish to employ.
- Jasen.
Tim Robbins and Martin Sheen seem to think so. As did the Dixie Chicks, but they learned better.
"You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
So which one of your examples is this? He's not yelling fire in a crowded theater... He originally tried to tell the company their theater was on fire, and when they refused to give a damn, he decided to tell the people inside the theater about the fire.
That's when they Cease and Desisted him, and told him that the burning theater was their little secret.
Personally, I'd wanna know, but hey, I'm obviously not normal. Stay asleep if you want, everybody. It's still a free country - but you better check back with me tomorrow just in case.
----
www.whatreallyhappened.com is interesting.
I go to Cornell University. I have one ID card that swipes *everything*. Access to dorm hall. Attendance count at mandatory lectures. Meal plan. Laundry account. Snack/soda machines. Credit card.
Some people have been asking "what 'University approved network'" in other posts. At least here, we've got an account tied to our cards called "city bucks" that lets us spend a declining balance at local off-campus restaurants, and I think a couple supermarkets too. While City Bucks is Cornell-specific, I'm sure other universities have similar things.
I think there are other accounts too, but I forget them. The point is, I'd like to know if I should complain to someone in administration.
Anyway, we have a server with the Blackboard Courseware website software on it, but that doesn't mean we've got their card system too.. but how can I tell if we do use their card swiping system? (There isn't a logo on my card that would identify it as any particular brand.)
They did - or more precisely, Acidus did. This is not the first go-around with Blackboard. Read the FAQ. The first time he published the exploits of Blackboard, they stonewalled him, all the while claiming to their customers, "Anyone with half a brain knows these exploits aren't possible." The only problem was that most of their customers had full brains - and understood that Blackboard was bullshitting them (and contacted Acidus directly to confirm this).
We use Buzzcards here at Georgia Tech. It's been the experience of me and most people I know that the cards are only used for laundry, dining hall meals, and admission to athletic events and facilities. This is the first I've heard of any flaws in the reader system, but to be honest I don't think it affects people too much. There doesn't seem to be many places for students to put money on a Buzzcard, and when someone does, it's usually just enough to do wash their clothes this week and maybe get some snacks from the food court. I just don't see it as being a big issue.
That being said, I don't think that threatening these folks with the DMCA and acting like the situation doesn't exist is the best possible way to make things safer. Hopefully situations like this can help get part or all of that legislation thrown out.
the coolest club on
You mean a company that creates a software system for financial and student transactions doesn't want an open forum on the security flaws contained in that software to be discussed on campus? What utter tyranny....
If I were a student on that campus I wouldn't want people openly talking about the system's flaws. I wouldn't want people cracking the system and tampering with any of my information that it contained - ESPECIALLY if this thing controls my meals, my dorm room and my exams.
Also, if I were the genius that found all of these system flaws, I would use it as a marketing opportunity to apply for a job at the company that wrote the software, supplying them with a detailed description of the problem and a proposed solution.
Why must this whole thing be so combative? Why is it so critical for this public forum to be held? If you find problems with the system, go to the company about it, not the public.
"On the Internet, nobody knows you're a dog!" - a dog
Actually you are allowed to yell "fire!" in a crowded theater, provided there really is a fire.
So yelling "that card system is insecure" might be considered bad were it not actually true.
And you are allowed to threaten people. Lawyers threaten people all the time using cease and desist letters.
Coding Blog
Seriously though. Does it ever occur to people that sometimes they have to FIGHT to get things their way? Not fighting in the sense of a debate-club discussion, but rather a nasty bar brawl; you are gonna get hurt a bit, but [hopefully] the other guy gets hurt more.
How did civil rights come about? Did Martin Luther King bitch to his fellow oppressed on the local bulletin board (ahem), write a congressman, and then go home? As I recall, he spent more than a few nights in jail, and eventually got shot to boot.
I'd rather be an insurance guy or something similarly boring then spending part of my life in a 4x6 cell, or even living in fear of same.
Well instead of a 4x6 cell you can have a 100x100 subdivision in some godless plastic suburb somewhere. You'll be safe there, have a fun life!
-----------
Together, we will drive the rats from the tundra.
Here is the info on the lawyer that wrote the letter: Gregory S. Smith Counsel, Washington Office 202.383.0454 gsmith@sablaw.com Bio at this page And Blackboard corporate communications: Michael Stanton Senior Director, Corporate Communications Blackboard Inc. Ph: 202.463.4860 x305 FAX: 202.463.4863
If I recall, the RIAA/MPAA cartel tried the same shit on Dr. Felton didn't they? Then they dropped it when he cancelled his talk and sued them. That went to court and the judge threw it out claiming "No harm done". It seems to me that I see a pattern happening here. Big companies are abusing the DMCA by threatening to sue, which clearly abuses the Educatuional exception that Congress put into the DMCA. Then, once the talk is cancelled, they say: "OOPS! we goofed...we were never planning to sue you!" THEN the court agrees with them. The problem is this is a variant of the "shoot, ready, aim" philosophy. This stuff they're pulling is a dangerous incursion into free speech....but then again, free speech means NOTHING in the Post 911 Bush dictatorship!
Seriously. If these people felt so strongly about the flaws in this system to hold a public seminar on it, why did they backdown when they got a letter? They should have held the seminar anyways. They might go to jail, but think of what they could accomplish.
1) Get the information they wanted presented to the public.
2) Get media attention
3) Bring the insanity of the DMCA to the courts.
T Money
World Domination with a plastic spoon since 1984
We had the Onecard system at my school. Best hack we found was with the printing system. Insert a card with $30 on it in the machine toy print for $0.10 say this is my print job, wait for it to read amount on card. take out the card and put in a card with $0 on it. hit yes to print. $29.90 will be wrote to the card. Everyone I knew had $100 on the card in no time once we "borrowed" a profs card. We also got to print at half price by taking a copy of his card.
People also spent time sniffing the one card network, but as far as I know no one had found anything interesting yet. this was 4 years ago, so I'd assume the entire thing is solved by now.
Hmm... Can't use fighting words or threaten people? And what, pray tell, is the content of that Cease and Desist letter. Sure sounds threatening to me.
On the other hand, claiming that your product is "safe and secure" when it's easily provable to be otherwise would seem to violate any number of state and Federal statutes long on the books before the advent of DMCA, etc. I'd think that you could at least make a reasonable case for several flavors of fraud.
Any REAL lawyers out there to comment on that?
Reminds me of an episode in "Surely You're Joking, Mr. Feynman!": Adventures of a Curious Character. Richard Feynman pointed out problems with security of file cabinets containing secret documents at Los Alamos. The "solution" to the problem? Easy! Keep Feynman away from the cabinets!
RTFA
This is not about protecting the students. This is about Blackboard being too lazy/stupid to fix a flaw that they know about.
Acidus has tried since 2001 to get them to fix this. I'm pretty sure that if I dropped my credit card in 2001 and you told me about it, I would have things fixed by now. By this point, it is obvious that Blackboard is being negligient and is thus putting students at a greater risk.
To put this all in context for you, my school uses Blackboard for our grading system as well as dining services, housing access, etc. I know for one that I am NOT happy about this C&D and feel much less safe now.
On a lighter note, you know the worst damn part about this? We are a stupid Pepsi campus so stealing from the vending machines is pointless!
Really? How do you know a user's intent? It's been established time and time again that you DO NOT need to decrypt the content of a DVD to copy it. What is inherently illegal about a software DVD player that isn't part of the DVDCCA cabal?
The main page:
http://216.239.37.100/search?q=cache:aCrSrlgFxsYC
Text document covering network infrastructure, database, servers, etc. for blackboard system:
http://216.239.39.100/search?q=cache:fM1kWpR_dbQC
These are the old cached ATT webpages, full of Technical details Blackboard wished weren't floating around:
http://216.239.37.100/search?q=cache:www.yak.net/
Acidus' card system FAQ:
http://216.239.37.100/search?q=cache:www.yak.net/
Creative use of cut and paste within the google cache should let you hit any of the other links within those pages that you may be interested in.
As a US citizen, I'm depressed (I should be outraged) at this sad state of affairs. However in-your-face this particular presentation was to be, the stated goal was to expose the flaws of the system through hand-on research & controlled experimentation. Research. It was NOT to distribute hacking tools for actual implementation to facilitate illegal or illicit purposes. But ballsy kids in an academic environment who want to improve the technology and processes that surround them? They're stymied by corporate protecionism ensconsed in federal law. That's sad. It's wrong, immoral, and ultimately ineffectual. But the real tragedy is that it depresses the level of creativity in academia and creates fear for those that think too hard.
As a security professional, the fact that any cheeseball company can successfully hide their shoddy product behind a federal law is an embarassment. It induces even more cognitive dissonance when I work with federal and state goverment security staff who are well aware of good security principles, and then think about laws such as the DMCA which are diametrically opposed to known-good principles of improving security technology and processes.
It's a lose-lose proposition: News of an exploit always gets out, and is propogated fastest within the community which has little fear of the DMCA. But invocation of the DMCA causes relatively-innocent people -- those that were willing to stand up and state their names -- to tremble and retreat. As I said: it's wrong, immoral, and ultimately ineffectual. I spend my days educating people about the dangers of security by obscurity, and exposing the risks associated with snake-oil solutions such as Blackboard's "secure" transactions. I'm doing my part to educate as many people as I can, but with Grand Moff Ashcroft at the legal helm of the country (and with US federal/foreign policy changed to match the prosecutorial principles of "pre-crime"), I'm afraid it's like spitting into the Mojave.
The first time that some predator clones the card of a victim (or a patsy) in order to gain access to a building and rape/murder someone, I wonder... Will the appropriate law enforcement be able to effectively investigate/prosecute such a crime if the computing research community is prohibited from supporting them? Would Blackboard be content to sit on known security flaws and let a patsy get convicted? Again: wrong, immoral, and ultimately ineffectual. It ought to be illegal to *withhold* security flaws, at least from those who depend on/are subject to them. Feh.
J
I think not...(*poof*)
I must be missing something. Has a lawyer sent them a cease and desist letter? Or has a restraining order been granted against them by a court?
Because, all the links point to a cease and desist letter, which are as cheap as lawsuits in the United States. Any schmoe can send a cease and desist letter. Hell, I could send CmdrTaco a letter claming that the space aliens he keeps in his laundry hamper are interfering with the workings of my tin-foil reflector beanie. You certainly don't have to do what the cease and desist letter tells you to do, any more than I have to follow instructions from the little voices in my head. Sometimes the little voices in my head give me good practical advice, like "change your socks." But you would be a fool to follow the advice of either the voices in my head or a random lawyer's cease and desist letter without question.
But, I understand a restraining order as an entirely different thing. A restraining is handed out by a court, and unless you're fond of the inside of jail cells you would be well advised to follow it to the letter.
So, did these people actually get a restraining order against them? Or is this just another badly misleading slashdot article?
Slashdot is jumping the shark. I'm just driving the boat.
You can't lie under oath.
You can be sued for libel and slander.
Lying in a contract is a no-no.
Making false claims in ads is frowned upon.
Yelling FIRE in a theater is not in the cards.
The Secret Service will come after you if you make threats against givernment officials.
What part about make no law don't you understand?
Infuriate left and right
An informed public is necessary to maintain ones freedoms, but i guess we already missed the "informed public" boat too early to avoid draconian laws like the DMCA anyhow.
Now that most people get their information from TV, the notion of an "informed public" has ceased to exist. For example, to attract ratings, Headline News now has some sort of worthless "Entertainment Tonight" segment, constant mentions of "We're the most trusted name in news", constant interruptions to learn that Jessica Lynch brushed her teeth this morning, and on and on. If I watch it for more than five minutes, I get angry at how absurd "news" has become and turn off the TV in disgust.
There's a reason Homer Simpson gets so many laughs...it's because he's so damn accurate, anymore, that we are laughing at ourselves!
Healthcare article at Kuro5hin
There was an article in 2600 about 4 issues ago that had complete details on this system I believe, and how to hack into it.
If I can remember which issue it was I'll post it here. If anyone else remembers, feel free to remind me. I remember though it basically showed how with no effort the system can be cracked.
** To avoid DMCA lawsuits, etc. I did not write this article or am involved with it's creation whatsoever. **
~ kjrose
How did you find out that the system used was Blackboard?
Look for an AT&T or Blackboard logo on the devices that you swipe your ID through. (Soda machines, POS terminals, dining halls, copy machines...)
My university (University of Missouri) has TONS of these things. And most of them are totally unsecure. The RS-485 lines are there, ripe for the picking. I've seen many soda machines and copiers, many in low-traffic areas, simply plugged into an RJ11 jack in the wall with no conduit protecting it. It's ridiculous.
On the contrary: what we see here is a moral innovation -- an attempt at creating new and nontraditional codes -- which severely contradicts several established, traditional moral codes.
One of those established, traditional moral codes is called freedom of speech. It holds that it is morally wrong for those in power to restrict others' telling of the truth or proclaiming of beliefs. It does not authorize just any speech: for instance, false speech such as slander is beyond its pale. However, to threaten a person with prosecution for stating the (ugly) truth violates this moral principle.
Another moral code violated here, more recent but still established, is called the public's right to know. It is similar to freedom of speech: it holds that it is morally wrong to allow those in power to hold the general public in a state of ignorance for private benefit. The Blackboard company is in a position to benefit from the public's ignorance if it is not held responsible for its violation of its clients' trust by selling them vulnerable software. If it can suppress the fact of the vulnerability from public disclosure, it is gaining an immoral benefit. Those capable of denying it this ill-gotten gain are obligated to do so.
An instantiation of these moral codes online, a recent but also well-known moral principle, is called full disclosure. It holds that since the harm to the public caused by ignorance of security problems outweighs the harm caused by their exposure; and since vendors such as Blackboard must be prevented from benefiting from the public ignorance; that those who discover security flaws should reveal them in a responsible fashion to the public. One step of this disclosure is to notify the vendor; but when the vendor refuses to take moral responsibility, it is fully acceptable and desired to go to the public with the full and ugly truth.
To advocate protecting the Blackboard company from its responsibility to its clients (universities and students) and the general public is not a moral position. It is precisely an amoral one: one which defends the status quo, or the position of an entity with power, against justified moral claims by others. Please refrain from standing on a pseudo-moral high horse when you are in fact advocating "might makes right" and damning the public's and individuals' rights.
The first time someone uses the exploit to commit a rape or murder, the kneejerk reaction of the corportation will be to point at the students who knew the exploit and told officials about it as the scapegoats.
"They told us that we didn't leave our door locked, since naturally it was intrusive to check our door to see if it was locked (even though it affected the security of the people telling us) we told the students to scram and forbid them to tell anyone that our doors were open. Unfortunately yesterday we had a sad epsiode on campus where someone entered through our unlocked doors and commited a heinous crime, sadly the conclusion to be derived from this is definite - those infiltrators that went checking our doors must have relayed the information to their despicable accomplices. The University declines any assumption of guilt or failure of any kind. Thank you."
Face it, people suck and they don't ever stop sucking. The world is run by imbeciles to protect imbeciles, and the intelligent are their favorite food group unless they are creating more ways to create morons or joining the pack in their cannabilistic orgy of idiocy.
Wow, you have no idea what you're talking about, do you?
The problem with your examples (all of them) is that you assume that what is obscure remains obscure forever.
The problem with obscurity as a primary means of security is that too many people know things, and the odds on one person speaking out of turn or being duped into revealing a secret is non-trivial. Take, for example, the cases of Kevin Mitnick. He got a lot of his information about unlocked PSTN switches by calling up the maintenance centers for Sprint or whatever and impersonating a repair person in the field.
I'm sure the security at Fort Knox is well understood ("simple" circuits, cameras, and locks). If you ask me, the fact that it's a real fort with lots of troops around making it kind of hard to, for example, sneak in a truck or dozen that you'd need to cart of gold (it's kinda heavy :) ) has more to do with the fact that there hasn't been a break in.
The point of the anti-obscurity argument is that relying on obscurity as the main means of security a system is almost never effective against a determined attacker, because obscurity can be eliminated. Systems designed in the light of day, or at least with collaboration outside of a single interested entity, tend to be more secure because it eliminates those "in the know" short cuts.
Sujal
politics, food, music, life: FatMixx
At my school, the recently mentioned McMaster University, our residence meal plan could be used at local restaurants which had a deal with the Univerisity, like East Side Marios, Pizza Hut, and equivalent places.
Thing was, while they were mainly restaurants, some of these restaurants had bars in them, and we found early on that the system did not discriminate between what one ordered from these places.
So basically, one could use mommy and daddy's meal plan money. I think they eliminated this loophole since my first year, but it was good(by which I mean very very bad) while it lasted :)
In this case, as in mine, the card number would be the "access device" and the computer (or even a laundry iron) would be "access device making equipment." Since this is a computer network one would also be well advised to read 18 USC 1030, which deals with computer hacking. Did you ever wonder why the phone company hands out cards in the first place? It was to promote the idea that phone card phracking was the same as making your own Visa card (the original intent of the law.) Why else would they embose your phone number on a slab of plastic when there was never a valid reason to run it through a credit card imprinter?
-- I have a private email server in my basement.
Well, if they can convince the ATMS on the campus network to dispense funds through the security hole, they can afford lawyers.
"I'm not impatient. I just hate waiting." - My Dad
I go to a school in the northeast that relies heavily on Blackboard. (I also work computing support here, so I know what a pain it is on the backend, but I digress.)
Oddly enough...I had a discussion about this with a CS prof a while back. Turns out he and another tenured prof figured out how to make all the vending machines (which are on the card) spit out free stuff by using a card with purposely malformed data.
This worked so well that the machines would dispense free stuff until somebody came along and unplugged/restarted them...
But anyway, if Blackboard wants to, two highly respected, published CS profs could be prosecuted under the DMCA.
Another problem popped up a couple years ago that never became common knowledge: if your account balance was between 0 and $0.05, you could buy as much as you wanted, and your balance would never change. I'm not sure if that was a Blackboard bug or something else we did here.
Another one of those through-the-grapevine stories that I suspect is true--the host "machines", whatever they are, for the locks operated by these cards communicate via TCP/IP with a central server. Last year a CS student figured this out and started sending a variety of packets at one of the hosts, crashed it, and summarily locked 200 students out of their dorm.
Ah, Blackboard, how I love thee.
And I've just committed multiple crimes under the DMCA, I believe...
After we went public, the admin. apologized, but said this was not a security risk because each student's account was protected by not only that 9 digit (now public) number but also a 4 digit numerical password. This didn't make me feel very secure. The ID + passwd combination was used to add/drop classes, find out grades, administer financial aid, etc.
The cards themselves were made by AT and T; you could put money on them over the web using your credit card, then buy food, etc.
just the fact that we now know the Blackboard system is flawed is enough for someone to take advantage of the system, so DMCA really didn't change anything, sure they prevented the information from being widely distributed, but now others may become curious and hack the system the same way they did.
/. and other news organizations had DMCA not stepped in. Now there's millions more people out there who know the system is flawed, and perhaps thousands with the knowledge and determination to hack the system for (essentially) free money. I've seen kids hack systems for much less incentive, so no doubt Blackboard is very appealing.
So, in effect, DMCA really didn't do anything. Actually DMCA made it worse, since this information probably wouldn't have shown up on
The DMCA just fucked itself. Should have just kept DMCA out of it, let the news lauch quietly, then the owners of Blackboard could have announced a "patch" a week later. Even if there wasn't a patch some people wouldn't bother attempting to hack the system after hearing a patch was made.
my karma will be here long after I'm gone
Most of the card reader systems used in arcades (a-la Dave/Busters, Gattitown, et al) use a RS-485 network as well.
When these units need to be repaired, they are plugged into a "dumb server". This server basically takes ANY card input, and sends back an "OK" to the reader to allow it to start up a game.
The only critical knowledge needed is the location/site ID code the reader is setup for, and (obviously) the format that particular manufacturer/provider uses for their network.
I can't imagine it would be difficult at all to do the same thing for a coke machine, or any other device, on a CampusWide Network.
- litz
In 1997, after four years of research, a French cryptographer, Serge Humpich, found a flaw in the widely used French smart card, which requires owners to type a PIN on a payment terminal for all credit card and ATM transactions. He found that 1.the PIN was verified by the chip on the card, 2. some terminals didn't really check what chip they were talking to, and 3. If the chip told the terminal "yes, the PIN is right", the terminal would blindly accept the confirmation and allow the transaction. Such a card is called a "yes-card"
Humpich contacted the Carte Bleue consortium, an association of 200 banks managing the French smart cards, and told them about the flaw. They refused to believe him. So he made a yes-card out of spare parts and went to a Parisian metro station. There, he bought a few metro tickets and send them, along with the payment receipt, to the Carte Bleue people. They immediately contacted the police.
Humpich was arrested in September 1999 and jailed for several months. In 2000, he was given a suspended 10-month jail sentence and a $2600 fine. All his equipment and documentation was confiscated. Now he has a criminal indictment that bars him from a number of jobs.
Of course, the French and US laws are different. But if anything, I suspect a US court will actually be harsher, especially now that the DMCA has been used in several precedents. Heck, the DMCA makes it almost mandatory to jail you if you figure out a way to program your VCR without reading the obviously encrypted documentation!
So I really don't think it's a good idea to show the problem exists. Blackboard knows, the people who selected them as a supplier know, and if you show them that they're effectively slobs, they'll crush you to cover their asses.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
here's the contact info for the lawyer who sent the cease and desist letter.
http://www.sablaw.com/profiles/bio.asp?ID=00003
I sure hope this won't diminish the spirit of the young researchers out there. These kids are building our future whether we allow them to or not. Stifling their growth will only give us a dysfunctional future.
US Democracy:The best person for the job (among These pre-selected choices...)
Maybe that's how police states work in your native, ignorant, Hollywood view of the world. In real life, police states don't usually bother with beating people up--it's way too much effort--and it's not necessary. They control people through implicit and subtle threats to their liberty, livelihood, and privileges, as well as similar threats to their families. They only resort to force when people absolutely don't comply--but so does law enforcement everywhere.
You don't agree with the party line? Sorry, you or your kids can't go to college. You don't return from your trip abroad? Well, to compensate the state for your misdeeds, your home will be confiscated; too bad about your family. In some areas of US law enforcement, it's getting frighteningly close to that (drug seizures, computer seizures, etc.).
Police states aren't anarchies. They operate orderly and according to laws, they just happen to be laws that limit freedoms excessively. And it's very easy to move from the rule of law in a free society to the rule of law in a police state.
"A commercial, and in some respects a social, doubt has been started within the
last year or two, whether or not it is right to discuss so openly the security
or insecurity of locks. Many well-meaning persons suppose that the discus-
sion respecting the means for baffling the supposed safety of locks offers a
premium for dishonesty, by showing others how to be dishonest. This is a fal-
lacy. Rogues are very keen in their profession, and already know much more
than we can teach them respecting their several kinds of roguery. Rogues knew
a good deal about lockpicking long before locksmiths discussed it among them-
selves, as they have lately done. If a lock -- let it have been made in what-
ever country, or by whatever maker -- is not so inviolable as it has hitherto
been deemed to be, surely it is in the interest of *honest* persons to know
this fact, because the *dishonest* are tolerably certain to be the first to
apply the knowledge practically; and the spread of knowledge is necessary to
give fair play to those who might suffer by ignorance. It cannot be too ear-
nestly urged, that an acquaintance with real facts will, in the end, be better
for all parties."
-- Charles Tomlinson's Rudimentary Treatise on the Construction of Locks,
published around 1850
There's a reason why these security-types choose to disclose this stuff. Let's use an analogy here. Let's say the turnstiles in the subway (you know, the little things where you put the token in, and then it makes the little bar let you through) will just let you through without a token if you give them a fairly solid nudge with your thigh. This is because the turnstile company is making shitty equipment and charging a bundle for it. As a society, we can let the turnstile company slap lawsuits on anyone who is talking about the crappy turnstiles, or we can force them to fix the damn turnstiles. Clever people will figure it out for themselves, regardless of whether it's disclosed to society. Would you rather people stealthily stealing trolley rides forever? Or would you rather have the company who made the shitty turnstiles take the beating? Sure, most companies want to be able to make crappy security and get away with it. They want to be able to threaten people who will make it difficult to sell crappy security, just like the rapist might like to be able to intimidate his victims into silence. Sure, when it hits the news that you can just get into the subway by pushing on the bar, no one's going to pay until they're fixed. Sure, if they hold this press conference, people are going to be stealing cokes (and worse) left and right. However, that's not my problem. It's the problem of the universities who didn't buy a secure product, and the manufacturer that didn't make a secure product. None of that is any reason for me to give up my right to freedom to peacably assemble, and freedom of speech. You can either preserve the ability of corporations to hush up flawed products, or you can preserve our constiutional rights. It's as simple as that.
But there is another kind of evil that we must fear most... and that is the indifference of good men.
...we used these two wonderful inventions called "keys" and "cash". I finished my MSc in 2000 so it wasn't that long ago either. All buildings were secure (the keys were of a type that key-copying shops couldn't duplicate) and I never failed to be able to buy a can of soda - provided I hadn't wasted all my money on beer and girls.
Bob
Listen to my latest album here
Threat and warning are similar. I would draw the distinction here:
The company has a choice whether it will prosecute the DMCA violation. This is not a capital crime where the state must prosecute. Therefore, the company's letter is a statement of "we will drop rocks on you" more than one of "rocks will fall on you."
Sigmentation fault - core dumped