Disclosure of Major Software Exploits by Students?
school-hacker asks: "I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide. Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and self-tested proof-of-concept exploit code. Naturally, I want to share this information with their software engineers, and would even be nice enough to suggest a means of fixing it. However, with the state of current intellectual property and reverse-engineering laws, I hesitate to do so out of fear of litigation or academic disciplinary action. As an ethical geek, what do -you- do?" While the responses to an earlier story might prove useful, here there is always the possibility of the university making things harder for the person reporting the problem. How can students avoid both legal and academic trouble when trying to notify their university of security problems?
be an Anonymous Coward for a day!
Better still, post the exploits here; we will make sure they come to know.
Siggy Say, Siggy Do
Don't forget to wear dark glasses.
Treehugger? Treehugger... Treehugger!
and help college students across America 'correct' their grades.
Allah thanks you.
comment about it anonymously
Your best bet is to do something similar to what you have done here. Submit the information to them via an anonymous channel, perhaps mailing a CD (which you handled using gloves, no less) with an explanation and machine-readable exploit code. You don't have to make it known that it was you, just that someone figured it out.
01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
Anonymously... no credit but at least the "geek ethics" are upheld
... You've earned it. :-)
Seriously, I'd take this slow. Perhaps writing something up in printed form and submitting it via snail mail would be smarter than having executable code lying around on a computer you own or have access to.
The Future of Human Evolution: Autonomy
Duh: anonymous email with a threat to go public.
Like the big boys do it.
You could always try approaching your advisor or some other trusted faculty member.
...anonymity is the key. My crystal ball (i.e. an application of Murphy's Law) states that if you try to formally inform the universities of the flaw, you'll get hushed up, blamed and generally busted. Just write anonymous letters to the companies who develop the software and the universities about the problems. If they don't take action, then feel guilt-free about giving yourself arbitrary scores. Remember: if you don't get caught, it's not illegal.
Bash script for FP whores
Posting anonymously to a mailing list like bugtraq could help but it could also mean that it could fall on wrong hands. What about just an anonymous report to the software company that developed it?
--- I w00t, therefore I'm l33t.
*looks shady* You can trust us!
Michael "Hughesey" Hughes
Head Editor/S
The best approach to a security "evaluation" is to ask the admins responsible for permission first. This lets them know that "something" might be going on soon so if they detect your attempts they won't panic and send the cops to your house/dorm room.
This also makes it obvious that you were really trying to help find/enhance security rather than just hacking into the system for your own benefit.
You send me the code.. and I will "examine" it to see if it would be legal. I'll get back to you about it after next semester? :D
Release the code to script kiddies. They will get the word out of the security holes....
This is probably having to do with "blackboard" software, i.e. learn.vt.edu.
This software tries to be everything to everyone, and all most teachers use it for is posting grades.
It doesn't surprise me that there are bugs in it, though. There have been several show up on astalavista.box.sk, and those were fixed, but the design of the program doesn't strike me as being particularly sound.
~Will
sig?
Better don't do anything, or send it to the company anonymously. With the current state of affairs, you might get in trouble, and it's certainly not worth it. Besides, it's their job to find their bugs.
Find someone who will or is better able to the local student newspaper.
Grab a reporter, show him it, let him follow up.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
.. I wouldn't like my name to be published, because my grades would drop significantly.
By releasing these exploits, I am merely getting rid of any competition - people get suspicious, when many students get very good grades.
Best parts I will still be keeping to myself, excluding the backdoor I've written in the proof-of-concept code.
You gotta at least tell us how to do the exploit! Some source code, or a step-by-step guide, or something, just don't tempt us and then leave us hanging like that! Dude!
if the school gives you a hard time, just change your mark to compensate for the hardship...
Go to a prof with your suspicions (but you don't know yet, how could you?) and get assigned to find out for one of your papers. You've already done the work, so it should be an easy grade.
You could try just e-mailing the software company telling them to look for some bugs without being specific. If they don't, their loss.
I would advise not bothering,
since it is not worth your effort to help anyone
who would be such a "class-act" as to give you trouble for your efforts instead of praise.
If you wanted to, send them a very carefully worded letter, stating that you may have reason to believe there is an exploit, but you are not certain, and that you would have to know in detail how they would react to:
1. You having found an exploit
2. You having found a fix
3. You submitting the fix
And if they send a nice reply, get something in writing before helping them.
I'd anonymously email the company that develops the software. Get a free hotmail account or some such and send them a full disclosure of the exploit with proof of concept code all in the body of a plain-text no attachment email.
Hopefully it gets someone's attention, it gets patched, and admins at schools apply the patch. Will you get credit for your findings? No. Will you stand a chance at getting the hole fixed without any real fear of retribution? Yes.
-----
That's a good way to look at the world. Why'd you post this advice to the story? What's in it for you?
Just write a nice e-mail about how you happened to find the exploits. I did this with some security focused database software. I got an e-mail back with a lot of thanks (no money), and a few weeks later they released a fix. Of course, I'm not in your position, the place where I work is interested in buying the software, so making the product better helped me, right? Plus I got golden contacts. My feature requests get more weight. It's how you want to handle it. I doubt there will be litigation involved, especially if you present the case as a way of helping them... if you hold them for ransom, well, you can expect to hear from the law.
I was almost kicked out of college when I discovered a flaw in the online grading system.
whats in it for him? higher test scores of course!
Unfortunately the law is set up so that you're nearly as likely to get in trouble for reporting a problem as you are using it for personal gain, so from a cost-benefit perspective, one might argue that it's better to keep the secret for your own uses.
on newsgroups, slashdot, the inquirer, and of course a mass mailing to all the students on your college campus.
;-)
don't forget to do that last one anonymously.
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
The best way to anonymize yourself would be to go to a web cafe and rent some time (with cash!). Set up a new Hotmail/Yahoo account. Post to Bugtraq (or whatever mailing list) and the maker of the software. Then walk away from the computer and completely forget about the account.
:)
(P.S. Don't forget to wear gloves so they can't lift your prints from the computer keyboard.)
Print it out 4x, put each in an envelope, no return address, send it to the provost, the IT head and the CEO and chief engineer of the company that makes this thing. Demand nothing and tell them it's simply FYI. Hard for four people to keep a secret - you'll get action somewhere. Keep a copy in case nothing happens. No harm, no foul. It's just doing the right thing for no gain.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
you go to slashdot and brag about it.
I passed the Turing test.
You choose a different nickname from "school-hacker" :-)
Since you've tested it...
Be afraid. Whatever you do, do it anonymously, and do _not_ take advantage of it. Especially since if you do anything really noticeable, they will trace it to you.
If your university has an academic integrity board and some sort of code of conduct, you're probably afoul of it. Forget everything you know about due process. It doesn't work that way in Universities. You are not tenured, you are not a delicate flower that needs to be nurtured. You may be run out on a rail.
Your best bet may be to anon-email it (not from campus) to a full disclosure list, and hope that the white hats find out before the blackhats.
Give the company a call. Hear what they have to say about a hypothetical situation where a student wants to examine their program for security problems and then wants to report his/her findings back to the company.
If they give you that reverse engineering, IP crap. Post it anonymously somewhere.
If they're cool, then the next step is to approach your college with the same question. Repeat previous step. Just be careful not to get your weenie whacked!
Tell them that you know how to do it and refuse to give them the details unless they can provide you with federal, state and local documents guaranteeing that you, your friends, and your family will not be prosecuted now or in the future for any illegal activity relating to this exploit, exploits of other academic software, or exploits of any software relating to anyone who ever attended college or anyone who knows someone who attended college. Be sure to specify that Arab Americans cannot be excluded from these guarantees.
Also demand that the school indemnify you against any civil actions. While you're at it, you might as well require a statement that no military action will be taken.
Finally, offer them your consulting services at $500/hr, minimum 10 hours.
Disclaimer: IANAL, BIPOOSD (but I play one on /.)
...use it to your advantage, muhahahaha!
...change your grade to give yourself an "A" in gym
Was that the purpose of your assignment? Do you believe that by any means such creative work will be tolerated? I doubt it. Keep your mouth shut and get on with what you are supposed to do. Be sure that you haven't exercised your exploits on their system, or by any means had such thoughts.
Of course, that's your arsehole, and it's for you to decide how long you're planning to keep it tight.
Don't try to be a Sklyarov wannabe. Pick up others and not losers like that fuck. By the way, what a fucker, eh? Instead of contacting the right people directly he tried to become DefCon's celebrity.
As much as I would love to say go tell someone and show that there is a fault. Just the fact that you know about it might implicate you and make any of your marks in suspect. University bureaucracies are known for making stupid decisions.
If you can send something anonymously then I think you have done what you can.
Don't jeopardize your future over a good deed.
Also: what do you have to gain, aside from some kudos? You have far more to lose if someone takes what you do the wrong way.
Remember: Good deeds don't go unpunished.
Being a member of the security scene (not a very skilled member but I'm tryin'! ;) ), the standard way would be to email the vendor. If you want to do it anonymously, PM me and I can set you up a POP3 account ;)
Briefly state the issues, and the holes, how the exploit works, and inform them that if no response is made you will forward the exploit and the security brief to the proper mailing lists.
It is law in California now that any security breach must be made public so just remind them of that.
Normally they will respond asking for further details; forward them your proof-of-concept and again warn them that if corrective measures are not made you will announce it publicly. It should result in a patch, in which case make your findings public with information on how to patch or where to obtain the patch for the software.
If all communication fails there are the [FULL-DISCLOSURE] and the [INCIDENTS] mailing lists. Again, if you are worried about your school and/or IP laws the best thing would be to spoof an email to the lists (if it comes down to that) or use an email account that your name IS NOT attached to. Most companies will thank you for informing them before going public, and it is the right thing to do =)
Also try digging through your AUP and TOS for the network at school; in there it may state some legalities about breaking into systems, hacking, sniffing, etc.
If all else fails, forward your finding to a trusted source, and have them take the actions required. Remember you are not required by any law to make your findings public, so if you really feel uneasy just forget about the whole thing.
While young and inexperienced (read University student) how many of us were sure we'd found major bugs and exploits?
Anything more embarrassing than being put on the right path (shown to be a dumbass) because there was never anything there?
I'd bet dollars to donuts that this "exploit" actually can't be compromised.
You could always pull a frame-up and have it look like a group of students pulled off the exploit. Or find someone that you really don't like, who doesn't like you, drop down your grades and accuse them of tampering with them.
In all seriousness we live in such a paranoid culture that there isn't really a right answer that anyone can give you. It's nice to see that someone out in America has a conscience but my paranoid mind is telling me that if a student came over and told me that there were exploits in the software, I would begin thinking that he might have done something about it. You might just try an anonymous note to the people in charge of the program.
I'm not a student anymore, and I could give a crap.. My company could use the press. go to my web site (in my sig), my address is listed. (424 S. Division Chenoa, IL 61726) send me a CD via snail mail, I'll copy it, destroy the original and contact the company in question.
meh
Most universities have a well-published Acceptable Use Policy. Before making any disclosures, become intimately familiar with this document. As long as you've done nothing to compromise this document, you should be on safe ground.
What would be their concern in punishing you? To dissuade every wanna-be cracker on campus from poking around the innards of the computer network. Though we all know security through obscurity does not work, your school does not want everybody trying to eliminate that obscurity.
When you compose your statement of disclosure, include a statement which argues for your concern and your compliance with the AUP. Cite it, quote it, and argue for your concern for staying within the published regulations of the University. So long as you have not used this exploit to your advantage and so long as you show concern for the things they are concerned about, you should be fine.
-jag
http://starboard.flowtheory.net/
Only tell the people that matter. Don't go to the director of the IT department and tell him/her that you can break into their system. They might not understand; they will just see you as a hacker, which could lead to trouble. Tell the net admin or someone that understands the problem and help them take the proper steps to fix it.
"The Internet is a fad" -WB --> Actual quote from an IT director BTW
A clever person solves a problem. A wise person avoids it. -- Einstein
One, don't notify the university directly. If you do, you create a political situation where they still have the ability to shut you up by putting pressure on you. Keep in mind, the university wouldn't make life hard for you because they're run by Darth Vader, they'd make life hard for you to keep you from disclosing.
Two, do notify the vendor, BUT use the disclosure guidelines provided by Rain Forest Puppy (called RFPolicy). This is the best template for fair and equitable disclosure I've ever seen, and I feel it's even a hair better than the policy put forth by @Stake (although theirs is pretty good too). Set up a hushmail account that cannot be traced back to you for this purpose, and proceed from there.
Three, do NOT disclose the proof-of-concept exploit code. Disclosing a vulnerability is enough, there is no reason to automate attacks that take advantage of it.
By the time the university knows anything, they will no longer be able to accomplish anything by making your life hard. Furthermore, you will be in a position of strength, having taken the high road in disclosure and given all parties every opportunity to protect themselves properly.
For your security, this post has been encrypted with ROT-13, twice.
I had this problem a while back with java.sun.com.
They were running a comment system that did server side includes. The URL pattern was
http://java.sun.com/foo.jsp?url=relative/path.inc
The obvious hack would be to enter a file: URL and see if it worked and sure enough I could browse through the whole file system as long as I knew the path.
Stupid Java engineers.
Anyway... I contacted a few VPs at SUN and just told them that I had discovered a severe security hole in their webserver and that because of the DMCA I couldn't report it.
They were quick to respond telling me that they WOULDN'T prosecute if i were to give them the security disclosure so they could fix the issue.
Most people won't care as long as you are white hat. If they freak out then don't reveal the information
Kevin
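The include bug described in the post above (a `url` parameter that is parsed as a URL, so a `file:` scheme reads any local file) is easy to reproduce and to fix. The following Go program is an added example, not code from the post or from Sun; it models the resolver in isolation rather than touching the file system, and the include directory `/var/www/java/includes` and the `.inc` extension allowlist are assumptions for the example. The vulnerable resolver sits beside a hardened one.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// includeRoot is the directory the include handler is supposed to serve
// from. The path is an assumption for this example, not from the post.
const includeRoot = "/var/www/java/includes"

// resolveVulnerable reproduces the behaviour the post describes: the url
// parameter is parsed as a URL and a file: scheme is honoured, so the
// handler will read any local file the web server can open. Relative
// paths are joined without confinement, so ../ traversal works too.
func resolveVulnerable(param string) (string, error) {
	u, err := url.Parse(param)
	if err != nil {
		return "", err
	}
	switch u.Scheme {
	case "":
		// relative include, the intended use, but ../ is not stopped
		return filepath.Join(includeRoot, u.Path), nil
	case "file":
		// arbitrary local file read: file:///etc/passwd works
		return u.Path, nil
	default:
		return "", errors.New("unsupported scheme")
	}
}

// resolveHardened accepts only a plain relative path made of safe
// segments and pins the result under includeRoot.
func resolveHardened(param string) (string, error) {
	// A colon would introduce a scheme, a backslash is a Windows separator,
	// NUL truncates paths in C-based runtimes, a leading slash is absolute.
	if param == "" || strings.ContainsAny(param, ":\\\x00") || strings.HasPrefix(param, "/") {
		return "", errors.New("absolute path, URL scheme or control byte rejected")
	}
	for _, seg := range strings.Split(param, "/") {
		if seg == "" || seg == "." || seg == ".." {
			return "", errors.New("empty or dot segment rejected")
		}
	}
	// Extension allowlist: assumed for the example, the real handler's
	// expected suffix is not given in the post.
	if filepath.Ext(param) != ".inc" {
		return "", errors.New("only .inc includes are allowed")
	}
	// Rooting the cleaned path at "/" before joining means that even a
	// traversal that slipped past the checks above could not leave
	// includeRoot; the Rel check is a second line of defence.
	full := filepath.Join(includeRoot, filepath.Clean("/"+param))
	if rel, err := filepath.Rel(includeRoot, full); err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", errors.New("path escapes include root")
	}
	return full, nil
}

func main() {
	for _, p := range []string{"relative/path.inc", "file:///etc/passwd", "../../etc/passwd"} {
		v, verr := resolveVulnerable(p)
		h, herr := resolveHardened(p)
		fmt.Printf("%-20s vulnerable=%q (%v)  hardened=%q (%v)\n", p, v, verr, h, herr)
	}
}
```

The hardened version deliberately rejects `..` rather than silently remapping it: a request that tries to traverse is a signal worth logging, not something to quietly serve from the wrong place. Anything that reaches `Rel` should already be safe, so a failure there indicates a bug in the earlier checks rather than a normal error path.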
so be careful. Maybe you better just send them 699.99 right now to cover yourself. Then you'll be free to do what you want with it, without the fear of litigation.
As an ethical geek, what do -you- do?
Duck to avoid the cameras that are watching you in the university computer cluster. And, once you've released it, cover your ass. Releasing it to responsible parties is the "right" thing to do. Just don't expect to be appreciated.
Here is some advice..
Remember you will be dealing with two or three groups that have different motives for their existence; i.e. the IT group of your college, college management, and the software vendor...
You do not have enough power or pull to report this on your own and should not do so as it would put your college studies in danger; heed this warning!
What you need to do is find a tenured CS faculty member that will be a guinea pig for a blind computer experiment... blind in that he or she does not know ahead of time the directions you will be giving...
The directions must be in the form of questions of:
What happens if I do this, what will occur... in other words you are leading the faculty member on the trail of discovery...
Once they get to the end it is then their responsibility for reporting the security hack and thus your college studies are protected...
Don't Tread on OpenSource
I would definitely talk to a lawyer before I did anything. You have to be very careful in this day and age.
If history is any guide: They aren't going to take you seriously unless you release a working exploit. If you tell 'em about it they'll just try to silence you with threats -- and then you can't choose anonymous release, because they'll go after you.
If you release the exploit anonymously, you'll get things fixed. If you release it with your name attached, you'll get things fixed and bring a shitstorm down on your head -- your choice if you want the notoriety and its consequences.
Release it to the public, anonymously. :)
The problem will solve itself.
And packetstorm, of course.
-Adam
You should forget about the whole thing. There is no good that can come of this. I understand wanting to be a good samaritan and all, but some people just don't take kindly to that. Considering the risks here (if the company gets pissed off at you, you end up with a computer crimes charge on your record and are basically blacklisted from the industry) I'd say you should delete any copies of any proof-of-concept code you have and forget about the whole thing. Either that or sell it to a fraternity or the football/basketball program at your school.. I'm sure they'd LOVE to get their hands on something like that.
I need to pass this semester. Don't ruin this for me.
"It's the little touches that make a future solid enough to be destroyed" --William S. Burroughs
If it is about this Blackboard software portal then it is a significant finding. The code is Java based and I haven't come across a lot of exploits for Java based architectures.
Good advice! However I would like to add a "business" angle to this.
for $10 a piece this dude could sell his services to his peers for the privilege of having higher test scores - money raised would pay for sex, drugs, and alcohol for the whole freshman year!
Maybe I'm completely naive, but what the hell is going on?! Has everyone on Slashdot hacked or cracked some 31337 prog/dbase/bank... Why is anonymity supposedly the best policy?! As long as you haven't changed your grades or exploited code (your teachers/the school will be able to tell) then you'll be fine. Are you afraid of getting busted for something else? I mean, it seems completely rational to e-mail the company, print a copy, mail it to yourself (if you are as paranoid as everyone else) and then, if problems arise, mail the university.
.. :P ridiculous
Remember: The university cares about a student paying 20k+ a year to be there, the software company is costing the U money, who would they rather attack?
Anonymity is for spammers. You'll probably get some recognition in the CS department if you say something about it... unless your teachers are all secretly black hat, and hate your guts for exposing yourself
I remember hearing that blank CDs include individual ID numbers and burners will include the serial number of the burner in a special location on the CD. Is this true or is my paranoid memory making things up? A brief online search turned up nothing.
Going through an Attorney means that your identity is constitutionally protected. Whereas hotmail can forced to give up your address (RIAA got names from IP addresses), the lawyer cannot.
:)
Secondly, an attorney lends an air of credibility to your cause, where being a student with an exploit may not. Obviously you should be taken seriously, but I'm concerned that you may not be. The attorney is also better at threatening lawsuits.
Being a student, you'll probably want to shop this as an opportunity for "pro bono" work. Remember that this could be a great opportunity for an up-and-coming IP attorney to make a name for themselves.
If you don't have other connections start with your school's law school. Stanford's IP faculty is well represented on the activist side (Granick, Lessig). A California firm called Townsend & Townsend & Crew (www.townsend.com) has built a decent reputation defending the "little guy" against large corporations (imho).
Hopefully, you'll be able to have a professional letter from a big firm sent to the company, and they happily fix the problem and feel they've avoided a lawsuit. One last tidbit from me. If you do give them working code, please request that they post a free patch.
This isn't legal advice
Cheers,
Dave
Is there a professor that you know well enough to approach about this? I would tell them the facts and ask them what to do.
It is highly likely that they will be willing to approach the PTB about the issue--leaving you entirely out of it. At most universities, such a software vendor won't try to get your identity from a prof, they know where their bread is buttered.
If all else fails, drop me an email at roberts period six-two-eight period osu period edu. I'm a prof at Ohio State and I'll be happy to lend a hand.
I'll be doing some 'research' of my own next semester on how to 'improve' my grades ;-)
The unofficial
Have you NOT figured it out yet... THERE IS NO ANONYMOUS on the net... sorry guys, I assure you SOMEONE has logs: your ISP, the border routers along the way. If someone, say the government or a deep-pockets corp, wants that, they will pull an RIAA and get it... If you want to REALLY be anonymous go to the library, use a typewriter, send a snail mail from another zip code and DON'T go into the post office to do it... otherwise just get a business license and approach them as a LICENSED contractor with a proposal at the business level... or just watch it all FALL TO PIECES...
:( Thanks DMCA, brought to you by the US Gestapo, protecting our homeland from ourselves...
Remember even LAME infant like encryption is now a federally protected item
errr....umm...*whooosh* *whoosh* Is this thing on ?
A lot of people here have advocated alerting people about this anonymously. Whether or not you feel this is the correct thing to do, consider including a PGP public key with whatever submissions you turn over to relevant parties. This way, if it becomes advantageous at a later time to take credit for your actions, you can prove that you were the anonymous whistle-blower.
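The mechanism suggested in the post above (attach a public key to an anonymous report so that authorship can be proven later) works like this in practice. The Go program below is an added example, not code from the post or from any tool named on this page; it uses Ed25519 from the standard library as a stand-in for a PGP key, and the report text and challenge string are constructed sample data. The private key must be generated fresh for this one purpose and must never have been published under the reporter's real name, or the "anonymous" report is tied to them from day one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Report is what the anonymous whistle-blower sends: the disclosure text,
// a fresh public key, and a signature over the text by that key.
type Report struct {
	Text      string
	PublicKey ed25519.PublicKey
	Signature []byte
}

// claimPrefix separates challenge signatures from report signatures so a
// captured challenge response can never be replayed as a report, or vice
// versa.
const claimPrefix = "whistleblower-claim-v1:"

// newReporterKey creates a throwaway key pair for one disclosure. Keep the
// private half offline and off any machine tied to your identity.
func newReporterKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signReport binds the public key to exactly this disclosure text.
func signReport(priv ed25519.PrivateKey, text string) Report {
	return Report{
		Text:      text,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, []byte(text)),
	}
}

// claimAuthorship answers a fresh challenge chosen by the recipient. Only
// the holder of the private key that signed the report can produce it.
func claimAuthorship(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(claimPrefix), challenge...))
}

// verifyClaim is the recipient's side: the stored report must verify under
// the key that came with it, and the challenge response under the same key.
func verifyClaim(r Report, challenge, claimSig []byte) bool {
	if len(r.PublicKey) != ed25519.PublicKeySize {
		return false
	}
	if !ed25519.Verify(r.PublicKey, []byte(r.Text), r.Signature) {
		return false
	}
	return ed25519.Verify(r.PublicKey, append([]byte(claimPrefix), challenge...), claimSig)
}

func main() {
	_, priv, err := newReporterKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample disclosure; the real text would describe the bug.
	report := signReport(priv, "Grade submission endpoint accepts a score parameter without checking the caller's role.")
	fmt.Println("public key:", hex.EncodeToString(report.PublicKey))

	// Months later the recipient picks a random challenge; the reporter
	// signs it and authorship is established without ever revealing how
	// the original email was sent.
	challenge := make([]byte, 16)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	fmt.Println("claim verified:", verifyClaim(report, challenge, claimAuthorship(priv, challenge)))
}
```

Two caveats a practitioner would add: the recipient must choose the challenge at random at claim time, since a predictable challenge could be answered in advance by whoever intercepted the original report, and the key proves only possession of the private half, so the file holding it is the one artifact that links the student to the report and should be protected accordingly.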
Try an anonymous remailer to let the developers and BugTraq know. You won't get famous or anything, but you'll be contributing without exposing your identity, and thus evading punishment. It's a shame that some of those who fight to make everything in this world better get punished for our good deeds. Unfortunately, that will probably never change.
-Cold Drink
You'll fuck up my 4.0.
In the event of an actual emergency this space might provide useful information.
I'm taking bets. $2 to play
1. The sploit is M$
2. The sploit is *nix
Drop the info in an envelope and mail it to the university... anonymously...
Don't leave fingerprints on the paper - wear latex rubber gloves when printing it out. Buy a fresh ream of paper with cash and open it only after putting on the gloves. Buy a cheap inkjet to print it out on so they can't trace your printer ink. Melt the printer and ink carts down when you're done and dispose of them discreetly. Take some kind of public transportation - either a bus or a train - to a post office that's at least 25 miles away from the school and drop the envelope (while still wearing the gloves) into the out-of-town mail drop - this ensures that many many people handle the envelope before it gets to the school.
After you prepare your documents, get a program like bcwipe and do a DoD-style erasure of your hard disk and any other media onto which you may have saved your exploits. DO NOT, NO MATTER HOW TEMPTING, make a backup or keep the material anywhere. Be sure to clean up where the printer was as there will be paper fibers everywhere. Ideally, you should seal the ream of paper and printer in a large plastic bag before you open the paper. This is difficult, but it prevents residue from the ink and/or paper from getting on things.
Don't forget, pay cash for everything, and make the purchases at different stores, which should ideally be far apart, on different days, preferably over a 2 or 3 week period. Don't buy any two items at the same place. Be sure not to use the stock ink carts that come with the printer - buy new ones at some store other than the one you bought the printer at. Preferably, take a different form of transportation on the return trip than you did on the forward trip to the post office.
Even doing all of this, their TIA-type database mining might still get you - even though you paid cash for everything. One thing you can do is purchase, along with the things you need, items that you don't need. For example, a female engaged in this activity might buy jock-itch powder, beer, or other distinctly men's products. Likewise, a male might buy hair remover, pantyhose, or other distinctly women's products. Be sure to think of creative ways to confuse a database search algorithm into thinking that DIFFERENT PEOPLE bought these things.
I wrote a self-destructing script to post this from a local library, where I didn't check anything out, a few minutes after I left. I also turned down the job offer from the CIA because I didn't believe I could really be as anonymous as I wanted...
Leverage this to make Microsoft release a Linux client for the Xbox!
/sig
Don't show them how you do it. If your "...self-tested proof-of-concept exploit code..." actually works, proving to them that there is an exploit shouldn't be too difficult - tell them (software company and the Dean) what grades you are going to change, and then run the program and change some grades - but make sure you keep all your source code encrypted.
If bugs are kept secret, the secrets get held in the hands of the few. The unethical hacker [cracker] will eventually exploit the code and use it to their advantage.
If it weren't for FD, we'd have more 0day exploits because companies would not feel the pressure to release timely updates. It chews up development cycles to go back and put an emergency fix in place for insecure code, test it, and release it. Do you think companies would do this voluntarily? I think not. Too expensive. They'll include it with their next major update and charge for the upgrade or some crap like that.
I say the medicine is bad, but the disease is worse. Full Disclosure is the Medicine, bad coding the disease.
We are going to continue down this road of FD debate until software vendors (M$ et al.) start writing secure code. I have said it many times: requiring patches to achieve security is fundamentally flawed. Coders need to write secure code. The onus is on them. Don't blame the hackers/crackers for airing their dirty laundry. If M$ or whoever loses market share because they consistently release insecure code that is repeatedly being compromised then that is their fault.
It was only after being repeatedly beat over the head with the proverbial lead pipe by the hacker community that good ole Bill Gates sent out a memo stating that security is becoming Microsoft's #1 priority. Do you really think he would have done that if we didn't have Full Disclosure in place? We should not rely on 'security by obscurity' by keeping the exploits secret, or keeping the information reserved for the security elite.
Send a confidential email to the network administrators and to the company that created the software. State that you will give them adequate time to respond and to release a patch. State that the exploit will undergo full disclosure in two months, or if they request extra time, ask them what measures are being taken to ensure the integrity of the information being stored on these computers. If you can hack into the system to raise your grades, others could hack in to lower the hard-earned grades of others. Hell, at that point, they should start selling diplomas at the bookstore.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
That's exactly how Stefan Puffer got indicted in Houston, Texas last year. He provided a demonstration of an insecure county wireless system in front of a newspaper reporter and a county IT employee. He was later no-billed by the county but I'm sure his attorney's bill was a few $$$. -rick
... address it from somebody who pissed you off, or ran off with that girl you fancied.
Do you think your tutor or lecturer has never seen any of your work before? Do you think s/he is going to get suss when you turn in junk day after day and then all of a sudden your marks get bumped up? Do you think that seeing your tutor/lecturer about the issue is going to prove to them the intelligence you have in the IT subjects you are doing (highly likely!)? If you can do this kind of crap you can get A's any time you want.
If you're really worried, make a Hotmail account, and mail them. The only problem with that approach is come exam day if you are sick, you fail... if the lecturer knows you and knows your work you'll be cut some slack. I know. I used to be one.
In my next incarnation, I hope to come back as a code monkey.
To begin, it doesn't seem as if you are maliciously trying to hurt the engineers or give yourself an advantage over the students. It also doesn't seem like you were purposely trying to find flaws. I would talk to a teacher, academic advisor, or even the tech people in the library to find out what you can do. Explain that you are only trying to make things better and not publish exploits. The suggestion about sending something in the regular mail could be a good one. I would type up a professional and respectful letter saying how you found it, what the repercussions are of such an exploit, suggestions on how to fix it, and possibly include a CD with your code on it. You don't need a return address and it's anonymous so you don't have to be so nervous.
...and have him report it, dumass! Or better yet just let it go and hopefully a couple of retards will exploit it. Lazy ass profs need to learn how to grade and not let corps encroach on our lives anymore.
Their java forum has an XSS hole in it; it can be used to execute arbitrary javascript, in effect stealing the session cookie, so you can effectively get the credentials of anyone who reads your post to the forum (discussion board or whatever they call it).
-ClawFingerZ
Well personally I would have cracked into the program, using the exploit and dumped the exploit, and a file explaining it in a conspicuous location. That's sure to get their attention!
When Argumentum ad Hominem falls short, try Argumentum ad Matrem
Report it via email from a throw-away hotmail address using a computer at the public library. It's still possible for them to trace you but I doubt it'd be worth the trouble to them.
Another possible solution is put the executable source code on cd, with whatever other information you want to include in plain text format and slip it under the door of a computer lab manager, or professor, or whoever you think would be most likely to deal with it.
First, create a disclosure document for your IP attorney, then immediately file a method patent application on the bugfix.
:)
Then, once your provisional patent application is received, you can offer to license the bugfix (and since it was a method patent, they can't program around you) to the school for a modest fee.
"Method and Program for closing a known security hole in grade reporting software"
or something like that... I'd say you'd be a rich man, just don't forget to send me my cut
Dont tell anyone. Graduate, then go for your PHD.
Your thesis is staring you in the face. So simple.
I can understand wanting to cover your backside with this. Especially since you have 'tested' the exploit. Going to the university may mean the end of your academic career. Going to the company may result in the same in a roundabout way. The company may feel obligated to report you to the said university.
If you are serious about getting the exploit fixed then there are a lot of good points already made in the replies:
- Send it to the company anonymously.
- Send it to the university IT dept. anonymously.
Do both and that should get it where you want it to go. Now for my take on this (if you were one of my students)...
You are supplying the source of the proofs of concept, right? I accept no binaries from an unknown source, especially with your story. You have to convince me that you are not only legit. but being honest. If you approach me you had better be able to prove that you have not altered your grades. This is not due to my morals but due to my obligations to the university.
I have dealt with students bringing up exploits to me that they have found work in our system. First I have to verify their claim, second I have to consider the damage they may have done (purposefully or not). If this means a call to security then I am obligated to do that. After that I have to consider fixing my system and damage control.
Note about security: I need not bring security into it but I must document everything in case the incident becomes a concern in the future... Example, next year you suddenly become an honor student.
A comment by 'has' bothers me... if this is you then you could be in deeper than you want to be... I would suggest cleaning up your act, taking an ethics course and getting on with your degree. This type of unethical, and probably illegal (fraud?) activity will eventually catch up with you if continued. Enough preaching.
Take the suggestions regarding anonymous submissions if you're serious about helping.
Merlin.
Interesting to say the least. If you slack off all semester then use this exploit to change your grade, you'd better keep quiet. I'm sure the prof has non-online records to double check your actual grade if he/she gets word of the exploit. You should actually maybe talk to a lawyer, maybe they can help you draft a letter in terms that don't sound threatening... or at least in so much legalese that they won't even be able to decipher who you are.
;-)
Best bet (at the risk of being modded redundant) would be to anonymously contact the company. If you want to avoid suspicion, bomb the class a little first so your grade kinda sucks. Just make sure you have a way to bring it back up again
There are only 10 kinds of people in this world... those who understand binary and those who don't
Come across? Like you woke up one morning and found them in your mailbox, between credit card offers?
Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and -selftested proof-of-concept exploit code.
Now I'm thinking - did you have a legal copy of the software you were "testing"? If not, do you know the person/entity who has the legal copy? Did you get their permission to poke around?
I would expect the litigation or academic discipline, if you pursued your experiment without a legal copy, or at least the permission of the person who owned the licensed copy. Or at least asked a professor to act as advisor for your experiments.
As an ethical geek, what do -you- do?
Ask permission from the target company before pursuing exploits.
I may be reading too much into the poster's brief notes (or maybe the poster's name), but I have a feeling that there are several illegal (and possibly unethical) things that have been done so far. The best way to avoid a situation like this is to plan to be ethical, legal, and open from the beginning. Get the company's permission, the school's permission, etc., and no one will be surprised when you get some results. Otherwise, they may say "Thank you, now please come to court in two weeks", and you have little recourse except to hire a lawyer.
Which the poster should probably do, anyway. It's a shame - with the proper authorization, this could have been an interesting senior project.
What to do
You could always try approaching your advisor or some other trusted faculty member.
but of course...
This sums up the story quite well, doesn't it? You go to slashdot and brag about it.
Start your own website based off of the exploit. Students pay you, you fix their grades, you get paid, and forget about the hole being patched!!! But then there is that darn ethics thing. Document the error and report it directly to the company. If they give you the brush, no big deal--you've done your duty. If they litigate, I think you'll have no prob getting help. And besides, the attention will start a career if that's your goal. Make sure you can the proof of concept code though, that'll get you in trouble. The DMCA is in full effect, just document the error, and tell what is exposed. No other details.
Why can't all fpga/microcontroller manufacturers just release free optimizing compilers???
Sure, it's probably Blackboard which most colleges use, but if it's not Bb, it could also be Banner by SCT which plenty of schools also use.
;) )
Compromising Banner is far more dangerous than Blackboard (Bb).... Most schools that use Banner use it as their student management system, which records official transcript, program requirements met, class registration, etc. etc.
In my last undergrad semester, my team developed a website that interfaced directly w/ the Banner system and even found some loopholes in it which we exploited to allow our website to do a better job at calculating program requirements met and suggested offerings to complete it. (This was for an Advanced Software Project Mgmt class)
Needless to say, the Registrar's office people were very intrigued by our exploration into the limits of the current system. I imagine a less cooperative school administration would be more punitive.. (But I went to a business school, so they know we just get motivated by $$
You can inform several independent trusted parties via an anonymous remailer. These can include independent security research companies, the author of the software, and the dean of your college. I recommend Mixmaster for doing this. This will protect your identity, should the author(s) of the software choose to take legal recourse against you for finding and disclosing the vulnerability in their software.
If you decide to pursue the route of getting something done about it, I'd suggest:
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
If you're worried about repercussions, then use a public library terminal and a new hotmail type free mail account. Most public libraries intentionally do not keep traffic logs these days anyway (because of the privacy issues involved with turning over those logs if they are subpoenaed).
But, I'm a security admin at a university... I occasionally have students bring vulnerabilities to me. Often I already know about it, but I still welcome the input and am thankful for the extra eyes watching the network. I've just got too many nodes to keep up with to catch every computer.
Today I ran across 2-3 holes (cross site scripting with remote execution, sql injection with code exposure, and account hijacking) in the blackboard system which I am currently working to exploit... for a proof of concept. If this is the same system you're talking about, I want to talk with you. Maybe with enough ammunition they will listen to the both of us more than they would listen to one.
email me.
The Code Ninja is swift with his tool, precise in his delivery, and deadly accurate in his execution.
cough cough......webct....cough cough
1) Abuse the hell out of it and secretly release the exploits when you get tired of getting multiple PhD/MSc/BSc in various subjects.
:)
:P
2) Contact the most famous security firms around, tell them about your findings and get an early employment contract before your graduation.
Option 1 sounds attractive but option 2 can save you from getting your ass into federal prison.
I liked Matthew Broderick's IMSAI 8080 dial-up system in Wargames better.
Help fight continental drift.
Freenet Project
:)
And then give yourself an A.
For the online quizzes for the class I'm taking now, the textbook publisher's website asks for the student's email address and the professor's email address. That's it. It then sends the results to those addresses and notes the correct answers to whatever was missed. Near as I can tell you can enter anything you want for those email addresses.
:-).
The instructor gets the usual username/password combo and he assumed that students had to set up accounts tied to his class because the publisher knows that students might be tempted to cheat, right?
In all fairness, maybe they just figured that securing an open book do-at-home quiz wasn't possible anyhow. But I'm honest, antisocial, and getting decent grades anyhow so I let the professor know.
To the guy who suggested selling higher grades to the football team or fraternities: forget that. Trade with the cheerleaders
Open up a phony hotmail account from a lab workstation in school.
I call bullshit -- if you were smart enough to find exploits, you'd be smart enough to figure that out.
Conformity is the jailer of freedom and enemy of growth. -JFK
In short, the very fact that you asked this question indicates that you suspect you have gone too far already. Discovering an exploit raises the question how you found it. If you did so innocently, that's fine -- report the potential risk, and offer services under written authority to make your "proof of concept."
But realistically, if you are testing an exploit to bring the point home, you have already put yourself at risk. Until you are invited to the party, it is very dangerous to expose those risks.
At least, take care to "go through the channels," before you do some subculture hacking. If you do the latter, be prepared to stay with the subculture -- whether you be white hat or black hat, your personal sense of ethics doesn't necessarily comport with your agreements with the University or the law.
I am not saying that you should support security through obscurity, or refrain from exposing security risks. I'm suggesting that if you want to do that, there is a far safer protocol than taking everything into your own hands.
Yes, this is insane, but it's also how it is.
--True, if you take the right approach, have the right kind of charisma, (ie, express honesty and even explain your concerns up front about how other people before you have been punished for having done the right thing in the past,) you might be able to pull it off. I wouldn't count on it though. The sheep behind the glass are getting colder every day, and even a smooth talker like me has been really having to sweat in order to earn my best intentions. It's getting tough out there.
So in this instance, and others like it, I wouldn't bother.
And just to be clear, I wouldn't use the exploit either. --Chances are, if you do, you'll really end up in hot water. Indeed, I strongly suspect that some cases of these kinds of exploits are designed to discover those who are not sheep-like enough so that they can be flagged for later. . , uh, disposal. (Same goes for things like performing acts of guerrilla advertising, and ad-defacement of particularly nasty posters and billboards around your town. That sort of thing is monitored.)
--Which, of course, means that if you try in earnest to bring the hole in the code to the attention of the 'masters of the universe', then somebody, somewhere will be all pissed off with you for ruining their entrapment scheme.
My advice? Sit tight. --The furthest you might want to go is to discuss it openly to anybody who cares to listen, saying you heard about it on the net from some anonymous coward. Wide open honesty is usually the best way to screw evil plans without bringing down reprisal and brimstone on your head. Works for me.
-FL
Am I the only one who was about to submit:
;)" ..as a joke, but then erased it after imagining homeland defense troopers with pitchforks and with various illegible (and infamous to Slashdot groupies), BILLS and ACTS in their mouths, showing up at my doorstep? Good.
;) THINK ABOUT IT!
"Don't tell YET, I've still got one more semester left
I'm just kidding, I am anti-cheating and this should be announced asap. This should hit the major media, THUS showing people this particular market is not dominated yet, and giving us nerds jobs to make competing products
Cover your eyes and click this link!
I would argue that there are several answers depending on the poster's goal. Is he interested in working for Blackboa...I mean, the software he is discussing (and/or any other company) and wanting to show his prowess? Or is it truly out of the kindness of his heart? Regardless, I would completely bypass the school. Contact the software company directly as they understand the issue better. It would be your luck that a random administrator at your school would hear about this and label you a h4x0r and a menace to society -- remember that people hate what they cannot understand.
This is my digital signature. 10011011001
With the current political climate, your best bet is to do absolutely nothing. People are arrested for expressing opinions, others are denied due process for free speech, and still others are deemed terrorists for even the slightest questioning of a government's actions. Corporations mandate what can and cannot be done and are happily funded by a more sheepish and numbed people, armed with a more sheepish and willing set of so-called representatives.
Do nothing. Sure, you can pat yourself on the back for your ingenuity, but file your discoveries away in your mind. The world cannot tolerate them now.
Sad. But true.
Fix the bug, then sue them for stealing your code! Works for SCO
(but keep a backup of the original) That should get their attention.
You might get away with this as a respectable adult in higher education, but if you were a high school student, I would say don't even think about taking credit for any computer work, security related or otherwise. Many high schools are extremely hacker paranoid. I was suspended for teaching a kid how to use a boot disk freshman year. This goes for other subjects in school too, unless you are a nice straight preppy kid, play stupid.
Go to legal counsel immediately. Like don't pass go don't collect $200. With current psycho DMCA people out and about looking to make a quick buck from someone such as yourself and make themselves look like the smart ones and not be played the fool. Have the lawyer send the company a letter stating your intentions.
Colin Dean Go a year without DRM
All I'm saying is that he shouldn't take a chance, he doesn't know how they will react so why risk it and for what?
When I was in college I busted root on the computer that kept track of all the grades. I showed everyone in the dorm and the next day I called the computer lab folks. They were pissed I showed everyone. Oh well.
post it with a sharpie marker on the bathroom wall of the men's room.
I accidentally left a hole like this on a server I was working with once. I'd actually had checks to ensure such a thing didn't happen, but disabled then when I was debugging and forgot to uncomment the code (dumb dumb dumb). Luckily, that particular server didn't have anything overly special, though the ability to view users in the passwd file (which contained fullnames) was annoying.
I must say that I greatly appreciated when somebody informed me of the hole, though I felt like an idiot afterwards. Not everybody is an asshole about such things. I'd expect also that there would be some form of sysadmin that you might be able to contact (anonymously or otherwise), and he might appreciate it more than perhaps an exec who has no clue about security.
One of my best friends is one of the lead programmers for blackboard. So I would like to extremely biased, and tell you that it can't be Blackboard that has issues!
Can't we blame this on Microsoft somehow instead?
This is a serious suggestion. Don't report it, just pick classes at random each semester and fail all the students in them. 10 or so should be enough. The administration will freak out, and they will get the company's attention for you. Use an anonymous remailer to tell the company where the problem is, but never release any exploit code.
The fact is, with this sort of thing, the squeaky wheel gets whacked with a sack of doorknobs.
In Soviet America the banks rob you!
...is to keep your mouth shut, use your superior intellect to cheat your way out of college, and tell your grandkids about it.
It seems to me you can view this as a technical problem or as a legal problem (your grades and the grades of others not being properly safeguarded).
Talk to a lawyer, but don't start the conversation with "I have found a technical flaw". Start the conversation with "I fear the University's negligence is harming me."
I bet things go much better that way, even if all you want is for them to fix the flaw!
To the school's IT department, cc: to the Dean (or campus principal as the case may be), both from a temporary hotmail/yahoo account. Include the example code, obfuscated to hide your coding style (coders familiar with you, and instructors likewise, would pick you out from your coding style) and leave it at that. If they are too damn ignorant to test it out, well, it's their problem, they've been warned.
canuck_wingnut
I am very surprised no one has mentioned this! Find yourself a small, start-up security firm somewhere. Coordinate with them to release the vulnerability information in a professional manner. You get the anonymity you need, and the small security firm gets recognition!
Win-win for both of you!
What is the world coming to that this question even needs to be asked?
I am not an American, nor do I live in the US, but I have always respected the foundations and principles that the US was founded on. Principles which have all but been flushed down the toilet.
Here we have "the land of the free and the home of the brave" turning into the "land of the closely monitored and the home of the scared to do something beneficial, or in fact anything at all."
This makes me wonder when we are going to have masses of Americans defecting to Russia for political Asylum.
Who really won the cold war...or perhaps the people at the top are all the same anyways....hold on there is a knock at the door.....Ahhhhhh they are coming to take me away hah hah!
This makes sense to me! All of the other posts leave you with no gain for your discovery!
I took a class from the full time dean of tech at my school and I work for her dept as a student asst (really a resnet technician) so I am pretty sure If I were to discover something like that I would be safe in approaching her about it. In addition one of my more immediate supervisors is the son of the former president of the school so I am sure I could secure my safety. But then again why would I help my school for free, they don't help me for free.
I ran into a similar situation some years back at Carnegie Mellon University. A friend of mine discovered a means of acquiring AFS authentication tokens belonging to other students. (The tokens were not being destroyed properly. The technique involved editing the boot image (vmunix) with emacs.)
This was a significant security hole. Every year, a couple of idiots try to cheat. With the ability to become any other user, well, Pandora's box was wide open.
My friend asked for my advice on how to proceed. Should he contact the administration? I told him, flat out, if he went to the administration, he could expect to have his computer accounts immediately terminated. Without them, he would receive a forced-fail in all his computer science classes. He could also expect to face a "rubber-stamp" academic review board, and either a suspension or outright expulsion from the school.
This is, unfortunately, not idle speculation. Some years earlier, my best friend at CMU (Jeff) had created a subdirectory. Well, several subdirectories, actually. Nested. The professor (Phil) was a complete loon who couldn't code his way out of a paper bag. He decided Jeff's subdirectories had crashed the system. We accessed the logfiles. Jeff didn't have anything to do with that system going down. That didn't stop the termination of all his computer accounts, the forced-fails, or the academic review board and suspension. My one big regret was that Jeff never filed a lawsuit against CMU.
So, getting back to the AFS hole: I'm a member of the local Alpha Phi Omega chapter. At that time, one of our advisors was an upper echelon hacker, an absolute wizard, who was responsible for a large chunk of the actual implementation on the systems involved. I arranged for a private meeting between the three of us. The details were discussed openly and frankly, along with possible solutions. A trivial fix was put into place.
To the best of my knowledge, no one else, and specifically no one in the administration, was ever notified. My friend continued his education uninterrupted, and eventually obtained his degree.
-D.
Step 1: Use http://riot.eu.org/anon/ to send the administration a friendly "what if" letter. Be sure to include things like "I have reason to suspect" and "Theoretically speaking, if a student were to find a backdoor". Be as vague as possible but make sure you get the point across that you want to help them. Tell them to mail an official response as to what their course of action would be "if" a student were to come across such a flaw in the code. Step 2: Find a computer store with a few models with online access. Set up a hotmail or yahoo account containing absolutely all fake information. Step 3: Have the administration mail the "official" response to that address. Step 4: Find a new (stress "new") place with internet access (like an internet cafe) that allows floppy use. Copy the entire page onto the floppy. Oh yeah and make sure to pay with cash always. Shut down the e-mail account. Step 5: Make a few copies of the disk, and depending on what their "official" response was either take the exploitation code along with the floppy in to the administration or repeat steps 1-4 with the software company. ---If all else fails submit the stuff to a bug tracking site (preferably many)
Creative Demolition
There is nothing worse than getting kicked out of University for a year and having to wait 7 years until your record is clean.
All I recommend is stop and don't ever do any more 'testing'. It just isn't worth it.
Don't learn from experience like I did.
Print the exploit up on flyers and post them around the campus in the middle of the night. A few 100 of them should get the attention of the campus IS people who'll talk to the company and they'll issue the fix.
1) Watch WARGAMES
2) Copycat
3) Get laid
1) Make a couple copies of a detailed explanation, along with code necessary to do the exploit, and put on CD.
2) Mail to CEO, IT director of offending company, student advocate and IT director of university, and one or two newspapers. Make sure that everyone knows that the others are receiving identical copies of the same CD.
3) Get a lawyer. You'll be thankful you retained one, even if nothing ever comes of this event.
4) Encourage everyone (except newspapers, those are your backup) to sit down on campus for a meeting. Bring your lawyer. Bring your professor (I assume that only 1 class uses this system) and make sure that he validates that your grade has not been changed. Once that's done, make sure they realize that you're doing this as a service for their benefit. (both company and university don't need bad press)
5) Get the student newspaper in on it, but don't expect anything.
Hopefully, the exploit will be fixed in a short amount of time, nobody will sue you, and you'll get the pat on the back you expected (nothing more, except maybe a job offer if you're especially golden.)
2) Next, go to No-ID.com, an anonymous remailer that masks the source of emails.
3) Email messages to the college and software creators, notifying that they have 2 months to fix the problem before you post the vulnerability to the Full Disclosure mailing list.
They will be able to reply to your emails using the remailer service. You WILL remain completely anonymous and your integrity will never have an opportunity to be called into question.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
White Hat or not, you're confessing to having committed a felony under the DMCA, so you're at the mercy of anyone who finds out who you are and wants to cover their butt by shutting you up. And that will include your university and the company providing the software. Whatever you decide to do, do it anonymously, and make sure nobody can track you down by finding incriminating code on your computer (keeping in mind the daily system backups).
If you do decide to (anonymously) notify key university and company officials, include an explanation of why you are, and will continue to remain, anonymous. CC your own elected federal representatives and all members of the US House Intellectual Property Committee.
If you have done what I think you have, then you are quite probably screwed no matter what course of action you choose.
If you do report the problem, the IT administrators will be obliged to perform a damage assessment. They will scan their logs for behavior possibly taking advantage of this exploit. Given that you say you have proof of concept code, and presumably have tested it, if IT discovers that you have so much as tried to take advantage of this or a related exploit, it will almost certainly result in your dismissal for that semester, criminal charges, and possibly the end of your academic career.
It won't help to go through a professor. If IT comes back and says that they have evidence that you tried to take advantage of the exploit (by 'testing'), you will not be spared, and the professor will either be unwilling or unable to protect you.
If you do not report the problem, you risk IT discovering the exploit on their own or through a security update from the vendor, and similarly performing damage assessment to discover whether or not their systems or data have been compromised, or attempted to have been compromised.
Don't scoff at this. If it is a significant exploit, and given that there is now a story on Slashdot about it, there is a significant possibility that IT will perform a damage assessment.
Further, depending upon how you found or 'tested' this exploit, IT may find you out whether or not they realize or are alerted to the nature of the exploit.
It is really up to you. Only you know the nature of your investigative activities and testing. If discovering these exploits required behavior which went beyond the normal use of the system, then you have a very serious problem.
How do you explain why you were doing this in the first place? You can't, and quite honestly, there is almost certainly no excuse for it. If you were concerned about the security of the system, you should have gone through official channels to get clearance to look for vulnerabilities, and report the sort of investigative techniques you would be using, and do only this.
If you have not done this, then you have one course of action:
- Find out how long of a period IT keeps logs for. If you are a technically inclined student, then surely you have acquaintances -- students -- who work in IT.
- If the logs of your activity are gone, then you are in the clear. Report the vulnerability anonymously the next time you are off campus. Unfortunately, from the few academic IT departments I am familiar with, they keep logs for a very long time, because of issues just like these.
- If, on the other hand, the logs of your activity are not gone, then weigh the possibility of your activity being found out before the logs will be cycled or destroyed.
If the logs will be around for months still, then you are quite possibly in serious trouble. If the logs will be around for a year or more, then you are almost certainly in very serious trouble.
If you report your activities, then you are almost certainly in very serious trouble.
Personally, I would go with the first option, and hope that your IT department will not perform damage assessment, or that they will not find out about the exploit until next semester, and will not be interested in logs from the previous semester, or perhaps from the previous academic year.
The last University that I attended in West Palm Beach FL (they can trace this back to me... see if I care) has some shitty network admins. Their network is anything but secure.
... voila, no test that day.
/hr so I told them that they can go f**k themselves (in a nice way). They wanted me to set up servers (SMTP, DNS, Webserver etc...), apply a security policy and write custom code for them.
....
:o)
;o)
I found plenty of problems with their network security... I (as a regular user on their systems) had access to a lot of things that I shouldn't have had. I actually used one of these exploits to my advantage. We had a test that I didn't study for (all tests were handled by a CGI script on an insecure inhouse server). I shutdown the box, and
I sent an e-mail to the heads of the school,
I ended up talking to them and asking for a job, they wanted to give me $5
I just ended up telling my teacher about the security vulnerabilities (he was real cool about it), he fixed the exploits that I knew off the top of my head. I corrected some of his code... now he sends me job opportunities.
In a different situation in high school, I wrote a lot of code for my school, it was supposed to be a system where teachers and parents could view students' grades and such securely... the school ended up expelling me for not going to detentions (I was working as a developer after school for a firm down here in FL). Every bit of code was encrypted with GnuPG so they didn't get one bit out of me.
BTW: if you found an exploit on a school's computer and you write a patch on the school's computer (IT'S OWNED BY THE SCHOOL), they will try and screw you over, schools are just like that.
My advice is - they won't hire you or they will want to pay minimum wage, and just either talk to a teacher that you TRUST. They might appreciate it and send you work that comes their way
oh ya, first change your grades though...
Regards,
- Mick
(o> Web developer / designer
( ) UNIX Systems Admin
--- ~ www.mickweiss.com ~
Don't ask Slashdot... just go ask your lawyer... I'm pretty darn sure it's a lot safer :)
I'm really addicted to slashdot and I think it's really great but I wouldn't trust it with my freedom or my academic life.
Slip a letter under a few of your professors' doors, or do a hit-and-run drop off at your university's help desk, if you're really worried about retaliation.
"I'll say it again for the logic-impaired." -- Larry Wall.
Make no mistake, your academic career is shot if somebody takes issue with your action. Even if your University initially backed your position, a lawsuit against them could turn the tide in a New York Minute. Contact a knowledgeable expert with a great familiarity with defending against the heat, like Ed Felten at Princeton, and disclose it to him and utilize his expertise as your defense and leverage.
You will gain legitimacy by using an intermediary who is an undisputed academic expert in his field with a real interest in security.
You could lose your shirt just for exploring the exploit. Students are bright and young and have the reputation of showing hubris for their independent ideas, and are not adept at covering their proverbial buttocks. You would not be the first student to get slaughtered at the trough due to lack of experience in dealing with the powers that be.
1) Full disclosure.
Tell everyone all at once. Submit to slashdot, security focus, local campus news, local newspaper, campus radio station, et al. Make sure to do it from a non-campus computer, an internet cafe would do (and use a fake address along with a re-mailer).
2) Tell the school
Once again do it anonymously. This probably won't work (trust me)
3) Tell the company
If you send it to the company, tell them you're giving them a heads up before you do number 1. Give them a specific amount of time.
As for legal implications of this, slashdot is not the place for those kinds of questions. Personally I favour number 3, with a 72 hour lead time (or whatever you think is reasonable), coupled with number 1 if they do not fix the problem. If they send threats back to the e-mail you used (if you decide not to use a re-mailer) send them to all local media outlets (and national, but they probably would not care).
get yourself a cheap wireless card (for your laptop or PDA) go around town for free wireless access. Post the exploit.
Let them know about the problem in the software. Provide examples. Demand that they do not reveal their sources.
AFAIR, CERT exists exactly for these sorts of problems, when you want to tell, but you don't want to get in trouble for misunderstanding.
-- dieman - Scott Dier
1. find yourself an unsecured WiFi or other wireless connection in your area
2. get some kind of bogus email address
3. get in contact with them, state your demands, make sure they understand you mean business and that you won't take any shit from them.
4. give them a reasonable time period for them to fix their shit, 30 days?
5. wait, see what happens
6. ok, they fixed the shit? good! they didn't? shit, now you are going to release ALL the info!
7. find another unsecured WiFi, release the info!
8. go back home and watch the fireworks!
release it to the public. Full disclosure.
The exploit I found was in an accounting program which kept a running record of accounting problems finished in a saved file with the student's name "encrypted" so that when the answers were printed the student's name would be on the paper. The instructor told us that although we all should have identical answers to be 100% correct, we shouldn't get any ideas about printing out 1 paper for each of us since the author's name would be at the top of every sheet.
I looked into the "encryption" and it was simply a list of ASCII numbers representing the name. It was easily modified in the file, thus we all could turn in the same paper as anyone else by typing in our names as ASCII in the same file then printing it.
This was for "Gold Run snowmobile Inc." for MS windows Third Edition by Leland Mansueltti and Keith Weldkamp.
Irwin/McGraw-Hill
I think all "Peach Tree Accounting" software has this major flaw. but you know what, if I had cheated (I never cheat!) I deserve it since the authors charged me over 100 bucks for their book/software. If moron-publishers get paid for this and I can outsmart them, then I say fuck em. When the student can outsmart the master it is time to change roles.
I would never waste my time on proprietary software. I have found bugs/exploits in commercial stuff (incl OS's) but never reported anything. They make money off the stuff, keep it closed sourced....Nope, won't help them. Sooner or later the bugs/exploits get discovered by malicious ppl, and someone (who didn't use OSS) gets their balls busted. If you get hurt in the process, you should not blame me. Blame the idiots using the stuff!! (picture me calling the bank and whining about the choice of their SW :)
Anyhow, I consider myself a part of the OSS movement and will not aid the greedy (but mostly stupid) closed source guys.
The borgs and psychopaths have taken over...
You shut up...
You don't report this. Simply you don't. You are too vulnerable.
After you graduate, if you want to report it, send hard copy source listings to admins of the system at the college, the company that runs the software, and several professors in the technical areas of your college. You then forget this and don't ever think of it again.
Destroy the computer, the hard drive the printout you had was created on. This is so you cannot be determined to have cheated at your degree if you ever DID get "located".
I suggest wiping it with the software that PGP comes with then taking a road trip to celebrate graduation to a couple states away. If you're in California, visit Iowa. If you're in New York, I would have to say GA is nice in May. Leave it in a dumpster somewhere mixed in with nothing else of yours.
I think in 10 years there will be a system of computer ethics, or a government board that you can report this stuff to with a condition of amnesty. It's all too new to too many people for that to work right now, so you just have to practice silence.
Want to see every step I took to start my company? http://www.rowdylabs.com/blogs/pitchtothegods
I remember in high school where I figured out a way to gain entry to the school's VAX server (remote offsite, connected to the guidance office by fiber), that stored grades/schedules/library catalog etc.
Since I knew the IT admin very well, and he was not a nazi admin, I told him about the hole.
Although not as a direct result of my actions, the hole is fixed, etc.
It's tempting to modify your grades, but why bother? When you go off to the real world, your coding ability/problem solving ability/people skills will speak for themselves. I find it better to pay attention in class and study for knowledge. (I could give a shit about my grades)
I'd recommend what others have already said. Get some legal counsel. I know most schools offer student legal counsel for free, but I suggest outside unbiased help. (Someone who wouldn't be tempted to use this info for personal gain or against you)
If the software company responsible for this denies you, your choice is either shutting up, or re-mailers.
Important code like this should be peer-reviewed, I'm getting sick of companies claiming that it's the EU's fault for problems w/ their security, and saying that they should deal w/ it.
I see knowledge as something everyone should have, which is why, instinctively I would say release the holes now. Although I prefer that the company be given the chance to fix the holes. Along w/ DMCA idiocy... ugh.
Get a good outside lawyer experienced in DMCA/Computer Software etc. Not one from the school (be easier to figure out who you are for campus ppl). If you're paranoid, (which I recommend till this is settled) don't do communications about this over school networks (phone/data) or even use public terminals to talk about it (again that can be logged, I've seen kids get busted for malicious hacks by police while sitting at public terminals, not your case but indicates most sane schools monitor accounts closely)
Good Luck
Stay anonymous. Do the COST-BENEFIT analysis (seriously).
In this climate, you have everything to lose and very VERY LITTLE to gain no matter how cool you think it is.
The school must follow no laws but its own and can expel you, and I PROMISE you that somewhere somehow you violated their AUP or TOS.
The vendor can sue you, and even if you beat them you are stuck with a HUGE legal bill.
You can get some overzealous local DA trying to move up the ladder to take you on. If you don't have a lot of money you are a tempting target for obvious reasons.
You need to understand the DMCA (and companies who file suit under it) claiming that attempts at circumvention are illegal.
And what would you gain? I think you'd be surprised at how very little unless you want to work for a security company, and even then that is tough. Folks with hacking pasts are often radioactive in the IT world, and with big companies especially so. You'll have a very hard time getting a background clearance.
I'd notify the vendor and some lists 100% anonymously (and not just spoofing an email). If they don't act in the reasonable time frame full disclosure and it will be sure to get fixed. You've done your part, with none of the baggage.
You need to think through how limited the upside is. College kids love the challenge, and want to feel proud for doing the right thing. Commercial companies hate to be embarrassed, and will sic their lawyers on you if given half a chance.
Blackboard already went down this route I think with some kid they sued to convince him that he hadn't found a vulnerability. Much of the business world does not particularly care about right and wrong, what they do care about is $$ and lawyers.
College is wonderful, don't let it fool you.
And frankly, given that the industry has forced through so many ridiculous laws (UCITA anyone?), give them a fair 30 days but then go full-disclosure. What goes around comes around.
The technologies for releasing sensitive and dangerous information (i.e. in some cases, "whistleblowing") are out there. You simply have to use them.
If I were in your position, I would simply do this. Package your documentation of vulnerability, along with exploit, and everything else that you've compiled on the subject. Take this document, sign it with a private strong encryption key, and upload it to Freenet. Then, once it's out there, see that the freenet "key" falls into the right hands (i.e. university, software developer, security lists, etc). This part can be done anonymously either using anonymous remailers or just going to some internet cafe and using one of their machines. Once it's out on freenet, simply knowing the key is no proof that you are the author of the exploit, even if someone were miraculously able to track you down for posting the key.
Then, at some later date, once the heat has died down (and you've graduated), you always have the private key used to sign the initial vulnerability and you can prove rightful credit for finding it, if that is important to you.
I.e. in short, publish it anonymously, but sign it cryptographically so if at a later date you wish to prove that you were responsible, you can in a way that can't be refuted.
These are great days for whistleblowers.
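The scheme sketched in the comment above (publish the write-up anonymously, sign it, keep the private key, and prove authorship later by showing you still hold that key) as an added example in Go; it is not code from the thread or from any of the tools named in it. The report text, the seeds and the challenge are constructed sample values, and Ed25519 from the Go standard library stands in for the PGP/GPG signing the commenters mention.

```go
// Added example (not from the original thread): anonymous publication with
// a detached signature that lets the author claim credit at a later date.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Disclosure is what gets published anonymously: the report, a detached
// signature over it, and the public key needed to verify that signature.
// Nothing in it identifies the author; only the private key does.
type Disclosure struct {
	Document  []byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// KeyFromSeed derives a deterministic Ed25519 key pair from a 32-byte seed
// (used here so the example is reproducible; real use should call NewRandomKey).
func KeyFromSeed(seed []byte) (ed25519.PrivateKey, error) {
	if len(seed) != ed25519.SeedSize {
		return nil, errors.New("seed must be exactly 32 bytes")
	}
	return ed25519.NewKeyFromSeed(seed), nil
}

// NewRandomKey generates a fresh key pair; the private half stays offline.
func NewRandomKey() (ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, err
}

// Publish signs the report and bundles it with the public key for release.
func Publish(priv ed25519.PrivateKey, document []byte) Disclosure {
	return Disclosure{
		Document:  document,
		Signature: ed25519.Sign(priv, document),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// Verify lets any reader check that the report was not altered after signing.
func Verify(d Disclosure) bool {
	return ed25519.Verify(d.PublicKey, d.Document, d.Signature)
}

// Fingerprint is a short, stable handle for the public key that the author
// can quote when later saying "the disclosure signed by key X was mine".
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// NewChallenge is issued by whoever is checking an authorship claim. It must
// be fresh and random: a proof over a value the claimant chose, or over the
// published document itself, could simply be copied from the publication.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// ProveAuthorship signs the verifier's challenge with the private key.
func ProveAuthorship(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// AcceptClaim is the verifier's side: the proof must be a valid signature
// over its own challenge by the key that signed the published disclosure.
func AcceptClaim(d Disclosure, challenge, proof []byte) bool {
	return ed25519.Verify(d.PublicKey, challenge, proof)
}

func main() {
	priv, err := NewRandomKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample standing in for the real vulnerability write-up.
	report := []byte("Constructed sample: grader accepts unauthenticated score updates.\n")
	d := Publish(priv, report)
	fmt.Println("published signature valid:", Verify(d))
	fmt.Println("key fingerprint:", Fingerprint(d.PublicKey))

	// An altered copy of the report no longer verifies under the same signature.
	tampered := d
	tampered.Document = append([]byte{}, report...)
	tampered.Document[0] ^= 0x01
	fmt.Println("tampered copy valid:", Verify(tampered))

	// Years later: the author proves key possession against a fresh challenge,
	// while someone who only has the public bundle cannot.
	challenge, _ := NewChallenge()
	fmt.Println("author's claim accepted:", AcceptClaim(d, challenge, ProveAuthorship(priv, challenge)))
	impostor, _ := NewRandomKey()
	fmt.Println("impostor's claim accepted:", AcceptClaim(d, challenge, ProveAuthorship(impostor, challenge)))
}
```

The published bundle proves only that whoever holds the key wrote the report; it is the challenge-response step, not the old signature, that later ties the claimant to the key.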
Why not just go to them and tell them you have found a couple of very serious exploits, and refuse to tell them what they are until you have determined whether or not they will try to prosecute/discipline, whatever. They surely can't do anything to you if they have no proof that you really have done anything. Actually, I have reported bugs to Admins of MSN Chat without a problem, as well as to a large regional ISP (which I was doing tech support for at the time). In both situations, I was used as a resource, and I continue to confer with them on security issues occasionally.
... or one of his employees, such as the campus priest or rabbi.
IANAL, I think a "confession" and request for guidance would obligate him to protect your anonymity.
Give the priest the same disclosure information you were going to supply by other methods, along with a printout of this thread so he can understand the issues you are dealing with. Let him deal with informing the university, IT department, etc.
Before you go public with the software exploits, be sure to contact www.thefire.org. They offer legal advice for FREE. They are very useful.
Enjoy.
Then you've dirtied your hands, and
that could be linked back to you, once they figure out that person didn't send it, a probable hypothesis would be that someone like you did it to
get at them.
...can you make such a trivial thing as bug reporting a complex legal issue.
I would just contact the local admin, tell him what's wrong, hand out the proof-of-concept and let him sort it out with the developer company.
Bot Assisted Blogging
If it's WTAMU or one of the A&M schools, then RUN AWAY... They have a long history of blaming "innocent/white hat" people that inform them of the security holes that they have when those holes are exploited by real black hats.....
You know you've been doing tech support for too long when seeing "169 of 254 comments" makes you laugh.
They don't hesitate when it comes to ripping off others so they can live like kings. It's their job to make it secure, not yours. If you do anything to hurt them, they'll do what they can to screw you. You simply can't trust wealthy people as they've already sold out. My advice, bury it or use a mixmaster remailer to publicly post it for all to see.
Money is the root of all evil. Those with money are rooted in evil, no matter if they understand or not. Greed and power corrupt all. A camel has an easier time climbing through the eye of a needle than a rich man through the gates of heaven.
God save America, it's the only chance we have left.
Just in case you forgot, almost every professor out there keeps a copy of their grades ON PAPER. If they suspect anything has been changed on Black Board, er the online system, they'll reference their paper copy. Henceforth, you're screwed.
Self realization: I was thinking of the immortal words of Socrates, who said: "I drank what?"
Remember the Kobayashi Maru? The no-win scenario?
Kirk cheated.
That's what I suggest be done here. If we can re-program the simulation to come out on top, I see no reason why we shouldn't get a commendation for original thinking.
Kirk didn't like to lose. Neither should we.
Is this truly the only Earth I can live on?
It's getting very sad. People can not identify a problem and bring it out in the open. People are scared shitless to speak of any problem for fear of being destroyed. Why can't people just come forth and tell the party involved that they have discovered a problem with the software. This guy knows about a problem, yet most likely will not tell anyone. The problem will exist forever. This is why the world does not better itself. Problems only exist because they are fostered and promoted. This is another example of FEAR. Sad... Very Sad....
I've found that frank and immediate disclosure is the best policy. I've found several security issues at both my high schools, plus an issue or two with the University network. Before, I would hesitate on reporting, but then later got in trouble for it. Now, I'll immediately notify the IT staff of the issue. They take me seriously, and there has never been an issue with getting into trouble.
Having already written a proof of concept might bring you trouble, but be open about that too. Tell it to the highest guy up that has a clue about computers, and isn't afraid of them (like most management).
He who laughs last is stuck in a time dilation bubble.
That's easy. My desire to live a peaceful life and tendency to avoid very serious situations would force me to do one thing:
:-)
Not tell anyone. Screw it.. If our nation feels it needs the DMCA so bad, then let it reap the consequences. There is no point in putting your future in jeopardy over trying to appear as a smart, ethical hacker.
This isn't Hackers or Sneakers, it's real life. Screw up and you might not have another shot of something so nice as a college education.
Silly kids these days. They always have their head in the clouds.
do like the FBI did to him.
SHUT THE FUCK UP!!!
in other words, keep it to yourself, unless you want the feds to put you away for hacker terrorism for 20 years.
What about a clearance level for those admins who need to know how to access software bugs. These would have to be federal and recognized by all academic institutions as superseding school level laws. This would be 'given out' like a DOD level clearance and policed the same way. Corporations would sponsor this clearance. Educational institutions would be able to have fees waived / absorbed by corporations. Anyone with this clearance can be contacted by someone reporting a bug / exploit activities. Alternatively have a submission form that would handle disclosure and reporting to necessary party. Submitter is immune to legal ramifications of detection and noted in the trusted system for future, along with all identifying information so that if a school questions this activity, the school will be able to rapidly learn of the student's having followed the correct procedure. Recipient will filter the bug into the system. Make it policy to release submitted information (after a certain time period) to bugtraq/etc to motivate / ensure the rapid response of the party whose work has been knowingly, officially compromised. Thoughts...
There was a city in Texas, Dallas I think, whose city clerk's office had a wide open AP. A wardriver is nice enough to point it out, but gets smacked down with criminal hacking charges, probably because the idiots were embarrassed about being own3d by a Pringles can.
Moral of the story: Forget being nice. Knowing more than "they" do will only land you in trouble. Either give yourself an "A" or forget about the whole thing.
-R
I happen to know a lot of people in the IT departments at Va Tech, where they use Banner. I can tell you that Banner is HATED there. A recurring comment is that the people who made Banner must consider compilation a proof of success. Worse, I've heard it said repeatedly that Banner is the worst spent money many of them have ever seen... and that's saying a lot at a state institution.
I've found that my posts don't format quite right w/o a sig.
Given that an unscrupulous person finding out about the exploit could really mess up the marks in your class, I'd say that it's a good idea for you to notify them of the problem in some way or another.
Free Software: Like love, it grows best when given away.
CERT, or a similar agency can contact the relevant software distributor and the university but still keep your anonymity. They have a better chance of giving a trusted opinion that does not involve lawsuits.
I'm making the assumption that the software you found a problem in is Blackboard. I apologize if that is not the case, however, I would still be happy to take your discovery to the vendors of whatever software it is on your behalf.
I work for a major university as the Blackboard programmer/administrator. I've been working on the Blackboard code for years, making substantial modifications to the Bb system to suit our university. I've found my share of bugs, problems, and more than one gaping hole. Blackboard is riddled with XSS, input validation, SQL insertion, replay, predictable sequences, and I'm sure countless other vulnerabilities. Quite frankly I'm amazed at how few breaches I hear about.
I think you're right to be careful, but try to not get carried away. At least in our department, we're eager to hear about problems and fix them. We're not interested in ruining someone's college education. However, you should be careful about who you contact. At our university, the usual IT people are paranoid. You need to get as close to the people who deal with Bb as you possibly can. Contacting a suit in upper IT would likely get you the slapdown. Start lower. You're looking for the geeky programmer who deals with Bb all day long and would drop everything they are doing to fix a hole in their system.
If you are not comfortable contacting representatives at your university, feel free to contact me about your discovery. This sort of stuff is what I do, and besides, I'm already on Blackboard's shit list. I have another issue to report to Bb, (the aforementioned gaping hole) and I'd be happy to send your information along with it, with or without your name. jeff (somewhere near) jsnider.net
What more needs to be said?
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
No it doesn't.
Funny how, in a post joking about Latin spelling and grammar, you manage to misspell a simple word.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
obviously you shouldn't use CD, it might get lost in the mail! Instead, post full exploit source code (essential) and any other information (also important) to many high-profile newsgroups from an anonymous computer - say, at a local library or internet cafe - and watch 'em sit up and take notice real fast. Even if the program isn't fixed, you've managed to relay the importance of using SECURE, OPEN software to all concerned. Right? Right!
> Naturally, I want to share this information with
> their software engineers, and would even be nice
> enough and suggest a means to fixing it.
Drop the ego!
Go to a public library and email the appropriate people anonymously.
If you still want to show off your skills to your buddies, then gpg sign your email, so that later you can prove that you wrote it.
--
jpa
- the time (5 years? I'm rather sleepy headed now) is reset upon payoff even if 1 day before the 5 year period/expire
- said blotch on your credit report is a category 1
- You will end up paying for any collection activities and "padding" outside of the actual interest
- the credit card agency has already counted off your amount as a business loss
- If at the end of the time period you do not pay, then you are "in the clear"
This concludes with: Their system is obviously not geared to assist you in doing the right thing. When attempting to speak with their collection (internal) folks they are very rude, belligerent and well... just plain illogical and patronizing. They will say things (in word and in print) like, "If you pay amount X in 14 days (the usual scare tactic time) we will consider removing the negligent status on your record." What they fail to mention is that while the "negligent status" is removed, the actual record (as mentioned earlier) is still on your record for a period that has now been reset at the time you paid. They clearly have no problems with this and do not understand how it is not conducive to them getting their money. Dead beats are one thing, but so vehemently punishing those who either eventually come to their senses or just happened across this crap and want to make good, is just foolish.
Ahh, the bureaucratic mind...
You make it sound as if he has the hiding places of both Osama Bin Laden and Saddam Hussein, but won't tell. Were you by any chance the inspiration for a character in "Enemy of the State"?
Even if the University understands that reporting these bugs probably means you didn't want to exploit them, they have an obligation to investigate if you, or anyone else that has found these bugs have done so anyway. And if they have your ID, you're an easy "target" of the investigation.
So you don't give them ID. If it's reasonably hard to get your ID, they'll most likely revert to actually checking the vulnerable systems instead. But you don't have to go all cloak-and-dagger about it.
Kjella
Live today, because you never know what tomorrow brings
PS: I am SO Not a Lawyer...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
In this situation, the best thing to do is panic. Throw your arms up, scream at the heavens, run around naked and panic.
-Yim
yessir
Wansu, th' chinese sailor
I'll take good care of it for you
First of all, ethics has nothing to do with this.
You're not worried about the ethics of the matter,
if you were, you would've checked _FIRST_ to see whether what you were about to do was ethical.
The real question you ask is: "how do I get away with blowing the whistle?"
It would, of course, be unethical to not notify the software makers, or the university, about such a vulnerability, but you should've talked to them about your suspicions in order to be ethical.
After all, who knows what you could've broken in the process?
So you sent yourself up a certain waterway without a certain instrument, and that's just too bad for you.
Original idea.
Well, mostly.
I was working on a site for a client, and discovered a vulnerability that was easily exploitable in a Credit Card interface for a large, well-known company.
I sent details of the exploit, complete with working code samples to the company in a carefully written, detailed, email.
About 2 weeks later, I got a phone call from a *very* agitated man who kept saying over and over: "it's not really a problem". I simply listened; I had nothing to say since it'd already been said. I didn't say anything, and he eventually hung up on one of the weirdest phone calls I've ever had.
The vulnerability allows me to buy anything I want from any client site of said large, well-known company.
So, speak your piece. Send the details to the company/vendor, along with full details, exploit code, everything you know. Make it clear that you are not going to publish it, or at least make clear the conditions that would make you feel it necessary to publish, and put the onus on them.
I did, and I have a clear conscience.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I think he should submit his information via a mailfriend from a FOREIGN COUNTRY. Send it to him (preferably by snail mail, because that's harder to trace back to you) and have him mail it to whoever it should be sent to. Even safer than most attempts to remain anonymous (Everything on the Internet is logged and any letters you write have your fingerprints and maybe your handwriting on them) and it gives you a return channel, should they want to contact you. And they won't be able to touch your friend unless they can convince George W Bush that your exploit is a WMD and that he should declare war on your friend's country. (I wanted to put a smiley here, but something tells me that this remark is not as funny as it should be.)
Simple, submit the info of the exploit and fix to CERT and they will take care of the rest.
use the exploit extensively! ...
:)
:)
until it gets really really annoying.
then leak the exploit code with details anonymously
that should get them off their butts
oh, and use an acoustic coupler and a public phone
Firstly, you have to deal with the issue that you tested it.
If you are not confident that you left no traces then shut up about it:)
If you are confident, use several remailers to email the exploit to them. (You must be anonymous)
Let them know that you expect them to post the fixes on bugtraq within 2 months or so (give a specific date). Let them know if they don't submit it by then you will. That gives them time to save their ass, and lets you know whether they've done anything about it without risking your ass by running the exploit again.
Good Luck. Hope all goes well
"you had better be able to prove that you have not altered your grades"
Er, what? This is the guy who's trying to stop everyone else doing it. As if he's really going to go in and set himself up a bunch of As then tell you how he did it.
"If this means a call to security then I am obligated to do that"
You'll call in the cops. This guy is trying to HELP. Get your head out of your ass for a change.
"Example, next year you suddenly become a honor student"
And supposing you've chosen to do nothing, and his - that is the chap who's being honest here and trying to HELP, read that last word again: HELP, as opposed to HINDER - grades do suddenly leap, (a) he could be putting in a load of extra work; it doesn't automatically mean he's cheating (b) how do you know it wasn't one of his unethical colleagues deciding to make things difficult for him, especially if he's trying to stop him from increasing his own grades and he (the unethical one) now has an axe to grind?
To the OP - what I would do is one of the following:
(a) Don't publish at all. Let others cheat. After all, if your final grade is determined by absolute score, rather than relative score, which IIRC is the case at university (and was the case in the UK when I got my degree, although admittedly that was last century), then you have nothing to lose by everyone else getting a 1st.
(b) Post anonymously. I wouldn't bother with the PGP public key, it won't become advantageous to come forward for the credit; you will automatically fall under suspicion and everyone (as evidenced by the STUPID rant I'm replying to) will automatically assume you're guilty.
My identification so you know I'm not full of shit: -- http://features.slashdot.org/features/03/04/14/1846250.shtml
They will sue you immediately. Being students, we are in VERY different positions from 'respected' researchers at larger corporations. You are a small student with low cash resources, you do not have the ability to fight small legal battles, let alone those against a large company in a high-tech case requiring very expensive tech-law specialist lawyers so you don't goto jail.
As you likely want to publish it anyway, (which is understandable) I recommend a few options: 1) Publish anonymously, preferably in the underground. Bugtraq, 2600, and other such resources are recommendations.
2) Find some professor or at least some person with a respected position to publish with.
3) Get word of the security vulnerability strictly to the company (i.e. Mass Fax Spam, phone calls, etc.) After that go blackhat if they do not fix the vulnerability. (They won't BTW)
Bottom line: DO NOT PUBLISH IN A PUBLIC FORUM UNLESS YOU HAVE A PROFESSOR OR SOME OTHER SECURITY PERSON MUCH HIGHER UP TO PUBLISH WITH YOU. And under _NO_ circumstances should you publish with full disclosure. Students doing full disclosure almost demands a lawsuit which will break you. Go blackhat long before you go full disclosure.
E-mail me virgilNO_a,t_yak_SPAM_do,t_net if you'd like to talk more about this.
Good luck,
-Virgil
If you allow me to push my 2 cents down the stack, then my opinion is the following:
You certainly need to somehow notify the vendors and the users of the software (schools).
But they may sue you (the freaks), so you had better do this anonymously. You may be a clever security analyst, but I surely don't think you're alone, and I also don't think the others who are clever in reverse engineering aren't reading Slashdot.
So their interest may only be boosted by your article, and the bug will soon be exploited whether you want it or not.
I would suggest you follow the following strategy:
- Inform the vendor about the bug including all details anonymously (via a chain of cypherpunk remailers), threatening full disclosure in 15 days
- After 15 days, post (anonymously again) all the gory details on some software security mailing list, like BUGTRAQ.
You might also contact CERT.
I hate the country where people wishing to help are ending up being sued for wishing to help.
P.S. Make sure there is no SCO code in the accounting software! If there is, the vendor is already deep in sh*t.
Alexander Svadkovsky
Post the exploit as A/C on slashdot.
1. Post notices on campus saying that you can help people improve their grades. :) :) :)
2.
3. Profit.
Future Wiki -- If you don't think about the future, you cannot have one.
Along the lines of what some of the others have already mentioned about finding a professor that you can trust.
I'd suggest communicating with a well known, respected professor from outside of your country (which I'm assuming is the US). I can suggest one from England who has written multiple books, some of which I'm informed are used by many US universities as course books. Admittedly he isn't a software professor, he is on the hardware side of things, but he does have some pretty sizeable influence in computing in general. I won't reveal where he has this influence or who he is, as I'd prefer not to name him at the current time, i.e. he might not like his name being brought into this, though I could act as a go-between if needed.
The advantage of this is it becomes a little harder to track you down, and some laws are different over here (I'm not exactly sure if these would make a difference though).
Two years ago at my university, a major exploit in the grade system was found. A business major called the IT dept and claimed to be a professor who had forgotten her password. She then took her newly supplied pass and fixed her grade. Unfortunately this girl was too stupid to keep it low key and got caught, but I'm sure that many before her hacked the system the easy way.
If you are looking to change your grades you might as well do it the easy way.
Uuhhhhh
You are identifying with Kirk as a real world persona. You are using a made-up story to justify things in the real world.
You need a REALITY CHECK!
The funniest thing is, the poster in question was moderated up...
You should not have written any code.
Instead, report your findings and suspicions to the school. That's where your responsibility ends. It is not your responsibility to find a way to counter the exploit or to expose those behind it.
When people take the law into their own hands they're called vigilantes, and they expose themselves to unknown legal risks.
-- Slashdot: When Public Access TV Says "No"
if I had points I'd mod this up.
Who makes you Sig?
I reported an exploit to MS. They came up with a fix. It's been over a year and they still haven't released the fix to the public.
This reminds me of when we had an interviewee who pointed out a vulnerability in our web server (one guess: IIS) and said that if we hired him he would fix it for us. We told him he was lucky we didn't pursue legal action against him and to never contact the company again. If he had been more tactful about it, we probably would have hired him for reasons other than the vulnerability. The vulnerability was already well-known anyway.
-----
Web Hosting @ HostForADollar.com
He should delete all his "exploits", keep his mouth shut, and if somebody challenges him, he should deny it like hell.
The kid is trying to do the right thing, but the laws and rules are stacked against him.
Keep your mouth shut, your head down, and just wait a few months. If the campus police show up, get a lawyer, and deny deny deny deny.
Admit nothing.
...or arbitrary frags number?
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Don't report the problem. Just be sure to give yourself straight As or whatever the equivalent is at your location.
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
True story-
Problem with servers discovered. Problem tested, shown reproducible, reported to school IT department (CS really).
Result: Academic probation followed up by academic dismissal for hacking.
Do NOT turn the code in, simply anon remail it if you have to.
Use one of the anonymous remailers to inform the software company of the exploit (and any ideas you have for a fix), with a promise that if a fix isn't forthcoming within a reasonable (and specified) timeframe the exploit (and any ideas you have for a fix) will be posted to a full-disclosure mailing list.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
if you are a trusted person, and the school administrators know you as a good guy, then tell them that you "saw" a known exploit and want to double check the software for this. IN FRONT OF THEM... this is the key. Then show them that you can change failing students grade to an A, and go from there.
Security holes I've discovered,
The records of grades are now mine.
What once was a one point five average,
Is now a three point nine nine!
I'm amazed that this is still a question any Slashdot reader may still have. The answer is remarkably easy.
The law does not want your help in making other companies' software secure. End of story. In fact, the law wants to put you in prison and throw away the key for making other companies' software more secure.
Do not exploit the weakness unless it is a normal part of the software's operation, and do not distribute the exploit for the software. Do not tell the software maker that you discovered the flaw, as you are more likely to be sued than thanked.
If you needed to do any reverse engineering to discover the flaw, then do not discuss the flaw, do not tell your teacher you found the flaw, and do not attempt to alter your grades by exploiting the flaw (unless, as stated above, the flaw can be exploited by using the software in its normal course of operation, without resorting to outside tools).
At least at the college I went to that seemed to be the case. I remember I started logging all the security problems I found with just some simple lazy man's poking around:
-No firewall at all
-Old HP-UX e-mail system with weak DES hashed non-shadowed passwords (Hello John the Ripper)
-Wide open Lexmark laser printers (MarkVision heaven)
-Unpatched lab computers everywhere (Winnuke heaven)
-Windows NT pre SP4 Servers
-Open relay SMTP
-Managed switches with default passwords
Then I sent an e-mail to the admin warning him of what I had found in a few days of poking around. His response was and I paraphrase but almost quote "You are a computer science student and have the ability to exploit those problems but the average student doesn't."
That was fine. I thought I would level the playing field by writing an article for the school newspaper outlining the holes and even gave URLs to download software to test out the problems. Literally within a few weeks a firewall was installed, default passwords changed, printers were locked down and all e-mail passwords were required to be changed with much greater restrictions on length and complexity.
As a side note, I applied for a job after graduating with the school IT department. I never even got a call. Small price to pay to help save the poor hapless students from getting their PCs owned.
I have written and -selftested proof-of-concept exploit code.
This part bothers me, but I am not clear on whether you tested this on your university's live system. If so, you have committed a crime.
If this is the case, I would recommend you turn yourself in, find the university computing services staff member who is responsible for the system, and talk to them in person. Tell them you have found a security problem, and that you have altered data on their system. Specify what data you have changed (i.e. your grades, or whatever).
You are in the role of damage control, if you have made unauthorized access to a system you do not have the authorization to modify. You may have broken the law. If this is the case, cooperate in an attempt to get no charges laid, and get the problem fixed.
If you have not attacked the university's systems, find a technical contact with the software manufacturer, and inform them you believe there are security problems with ___. Do not mention any exploit code in early conversations.
If the company does not respond to you informing them of security flaws, follow the full disclosure policy as outlined by RainForestPuppy's RFPolicy.
Strongly avoid releasing exploit code while there is no fix. That should be a last ditch attempt at forcing them to admit there is a problem. Also give them lots of time to get their fix out, once they do acknowledge there is a problem and want to fix it.
The ethical thing to do is to take responsibility for your own actions, then to help serve the public good by reducing the security risk to all those vulnerable systems by attempting to get a security fix released.
Don't do anything about it at all. If a student is clever enough to figure out how to give themselves higher grades, then they probably deserve them. ;)
quidquid latine dictum sit altum videtur.
1- (said by others) By taking the focus on the student, you discourage any other altruistic (he would give the time he invested in this) and useful discoveries. Starting a witch hunt does nothing productive.
2- You are only concerned about covering your ass. This is horrible, especially because the security hole is NOT your fault! Do you measure the consequences for that guy??? You would break his career (before it started) for helping you!
You are an irresponsible bastard, and if you were my sysadmin, I would FIRE you. Your job is making the system secure, wherever the info you use comes from. You probably are the type of guy who does not want to go to "hacker sites" even if the info is crucial to your job.
You're not old until regret takes the place of your dreams.
... then turn them in.
Nobody will believe them. End of story.
I'm working on the assumption that you're working in a CS or engineering program at your university. If that's the case, hopefully you've got a professor (or even a Graduate Asst./TA type of person) whom you trust and respect and who hopefully respects you. I would suggest talking to such a person, lay out some of the details of the discovery of the exploit, tell him/her that you've got a working exploit and that you're concerned with getting it into the hands of the company so that they can fix it but that you're also afraid of the consequences.
Hopefully, the school should also want to get it fixed before you drop the exploit bomb on Bugtraq (all of a sudden, every CS student graduates Magna Cum Laude) and maybe you can find a sympathetic administration-type person to help you through this potential minefield.
You might also look into talking to someone at the (assuming your school has one) law school. You'll be more likely to find a sympathetic and understanding ear in the legal academic community than in the school's legal department.
Good luck.
BFL
There's one thing computing teaches you, and that's that there's no point to remembering everything.
--Doug Copland
Shut up, I've been using that vulnerability for the last two years. If you let it out of the bag, thousands of students around the country will be looking for you.
Go to the university, not the software company. If they treat their vendors the way typical corporate customers do they'll get that fix done fast.
* Please do not read my signature.
Since you are concerned with how they will react to you, I suggest you allow someone else to approach them. Hushmail is one way, but another is to disclose the details to me. As the NTBugtraq Editor, I frequently approach Vendors with exploits that are, at the time, unpublished. I phone them, find the appropriate person to speak with (usually within their Management, not tech support) and apprise them of the issue. With the right person's email in hand, I forward the issue to them (from my address, with your information completely removed). I expect, and get, a reaction within 2 business days, and then move on to the resolution phase. I get them to explain how long it will take to fix, and why, and keep after them monitoring the progress of the fix. When a fix is ready, I get a copy before they go public to test.
Of course throughout this process I send you a copy of all communication with the Vendor. In your case, I'd ask them how they would react to the person who discovered the issue, so you'd be able to see what their reaction would be. You're free to jump in the communication any time you want.
I seek no credit in the affair, and any publication of the issue would bear your name (or nym, whatever you prefer).
Once the fix is done, you can write up any explanation you deem appropriate. I encourage people to do this responsibly, and not disclose sample exploit code and/or complete details on how to exploit the issue. It should be easy to describe the issue sufficiently to provide an accurate indication of the threat without such details, but it's your call. Again, you can use your own address to send the write up, or I can do it for you.
You can read my short disclosure policy at http://www.ntbugtraq.com/policy.asp
Cheers,
Russ - NTBugtraq Editor
Russ.Cooper@rc.on.ca
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
As with most vulnerabilities:
:-)
Notify the vendor via e-mail. Include all that you know about the vulnerability. Make at least several attempts to contact them.
If for some reason the vendor does not respond in a reasonable amount of time, post the vulnerability on the Bugtraq mailing list (www.securityfocus.com); many software bugs are posted there along with their fixes. State that the vendor failed to contact you regarding a fix.
Use the media sparingly; if they are rude to you, let them have it. Considering the debacle with Diebold and the voting software, the media would certainly like to have a story about automated grading being haxered.
I'd suggest remaining anonymous during this process. No one likes to be told their software sucks.
Good Luck
If your College/University has a law school then you might be able to look there for advice. If the university has such a school then it is possible that they may have one or two professors who can advise you in this matter. Unlike the School's Legal staff they are not bound to protect the school in the same way.
I would still be wary when approaching them, you don't want one of them to cause trouble any more than any other. But it might be a good direction to turn.
I don't know what your school is like (and I would consider such things on a school by school basis) but I know my brother was once accused of hacking when he showed his employer that you can get through Windows 95's password prompt by clicking cancel. I'm guessing the network admin didn't want to admit to having been so inept.
Edd
At worst, you can boot a terminal in single-user or with Knoppix and
I hereby place the above post in the public domain.
Okay, so two stories, one from Jr. High, one from Highschool.
In Jr. High, someone was giving out the admin password past FoolProof (a Mac protection software that was incredibly simple to bypass at the time). Anyway, I tried to inform the IT guy, and he blew me off, saying that I didn't really know the password. So I put on a little app that made the computer belch.
Someone snitched, and I ended up in the principal's office. I tried to plead my case; it wasn't like I hadn't tried to do the right thing, and when they wouldn't listen I gave them something they couldn't ignore. Detention 4 weeks.
I should have learned from my first experience but I didn't. In high school, the network was completely insecure. You could print to any classroom across the whole school district, and everything was named quite nicely. Once again, I was blown off when I tried to say this was a bad thing.
Not only were all the printers there, but a number of computers were open with read access to everything. So I opened a network connection to every shared disk along the network and started a find for everything. The IT guy in the lab looked over my shoulder and asked what I was doing. Detention again, this time for "Slowing the hard drives down."
If only more people got into trouble for changing the laws of physics.
=================
Unix is very user friendly, it's just picky about who its friends are.
If you send CERT anonymous mail it is in their interest to handle the problem and it is in their interest not to try and figure out who you are.
CERT however only really works out well if the vendors will co-operate. It is nevertheless a responsible starting point, and if you want to motivate them be sure to tell them you have witnesses that you told them and of the date you told them.
Also understand that most college people won't want to know. They have what government likes to call "plausible deniability" if it comes out. If they've been provably told the system is insecure and then people hack grades and the values of degrees from that body go down then they get all upset about class action lawsuit issues.
I've been in the same situation before.
My school used to use RM (a supposedly security enhancing program) to keep people from using too much space and running every program they wanted to.
I found several very critical bugs in it that allowed me to do anything: change people's settings, browse and change things on the server. I told my comp. sci. teacher (this was high school) and after hefty explaining, he watched over my shoulder as I proved it. With a little more tinkering I found other ways of getting in, and ultimately changing everything from schedules to marks. Most teachers understood and trusted me not to share this, and I didn't until they switched their systems.
Except for one teacher... who tried to get me kicked out. She is a comp. sci. teacher, though she has no clue what's going on. Started to accuse me of stealing, and of messing with the system. Thankfully nothing happened, because most other teachers knew me. The school approached me and asked me what to use; I said use Linux, it's free, and waaay more secure than all this.
They ended up using Windows XP (and depleting most of the comp. sci. budget), with an addon called Visual Castle. Well... I've found several bugs in it again, and I can see marks and change anything I want. I haven't... and never intend to do so, and don't intend to tell anyone I can do this.
My suggestion? Clear your hands of it all, and forget about it. Not worth losing your future over this; whatever they change probably won't make much of a difference. There is always another bug or misconfiguration lurking.
Including a PGP key is sort of overkill. Just include the hash of some random number, concatenated with your name. Your knowledge of that value proves your hand in the exploit. A key has basically no advantages over a hash in this case, as either could be changed by some party wishing to deny your involvement.
If you really wanted to make sure you could prove your involvement (IMHO there is little point in this), you could mail it through a timestamping service (eg stamper@itconsult.co.uk); they will publish (and mail to you, if you specify an account; maybe Hotmail?) a signature that they remailed it on that date.
I hereby place the above post in the public domain.
Anonymous letters work very well. First, send it to the developers with the problem and the solution. If they don't do anything in a reasonable amount of time, send it to the Deans. Then send it to the University President. Then send it to the press. If none of those work (which I doubt), file a civil complaint against the developers or take the matter to the police. That should put some fire under their arses.
At all times, keep copies for your records to prove that you were acting as a good samaritan and that you were giving plenty of time for the problem to be addressed. This should cover your legal bases and the anonymity will protect you even more if someone gets into a litigation state of mind. I don't personally see any reason for litigation here, though. You aren't acting as a criminal, and there are whistleblower laws that, with the help of a good lawyer, could be used to protect you if it ever came to that point.
+1 Insightful, -1 Troll. What can I say, I'm an Insightful Troll.
The way things are now, you'd probably be best off if you forget the whole thing, delete all the exploit code, walk away, and never refer to this again.
I don't recommend you actually do this, though. Actually, I don't have any recommendations at all. (I have to put this in to cover my own ass.)
I'm not a lawyer, either.
And you really want the admins to fix the problem.
And you really do have a fix.
Write a report. Save it as a plain text file!!! (I don't know what editor you use, but some windows products have a nasty habit of including some data you DID NOT WANT to be in your document!).
tar up your exploit code and your suggested bugfix. You should send source, which, again can be plain text. If you must send compiled code, be careful as above.
Email it to the person(s) responsible for the product. Start with the vendor. Give the vendor some time (30 days? whatever you think is appropriate), after which the customers will be notified. Indicate that this notification WILL take place on such and such a date, so they'd better have a plan in place if they don't want to be embarrassed.
Repeat the process down the line. Next send a similar email to the IT department of the university, telling them you'll email the administration within 30 days and this is their fair warning and chance to save face.
Next, university faculty.
Finally the public. This last one is solely to motivate the people in charge to get off their butts.
Follow Good Security Practices when you do this. This does not mean using private idaho, mixmaster, or a hotmail account from a public terminal. Those tools are useful, and I encourage you to look into them. But...Good security practices mean Keep your farkin' mouth shut.. Don't brag about this to anyone.
If you seek legal counsel or public advice on this, remember phrases like "Hypothetically, if someone..." "It is my opinion that the law should allow..." Provide no traceable details. Never say "I would", "I did", "I could", "I know"...
If you don't rat yourself out, you'll be fine. You'll accomplish your ethically laudable goal, and you won't suffer retribution for doing good.
D'oh! Maybe you already blew it. Hope the account you posted this with is not traceable!
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
SHOOT THE HOSTAGE!
Everyone knows that.
Vertical
72 CD D7 52 D0 7E D8 47 44 91 D5 84 D1 59 F1 A9-This is my 128bit integer. There are many like it, but this one is mine.
This story from The Register records what can go awry with a plan to inform someone of their security weaknesses.
The short of it: The lad's served his 18 months and is appealing to rescue his reputation.
Be Careful.
Help stamp out iliturcy.
If you want, email them to me. Chances are either we work with the software in question (if it's the leading college software application, than we do) or one of my bosses has direct experience with it. I'll make sure they go through the proper channels.
Dacels Jewelers can't be trusted.
I've probably posted this too late for anyone to notice, but it wouldn't be a bad idea to simply tell your professor, who wouldn't feel inclined to sue, explain to him why you didn't tell the company themselves, and request that he tell the company himself, and that he suggest he was told anonymously, so that he can't be forced to implicate you (if they do get sue-happy, they might subpoena him).
Moo
Try cert@cert.org -- they commonly act as honest brokers on this kind of thing.
If you tell them, they will lash out at you in ways you can't imagine. They will fuck you over. You are better off staying quiet, and laughing at their incompetence.
~
I had actually labeled my chair 'Joe hates Banner' at one point. My final breaking point was after the 4.x upgrade, when I had asked the SCT contractors to make a change to their system -- wrap some tags around the output, so that I could make all of the info text italic (wasn't my idea...the registrar wanted it). I was told to change the data, rather than the program, so they wouldn't have to keep changing it every upgrade.
Unfortunately, the standard SCT upgrade procedures are to completely wipe the existing database, replacing it with what they call 'SEED', and then reapply every change made. This includes changes made through Web Tailor, which would be all of the changes that I spent a week making.
If the problem is Banner, however, that's more than just a student issue, as it also handles salary information at some places.
Oh...and if it's not Blackboard or Banner, it might be Prometheus, which was bought by Blackboard last year.
Build it, and they will come^Hplain.
You've probably got at least one CS professor on campus who at least dabbles in security. If you're lucky, you'll find one who specializes in it. Talk with them. They'll know about safely making security vulnerability announcements. Heck, they may encourage you to write up a paper on the vulnerability (perhaps after it has been fixed).
Under the current climate (thanks to the DMCA), you should release this to the students who use the system.
I'm writing with sincere advice to not give up anonymity. I was a senior @ Phillips Exeter Academy in the beginning of the 2001-2002 school year. Exeter is one of the highest reputed and elite boarding high schools in the world. While I was there, the incompetent IT department screwed up their switch configuration so bad that for months it was as if they were running hubs. I discovered the problem innocently; I am to this day a White Hat. I was testing a daemon I was writing, and used ngrep. Since I had no other open connections and just needed a quick test, I did not specify a filter for libpcap, expecting to see maybe one Windows Networking broadcast. I started seeing SAT scores, medical information, college recommendations, personal E-Mail, payroll, not to mention passwords flying down my screen. I made the mistake of coming forward and reporting the problem to the principal of my institution. I left under a medical leave a couple months later after being unfairly targeted and having my network activity selectively investigated, my privacy violated. Throughout the whole Discipline process the school acted unfairly. I was not allowed to present my case to the D.C. The charge against me was changed after I handed in my written narrative of the incident, the only evidence I was allowed to submit. My Dorm Head recommended 'No Action,' or basically to throw out the case. I had strong recommendations from the Computer Science Department and one Math faculty, also, to throw out the case. I was a cohead of tech. for the Student Council, and had won the C.S. department's highest prize.
It was only too late that I realized fairness and common sense had nothing to do with the case. It was entirely political. The IT department there has taken fire for years, and for good reason: the head of the department was amazed when I showed her a traceroute, she had never seen it before, and had no grasp of any of the critical IT concepts: subnetting, routing, NAT, etc.
I had made them look incompetent, and even dangerous. Their only way out was to play the White Knights, haunted by an evil hacker. If I was just an unethical hacker violating the rules, then they would be good guys by opposite association. People would be slower to hold them responsible for the problem, and faster to offer them sympathy. I was found guilty, but not expelled. However, in order to pass 'review' I would have had to write a letter saying I was wrong and had learned my lesson. I left the academy the day after the case, never to return to class, never to receive the coveted Exeter Diploma, and never to write that mother******* letter. School life at boarding schools and colleges is a political world, and many of the same people who preach justice, democracy and ethical behavior are simply hypocrites.
It is also worth noting the problem went unfixed for at least 3 months after I had left. This, if anything, proves the incompetence of the IT staff there.
In hindsight, I should not have made myself known, or better yet, not have matriculated to such an institution in the first place.
I do not want to seem angry or spiteful, but I have seen this kind of thing happen over and over again to fellow programmers at schools throughout the U.S.
What you do with the information is up to you, you might want to consider finding an open, unlogged, SMTP relay and sending a brief description of the problem and your exploit code to the company that wrote the software, and leaving your school out of it. Eventually the patches will probably trickle down to your institution.
If you do decide to go forward, and they try to screw you, remember that no school can ruin your life, and no diploma or degree is necessary in order to be successful. I returned home to my public high school, graduated, and left college early into my freshman year. I am now the Sr. Systems Integration Engineer for a successful hosting and home automation LLC. I make more than those who I fought at Exeter 2 years ago, most of whom are still there.
Just remember, people in this industry hav
Mail an anonymous letter and a disk containing your proof of concept software to your technical administrator. He or she would hopefully do something about it.
--
Adobe's anti-counterfeiting softw
I am sure it's been commercialized. Drexel University in Philadelphia, for one, has licensed it and is encouraging all faculty to use it for their classes.
The preceding comments reflect the author's personal opinion and are public domain, unless explicitly stated otherwise.
I would use an anonymous remailer to send a complete document on this to the manufacturer; if you don't see a fix within two weeks, post it to slashdot. You might want to tell them in advance you are going to do that.
Hmmm ...
Well, I would imagine that SOMEONE at the business reads /. Amazed if they don't.
Or what would happen if they were simply sent a link to these postings?
Who's to decide what's "ethical" and "moral"? No sane professor would use such a system for something as important as large grades. Quizzes and stuff hardly make up any of your grade at college, so if you take the time to discover this vulnerability and exploit it, you deserve it. However, if you're at some other school and find out about this because it's published, and your professor is stupid and hasn't upgraded to a fixed version, do you deserve to be able to exploit this? Don't release stuff like this; sympathize with your fellow man. There are stoned, drunk, creative coders who love life more than class and deserve easy quiz grades for their time spent hacking. Don't take it on yourself to have stuff like this fixed; just enjoy knowing you have skillz and the developer doesn't (a professor nonetheless... they should be 31337++). Screw the institutions, use your skillz to better yourself and leave the opportunity for someone else, in a different situation than you.
why do you care? forget it
I agree that Kirk's cheating is probably not the thing to emulate here, but using fictional characters as role models and learning by example from fictional situations has been useful to societies for thousands of years. You just have to hope that the stories actually contain some transcendent truth. This was pretty reliable when the myths themselves were written for that purpose. Screenplays are iffy at best. I would not, for instance, take my daily dose of learnin' from an episode of Friends, but Star Trek still has more bankable life lessons than Slashdot.
taken! (by Davidleeroth) Thanks Bingo Foo!