Slashdot Mirror


Disclosure of Major Software Exploits by Students?

school-hacker asks: "I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide. Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and self-tested proof-of-concept exploit code. Naturally, I want to share this information with their software engineers, and would even be nice enough and suggest a means to fixing it. However, with the state of current intellectual property and reverse-engineering laws, I hesitate to do so out of fear of litigation or academic disciplinary action. As an ethical geek, what do -you- do?" While the responses from an earlier story might prove useful, here, there is always the possibility of the university making things harder for the person reporting the problem. How can students avoid both legal and academic trouble, when trying to notify their university of security problems?

26 of 503 comments

  1. the Slashdot way by ramzak2k · · Score: 4, Funny

    be an Anonymous Coward for a day!

    still better, post the exploits here, we will make sure they come to know.

    --

    Siggy Say, Siggy Do
    1. Re:the Slashdot way by magores · · Score: 2, Funny

      Black - Change your grade. Release it systematically, and quietly, to the wild next semester.

      Grey - Change your grade. Give it to the proper officials next semester.

      White - Uhhhh.... Ummm.... //scratches head\\... Hmm.

  2. Please post the exploit here by Anonymous Coward · · Score: 5, Funny

    and help college students across America 'correct' their grades.

    Allah thanks you.

  3. How about.... by kisielk · · Score: 5, Funny

    You send me the code.. and I will "examine" it to see if it would be legal. I'll get back to you about it after next semester? :D

  4. but of course... by meshko · · Score: 4, Funny

    you go to slashdot and brag about it.

    --
    I passed the Turing test.
  5. $.02 by Alien+Being · · Score: 3, Funny

    Tell them that you know how to do it and refuse to give them the details unless they can provide you with federal, state and local documents guaranteeing that you, your friends, and your family will not be prosecuted now or in the future for any illegal activity relating to this exploit, exploits of other academic software, or exploits of any software relating to anyone who ever attended college or anyone who knows someone who attended college. Be sure to specify that Arab Americans cannot be excluded from these guarantees.

    Also demand that the school indemnify you against any civil actions. While you're at it, you might as well require a statement that no military action will be taken.

    Finally, offer them your consulting services at $500/hr, minimum 10 hours.

    Disclaimer: IANAL, BIPOOSD (but I play one on /.)

  6. Re:Anon by gfody · · Score: 5, Funny

    don't forget to include a hefty ransom, and instructions for where to leave the money in exchange for the "master" copy of the code. remember, no cops.

    --

    bite my glorious golden ass.
  7. SCO's code probably made it into the exploit.. by dtperik · · Score: 2, Funny

    so be careful. Maybe you better just send them 699.99 right now to cover yourself. Then you'll be free to do what you want with it, without the fear of litigation.

  8. YOU DON'T TELL ANYONE by Dragon218 · · Score: 3, Funny

    I need to pass this semester. Don't ruin this for me.

    --

    "It's the little touches that make a future solid enough to be destroyed" --William S. Burroughs
  9. Are blank CDs anonymous? by Anonymous Coward · · Score: 1, Funny

    I remember hearing that blank CDs include individual ID numbers and burners will include the serial number of the burner in a special location on the CD. Is this true or is my paranoid memory making things up? A brief online search turned up nothing.

    1. Re:Are blank CDs anonymous? by ArsonPanda · · Score: 2, Funny

      Well, even if this wasn't the result of a standing EM waveform inside your foil hat, how would they know that this particular burner ID belongs to you? You did pay for it in cash, didn't you?

      --

      --I don't want the world, I just want your half.
  10. Re:If you want to avoid getting into trouble... by Anonymous Coward · · Score: 2, Funny
    the nail that sticks up gets beat down.
    This reminds me of a wonderful de-motivational poster...
  11. Use it to disclose it by donscarletti · · Score: 2, Funny

    Well personally I would have cracked into the program, using the exploit and dumped the exploit, and a file explaining it in a conspicuous location. That's sure to get their attention!

    --
    When Argumentum ad Hominem falls short, try Argumentum ad Matrem
  12. Re:Anonymous WHAT ?!?! by MillionthMonkey · · Score: 5, Funny

    Living in a police state doesn't have to be oppressive- it can be fun-pressive!

    The Internet offers no anonymity. So just print out the code on a locally connected printer (not a network printer). Wait until nightfall, then go to a conspicuous area on campus that is free of security cameras. Buy a can of spray paint (NOT online- that would be stupid!) and spray the working exploit code onto a wall of a building.

    Be sure to provide comments and please make sure the code compiles before you spray it.

    Then go home and throw your computer into a vat of nitric acid. And that's that!

  13. Re:How about.... by Xoro · · Score: 2, Funny

    I'll get back to you about it after next semester? :D

    Make that:

    I'll get back to you about it after next semester? :A

    --
    Kill, Tux, kill!
  14. Re:Find a professor you trust... by cliffy2000 · · Score: 2, Funny

    You know, every time I hear "quid pro quo," I can't help but think of this 8-bit Theater strip.

  15. Re:Anonymous WHAT ?!?! by Kenja · · Score: 2, Funny
    We call the Romans they go the house?

    It says Romans go home.

    No it doesn't.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  16. Re:Give Yourself an A by shmert · · Score: 5, Funny

    No, give your arch nemesis an A+++ 150% average, then sit back and watch. Everything will sort itself out nicely.

    --
    You drank my drink, you drunk!
  17. Not Blackboard! by LucidityZero · · Score: 2, Funny

    One of my best friends is one of the lead programmers for blackboard. So I would like to be extremely biased, and tell you that it can't be Blackboard that has issues!

    Can't we blame this on Microsoft somehow instead?


    --
    Sig.
  18. Re:Anonymous WHAT ?!?! by mwilliamson · · Score: 1, Funny

    It is possible, just difficult to post anonymously. I like to use stolen carrier pigeons for this. If you use your own birds, it doesn't work so well. You can get a couple MB of source onto microfiche ya know. Seriously, ever hear of cyberpunk remailers? Ever seen a lab / library / wireless network with no access control?

  19. Re:Give Yourself an A by Drakonian · · Score: 4, Funny

    A+++++++++! Superb student! Would teach again!!!!

    --
    Random is the New Order.
  20. Re:If you want to avoid getting into trouble... by PetWolverine · · Score: 2, Funny

    Nobody knows the passwords...

    This must lead to endless support calls from teachers.

    --
    I found the meaning of life the other day, but I had write-only access.
  21. Re:What's in it for me? by Stuart+Gibson · · Score: 4, Funny
    get assigned to find out for one of your papers. You've already done the work, so it should be an easy grade
    And if it isn't, well, you know what to do.

    Goblin
    --
    It's all fun and games until a 200' robot dinosaur shows up and trashes Neo-Tokyo... Again
  22. Re:Anonymous WHAT ?!?! by clarkcox3 · · Score: 2, Funny

    Sure there is, do it like the spammers do -- find an open SMTP relay somewhere in China or Korea, and send it through there.

    --
    There are no tiger attacks in my area and it's all because this rock I'm holding keeps the tigers away.
  23. Re:Anonymous WHAT ?!?! by wirelessbuzzers · · Score: 3, Funny
    Dunno, source code to exploits can be pretty long. It would be embarrassing if:

    The grades system is insecure. I have a marvelous exploit of this, but this wall is too small to contain it.


    --
    I hereby place the above post in the public domain.
  24. Re:simple? by robi2106 · · Score: 3, Funny

    While mailing the letters, do not ever handle the paper with your skin exposed so there is no chance of your fingerprints or DNA being deposited on the envelopes.

    Don't use your handwriting. Use a widely available laser printer, and a toner cartridge bought in a different state than the University involved. Purchase the envelope, paper, and toner cartridge with cash only. Do not keep any receipts.

    Mail the letters from a public drop box where no ATMs, drive up windows, or gas stations are nearby so you don't accidentally get on a security camera. Mail the letters on a high volume day, preferably 4 days before a major holiday (Christmas, Easter, Mothers/Fathers Day, Valentines Day, Thanksgiving Day).

    In case a camera may catch you walking by (never drive to the mail box), buy large baggy clothes you don't normally wear (with cash of course) and a wig / facial hair for your trip to the mail box.

    Destroy the clothes either by burning them far out of town in a campfire (don't drive near the campfire, bury the ashes), or by throwing them away in separate dumpsters on separate days of the week, in separate towns (preferably towns that do not send their trash to the same land fill).

    If you take these precautions then you should be ok.

    That or just don't mail the notifications.

    robi