Slashdot Mirror


Disclosure of Major Software Exploits by Students?

school-hacker asks: "I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide. Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and self-tested proof-of-concept exploit code. Naturally, I want to share this information with their software engineers, and would even be nice enough and suggest a means to fixing it. However, with the state of current intellectual property and reverse-engineering laws, I hesitate to do so out of fear of litigation or academic disciplinary action. As an ethical geek, what do -you- do?" While the responses from an earlier story might prove useful, here, there is always the possibility of the university making things harder for the person reporting the problem. How can students avoid both legal and academic trouble, when trying to notify their university of security problems?

13 of 503 comments

  1. the Slashdot way by ramzak2k · · Score: 4, Funny

    be an Anonymous Coward for a day!

    still better, post the exploits here, we will make sure they come to know.

    --

    Siggy Say, Siggy Do
  2. Please post the exploit here by Anonymous Coward · · Score: 5, Funny

    and help college students across America 'correct' their grades.

    Allah thanks you.

  3. How about.... by kisielk · · Score: 5, Funny

    You send me the code.. and I will "examine" it to see if it would be legal. I'll get back to you about it after next semester? :D

  4. but of course... by meshko · · Score: 4, Funny

    you go to slashdot and brag about it.

    --
    I passed the Turing test.
  5. $.02 by Alien+Being · · Score: 3, Funny

    Tell them that you know how to do it and refuse to give them the details unless they can provide you with federal, state and local documents guaranteeing that you, your friends, and your family will not be prosecuted now or in the future for any illegal activity relating to this exploit, exploits of other academic software, or exploits of any software relating to anyone who ever attended college or anyone who knows someone who attended college. Be sure to specify that Arab Americans cannot be excluded from these guarantees.

    Also demand that the school indemnify you against any civil actions. While you're at it, you might as well require a statement that no military action will be taken.

    Finally, offer them your consulting services at $500/hr, minimum 10 hours.

    Disclaimer: IANAL, BIPOOSD (but I play one on /.)

  6. Re:Anon by gfody · · Score: 5, Funny

    don't forget to include a hefty ransom, and instructions for where to leave the money in exchange for the "master" copy of the code. remember, no cops.

    --

    bite my glorious golden ass.
  7. YOU DON'T TELL ANYONE by Dragon218 · · Score: 3, Funny

    I need to pass this semester. Don't ruin this for me.

    --

    "It's the little touches that make a future solid enough to be destroyed" --William S. Burroughs
  8. Re:Anonymous WHAT ?!?! by MillionthMonkey · · Score: 5, Funny

    Living in a police state doesn't have to be oppressive- it can be fun-pressive!

    The Internet offers no anonymity. So just print out the code on a locally connected printer (not a network printer). Wait until nightfall, then go to a conspicuous area on campus that is free of security cameras. Buy a can of spray paint (NOT online- that would be stupid!) and spray the working exploit code onto a wall of a building.

    Be sure to provide comments and please make sure the code compiles before you spray it.

    Then go home and throw your computer into a vat of nitric acid. And that's that!

  9. Re:Give Yourself an A by shmert · · Score: 5, Funny

    No, give your arch nemesis an A+++ 150% average, then sit back and watch. Everything will sort itself out nicely.

    --
    You drank my drink, you drunk!
  10. Re:Give Yourself an A by Drakonian · · Score: 4, Funny

    A+++++++++! Superb student! Would teach again!!!!

    --
    Random is the New Order.
  11. Re:What's in it for me? by Stuart+Gibson · · Score: 4, Funny
    get assigned to find out for one of your papers. You've already done the work, so it should be an easy grade
    And if it isn't, well, you know what to do.

    Goblin
    --
    It's all fun and games until a 200' robot dinosaur shows up and trashes Neo-Tokyo... Again
  12. Re:Anonymous WHAT ?!?! by wirelessbuzzers · · Score: 3, Funny
    Dunno, source code to exploits can be pretty long. It would be embarrassing if:

    The grades system is insecure. I have a marvelous exploit of this, but this wall is too small to contain it.


    --
    I hereby place the above post in the public domain.
  13. Re:simple? by robi2106 · · Score: 3, Funny

    While mailing the letters, do not ever handle the paper with your skin exposed so there is no chance of your fingerprints or DNA being deposited on the envelopes.

    Don't use your handwriting. Use a widely available laser printer, and a toner cartridge bought in a different state than the University involved. Purchase the envelope, paper, and toner cartridge with cash only. Do not keep any receipts.

    Mail the letters from a public drop box where no ATMs, drive up windows, or gas stations are nearby so you don't accidentally get on a security camera. Mail the letters on a high volume day, preferably 4 days before a major holiday (Christmas, Easter, Mothers/Fathers Day, Valentines Day, Thanksgiving Day).

    In case a camera may catch you walking by (never drive to the mail box), buy large baggy clothes you don't normally wear (with cash of course) and a wig / facial hair for your trip to the mail box.

    Destroy the clothes either by burning them far out of town in a campfire (don't drive near the campfire, bury the ashes), or by throwing them away in separate dumpsters on separate days of the week, in separate towns (preferably towns that do not send their trash to the same landfill).

    If you take these precautions then you should be ok.

    That or just don't mail the notifications.

    robi