Slashdot Mirror


Disclosure of Major Software Exploits by Students?

school-hacker asks: "I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide. Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and self-tested proof-of-concept exploit code. Naturally, I want to share this information with their software engineers, and would even be nice enough to suggest a means of fixing it. However, with the state of current intellectual property and reverse-engineering laws, I hesitate to do so out of fear of litigation or academic disciplinary action. As an ethical geek, what do -you- do?" While the responses from an earlier story might prove useful here, there is always the possibility of the university making things harder for the person reporting the problem. How can students avoid both legal and academic trouble when trying to notify their university of security problems?

4 of 503 comments

  1. Blackboard by zerocool^ · · Score: 5, Informative

    This probably has to do with "blackboard" software, i.e. learn.vt.edu.

    This software tries to be everything to everyone, and all most teachers use it for is posting grades.

    It doesn't surprise me that there are bugs in it, though. There have been several show up on astalavista.box.sk, and those were fixed, but the design of the program doesn't strike me as being particularly sound.

    ~Will

    --
    sig?
  2. Re:the Slashdot way by The+Old+Burke · · Score: 5, Informative
    Or use husmail.com
    Send the mail with exploit to abuse/contact/CEO@companywithexploit.com
    Tell them that you will release the exploit within 30/60/90 days on Bugtraq, Freenet and Slashdot unless they fix it.

    Make sure you also send the mail to:
    -Local/regional newspapers.
    -The school/school council/principal/teachers/newspaper.
    -Local government official(s).

    If they don't fix the shit after this, release the exploit *anonymously*.

    --
    Proud patriot and republican voter.
  3. blackboard? not necessarily.. by Mobster75 · · Score: 5, Informative

    Sure, it's probably Blackboard which most colleges use, but if it's not Bb, it could also be Banner by SCT which plenty of schools also use.

    Compromising Banner is far more dangerous than Blackboard (Bb).... Most schools that use Banner use it as their student management system, which records official transcript, program requirements met, class registration, etc. etc.

    In my last undergrad semester, my team developed a website that interfaced directly w/ the Banner system and even found some loopholes in it which we exploited to allow our website to do a better job at calculating program requirements met and suggested offerings to complete it. (This was for an Advanced Software Project Mgmt class)

    Needless to say, the Registrar's office people were very intrigued by our exploration into the limits of the current system. I imagine a less cooperative school administration would be more punitive. (But I went to a business school, so they know we just get motivated by $$ ;) )

  4. Contact Me by jsnider · · Score: 5, Informative

    I'm making the assumption that the software you found a problem in is Blackboard. I apologize if that is not the case; however, I would still be happy to take your discovery to the vendors of whatever software it is on your behalf.

    I work for a major university as the Blackboard programmer/administrator. I've been working on the Blackboard code for years, making substantial modifications to the Bb system to suit our university. I've found my share of bugs, problems, and more than one gaping hole. Blackboard is riddled with XSS, input validation, SQL insertion, replay, predictable sequences, and I'm sure countless other vulnerabilities. Quite frankly I'm amazed at how few breaches I hear about.

    I think you're right to be careful, but try not to get carried away. At least in our department, we're eager to hear about problems and fix them. We're not interested in ruining someone's college education. However, you should be careful about who you contact. At our university, the usual IT people are paranoid. You need to get as close to the people who deal with Bb as you possibly can. Contacting a suit in upper IT would likely get you the slapdown. Start lower. You're looking for the geeky programmer who deals with Bb all day long and would drop everything they are doing to fix a hole in their system.

    If you are not comfortable contacting representatives at your university, feel free to contact me about your discovery. This sort of stuff is what I do, and besides, I'm already on Blackboard's shit list. I have another issue to report to Bb (the aforementioned gaping hole), and I'd be happy to send your information along with it, with or without your name. jeff (somewhere near) jsnider.net
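Editor's added illustration of two of the bug classes the comment above names (SQL insertion and missing input validation) in the setting the question describes, where a student ends up able to write their own score. This is constructed example code, not Blackboard's, Banner's, or any poster's code, and the table, handler names (`submit_vulnerable`, `submit_safe`) and payload are all made up for the demonstration: a student is legitimately allowed to update the note on their own submission, but the injectable handler splices that note into the UPDATE statement, so a crafted note appends `score = 100` and rewrites the WHERE clause.

```python
"""Hypothetical grade-book submission handler, shown injectable and then
parameterized. Constructed for illustration: not Blackboard's, Banner's, or
the poster's code, and the rows below are made up."""
import re
import sqlite3

# Constructed attacker input: closes the note string, adds a SET clause for the
# score column, pins the WHERE to the attacker's own rows, and comments out the
# handler's real WHERE clause.
PAYLOAD = "late', score = 100 WHERE student = 'alice' --"


def make_gradebook():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE grades (student TEXT, assignment TEXT, score INTEGER, note TEXT)"
    )
    conn.executemany(
        "INSERT INTO grades VALUES (?, ?, ?, '')",
        [("alice", "hw1", 70), ("alice", "hw2", 60),
         ("bob", "hw1", 85), ("bob", "hw2", 90)],
    )
    conn.commit()
    return conn


def submit_vulnerable(conn, student, assignment, note):
    """Student updates the note on their own submission. The note is spliced
    into the SQL text, so a crafted note rewrites the whole statement."""
    sql = (f"UPDATE grades SET note = '{note}' "
           f"WHERE student = '{student}' AND assignment = '{assignment}'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # should be 1; the payload touches every row of the attacker


def submit_safe(conn, student, assignment, note):
    """Same operation with input validation and bound parameters: the note is
    stored verbatim and can never become part of the statement."""
    ident = re.compile(r"[a-z0-9_]{1,32}")
    if not ident.fullmatch(student) or not ident.fullmatch(assignment):
        raise ValueError("bad identifier")
    if len(note) > 500:
        raise ValueError("note too long")
    cur = conn.execute(
        "UPDATE grades SET note = ? WHERE student = ? AND assignment = ?",
        (note, student, assignment),
    )
    conn.commit()
    return cur.rowcount


def scores(conn, student):
    """Assignment -> score map for one student (parameterized lookup)."""
    rows = conn.execute(
        "SELECT assignment, score FROM grades WHERE student = ? ORDER BY assignment",
        (student,),
    ).fetchall()
    return dict(rows)


def stored_note(conn, student, assignment):
    """The note column as actually stored, to show the safe path keeps it literal."""
    row = conn.execute(
        "SELECT note FROM grades WHERE student = ? AND assignment = ?",
        (student, assignment),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the payload through both handlers and report what each one did."""
    vuln = make_gradebook()
    touched_v = submit_vulnerable(vuln, "alice", "hw1", PAYLOAD)
    safe = make_gradebook()
    touched_s = submit_safe(safe, "alice", "hw1", PAYLOAD)
    return {
        "vulnerable": {"rows": touched_v, "alice": scores(vuln, "alice"),
                       "bob": scores(vuln, "bob")},
        "safe": {"rows": touched_s, "alice": scores(safe, "alice"),
                 "note": stored_note(safe, "alice", "hw1")},
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

Against the injectable handler the payload sets both of alice's scores to 100 while bob is untouched; against the parameterized one the same string lands in the note column unchanged and the scores stay as they were. The validation on the identifiers is belt-and-braces: the parameter binding alone already stops the injection, but rejecting anything that is not a plain identifier keeps odd input from reaching later code paths that might build strings themselves.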