Slashdot Mirror


Disclosure of Major Software Exploits by Students?

school-hacker asks: "I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide. Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and self-tested proof-of-concept exploit code. Naturally, I want to share this information with their software engineers, and would even be nice enough to suggest a means of fixing it. However, with the state of current intellectual property and reverse-engineering laws, I hesitate to do so out of fear of litigation or academic disciplinary action. As an ethical geek, what do -you- do?" While the responses from an earlier story might prove useful here, there is always the possibility of the university making things harder for the person reporting the problem. How can students avoid both legal and academic trouble when trying to notify their university of security problems?

36 of 503 comments

  1. like the big boys by Anonymous Coward · · Score: 2, Insightful

    duh : anonymous email with a threat to go public.

    Like the big boys do it.

  2. What to do by tugfoigel · · Score: 4, Insightful

    You could always try approaching your advisor or some other trusted faculty member.

    1. Re:What to do by Phattypants · · Score: 3, Insightful

      Indeed, if you trust a faculty member implicitly you should approach them about it. Not just any faculty member now, go to one in the CS department or your equivalent. Another option would be to speak to someone who actually deals with campus network security, as they too will have a good deal of clout with the administration.

      Take it from someone who has been a computer lab assistant, technician, and web developer successively (that'd be me). IT faculty are pretty receptive to this kind of thing.

      Now if the key is to lucratively enjoy the fruits of your labour then you should take someone else's advice.

  3. If you want to avoid getting into trouble... by James+A.+A.+Joyce · · Score: 3, Insightful

    ...anonymity is the key. My crystal ball (i.e. an application of Murphy's Law) states that if you try to formally inform the universities of the flaw, you'll get hushed up, blamed and generally blusted. Just write anonymous letters to the companies who develop the software and the universities about the problems. If they don't take action, then feel guilt-free about giving yourself arbitrary scores. Remember: if you don't get caught, it's not illegal.

    1. Re:If you want to avoid getting into trouble... by BJZQ8 · · Score: 4, Insightful

      I used to work for a school district that had major security problems with its grading system. They would tape passwords to the bottom of their keyboards...and put files with lists of teacher passwords in a publicly-accessible folder on the network. I attempted to tell my boss (who was getting paid $80,000 per year) about all of this, and was basically told it was not a big deal. I watched a student change his grade from D to B...and nobody ever knew. I told a few more people and was basically told to shut up...and I could feel their eyes turning to me as the problem. So I shut up...and it continues to this day. Just remember that with ultra-conservative computer administrative nazis, the nail that sticks up gets beat down.

  4. Unfortunately by interiot · · Score: 2, Insightful

    Unfortunately the law is set up so that you're nearly as likely to get in trouble for reporting a problem as you are using it for personal gain, so from a cost-benefit perspective, one might argue that it's better to keep the secret for your own uses.

  5. Re:What's in it for me? by at_kernel_99 · · Score: 3, Insightful

    Go to a prof with your suspicions (but you don't know yet, how could you?) and get assigned to find out for one of your papers. You've already done the work, so it should be an easy grade.

    Yeah, what he said. Do you have a prof that you respect & have a good relationship with? Hey, maybe that's a dumb question, but I went to a small school. Anyway, you can potentially turn it into a proof of knowledge in subject matter & get credit. Also, having a faculty member on your side should mitigate the potential downsides of the administration saying "and tell us again why you were hacking into the system in the first place?"

  6. Suggestion #1 by sabNetwork · · Score: 4, Insightful

    You choose a different nickname from "school-hacker" :-)

  7. Re:Give Yourself an A by Johnny+Mnemonic · · Score: 4, Insightful


    Since you've done work for someone else--that they should be willing to pay for--I would argue that you should be compensated. However, I would also recommend legal counsel as to how you can present this offer without it sounding like extortion. And, even if you're willing to give it away, I would still seek said counsel--consider charging the application manufacturer only enough to cover your counsel.

    I would watch it, because you could certainly get into legal trouble--I believe that the Russian hackers mentioned a while back only wanted to work in IT, but made clumsy attempts to break into the field. It's easy to take a genuine offer as an extortion, although I think by rights you are due compensation.

    --
    $tar -xvf .sig.tar
  8. Good deeds don't go unpunished by Strych9 · · Score: 2, Insightful

    As much as I would love to say go tell someone and show that there is a fault, just the fact that you know about it might implicate you and make any of your marks suspect. University bureaucracies are known for making stupid decisions.

    If you can send something anonymously then I think you have done what you can.
    Don't jeopardize your future over a good deed.

    Also: what do you have to gain, aside from some kudos? You have far more to lose if someone takes what you do the wrong way.

    Remember: Good deeds don't go unpunished.

  9. How about... by softspokenrevolution · · Score: 2, Insightful

    You could always pull a frame-up and have it look like a group of students pulled off the exploit. Or find someone that you really don't like, who doesn't like you, drop down your grades and accuse them of tampering with them.

    In all seriousness we live in such a paranoid culture that there isn't really a right answer that anyone can give you. It's nice to see that someone out in America has a conscience but my paranoid mind is telling me that if a student came over and told me that there were exploits in the software, I would begin thinking that he might have done something about it. You might just try an anonymous note to the people in charge of the program.

  10. some advice whether you want it or not by linuxislandsucks · · Score: 4, Insightful

    Here is some advice..

    Remember you will be dealing with two or three groups that have different motives for their existence; i.e. the IT group of your college, college management, and the software vendor...

    You do not have enough power or pull to report this on your own and should not do so as it would put your college studies in danger; heed this warning!

    What you need to do is find a tenured CS faculty member that will be a guinea pig for a blind computer experiment..blind in that he or she does not know ahead of time the directions you will be giving..

    The directions must be in the form of a question of:

    What happens if I do this, what will occur..in other words you are leading the faculty member on the trail of discovery..

    Once they get to the end it is then their responsibility for reporting the security hack and thus your college studies are protected..

    --
    Don't Tread on OpenSource
  11. If you want progress, release it. by russotto · · Score: 3, Insightful

    If history is any guide: They aren't going to take you seriously unless you release a working exploit. If you tell 'em about it they'll just try to silence you with threats -- and then you can't choose anonymous release, because they'll go after you.

    If you release the exploit anonymously, you'll get things fixed. If you release it with your name attached, you'll get things fixed and bring a shitstorm down on your head -- your choice if you want the notoriety and its consequences.

  12. If past experiences have taught us nothing.. by Ryan+Amos · · Score: 2, Insightful

    You should forget about the whole thing. There is no good that can come of this. I understand wanting to be a good samaritan and all, but some people just don't take kindly to that. Considering the risks here (if the company gets pissed off at you, you end up with a computer crimes charge on your record and are basically blacklisted from the industry) I'd say you should delete any copies of any proof-of-concept code you have and forget about the whole thing. Either that or sell it to a fraternity or the football/basketball program at your school.. I'm sure they'd LOVE to get their hands on something like that.

  13. if blackboard by ramzak2k · · Score: 2, Insightful

    If it is about this Blackboard software portal then it is a significant finding. The code is Java based and I haven't come across a lot of exploits for Java based architectures.

    --

    Siggy Say, Siggy Do
  14. Re:Not willing to fight your own battles? by reynaert · · Score: 5, Insightful

    And you'll wind up with a very freaked out administration. What you want to do is to bring the problem to the attention of one of the techies that run the system, they might react sanely.

    What's even better is to send the developers an anonymous bug report (not from a university IP etc.), and, if they don't react, to BugTraq or another security list.

    You might also want to wait until you're graduated :)

  15. Talk to a Professor by PseudononymousCoward · · Score: 5, Insightful

    Is there a professor that you know well enough to approach about this? I would tell them the facts and ask them what to do.

    It is highly likely that they will be willing to approach the PTB about the issue--leaving you entirely out of it. At most universities, such a software vendor won't try to get your identity from a prof, they know where their bread is buttered.

    If all else fails, drop me an email at roberts period six-two-eight period osu period edu. I'm a prof at Ohio State and I'll be happy to lend a hand.

  16. Anonymous WHAT ?!?! by Archfeld · · Score: 2, Insightful

    Have you NOT figured it out yet...THERE IS NO ANONYMOUS on the net...sorry guys, I assure you SOMEONE has logs, your ISP the border routers along the way, If someone, say the government or a deep pockets corp wants that, they will pull an RIAA and get it...If you want to REALLY be anonymous go to the library, use a type writer, send a snail mail from another zip code and DON'T go into the post office to do it...otherwise just get a business license and approach them as a LICENSED contractor with a proposal at the business level...or just watch it all FALL TO PIECES...

    Remember even LAME infant like encryption is now a federally protected item :( Thanks DMCA, brought to you by the US Gestapo, protecting our homeland from ourselves...

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  17. Better than anonymous by MalleusEBHC · · Score: 4, Insightful

    A lot of people here have advocated alerting people about this anonymously. Whether or not you feel this is the correct thing to do, consider including a PGP public key with whatever submissions you turn over to relevant parties. This way, if it becomes advantageous at a later time to take credit for your actions, you can prove that you were the anonymous whistle-blower.
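    The key-in-the-report idea above, worked through as an added example that is not part of the original thread: the anonymous report carries a public key, and whoever later wants to claim authorship signs a verifier-chosen challenge with the matching private key. The example substitutes Go's standard-library Ed25519 for PGP (the mechanism is the same; only the key format differs), and the `X-Reporter-Public-Key:` header line and the report body are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ReportKeyHeader is an assumed line format for embedding the key in the
// report text; the thread only says "include a PGP public key".
const ReportKeyHeader = "X-Reporter-Public-Key: "

// GenerateReporterKey creates the key pair the reporter keeps private.
// Only the public half ever leaves the reporter's hands.
func GenerateReporterKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildReport prepends the public key to the report body, so the recipient's
// own copy of the report is the record of which key was committed to.
func BuildReport(body string, pub ed25519.PublicKey) string {
	return ReportKeyHeader + hex.EncodeToString(pub) + "\n\n" + body
}

// PublicKeyFromReport recovers the key the report was filed with.
func PublicKeyFromReport(report string) (ed25519.PublicKey, error) {
	for _, line := range strings.Split(report, "\n") {
		if !strings.HasPrefix(line, ReportKeyHeader) {
			continue
		}
		raw, err := hex.DecodeString(strings.TrimSpace(strings.TrimPrefix(line, ReportKeyHeader)))
		if err != nil {
			return nil, err
		}
		if len(raw) != ed25519.PublicKeySize {
			return nil, errors.New("embedded key has wrong length")
		}
		return ed25519.PublicKey(raw), nil
	}
	return nil, errors.New("report carries no public key")
}

// challengeBytes binds a signature to one specific report and one fresh nonce,
// so a signature produced for one claim cannot be replayed for another.
func challengeBytes(report string, nonce []byte) []byte {
	return append([]byte("authorship-claim\x00"+report+"\x00"), nonce...)
}

// ClaimAuthorship is run later by the reporter: sign the verifier's nonce
// together with the report, proving possession of the private key.
func ClaimAuthorship(priv ed25519.PrivateKey, report string, nonce []byte) []byte {
	return ed25519.Sign(priv, challengeBytes(report, nonce))
}

// VerifyAuthorshipClaim is run by the recipient: check the signature against
// the key that was embedded in the report when it was first received.
func VerifyAuthorshipClaim(report string, nonce []byte, sig []byte) bool {
	pub, err := PublicKeyFromReport(report)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, challengeBytes(report, nonce), sig)
}

func main() {
	pub, priv, err := GenerateReporterKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample body; a real report would describe the actual finding.
	report := BuildReport("Sample finding: score updates are accepted without checking who submitted them.", pub)

	// Later: the verifier picks a fresh nonce, the claimant signs it.
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	sig := ClaimAuthorship(priv, report, nonce)
	fmt.Println("genuine claim verifies:", VerifyAuthorshipClaim(report, nonce, sig))

	// Someone without the private key cannot make the claim.
	_, impostor, _ := GenerateReporterKey()
	fmt.Println("impostor claim verifies:", VerifyAuthorshipClaim(report, nonce, ClaimAuthorship(impostor, report, nonce)))
}
```

    The recipient should keep the report exactly as received, since the embedded key is what the later proof is checked against; and the nonce must be chosen by the verifier at claim time, otherwise a signature captured once could be replayed by anyone.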

  18. Re:Give Yourself an A by reynaert · · Score: 5, Insightful

    Don't ever change your score, even if you give yourself a lower score, even if it's just for a demonstration. Any university will go berserk if a student does that, even if he acts in good faith.

  19. Re:the Slashdot way by reynaert · · Score: 4, Insightful

    Make sure you also send the mail to:
    -Local/regional newspapers.
    -The school/school council/principal/teachers/newspaper.
    -Local government official(s).
    Err, don't do that, unless as a last resort, if they don't fix the bug months after you've posted the exploit to bugtraq. You want them to fix the bug, not to sue you. Also remember you'll have to give up your anonymity before any of those three groups will listen to you.
  20. Find a professor you trust... by Goonie · · Score: 5, Insightful

    I am a postgraduate student (hopefully) not that far away from finishing. I have been a casual tutor for years at two different universities; I am also on the board of a university-affiliated institution (an "academic college"). I've been involved in some very nasty catfights, so I've been around the block.

    If you decide to pursue the route of getting something done about it, I'd suggest:

    • don't even discuss the idea of a quid pro quo, be it monetary or academic. It makes you sound like you're trying to blackmail your university or the companies involved. Unless that's what you want to do, of course...in which case I hope you enjoy a short and unsuccessful career as a criminal.
    • Get somebody with muscle and who understands the situation on your side. A tenured academic who understands the technology and the geek ethic is ideal. If you don't know them directly, maybe a TA or another more advanced student that you do know directly will.
    • They may want it solved on the quiet. Will you be prepared to accept that, or do you want glory?
    • If it doesn't get solved, then you might consider taking it to the student paper. All journalists love a juicy story, and most student papers (if they've got enough editorial independence) love sticking it to the uni admins, so they are a good option. If that's not an option, there is the local media, but if it goes that far you really want help - you can never be sure which way a journo is going to spin a story, particularly one like this, and a professor sounds a whole lot more credible on TV than a scruffy college student. I know that's not fair, but that's the way it works.
    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
  21. Use a library terminal by Whomever · · Score: 2, Insightful

    If you're worried about repercussions, then use a public library terminal and a new hotmail type free mail account. Most public libraries intentionally do not keep traffic logs these days anyway (because of the privacy issues involved with turning over those logs if they are subpoenaed).

    But, I'm a security admin at a university... I occasionally have students bring vulnerabilities to me. Often I already know about it, but I still welcome the input and am thankful for the extra eyes watching the network. I've just got too many nodes to keep up with to catch every computer.

    --


    ----------
    perl -e 'print(pack("H*","646176652e7761676e657240676d61696c2e636f6d0a"));'
  22. What is the goal? by lpret · · Score: 4, Insightful

    I would argue that there are several answers depending on the poster's goal. Is he interested in working for Blackboa...I mean, the software he is discussing (and/or any other company) and wanting to show his prowess? Or is it truly out of the kindness of his heart? Regardless, I would completely bypass the school. Contact the software company directly as they understand the issue better. It would be your luck that a random administrator at your school would hear about this and label you a h4x0r and a menace to society -- remember that people hate what they cannot understand.

    --
    This is my digital signature. 10011011001
    1. Re:What is the goal? by Czyl · · Score: 5, Insightful

      I concur wholeheartedly with the parent and caution you to be extremely cautious in going about this correctly. I work as a student lawyer of sorts at a major US university and defend students involved in disciplinary/judicial incidents with the university. Last year I represented a student who was ultimately expelled for exploring (not exploiting) severe security vulnerabilities on a campus library network with an eye to pointing out to someone higher-up that the school had massive holes in its architecture. Bureaucratic admins and faculty are hard-pressed to understand that the way to check system security is to carry out the same probes a h4xj0r would. My recommendations: 1) Cover your back. Document what you are doing and notify someone you trust (a faculty member in the CS department would be great) about your plans and benign intentions. 2) Contact the -company-, not the school, and notify them that you'll be issuing the exploit to BugTraq within a set time frame if the bug isn't corrected. Don't let your school even find out about this if you can help it. No need to be anonymous when contacting the company. They oughta thank you, really. 3) Publish the exploit on Slashdot unless the company specifically tells you why they cannot correct the problem during the set time frame. You don't even need to be anonymous. Legal action against security whistleblowers ought to be illegal, but at least here /.ers will die by the hundreds to defend you.

  23. DO NOTHING by YetAnotherName · · Score: 5, Insightful

    With the current political climate, your best bet is to do absolutely nothing. People are arrested for expressing opinions, others are denied due process for free speech, and still others are deemed terrorists for even the slightest questioning of a government's actions. Corporations mandate what can and cannot be done and are happily funded by a more sheepish and numbed people, armed with a more sheepish and willing set of so-called representatives.

    Do nothing. Sure, you can pat yourself on the back for your ingenuity, but file your discoveries away in your mind. The world cannot tolerate them now.

    Sad. But true.

  24. Re:Give Yourself an A by bigsteve@dstc · · Score: 4, Insightful
    Don't attempt to obtain compensation!
    • As the previous poster said, an attempt to solicit compensation from the software vendor for "work done" could constitute attempted extortion, and as such could be illegal.
    • Even if you do this in a legal way, you stand a good chance of being portrayed in the media as an evil money grubbing bastard.
    • If you get branded as evil, other people who are looking for a exploits as a genuine public service will also tend to be "tarred with the same brush". That is likely to put them off doing this important work, which would be a BAD THING!!
    If you are nervous about the whole position, your best bet is to inform your school. (Do it in such a way that you don't give them any evidence they could use against you until you know that they will treat you fairly.)

    Your school has a vested interest in not having students hack the marking software they use. They won't want their grading schemes to be publicly called into question. They should also have the resources to deal with the question. If they decide to ignore the issue, they may get into legal trouble later on when they are sued by ex-students whose degrees have been "devalued".

  25. As a student....this is a really simple case. by gte910h · · Score: 2, Insightful

    You don't report this. Simply you don't. You are too vulnerable.

    After you graduate, if you want to report it, send hard copy source listings to admins of the system at the college, the company that runs the software, and several professors in the technical areas of your college. You then forget this and don't ever think of it again.

    Destroy the computer, the hard drive, and the printout you had was created on. This is so you cannot be determined to have cheated at your degree if you ever DID get "located".

    I suggest wiping it with the software that PGP comes with, then taking a road trip to celebrate graduation to a couple states away. If you're in California, visit Iowa. If you're in New York, I would have to say GA is nice in May. Leave it in a dumpster somewhere mixed in with nothing else of yours.

    I think in 10 years there will be a system of computer ethics, or a government board that you can report this stuff to with a condition of amnesty. It's all too new to too many people for that to work right now, so you just have to practice silence.

    --
    Want to see every step I took to start my company? http://www.rowdylabs.com/blogs/pitchtothegods
  26. Re:This is what I did when it happened to me by Stephen+Samuel · · Score: 4, Insightful
    In a different situation in high school, I wrote a lot of code for my school, it was supposed to be a system where teachers and parents could view students grades and such securely... the school ended up expelling me for not going to detentions (I was working as a developer after school for a firm down here in FL). Every bit of code was encrypted with GnuPG so they didn't get one bit out of me.

    Doing good coding can get you some nice job references (as per your teacher at University), and some good friends down the line, but it doesn't excuse you from the rules per detention, etc. (what the detention was about is a different issue, so I just won't go there).

    Encrypting the code is, at best, bad karma. It could come back to haunt you years down the road when an important contract is nixed because a friend of a friend remembers what you did way back when. Relationships are one of the most important things we have in life, and when you burn enough bridges life just gets less and less pleasant. I'm sometimes shocked by where the contacts I've built up over the years have taken me.

    BTW: If you were actually paid to develop that school code that you encrypted, my guess is that the only reason they didn't sue your ass off is that you didn't have any money in your pants.

    --
    Free Software: Like love, it grows best when given away.
  27. Re:Its called Full Disclosure... by bmajik · · Score: 2, Insightful

    Your assessment of Microsoft's interest in security is not accurate. Full disclosure did not cause microsoft to give a damn about security. Security became important at MS when customers started saying "we care about security, your shit sucks, we're not buying it anymore". MS doesn't give a damn about a bunch of egotistical self-serving "researchers" that are looking to sell their name as a brand and shop around for consulting dollars. Security is a priority now at MS because customers have finally said that they want it, and are willing to pay for it. It's that simple.

    MS doesn't as a general rule try and make poor software. It doesn't try to make insecure systems. I'm sure MS loses more sleep and money over its security problems than you do. When you own 50 million lines of the world's most widely deployed code and never have to issue a security patch, I'm sure MS will pay you whatever amount of money you can think of to tell them how to do it.

    Incidentally, the ideal system from MS' point of view is staggered disclosure -- exactly what you describe.

    Even people on full disclosure lists are starting to play along with this and realize that releasing exploit code without giving vendors and more importantly people running the affected systems time to patch first is doing the entire internet a huge disservice. It simply isn't responsible, and people making this an emotional or idealistic issue rather than a pragmatic one are the sort of "security people" that i hope eventually fade away...

    --
    My opinions are my own, and do not necessarily represent those of my employer.
  28. Re:the Slashdot way by No+Such+Agency · · Score: 2, Insightful

    Sending notice to third parties is INSURANCE. What local paper wouldn't love a feature story about the local school screwing over a smart, observant student who was only trying to help them? Sure beats covering the local dog show... again. This goes double for the STUDENT paper.

    --
    Freedom: "I won't!"
  29. Re:the Slashdot way by adrianbaugh · · Score: 2, Insightful

    The traditional reason for not listening to anonymous sources has been that they tend to be unreliable; however, if you provide a working exploit when you write to the school, press and/or officials they will have no reason to doubt the veracity of your claims. They might doubt your motives, but that's a different matter - if there's something broken and it's been proved to them, then regardless of the source they may wish to pursue the matter.

    --
    "'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
    - JRR Tolkien.
  30. Re:This is what I did when it happened to me by Anonymous Coward · · Score: 1, Insightful

    Well, you can tell he never took French, or it would be voila, as you have pointed out. You can also tell that the original poster is a pile of shit who I would never want to work with. He might have some coding skill, but he has no business sense or ethics. Basically he is a failure at life, and is a load that should have been swallowed.

  31. Law School. by Irvu · · Score: 2, Insightful

    If your College/University has a law school then you might be able to look there for advice. If the university has such a school then it is possible that they may have one or two professors who can advise you in this matter. Unlike the School's Legal staff they are not bound to protect the school in the same way.

    I would still be wary when approaching them, you don't want one of them to cause trouble any more than any other. But it might be a good direction to turn.

  32. I've been in there.. by teval · · Score: 2, Insightful

    I've been in the same situation before.
    My school used to use RM (a supposedly security enhancing program) to keep people from using too much space and running every program they wanted to.
    I found several very critical bugs in it, that allowed me to do anything, change people's settings to browse and change things on the server. I told my comp. sci. teacher (this was highschool) and after hefty explaining, he watched over my shoulder as I proved it. With a little more tinkering I found other ways of getting in, and ultimately changing everything from schedules to marks. Most teachers understood and trusted me not to share this, and I didn't until they switched their systems.

    Except for one teacher.. who tried to get me kicked out. She is a comp. sci. teacher, though she has no clue what's going on. Started to accuse me of stealing, and of messing with the system. Thankfully nothing happened, because most other teachers knew me. School approached me and asked me what to use, I said use Linux, it's free, and waaay more secure than all this.

    They ended up using WindowsXP (and depleting most of the comp. sci. budget), with an addon called Visual Castle. Well.. I've found several bugs in it again, and I can see marks and change anything I want. I haven't.. and never intend to do so, and don't intend to tell anyone I can do this.

    My suggestion? Clear your hands of it all, and forget about it. Not worth losing your future over this; whatever they change probably won't make much of a difference. There is always another bug, or misconfiguration lurking.

  33. Timely news from El Reg by symbolset · · Score: 2, Insightful

    This story from The Register records what can go awry with a plan to inform someone of their security weaknesses.
    The short of it: The lad's served his 18 months and is appealing to rescue his reputation.
    Be Careful.

    --
    Help stamp out iliturcy.