Disclosure of Major Software Exploits by Students?

school-hacker asks: "I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide. Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and -selftested proof-of-concept exploit code. Naturally, I want to share this information with their software engineers, and would even be nice enough and suggest a means to fixing it. However, with the state of current intellectual property and reverse-engineering laws, I hesitate to do so out of fear of litigation or academic disciplinary action. As an ethical geek, what do -you- do?" While the responses from an earlier story might prove useful, here, there is always the possibility of the university making things harder for the person reporting the problem. How can students avoid both legal and academic trouble, when trying to notify their university of security problems?

What to do

[tugfoigel]

You could always try approaching your advisor or some other trusted faculty member.

Re:What to do

[Phattypants]

Indeed, if you trust a faculty member implicitly you should approach them about it. Not just any faculty member now, go to one in the CS department or your equivalent. Another option would be to speak to someone who actually deals with campus network security, as they too will have a good deal of clout with the administration.

Take it from someone who has been a computer lab assistant, technician, and web developer successively (that'd be me). IT faculty are pretty receptive to this kind of thing.

Now if the key is to lucratively enjoy the fruits of your labour then you should take someone else's advice.

If you want to avoid getting into trouble...

[James+A.+A.+Joyce]

...anonymity is the key. My crystal ball (i.e. an application of Murphy's Law) states that if you try to formally inform the universities of the flaw, you'll get hushed up, blamed and generally blusted. Just write anonymous letters to the companies who develop the software and the universities about the problems. If they don't take action, then feel guiltfree about giving yourself arbitrary scores. Remember: if you don't get caught, it's not illegal.

Re:If you want to avoid getting into trouble...

[BJZQ8]

I used to work for a school district that had major security problems with its grading system. They would tape passwords to the bottom of their keyboards...and put files with lists of teacher passwords in a publically-accessible folder on the network. I attempted to tell my boss (who was getting paid $80,000 per year) about all of this, and was basically told it was not a big deal. I watched a student change his grade from D to B...and nobody ever knew. I told a few more people and was basically told to shut up...and I could feel their eyes turning to me as the problem. So I shut up...and it continues to this day. Just remember that with ultra-conservative computer administrative nazis, the nail that sticks up gets beat down.

Re:What's in it for me?

[at_kernel_99]

Goto a prof with your suspicions (but you don't know yet, how could you?) and get assigned to find out for one of your papers. You've already done the work, so it should be an easy grade.

Yeah, what he said. Do you have a prof that you respect & have a good relationship with? Hey, maybe thats a dumb question, but I went to a small school. Anyway, you can potentially turn it into a proof of knowledge in subject matter & get credit. Also, having a faculty member on your side should mitigate the potential downsides of the administration saying "and tell us again why you were hacking into the system in the first place?"

Suggestion #1

[sabNetwork]

You choose a different nickname from "school-hacker" :-)

Re:Give Yourself an A

[Johnny+Mnemonic]

Since you've done work for someone else--that they should be willing to pay for--I would argue that you should be compensated. However, I would also recommend legal counsel as to how you can present this offer without it sounding like extortion. And, even if you're willing to give it away, I would still seek said counsel--consider charging the application manufacturer only enough to cover your counsel.

I would watch it, because you could certainly get into legal trouble--I believe that the Russian hackers mentioned a while back only wanted to work in IT, but made clumsy attempts to break into the field. It's easy to take a genuine offer as an extortion, although I think by rights you are due compensation.

some advice whether you want it or not

[linuxislandsucks]

Here is some advice..

Remember you wil be dealign with two or three groups that have different motives for their existence; ie IT group of your college, college Management, and the software vendor...

You do not have enough power or pull to report this on your own and should not do so as it woudl put your college studies in danger, head this warning!

Waht you need to do is find a tenured CS faculty member that will be a guinea pig fro a blind computer experiment..blind in that he or she does not know ahead of time the directions you will be giving..

The directions must be in the form of question of:

Waht happens if I do this what will occur..in other worsd you are leading the faculty member on the trail of discovery..

Once they get to the end its is then their responsibility fo reporting the security hack and thus your college studies are protected..

If you want progress, release it.

[russotto]

If history is any guide: They aren't going to take you seriously unless you release a working exploit. If you tell 'em about it they'll just try to silence you with threats -- and then you can't choose anonymous release, because they'll go after you.

If you release the exploit anonymously, you'll get things fixed. If you release it with your name attached, you'll get things fixed and bring a shitstorm down on your head -- your choice if you want the notoriety and its consequences.

Re:Not willing to fight your own battles?

[reynaert]

And you'll wind up with a very freaked out administration. What you want to do is to bring the problem to the attention of one of the techies that run the system, they might react sanely.

What's even better is to send the developers an anonymous bug report (not from a university IP etc.), and, if they don't react, to BugTraq or another security list.

You might also want to wait until you're graduated :)

Talk to a Professor

[PseudononymousCoward]

Is there a professor that you know well enough to approach about this? I would tell them the facts and ask them what to do.

It is highly likely that they will be willing to approach the PTB about the issue--leaving you entirely out of it. At most universities, such a software vendor won't try to get your identity from a prof, they know where their bread is buttered.

If all else fails, drop me an email at roberts period six-two-eight period osu period edu. I'm a prof at Ohio State and I'll be happy to lend a hand.

Better than anonymous

[MalleusEBHC]

A lot of people here have advocated alerting people about this anonymously. Whether or not you feel this is the correct thing to do, consider including a PGP public key with whaterver submissions you turn over to relevant parties. This way, if it becomes advantageous at a later time to take credit for your actions, you can prove that you were the anonymous whistle-blower.

Re:Give Yourself an A

[reynaert]

Don't ever change your score, even if you give yourself a lower score, even if it's just for a demonstration. Any university will go berserk if a student does that, even if he acts in good faith.

Re:the Slashdot way

[reynaert]

Make sure you also send the mail to:
-Local/regional newspapers.
-The school/school council/principal/teachers/newspaper.
-Local government official(s).

Err, don't do that, unless as a last resort, if they don't fix the bug months after you've posted the exploit to bugtraq. You want them to fix the bug, not to sue you. Also remember you'll have to give up your anonimity before any of those three groups will listen to you.

Find a professor you trust...

[Goonie]

I am a postgraduate student (hopefully) not that far away from finishing. I have been a casual tutor for years at two different universities; I am also on the board of a university-affiliated institution (an "academic college"). I've been involved in some very nasty catfights, so I've been around the block.

If you decide to pursue the route of getting something done about it, I'd suggest:

• don't even discuss the idea of a quid pro quo, be it monetary or academic. It makes you sound like you're trying to blackmail your university or the companies involved. Unless that's what you want to do, of course...in which case I hope you enjoy a short and unsuccessful career as a criminal.
• Get somebody with muscle and who understands the situation on your side. A tenured academic who understands the technology and the geek ethic is ideal. If you don't know them directly, maybe a TA or another more advanced student that you do know directly will.
• They may want it solved on the quiet. Will you be prepared to accept that, or do you want glory?
• If it doesn't get solved, then you might consider taking it to the student paper. All journalists love a juicy story, and most student papers (if they've got enough editorial independance) love sticking it to the uni admins, so they are a good option. If that's not an option, there is the local media, but if it goes that far you really want help - you can never be sure which way a journo is going to spin a story, particularly one like this, and a professor sounds a whole lot more credible on TV than a scruffy college student. I know that's not fair, but that's the way it works.

What is the goal?

[lpret]

I would argue that there are several answers depending on the poster's goal. Is he interested in working for Blackboa...I mean, the software he is discussing (and/or any other company) and wanting to show his prowess? Or is it truly out of the kindness of his heart? Regardless, I would completely bypass the school. Contact the software company directly as they understand the issue better. It would be your luck that a random administrator at your school would hear about this and label you a h4x0r and a menace to society -- remember that people hate what they cannot understand.

Re:What is the goal?

[Czyl]

I concur wholeheartedly with the parent and caution you to be extremely cautious in going about this correctly. I work as a student lawyer of sorts at a major US university and defend students involved in disciplinary/judicial incidents with the university. Last year I represented a student who was ultimately expelled for exploring (not exploiting) severe security vulnerabilities on a campus library network with an eye to pointing out to someone higher-up that the school had massive holes in its architecture. Bureaucratic admins and faculty are hard-pressed to understand that the way to check system security is to carry out the same probes a h4xj0r would. My recommendations: 1) Cover your back. Document what you are doing and notify someone you trust (a faculty member in the CS department would be great) about your plans and benign intentions. 2) Contact the -company-, not the school, and notify them that you'll be issuing the exploit to BugTraq within a set time frame if the bug isn't corrected. Don't let your school even find out about this if you can help it. No need to be anonymous when contacting the company. They oughta thank you, really. 3) Publish the exploit on Slashdot unless the company specifically tells you why they cannot correct the problem during the set time frame. You don't even need to be anonymous. Legal action against security whistleblowers ought to be illegal, but at least here /.ers will die by the hundreds to defend you.

DO NOTHING

[YetAnotherName]

With the current political climate, your best bet is to do absolutely nothing. People are arrested for expressing opinions, others are denied due process for free speech, and still others are deemed terrorists for even the slightest questioning of a government's actions. Corporations mandate what can and cannot be done and are happily funded by a more sheepish and numbed people, armed with a more sheepish and willing set of so-called representatives.

Do nothing. Sure, you can pat yourself on the back for your ingenuity, but file your discoveries away in your mind. The world cannot tolerate them now.

Sad. But true.

Re:Give Yourself an A

[bigsteve@dstc]

Don't attempt to obtain compensation!

• As the previous poster said, an attempt to solicit compensation from the software vendor for "work done" could constitute attempted extortion, and as such could be illegal.
• Even if you do this in a legal way, you stand a good chance of being portrayed in the media as an evil money grubbing bastard.
• If you get branded as evil, other people who are looking for a exploits as a genuine public service will also tend to be "tarred with the same brush". That is likely to put them off doing this important work, which would be a BAD THING!!

If you are nervous about the whole position, your best bet is to inform your school. (Do it in such a way that you don't give them any evidence they could use against you until you know that they will treat you fairly.)

Your school has a vested interest in not having students hack the marking software they use. They won't want their grading schemes to be publicly called into question. They should also have the resources to deal with the question. If they decide to ignore the issue, they may get into legal trouble later on when they are sued by ex-students whose degrees have been "devalued".

Re:This is what I did when it happened to me

[Stephen+Samuel]

In a different situation in high school, I wrote a lot of code for my school, it was supposed to be a system where teachers and parents could view students grades and such securely... the school ended up expelling me for not going to detentions (I was working as a developer after school for a firm down here in FL). Every bit of code was encrypted with GnuPG so they didn't get one bit out of me.

Doing good coding can get you some nice job references (as per your teacher at University), and some good friends down the line, but it doesn't excuse you from the rules per detention, etc. (what the detention was about is a different issue, so I just won't go there).

Encrypting the code is, at best, bad karma. It could come back to haunt you years down the road when an important contract is nixed because a friend of a friend remembers what you did way back when. Relationships are one of the most important things we have in life, and when you burn enough bridges life just gets less and less pleasant. I'm sometimes shocked by where the contacts I've built up over the years have taken me.

BTW: If you were actually paid to develop that school code that you encrypted, my guess is that the only reason they didn't sue your ass of is that you didn't have any money in your pants.