Slashdot Mirror


Disclosure of Major Software Exploits by Students?

school-hacker asks: "I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide. Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and self-tested proof-of-concept exploit code. Naturally, I want to share this information with their software engineers, and would even be nice enough to suggest a means of fixing it. However, with the state of current intellectual property and reverse-engineering laws, I hesitate to do so out of fear of litigation or academic disciplinary action. As an ethical geek, what do -you- do?" While the responses from an earlier story might prove useful here, there is always the possibility of the university making things harder for the person reporting the problem. How can students avoid both legal and academic trouble when trying to notify their university of security problems?

6 of 503 comments

  1. Re:Not willing to fight your own battles? by reynaert · Score: 5, Insightful

    And you'll wind up with a very freaked out administration. What you want to do is to bring the problem to the attention of one of the techies that run the system; they might react sanely.

    What's even better is to send the developers an anonymous bug report (not from a university IP etc.), and, if they don't react, to BugTraq or another security list.

    You might also want to wait until you're graduated :)

  2. Talk to a Professor by PseudononymousCoward · Score: 5, Insightful

    Is there a professor that you know well enough to approach about this? I would tell them the facts and ask them what to do.

    It is highly likely that they will be willing to approach the PTB about the issue--leaving you entirely out of it. At most universities, such a software vendor won't try to get your identity from a prof; they know where their bread is buttered.

    If all else fails, drop me an email at roberts period six-two-eight period osu period edu. I'm a prof at Ohio State and I'll be happy to lend a hand.

  3. Re:Give Yourself an A by reynaert · Score: 5, Insightful

    Don't ever change your score, even if you give yourself a lower score, even if it's just for a demonstration. Any university will go berserk if a student does that, even if he acts in good faith.

  4. Find a professor you trust... by Goonie · Score: 5, Insightful

    I am a postgraduate student (hopefully) not that far away from finishing. I have been a casual tutor for years at two different universities; I am also on the board of a university-affiliated institution (an "academic college"). I've been involved in some very nasty catfights, so I've been around the block.

    If you decide to pursue the route of getting something done about it, I'd suggest:

    • Don't even discuss the idea of a quid pro quo, be it monetary or academic. It makes you sound like you're trying to blackmail your university or the companies involved. Unless that's what you want to do, of course...in which case I hope you enjoy a short and unsuccessful career as a criminal.
    • Get somebody with muscle and who understands the situation on your side. A tenured academic who understands the technology and the geek ethic is ideal. If you don't know them directly, maybe a TA or another more advanced student that you do know directly will.
    • They may want it solved on the quiet. Will you be prepared to accept that, or do you want glory?
    • If it doesn't get solved, then you might consider taking it to the student paper. All journalists love a juicy story, and most student papers (if they've got enough editorial independence) love sticking it to the uni admins, so they are a good option. If that's not an option, there is the local media, but if it goes that far you really want help - you can never be sure which way a journo is going to spin a story, particularly one like this, and a professor sounds a whole lot more credible on TV than a scruffy college student. I know that's not fair, but that's the way it works.
    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)

  5. DO NOTHING by YetAnotherName · Score: 5, Insightful

    With the current political climate, your best bet is to do absolutely nothing. People are arrested for expressing opinions, others are denied due process for free speech, and still others are deemed terrorists for even the slightest questioning of a government's actions. Corporations mandate what can and cannot be done and are happily funded by a more sheepish and numbed people, armed with a more sheepish and willing set of so-called representatives.

    Do nothing. Sure, you can pat yourself on the back for your ingenuity, but file your discoveries away in your mind. The world cannot tolerate them now.

    Sad. But true.

  6. Re:What is the goal? by Czyl · Score: 5, Insightful

    I concur wholeheartedly with the parent and caution you to be extremely cautious in going about this correctly. I work as a student lawyer of sorts at a major US university and defend students involved in disciplinary/judicial incidents with the university. Last year I represented a student who was ultimately expelled for exploring (not exploiting) severe security vulnerabilities on a campus library network with an eye to pointing out to someone higher-up that the school had massive holes in its architecture. Bureaucratic admins and faculty are hard-pressed to understand that the way to check system security is to carry out the same probes a h4xj0r would. My recommendations:

    1) Cover your back. Document what you are doing and notify someone you trust (a faculty member in the CS department would be great) about your plans and benign intentions.
    2) Contact the -company-, not the school, and notify them that you'll be issuing the exploit to BugTraq within a set time frame if the bug isn't corrected. Don't let your school even find out about this if you can help it. No need to be anonymous when contacting the company. They oughta thank you, really.
    3) Publish the exploit on Slashdot unless the company specifically tells you why they cannot correct the problem during the set time frame. You don't even need to be anonymous. Legal action against security whistleblowers ought to be illegal, but at least here /.ers will die by the hundreds to defend you.