Disclosure of Major Software Exploits by Students?

school-hacker asks: "I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide. Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and -selftested proof-of-concept exploit code. Naturally, I want to share this information with their software engineers, and would even be nice enough and suggest a means to fixing it. However, with the state of current intellectual property and reverse-engineering laws, I hesitate to do so out of fear of litigation or academic disciplinary action. As an ethical geek, what do -you- do?" While the responses from an earlier story might prove useful, here, there is always the possibility of the university making things harder for the person reporting the problem. How can students avoid both legal and academic trouble, when trying to notify their university of security problems?

Consult your AUP

[rainmanjag]

Most universities have well published an Acceptable Use Policy. Before making any disclosures, become intimately familiar with this document. As long as you've done nothing to compromise this document, you should be on safe ground.

What would be their concern in punishing you? To dissuade every wanna-be cracker on campus from poking around the innards of the computer network. Though we all know security through obscurity does not work, your school does not want everybody trying to eliminate that obscurity.

When you compose your statement of disclosure, include a statement which argues for your concern and your compliance with the AUP. Cite it, quote it, and argue for your concern for staying within the published regulations of the University. So long as you have not used this exploit to your advantage and so long as you show concern for the things they are concerned about, you should be fine.

-jag

Three things

[Shoten]

One, don't notify the university directly. If you do, you create a political situation where they still have the ability to shut you up by putting pressure on you. Keep in mind, the university wouldn't make life hard for you because they're run by Darth Vader, they'd make life hard for you to keep you from disclosing.

Two, do notify the vendor, BUT use the disclosure guidelines provided by Rain Forest Puppy (called RFPolicy). This is the best template for fair and equitable disclosure I've ever seen, and I feel it's even a hair better than the policy put forth by @Stake (although theirs is pretty good too). Set up a hushmail account that cannot be traced back to you for this purpose, and proceed from there.

Three, do NOT disclose the proof-of-concept exploit code. Disclosing a vulnerability is enough, there is no reason to automate attacks that take advantage of it.

By the time the university knows anything, they will no longer be able to accomplish anything by making your life hard. Furthermore, you will be in a position of strength, having taken the high road in disclosure and given all parties every opportunity to protect themselves properly.

Its called Full Disclosure...

[JRHelgeson]

This is a debate that has been taking place in the security industry for some time now. Does Full Disclosure hurt or help the industry. I am of the position that full disclosure helps.

If bugs are kept secret, the secrets get held in the hands of the few. The unethical hacker [cracker] will eventually exploit the code and use it to their advantage.

If it weren't for FD, we'd have more 0day exploits because companies would not feel the pressure to release timely updates. It chews up development cycles to go back and put an emergency fix in place for insecure code, test it, and release it. Do you think companies would do this voluntarily? I think not. Too expensive. They'll include it with their next major update and charge for the upgrade or some crap like that.

I say the medicine is bad, but the disease is worse. Full Disclosure is the Medicine, bad coding the disease.

We are going to continue down this road of FD debate until software vendors (M$ et al.) start writing secure code. I have said it many times; Requiring patches to achieve security is fundamentally flawed. Coders need to write secure code. The onus is on them. Don't blame the hackers/crackers for airing their dirty laundry. If M$ or whoever loses market share because they consistantly release insecure code that is repeatedly being compromised then that is their fault.

It was only after being repeatedly beat over the head with the proverbial lead pipe by the hacker community that good ole Bill Gates sent out a memo stating that Security is becoming Microsofts #1 priority. Do you really think he would have done that if we didn't have the Full Disclosure in place? We should not rely on 'security by obscurity' by keeping the exploits secret, or keeping the information reserved for the security elite.

Send a confidential email to the network administrators and to the company that created the software. State that you will give them adequate time to respond and to release a patch. State that the exploit will undergo full disclosure in two months, or if they request extra time, ask them what measures are being taken to insure the integrity of the information being stored on these computers. If you can hack into the system to raise your grades, others could hack in to lower the hard earned grades of others. Hell, at that point, they should start selling diplomas at the bookstore.

As a university sysadmin....

[WasteOfAmmo]

I can understand wanting to cover your backside with this. Especially since you have 'tested' the exploit. Going to the university may mean the end of your academic career. Going to the company may result in the same in a round about way. The company may feel obligated to report you to the said university.

If you are serious about getting the expoit fixed then there are a lot of good points already made in the replies:

• Send it to the company anonymously.
• Send it to the university IT dept. anonymously.

Do both and that should get it where you want it to go.

Now for my take on this (if you were one of my students)...

You are supplying the source of the proof of concepts, right? I accept no binaries from unkown source, escpecially with your story. You have to convince me that you are not only legit. but being honest. If you approach me you had better be able to prove that you have not altered your grades. This is not due to my morals but due to my obligations to the university.

I have dealt with students bringing up exploits to me that they have found work in our system. First I have to verify their claim, second I have to consider the damage they may have done (purposefully or not). If this means a call to security then I am obligated to do that. After that I have to consider fixing my system and damage control.

Note about security: I need not bring security into it but I must document everything incase the incident becomes a concern in the future... Example, next year you suddenly become a honor student.

A comment by 'has' bothers me... if this is you then you could be in deeper then you want to be... I would suggest cleaning up your act, taking an ethics course and getting on with your degree. This type of un-ethical, and probably illegal (fraud?) activity will eventually catch up with you if continued. Enough preaching.

Take the suggestions regarding anonymous submissions if your serious about helping.

Merlin.