Disclosure of Major Software Exploits by Students?
school-hacker asks: "I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide. Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and -selftested proof-of-concept exploit code. Naturally, I want to share this information with their software engineers, and would even be nice enough and suggest a means to fixing it. However, with the state of current intellectual property and reverse-engineering laws, I hesitate to do so out of fear of litigation or academic disciplinary action. As an ethical geek, what do -you- do?" While the responses from an earlier story might prove useful, here, there is always the possibility of the university making things harder for the person reporting the problem. How can students avoid both legal and academic trouble, when trying to notify their university of security problems?
be an Anonymous Coward for a day!
Still better, post the exploits here, we will make sure they come to know.
Siggy Say, Siggy Do
Don't forget to wear dark glasses.
Treehugger? Treehugger... Treehugger!
and help college students across America 'correct' their grades.
Allah thanks you.
Your best bet is to do something similar to what you have done here. Submit the information to them via an anonymous channel, perhaps mailing a CD (which you handled using gloves, no less) with an explanation and machine-readable exploit code. You don't have to make it known that it was you, just that someone figured it out.
... You've earned it. :-)
Seriously, I'd take this slow. Perhaps writing something up in printed form and submitting it via snail mail would be smarter than having executable code lying around on a computer you own or have access to.
The Future of Human Evolution: Autonomy
duh : anonymous email with a threat to go public.
Like the big boys do it.
You could always try approaching your advisor or some other trusted faculty member.
...anonymity is the key. My crystal ball (i.e. an application of Murphy's Law) states that if you try to formally inform the universities of the flaw, you'll get hushed up, blamed and generally blasted. Just write anonymous letters to the companies who develop the software and the universities about the problems. If they don't take action, then feel guilt-free about giving yourself arbitrary scores. Remember: if you don't get caught, it's not illegal.
Bash script for FP whores
Posting anonymously to a mailing list like bugtraq could help but it could also mean that it could fall on wrong hands. What about just an anonymous report to the software company that developed it?
--- I w00t, therefore I'm l33t.
The best approach to a security "evaluation" is to ask the admins responsible for permission first. This lets them know that "something" might be going on soon so if they detect your attempts they won't panic and send the cops to your house/dorm room.
This also makes it obvious that you were really trying to help find/enhance security rather than just hacking into the system for your own benefit.
You send me the code.. and I will "examine" it to see if it would be legal. I'll get back to you about it after next semester? :D
Release the code to script kiddies. They will get the word out of the security holes....
This probably has to do with "blackboard" software, i.e. learn.vt.edu.
This software tries to be everything to everyone, and all most teachers use it for is posting grades.
It doesn't surprise me that there are bugs in it, though. There have been several show up on astalavista.box.sk, and those were fixed, but the design of the program doesn't strike me as being particularly sound.
~Will
sig?
Better don't do anything, or send it to the company anonymously. With the current state of affairs, you might get in trouble, and it's certainly not worth it. Besides, it's their job to find their bugs.
Find someone who will, or is better able to: the local student newspaper.
Grab a reporter, show him it, let him follow up.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
Goto a prof with your suspicions (but you don't know yet, how could you?) and get assigned to find out for one of your papers. You've already done the work, so it should be an easy grade.
I would advise not bothering,
since it is not worth your effort to help anyone
who would be such a "class-act" as to give you trouble for your efforts instead of praise.
If you wanted to, send them a very carefully worded letter, stating that you may have reason to believe there is an exploit, but you are not certain, and that you would have to know in detail how they would react to:
1. You having found an exploit
2. You having found a fix
3. You submitting the fix
And if they send a nice reply, get something in writing before helping them.
I'd anonymously email the company that develops the software. Get a free hotmail account or some such and send them a full disclosure of the exploit with proof of concept code all in the body of a plain-text no attachment email.
Hopefully it gets someone's attention, it gets patched, and admins at schools apply the patch. Will you get credit for your findings? No. Will you stand a chance at getting the hole fixed without any real fear of retribution? Yes.
-----
That's a good way to look at the world. Why'd you post this advice to the story? What's in it for you?
Just write a nice e-mail about how you happened to find the exploits. I did this with some security focused database software. I got an e-mail back with a lot of thanks (no money), and a few weeks later they released a fix. Of course, I'm not in your position, the place where I work is interested in buying the software, so making the product better helped me, right? Plus I got golden contacts. My feature requests get more weight. It's how you want to handle it. I doubt there will be litigation involved, especially if you present the case as a way of helping them... if you hold them for ransom, well, you can expect to hear from the law.
Unfortunately the law is set up so that you're nearly as likely to get in trouble for reporting a problem as you are using it for personal gain, so from a cost-benefit perspective, one might argue that it's better to keep the secret for your own uses.
on newsgroups, slashdot, the inquirer, and of course a mass mailing to all the students on your college campus.
;-)
don't forget to do that last one anonymously.
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
print it out 4x, put each in an envelope, no return address, send it to the provost, the IT head and the CEO and chief engineer of the company that makes this thing. demand nothing and tell them it's simply fyi. hard for four people to keep a secret - you'll get action somewhere. keep a copy in case nothing happens. no harm, no foul. it's just doing the right thing for no gain.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
you go to slashdot and brag about it.
I passed the Turing test.
You choose a different nickname from "school-hacker" :-)
Give the company a call. Hear what they have to say about a hypothetical situation where a student wants to examine their program for security problems and then wants to report his/her findings back to the company.
If they give you that reverse engineering, IP crap. Post it anonymously somewhere.
If they're cool, then the next step is to approach your college with the same question. Repeat previous step. Just be careful not to get your weenie whacked!
Tell them that you know how to do it and refuse to give them the details unless they can provide you with federal, state and local documents guaranteeing that you, your friends, and your family will not be prosecuted now or in the future for any illegal activity relating to this exploit, exploits of other academic software, or exploits of any software relating to anyone who ever attended college or anyone who knows someone who attended college. Be sure to specify that Arab Americans cannot be excluded from these guarantees.
Also demand that the school indemnify you against any civil actions. While you're at it, you might as well require a statement that no military action will be taken.
Finally, offer them your consulting services at $500/hr, minimum 10 hours.
Disclaimer: IANAL, BIPOOSD (but I play one os
...use it to your advantage, muhahahaha!
...change your grade to give yourself an "A" in gym
As much as I would love to say go tell someone and show that there is a fault. Just the fact that you know about it might implicate you and make any of your marks suspect. University bureaucracies are known for making stupid decisions.
If you can send something anonymously then I think you have done what you can.
Don't jeopardize your future over a good deed.
Also: what do you have to gain, aside from some kudos? You have far more to lose if someone takes what you do the wrong way.
Remember: Good deeds don't go unpunished.
Being a member of the security scene (not a very skilled member but I'm tryin'! ;) ) The standard way would be to email the vendor. If you want to do it anonymously pm me and I can set you up a POP3 account ;)
Briefly state the issues, and the holes, how the exploit works, and inform them that if no response is made you will forward the exploit and the security brief to the proper mailing lists.
It is law in California now that any security breach must be made public so just remind them of that.
Normally they will respond asking for further details, forward them your proof-of-concept and again warn them if corrective measures are not made you will announce it publicly. It should result in a patch, in which case make your findings public with information on how to patch or where to obtain the patch for the software.
If all communications fail there are the [FULL-DISCLOSURE] and the [INCIDENTS] mailing lists. Again if you are worried about your school and/or IP laws the best thing would be to spoof an email to the lists (if it comes down to that) or use an email account that your name IS NOT attached to. Most companies will thank you for informing them before going public, and it is the right thing to do =)
Also try digging thru your AUP and TOS for the network at school, in there it may state some legalities about breaking into systems, hacking, sniffing, etc.
If all else fails, forward your finding to a trusted source, and have them take the actions required. Remember you are not required by any law to make your findings public, so if you really feel uneasy just forget about the whole thing.
You could always pull a frame-up and have it look like a group of students pulled off the exploit. Or find someone that you really don't like, who doesn't like you, drop down your grades and accuse them of tampering with them.
In all seriousness we live in such a paranoid culture that there isn't really a right answer that anyone can give you. It's nice to see that someone out in America has a conscience but my paranoid mind is telling me that if a student came over and told me that there were exploits in the software, I would begin thinking that he might have done something about it. You might just try an anonymous note to the people in charge of the program.
I'm not a student anymore, and I could give a crap.. My company could use the press. go to my web site (in my sig), my address is listed. (424 S. Division Chenoa, IL 61726) send me a CD via snail mail, I'll copy it, destroy the original and contact the company in question.
meh
Most universities have a well-published Acceptable Use Policy. Before making any disclosures, become intimately familiar with this document. As long as you've done nothing to compromise this document, you should be on safe ground.
What would be their concern in punishing you? To dissuade every wanna-be cracker on campus from poking around the innards of the computer network. Though we all know security through obscurity does not work, your school does not want everybody trying to eliminate that obscurity.
When you compose your statement of disclosure, include a statement which argues for your concern and your compliance with the AUP. Cite it, quote it, and argue for your concern for staying within the published regulations of the University. So long as you have not used this exploit to your advantage and so long as you show concern for the things they are concerned about, you should be fine.
-jag
http://starboard.flowtheory.net/
Only tell the people that matter. Don't go to the director of the IT department and tell him/her that you can break into their system. They might not understand, they will just see you as a hacker, which could lead to trouble. Tell the net admin or someone that understands the problem and help them take the proper steps to fix it.
"The Internet is a fad" -WB --> Actual quote from an IT director BTW
A clever person solves a problem. A wise person avoids it. -- Einstein
One, don't notify the university directly. If you do, you create a political situation where they still have the ability to shut you up by putting pressure on you. Keep in mind, the university wouldn't make life hard for you because they're run by Darth Vader, they'd make life hard for you to keep you from disclosing.
Two, do notify the vendor, BUT use the disclosure guidelines provided by Rain Forest Puppy (called RFPolicy). This is the best template for fair and equitable disclosure I've ever seen, and I feel it's even a hair better than the policy put forth by @Stake (although theirs is pretty good too). Set up a hushmail account that cannot be traced back to you for this purpose, and proceed from there.
Three, do NOT disclose the proof-of-concept exploit code. Disclosing a vulnerability is enough, there is no reason to automate attacks that take advantage of it.
By the time the university knows anything, they will no longer be able to accomplish anything by making your life hard. Furthermore, you will be in a position of strength, having taken the high road in disclosure and given all parties every opportunity to protect themselves properly.
For your security, this post has been encrypted with ROT-13, twice.
I had this problem a while back with java.sun.com.
They were running a comment system that did server side includes. The URL pattern was
http://java.sun.com/foo.jsp?url=relative/path.i
The obvious hack would be to enter a file: URL and see if it worked and sure enough I could browse through the whole file system as long as I knew the path.
Stupid Java engineers.
Anyway... I contacted a few VPs at SUN and just told them that I had discovered a severe security hole in their webserver and that because of the DMCA I couldn't report it.
They were quick to respond telling me that they WOULDN'T prosecute if i were to give them the security disclosure so they could fix the issue.
Most people won't care as long as you are white hat. If they freak out then don't reveal the information
Kevin
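The post above describes a comment system whose `url=` parameter was accepted as any URL, so a `file:` scheme let a visitor read the server's file system. The block below is an added example (not code from the post or from Sun) that shows that pattern beside a resolver that only accepts a scheme-less relative path pinned inside a document root; the root path and file names are constructed for the example.

```python
# Added example: an include-parameter resolver as in "?url=relative/path",
# first mirroring the flaw described above, then the hardened form.
from pathlib import Path
from urllib.parse import urlsplit


def resolve_include_unsafe(doc_root: Path, url: str) -> str:
    """Mirrors the flaw in the post: the parameter is parsed as a URL and a
    file: scheme is honoured, so any readable file on the host is served."""
    parts = urlsplit(url)
    if parts.scheme == "file":
        return parts.path          # e.g. /etc/passwd: the whole FS is browsable
    return str(doc_root / parts.path)  # relative path, no boundary check at all


def resolve_include_safe(doc_root: Path, url: str) -> Path:
    """Accept only a scheme-less relative path that stays inside doc_root.

    Raises ValueError for anything else (file:/http: URLs, absolute paths,
    ../ traversal, symlink escapes, NUL bytes)."""
    if not url or "\x00" in url:
        raise ValueError("empty or NUL-containing include parameter")
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        raise ValueError("URL schemes (file:, http:, ...) are not allowed")
    if url.startswith(("/", "\\")):
        raise ValueError("absolute paths are not allowed")
    root = doc_root.resolve()
    # resolve() normalises ../ segments and follows symlinks, so a link that
    # points outside the root is caught the same way a traversal is.
    candidate = (root / url).resolve()
    if root not in candidate.parents:      # must be strictly inside the root
        raise ValueError("include escapes the document root")
    return candidate


if __name__ == "__main__":
    # Constructed document root for the demo; the real server's path is unknown.
    root = Path("/var/www/comments")
    print(resolve_include_unsafe(root, "file:///etc/passwd"))   # /etc/passwd
    print(resolve_include_safe(root, "threads/1.inc"))
    for bad in ("file:///etc/passwd", "../../etc/passwd", "/etc/passwd"):
        try:
            resolve_include_safe(root, bad)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```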
so be careful. Maybe you better just send them 699.99 right now to cover yourself. Then you'll be free to do what you want with it, without the fear of litigation.
Here is some advice..
Remember you will be dealing with two or three groups that have different motives for their existence; ie IT group of your college, college Management, and the software vendor...
You do not have enough power or pull to report this on your own and should not do so as it would put your college studies in danger, heed this warning!
What you need to do is find a tenured CS faculty member that will be a guinea pig for a blind computer experiment..blind in that he or she does not know ahead of time the directions you will be giving..
The directions must be in the form of question of:
What happens if I do this, what will occur..in other words you are leading the faculty member on the trail of discovery..
Once they get to the end it is then their responsibility for reporting the security hack and thus your college studies are protected..
Don't Tread on OpenSource
If history is any guide: They aren't going to take you seriously unless you release a working exploit. If you tell 'em about it they'll just try to silence you with threats -- and then you can't choose anonymous release, because they'll go after you.
If you release the exploit anonymously, you'll get things fixed. If you release it with your name attached, you'll get things fixed and bring a shitstorm down on your head -- your choice if you want the notoriety and its consequences.
Release it to the public, anonymously. :)
The problem will solve itself.
And packetstorm, of course.
-Adam
You should forget about the whole thing. There is no good that can come of this. I understand wanting to be a good samaritan and all, but some people just don't take kindly to that. Considering the risks here (if the company gets pissed off at you, you end up with a computer crimes charge on your record and are basically blacklisted from the industry) I'd say you should delete any copies of any proof-of-concept code you have and forget about the whole thing. Either that or sell it to a fraternity or the football/basketball program at your school.. I'm sure they'd LOVE to get their hands on something like that.
I need to pass this semester. Don't ruin this for me.
"It's the little touches that make a future solid enough to be destroyed" --William S. Bourroughs
if it is about this blackboard software portal then it is a significant finding. The code is java based and i haven't come across a lot of exploits for java based architectures.
Siggy Say, Siggy Do
Maybe I'm completely naive, but what the hell is going on?! Has everyone on slashdot hacked or cracked some 31337 prog/dbase/bank ... Why is anonymity supposedly the best policy?! As long as you haven't changed your grades or exploited code (your teachers/the school will be able to tell) then you'll be fine. Are you afraid of getting busted for something else? I mean, it seems completely rational to e-mail the company, print a copy, mail it to yourself (if you are as paranoid as everyone else) and then, if problems arise, mail the university.
.. :P ridiculous
Remember: The university cares about a student paying 20k+ a year to be there, the software company is costing the U money, who would they rather attack?
Anonymity is for spammers. You'll probably get some recognition in the CS department if you say something about it... unless your teachers are all secretly black hat, and hate your guts for exposing yourself
I remember hearing that blank CDs include individual ID numbers and burners will include the serial number of the burner in a special location on the CD. Is this true or is my paranoid memory making things up? A brief online search turned up nothing.
Is there a professor that you know well enough to approach about this? I would tell them the facts and ask them what to do.
It is highly likely that they will be willing to approach the PTB about the issue--leaving you entirely out of it. At most universities, such a software vendor won't try to get your identity from a prof, they know where their bread is buttered.
If all else fails, drop me an email at roberts period six-two-eight period osu period edu. I'm a prof at Ohio State and I'll be happy to lend a hand.
I'll be doing some 'research' of my own next semester on how to 'improve' my grades ;-)
The unofficial
Have you NOT figured it out yet...THERE IS NO ANONYMOUS on the net...sorry guys, I assure you SOMEONE has logs, your ISP the border routers along the way, If someone, say the government or a deep pockets corp wants that, they will pull an RIAA and get it...If you want to REALLY be anonymous go to the library, use a type writer, send a snail mail from another zip code and DON'T go into the post office to do it...otherwise just get a business license and approach them as a LICENSED contractor with a proposal at the business level...or just watch it all FALL TO PIECES...
:( Thanks DMCA, brought to you by the US Gestapo, protecting our homeland from ourselves...
Remember even LAME infant like encryption is now a federally protected item
errr....umm...*whooosh* *whoosh* Is this thing on ?
A lot of people here have advocated alerting people about this anonymously. Whether or not you feel this is the correct thing to do, consider including a PGP public key with whatever submissions you turn over to relevant parties. This way, if it becomes advantageous at a later time to take credit for your actions, you can prove that you were the anonymous whistle-blower.
I'm taking bets. $2 to play
1. The sploit is M$
2. The sploit is *nix
Leverage this to make Microsoft release a Linux client for the Xbox!
/sig
don't show them how you do it. If your "...-selftested proof-of-concept exploit code..." actually works, proving to them that there is an exploit shouldn't be too difficult - tell them (software company and the Dean) what grades you are going to change, and then run the program and change some grades - but make sure you keep all your source code encrypted.
If bugs are kept secret, the secrets get held in the hands of the few. The unethical hacker [cracker] will eventually exploit the code and use it to their advantage.
If it weren't for FD, we'd have more 0day exploits because companies would not feel the pressure to release timely updates. It chews up development cycles to go back and put an emergency fix in place for insecure code, test it, and release it. Do you think companies would do this voluntarily? I think not. Too expensive. They'll include it with their next major update and charge for the upgrade or some crap like that.
I say the medicine is bad, but the disease is worse. Full Disclosure is the Medicine, bad coding the disease.
We are going to continue down this road of FD debate until software vendors (M$ et al.) start writing secure code. I have said it many times; Requiring patches to achieve security is fundamentally flawed. Coders need to write secure code. The onus is on them. Don't blame the hackers/crackers for airing their dirty laundry. If M$ or whoever loses market share because they consistently release insecure code that is repeatedly being compromised then that is their fault.
It was only after being repeatedly beat over the head with the proverbial lead pipe by the hacker community that good ole Bill Gates sent out a memo stating that Security is becoming Microsoft's #1 priority. Do you really think he would have done that if we didn't have the Full Disclosure in place? We should not rely on 'security by obscurity' by keeping the exploits secret, or keeping the information reserved for the security elite.
Send a confidential email to the network administrators and to the company that created the software. State that you will give them adequate time to respond and to release a patch. State that the exploit will undergo full disclosure in two months, or if they request extra time, ask them what measures are being taken to ensure the integrity of the information being stored on these computers. If you can hack into the system to raise your grades, others could hack in to lower the hard earned grades of others. Hell, at that point, they should start selling diplomas at the bookstore.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
That's exactly how Stefan Puffer got indicted in Houston Texas last year. He provided a demonstration of an insecure county wireless system in front of a newspaper reporter and a county IT employee. He was later no-billed by the county but I'm sure his attorney's bill was a few $$$. -rick
... address it from somebody who pissed you off, or ran off with that girl you fancied.
Do you think your tutor or lecturer has never seen any of your work before? Do you think s/he is going to get suss when you turn in junk day after day and then all of a sudden your marks get bumped up? Do you think that seeing your tutor/lecturer about the issue is going to prove to them the intelligence you have in the IT subjects you are doing (highly likely!) If you can do this kind of crap you can get A's any time you want.
If you're really worried, make a hotmail account, and mail them. The only problem with that approach is come exam day if you are sick, you fail.... if the lecturer knows you and knows your work you'll be cut some slack. I know. I used to be one.
In my next incarnation, I hope to come back as a code monkey.
To begin, it doesn't seem as if you are maliciously trying to hurt the engineers or give yourself an advantage over the students. It also doesn't seem like you were purposely trying to find flaws. I would talk to a teacher, academic advisor, or even the tech people in the library to find out what you can do. Explain that you are only trying to make things better and not publish exploits. The suggestion about sending something in the regular mail could be a good one. I would type up a professional and respectful letter saying how you found it, what the repercussions are of such an exploit, suggestions on how to fix it, and possibly include a CD with your code on it. You don't need a return address and it's anonymous so you don't have to be so nervous.
Well you're fucking up their v1.0!
Well personally I would have cracked into the program, using the exploit and dumped the exploit, and a file explaining it in a conspicuous location. That's sure to get their attention!
When Argumentum ad Hominem falls short, try Argumentum ad Matrem
Report it via email from a throw-away hotmail address using a computer at the public library. It's still possible for them to trace you but I doubt it'd be worth the trouble to them.
Another possible solution is put the executable source code on cd, with whatever other information you want to include in plain text format and slip it under the door of a computer lab manager, or professor, or whoever you think would be most likely to deal with it.
First, create a disclosure document for your IP attorney, then immediately file a method patent application on the bugfix.
:)
Then, once your provisional patent application is received, you can offer to license the bugfix (and since it was a method patent, they can't program around you) to the school for a modest fee.
"Method and Program for closing a known security hole in grade reporting software"
or something like that... I'd say you'd be a rich man, just don't forget to send me my cut
Don't tell anyone. Graduate, then go for your PhD.
Your thesis is staring you in the face. So simple.
I can understand wanting to cover your backside with this. Especially since you have 'tested' the exploit. Going to the university may mean the end of your academic career. Going to the company may result in the same in a round about way. The company may feel obligated to report you to the said university.
If you are serious about getting the exploit fixed then there are a lot of good points already made in the replies:
- Send it to the company anonymously.
- Send it to the university IT dept. anonymously.
Do both and that should get it where you want it to go. Now for my take on this (if you were one of my students)...
You are supplying the source of the proof of concepts, right? I accept no binaries from unknown source, especially with your story. You have to convince me that you are not only legit. but being honest. If you approach me you had better be able to prove that you have not altered your grades. This is not due to my morals but due to my obligations to the university.
I have dealt with students bringing up exploits to me that they have found work in our system. First I have to verify their claim, second I have to consider the damage they may have done (purposefully or not). If this means a call to security then I am obligated to do that. After that I have to consider fixing my system and damage control.
Note about security: I need not bring security into it but I must document everything in case the incident becomes a concern in the future... Example, next year you suddenly become an honor student.
A comment by 'has' bothers me... if this is you then you could be in deeper than you want to be... I would suggest cleaning up your act, taking an ethics course and getting on with your degree. This type of un-ethical, and probably illegal (fraud?) activity will eventually catch up with you if continued. Enough preaching.
Take the suggestions regarding anonymous submissions if you're serious about helping.
Merlin.
Interesting to say the least. If you slack off all semester then use this exploit to change your grade, you'd better keep quiet. I'm sure the prof has non-online records to double check your actual grade if he/she gets word of the exploit. You should actually maybe talk to a lawyer, maybe they can help you draft a letter in terms that don't sound threatening... or at least in so much legalese that they won't even be able to decipher who you are.
;-)
Best bet (at the risk of being modded redundant) would be to anonymously contact the company. If you want to avoid suspicion, bomb the class a little first so your grade kinda sucks. Just make sure you have a way to bring it back up again
There are only 10 kinds of people in this world... those who understand binary and those who don't
Come across? Like you woke up one morning and found them in your mailbox, between credit card offers?
Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and -selftested proof-of-concept exploit code.
Now I'm thinking - did you have a legal copy of the software you were "testing"? If not, do you know the person/entity who has the legal copy? Did you get their permission to poke around?
I would expect the litigation or academic discipline, if you pursued your experiment without a legal copy, or at least the permission of the person who owned the licensed copy. Or at least asked a professor to act as advisor for your experiments.
As an ethical geek, what do -you- do?
Ask permission from the target company before pursuing exploits.
I may be reading too much into the poster's brief notes (or maybe the poster's name), but I have a feeling that there are several illegal (and possibly unethical) things that have been done so far. The best way to avoid a situation like this is to plan to be ethical, legal, and open from the beginning. Get the company's permission, the school's permission, etc., and no one will be surprised when you get some results. Otherwise, they may say "Thank you, now please come to court in two weeks", and you have little recourse except to hire a lawyer.
Which the poster should probably do, anyway. It's a shame - with the proper authorization, this could have been an interesting senior project.
Start your own website based off of the exploit. Students pay you, you fix their grades, you get paid, and forget about the hole being patched!!! But then there is that darn ethics thing. Document the error and report it directly to the company. If they give you the brush, no big deal--you've done your duty. If they litigate, I think you'll have no prob getting help. And besides, the attention will start a career if that's your goal. Make sure you can the proof of concept code though, that'll get you in trouble. The DMCA is in full effect, just document the error, and tell what is exposed. No other details.
Why can't all fpga/microcontroller manufacturers just release free optimizing compilers???
Sure, it's probably Blackboard which most colleges use, but if it's not Bb, it could also be Banner by SCT which plenty of schools also use.
Compromising Banner is far more dangerous than Blackboard (Bb).... Most schools that use Banner use it as their student management system, which records official transcript, program requirements met, class registration, etc. etc.
In my last undergrad semester, my team developed a website that interfaced directly w/ the Banner system and even found some loopholes in it which we exploited to allow our website to do a better job at calculating program requirements met and suggested offerings to complete it. (This was for an Advanced Software Project Mgmt class)
Needless to say, the Registrars office people were very intrigued by our exploration into the limits of the current system. I imagine a less cooperative school administration would be more punitive.. (But I went to a business school, so they know we just get motivated by $$
Comments like that make me think you work for Microsoft.
If you decide to pursue the route of getting something done about it, I'd suggest:
I'll get back to you about it after next semester? :D
Make that:
I'll get back to you about it after next semester? :A
If you're worried about repercussions, then use a public library terminal and a new hotmail type free mail account. Most public libraries intentionally do not keep traffic logs these days anyway (because of the privacy issues involved with turning over those logs if they are subpoenaed).
But, I'm a security admin at a university... I occasionally have students bring vulnerabilities to me. Often I already know about it, but I still welcome the input and am thankful for the extra eyes watching the network. I've just got too many nodes to keep up with to catch every computer.
Ya dude ya like gotta at least ya know let us be lazy bastards im like i dont wanna learn i want good grades so my parents will love me
(no im not trying to be an asshole it just happens something to do with all that crap yes of course hes going to post it the code to slashdot i believe you may have missed some part of the article head)
Today I ran across 2-3 holes (cross site scripting with remote execution, SQL injection with code exposure, and account hijacking) in the Blackboard system which I am currently working to exploit... for a proof of concept. If this is the same system you're talking about, I want to talk with you. Maybe with enough ammunition they will listen to the both of us more than they would listen to one.
email me.
cough cough......webct....cough cough
1) Abuse the hell out of it and secretly release the exploits when you get tired of getting multiple PhD/MSc/BSc in various subjects.
2) Contact the most famous security firms around, tell them about your findings and get an early employment contract before your graduation.
Option 1 sounds attractive but option 2 can save you from getting your ass into federal prison.
I liked Matthew Broderick's IMSAI 8080 dial-up system in Wargames better.
And then give yourself an A.
For the online quizzes for the class I'm taking now, the textbook publisher's website asks for the student's email address and the professor's email address. That's it. It then sends the results to those addresses and notes the correct answers to whatever was missed. Near as I can tell you can enter anything you want for those email addresses.
The instructor gets the usual username/password combo and he assumed that students had to set up accounts tied to his class because the publisher knows that students might be tempted to cheat, right?
In all fairness, maybe they just figured that securing an open book do-at-home quiz wasn't possible anyhow. But I'm honest, antisocial, and getting decent grades anyhow so I let the professor know.
To the guy who suggested selling higher grades to the football team or fraternities: forget that. Trade with the cheerleaders
Open up a phony hotmail account from a lab workstation in school.
I call bullshit -- if you were smart enough to find exploits, you'd be smart enough to figure that out.
In short, the very fact that you asked this question indicates that you suspect you have gone too far already. Discovering an exploit raises the question how you found it. If you did so innocently, that's fine -- report the potential risk, and offer services under written authority to make your "proof of concept."
But realistically, if you are testing an exploit to bring the point home, you have already put yourself at risk. Until you are invited to the party, it is very dangerous to expose those risks.
At least, take care to "go through the channels," before you do some subculture hacking. If you do the latter, be prepared to stay with the subculture -- whether you be white hat or black hat, your personal sense of ethics don't necessarily comport with your agreements with the University or the law.
I am not saying that you should support security through obscurity, or refrain from exposing security risks. I'm suggesting that if you want to do that, there is a far safer protocol than taking everything into your own hands.
Yes, this is insane, but it's also how it is.
--True, if you take the right approach, have the right kind of charisma (ie, express honesty and even explain your concerns up front about how other people before you have been punished for having done the right thing in the past), you might be able to pull it off. I wouldn't count on it though. The sheep behind the glass are getting colder every day, and even a smooth talker like me has been really having to sweat in order to earn my best intentions. It's getting tough out there.
So in this instance, and others like it, I wouldn't bother.
And just to be clear, I wouldn't use the exploit either. --Chances are, if you do, you'll really end up in hot water. Indeed, I strongly suspect that some cases of these kinds of exploits are designed to discover those who are not sheep-like enough so that they can be flagged for later. . , uh, disposal. (Same goes for things like performing acts of guerrilla advertising, and ad-defacement of particularly nasty posters and billboards around your town. That sort of thing is monitored.)
--Which, of course, means that if you try in earnest to bring the hole in the code to the attention of the 'masters of the universe', then somebody, somewhere will be all pissed off with you for ruining their entrapment scheme.
My advice? Sit tight. --The furthest you might want to go is to discuss it openly to anybody who cares to listen, saying you heard about it on the net from some anonymous coward. Wide open honesty is usually the best way to screw evil plans without bringing down reprisal and brimstone on your head. Works for me.
-FL
Am I the only one who was about to submit:
;)" ..as a joke, but then erased it after imagining homeland defense troopers with pitchforks and with various illegible (and infamous to Slashdot groupies), BILLS and ACTS in their mouths, showing up at my doorstep? Good.
"Don't tell YET, I've still got one more semester left ;) THINK ABOUT IT!"
I'm just kidding, I am anti-cheating and this should be announced asap. This should hit the major media, THUS showing people this particular market is not dominated yet, and giving us nerds jobs to make competing products
I would argue that there are several answers depending on the poster's goal. Is he interested in working for Blackboa...I mean, the software he is discussing (and/or any other company) and wanting to show his prowess? Or is it truly out of the kindness of his heart? Regardless, I would completely bypass the school. Contact the software company directly as they understand the issue better. It would be your luck that a random administrator at your school would hear about this and label you a h4x0r and a menace to society -- remember that people hate what they cannot understand.
With the current political climate, your best bet is to do absolutely nothing. People are arrested for expressing opinions, others are denied due process for free speech, and still others are deemed terrorists for even the slightest questioning of a government's actions. Corporations mandate what can and cannot be done and are happily funded by a more sheepish and numbed people, armed with a more sheepish and willing set of so-called representatives.
Do nothing. Sure, you can pat yourself on the back for your ingenuity, but file your discoveries away in your mind. The world cannot tolerate them now.
Sad. But true.
Fix the bug, then sue them for stealing your code! Works for SCO
(but keep a backup of the original) That should get their attention.
All I'm saying is that he shouldn't take a chance, he doesn't know how they will react so why risk it and for what?
Doesn't matter - sending the mail will give the originating IP.
I accidentally left a hole like this on a server I was working with once. I'd actually had checks to ensure such a thing didn't happen, but disabled them when I was debugging and forgot to uncomment the code (dumb dumb dumb). Luckily, that particular server didn't have anything overly special, though the ability to view users in the passwd file (which contained full names) was annoying.
I must say that I greatly appreciated when somebody informed me of the hole, though I felt like an idiot afterwards. Not everybody is an asshole about such things. I'd expect also that there would be some form of sysadmin that you might be able to contact (anonymously or otherwise), and he might appreciate it more than perhaps an exec who has no clue about security.
One of my best friends is one of the lead programmers for Blackboard. So I would like to be extremely biased, and tell you that it can't be Blackboard that has issues!
Can't we blame this on Microsoft somehow instead?
This is a serious suggestion. Don't report it, just pick classes at random each semester and fail all the students in them. 10 or so should be enough. The administration will freak out, and they will get the company's attention for you. Use an anonymous remailer to tell the company where the problem is, but never release any exploit code.
The fact is, with this sort of thing, the squeaky wheel gets whacked with a sack of doorknobs.
In Soviet America the banks rob you!
To the school's IT department, cc: to the Dean (or campus principal as the case may be), both from a temporary hotmail/yahoo account. Include the example code, obfuscated to hide your coding style (coders familiar with you, and instructors likewise, would pick you out from your coding style) and leave it at that. If they are too damn ignorant to test it out, well, it's their problem, they've been warned.
canuck_wingnut
Wow, Slashdotters seem to have the shortest memories I've ever encountered. I've seen so many posts with "there is no anonymous e-mail, they all have the IP" that it's scary.
Is everyone forgetting WiFi? My university provides WiFi free to all students. It uses 128-bit encryption, but that's easy enough to crack. There's also (by a conservative count) 300 open hotspots within skating distance of the university (laptop in the backpack finds many wonderful things). If I wanted to send a truly anonymous e-mail, I'd set up a Hotmail account via one of these hotspots, and every time I wanted to check my mail/send mail, I'd use a different hotspot. For the real paranoid fanatic, drive to different parts of the city each time. It would be damn near impossible to nail me down. The best they could do is "we know what CITY s/he lives in..."
I am very surprised no one has mentioned this! Find yourself a small, start-up security firm somewhere. Coordinate with them to release the vulnerability information in a professional manner. You get the anonymity you need, and the small security firm gets recognition!
Win-win for both of you!
What is the world coming to that this question even needs to be asked?
I am not an American, nor do I live in the US, but I have always respected the foundations and principles that the US was founded on. Principles which have all but been flushed down the toilet.
Here we have "the land of the free and the home of the brave" turning into the "land of the closely monitored and the home of the scared to do something beneficial, or in fact anything at all."
This makes me wonder when we are going to have masses of Americans defecting to Russia for political asylum.
Who really won the cold war...or perhaps the people at the top are all the same anyways....hold on there is a knock at the door.....Ahhhhhh they are coming to take me away hah hah!
> Is everyone forgetting WiFi? My university provides WiFi free to all students.
Yes, Cal State Berkeley? Yes, yes, go Bears. I need to know what MAC address had been assigned an IP registered to your university's AirBear system... Oh, a hacker, sir, a very dangerous antisocial miscreant. Oh, yes you do have to; DMCA. Look, we can do this the easy way, or I can get a subpoena.
You don't keep logs? I don't believe that, surely you're aware that you're liable for everything that comes out of your network. I'd rather believe you've destroyed such logs, which we can turn into destruction of evidence charges...
Oh, you'll cooperate? Good boy.
I took a class from the full time dean of tech at my school and I work for her dept as a student asst (really a resnet technician) so I am pretty sure If I were to discover something like that I would be safe in approaching her about it. In addition one of my more immediate supervisors is the son of the former president of the school so I am sure I could secure my safety. But then again why would I help my school for free, they don't help me for free.
I ran into a similar situation some years back at Carnegie Mellon University. A friend of mine discovered a means of acquiring AFS authentication tokens belonging to other students. (The tokens were not being destroyed properly. The technique involved editing the boot image (vmunix) with emacs.)
This was a significant security hole. Every year, a couple of idiots try to cheat. With the ability to become any other user, well, Pandora's box was wide open.
My friend asked for my advice on how to proceed. Should he contact the administration? I told him, flat out, if he went to the administration, he could expect to have his computer accounts immediately terminated. Without them, he would receive a forced-fail in all his computer science classes. He could also expect to face a "rubber-stamp" academic review board, and either a suspension or outright expulsion from the school.
This is, unfortunately, not idle speculation. Some years earlier, my best friend at CMU (Jeff) had created a subdirectory. Well, several subdirectories, actually. Nested. The professor (Phil) was a complete loon who couldn't code his way out of a paper bag. He decided Jeff's subdirectories had crashed the system. We accessed the logfiles. Jeff didn't have anything to do with that system going down. That didn't stop the termination of all his computer accounts, the forced-fails, or the academic review board and suspension. My one big regret was that Jeff never filed a lawsuit against CMU.
So, getting back to the AFS hole: I'm a member of the local Alpha Phi Omega chapter. At that time, one of our advisors was an upper echelon hacker, an absolute wizard, who was responsible for a large chunk of the actual implementation on the systems involved. I arranged for a private meeting between the three of us. The details were discussed openly and frankly, along with possible solutions. A trivial fix was put into place.
To the best of my knowledge, no one else, and specifically no one in the administration, was ever notified. My friend continued his education uninterrupted, and eventually obtained his degree.
-D.
Step 1: Use http://riot.eu.org/anon/ to send the administration a friendly "what if" letter. Be sure to include things like "I have reason to suspect" and "Theoretically speaking, if a student were to find a backdoor". Be as vague as possible but make sure you get the point across that you want to help them. Tell them to mail an official response as to what their course of action would be "if" a student were to come across such a flaw in the code.
Step 2: Find a computer store with a few models with online access. Set up a hotmail or yahoo account containing absolutely all fake information.
Step 3: Have the administration mail the "official" response to that address.
Step 4: Find a new (stress "new") place with internet access (like an internet cafe) that allows floppy use. Copy the entire page onto the floppy. Oh yeah, and make sure to pay with cash always. Shut down the e-mail account.
Step 5: Make a few copies of the disk, and depending on what their "official" response was, either take the exploitation code along with the floppy in to the administration or repeat steps 1-4 with the software company.
If all else fails, submit the stuff to a bug tracking site (preferably many).
Print the exploit up on flyers and post them around the campus in the middle of the night. A few hundred of them should get the attention of the campus IS people who'll talk to the company and they'll issue the fix.
1) Make a couple copies of a detailed explanation, along with code necessary to do the exploit, and put on CD.
2) Mail to CEO, IT director of offending company, student advocate and IT director of university, and one or two newspapers. Make sure that everyone knows that the others are receiving identical copies of the same CD.
3) Get a lawyer. You'll be thankful you retained one, even if nothing ever comes of this event.
4) Encourage everyone (except newspapers, those are your backup) to sit down on campus for a meeting. Bring your lawyer. Bring your professor (I assume that only 1 class uses this system) and make sure that he validates that your grade has not been changed. Once that's done, make sure they realize that you're doing this as a service for their benefit. (both company and university don't need bad press)
5) Get the student newspaper in on it, but don't expect anything.
Hopefully, the exploit will be fixed in a short amount of time, nobody will sue you, and you'll get the pat on the back you expected (nothing more, except maybe a job offer if you're especially golden.)
2) Next, go to No-ID.com, an anonymous remailer that masks the source of emails.
3) Email messages to the college and software creators, notifying that they have 2 months to fix the problem before you post the vulnerability to the Full Disclosure mailing list.
They will be able to reply to your emails using the remailer service. You WILL remain completely anonymous and your integrity will never have an opportunity to be called into question.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
If you have done what I think you have, then you are quite probably screwed no matter what course of action you choose.
If you do report the problem, the IT administrators will be obliged to perform a damage assessment. They will scan their logs for behavior possibly taking advantage of this exploit. Given that you say you have proof of concept code, and presumably have tested it, if IT discovers that you have so much as tried to take advantage of this or a related exploit, it will almost certainly result in your dismissal for that semester, criminal charges, and possibly the end of your academic career.
It won't help to go through a professor. If IT comes back and says that they have evidence that you tried to take advantage of the exploit (by 'testing'), you will not be spared, and the professor will either be unwilling or unable to protect you.
If you do not report the problem, you risk IT discovering the exploit on their own or through a security update from the vendor, and similarly performing damage assessment to discover whether or not their systems or data have been compromised, or attempted to have been compromised.
Don't scoff at this. If it is a significant exploit, and given that there is now a story on Slashdot about it, there is a significant possibility that IT will perform a damage assessment.
Further, depending upon how you found or 'tested' this exploit, IT may find you out whether or not they realize or are alerted to the nature of the exploit.
It is really up to you. Only you know the nature of your investigative activities and testing. If discovering these exploits required behavior which went beyond the normal use of the system, then you have a very serious problem.
How do you explain why you were doing this in the first place? You can't, and quite honestly, there is almost certainly no excuse for it. If you were concerned about the security of the system, you should have gone through official channels to get clearance to look for vulnerabilities, and report the sort of investigative techniques you would be using, and do only this.
If you have not done this, then you have one course of action:
- Find out how long of a period IT keeps logs for. If you are a technically inclined student, then surely you have acquaintances -- students -- who work in IT.
- If the logs of your activity are gone, then you are in the clear. Report the vulnerability anonymously the next time you are off campus. Unfortunately, from the few academic IT departments I am familiar with, they keep logs for a very long time, because of issues just like these.
- If, on the other hand, the logs of your activity are not gone, then weigh the possibility of your activity being found out before the logs will be cycled or destroyed.
If the logs will be around for months still, then you are quite possibly in serious trouble. If the logs will be around for a year or more, then you are almost certainly in very serious trouble.
If you report your activities, then you are almost certainly in very serious trouble.
Personally, I would go with the first option, and hope that your IT department will not perform damage assessment, or that they will not find out about the exploit until next semester, and will not be interested in logs from the previous semester, or perhaps from the previous academic year.
The last University that I attended in West Palm Beach FL (they can trace this back to me... see if I care) has some shitty network admins. Their network is anything but secure.
I found plenty of problems with their network security... I (as a regular user on their systems) had access to a lot of things that I shouldn't have had. I actually used one of these exploits to my advantage. We had a test that I didn't study for (all tests were handled by a CGI script on an insecure in-house server). I shut down the box, and... voilà, no test that day.
I sent an e-mail to the heads of the school. I ended up talking to them and asking for a job; they wanted to give me $5/hr so I told them that they can go f**k themselves (in a nice way). They wanted me to set up servers (SMTP, DNS, Webserver etc...), apply a security policy and write custom code for them.
I just ended up telling my teacher about the security vulnerabilities (he was real cool about it), he fixed the exploits that I knew off the top of my head. I corrected some of his code... now he sends me job opportunities.
In a different situation in high school, I wrote a lot of code for my school, it was supposed to be a system where teachers and parents could view students' grades and such securely... the school ended up expelling me for not going to detentions (I was working as a developer after school for a firm down here in FL). Every bit of code was encrypted with GnuPG so they didn't get one bit out of me.
BTW: if you found an exploit on a school's computer and you write a patch on the school's computer (IT'S OWNED BY THE SCHOOL), they will try and screw you over, schools are just like that.
My advice is - they won't hire you or they will want to pay minimum wage, so just talk to a teacher that you TRUST. They might appreciate it and send you work that comes their way
oh ya, first change your grades though...
Regards,
- Mick
Don't ask Slashdot... just go ask your lawyer... I'm pretty darn sure it's a lot safer :)
I'm really addicted to slashdot and I think it's really great but I wouldn't trust it with my freedom or my academic life.
Slip a letter under a few of your professors' doors, or do a hit-and-run drop off at your university's help desk, if you're really worried about retaliation.
1) Full disclosure.
Tell everyone all at once. Submit to Slashdot, SecurityFocus, local campus news, local newspaper, campus radio station, et al. Make sure to do it from a non-campus computer; an internet cafe would do (and use a fake address along with a remailer).
2) Tell the school
Once again do it anonymously. This probably won't work (trust me).
3) Tell the company
If you send it to the company, tell them you're giving them a heads up before you do number 1. Give them a specific amount of time.
As for legal implications of this, Slashdot is not the place for those kinds of questions. Personally I favour number 3, with a 72 hour lead time (or whatever you think is reasonable), coupled with number 1 if they do not fix the problem. If they send threats back to the e-mail you used (if you decide not to use a remailer), send them to all local media outlets (and national, but they probably would not care).
get yourself a cheap wireless card(for your laptop or PDA) go around town for free wireless access. Post the exploit.
Let them know about the problem in the software. Provide examples. Demand that they do not reveal their sources.
AFAIR, CERT exists exactly for these sorts of problems, when you want to tell, but you don't want to get in trouble for misunderstanding.
-- dieman - Scott Dier
Yes, Cal State Berkeley? Yes, we did receive the info you've provided. We appreciate your co-operation. There is something else, however. According to your logs, the MAC address for the assigned IP address implicates the Dean. We're going to have to take him into custody. Oh, you'll get his lawyer on the line? Great.
Yes, Mr Very Expensive Lawyer, this is the FBI. Oh, your position is that the MAC address was spoofed? Oh, dang. Well, I suppose we can let the Dean go... THIS time.
That's also assuming that the guy uses his university WiFi. He could always find some nice, open Linksys AP's. In my town, I've found close to 150 open Linksys ones that seem to have all the defaults enabled (default SSID, default chan, so default security settings can be assumed - user:admin, pass:admin), so IF logging is turned on (isn't by default), it can be turned off easily. Hell, these things are everywhere. I've even found a hearing aid store with a wide open AP.
Besides, how easy would it be to track someone if all you knew was the university they attend and their MAC address? You would need the co-operation of each and every student on campus. Good freakin' luck!
I would never waste my time on proprietary software. I have found bugs/exploits in commercial stuff (incl. OS's) but never reported anything. They make money off the stuff, keep it closed source... Nope, won't help them. Sooner or later the bugs/exploits get discovered by malicious people, and someone (who didn't use OSS) gets their balls busted. If you get hurt in the process, you should not blame me. Blame the idiots using the stuff!! (picture me calling the bank and whining about their choice of SW :)
Anyhow, I consider myself a part of the OSS movement and will not aid the greedy (but mostly stupid) closed source guys.
You don't report this. Simply you don't. You are too vulnerable.
After you graduate, if you want to report it, send hard copy source listings to admins of the system at the college, the company that runs the software, and several professors in the technical areas of your college. You then forget this and don't ever think of it again.
Destroy the computer the harddrive the printout you had was created on. This is so you cannot be determined to have cheated at your degree if you ever DID get "located".
I suggest wiping it with the software that PGP comes with then taking a road trip to celebrate graduation to a couple states away. If you're in California, visit Iowa. If you're in New York, I would have to say GA is nice in May. Leave it in a dumpster somewhere mixed in with nothing else of yours.
I think in 10 years there will be a system of computer ethics, or a government board that you can report this stuff to with a condition of amnesty. It's all too new to too many people for that to work right now, so you just have to practice silence.
Stay anonymous. Do the COST-BENEFIT analysis (seriously).
In this climate, you have everything to lose and very VERY LITTLE to gain no matter how cool you think it is.
The school must follow no laws but its own and can expel you, and I PROMISE you that somewhere somehow you violated their AUP or TOS.
The vendor can sue you, and even if you beat them you are stuck with a HUGE legal bill.
You can get some overzealous local DA trying to move up the ladder to take you on. If you don't have a lot of money you are a tempting target for obvious reasons.
You need to understand the DMCA (and companies who file suit under it) claiming that attempts at circumvention are illegal.
And what would you gain? I think you'd be surprised at how very little unless you want to work for a security company, and even then that is tough. Folks with hacking pasts are often radioactive in the IT world, and with big companies especially so. You'll have a very hard time getting a background clearance.
I'd notify the vendor and some lists 100% anonymously (and not just spoofing an email). If they don't act in a reasonable time frame, go full disclosure and it will be sure to get fixed. You've done your part, with none of the baggage.
You need to think through how limited the upside is. College kids love the challenge, and want to feel proud for doing the right thing. Commercial companies hate to be embarrassed, and will sic their lawyers on you if given half a chance.
Blackboard already went down this route I think with some kid they sued to convince him that he hadn't found a vulnerability. Much of the business world does not particularly care about right and wrong, what they do care about is $$ and lawyers.
College is wonderful, don't let it fool you.
And frankly, given that the industry has forced through so many ridiculous laws (UCITA anyone?), give them a fair 30 days but then go full-disclosure. What goes around comes around.
The technologies for releasing sensitive and dangerous information (i.e. in some cases, "whistleblowing") are out there. You simply have to use them.
If I were in your position, I would simply do this. Package your documentation of vulnerability, along with exploit, and everything else that you've compiled on the subject. Take this document, sign it with a private strong encryption key, and upload it to Freenet. Then, once it's out there, see that the freenet "key" falls into the right hands (i.e. university, software developer, security lists, etc). This part can be done anonymously either using anonymous remailers or just going to some internet cafe and using one of their machines. Once it's out on freenet, simply knowing the key is no proof that you are the author of the exploit, even if someone were miraculously able to track you down for posting the key.
Then, at some later date, once the heat has died down (and you've graduated), you always have the private key used to sign the initial vulnerability and you can prove rightful credit for finding it, if that is important to you.
I.E. in short, publish it anonymously, but sign it cryptographically so if at a later date you wish to prove that you were responsible, you can in a way that can't be refuted.
These are great days for whistleblowers.
Why not just go to them and tell them you have found a couple of very serious exploits, and refuse to tell them what they are until you have determined whether or not they will try to prosecute/discipline, whatever. They surely can't do anything to you if they have no proof that you really have done anything. Actually, I have reported bugs to Admins of MSN Chat without a problem, as well as to a large regional ISP (which I was doing tech support for at the time). In both situations, I was used as a resource, and I continue to confer with them on security issues occasionally.
... or one of his employees, such as the campus priest or rabbi.
IANAL, I think a "confession" and request for guidance would obligate him to protect your anonymity.
Give the priest the same disclosure information you were going to supply by other methods, along with a printout of this thread so he can understand the issues you are dealing with. Let him deal with informing the university, IT department, etc.
...can you make such a trivial thing as bug reporting a complex legal issue.
I would just contact the local admin, tell him whats wrong, hand out the proof-of-concept and let him sort it out with the developer company.
Bot Assisted Blogging
Just in case you forgot, almost every professor out there keeps a copy of their grades ON PAPER. If they suspect anything has been changed on Black Board, er the online system, they'll reference their paper copy. Henceforth, you're screwed.
Self realization: I was thinking of the immortal words of Socrates, who said: "I drank what?"
Remember the Kobayashi Maru? The no-win scenario?
Kirk cheated.
That's what I suggest be done here. If we can re-program the simulation to come out on top, I see no reason why we shouldn't get a commendation for original thinking.
Kirk didn't like to lose. Neither should we.
Is this truly the only Earth I can live on?
It's getting very sad. People cannot identify a problem and bring it out in the open. People are scared shitless to speak of any problem for fear of being destroyed. Why can't people just come forth and tell the party involved that they have discovered a problem with the software? This guy knows about a problem, yet most likely will not tell anyone. The problem will exist forever. This is why the world does not better itself. Problems only exist because they are fostered and promoted. This is another example of FEAR. Sad... Very Sad....
I've found that frank and immediate disclosure is the best policy. I've found several security issues at both my highschools, plus an issue or two with the University network. Before, I would hesitate on reporting, but then later got in trouble for it. Now, I'll immediately notify the IT staff of the issue. They take me seriously, and there has never been an issue with getting into trouble.
Having already written a proof of concept might bring you trouble, but be open about that too. Tell it to the highest guy up that has a clue about computers, and isn't afraid of them (like most management).
He who laughs last is stuck in a time dilation bubble.
That's easy. My desire to live a peaceful life and tendency to avoid very serious situations would force me to do one thing:
:-)
Not tell anyone. Screw it.. If our nation feels it needs the DMCA so bad, then let it reap the consequences. There is no point in putting your future in jeopardy over trying to appear as smarty, ethical hacker.
This isn't Hackers or Sneakers, it's real life. Screw up and you might not have another shot of something so nice as a college education.
Silly kids these days. They always have their head in the clouds.
What about a clearance level for those admins who need to know how to access software bugs. These would have to be federal and recognized by all academic institutions as superseding school level laws. This would be 'given out' like a DOD level clearance and policed the same way. Corporations would sponsor this clearance. Educational institutions would be able to have fees waived / absorbed by corporations. Anyone with this clearance can be contacted by someone reporting a bug / exploit activities. Alternatively have a submission form that would handle disclosure and reporting to the necessary party. Submitter is immune to legal ramifications of detection and noted in the trusted system for future, along with all identifying information so that if a school questions this activity, the school will be able to rapidly learn of the student's having followed the correct procedure. Recipient will filter the bug into the system. Make it policy to release submitted information (after a certain time period) to bugtraq/etc to motivate / ensure the rapid response of the party whose work has been knowingly, officially compromised. Thoughts...
There was a city in Texas, Dallas I think, whose city clerk's office had a wide open AP. A wardriver is nice enough to point it out, but gets smacked down with criminal hacking charges, probably because the idiots were embarrassed about being own3d by a Pringles can.
Moral of the story: Forget being nice. Knowing more than "they" do will only land you in trouble. Either give yourself an "A" or forget about the whole thing.
-R
I happen to know a lot of people in the IT departments at Va Tech, where they use Banner. I can tell you that Banner is HATED there. A recurring comment is that the people who made Banner must consider compilation a proof of success. Worse, I've heard it said repeatedly that Banner is the worst spent money many of them have ever seen... and that's saying a lot at a state institution.
I've found that my posts don't format quite right w/o a sig.
Given that an unscrupulous person finding out about the exploit could really mess up the marks in your class, I'd say that it's a good idea for you to notify them of the problem in some way or another.
Free Software: Like love, it grows best when given away.
I'm making the assumption that the software you found a problem in is Blackboard. I apologize if that is not the case, however, I would still be happy to take your discovery to the vendors of whatever software it is on your behalf.
I work for a major university as the Blackboard programmer/administrator. I've been working on the Blackboard code for years, making substantial modifications to the Bb system to suit our university. I've found my share of bugs, problems, and more than one gaping hole. Blackboard is riddled with XSS, input validation, SQL insertion, replay, predictable sequences, and I'm sure countless other vulnerabilities. Quite frankly I'm amazed at how few breaches I hear about.
I think you're right to be careful, but try to not get carried away. At least in our department, we're eager to hear about problems and fix them. We're not interested in ruining someone's college education. However, you should be careful about who you contact. At our university, the usual IT people are paranoid. You need to get as close to the people who deal with Bb as you possibly can. Contacting a suit in upper IT would likely get you the slapdown. Start lower. You're looking for the geeky programmer who deals with Bb all day long and would drop everything they are doing to fix a hole in their system.
If you are not comfortable contacting representatives at your university, feel free to contact me about your discovery. This sort of stuff is what I do, and besides, I'm already on Blackboard's shit list. I have another issue to report to Bb (the aforementioned gaping hole) and I'd be happy to send your information along with it, with or without your name. jeff (somewhere near) jsnider.net
What more needs to be said?
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
No it doesn't.
Funny how, in a post joking about Latin spelling and grammar, you manage to misspell a simple word.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
> Naturally, I want to share this information with
> their software engineers, and would even be nice
> enough and suggest a means to fixing it.
Drop the ego!
Go to a public library and email the appropriate people anonymously.
If you still want to show off your skills to your buddies, then gpg sign your email, so that later you can prove that you wrote it.
--
jpa
You make it sound as if he has the hiding places of both Osama Bin Laden and Saddam Hussein, but won't tell. Were you by any chance the inspiration for a character in "Enemy of the State"?
Even if the University understands that reporting these bugs probably means you didn't want to exploit them, they have an obligation to investigate if you, or anyone else that has found these bugs have done so anyway. And if they have your ID, you're an easy "target" of the investigation.
So you don't give them ID. If it's reasonably hard to get your ID, they'll most likely revert to actually checking the vulnerable systems instead. But you don't have to go all cloak-and-dagger about it.
Kjella
Live today, because you never know what tomorrow brings
PS: I am SO Not a Lawyer...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
In this situation, the best thing to do is panic. Throw your arms up, scream at the heavens, run around naked and panic.
-Yim
yessir
Wansu, th' chinese sailor
I'll take good care of it for you
First of all, ethics has nothing to do with this. You're not worried about the ethics of the matter; if you were, you would've checked _FIRST_ to see whether what you were about to do was ethical.
The real question you ask is: "how do I get away with blowing the whistle?"
It would, of course, be unethical to not notify the software makers, or the university, about such a vulnerability, but you should've talked to them about your suspicions in order to be ethical.
After all, who knows what you could've broken in the process?
So you sent yourself up a certain waterway without a certain instrument, and that's just too bad for you.
Well, mostly.
I was working on a site for a client, and discovered a vulnerability that was easily exploitable in a Credit Card interface for a large, well-known company.
I sent details of the exploit, complete with working code samples to the company in a carefully written, detailed, email.
About 2 weeks later, I got a phone call from a *very* agitated man who kept saying over and over: "it's not really a problem". I simply listened; I had nothing to say since it'd already been said. I didn't say anything, and he eventually hung up on one of the weirdest phone calls I've ever had.
The vulnerability allows me to buy anything I want from any client site of said large, well-known company.
So, speak your piece. Send the details to the company/vendor, along with full details, exploit code, everything you know. Make it clear that you are not going to publish it, or at least make clear the conditions that would make you feel it necessary to publish, and put the onus on them.
I did, and I have a clear conscience.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Simple, submit the info of the exploit and fix to CERT and they will take care of the rest.
My identification so you know I'm not full of shit: -- http://features.slashdot.org/features/03/04/14/1846250.shtml
They will sue you immediately. Being students, we are in VERY different positions from 'respected' researchers at larger corporations. You are a small student with low cash resources; you do not have the ability to fight small legal battles, let alone those against a large company in a high-tech case requiring very expensive tech-law specialist lawyers so you don't go to jail.
As you likely want to publish it anyway (which is understandable), I recommend a few options:
1) Publish anonymously, preferably in the underground. Bugtraq, 2600, and other such resources are recommendations.
2) Find some professor or at least some person with a respected position to publish with.
3) Get word of the security vulnerability strictly to the company (i.e. Mass Fax Spam, phone calls, etc.) After that go blackhat if they do not fix the vulnerability. (They won't BTW)
Bottom line: DO NOT PUBLISH IN A PUBLIC FORUM UNLESS YOU HAVE A PROFESSOR OR SOME OTHER SECURITY PERSON MUCH HIGHER UP TO PUBLISH WITH YOU. And under _NO_ circumstances, should you publish with full disclosure. Students doing full-disclosure almost demands for a lawsuit which will break you. Go blackhat long before you go full disclosure.
E-mail me virgilNO_a,t_yak_SPAM_do,t_net if you'd like to talk more about this.
Goodluck,
-Virgil
If you allow me to push my 2 cents down the stack, then my opinion is the following:
You certainly need to somehow notify the vendors and the users of the software (schools).
But they may sue you (they freaks), so you should better do this anonymously. You may be a clever security analyst, but I surely don't think you're alone, and I also don't think the others who are clever in reverse engineering ain't reading Slashdot.
So, their interest may only be boosted by your article and the bug will soon be exploited whether you want it or not.
I would suggest you follow the following strategy:
- Inform the vendor about the bug including all details anonymously (via a chain of cypherpunk remailers), threatening full disclosure in 15 days
- After 15 days, post (anonymously again) all the gory details on some software security mailing list, like BUGTRAQ.
You might also contact CERT.
I hate the country where people wishing to help are ending up being sued for wishing to help.
P.S. Make sure there is no SCO code in the accounting software! If there is, the vendor is already deep in sh*t.
Alexander Svadkovsky
Post the exploit as A/C on slashdot.
1. Post notices on campus saying that you can help people improve their grades. :) :) :)
2.
3. Profit.
Future Wiki -- If you don't think about the future, you cannot have one.
Along the lines of what some of the others have already mentioned about finding a professor that you can trust.
I'd suggest communicating with a well known, respected professor from outside of your country (which I'm assuming is the US). I can suggest one from England who has written multiple books, some of which I'm informed are used by many US Universities as course books. Admittedly he isn't a software professor, he is on the hardware side of things, but he does have some pretty sizeable influence in computing in general. I won't reveal where he has this influence or who he is, as I'd prefer not to name him at the current time, i.e. he might not like his name being brought into this, though I could act as a go-between if needed.
The advantage of this is it becomes a little harder to track you down, and some laws are different over here (I'm not exactly sure if these would make a difference though).
Two years ago at my University, a major exploit in the grade system was found. A business major called the IT dept and claimed to be a professor who had forgotten her password. She then took her newly supplied pass and fixed her grade. Unfortunately this girl was too stupid to keep it low key and got caught, but I'm sure that many before her hacked the system the easy way.
If you are looking to change your grade you might as well do it the easy way.
You should not have written any code.
Instead, report your findings and suspicions to the school. That's where your responsibility ends. It is not your responsibility to find a way to counter the exploit or to expose those behind it.
When people take the law into their own hands they're called vigilantes, and they expose themselves to unknown legal risks.
-- Slashdot: When Public Access TV Says "No"
if I had points I'd mod this up.
Who makes you Sig?
This reminds me of when we had an interviewee who pointed out a vulnerability in our web server (one guess: IIS) and said that if we hired him he would fix it for us. We told him he was lucky we didn't pursue legal action against him and to never contact the company again. If he had been more tactful about it, we probably would have hired him for reasons other than the vulnerability. The vulnerability was already well-known anyway.
-----
Web Hosting @ HostForADollar.com
...or arbitrary frags number?
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Don't report the problem. Just be sure to give yourself straight As or whatever the equivalent is at your location.
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
True story-
Problem with servers discovered. Problem tested, shown reproducible, reported to school IT department (CS really).
Result: Academic probation followed up by academic dismissal for hacking.
Do NOT turn the code in, simply anon remail it if you have to.
Use one of the anonymous remailers to inform the software company of the exploit (and any ideas you have for a fix), with a promise that if a fix isn't forthcoming within a reasonable (and specified) timeframe the exploit (and any ideas you have for a fix) will be posted to a full-disclosure mailing list.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
Security holes I've discovered,
The records of grades are now mine.
What once was a one point five average,
Is now a three point nine nine!
I'm amazed that this is still a question any Slashdot reader may still have. The answer is remarkably easy.
The law does not want your help in making other companies' software secure. End of story. In fact, the law wants to put you in prison and throw away the key for making other companies' software more secure.
Do not exploit the weakness unless it is a normal part of the software's operation, and do not distribute the exploit for the software. Do not tell the software maker that you discovered the flaw, as you are more likely to be sued than thanked.
If you needed to do any reverse engineering to discover the flaw, then do not discuss the flaw, do not tell your teacher you found the flaw, and do not attempt to alter your grades by exploiting the flaw (unless, as stated above, the flaw can be exploited by using the software in its normal course of operation, without resorting to outside tools).
At least at the college I went to that seemed to be the case. I remember I started logging all the security problems I found just with just some simple lazy man's poking around:
-No firewall at all
-Old HP-UX e-mail system with weak DES hashed non-shadowed passwords (Hello John the Ripper)
-Wide open Lexmark laser printers (MarkVision heaven)
-Unpatched lab computers everywhere (Winnuke heaven)
-Windows NT pre SP4 Servers
-Open relay SMTP
-Managed switches with default passwords
Then I sent an e-mail to the admin warning him of what I had found in a few days of poking around. His response was and I paraphrase but almost quote "You are a computer science student and have the ability to exploit those problems but the average student doesn't."
That was fine. I thought I would level the playing field by writing an article for the school newspaper outlining the holes and even gave URLs to download software to test out the problems. Literally within a few weeks a firewall was installed, default passwords changed, printers were locked down and all e-mail passwords were required to be changed with much greater restrictions on length and complexity.
As a side note I applied for a job after graduating with the school IT department. I never even got a call. Small price to pay to help save the poor hapless students from getting their PCs owned.
I have written and -selftested proof-of-concept exploit code.
This part bothers me, but I am not clear on whether you tested this on your university's live system. If so, you have committed a crime.
If this is the case, I would recommend you turn yourself in, find the university computing services staff member who is responsible for the system, and talk to them in person. Tell them you have found a security problem, and that you have altered data on their system. Specify what data you have changed (i.e. your grades, or whatever).
You are in the role of damage control, if you have made unauthorized access to a system you do not have the authorization to modify. You may have broken the law. If this is the case, cooperate in an attempt to get no charges laid, and get the problem fixed.
If you have not attacked the university's systems, find a technical contact with the software manufacturer, and inform them you believe there are security problems with ___. Do not mention any exploit code in early conversations.
If the company does not respond to you informing them of security flaws, follow the full disclosure policy as outlined by RainForestPuppy's RFPolicy.
Strongly avoid releasing exploit code while there is no fix. That should be a last ditch attempt at forcing them to admit there is a problem. Also give them lots of time to get their fix out, once they do acknowledge there is a problem and want to fix it.
The ethical thing to do is to take responsibility for your own actions, then to help serve the public good by reducing the security risk to all those vulnerable systems by attempting to get a security fix released.
Don't do anything about it at all. If a student is clever enough to figure out how to give themselves higher grades, then they probably deserve them. ;)
quidquid latine dictum sit altum videtur.
1- (said by others) By taking the focus on the student, you discourage any other altruistic (he would give the time he invested in this) and useful discoveries. Starting a witch hunt does nothing productive.
2- You are only concerned about covering your ass. This is horrible, especially because the security hole is NOT your fault! Do you measure the consequences for that guy??? You would break his career (before it started) for helping you!
You are an irresponsible bastard, and if you were my sysadmin, I would FIRE you. Your job is making the system secure, wherever the info you use comes from. You probably are the type of guy who does not want to go to "hacker sites" even if the info is crucial to your job.
You're not old until regret takes the place of your dreams.
... then turn them in.
Nobody will believe them. End of story.
I'm working on the assumption that you're working in a CS or engineering program at your university. If that's the case, hopefully you've got a professor (or even a Graduate Asst./TA type of person) whom you trust and respect and who hopefully respects you. I would suggest talking to such a person, lay out some of the details of the discovery of the exploit, tell him/her that you've got a working exploit and that you're concerned with getting it into the hands of the company so that they can fix it but that you're also afraid of the consequences.
Hopefully, the school should also want to get it fixed before you drop the exploit bomb on Bugtraq (all of a sudden, every CS student graduates Magna Cum Laude) and maybe you can find a sympathetic administration-type person to help you through this potential minefield.
You might also look into talking to someone at the (assuming your school has one) law school. You'll be more likely to find a sympathetic and understanding ear in the legal academic community than in the school's legal department.
Good luck.
BFL
There's one thing computing teaches you, and that's that there's no point to remembering everything.
--Doug Copland
Go to the university, not the software company. If they treat their vendors the way typical corporate customers do they'll get that fix done fast.
* Please do not read my signature.
Since you are concerned with how they will react to you, I suggest you allow someone else to approach them. Hushmail is one way, but another is to disclose the details to me. As the NTBugtraq Editor, I frequently approach Vendors with exploits that are, at the time, unpublished. I phone them, find the appropriate person to speak with (usually within their Management, not tech support) and apprise them of the issue. With the right person's email in hand, I forward the issue to them (from my address, with your information completely removed). I expect, and get, a reaction within 2 business days, and then move on to the resolution phase. I get them to explain how long it will take to fix, and why, and keep after them monitoring the progress of the fix. When a fix is ready, I get a copy before they go public to test.
Of course throughout this process I send you a copy of all communication with the Vendor. In your case, I'd ask them how they would react to the person who discovered the issue, so you'd be able to see what their reaction would be. You're free to jump in the communication any time you want.
I seek no credit in the affair, and any publication of the issue would bear your name (or nym, whatever you prefer).
Once the fix is done, you can write up any explanation you deem appropriate. I encourage people to do this responsibly, and not disclose sample exploit code and/or complete details on how to exploit the issue. It should be easy to describe the issue sufficiently to provide an accurate indication of the threat without such details, but it's your call. Again, you can use your own address to send the write up, or I can do it for you.
You can read my short disclosure policy at http://www.ntbugtraq.com/policy.asp
Cheers,
Russ - NTBugtraq Editor
Russ.Cooper@rc.on.ca
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
And please don't use your version of scripture to back up your point. I'm a fundamentalist Christian, and I find that terribly offensive. Here's what you misquoted: You can have money and not love it. You can be successful and still serve God faithfully. You can be dirt poor and still exhibit the sort of pride in yourself that the passage from Matthew 19 you reference is referring to.
As with most vulnerabilities:
:-)
Notify the vendor via e-mail. Include all that you know about the vulnerability. Make at least several attempts to contact them.
If for some reason the vendor does not respond in a reasonable amount of time, post the vulnerability on the Bugtraq mailing list (www.securityfocus.com); many software bugs are posted there along with their fixes. State that the vendor failed to contact you regarding a fix.
Use the media sparingly; if they are rude to you, let them have it. Considering the debacle with Diebold and the voting software, the media would certainly like to have a story about automated grading being haxered.
I'd suggest remaining anonymous during this process. No one likes to be told their software sucks.
Good Luck
If your College/University has a law school then you might be able to look there for advice. If the university has such a school then it is possible that they may have one or two professors who can advise you in this matter. Unlike the School's Legal staff they are not bound to protect the school in the same way.
I would still be wary when approaching them, you don't want one of them to cause trouble any more than any other. But it might be a good direction to turn.
I don't know what your school is like (and I would consider such things on a school by school basis) but I know my brother was once accused of hacking when he showed his employer that you can get through Windows 95's password prompt by clicking cancel. I'm guessing the network admin didn't want to admit to having been so inept.
Edd
At worst, you can boot a terminal in single-user or with Knoppix and
I hereby place the above post in the public domain.
Okay, so two stories, one from Jr. High, one from Highschool.
In Jr. High, someone was giving out the admin password past FoolProof (a Mac protection software that was incredibly simple to bypass at the time). Anyways, I tried to inform the IT guy, and he blew me off, saying that I didn't really know the password. So I put on a little app that made the computer belch.
Someone snitched, and I ended up in the principal's office. I tried to plead my case, it wasn't like I hadn't tried to do the right thing, and when they wouldn't listen I gave them something they couldn't ignore. Detention 4 weeks.
I should have learned from my first experience but I didn't. In high school, the network was completely insecure. You could print to any classroom across the whole school district, and everything was named quite nicely. Once again, I was blown off when I tried to say this was a bad thing.
Not only were all the printers there, but a number of computers were open with read access to everything. So I opened a network connection to every shared disk along the network and started a find for everything. The IT guy in the lab looked over my shoulder and asked what I was doing. Detention again, this time for "Slowing the hard drives down."
If only more people got into trouble for changing the laws of physics.
=================
Unix is very user friendly, it's just picky about who its friends are.
If you send CERT anonymous mail it is in their interest to handle the problem and it is in their interest not to try and figure out who you are.
CERT however only really works out well if the vendors will co-operate. It is nevertheless a responsible starting point, and if you want to motivate them be sure to tell them you have witnesses that you told them and of the date you told them.
Also understand that most college people won't want to know. They have what government likes to call "plausible deniability" if it comes out. If they've been provably told the system is insecure and then people hack grades and the values of degrees from that body go down then they get all upset about class action lawsuit issues.
I've been in the same situation before.
My school used to use RM (a supposedly security enhancing program) to keep people from using too much space and running every program they wanted to.
I found several very critical bugs in it, that allowed me to do anything, change people's settings to browse and change things on the server. I told my comp. sci. teacher (this was highschool) and after hefty explaining, he watched over my shoulder as I proved it. With a little more tinkering I found other ways of getting in, and ultimately changing everything from schedules to marks. Most teachers understood and trusted me not to share this, and I didn't until they switched their systems.
Except for one teacher.. who tried to get me kicked out. She is a comp. sci. teacher, though she has no clue what's going on. Started to accuse me of stealing, and of messing with the system. Thankfully nothing happened, because most other teachers knew me. School approached me and asked me what to use, I said use Linux, it's free, and waaay more secure than all this.
They ended up using WindowsXP (and depleting most of the comp. sci. budget), with an addon called Visual Castle. Well.. I've found several bugs in it again, and I can see marks and change anything I want. I haven't.. and never intend to do so, and don't intend to tell anyone I can do this.
My suggestion? clear your hands of it all, and forget about it. Not worth loosing your future over this, whatever they change, probably won't make much of a difference. There is always another bug, or misconfiguration lurking.
Including a PGP key is sort of overkill. Just include the hash of some random number, concatenated with your name. Your knowledge of that value proves your hand in the exploit. A key has basically no advantages over a hash in this case, as either could be changed by some party wishing to deny your involvement.
If you really wanted to make sure you could prove your involvement (IMHO there is little point in this), you could mail it through a timestamping service (eg stamper@itconsult.co.uk); they will publish (and mail to you, if you specify an account; maybe Hotmail?) a signature that they remailed it on that date.
I hereby place the above post in the public domain.
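The hash-commitment idea in the post above, written out as an added example (not code from the original post or from anyone in the thread). The report carries only the hex digest; the nonce stays private, and revealing nonce and name later lets anyone recompute it. The fixed 32-byte nonce length is an assumption made here so that nonce || name has only one possible split; the optional binding of the report's own digest goes one step beyond the post, so that the commitment also proves which document was sent. The handle and report text are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Fixed nonce length (assumption for this example): with a variable-length
# nonce, nonce || name could be re-split to claim a different name.
NONCE_LEN = 32


def make_commitment(name: bytes, nonce: Optional[bytes] = None,
                    report: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Build the commitment the post describes: SHA-256(nonce || name).

    Returns (nonce, hex_commitment). The hex string goes into the anonymous
    report; the nonce is kept private. If `report` is given (an extension of
    the post's idea, not something it states), the report's own SHA-256 is
    folded in too, so the commitment also pins down exactly what was sent.
    """
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be exactly NONCE_LEN bytes")
    h = hashlib.sha256()
    h.update(nonce)
    h.update(name)
    if report is not None:
        h.update(hashlib.sha256(report).digest())
    return nonce, h.hexdigest()


def verify_commitment(commitment: str, nonce: bytes, name: bytes,
                      report: Optional[bytes] = None) -> bool:
    """The reveal step: recompute from the disclosed nonce and name (and the
    report, if it was bound in) and compare in constant time."""
    if len(nonce) != NONCE_LEN:
        return False
    _, recomputed = make_commitment(name, nonce, report)
    return hmac.compare_digest(recomputed, commitment)


if __name__ == "__main__":
    # Constructed sample values; nothing here comes from the original post.
    name = b"school-hacker"
    report = b"Vulnerability report: two remote score-tampering bugs ...\n"
    nonce, c = make_commitment(name, report=report)
    print("put this in the anonymous report:", c)
    print("keep this private:", nonce.hex())
    print("reveal checks out:", verify_commitment(c, nonce, name, report))
```

As the post says, this only proves knowledge of the preimage; it does not stop a recipient from quietly losing the report, which is what the timestamping service in the follow-up is for.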
Anonymous letters work very well. First, send it to the developers with the problem and the solution. If they don't do anything in a reasonable amount of time, send it to the Deans. Then send it to the University President. Then send it to the press. If none of those work (which I doubt), file a civil complaint against the developers or take the matter to the police. That should put some fire under their arses.
At all times, keep copies for your records to prove that you were acting as a good samaritan and that you were giving plenty of time for the problem to be addressed. This should cover your legal bases and the anonymity will protect you even more if someone gets into a litigation state of mind. I don't personally see any reason for litigation here, though. You aren't acting as a criminal, and there are whistleblower laws that, with the help of a good lawyer, could be used to protect you if it ever came to that point.
+1 Insightful, -1 Troll. What can I say, I'm an Insightful Troll.
And you really want the admins to fix the problem.
And you really do have a fix.
Write a report. Save it as a plain text file!!! (I don't know what editor you use, but some Windows products have a nasty habit of including some data you DID NOT WANT to be in your document!)
tar up your exploit code and your suggested bugfix. You should send source, which, again can be plain text. If you must send compiled code, be careful as above.
Email it to the person(s) responsible for the product. Start with the vendor. Give the vendor some time (30 days? whatever you think is appropriate), after which the customers will be notified. Indicate that this notification WILL take place on such and such a date, so they'd better have a plan in place if they don't want to be embarrassed.
Repeat the process down the line. Next send a similar email to the IT department of the university, telling them you'll email the administration within 30 days and this is their fair warning and chance to save face.
Next, university faculty.
Finally the public. This last one is solely to motivate the people in charge to get off their butts.
Follow Good Security Practices when you do this. This does not mean using Private Idaho, Mixmaster, or a Hotmail account from a public terminal. Those tools are useful, and I encourage you to look into them. But... good security practices mean keep your farkin' mouth shut. Don't brag about this to anyone.
If you seek legal counsel or public advice on this, remember phrases like "Hypothetically, if someone..." "It is my opinion that the law should allow..." Provide no traceable details. Never say "I would", "I did", "I could", "I know"...
If you don't rat yourself out, you'll be fine. You'll accomplish your ethically laudable goal, and you won't suffer retribution for doing good.
D'oh! Maybe you already blew it. Hope the account you posted this with is not traceable!
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
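The "plain text only, then tar it up" part of the post above, as an added example that is not code from the original post or from anyone in the thread. `is_plain_text` rejects the things a word-processor export typically leaves behind (a byte-order mark, NULs, non-UTF-8 bytes, control characters) before a file goes into the archive, and `build_package` writes the tar with fixed timestamps, ownership and member order so the SHA-256 kept for your own records is the digest of exactly the bytes that were mailed. The file names and contents are constructed placeholders.

```python
import hashlib
import io
import tarfile
import unicodedata
from typing import Dict

# Constructed sample files for the example; not the original post's content.
REPORT = b"Homework-system vulnerability report\n\nSteps to reproduce: ...\nSuggested fix: ...\n"
POC = b"#!/usr/bin/env python3\n# proof of concept goes here\n"
PATCH = b"--- a/score.c\n+++ b/score.c\n@@ -1 +1 @@\n-old\n+new\n"
# What an editor export can look like: BOM, NULs, an OLE header, i.e. more than the words.
NOT_PLAIN = b"\xef\xbb\xbfReport\x00\x00\xd0\xcf\x11\xe0 leftover metadata"


def is_plain_text(data: bytes) -> bool:
    """True only for BOM-less UTF-8 whose only control characters are TAB, LF
    and CR. UTF-16, .doc/.rtf exports and anything with embedded NULs fail."""
    if data.startswith((b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")):
        return False
    try:
        text = data.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    return all(ch in "\t\n\r" or unicodedata.category(ch) != "Cc" for ch in text)


def build_package(files: Dict[str, bytes]) -> bytes:
    """Tar the report, PoC and fix deterministically: fixed mtime/uid/gid/mode,
    sorted member names, no compression. Refuses any member that is not plain text."""
    for name, data in files.items():
        if not is_plain_text(data):
            raise ValueError(f"{name}: not plain text, inspect it before sending")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name=name)
            info.size = len(files[name])
            info.mtime = 0          # no "when did you write this" leak
            info.mode = 0o644
            info.uid = info.gid = 0  # no account ids from your machine
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def package_digest(package: bytes) -> str:
    """SHA-256 to record next to the date you sent each copy."""
    return hashlib.sha256(package).hexdigest()


def list_members(package: bytes) -> Dict[str, bytes]:
    """Read the archive back, to confirm its contents before mailing."""
    out: Dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(package), mode="r:") as tar:
        for member in tar.getmembers():
            out[member.name] = tar.extractfile(member).read()
    return out


if __name__ == "__main__":
    pkg = build_package({"REPORT.txt": REPORT, "poc.py": POC, "fix.patch": PATCH})
    print(len(pkg), "bytes, sha256", package_digest(pkg))
    print("members:", sorted(list_members(pkg)))
```

The same digest can be recorded for each recipient in the post's vendor, IT department, faculty, public sequence, so there is never a question of which version anyone received.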
This story from The Register records what can go awry with a plan to inform someone of their security weaknesses.
The short of it: The lad's served his 18 months and is appealing to rescue his reputation.
Be Careful.
If you want, email them to me. Chances are either we work with the software in question (if it's the leading college software application, then we do) or one of my bosses has direct experience with it. I'll make sure they go through the proper channels.
I've probably posted this too late for anyone to notice, but it wouldn't be a bad idea to simply tell your professor, who wouldn't feel inclined to sue, explain to him why you didn't tell the company yourself, and request that he tell the company himself, and that he say he was told anonymously, so that he can't be forced to implicate you (if they do get sue-happy, they might subpoena him).
Try cert@cert.org -- they commonly act as honest brokers on this kind of thing.
If you tell them, they will lash out at you in ways you can't imagine. They will fuck you over. You are better off staying quiet, and laughing at their incompetence.
I had actually labeled my chair 'Joe hates Banner' at one point. My final breaking point was after the 4.x upgrade, when I had asked the SCT contractors to make a change to their system -- wrap some tags around the output, so that I could make all of the info text italic (wasn't my idea...the registrar wanted it). I was told to change the data, rather than the program, so they wouldn't have to keep changing it every upgrade.
Unfortunately, the standard SCT upgrade procedures are to completely wipe the existing database, replacing it with what they call 'SEED', and then reapply every change made. This includes changes made through Web Tailor, which would be all of the changes that I spent a week making.
If the problem is Banner, however, that's more than just a student issue, as it also handles salary information at some places.
Oh...and if it's not Blackboard or Banner, it might be Prometheus, which was bought by Blackboard last year.
You've probably got at least one CS professor on campus who at least dabbles in security. If you're lucky, you'll find one who specializes in it. Talk with them. They'll know about safely making security vulnerability announcements. Heck, they may encourage you to write up a paper on the vulnerability (perhaps after it has been fixed).
Mail an anonymous letter and a disk containing your proof-of-concept software to your technical administrator. He or she would hopefully do something about it.
I am sure it's been commercialized. Drexel University in Philadelphia, for one, has licensed it and is encouraging all faculty to use it for their classes.
The preceding comments reflect the author's personal opinion and are public domain, unless explicitly stated otherwise.
Er, what? This is the guy who's trying to stop everyone else doing it. As if he's really going to go in and set himself up a bunch of As then tell you how he did it.
You would be surprised at what some people will do and for what reasons. As I have already stated: if you are going to report something, for your own good, make sure you can prove your case. Too many innocent persons have gotten burned due to things going farther than they ever should have. This has nothing to do with me or my position and everything to do with the fact that, as the person bringing something to the "officials'" attention, you have no idea what the outcome will be.
"If this means a call to security then I am obligated to do that"
You'll call in the cops. This guy is trying to HELP. Get your head out of your ass for a change. To be more clear: IF it looks like the exploit is real AND it looks like the person is not legitimate AND it looks like far more damage has been, or could be, done then their story indicates AND the incident affects far more than the students account in my department THEN I have to consider passing the information on to other parties which MAY include or MAY NOT include security.
"Example, next year you suddenly become a honor student"
And supposing you've chosen to do nothing, and his - that is the chap who's being honest here and trying to HELP, read that last word again: HELP, as opposed to HINDER - grades do suddenly leap, (a) he could be putting in a load of extra work; it doesn't automatically mean he's cheating, (b) how do you know it wasn't one of his unethical colleagues deciding to make things difficult for him, especially if he's trying to stop him from increasing his own grades and he (the unethical one) now has an axe to grind?
I don't have a clue whether the student is legitimate or not and, frankly, I don't care as it is not my job to monitor such situations. In the case that I mentioned above what I did not mention are the circumstances where I would suddenly be involved:
Let's say a student did come to me with some random exploit and I dealt with it without bringing anyone else into the picture (which can and has happened). Even though I did not report the incident I would have documented it in my logs. Now, next term the student's academic profile suddenly changes and somebody gets suspicious (it would not be me, as I have no interest in monitoring students' academic profiles). That somebody then reports their suspicions and the investigation is on. Knowing that the student worked on my systems, the investigator decides to query me for any information I may have. At this point I will fully disclose all relevant information I have regarding the investigation. This is my obligation, as the policies I work under dictate. I have no choice in the matter IF I am to take my job seriously and perform my assigned duties to the best of my abilities. Does that make it clearer?
To the OP - what I would do is one of the following:
(a) Don't publish at all. Let others cheat. After all, if your final grade is determined by absolute score, rather than relative score, which IIRC is the case at university (and was the case in the UK when I got my degree, although admittedly that was last century), then you have nothing to lose by everyone else getting a 1st.
Have to disagree with you for a number of ethical and moral reasons which I will not get into here.
(b) Post anonymously. I wouldn't bother with the PGP public key, it won't become advantageous to come forward for the credit; you will automatically fall under suspicion and everyone (as evidenced by the STUPID rant I'm replying to) will automatically assume you're guilty.
I agree as I stated outright: submit a full disclosure anonymously to the company and the school. But I disagree with your second point. Not all will assume you're guilty but you w
I would use an anonymous remailer to send a complete document on this to the manufacturer; if you don't see a fix within two weeks, post it to slashdot. You might want to tell them in advance you are going to do that.
I agree that Kirk's cheating is probably not the thing to emulate here, but using fictional characters as role models and learning by example from fictional situations has been useful to societies for thousands of years. You just have to hope that the stories actually contain some transcendent truth. This was pretty reliable when the myths themselves were written for that purpose. Screenplays are iffy at best. I would not, for instance, take my daily dose of learnin' from an episode of Friends, but Star Trek still has more bankable life lessons than Slashdot.