Slashdot Mirror
Disclosure of Major Software Exploits by Students?
school-hacker asks: "I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide. Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and -selftested proof-of-concept exploit code. Naturally, I want to share this information with their software engineers, and would even be nice enough and suggest a means to fixing it. However, with the state of current intellectual property and reverse-engineering laws, I hesitate to do so out of fear of litigation or academic disciplinary action. As an ethical geek, what do -you- do?" While the responses from an earlier story might prove useful, here, there is always the possibility of the university making things harder for the person reporting the problem. How can students avoid both legal and academic trouble, when trying to notify their university of security problems?
be an Anonymous Coward for a day!
still better, post the expolits here , we will make sure they come to know.
Siggy Say, Siggy Do
and help college students across America 'correct' their grades.
Allah thanks you.
Your best bet is to do something similar to what you have done here. Submit the information to them via an anyonymous channel, perhaps mailing a CD (which you handled using gloves, no less) with an explanation and machine-readable exploit code. You don't have to make it known that it was you, just that someone figured it out.
01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
... You've earned it. :-)
Seriously, I'd take this slow. Perhaps writing something up in printed form and submitting it via snail mail would be smarter than having executable code lying around on a computer you own or have access to.
The Future of Human Evolution: Autonomy
You could always try approaching your advisor or some other trusted faculty member.
...anonymity is the key. My crystal ball (i.e. an application of Murphy's Law) states that if you try to formally inform the universities of the flaw, you'll get hushed up, blamed and generally blusted. Just write anonymous letters to the companies who develop the software and the universities about the problems. If they don't take action, then feel guiltfree about giving yourself arbitrary scores. Remember: if you don't get caught, it's not illegal.
Bash script for FP whores
You send me the code.. and I will "examine" it to see if it would be legal. I'll get back to you about it after next semester? :D
This is probably having to do with "blackboard" software, i.e. learn.vt.edu.
This software tries to be everything to everyone, and all most teachers use it for is posting grades.
It doesn't surprise me that there are bugs in it, though. There have been several show up on astalavista.box.sk, and those were fixed, but the design of the program doesn't strike me as being particularlly sound.
~Will
sig?
Find someone who will or is better able to the local student newspaper.
Grab a reporter, show him it, let him follow up.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
Goto a prof with your suspicions (but you don't know yet, how could you?) and get assigned to find out for one of your papers. You've already done the work, so it should be an easy grade.
print it out 4x, put each in an envelope, no retutn address, send it to the provost, the IT head and the CEO and chief engineer of the company that makes this thing. demand nothing and tell them it's simply fyi. hard for four peop[le to keep a secret - you'll get action somewhere. keep a copy in case nothing happens. no harm, no foul. it's just doing the right thing for no gain.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
you go to slashdot and brag about it.
I passed the Turing test.
You choose a different nickname from "school-hacker" :-)
Tell them that you know how to do it and refuse to give them the details unless they can provide you with federal, state and local documents guaranteeing that you, your friends, and your family will not be prosecuted now or in the future for any illegal activity relating to this exploit, exploits of other academic software, or exploits of any software relating to anyone who ever atended college or anyone who knows someone who attended college. Be sure to specify that Arab Americans cannot be excluded from these guarantees.
/.)
Also demand that the school indemnify you against any civil actions. While you're at it, you might as well require a statement that no military action will be taken.
Finally, offer them your consulting services at $500/hr, minimum 10 hours.
Disclaimer: IANAL, BIPOOSD (but I play one os
Being a member of the secuirty scene (not a very skilled memeber but im tryin! ;) ) The standard way would be to email the vendor. If you want to do it anonomously pm me and I can set you up a POP3 account ;)
Briefly state the issues, and the holes, how the exploit works, and inform them that if no repsonse is made you will foward the exploit and the security brief to the proper mailling lists.
It is law in California now that any security breach must be made public so just remind them of that.
Normally they will repsond asking for futher details, foward them your proof-of-concept and again warn them if corrective measures are not made you will announce it publicly. It should result in a patch, in which case make your findings public with information on how to patch or where to obtain the patch for the software.
If all communications fails there is the [FULL-DISCLOSER] and the [INCIDENTS] mailing lists. Again if you are worried about your school and/or IP laws the best thing would be to spoof an email to the lists (if it comes down to that) or use a Email account that your name IS NOT attached to. Most companies will thank you for informing them before going public, and It is the right thing to do =)
Also try digging thru your AUP and TOS for the network at school, in there it may state some legalities about breaking into to systems, hacking, sniffing, ect.
If all else fails, forward your finding to a trusted source, and have them take the actions required. Remember you are not required by any law to make your findings public, so if you really feel uneasy just forget about the whole thing.
Most universities have well published an Acceptable Use Policy. Before making any disclosures, become intimately familiar with this document. As long as you've done nothing to compromise this document, you should be on safe ground.
What would be their concern in punishing you? To dissuade every wanna-be cracker on campus from poking around the innards of the computer network. Though we all know security through obscurity does not work, your school does not want everybody trying to eliminate that obscurity.
When you compose your statement of disclosure, include a statement which argues for your concern and your compliance with the AUP. Cite it, quote it, and argue for your concern for staying within the published regulations of the University. So long as you have not used this exploit to your advantage and so long as you show concern for the things they are concerned about, you should be fine.
-jag
http://starboard.flowtheory.net/
One, don't notify the university directly. If you do, you create a political situation where they still have the ability to shut you up by putting pressure on you. Keep in mind, the university wouldn't make life hard for you because they're run by Darth Vader, they'd make life hard for you to keep you from disclosing.
Two, do notify the vendor, BUT use the disclosure guidelines provided by Rain Forest Puppy (called RFPolicy). This is the best template for fair and equitable disclosure I've ever seen, and I feel it's even a hair better than the policy put forth by @Stake (although theirs is pretty good too). Set up a hushmail account that cannot be traced back to you for this purpose, and proceed from there.
Three, do NOT disclose the proof-of-concept exploit code. Disclosing a vulnerability is enough, there is no reason to automate attacks that take advantage of it.
By the time the university knows anything, they will no longer be able to accomplish anything by making your life hard. Furthermore, you will be in a position of strength, having taken the high road in disclosure and given all parties every opportunity to protect themselves properly.
For your security, this post has been encrypted with ROT-13, twice.
I had this problem a while back with java.sun.com.
n c
They were running a comment system that did server side includes. The URL pattern was
http://java.sun.com/foo.jsp?url=relative/path.i
The obvious hack would be to enter a file: URL and see if it worked and sure enough I could browse through the whole file system as long as I knew the path.
Stupid Java engineers.
Anyway... I contacted a few VPs at SUN and just told them that I had discovered a severe security hole in their webserver and that because of the DMCA I couldn't report it.
They were quick to respond telling me that they WOULDN'T prosecute if i were to give them the security disclosure so they could fix the issue.
Most people won't care as long as you are white hat. If they freak out then don't reveal the information
Kevin
Here is some advice..
Remember you wil be dealign with two or three groups that have different motives for their existence; ie IT group of your college, college Management, and the software vendor...
You do not have enough power or pull to report this on your own and should not do so as it woudl put your college studies in danger, head this warning!
Waht you need to do is find a tenured CS faculty member that will be a guinea pig fro a blind computer experiment..blind in that he or she does not know ahead of time the directions you will be giving..
The directions must be in the form of question of:
Waht happens if I do this what will occur..in other worsd you are leading the faculty member on the trail of discovery..
Once they get to the end its is then their responsibility fo reporting the security hack and thus your college studies are protected..
Don't Tread on OpenSource
If history is any guide: They aren't going to take you seriously unless you release a working exploit. If you tell 'em about it they'll just try to silence you with threats -- and then you can't choose anonymous release, because they'll go after you.
If you release the exploit anonymously, you'll get things fixed. If you release it with your name attached, you'll get things fixed and bring a shitstorm down on your head -- your choice if you want the notoriety and its consequences.
I need to pass this semester. Don't ruin this for me.
"It's the little touches that make a future solid enough to be destroyed" --William S. Bourroughs
Maybe I'm completely nieve, but what the hell is going on?! Has everyone on slashdot hacked or cracked some 31337 prog/dbase/bank ... Why is anonymity supposedly the best policy?! As long as you haven't changed your grades or exploited code (your teachers/the school will be able to tell) then you'll be fine. Are you afraid of getting busted for something else? I mean, it seems completely rational to e-mail the company, print a copy, mail it to yourself (if you are as paranoid as everyone else) and then, if problems arise, mail the university.
.. :P rediculous
Remember: The university cares about a student paying 20k+ a year to be there, the software company is costing the U money, who would they rather attack?
Anonymity is for spammers. You'll probably get some recognition in the CS department if you say something about it... unless your teachers are all secretly black hat, and hate your guts for exposing yourself
Is there a professor that you know well enough to approach about this? I would tell them the facts and ask them what to do.
It is highly likely that they will be willing to approach the PTB about the issue--leaving you entirely out of it. At most universities, such a software vendor won't try to get your identity from a prof, they know where their bread is buttered.
If all else fails, drop me an email at roberts period six-two-eight period osu period edu. I'm a prof at Ohio State and I'll be happy to lend a hand.
A lot of people here have advocated alerting people about this anonymously. Whether or not you feel this is the correct thing to do, consider including a PGP public key with whaterver submissions you turn over to relevant parties. This way, if it becomes advantageous at a later time to take credit for your actions, you can prove that you were the anonymous whistle-blower.
If bugs are kept secret, the secrets get held in the hands of the few. The unethical hacker [cracker] will eventually exploit the code and use it to their advantage.
If it weren't for FD, we'd have more 0day exploits because companies would not feel the pressure to release timely updates. It chews up development cycles to go back and put an emergency fix in place for insecure code, test it, and release it. Do you think companies would do this voluntarily? I think not. Too expensive. They'll include it with their next major update and charge for the upgrade or some crap like that.
I say the medicine is bad, but the disease is worse. Full Disclosure is the Medicine, bad coding the disease.
We are going to continue down this road of FD debate until software vendors (M$ et al.) start writing secure code. I have said it many times; Requiring patches to achieve security is fundamentally flawed. Coders need to write secure code. The onus is on them. Don't blame the hackers/crackers for airing their dirty laundry. If M$ or whoever loses market share because they consistantly release insecure code that is repeatedly being compromised then that is their fault.
It was only after being repeatedly beat over the head with the proverbial lead pipe by the hacker community that good ole Bill Gates sent out a memo stating that Security is becoming Microsofts #1 priority. Do you really think he would have done that if we didn't have the Full Disclosure in place? We should not rely on 'security by obscurity' by keeping the exploits secret, or keeping the information reserved for the security elite.
Send a confidential email to the network administrators and to the company that created the software. State that you will give them adequate time to respond and to release a patch. State that the exploit will undergo full disclosure in two months, or if they request extra time, ask them what measures are being taken to insure the integrity of the information being stored on these computers. If you can hack into the system to raise your grades, others could hack in to lower the hard earned grades of others. Hell, at that point, they should start selling diplomas at the bookstore.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
I can understand wanting to cover your backside with this. Especially since you have 'tested' the exploit. Going to the university may mean the end of your academic career. Going to the company may result in the same in a round about way. The company may feel obligated to report you to the said university.
If you are serious about getting the expoit fixed then there are a lot of good points already made in the replies:
- Send it to the company anonymously.
- Send it to the university IT dept. anonymously.
Do both and that should get it where you want it to go.Now for my take on this (if you were one of my students)...
You are supplying the source of the proof of concepts, right? I accept no binaries from unkown source, escpecially with your story. You have to convince me that you are not only legit. but being honest. If you approach me you had better be able to prove that you have not altered your grades. This is not due to my morals but due to my obligations to the university.
I have dealt with students bringing up exploits to me that they have found work in our system. First I have to verify their claim, second I have to consider the damage they may have done (purposefully or not). If this means a call to security then I am obligated to do that. After that I have to consider fixing my system and damage control.
Note about security: I need not bring security into it but I must document everything incase the incident becomes a concern in the future... Example, next year you suddenly become a honor student.
A comment by 'has' bothers me... if this is you then you could be in deeper then you want to be... I would suggest cleaning up your act, taking an ethics course and getting on with your degree. This type of un-ethical, and probably illegal (fraud?) activity will eventually catch up with you if continued. Enough preaching.
Take the suggestions regarding anonymous submissions if your serious about helping.
Merlin.
Come across? Like you woke up one morning and found them in your mailbox, between credit card offers?
Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and -selftested proof-of-concept exploit code.
Now I'm thinking - did you have a legal copy of the software you were "testing"? If not, do you know the person/entity who has the legal copy? Did you get their permission to poke around?
I would expect the litigation or academic discipline, if you pursued your experiment without a legal copy, or at least the permission of the person who owned the licensed copy. Or at least asked a professor to act as advisor for your experiments.
As an ethical geek, what do -you- do?
Ask permission from the target company before pursuing exploits.
I may be reading too much into the poster's brief notes (or maybe the poster's name), but I have a feeling that there are several illegal (and possibly unethical) things that have been done so far. The best way to avoid a situation like this is to plan to be ethical, legal, and open from the beginning. Get the company's permission, the schools permission, etc., and no one will be suprised when you get some results. Otherwise, they may say "Thank you, now please come to court in two weeks", and you have little recourse except to hire a lawyer.
Which the poster should probably do, anyway. It's a shame - with the proper authorization, this could have been an interesting senior project.
Sure, it's probably Blackboard which most colleges use, but if it's not Bb, it could also be Banner by SCT which plenty of schools also use.
;) )
Compromising Banner is far more dangerous than Blackboard (Bb).... Most schools that use Banner use it as their student management system, which records official transcript, program requirements met, class registration, etc. etc.
In my last undergrad semester, my team developed a website that interfaced directly w/ the Banner system and even found some loopholes in it which we exploited to allow our website to do a better job at calculating program requirements met and suggested offerings to complete it. (This was for an Advanced Software Project Mgmt class)
Needless to say, the Registrars office people were very intrigued by our exploration into the limits of the current system. I imagine a less cooperative school administration would be more punitive.. (But I went to a business school, so they know we just get motivated by $$
Living in a police state doesn't have to be oppressive- it can be fun-pressive!
The Internet offers no anonymity. So just print out the code on a locally connected printer (not a network printer). Wait until nightfall, then go to a conspicuous area on campus that is free of security cameras. Buy a can of spray paint (NOT online- that would be stupid!) and spray the working exploit code onto a wall of a building.
Be sure to provide comments and please make sure the code compiles before you spray it.
Then go home and throw your computer into a vat of nitric acid. And that's that!
If you decide to pursue the route of getting something done about it, I'd suggest:
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
Yes, this is insane, but it's also how it is.
--True, if you take the right approach, have the right kind of charisma, (ie, express honesty and even explain your concerns up front about how other people before you being punished for having done the right thing in the past,) you might be able to pull it off. I wouldn't count on it though. The sheep behind the glass are getting colder every day, and even a smooth talker like me has been really having to sweat in order to earn my best intentions. It's getting tough out there.
So in this instance, and others like it, I wouldn't bother.
And just to be clear, I wouldn't use the exploit either. --Chances are, if you do, you'll really end up in hot water. Indeed, I strongly suspect that some cases of these kinds of exploits are designed to discover those who are not sheep-like enough so that they can be flagged for later. . , uh, disposal. (Same goes for things like performing acts of geurilla advertising, and ad-defacement of particularly nasty posters and billboards around your town. That sort of thing is monitored.)
--Which, of course, means that if you try in earnest to bring the hole in the code to the attention of the 'masters of the universe', then somebody, somewhere will be all pissed off with you for ruining their entrapment scheme.
My advice? Sit tight. --The furthest you might want to go is to discuss it openly to anybody who cares to listen, saying you heard about it on the net from some anonymous coward. Wide open honesty is usually the best way to screw evil plans without bringing down reprisal and brimstone on your head. Works for me.
-FL
I would argue that there are several answers depending on the poster's goal. Is he interested in working for Blackboa...I mean, the software he is discussing (and/or any other company) and wanting to show his prowess? Or is it truly out of the kindness of his heart? Regardless, I would completely bypass the school. Contact the software company directly as they understand the issue better. It would be your luck that a random administrator at your school would hear about this and label you a h4x0r and a menace to society -- remember that people hate what they cannot understand.
This is my digital signature. 10011011001
With the current political climate, your best bet is to do absolutely nothing. People are arrested for expressing opinions, others are denied due process for free speech, and still others are deemed terrorists for even the slightest questioning of a government's actions. Corporations mandate what can and cannot be done and are happily funded by a more sheepish and numbed people, armed with a more sheepish and willing set of so-called representatives.
Do nothing. Sure, you can pat yourself on the back for your ingenuity, but file your discoveries away in your mind. The world cannot tolerate them now.
Sad. But true.
If you have done what I think you have, then you are quite probably screwed no matter what course of action you choose.
If you do report the problem, the IT administrators will be obliged to perform a damage assessment. They will scan their logs for behavior possibly taking advantage of this exploit. That you say you have proof of concept code, and presumably have tested it, if IT discovers that you have so much as tried to take advantage of this or a related exploit, it will almost certainly result in your dismissal for that Semester, criminal charges, and possibly the end of your academic career.
It won't help to go through a professor. If IT comes back and says that they have evidence that you tried to take advantage of the exploit (by 'testing'), you will not be spared, and the professor will either be unwilling or unable to protect you.
If you do not report the problem, you risk IT discovering the exploit on their own or through a security update from the vendor, and similarly performing damage assessment to discover whether or not their systems or data have been compromised, or attempted to have been compromised.
Don't scoff at this. If it is a significant exploit, and given that there is now a story on Slashdot about it, there is a significant possibility that IT will perform a damage assessment.
Further, depending upon how you found or 'tested' this exploit, IT may find you out whether or not they realize or are alerted to the nature of the exploit.
It is really up to you. Only you know the nature of your investigative activities and testing. If discovering these exploits required behavior which went beyond the normal use of the system, then you have a very serious problem.
How do you explain why you were doing this in the first place? You can't, and quite honestly, there is almost certainly no excuse for it. If you were concerned about the security of the system, you should have gone through official channels to get clearance to look for vulnerabilities, and report the sort of investigative techniques you would be using, and do only this.
If you have not done this, then you have one course of action:
- Find out how long of a period IT keeps logs for. If you are a technically inclined, student, then surely you have aquaintences -- students -- who work in IT.
- If the logs of your activity are gone, then you are in the clear. Report the vulnerability anonymously the next time you are off campus. Unfortunately, from the few academic IT departments I am familiar with, they keeps logs for a very long time, because of issues just like these.
- If, on the other hand, the logs of your activity are not gone, then weigh the possibility of your activity being found out before the logs will be cycled or destroyed.
If the logs will be around for months still, then you are quite possibly in serious trouble. If the logs will be around for a year or more, then you are almost certainly in very serious trouble.
If you report your activities, then you are are almmost certainly in very serious trouble.
Personally, I would go with the first option, and hope that your IT department will not perform damage assessment, or that they will not find out above the exploit until next semester, and will not be interested in logs from the previous semester, or perhaps from the previous academic year.
.sig Realistic fines for copyright in
Doing good coding can get you some nice job references (as per your teacher at University), and some good friends down the line, but it doesn't excuse you from the rules per detention, etc. (what the detention was about is a different issue, so I just won't go there).
Encrypting the code is, at best, bad karma. It could come back to haunt you years down the road when an important contract is nixed because a friend of a friend remembers what you did way back when. Relationships are one of the most important things we have in life, and when you burn enough bridges life just gets less and less pleasant. I'm sometimes shocked by where the contacts I've built up over the years have taken me.
BTW: If you were actually paid to develop that school code that you encrypted, my guess is that the only reason they didn't sue your ass of is that you didn't have any money in your pants.
Free Software: Like love, it grows best when given away.
I'm making the assumption that the software you found a problem in is Blackboard. I apologize if that is not the
case, however, I would still be happy to take your discovery to the vendors of whatever software it is on your
behalf.
I work for a major university as the Blackboard programmer/administrator. I've been working on the
Blackboard code for years, making substantial modifications to the Bb system to suit our university. I've found
my share of bugs, problems, and more than one gaping hole. Blackboard is riddled with XSS, input validation, SQL
insertion, replay, predictable sequences, and I'm sure countless other vulnerabilities. Quite frankly I'm amazed
at how few breaches I hear about.
I think you're right to be careful, but try to not get carried away. At least in our department, we're eager to
hear about problems and fix them. We're not interested in ruining someone's college education. However, you
should be careful about who you contact. At our university, the usual IT people are paranoid. You need to
get as close to the people who deal with Bb as you possibly can. Contacting a suit in upper IT would likely get
you the slapdown. Start lower. You're looking for the geeky programmer who deals with Bb all day long and would
drop everything they are doing to fix a hole in their system.
If you are not comfortable contacting representatives at your university, feel free to contact me about your
discovery. This sort of stuff is what I do, and besides, I'm already on Blackboard's shit list. I have another
issue to report to Bb, (the afore mentioned gaping hole) and I'd be happy to send your information along with it,
with or without your name. jeff (somewhere near) jsnider.net
I hereby place the above post in the public domain.
Okay, so two stories, one from Jr. High, one from Highschool.
In Jr. High, someone was giving out the admin password pass FoolProof (a mac protection software that was incredably simple to bypass at the time.) Anyways, I tried to inform the IT guy, and he blew me off, saying that I didn't really know the password. So I put on a little app that made the computer belch.
Someone snitched, and I ended up in the principal's office. I tried to plead my case, it wasn't like I hadn't tried to do the right thing, and when they wouldn't listen I gave them something they couldn't ignore. Detention 4 weeks.
I should have learned from my first experince but I didn't. In Highschool, the network was completely unsecure. You could print to any class room across the whole school district, and everything was named quite nicely. Once again, I was blown off when I tried to say this was a bad thing.
Not only were all the printers there, but a number of computers were open with read access to everything. So I opened a network connection to every shared disk along the network and started a find for everything. The IT guy in the lab looked over my shoulder and asked what I was doing. Detention again, this time for "Slowing the hard drives down."
If only more people got into trouble for changing the laws of phyics.
=================
Unix is very user friendly, it's just picky about who its friends are.