Disclosure of Major Software Exploits by Students?
school-hacker asks: "I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide. Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and self-tested proof-of-concept exploit code. Naturally, I want to share this information with their software engineers, and would even be nice enough to suggest a means of fixing it. However, with the state of current intellectual property and reverse-engineering laws, I hesitate to do so out of fear of litigation or academic disciplinary action. As an ethical geek, what do -you- do?" While the responses from an earlier story might prove useful here, there is always the possibility of the university making things harder for the person reporting the problem. How can students avoid both legal and academic trouble when trying to notify their university of security problems?
be an Anonymous Coward for a day!
Still better, post the exploits here, we will make sure they come to know.
Siggy Say, Siggy Do
and help college students across America 'correct' their grades.
Allah thanks you.
... You've earned it. :-)
Seriously, I'd take this slow. Perhaps writing something up in printed form and submitting it via snail mail would be smarter than having executable code lying around on a computer you own or have access to.
The Future of Human Evolution: Autonomy
You could always try approaching your advisor or some other trusted faculty member.
You send me the code.. and I will "examine" it to see if it would be legal. I'll get back to you about it after next semester? :D
This is probably having to do with "blackboard" software, i.e. learn.vt.edu.
This software tries to be everything to everyone, and all most teachers use it for is posting grades.
It doesn't surprise me that there are bugs in it, though. There have been several show up on astalavista.box.sk, and those were fixed, but the design of the program doesn't strike me as being particularly sound.
~Will
sig?
Find someone who will or is better able to the local student newspaper.
Grab a reporter, show him it, let him follow up.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
print it out 4x, put each in an envelope, no return address, send it to the provost, the IT head and the CEO and chief engineer of the company that makes this thing. demand nothing and tell them it's simply fyi. hard for four people to keep a secret - you'll get action somewhere. keep a copy in case nothing happens. no harm, no foul. it's just doing the right thing for no gain.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
you go to slashdot and brag about it.
I passed the Turing test.
You choose a different nickname from "school-hacker" :-)
don't forget to include a hefty ransom, and instructions for where to leave the money in exchange for the "master" copy of the code. remember, no cops.
bite my glorious golden ass.
Most universities have a well-published Acceptable Use Policy. Before making any disclosures, become intimately familiar with this document. As long as you've done nothing to compromise this document, you should be on safe ground.
What would be their concern in punishing you? To dissuade every wanna-be cracker on campus from poking around the innards of the computer network. Though we all know security through obscurity does not work, your school does not want everybody trying to eliminate that obscurity.
When you compose your statement of disclosure, include a statement which argues for your concern and your compliance with the AUP. Cite it, quote it, and argue for your concern for staying within the published regulations of the University. So long as you have not used this exploit to your advantage and so long as you show concern for the things they are concerned about, you should be fine.
-jag
http://starboard.flowtheory.net/
One, don't notify the university directly. If you do, you create a political situation where they still have the ability to shut you up by putting pressure on you. Keep in mind, the university wouldn't make life hard for you because they're run by Darth Vader, they'd make life hard for you to keep you from disclosing.
Two, do notify the vendor, BUT use the disclosure guidelines provided by Rain Forest Puppy (called RFPolicy). This is the best template for fair and equitable disclosure I've ever seen, and I feel it's even a hair better than the policy put forth by @Stake (although theirs is pretty good too). Set up a hushmail account that cannot be traced back to you for this purpose, and proceed from there.
Three, do NOT disclose the proof-of-concept exploit code. Disclosing a vulnerability is enough, there is no reason to automate attacks that take advantage of it.
By the time the university knows anything, they will no longer be able to accomplish anything by making your life hard. Furthermore, you will be in a position of strength, having taken the high road in disclosure and given all parties every opportunity to protect themselves properly.
For your security, this post has been encrypted with ROT-13, twice.
I had this problem a while back with java.sun.com.
They were running a comment system that did server side includes. The URL pattern was
http://java.sun.com/foo.jsp?url=relative/path.i
The obvious hack would be to enter a file: URL and see if it worked and sure enough I could browse through the whole file system as long as I knew the path.
Stupid Java engineers.
Anyway... I contacted a few VPs at SUN and just told them that I had discovered a severe security hole in their webserver and that because of the DMCA I couldn't report it.
They were quick to respond telling me that they WOULDN'T prosecute if I were to give them the security disclosure so they could fix the issue.
Most people won't care as long as you are white hat. If they freak out then don't reveal the information.
Kevin
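The hole Kevin describes above is an include parameter that accepted a `file:` URL and so let a visitor read any path on the server. As an added example, not code from the thread or from Sun, here is how a server-side include resolver can validate such a parameter from the defender's side: refuse any URL scheme or host, refuse absolute paths and `..` segments, allow only expected file types, and confirm after normalization that the result still lies under the include root. The include root, the allowed suffixes and the sample inputs are all assumptions made up for this example.

```python
from urllib.parse import urlparse, unquote
from pathlib import PurePosixPath

# Hypothetical include root and suffix allowlist (assumptions for this example).
BASE_DIR = PurePosixPath("/var/www/includes")
ALLOWED_SUFFIXES = {".inc", ".html"}


class IncludeRejected(ValueError):
    """Raised when a user-supplied include parameter fails validation."""


def resolve_include(param: str, base_dir: PurePosixPath = BASE_DIR) -> PurePosixPath:
    """Map a request parameter to a file under base_dir, or raise IncludeRejected.

    Uses pure path arithmetic so the decision does not depend on what exists on disk.
    """
    raw = unquote(param)                       # decode %2e%2e and friends once
    parsed = urlparse(raw)
    if parsed.scheme or parsed.netloc:         # file:, http:, //host/... are all out
        raise IncludeRejected("URL schemes and hosts are not accepted: %r" % raw)
    if raw.startswith("/") or "\\" in raw or "\x00" in raw:
        raise IncludeRejected("absolute paths, backslashes and NULs are not accepted: %r" % raw)
    parts = PurePosixPath(raw).parts           # pathlib drops '.' segments for us
    if not parts or ".." in parts:
        raise IncludeRejected("empty path or parent-directory segment: %r" % raw)
    target = base_dir.joinpath(*parts)
    if target.suffix not in ALLOWED_SUFFIXES:
        raise IncludeRejected("file type not allowed: %r" % raw)
    if base_dir not in target.parents:         # defence in depth: containment check
        raise IncludeRejected("resolved outside include root: %r" % raw)
    return target


def is_accepted(param: str) -> bool:
    """Convenience wrapper: True if the parameter would be served, False if rejected."""
    try:
        resolve_include(param)
        return True
    except IncludeRejected:
        return False


def triage(params):
    """Classify a batch of parameters into accepted and rejected lists."""
    accepted = [p for p in params if is_accepted(p)]
    rejected = [p for p in params if not is_accepted(p)]
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate relative include and several probes.
    samples = [
        "relative/path.inc",
        "file:///etc/passwd",
        "../../etc/passwd",
        "/etc/passwd",
        "//evil.example/share/x.inc",
        "%2e%2e/%2e%2e/etc/passwd",
        "notes/./readme.html",
    ]
    ok, bad = triage(samples)
    print("accepted:", ok)
    print("rejected:", bad)
```

The checks are deliberately redundant: the scheme test alone would have stopped the `file:` probe from the post, but the `..` and containment tests cover the same class of bug when the parameter is a bare path rather than a URL.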
Here is some advice..
Remember you will be dealing with two or three groups that have different motives for their existence; i.e. the IT group of your college, college management, and the software vendor...
You do not have enough power or pull to report this on your own and should not do so as it would put your college studies in danger, heed this warning!
What you need to do is find a tenured CS faculty member that will be a guinea pig for a blind computer experiment..blind in that he or she does not know ahead of time the directions you will be giving..
The directions must be in the form of questions of:
What happens if I do this, what will occur..in other words you are leading the faculty member on the trail of discovery..
Once they get to the end it is then their responsibility for reporting the security hack and thus your college studies are protected..
Don't Tread on OpenSource
I used to work for a school district that had major security problems with its grading system. They would tape passwords to the bottom of their keyboards...and put files with lists of teacher passwords in a publicly-accessible folder on the network. I attempted to tell my boss (who was getting paid $80,000 per year) about all of this, and was basically told it was not a big deal. I watched a student change his grade from D to B...and nobody ever knew. I told a few more people and was basically told to shut up...and I could feel their eyes turning to me as the problem. So I shut up...and it continues to this day. Just remember that with ultra-conservative computer administrative nazis, the nail that sticks up gets beat down.
Maybe I'm completely naive, but what the hell is going on?! Has everyone on slashdot hacked or cracked some 31337 prog/dbase/bank ... Why is anonymity supposedly the best policy?! As long as you haven't changed your grades or exploited code (your teachers/the school will be able to tell) then you'll be fine. Are you afraid of getting busted for something else? I mean, it seems completely rational to e-mail the company, print a copy, mail it to yourself (if you are as paranoid as everyone else) and then, if problems arise, mail the university.
.. :P ridiculous
Remember: The university cares about a student paying 20k+ a year to be there, the software company is costing the U money, who would they rather attack?
Anonymity is for spammers. You'll probably get some recognition in the CS department if you say something about it... unless your teachers are all secretly black hat, and hate your guts for exposing yourself
Is there a professor that you know well enough to approach about this? I would tell them the facts and ask them what to do.
It is highly likely that they will be willing to approach the PTB about the issue--leaving you entirely out of it. At most universities, such a software vendor won't try to get your identity from a prof, they know where their bread is buttered.
If all else fails, drop me an email at roberts period six-two-eight period osu period edu. I'm a prof at Ohio State and I'll be happy to lend a hand.
A lot of people here have advocated alerting people about this anonymously. Whether or not you feel this is the correct thing to do, consider including a PGP public key with whatever submissions you turn over to relevant parties. This way, if it becomes advantageous at a later time to take credit for your actions, you can prove that you were the anonymous whistle-blower.
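The post above proposes attaching a PGP public key so that the anonymous reporter can later prove authorship. As an added example, not from the thread, here is the same commit-and-reveal idea using only the Python standard library: instead of a PGP signature, the reporter attaches an HMAC tag over the report computed with a random secret that only they hold, and later reveals the secret. The report text and the "later claim" flow are constructed for this example; a real submission would also need the recipient to record when they received the tag, since the tag alone proves possession of the secret, not the date.

```python
import hashlib
import hmac
import secrets

# Constructed sample report; stands in for the actual disclosure text.
SAMPLE_REPORT = b"Vulnerability report: two remote issues in the homework grading component.\n"


def make_commitment(report: bytes):
    """Produce (secret, tag). The tag goes out with the anonymous report; the secret stays with the reporter."""
    secret = secrets.token_bytes(32)                       # 256-bit random key, never sent
    tag = hmac.new(secret, report, hashlib.sha256).hexdigest()
    return secret, tag


def verify_claim(report: bytes, secret: bytes, tag: str) -> bool:
    """Recipient's check when someone later claims authorship by revealing the secret.

    Recomputes the HMAC over the report they originally received and compares it in
    constant time against the tag they recorded at submission time.
    """
    expected = hmac.new(secret, report, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def simulate_disclosure():
    """Walk through submission, a genuine claim, and two bogus claims. Returns the outcomes."""
    secret, tag = make_commitment(SAMPLE_REPORT)
    anonymous_submission = {"report": SAMPLE_REPORT, "tag": tag}   # what the vendor receives

    # Months later: the real reporter reveals the secret.
    genuine = verify_claim(anonymous_submission["report"], secret, anonymous_submission["tag"])

    # Someone else guesses a secret: fails.
    impostor = verify_claim(anonymous_submission["report"], secrets.token_bytes(32), anonymous_submission["tag"])

    # The real secret but a different report text: also fails, so the tag binds to the exact report.
    altered = verify_claim(SAMPLE_REPORT + b"(edited)", secret, anonymous_submission["tag"])

    return {"genuine": genuine, "impostor": impostor, "altered_report": altered}


if __name__ == "__main__":
    for outcome, result in simulate_disclosure().items():
        print(f"{outcome}: {'accepted' if result else 'rejected'}")
```

A PGP key does the same job with a public/private pair and additionally lets the recipient reply encrypted; the HMAC version shown here is the minimal form of the idea, and the important operational point is the same in both: the recipient must keep the tag (or key fingerprint) together with a record of when it arrived.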
If bugs are kept secret, the secrets get held in the hands of the few. The unethical hacker [cracker] will eventually exploit the code and use it to their advantage.
If it weren't for FD, we'd have more 0day exploits because companies would not feel the pressure to release timely updates. It chews up development cycles to go back and put an emergency fix in place for insecure code, test it, and release it. Do you think companies would do this voluntarily? I think not. Too expensive. They'll include it with their next major update and charge for the upgrade or some crap like that.
I say the medicine is bad, but the disease is worse. Full Disclosure is the Medicine, bad coding the disease.
We are going to continue down this road of FD debate until software vendors (M$ et al.) start writing secure code. I have said it many times; Requiring patches to achieve security is fundamentally flawed. Coders need to write secure code. The onus is on them. Don't blame the hackers/crackers for airing their dirty laundry. If M$ or whoever loses market share because they consistently release insecure code that is repeatedly being compromised then that is their fault.
It was only after being repeatedly beat over the head with the proverbial lead pipe by the hacker community that good ole Bill Gates sent out a memo stating that Security is becoming Microsoft's #1 priority. Do you really think he would have done that if we didn't have the Full Disclosure in place? We should not rely on 'security by obscurity' by keeping the exploits secret, or keeping the information reserved for the security elite.
Send a confidential email to the network administrators and to the company that created the software. State that you will give them adequate time to respond and to release a patch. State that the exploit will undergo full disclosure in two months, or if they request extra time, ask them what measures are being taken to ensure the integrity of the information being stored on these computers. If you can hack into the system to raise your grades, others could hack in to lower the hard earned grades of others. Hell, at that point, they should start selling diplomas at the bookstore.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
I can understand wanting to cover your backside with this. Especially since you have 'tested' the exploit. Going to the university may mean the end of your academic career. Going to the company may result in the same in a roundabout way. The company may feel obligated to report you to the said university.
If you are serious about getting the exploit fixed then there are a lot of good points already made in the replies:
- Send it to the company anonymously.
- Send it to the university IT dept. anonymously.
Do both and that should get it where you want it to go. Now for my take on this (if you were one of my students)...
You are supplying the source of the proof of concepts, right? I accept no binaries from unknown sources, especially with your story. You have to convince me that you are not only legit. but being honest. If you approach me you had better be able to prove that you have not altered your grades. This is not due to my morals but due to my obligations to the university.
I have dealt with students bringing up exploits to me that they have found work in our system. First I have to verify their claim, second I have to consider the damage they may have done (purposefully or not). If this means a call to security then I am obligated to do that. After that I have to consider fixing my system and damage control.
Note about security: I need not bring security into it but I must document everything in case the incident becomes a concern in the future... Example, next year you suddenly become an honor student.
A comment by 'has' bothers me... if this is you then you could be in deeper than you want to be... I would suggest cleaning up your act, taking an ethics course and getting on with your degree. This type of un-ethical, and probably illegal (fraud?) activity will eventually catch up with you if continued. Enough preaching.
Take the suggestions regarding anonymous submissions if you're serious about helping.
Merlin.
Sure, it's probably Blackboard which most colleges use, but if it's not Bb, it could also be Banner by SCT which plenty of schools also use.
Compromising Banner is far more dangerous than Blackboard (Bb).... Most schools that use Banner use it as their student management system, which records official transcript, program requirements met, class registration, etc. etc.
In my last undergrad semester, my team developed a website that interfaced directly w/ the Banner system and even found some loopholes in it which we exploited to allow our website to do a better job at calculating program requirements met and suggested offerings to complete it. (This was for an Advanced Software Project Mgmt class)
Needless to say, the Registrars office people were very intrigued by our exploration into the limits of the current system. I imagine a less cooperative school administration would be more punitive.. (But I went to a business school, so they know we just get motivated by $$
Living in a police state doesn't have to be oppressive- it can be fun-pressive!
The Internet offers no anonymity. So just print out the code on a locally connected printer (not a network printer). Wait until nightfall, then go to a conspicuous area on campus that is free of security cameras. Buy a can of spray paint (NOT online- that would be stupid!) and spray the working exploit code onto a wall of a building.
Be sure to provide comments and please make sure the code compiles before you spray it.
Then go home and throw your computer into a vat of nitric acid. And that's that!
If you decide to pursue the route of getting something done about it, I'd suggest:
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
Yes, this is insane, but it's also how it is.
--True, if you take the right approach, have the right kind of charisma, (ie, express honesty and even explain your concerns up front about how other people before you have been punished for having done the right thing in the past,) you might be able to pull it off. I wouldn't count on it though. The sheep behind the glass are getting colder every day, and even a smooth talker like me has been really having to sweat in order to earn my best intentions. It's getting tough out there.
So in this instance, and others like it, I wouldn't bother.
And just to be clear, I wouldn't use the exploit either. --Chances are, if you do, you'll really end up in hot water. Indeed, I strongly suspect that some cases of these kinds of exploits are designed to discover those who are not sheep-like enough so that they can be flagged for later. . , uh, disposal. (Same goes for things like performing acts of guerrilla advertising, and ad-defacement of particularly nasty posters and billboards around your town. That sort of thing is monitored.)
--Which, of course, means that if you try in earnest to bring the hole in the code to the attention of the 'masters of the universe', then somebody, somewhere will be all pissed off with you for ruining their entrapment scheme.
My advice? Sit tight. --The furthest you might want to go is to discuss it openly to anybody who cares to listen, saying you heard about it on the net from some anonymous coward. Wide open honesty is usually the best way to screw evil plans without bringing down reprisal and brimstone on your head. Works for me.
-FL
I would argue that there are several answers depending on the poster's goal. Is he interested in working for Blackboa...I mean, the software he is discussing (and/or any other company) and wanting to show his prowess? Or is it truly out of the kindness of his heart? Regardless, I would completely bypass the school. Contact the software company directly as they understand the issue better. It would be your luck that a random administrator at your school would hear about this and label you a h4x0r and a menace to society -- remember that people hate what they cannot understand.
This is my digital signature. 10011011001
With the current political climate, your best bet is to do absolutely nothing. People are arrested for expressing opinions, others are denied due process for free speech, and still others are deemed terrorists for even the slightest questioning of a government's actions. Corporations mandate what can and cannot be done and are happily funded by a more sheepish and numbed people, armed with a more sheepish and willing set of so-called representatives.
Do nothing. Sure, you can pat yourself on the back for your ingenuity, but file your discoveries away in your mind. The world cannot tolerate them now.
Sad. But true.
Doing good coding can get you some nice job references (as per your teacher at University), and some good friends down the line, but it doesn't excuse you from the rules per detention, etc. (what the detention was about is a different issue, so I just won't go there).
Encrypting the code is, at best, bad karma. It could come back to haunt you years down the road when an important contract is nixed because a friend of a friend remembers what you did way back when. Relationships are one of the most important things we have in life, and when you burn enough bridges life just gets less and less pleasant. I'm sometimes shocked by where the contacts I've built up over the years have taken me.
BTW: If you were actually paid to develop that school code that you encrypted, my guess is that the only reason they didn't sue your ass off is that you didn't have any money in your pants.
Free Software: Like love, it grows best when given away.
I'm making the assumption that the software you found a problem in is Blackboard. I apologize if that is not the case, however, I would still be happy to take your discovery to the vendors of whatever software it is on your behalf.
I work for a major university as the Blackboard programmer/administrator. I've been working on the Blackboard code for years, making substantial modifications to the Bb system to suit our university. I've found my share of bugs, problems, and more than one gaping hole. Blackboard is riddled with XSS, input validation, SQL insertion, replay, predictable sequences, and I'm sure countless other vulnerabilities. Quite frankly I'm amazed at how few breaches I hear about.
I think you're right to be careful, but try to not get carried away. At least in our department, we're eager to hear about problems and fix them. We're not interested in ruining someone's college education. However, you should be careful about who you contact. At our university, the usual IT people are paranoid. You need to get as close to the people who deal with Bb as you possibly can. Contacting a suit in upper IT would likely get you the slapdown. Start lower. You're looking for the geeky programmer who deals with Bb all day long and would drop everything they are doing to fix a hole in their system.
If you are not comfortable contacting representatives at your university, feel free to contact me about your discovery. This sort of stuff is what I do, and besides, I'm already on Blackboard's shit list. I have another issue to report to Bb, (the aforementioned gaping hole) and I'd be happy to send your information along with it, with or without your name. jeff (somewhere near) jsnider.net
Goblin
It's all fun and games until a 200' robot dinosaur shows up and trashes Neo-Tokyo... Again
Okay, so two stories, one from Jr. High, one from Highschool.
In Jr. High, someone was giving out the admin password pass FoolProof (a mac protection software that was incredibly simple to bypass at the time.) Anyways, I tried to inform the IT guy, and he blew me off, saying that I didn't really know the password. So I put on a little app that made the computer belch.
Someone snitched, and I ended up in the principal's office. I tried to plead my case, it wasn't like I hadn't tried to do the right thing, and when they wouldn't listen I gave them something they couldn't ignore. Detention 4 weeks.
I should have learned from my first experience but I didn't. In Highschool, the network was completely insecure. You could print to any classroom across the whole school district, and everything was named quite nicely. Once again, I was blown off when I tried to say this was a bad thing.
Not only were all the printers there, but a number of computers were open with read access to everything. So I opened a network connection to every shared disk along the network and started a find for everything. The IT guy in the lab looked over my shoulder and asked what I was doing. Detention again, this time for "Slowing the hard drives down."
If only more people got into trouble for changing the laws of physics.
=================
Unix is very user friendly, it's just picky about who its friends are.