Slashdot Mirror
Disclosure of Major Software Exploits by Students?
school-hacker asks: "I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide. Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and -selftested proof-of-concept exploit code. Naturally, I want to share this information with their software engineers, and would even be nice enough and suggest a means to fixing it. However, with the state of current intellectual property and reverse-engineering laws, I hesitate to do so out of fear of litigation or academic disciplinary action. As an ethical geek, what do -you- do?" While the responses from an earlier story might prove useful, here, there is always the possibility of the university making things harder for the person reporting the problem. How can students avoid both legal and academic trouble, when trying to notify their university of security problems?
and help college students across America 'correct' their grades.
Allah thanks you.
You send me the code.. and I will "examine" it to see if it would be legal. I'll get back to you about it after next semester? :D
This is probably having to do with "blackboard" software, i.e. learn.vt.edu.
This software tries to be everything to everyone, and all most teachers use it for is posting grades.
It doesn't surprise me that there are bugs in it, though. There have been several show up on astalavista.box.sk, and those were fixed, but the design of the program doesn't strike me as being particularlly sound.
~Will
sig?
don't forget to include a hefty ransom, and instructions for where to leave the money in exchange for the "master" copy of the code. remember, no cops.
bite my glorious golden ass.
Most universities have well published an Acceptable Use Policy. Before making any disclosures, become intimately familiar with this document. As long as you've done nothing to compromise this document, you should be on safe ground.
What would be their concern in punishing you? To dissuade every wanna-be cracker on campus from poking around the innards of the computer network. Though we all know security through obscurity does not work, your school does not want everybody trying to eliminate that obscurity.
When you compose your statement of disclosure, include a statement which argues for your concern and your compliance with the AUP. Cite it, quote it, and argue for your concern for staying within the published regulations of the University. So long as you have not used this exploit to your advantage and so long as you show concern for the things they are concerned about, you should be fine.
-jag
http://starboard.flowtheory.net/
Send the mail with exploit to abuse/contact/CEO@companywithexploit.com
Tell them that you will release the exploit within 30/60/90 days on Bugtraq, Freenet and Slashdot unless they fix it.
Make sure you also send the mail to:
-Local/regional newspapers.
-The school/school council/principal/teachers/newspaper.
-Local government official(s).
If they don't fix the shit after this, release the exploit *anonymously*.
Proud patriot and republican voter.
One, don't notify the university directly. If you do, you create a political situation where they still have the ability to shut you up by putting pressure on you. Keep in mind, the university wouldn't make life hard for you because they're run by Darth Vader, they'd make life hard for you to keep you from disclosing.
Two, do notify the vendor, BUT use the disclosure guidelines provided by Rain Forest Puppy (called RFPolicy). This is the best template for fair and equitable disclosure I've ever seen, and I feel it's even a hair better than the policy put forth by @Stake (although theirs is pretty good too). Set up a hushmail account that cannot be traced back to you for this purpose, and proceed from there.
Three, do NOT disclose the proof-of-concept exploit code. Disclosing a vulnerability is enough, there is no reason to automate attacks that take advantage of it.
By the time the university knows anything, they will no longer be able to accomplish anything by making your life hard. Furthermore, you will be in a position of strength, having taken the high road in disclosure and given all parties every opportunity to protect themselves properly.
For your security, this post has been encrypted with ROT-13, twice.
And you'll wind up with a very freaked out administration. What you want to do is to bring the problem to the attention of one of the techies that run the system, they might react sanely.
What's even better is to send the developers an anonymous bug report (not from a university IP etc.), and, if they don't react, to BugTraq or another security list.
You might also want to wait until you're graduated :)
Is there a professor that you know well enough to approach about this? I would tell them the facts and ask them what to do.
It is highly likely that they will be willing to approach the PTB about the issue--leaving you entirely out of it. At most universities, such a software vendor won't try to get your identity from a prof, they know where their bread is buttered.
If all else fails, drop me an email at roberts period six-two-eight period osu period edu. I'm a prof at Ohio State and I'll be happy to lend a hand.
Don't ever change your score, even if you give yourself a lower score, even if it's just for a demonstration. Any university will go berserk if a student does that, even if he acts in good faith.
If bugs are kept secret, the secrets get held in the hands of the few. The unethical hacker [cracker] will eventually exploit the code and use it to their advantage.
If it weren't for FD, we'd have more 0day exploits because companies would not feel the pressure to release timely updates. It chews up development cycles to go back and put an emergency fix in place for insecure code, test it, and release it. Do you think companies would do this voluntarily? I think not. Too expensive. They'll include it with their next major update and charge for the upgrade or some crap like that.
I say the medicine is bad, but the disease is worse. Full Disclosure is the Medicine, bad coding the disease.
We are going to continue down this road of FD debate until software vendors (M$ et al.) start writing secure code. I have said it many times; Requiring patches to achieve security is fundamentally flawed. Coders need to write secure code. The onus is on them. Don't blame the hackers/crackers for airing their dirty laundry. If M$ or whoever loses market share because they consistantly release insecure code that is repeatedly being compromised then that is their fault.
It was only after being repeatedly beat over the head with the proverbial lead pipe by the hacker community that good ole Bill Gates sent out a memo stating that Security is becoming Microsofts #1 priority. Do you really think he would have done that if we didn't have the Full Disclosure in place? We should not rely on 'security by obscurity' by keeping the exploits secret, or keeping the information reserved for the security elite.
Send a confidential email to the network administrators and to the company that created the software. State that you will give them adequate time to respond and to release a patch. State that the exploit will undergo full disclosure in two months, or if they request extra time, ask them what measures are being taken to insure the integrity of the information being stored on these computers. If you can hack into the system to raise your grades, others could hack in to lower the hard earned grades of others. Hell, at that point, they should start selling diplomas at the bookstore.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
I can understand wanting to cover your backside with this. Especially since you have 'tested' the exploit. Going to the university may mean the end of your academic career. Going to the company may result in the same in a round about way. The company may feel obligated to report you to the said university.
If you are serious about getting the expoit fixed then there are a lot of good points already made in the replies:
- Send it to the company anonymously.
- Send it to the university IT dept. anonymously.
Do both and that should get it where you want it to go.Now for my take on this (if you were one of my students)...
You are supplying the source of the proof of concepts, right? I accept no binaries from unkown source, escpecially with your story. You have to convince me that you are not only legit. but being honest. If you approach me you had better be able to prove that you have not altered your grades. This is not due to my morals but due to my obligations to the university.
I have dealt with students bringing up exploits to me that they have found work in our system. First I have to verify their claim, second I have to consider the damage they may have done (purposefully or not). If this means a call to security then I am obligated to do that. After that I have to consider fixing my system and damage control.
Note about security: I need not bring security into it but I must document everything incase the incident becomes a concern in the future... Example, next year you suddenly become a honor student.
A comment by 'has' bothers me... if this is you then you could be in deeper then you want to be... I would suggest cleaning up your act, taking an ethics course and getting on with your degree. This type of un-ethical, and probably illegal (fraud?) activity will eventually catch up with you if continued. Enough preaching.
Take the suggestions regarding anonymous submissions if your serious about helping.
Merlin.
Sure, it's probably Blackboard which most colleges use, but if it's not Bb, it could also be Banner by SCT which plenty of schools also use.
;) )
Compromising Banner is far more dangerous than Blackboard (Bb).... Most schools that use Banner use it as their student management system, which records official transcript, program requirements met, class registration, etc. etc.
In my last undergrad semester, my team developed a website that interfaced directly w/ the Banner system and even found some loopholes in it which we exploited to allow our website to do a better job at calculating program requirements met and suggested offerings to complete it. (This was for an Advanced Software Project Mgmt class)
Needless to say, the Registrars office people were very intrigued by our exploration into the limits of the current system. I imagine a less cooperative school administration would be more punitive.. (But I went to a business school, so they know we just get motivated by $$
Living in a police state doesn't have to be oppressive- it can be fun-pressive!
The Internet offers no anonymity. So just print out the code on a locally connected printer (not a network printer). Wait until nightfall, then go to a conspicuous area on campus that is free of security cameras. Buy a can of spray paint (NOT online- that would be stupid!) and spray the working exploit code onto a wall of a building.
Be sure to provide comments and please make sure the code compiles before you spray it.
Then go home and throw your computer into a vat of nitric acid. And that's that!
If you decide to pursue the route of getting something done about it, I'd suggest:
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
No, give your arch nemesis an A+++ 150% average, then sit back and watch. Everything will sort itself out nicely.
You drank my drink, you drunk!
With the current political climate, your best bet is to do absolutely nothing. People are arrested for expressing opinions, others are denied due process for free speech, and still others are deemed terrorists for even the slightest questioning of a government's actions. Corporations mandate what can and cannot be done and are happily funded by a more sheepish and numbed people, armed with a more sheepish and willing set of so-called representatives.
Do nothing. Sure, you can pat yourself on the back for your ingenuity, but file your discoveries away in your mind. The world cannot tolerate them now.
Sad. But true.
I concur wholeheartedly with the parent and caution you to be extremely cautious in going about this correctly. I work as a student lawyer of sorts at a major US university and defend students involved in disciplinary/judicial incidents with the university. Last year I represented a student who was ultimately expelled for exploring (not exploiting) severe security vulnerabilities on a campus library network with an eye to pointing out to someone higher-up that the school had massive holes in its architecture. Bureaucratic admins and faculty are hard-pressed to understand that the way to check system security is to carry out the same probes a h4xj0r would. My recommendations: 1) Cover your back. Document what you are doing and notify someone you trust (a faculty member in the CS department would be great) about your plans and benign intentions. 2) Contact the -company-, not the school, and notify them that you'll be issuing the exploit to BugTraq within a set time frame if the bug isn't corrected. Don't let your school even find out about this if you can help it. No need to be anonymous when contacting the company. They oughta thank you, really. 3) Publish the exploit on Slashdot unless the company specifically tells you why they cannot correct the problem during the set time frame. You don't even need to be anonymous. Legal action against security whistleblowers ought to be illegal, but at least here /.ers will die by the hundreds to defend you.
I'm making the assumption that the software you found a problem in is Blackboard. I apologize if that is not the
case, however, I would still be happy to take your discovery to the vendors of whatever software it is on your
behalf.
I work for a major university as the Blackboard programmer/administrator. I've been working on the
Blackboard code for years, making substantial modifications to the Bb system to suit our university. I've found
my share of bugs, problems, and more than one gaping hole. Blackboard is riddled with XSS, input validation, SQL
insertion, replay, predictable sequences, and I'm sure countless other vulnerabilities. Quite frankly I'm amazed
at how few breaches I hear about.
I think you're right to be careful, but try to not get carried away. At least in our department, we're eager to
hear about problems and fix them. We're not interested in ruining someone's college education. However, you
should be careful about who you contact. At our university, the usual IT people are paranoid. You need to
get as close to the people who deal with Bb as you possibly can. Contacting a suit in upper IT would likely get
you the slapdown. Start lower. You're looking for the geeky programmer who deals with Bb all day long and would
drop everything they are doing to fix a hole in their system.
If you are not comfortable contacting representatives at your university, feel free to contact me about your
discovery. This sort of stuff is what I do, and besides, I'm already on Blackboard's shit list. I have another
issue to report to Bb, (the afore mentioned gaping hole) and I'd be happy to send your information along with it,
with or without your name. jeff (somewhere near) jsnider.net