Student Attempting To Improve School Security Suspended
TA_TA_BOX writes "The University of Portland has handed a one-year suspension to an engineering major after he designed a program to bypass the Cisco Clean Access (CCA). According to the University of Portland's Vice President of Information Systems, the purpose of the CCA is to evaluate whether the computers are compliant with current security policies (i.e., anti-virus software, Windows Updates and Patches, etc.). Essentially the student wrote a program that could fool the CCA into thinking that the computer's operating system and anti-virus were fully patched and up to date. 'In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says. '"
It seems obvious that the suspension is a favor done by the university. A person of this caliber could do better in the workforce or a better university instead of TEACHING the university...
Anyone in the software biz should know: don't do security research (look for vulnerabilities) in commercial software or commercial websites if you want to be in the US. If you find a vulnerability, like a website that lets you launch missiles by putting &loggedIn=true in the URL, the best thing to do is to laugh to yourself about it, and forget it. Failing that, use some secure anonymous service and post the vulnerability somewhere. Doing the responsible thing, like informing the vendor, is absolutely thankless and likely to result in nothing but problems. Be smart, don't be a hero. Don't try to improve the security of others.
Guess I *won't* be doing that automated WiFi stumbler as a senior project...
TFA isn't really clear on what sort of "break-in" this was. It looks like it was, at most, a proof of concept break-in, and may have been as little as figuring out how to break the system without actually doing it.
In any case, he didn't go around giving out exploit code, and he even worked on the problem of patching the hole (as well as solving other problems with the CCA software), with the intent of full disclosure of the patch and upgrades. This isn't really a punishment for breaking things, it's a DMCA-style punishment for figuring out how someone might break things.
(IANAL)
He should have brought this to the IT department's attention. People writing software to bypass security and installing it without permission on someone's network should have their fingers glued together so they can't type anymore. This guy deserves to have an example made out of him.
This just doesn't bother me at all.
When I started as a freshman at the University of South Carolina 2 years ago, they were already using CCA. Its main intrusion was the fact that the University demanded that we use McAfee regardless of any other (superior) software we may have already purchased. Personally, I used Symantec Antivirus (Corporate) that I got through my internship. Regardless, it forced McAfee down my throat. I couldn't use the two side by side, as XP would freeze on startup with both installed. I noticed that the policy for CCA usage only applied to Windows computers, and that Linux and Mac users were exempt. So I booted my SuSE installation and launched Firefox to discover a web-gate type login, a form that I had to put my CCA user and pass into. Once entered, it said I was logged in for 7 days. I thought, well, there's really only one way they're separating out Windows, Mac and Linux boxes: the user-agent. All it took to bypass was a custom Firefox deployment package pre-configured with User Agent Switcher. You didn't even need CCA installed. Every 7 days you got the web-gate login. All you had to do was switch to the pre-configured Linux user-agent and log in, upon which you could change back to the default and continue on your merry way for 7 days. In about a week everyone in my dorm was using it, and it still works today. They just ban the user-agent when they catch on, and we come up with new ones. I'm not sure; this guy's University may differ, but it really shouldn't take any kind of sexy software hackery to bypass it.
PS. wtf is up with slashdot's server? It took me like 15 minutes to get this posted.
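The bypass described in the post above (present a Linux or Mac User-Agent at the web gate, then switch back to the real Windows browser) leaves a footprint an administrator can look for: the same client claims one OS family to the gate and another in its ordinary traffic. The following is an added detection sketch, not code from the thread and not Cisco's; the log format, the client identifiers and the sample lines are constructed for the example.

```python
"""Flag clients whose gate login claimed a different OS family than the
rest of their traffic. Added example; the log shape below is invented:
"<timestamp> <client-mac> <event> ua=\"<User-Agent>\"" where event is
either gate-login (the web-gate form post) or http-proxy (ordinary browsing)."""
import re
from collections import defaultdict

# Constructed sample log: client ...:01 logs in with a Linux UA (UA switcher)
# and then browses with Windows UAs; ...:02 and ...:03 are consistent.
SAMPLE_LOG = """\
2007-04-23T08:01:12 00:1a:2b:3c:4d:01 gate-login ua="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
2007-04-23T08:03:40 00:1a:2b:3c:4d:01 http-proxy ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2007-04-23T08:05:09 00:1a:2b:3c:4d:01 http-proxy ua="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
2007-04-23T09:10:00 00:1a:2b:3c:4d:02 gate-login ua="Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419 Safari/419.3"
2007-04-23T09:12:30 00:1a:2b:3c:4d:02 http-proxy ua="Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419 Safari/419.3"
2007-04-23T10:00:00 00:1a:2b:3c:4d:03 gate-login ua="Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
2007-04-23T10:00:45 00:1a:2b:3c:4d:03 http-proxy ua="Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<event>\S+) ua="(?P<ua>[^"]*)"$')


def os_family(ua):
    """Classify a User-Agent the same coarse way a UA-based gate would."""
    if "Windows" in ua:
        return "windows"
    if "Mac OS X" in ua or "Macintosh" in ua:
        return "mac"
    if "Linux" in ua or "X11" in ua:
        return "linux"
    return "unknown"


def parse_log(text):
    """Yield parsed records, skipping lines that do not match the expected shape."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_inconsistent_clients(text):
    """Return {client: sorted OS families} for clients that told the gate one
    OS family but were observed with another in their other traffic."""
    gate = defaultdict(set)   # families claimed at gate-login
    seen = defaultdict(set)   # families seen in any event
    for rec in parse_log(text):
        fam = os_family(rec["ua"])
        if rec["event"] == "gate-login":
            gate[rec["client"]].add(fam)
        seen[rec["client"]].add(fam)
    flagged = {}
    for client, fams in seen.items():
        gate_fams = gate.get(client, set())
        # Suspicious only when the client went through the gate and its
        # later traffic contradicts what it claimed there.
        if gate_fams and fams - gate_fams:
            flagged[client] = sorted(fams)
    return flagged


if __name__ == "__main__":
    for client, fams in find_inconsistent_clients(SAMPLE_LOG).items():
        print(f"{client}: gate login OS differs from observed traffic: {fams}")
```

This catches the convenience variant the post describes, where the spoofed UA is only used for the login. A client that spoofs consistently for all traffic, or a browser whose UA is simply unusual, produces no contradiction, so the check is a tripwire for the lazy bypass rather than a substitute for not trusting the User-Agent in the first place.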
I bet he's reconsidering helping them now.
I was wondering whether or not schools had written policies about this type of thing, and whether this punishment was according to the book or just made up out of thin air.
It seems that most of the time when school officials are faced with an issue like this, they have no idea what they ought to do and either let it slide completely, or overreact and deal a much harder punishment than necessary. This case seems like the latter, as there doesn't appear to be any malicious intent.
The article goes over it pretty well, but Cisco Clean Access Agent, in my experience at my college, is more of a headache than it's worth. If someone has the slightest problem with anti-virus updates, they get locked out every week (I actually have to download the smart installer for them, and then patch it manually). Plus, a lot of good antiviruses aren't recognized by CCA agent as being acceptable. I currently run Windows 2003 Server as a desktop, and CCA agent doesn't play nice with me either - I have to trick CCA agent by using a virtual machine for logins. Frankly, if there was a link to this program, I'd be using it right now...
Though it's starting to sound like anyone who tries to use their hacking powers to show vulnerabilities is suddenly the bad guy.
I'd like to say I'm surprised at a school acting like this, but honestly it's about the expected behavior. Companies, schools, and institutions in general typically take the approach that if they deny it exists it will go away.
On a completely unrelated note, did anyone else notice that the read more page seemed to be down? I was getting 503 errors clicking on it.
Maybe it's just me but isn't the statement that he was going to inform Cisco sometime this summer pretty vague? What was holding him back?
I pointed out 2 widely known vulns in my university's network and I'm still serving my suspension... 2 semesters left!
Not criticizing him.
Article links to what looks like a student newspaper, "The Beacon". It's nice to see articles of this quality in a student publication; the first link does a good job explaining the situation and reporting it without bias, while the second is a well written editorial style piece that criticizes the university response.
The only problem I can see with their site is that the poll "How did you spend most of your Easter Break?" is missing a CowboyNeal option...
If you look at it out of context, their decision makes some sense, however, as soon as you apply ANY logic to it, their reaction is way too far. What is the result? I would never do research there or even TOUCH anything security related. Imagine if you got suspended because you left your lab's back door open, while there was still a guard on duty. Someone COULD break in, but there's a guard. This is similar to what he did...the security was never compromised, it may not have been the MAX (which is also a farce, because the university itself wasn't up to the most current version). Using their own logic, they should suspend their director of IT for one year for knowingly having a system not most up to date (which is what the kid did).
Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says.
While I'm all for white-hat hacking, it's unfortunate that every time someone is busted, they suddenly put the white hat on. In this case, I have to ask:
Why didn't he go to Cisco with the vulnerability YESTERDAY?
Steve Jobs openly admits to phone phreaking and calling the Pope. Both he and Bill Gates eventually dropped out of school. It's clear that, to become a person of substance, you have to be willing to challenge authority once in a while. Are we trying to raise a generation of corporate drones who are so obedient they can never pose a competitive threat to the existing oligarchy? Are we so insane we let disturbed students stay in school and own guns, but suspend ones who are merely using the university's property, paid for by their tuition, more efficiently than average?
He should have talked to the campus IT guys about this "research" before conducting it on live campus systems. I worked in campus IT at Stanford and my experience is that they might be open to seeing what you're working on and allowing it.
The article summary posted here on /. conveniently left off the next paragraph:
Maass' program was in use for approximately seven months before the University froze his UP account.
So he ran this thing for most of the school year and gave it away to his friends and put up a facebook page about it without telling Cisco? At some point it starts to look like the, "I was about to tell Cisco!" claim is just an excuse to get out of trouble. Once he had a working demonstration he should have approached Cisco, not distributed it while he put off talking to the vendor for half a year.
Still, it seems like the uni is going overboard on the punishment.
Nobody wants things to work right or work well, if it means upsetting the status quo.
They'd rather things disappear and get bitten in the ass for it in the future, than deal with it now, if it means someone's going to get embarrassed. There's no intellectual honesty anymore..
And I thought school was where you went when you wanted to learn about things, test things, build new things, and in general broaden your horizons and expand what you are capable of doing.
Wait, that is the lie people have been telling us forever.
School (high school and univ) in my opinion is a very poor excuse for "preparation" for the real world. In all of the jobs that I've had, identifying, working through, and solving problems is what its all about. Of course in school, the students are rarely if ever tasked with the first step of identifying a problem (the professors assign the homework), working through problems is an exercise of taking notes (not thinking about the problem just verbatim listing what the professor says), and solving problems normally is left to the TAs to babysit 90% of the students through anything that requires even the slightest bit of rational thought.
This guy is guilty of breaking that mold, he identified, worked through, and solved problems all on his own with no intervention from the school. Thus proving that the school is indeed useless. Because he proved that the school was a redundant and useless institution they had to punish him.
story after story, it's "this student scared us - let's git 'em!".
why is this country SO AFRAID of students and so into controlling them? I'm not sure I could survive in a modern high school or even college environment now. I'd be too angry all the time at how badly they are mismanaging our youth.
I am quickly losing all my faith and trust in the so-called 'education system' we have in the US. It's becoming not much more than babysitting and nannying.
and I fear for the kind of young adults we are going to produce from this brainwashing factory we call 'school'.
anyway, what good is there in suspending this kid? what does that accomplish? the fact that he found YOUR security flaw embarrassed you? is that a reason to punish him?
perhaps the school does not DESERVE your funding. yes, YOU fund the school - they work FOR YOU. It's not the other way around. YOU are the consumer. if school-A is giving you crap, why not take your business elsewhere? yes, school IS a business - very much so.
Summary information is incorrect. Michael Maass has not been suspended for a whole year, but rather for just a single semester, following completion of the current semester.
"...following an appeal process in which he was supported by many friends and faculty, the University ruled that Maass will be allowed to finish out the rest of this semester, but will be suspended through next semester."
Still a shame that the school even went that far. Here's to hoping that there are some further appeals processes he can follow up on.
TFA says he was running this program for seven months, and was planning on alerting cisco "this summer", and he also spread the program to his friends. Doesn't really sound like security research to me, more like bypassing the security for your own convenience. You really don't "research" a security flaw for seven months, and even spread it to other people.
Here's a more detailed follow-up on this story: http://www.networkworld.com/news/2007/042607-cisco-nac-unversity-portland.html?t51hb
Early on we ran into some policy issues at the university.
The solution...
Take the engineering department off of the campus network and maintain it ourselves.
It worked out fairly well when I was there, but resulted in some equipment deficiencies. We ended up getting the backend of the upgrade cycle, but that was fine as we were allowed to "blow them up."
This would not have worked without volunteer work and when I had returned I was already a competent admin. It probably wouldn't scale too well, but it's a good learning experience for some.
It does lead to issues though...
At one point, a professor proclaims the network seems to be having issues and at that point I poked my head up.
"Um, no it's not... I'm putting in dDNS... because it looked like fun."
Things were back up momentarily. (Hey I was young!)
The best was probably the day I rooted the servers and updated the motd.
"Under new management -- cylix"
This was of course the policy for gaining administration for maintaining systems. The final system I had to social engineer my way into... sorta... I basically made it into the server room with the prof maintaining things and he left to go get some papers. He knew I was after the final system and just wouldn't let me take it over without a fight. He had to know what I was going to do and probably just wanted to see how fast I could get my hands into the system. The moment he stepped out I tackled the keyboard like it was a drunken cheerleader.
The only catch was no denial of service. So, if you were going to bring something down... no one could notice.
Fun times!
Let's see: if you're writing a program that will circumvent security measures, and he had gone to IT and said "I'm writing a program to test CCA...", he wouldn't have been in deep water, as opposed to trying to explain why he did it afterwards: "No, I wasn't trying to hack the network, I was writing a *test application* and then going to go to Cisco"..
If he had nothing to hide in the first place, then he shouldn't have hid it in the first place.
U of P is a Catholic school with no particular engineering focus. I think he would have stood a better chance of a reasonable response had he been attending a "real" engineering school. There's nothing wrong with Catholic school, or in studying engineering at such a school, but I think this poor guy should have seen it coming... If you're going to do research like this, do it at home. If he wanted to inform Cisco of the problems, he should have just done so directly. I feel bad for the guy but it's not surprising.
If I did something like that and got caught I would say I was planning to come clean as well.
Which brings up your main, and correct, point. It's sad when we penalize so harshly for students just being clever. Would they have suspended him for a year for putting a penny in the dorm elevator (in effect locking it on a single floor during early morning rush time)??? I often joke, and I'm sadly accurate: if I did half of what I did 20 years ago in high school and later college... today... I'd be a multiple strike felon... and yet no one and no property was really ever hurt.
Total? -9 points. Not good. The university had no choice. For reference, here is the scale:
Too bad the guy may lose his scholarship. He presented it wrong, especially giving it out and not telling Cisco immediately, along with running it himself. But it doesn't deserve a full suspension for a semester.
To those who are saying "CCA doesn't recognize perfectly good antivirus packages" (and other sorts of comments). Most, if not all, of that is configurable on the backend. If your school forces McAfee, they likely removed (or never added) other products to the CCA server. The college for which I work supports Symantec, McAfee (which we give away to students), AVG, and at least a few others.
If your CCA isn't accepting an antivirus scanner you like, why not go through the proper channels to find out *why* it's not supported and see about getting that fixed?
http://www.mgridley.com/rogueUP/Rogue_Blog/Archive.html
It's a technically unwinnable war. Obviously NAC, CCA, whatever, is broken and can be circumvented by a not-so-determined adversary. This will never not be the case, nor is it necessarily a problem.
... but on second thought these systems were designed more for CYA and enforcement of preventative maintenance (a very good thing) rather than as a technically secure solution... at least that's my thinking, and I don't doubt it's at odds with advertising.
The purpose is to foster a sane environment by requiring certain levels of patching and network protection software. While this does not guarantee a system cannot be compromised, it helps a little by demanding software be installed and kept up to date.
Once a system is compromised, the scheme breaks down into basically asking a liar if they're telling the truth... which from a security POV is not useful.
The first time I heard about schemes such as these was at an MS conference in Redmond years ago where the PM for RAS touted the scan / quarantine features in an update for Server 2003.
My immediate reaction, from a technical POV, was "you've got to be kidding me".
The only secure solution is a fully trusted system, which, if it existed, would mean these solutions were not necessary in the first place.
It falls right into line with the concept of there being any reasonable expectation of protection from the use of firewalls and virus scanners. From a technical security POV this is not realistic.
Once a system fails in a way that bad code is in a position to be executed, the *game is over* right there. Scanners only work to mitigate what happens when something that shouldn't happen in the first place does. They will never be in a position to provide security guarantees.
I just finished working with the CCIE who implemented the CCA at U of P today and he said the student wasn't suspended for circumventing the CCA but rather distributing it to other students, which in my book is malicious. And for the record I work for a University around 30 miles away from U of P.
Many of the arguments we use to - justly - defend security researchers seem like they may not apply in this case.
* He used the software to bypass the security check for seven months
* He distributed the software to several other students and a professor
* He did not disclose the vulnerability to the vendor before releasing his exploit
* He did not ask permission
Now, this is not to say that the University's use of CCA is wise or its reaction was reasonably proportionate to the damage done. (If the damage and the policy violation are as minimal as the article claims, a 1-year suspension is insane.) But Mr. Maass did not do a good job of covering his ass, either.
Let this be a lesson to the next guy.
All one needs to do is spoof a browser's user-agent string (Linux or Mac), log in, and make sure you have a firewall that can restrict communication to/from the clean access server to just HTTP(S).
If you need to do more manipulation, there's always Greasemonkey.
My University uses CCA, and to bypass it... you can either not use Windows, or use Firefox and install a plug-in that allows you to modify the User-Agent to identify itself as if it were running Linux/OSX. This might not work in all cases, though.
He should have a written statement notarized and put in a sealed envelope beforehand. I once saw an interview with a journalist who was trying to expose some airport security hole and that's what he did.
Clearly you haven't learned from the movie "Catch Me If You Can".
These people can outsmart you every minute of the day if you give them reason to. Why not just employ them and get on their side?
Oh right, this isn't about security, this is another stupid power struggle.
Regardless of the student's ethics (or lack thereof), this illustrates a fallacy of trust in computing that often goes overlooked, especially in software security products: transitive (implicit) trust.
... If the administrator (of the University, some enterprise, or even a home network) cannot state anything about the trustworthiness of an unfamiliar computer, how can that same administrator trust the output of some software program designed to assert the trustworthiness of an otherwise untrusted computer?
Think about it logically for a second
Trusted input (e.g. Cisco Clean Access)
+ Untrusted computation (unknown host)
!= Trusted output (i.e. an assertion from the CCA that the computer is trustworthy)
The nature of this equation is that the untrusted computer is implicitly trusted to compute its own trustworthiness. What ramifications does that have on the real world analogies?
Banker: Can I trust that you'll repay this loan for $1 Billion?
Some joe off the street: [Hides "will work for food" cardboard sign behind his back.] Uh, sure.
And yet, how many NAC/NAP vendors actually try to challenge the unknown host (java applet, activeX control, native code, etc.)? Answer is: nearly all of them, unfortunately. Even if Cisco fixes this hole, what will happen next? This is not unlike Cisco trying to sell a perpetual motion machine-- this simply defies the "natural laws" of security.
But more malicious = forcing me to uninstall the A/V I know and trust and install some crap before I can access the #1 source of malware (the internet)?! I'm doing just fine on my own, thank you. Congrats to the student for not tolerating that crap.
If this "kid" REALLY intended to bring his findings to Cisco, then he should have been documenting not only his intent but also his findings and techniques used and this should be enough to prevent a suspension. Unless he came up with this idea of 'going to Cisco' after he got busted.
I have a hard time believing his story without some proof he'd been discussing visiting Cisco or interning there well in advance of getting busted for spoofing their APIs.
Would you care to quote the policy you claim he broke?
No, it sounds like he embarrassed the University IT administration, so they closed ranks and used a kangaroo court to express their displeasure. Dean Wormer put him on double secret probation first, I'm sure.
I work in the IT department at a university that uses CCA. If you live on-campus you're required to use CCA to connect to the University network. IIRC, the setup here doesn't check for much: anti-virus and XP SP2 if you're on Windows, and Linux users are ignored.
Support calls from students have fallen by more than 50% since CCA was put into use. Simply requiring anti-virus and SP2 has tremendously reduced the amount of garbage infecting Windows users machines. CCA has been a real boon, even if there are a plethora of ways around it.
This is truly a failure of the education system. Whenever someone wants to be innovative or do something productive with his or her education, the school system shuts that person down.
"I was planning on going to Cisco with the vulnerability this summer," Maass says. '"
Added Maass, "Right after they let me out of prison."
I wasn't burglarizing this house, I was just checking the home security system for holes!
OK this story is sensationalist BS. Maybe the summary should have stated that he USED IT FOR SEVEN MONTHS and GAVE IT OUT TO FRIENDS!? Come on, only when he gets caught does he say he was going to share his results. Yeah, that's like embezzling and then saying you were going to give all the money back when you get caught.
My university imposed this crapola on all dorm residents during the summer to test it out. I wasn't there, but my girlfriend's computer suffered the consequences of it. They forced her to uninstall the AVG antivirus and Comodo firewall that I configured, and during the transition her computer was massively hijacked. I'll admit, the dorm networks there are atrocious and this type of software might have been a good idea. Worms/viruses were absolutely rampant; two or three times a day AVG would popup saying it found a threat in some random temporary folder, and the firewall would report numerous "intrusion attempts". However, they didn't even warn people that they would be COMPLETELY unprotected while they are installing the new protection software. If I was there I would have unplugged the network cable during all this. Opening the ports for even five minutes proved disastrous. Needless to say I ended up reformatting.
They never did implement CCA after the trial. Now, the dorm network is simply bandwidth-throttled and packet-shaped to oblivion. Dial-up is faster, I am sure. It's still a security risk, but so slow that no one gives a shit.
All of you are forgetting that the STUDENT owns this hardware and has the right to install or not install any software he damn well pleases.
The responsibility of him disclosing the 'vulnerability' to Cisco is academic. Does the University have a documented policy that you are required to use CCA to access their residential network? If they do not, then he wasn't in violation of anything. If they do, then he was.
CCA is fundamentally flawed because it is, no matter what, running on a hostile host, and there will always be ways to defeat it. It's like asking some random guy off the street if you can trust them. Of course they're going to say yes.
Regardless of how long he used it (keep in mind, again, this is HIS hardware, and that in almost every case you are not permitted to opt out of the University-provided service and install something else, due to alleged 'wiring issues' (which is code for 'we don't want you to'), and even if you CAN, you can't get a refund for the Internet access your fees paid for).
The argument that his using this software somehow could bring down the entire network is absolutely ludicrous on its face; networks survived without CCA before, and Macs and Linux computers (or computers appearing as such) don't have to go through the 'validation' process anyway. Antivirus software is not a panacea, and does not detect every virus. All CCA does is let needledicked IT administrators continue to exert control over the only part of the network they know they can get away with - the student network, because students have no political power at a University. Amazingly, CCA is never required for professors' machines, or on lab machines, even though the alleged goal of CCA is the 'safety' of the whole network. Professors must just be safe by default, right?
This guy was being clever disabling the security software, nothing more. He got caught and now he's whining.
It may be unpopular, but when you connect your computer to some networks you do so under agreement which may limit what you can do, may require you to consent to monitoring, and may require you to install software to enforce the terms of that agreement. Tampering with the software may be a violation of that agreement, it doesn't matter if it's "your" computer, we're talking contracts here.
There's nothing extraordinary about someone with physical access and superuser/administrative access rights being able to modify the software on their own machine. And if you can debug a client app, then you can write your own app that can pretend to be that client when talking to the corresponding server.
If he was a security professional then he would have done this in a lab, not on his own machine, and would have reported the results in a timely fashion, not "I was going to get around to it", and would not have distributed exploit code to his friends.
This guy's behavior violated pretty much any acceptable use policy I've ever seen or written, and he got a punishment probably on the stiffer end of the scale because his behavior doesn't appear to show any mitigating circumstance.
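Two comments above make the same structural point from different angles: the transitive-trust post (trusted input plus untrusted computation does not give trusted output; the untrusted host is asked to compute its own trustworthiness) and this one (anyone with superuser access can debug the client and write their own program that talks to the server as that client). The toy exchange below, an added example and not Cisco's protocol or code from the thread, shows both sides of such a posture check. The message format, field names and the agent's embedded key are invented for illustration; the point is that even a signed report is only as truthful as the host that produced it.

```python
"""Toy posture-check exchange: an agent reports the host's patch and AV
state to a server, which decides allow/quarantine. Added example; protocol,
fields and key are constructed and do not describe any real NAC product."""
import hashlib
import hmac
import json

# Assumption for the example: the shipped agent carries a shared secret so
# the server can tell agent traffic from arbitrary HTTP. Anyone who can debug
# the agent on a machine they administer can read this key out of it.
AGENT_KEY = b"key-baked-into-the-shipped-agent"   # constructed


def sign_report(posture, key=AGENT_KEY):
    """Agent side: serialize the self-reported posture and MAC it."""
    body = json.dumps(posture, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "mac": tag}


def server_verdict(report, key=AGENT_KEY):
    """Server side: verify the MAC, then decide from the *claimed* posture.
    Nothing here can observe the client machine; only the message exists."""
    body = report["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, report["mac"]):
        return "reject: bad signature"
    posture = json.loads(body)
    compliant = (posture.get("av_installed") and posture.get("av_current")
                 and posture.get("os_patched"))
    return "allow" if compliant else "quarantine"


def honest_agent(actual_state):
    """The vendor agent: inspects the host and reports what it finds."""
    return sign_report(actual_state)


def spoofed_agent(_actual_state):
    """An emulated agent written after debugging the real one: ignores the
    host entirely and reports compliance, signed with the lifted key."""
    return sign_report({"av_installed": True, "av_current": True, "os_patched": True})


def run_exchange(agent, actual_state):
    """Run one client -> server exchange and return the server's verdict."""
    return server_verdict(agent(actual_state))


def tamper_without_key(actual_state):
    """Edit an honest report's body without re-signing. This is the one
    attack the MAC does stop: it protects the message, not its truth."""
    report = honest_agent(actual_state)
    report["body"] = report["body"].replace("false", "true")
    return server_verdict(report)


UNPATCHED_HOST = {"av_installed": False, "av_current": False, "os_patched": False}  # constructed

if __name__ == "__main__":
    print("honest agent, unpatched host :", run_exchange(honest_agent, UNPATCHED_HOST))
    print("spoofed agent, unpatched host:", run_exchange(spoofed_agent, UNPATCHED_HOST))
    print("edited body, stale MAC       :", tamper_without_key(UNPATCHED_HOST))
```

The honest and spoofed agents produce reports the server cannot tell apart, because the verdict is a function of bytes the host chose to send; the MAC only rules out a third party rewriting them in transit. That is the "asking a liar if they're telling the truth" problem stated in code, and it is why the thread's remark about needing a fully trusted system is the right framing: short of evidence rooted somewhere the host cannot rewrite, a self-reported posture is a policy-enforcement convenience, not a security guarantee.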
All week I've been reading how the kid at Virginia Tech couldn't be dismissed from school even though he stalked, threatened and oozed a violent psyche to the point of having 2 professors ask the university for help with him. Universities should only protect students as vigorously as they seem to protect themselves in this case.
These days, access to the campus network is a right, not a privilege. Access is required in order to do research, use learning management systems, communicate, ad infinitum. Any student denied access to this vital resource without probable cause should sue.
While it is certainly within the university administrator's rights to deny network access to computers causing network problems; telling students that they must install software that effectively gives the university administrative control over the student's own property is an egregious violation of their privacy, and a security blunder just waiting for an exploit. When that exploit is found, and it will be, students should hold the university liable for the breach and subsequent damages. Students do not pay thousands of dollars for screaming hardware just so their word processor might still barely function after all the other cycles have been consumed by overzealous anti-virus crap.
Teacher, leave those kids alone.
From what I gather, the breach occurred on his own computer!? Since when does keeping your own computer private from the intrusive eyes of others count as a computer crime?
Essentially, what the university is asking for is the root password to your own machine, in exchange for network access. I think I'd rather do without the university network if I had to run snoopware.
And on what ethical principle does the university believe they have a right to own a machine for which they haven't paid? I can understand they are trying to combat network problems caused by viruses, but the correct response is not to install spyware, but rather simply to cut off the network connections of those machines infected. They have no right to install backdoors on machines they don't own.
And even so, he doesn't deserve to be punished for effectively taking control over his own machine. It belongs to him, not the university!
The society for a thought-free internet welcomes you.
"mess with a teacher's mind: that's a paddlin', too"
--
"It is now safe to switch off your computer."
They have enough money and power and shares....
If any thing, give the info to a smaller competitor so they can exploit it in marketing.
Unless you know the IT admin or department head personally, don't go being a hero and make them look bad.
If they aren't your friend, they are your enemy
Liberty freedom are no1, not dicks in suits.
is secured beyond the basic yoyo windows software and lives on either a separate network or on secure servers on the network.
They would have gunned down that Korean dude.
Either way, there are ways to attack someone who has a gun without a gun, and actually WIN.
1. Find a fire hose, and spray the whole floor so its slippery when running, you can even spray it directly on him to make him fall.
2. Get a fire extinguisher and spray him/hallway/room like hell so its so foggy you cannot see anything, and breathing those chemicals in is not nice either.
Liberty freedom are no1, not dicks in suits.
When things like this happen, people are always saying how horrible it is that the poor guy got in trouble. After all he wasn't doing anything wrong, just trying to help their security get better. Using the same logic, I guess I shouldn't have a problem with someone picking the lock to my house and walking around, even if they say they were going to write the lock company about how they did it. I know it's not related to the article's situation, but I'm tired of people jumping immediately to the side of the hacker/cracker. As far as the University "owning" your computer for use of their network, if you AGREED to the contract, I can understand why they'd be mad if you broke your end. AND do you really want students in your institution who don't have the integrity to honor contracts that THEY signed into? It would be one thing to do this in a controlled laboratory type setting, but this man obviously did not. I honestly have no sympathy for him. Oh and for the poster who says we want to raise our children to be corporate drones when it pays for Jobs to be somewhat anti-authority: We only want those who are smart enough to NOT GET CAUGHT.
University IT staff are almost all dork sysadmins. They handle the unknown almost superstitiously just a bit more advanced than using lucky charms to aid them. When something like this happens they freak and pull out their "lucky" conviction charm.
Democracy Now! - uncensored, anti-establishment news
The system is broken when it makes more sense to make the vulnerability known on a blackhat IRC channel than to the proper people that should know what is broken. At least the blackhats won't throw you in jail or suspend you. If anything, you might come out ahead.
Persay? What is persay?
Is it some kind of margarine? Something you put in your hair?
why this student would be involved in a "power struggle"?
What I learned from the movie was "Use your powers for good instead of evil."
It's a Catholic School. Of course they are terrorizing the students over something trivial, and the students are too terrified to give their names when criticizing the school.
I'm surprised they aren't beating everyone involved and requiring them to recite the rosary 50 times while kneeling on a board full of nails.
For those of you who can't read, what the summary neglects to mention is that the guy was running this kind of reverse-rootkit for 6 months. 6 months is a long time to "test" a vulnerability. In all likelihood he just started yapping to cover his own ass, when in truth he probably never intended to go public with the vulnerability and just wanted to go on being "leet" clandestinely. I agree it's a shame that top-dollar commercial products used by the largest organizations have such glaring holes, but this kid was no Jesus Christ of Cisco, he was yet another ePeen going down the wrong path. Had he wanted to help improve network security, he would have worked with Cisco or his IT department since day one, and probably gotten great kudos for it. Instead he got suspended and will have to look for exploits in a burger joint.
-Billco, Fnarg.com
Many posters seem to miss the point about WHY this is bullshit. The articles are basically missing the point, too. It's not bullshit because he was "planning" on reporting it, everyone agrees there. It's bullshit because all he was doing was disabling software that ran on his own computer. HIS OWN COMPUTER. HE DID NOT HACK INTO ANY SCHOOL COMPUTER. He didn't want to run the school's required AV software so he made it look like he was using Linux. Or he had Firefox hide the OS he was running completely. Either technique works fine, except that Cisco recently blocked the second by default in the newer CCA releases. That's it. He just changed his user-agent in Firefox and wrote a program that made it easy for other people to change their user-agent through the Firefox config. IN ESSENCE HE IS BEING SUSPENDED FROM SCHOOL AND POTENTIALLY LOSING HIS ROTC SCHOLARSHIP FOR DISTRIBUTING A PROGRAM THAT MAKES IT EASY TO EDIT A TEXT FILE. That, my friends, is a great example of university administration stupidity. I once had a friend who worked as a molecular biologist at a Michigan university; he always said that "[upper] school is the center of all bullshit in the universe." Too funny...
Anyways, Cisco added a technique to detect a faked user-agent a while ago. Now they do an OS fingerprinting scan to root out Windows machines. With the long boot times of this Cisco program, it makes using Windows on the university network into a huge pain in the ass, which is probably a good thing anyways. But it's laughable that anyone could be suspended for trying to fool it. It's like suspending someone who drives a Honda to school with a fake Type-R tag and rear "spoiler".
Way to go, University of Dumbass.
Yeah my Uni has something like this for windows. Bradford Network Agent, which forces TrendMicro AV down your throat. (You must uninstall all other AVs...) Now I'm all for security, but there wasn't any granular control to speak of. "A false positive. Hmmm... Well surely there is an exclusion option..." 20 minutes later, and guess what? Still no exclusion. So I say, screw that. Block the heartbeat ping they have on the network at my firewall, remove network agent. No problems so far. Go to remove their Trend Micro... And guess what? I need a password. I need THEIR permission to remove a program on MY 2000 dollar machine. Needless to say I removed it re-booted to *nix, authenticated and no worries.
What a crock-o-blank,
;-)
Typical University IT people not knowing what the hell they are dealing with. Think this "breach" was a big deal? Think again.
Know how to use the Windows Registry? You'll love how simple this is...
Cisco Clean Access looks for several registry keys that determine which Windows patches are installed and which are not. It also looks for registry info to give the system a look at what anti-virus package they are running and which DAT file they have. Basically, all his program would need to do is create entries in the registry in the locations where Clean Access would look. It would defeat the security check and the remediation process very easily.
This is not a vulnerability, it is the means by which the system works.
1. User connects to the network. When a browser is launched, the user is redirected and prompted to install the Clean Access Agent from the Clean Access Server.
2. The user is presented with a login box where he/she would log into the system.
3. The Clean Access Agent checks for several registry flags to determine which Windows Updates are installed and what anti-virus/anti-spyware is installed. It will also check the registry for anti-virus/anti-spyware DAT/REG file date and versions.
4. If the system is not up to date, they are passed to a temporary role (remediation stage) where they are only permitted access to selected sites to download the updates they need.
5. Users are left in the temporary role until they fulfill the logon requirements. Once the requirements have been completed, they are passed to the main role allowing full access to the network.
Now...for the easy part...
Wanna get around the CCA check without installing patch KB918439? Create the following registry keys ending with Filelist.
[\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB918439\Filelist\]
How about getting around AV installation (McAfee VirusScan Enterprise as an example)? Create the following registry keys ending with VirusScan Enterprise.
[\HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\]
How about getting around a forced DAT update? Create the following registry keys ending with CurrentVersion. Also create a string value called szVirDefVer with the value greater than 5018.
[\HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\]
Heh...that wasn't so bad...was it?
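The post above makes the defender's point implicitly: every one of those checks reads a registry key the client itself can write, so the agent is grading a self-report. The following is an added example (not code from the post, from Cisco or from the product) that models the three checks exactly as described, run over a constructed .reg export, and then shows the decision a posture system should actually make: a claim with no independent corroboration lands the host in the remediation role. The key paths and the 5018 threshold come from the post; the parser, the function names and the "console record" corroboration source are assumptions made for the example.

```python
"""Registry-only posture check versus a corroborated one (constructed example).

Parses a Windows .reg export, evaluates the three registry checks described
in the post (KB918439 Filelist key, VirusScan Enterprise key, szVirDefVer
above 5018), and then decides access.  The defensive point is in decide():
a registry key the endpoint can create is a claim, not evidence, so the
verdict also requires an independent record (here a constructed stand-in
for an AV management console or patch server report).
"""
import re

# Key paths taken from the post; written in standard .reg form (no leading
# or trailing backslash).  NOTE: these are the paths the post names, the
# example does not verify them against any CCA release.
KB_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB918439\Filelist"
VSE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise"
DAT_KEY = VSE_KEY + r"\CurrentVersion"
MIN_DAT_VERSION = 5018  # threshold quoted in the post

# Constructed sample export: exactly the keys and value the post describes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB918439\Filelist]

[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise]

[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion]
"szVirDefVer"="5021"
"""

# Constructed corroboration records (assumed shape: one flag per check).
# A host that has never reported to the AV console or patch server gets
# no corroboration even if its registry looks perfect.
NO_CONSOLE_RECORD = {"kb918439": False, "av_installed": False, "dat_current": False}
CONSOLE_RECORD_OK = {"kb918439": True, "av_installed": True, "dat_current": True}

_VALUE_RE = re.compile(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from .reg text.

    Handles string ("...") and dword values; other types and the file
    header are skipped.  Keys with no values still appear with an empty dict,
    which is all the Filelist check needs.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, as_str, as_dword = m.groups()
            keys[current][name] = as_str if as_str is not None else int(as_dword, 16)
    return keys


def registry_posture(keys):
    """Evaluate the three registry-only checks the post describes."""
    dat_ver = keys.get(DAT_KEY, {}).get("szVirDefVer")
    try:
        dat_ok = int(dat_ver) > MIN_DAT_VERSION
    except (TypeError, ValueError):
        dat_ok = False  # missing or non-numeric version never passes
    return {
        "kb918439": KB_KEY in keys,
        "av_installed": VSE_KEY in keys,
        "dat_current": dat_ok,
    }


def decide(posture, corroboration):
    """Grant the main role only when every registry claim is independently backed."""
    for check, claimed in posture.items():
        if not (claimed and corroboration.get(check, False)):
            return "remediation"
    return "full_access"


if __name__ == "__main__":
    posture = registry_posture(parse_reg_export(SAMPLE_REG))
    print("registry says:", posture)
    print("no corroboration ->", decide(posture, NO_CONSOLE_RECORD))
    print("corroborated     ->", decide(posture, CONSOLE_RECORD_OK))
```

Run stand-alone, the registry view reports all three checks satisfied, yet the host is still placed in remediation until a source the endpoint cannot write agrees with it. That is the design change the post's walkthrough argues for, whatever one thinks of the suspension.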
I read the article and still am not clear on what the program was supposed to do. Apparently there was a piece of software in place that monitored the computers for security reasons. Let's, for simplicity's sake, call it a virus scanner.
Now did he write a program that DISABLED the virus scanner in some ways?
Did his own program then REPLACE this virus scanner with his own?
If so, then he is indeed in the wrong.
He should instead have written a virus scanner sitting behind or in front of the existing one to augment its capabilities. Then nothing would be wrong, the required software is still in place and working BUT his own software would be making it more secure, always presuming of course that his own software IS in fact more secure.
This is the crux of the matter, who says his software was better and that by him replacing the default software he made the system more secure? We got only his word for that.
See it like this, say that the dorms are required to have a fire extinguisher in every room. Now a person comes along and says that the devices ain't good enough, too small and don't work in certain conditions. What should he then do? Replace them with a model he claims to be better OR put that model NEXT to them.
I can argue till I am blue in the face with the local firechief but replacing mandated equipment and facilities is NOT going to be accepted. ADDING to them is. Just because only a handheld bottle of eye-washer is needed doesn't mean I can't install the full shower version. Just as long the bottle is still there. Just because the helmet is required at the building site doesn't mean I can't wear ear/eye protection as well, just as long as I still wear the helmet.
Granted there are problems with this, it could be that policy requires you to use the small fire extinguisher first, that you know won't work, to fight a fire and that you cannot touch your own that does work because by then you will have burnt to death.
If the existing virus scanner has an exploitable weakness, having your own program behind it doesn't work. If the policy requires the existing security software to be the first in line, and if it itself can be exploited so that a second program behind it never gets a chance to stop the intrusion, you are screwed.
Setting your own software in FRONT is probably against policy, after all if your own software is flawed then it can be exploited before the required software has a chance.
It is difficult but frankly that is what you get when departments get too large. You need rules but will inevitably find that the rules restrict legitimate use. The answer? Don't use them.
What I think is however far more likely in this case is that we are talking the ancient and dreaded evil of the crushed ego. Who wants to take a bet that someone at the IT department didn't just feel peeved to have the software he/she chose as being secure exposed as being insecure? Yeah, sure, YOU would use such a comment to learn and implement a better solution. You are a saint to be sure but most people would just come down like a ton of bricks on the messenger, lest their supervisor starts asking just what you are getting paid for.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Granted, he broke University network AUP and/or security policy...but that's it. "disrespect for authority, disrespect for property, disorderly conduct and fraud" are ridiculous charges created by a kangaroo court established by a University administration going overboard because they think this guy is some sort of hacker doing damage to their networkz. They obviously are A) embarrassed and B) ignorant of what he even did.
And just what did he do? Disable software on his machine designed to check for patches/updates/antivirus/etc. That's it. He disabled a piece of monitoring software on his own machine. His machine was probably up to date, running antivirus, and secure. If this is the case, there was no greater risk to any University systems. Nothing changed except effectively spray painting over a camera aimed at his computer screen.
He was probably just exploiting flaws in the very design of CCA. You own the box, it's not hard to imagine fooling some stupid software that you have other software installed. CCA seems like an expensive waste of IT resources to me. If these network admins were competent they wouldn't need CCA to protect their network and other students attached to it from infected systems.
Obviously some discipline is in order for breaking network policy, but I'd probably stop at suspending his network access. Why should he suffer academically (and probably financially) for bypassing some lame computer monitoring software on his machine? It's complete stupidity in academia like this that sours me on the whole thing. I'm halfway through college myself, and I already feel bitter about the whole thing.
Oh, and it isn't "The Law" either: just a local policy.
Your rules are after the event demands.
I (the student) was told before I decided on your school that I would be provided with access to your network. The school forces me to use the network for homework and many other things. I was not told of the unreasonable demand that you require admin access on my machine.
This adds up to a demand for admin access or else.
"Hopefully, he learns something about the importance of organizational policies, the law, and the potential impact of his own actions."
No, that would be the wrong lesson. The lessons in increasing order:
1) Don't tell anyone you did it.
2) If you want to have fun, just release this anonymously
3) People who run networks have little to no power, so when they get in the position to hold something over you, they will
4) Because people who run networks by and large aren't very competent. They passed some Cisco tests and don't really have an inherent feel for what is good policy and what is a placebo.
Lastly (and arguably most important), he should also learn that
5) Some people always try to do the "...and he should be thrown in jail for those terrible actions..." thing on the internet (kind of like you right now) because they think it gives them the moral high ground. In fact, it just shows that they're likely a network administrator who always has users laughing at them.
Please. /. is going to swing on this: " Student Attempting To Improve School Security Suspended"
Firstly, the title of the article shows which way
Attempting to improve security? Really? How precisely was he 'attempting' to improve anything. It reads to me that he found an exploit AND EXPLOITED IT. He didn't immediately approach CISCO, or an academic advisor, or anyone.
Other posters in this thread talk about oppression and crap - what a laugh. It's the Townsend defense: Yes, officer, I was looking through pedophilic pron because I wanted to catch these darn bad guys, I was JUST about to come tell you about it.
It's very simple to do white hat research.
1) tell someone what you're doing. If you feel you might want to 'sell' the idea or there's some reason you don't want to be too specific, don't be. But TELL someone - even a discussion with your lawyer can later be used as strong evidence about your ORIGINAL INTENT
2) document what you're doing
3) if someone interrupts you and says "aha, we caught a criminal" you have a paper trail AND at least one witness that you laid the groundwork for something non-criminal beforehand.
The problem is that actions like this look JUST LIKE the crimes they purport to prevent. So much so, it's very, very easy to claim that's what you were doing after the fact. So the burden is upon YOU to prove that your explanation is not just after-the-fact rationalization.
-Styopa
I manage a part of a university IT department. I am dumbfounded about exactly how dense students are about computers - these are non-cs/engineering students btw - students were shocked that I could tell (even when they clicked the little 'encryption' checkbox) that they were using BitTorrent. That I had their username and if I cared - which I don't - I could have a whole lot of information about what they were doing.
Our problem is the opposite - students are too stupid (or simply embrace a kind of self-interest that is rather short sighted) to update their virus protection software, or patch their OS or set their passwords to something that isn't easy to guess. So we do need something to enforce these kinds of policies - We have looked at Cisco's product (for the first two) and aside from being ridiculously expensive it's a pain. The fact that there is no standardized way of querying antivirus software over a network is also annoying. In the end we may end up writing some client software of our own and combining it with packet fence.
In short I'm familiar with the problem that this Uni is trying to solve but I don't really view students like this as the problem.
Rigorous testing before releasing code to its intended recipients is something you should be ENcouraging in your employees, not DIScouraging -- your real name isn't "Gates" is it?
CCA, and other NAC solutions, are designed to be used in a business environment (i.e. the same AV, the same anti-spyware, the same firewall, the same patch levels, etc are all in use by all the workstations). It works well in this case (a homogeneous environment). It is impractical for a situation when you don't control the software load on all of the workstations you are subjecting to it. However, if a school decides that to connect to their network, you need to be protected with a minimal set of "security" software, this is the only way to enforce that right now. So what is the school to do? Require everyone to run an up-to-date version of specific software or let students connect machines with god-knows-what, increasing the risk to everyone on the network? Not a clear-cut answer.
...without permission.
This is akin to finding someone sitting in your house, the entire place apparently untouched, and they explain "Oh, I was just checking the security on your locks; turns out it's fairly bad. I was going to tell you later...", and it's not okay.
If you think you've seen a security hole, stop, tell the person responsible _immediately_. With luck, they can give you a dummy system to test it on without risking getting yourself into trouble.
If the people responsible for security ignore you, get someone else to back you up. In this case, talk to one of the staff who is knowledgeable about computers, or the student newspaper.
How many Portlocks does it take to administer university policy?
None, they still haven't figured out how to interpret common sense.
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
This letter sheds more light on the situation at the University of Portland:
http://www.mgridley.com/rogueUP/Rogue_Blog/9BD8422D-41DE-4D2B-8ED9-4857FB490BAC.html
Anonymous Letter to President
Saturday, April 21, 2007
This is a letter written to the president of the university. The letter expresses a current senior's concerns regarding The VP of IS and the dissent shown in the school due to the administrative decisions.
"Mr. [President],
As I sat down to write this letter, it dawned on me that I had the recipient wrong. My first intention was to address this letter to [the VP of IS] himself, but seeing as how any dissent within this school is now met with his iron fist, I feel it may be more effective to address it to someone of higher stature and character.
As I prepare to graduate from this University I can't help but look back on the past years here with regret and disappointment for what should have been a great experience at the University of Portland. Day in and day out, as I proceed from class to class and socialize with the many students that I come into contact with, it is abundantly clear that [the VP of IS] is completely despised by not only the student body of this school, but the faculty as well. Unfortunately, the latter is not in a position to which they can voice their opposition to his actions, as he has made it abundantly clear that disagreement of his ridiculous policies is not tolerated.
Year after year, the school raises tuitions and increases technology fees, and proportionally students get less and less in return. Technology fees were raised to pay for printing costs (at an absurd rate of 5 cents per page), yet that unused printing money is kept by the school at the end of the year. Computer labs with non-functioning computers are the norm in the Engineering building, as are unreliable wireless connections. I am well aware that the wireless is relatively new, but for the $30,000+ students pay in tuition, they have a right to expect uninterrupted, reliable, and fast systems. The fact that half of the computers in the EGR labs don't work is simply unacceptable.
Recently, the IS division began taking it upon themselves to decide what internet content is appropriate for students to access. Students are no longer able to download torrents of free and community driven Linux distributions. Open-source software such as this is at the root of what a computer science program is based on. [The VP of IS], with his "information technology" degrees, does not seem to understand what it means to collaborate with other research minds to further progress the field and benefit the community as a whole.
While students in campus owned housing are living with mold, rats, and other dangerous conditions (due to a lack of funds, according to res-life) -- our tuition money is now being spent on appliances to actively support the RIAA and MPAA, two private entities which have no legal authority. Additional money is being spent on hardware to actively block Access Points on campus, which unfortunately blocks AP's for off-campus residents in the surrounding neighborhood as well. Due to a lack of response from [the VP of IS], this situation is now being reported by the victim to the FCC and other state and federal agencies as we speak, as this is completely illegal per Title 18 of the COMPUTER FRAUD AND ABUSE ACT and referenced multiple times in the USA PATRIOT ACT.
The Cisco Clean Access/Michael Maass situation has been well documented through multiple articles in the beacon, and there's nothing I can add that hasn't already been voiced by other students here. I know of no other school and no other person who would go to such great lengths to throw the PATRIOT ACT against one of their own students (as if he's a terrorist) for something so easily rectified with a warning and a clarification of policies. It is simply one more instance of this s
Stop helping the retarded fools, fuck them, be one of the bad guys.
LEET LEET LEET LEET LEET K-Rad! I'll bet those lecturers were really cross...
The purpose of existence is to make money.
If any virus-infested machine can take down your network by merely connecting to it, you obviously don't own your network. You just think you do.
Ok, it's trollish, I'll admit, but I'm disgusted with network admins that push the responsibility for their network back onto the users. I'm a professional engineer, and people expect my stuff to work, even under adverse circumstances. Is it too much to ask the same of a network admin?
The society for a thought-free internet welcomes you.
If only he'd been a Slashdot reader before now, he'd know never to do an institution or corporation a favour. That's like pointing out their weaknesses, and they'd rather just have everyone believe they're already perfect.