Slashdot Mirror
Student Attempting To Improve School Security Suspended
TA_TA_BOX writes "The University of Portland has handed a one-year suspension to an engineering major after he designed a program to bypass the Cisco Clean Access (CCA). According to the University of Portland's Vice President of Information Systems, the purpose of the CCA is to evaluate whether the computers are compliant with current security policies (i.e., anti-virus software, Windows Updates and Patches, etc.). Essentially the student wrote a program that could fool the CCA to think that the computers operating system and anti-virus were fully patched and up to date. 'In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says. '"
Guess I *won't* be doing that automated WiFi stumbler as a senior project...
Paleotechnologist and connoisseur of pretty shiny things.
Early only we ran into some policy issues at the university.
The solution...
Take the engineering department off of the campus network and maintain it ourselves.
It worked out fairly well when I was there, but resulted in some equipment deficiencies. We ended up getting the backend of the upgrade cycle, but that was fine as we were allowed to "blow them up."
This would not have worked without volunteer work and when I had returned I was already a competent admin. It probably wouldn't scale too well, but it's a good learning experience for some.
It does lead to issues though...
At one point, a professor proclaims the network seems to be having issues and at that point I poked my head up.
"Um, no it's not... I'm putting in dDNS... because it looked like fun."
Things were back up momentarily. (Hey I was young!)
The best was probably the day I rooted the servers and updated the motd.
"Under new management -- cylix"
This was of course the policy for gaining administration for maintaining systems. The final system I had to social engineer my way into... sorta... I basically made it into the server room with the prof maintaining things and he left to go get some papers. He knew I was after the final system and just wouldn't let me take it over without a fight. He had to know what I was going to do and probably just wanted to see how fast I could get my hands into the system. The moment he stepped out I tackled the keyboard like it was a drunken cheerleader.
The only catch was no denial of service. So, if you were going to bring something down... no one could notice.
Fun times!
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
Total? -9 points. Not good. The university had no choice. For reference, here is the scale:
Too bad the guy may lose his scholarship. He presented it wrong, especially giving it out and not telling Cisco immediately, along with running it himself. But it doens't deserve a full suspension for a semester.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
I wasn't buglarizing this house, I was just checking the home security system for holes!
I did the responsible thing. I was walking down the street checking the front doors of my neighbors. Of course I wasn't in my neighborhood being as how that area was boring to me. I found an open door and felt it was necessary to check the house to see if they had left anything else unlocked or exposed where someone who was malicious could find it. Unfortunately the police showed up and as I tried to explain that I was just helping by relocating the valuables to a safe location until I could inform the owners of their security diffect. They refused to believe me so I came here to tell my story so I could get the support I need. Thanks guys.