Slashdot Mirror

← Back to Stories (view on slashdot.org)

Student Attempting To Improve School Security Suspended

Posted by Zonk on from the no-good-deed-goes-unpunished dept.

TA_TA_BOX writes "The University of Portland has handed a one-year suspension to an engineering major after he designed a program to bypass the Cisco Clean Access (CCA). According to the University of Portland's Vice President of Information Systems, the purpose of the CCA is to evaluate whether the computers are compliant with current security policies (i.e., anti-virus software, Windows Updates and Patches, etc.). Essentially the student wrote a program that could fool the CCA to think that the computers operating system and anti-virus were fully patched and up to date. 'In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says. '"

3 of 282 comments (clear)

  1. University of Portland by pclminion · · Score: 3, Informative

    U of P is a Catholic school with no particular engineering focus. I think he would have stood a better chance of a reasonable response had he been attending a "real" engineering school. There's nothing wrong with Catholic school, or in studying engineering at such a school, but I think this poor guy should have seen it coming... If you're going to do research like this, do it at home. If he wanted to inform Cisco of the problems, he should have just done so directly. I feel bad for the guy but it's not surprising.

  2. Re:This summer? by mark-t · · Score: 3, Informative

    ....or.... I could *READ* the TFA and discover he had been using it for seven months and given copies to his friends.

    I take back what I said before.

    The idea that he was about to tell Cisco about it is a pretty weak cover story, given his behaviour.

    --
    File under 'M' for 'Manic ranting'
  3. From the misleading headline department by peacefinder · · Score: 3, Informative

    Many of the arguments we use to - justly - defend security researchers seem like they may not apply in this case.

    * He used the software to bypass the security check for seven months
    * He distributed the software to several other students and a professor
    * He did not disclose the vulnerability to the vendor before releasing his exploit
    * He did not ask permission

    Now, this is not to say that the University's use of CCA is wise or it's reaction was reasonably proportionate to the damage done. (If the damage and the policy violation is as minimal as the article claims, a 1-year suspension is insane.) But Mr. Maass did not do a good job of covering his ass, either.

    Let this be a lesson to the next guy.

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd