Slashdot Mirror

← Back to Stories (view on slashdot.org)

Student Attempting To Improve School Security Suspended

Posted by Zonk on from the no-good-deed-goes-unpunished dept.

TA_TA_BOX writes "The University of Portland has handed a one-year suspension to an engineering major after he designed a program to bypass the Cisco Clean Access (CCA). According to the University of Portland's Vice President of Information Systems, the purpose of the CCA is to evaluate whether the computers are compliant with current security policies (i.e., anti-virus software, Windows Updates and Patches, etc.). Essentially the student wrote a program that could fool the CCA to think that the computers operating system and anti-virus were fully patched and up to date. 'In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says. '"

9 of 282 comments (clear)

  1. University doing a favor by Anonymous Coward · · Score: 5, Insightful

    It seems obvious that the suspension is a favor done by the university. A person of this caliber could do better in the workforce or a better university instead of TEACHING the university...

    1. Re:University doing a favor by bfizzle · · Score: 5, Insightful

      I wouldn't want to hire someone who wrote a piece of software that clearly violates University Policy and used it for 6 months. Its one thing to write the software, distribute it as a proof of concept and let Cisco or the University fix it. Its a whole other to write the said software and use it to exploit the hole for an extended period of time then claim you were going to tell Cisco months later. His actions sing a whole different song than his words.

  2. Don't do security research in the US by Anonymous Coward · · Score: 5, Insightful

    Anyone in the software biz should know: don't do security research (look for vulnerabilities) in commercial software or commercial websites if you want to be in the US. If you find a vulnerability, like a website that lets you launch missiles by putting &loggedIn=true in the URL, the best thing to do is to laugh to yourself about it, and forget it. Failing that, use some secure anonymous service and post the vulnerability somewhere. Doing the responsible thing, like informing the vendor, is absolutely thankless and likely to result in nothing but problems. Be smart, don't be a hero. Don't try to improve the security of others.

  3. Stop instituationalizing young people by iamacat · · Score: 5, Insightful
    It's unavoidable that a bright C.Sci student will bypass some university security measures, for some of the following reasons

    • Bypass cloying "for your own protection" software that he and his computer-literate friends do not need anyway. Besides, what security updates if you have Mac/Linux?
    • Impress a girl by resetting her lost password or re-enabling account in her undergrad school
    • Explore a realistic network structure and challenges of its administration
    • Repair the system when it's down, admin can not be bothered and final project is due tomorrow at 8:30


    Steve Jobs openly admits to phone phreaking and calling the Pope. Both he and Bill Gates eventually dropped out of school. It's clear that, to become a person of substance, you have to be willing to challenge authority once in a while. Are we trying to raise a generation of corporate drones who are so obedient they can never pose a competitive threat to existing oligarchy. Are we so insane we let disturbed students stay in school and own guns, but suspend ones who are merely using university's property, paid for by their tuition, more efficiently than average?
  4. Re:Getting past two imflammatory headlines by yali · · Score: 5, Insightful

    In any case, he didn't go around giving out exploit code...

    From TFA:

    "I was planning on going to Cisco with the vulnerability this summer," Maass says. Maass' program was in use for approximately seven months before the University froze his UP account. Additionally, he gave the program to several friends and one professor.

    Also from TFA:

    Moreover, [fellow student] Vandermeulen said, many people are frustrated with CCA. CCA has sometimes taken up to 20 minutes to load on Vandermeulen's computer, he said. "I hear so many complaints (that) I'm not surprised that someone would go ahead and try to write something that would completely bypass it," he added.

    I don't think this guy deserved the punishment he got. But the whole, "I was just trying to help them" argument sounds fishy. Seems more likely that the uni put cumbersome security requirements on students, this guy tried to circumvent them, and the IT folks caught him and overreacted.

  5. This illustrates "transitive trust" fallacies by malcomvetter · · Score: 4, Insightful

    Regardless of the student's ethics (or lack thereof), this illustrates a fallacy of trust in computing that often goes overlooked, especially in software security products: transitive (implicit) trust.

    Think about it logically for a second ... If the administrator (of the University, some enterprise, or even a home network) cannot state anything about the trustworthiness of an unfamiliar computer, how can that same administrator trust the output of some software program designed to assert the trustworthiness of an otherwise untrusted computer?

    Trusted input (e.g. Cisco Clean Access)
    + Untrusted computation (unknown host)
    != Trusted output (i.e. an assertion from the CCA that the computer is trustworthy)

    The nature of this equation is that the untrusted computer is implicitly trusted to compute its own trustworthiness. What ramifications does that have on the real world analogies?

    Banker: Can I trust that you'll repay this loan for $1 Billion?
    Some joe off the street: [Hides "will work for food" cardboard sign behind his back.] Uh, sure.

    And yet, how many NAC/NAP vendors actually try to challenge the unknown host (java applet, activeX control, native code, etc.)? Answer is: nearly all of them, unfortunately. Even if Cisco fixes this hole, what will happen next? This is not unlike Cisco trying to sell a perpetual motion machine-- this simply defies the "natural laws" of security.

    --
    NAC is not the answer. How about those good ol' 3270 connections?

  6. RTFA before commenting... by msauve · · Score: 4, Insightful

    "There was nothing in [the policies] that stood out to me that I would be in violation of," Maass said of his thinking at the time he authored the program.

    Maass was charged with "violations of the Acceptable Use Policy, the Network Security Policy, disrespect for authority, disrespect for property, disorderly conduct and fraud," according to a letter he received from the University Judicial Board...

    "A lot of these policies are written to be very vague and flexible so that they can be [used] in whatever situation they (the University) need to use them in," he [Maass] says...

    Goldrick [ vice president of student services] declined to comment on issues concerning policies.

    Would you care to quote the policy you claim he broke?

    No, it sounds like he embarassed the University IT administration, so they closed ranks and used a kangaroo court to express their displeasure. Dean Wormer put him on double secret probation first, I'm sure.
    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  7. Bait and Switch by litewoheat · · Score: 4, Insightful

    OK this story is sensationalist BS. Maybe the summary should have stated that he USED IT FOR SEVEN MONTHS and GAVE IT OUT TO FRIENDS!? Come on, only when he gets caught does he say he was going to share his results. Yeah, that's like embezzling and then saying you were going to give all the money back when you get caught.

  8. Re:This summer? by dgatwood · · Score: 4, Insightful

    OTOH, if he were smart enough to break this thing and he were malicious, he would have instead sold it to some Russian hacking group to put into new viruses. He didn't. He didn't crack anybody else's machines with it. He didn't run it on university equipment. He didn't do any of the thousands of truly malicious things he could have done. Based on that, I see no reason to believe that the guy didn't intend to tell Cisco about it... but probably not until after he graduated so that he wouldn't have to deal with a bug-fixed version of the software that disabled his workaround....

    Instead of using the software maliciously (which would have been relatively easy by comparison), the guy just ran it on his own personal machines and gave it to other people to willingly run on their own personal machines so that they could use the network without the interference of an overbearing piece of security software. All the guy did was write software that made it look like he was running the stupid tool that the uni required him to run in order to use the network without actually having to run it. That's hardly malicious behavior, and if the guy was running reasonable antivirus protection software and was keeping up-to-date with security patches without the "assistance" of the tool in question, it really didn't create any significant security risk, either.

    No, this is a typical knee-jerk reaction by bureaucrats. I would expect nothing better from most universities, but it's still a shame every time someone's life is needlessly wrecked because of a bunch of pencil pushers.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.