Slashdot Mirror

← Back to Stories (view on slashdot.org)

Student Attempting To Improve School Security Suspended

Posted by Zonk on from the no-good-deed-goes-unpunished dept.

TA_TA_BOX writes "The University of Portland has handed a one-year suspension to an engineering major after he designed a program to bypass the Cisco Clean Access (CCA). According to the University of Portland's Vice President of Information Systems, the purpose of the CCA is to evaluate whether the computers are compliant with current security policies (i.e., anti-virus software, Windows Updates and Patches, etc.). Essentially the student wrote a program that could fool the CCA to think that the computers operating system and anti-virus were fully patched and up to date. 'In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says. '"

5 of 282 comments (clear)

  1. University doing a favor by Anonymous Coward · · Score: 5, Insightful

    It seems obvious that the suspension is a favor done by the university. A person of this caliber could do better in the workforce or a better university instead of TEACHING the university...

    1. Re:University doing a favor by bfizzle · · Score: 5, Insightful

      I wouldn't want to hire someone who wrote a piece of software that clearly violates University Policy and used it for 6 months. Its one thing to write the software, distribute it as a proof of concept and let Cisco or the University fix it. Its a whole other to write the said software and use it to exploit the hole for an extended period of time then claim you were going to tell Cisco months later. His actions sing a whole different song than his words.

  2. Don't do security research in the US by Anonymous Coward · · Score: 5, Insightful

    Anyone in the software biz should know: don't do security research (look for vulnerabilities) in commercial software or commercial websites if you want to be in the US. If you find a vulnerability, like a website that lets you launch missiles by putting &loggedIn=true in the URL, the best thing to do is to laugh to yourself about it, and forget it. Failing that, use some secure anonymous service and post the vulnerability somewhere. Doing the responsible thing, like informing the vendor, is absolutely thankless and likely to result in nothing but problems. Be smart, don't be a hero. Don't try to improve the security of others.

  3. Stop instituationalizing young people by iamacat · · Score: 5, Insightful
    It's unavoidable that a bright C.Sci student will bypass some university security measures, for some of the following reasons

    • Bypass cloying "for your own protection" software that he and his computer-literate friends do not need anyway. Besides, what security updates if you have Mac/Linux?
    • Impress a girl by resetting her lost password or re-enabling account in her undergrad school
    • Explore a realistic network structure and challenges of its administration
    • Repair the system when it's down, admin can not be bothered and final project is due tomorrow at 8:30


    Steve Jobs openly admits to phone phreaking and calling the Pope. Both he and Bill Gates eventually dropped out of school. It's clear that, to become a person of substance, you have to be willing to challenge authority once in a while. Are we trying to raise a generation of corporate drones who are so obedient they can never pose a competitive threat to existing oligarchy. Are we so insane we let disturbed students stay in school and own guns, but suspend ones who are merely using university's property, paid for by their tuition, more efficiently than average?
  4. Re:Getting past two imflammatory headlines by yali · · Score: 5, Insightful

    In any case, he didn't go around giving out exploit code...

    From TFA:

    "I was planning on going to Cisco with the vulnerability this summer," Maass says. Maass' program was in use for approximately seven months before the University froze his UP account. Additionally, he gave the program to several friends and one professor.

    Also from TFA:

    Moreover, [fellow student] Vandermeulen said, many people are frustrated with CCA. CCA has sometimes taken up to 20 minutes to load on Vandermeulen's computer, he said. "I hear so many complaints (that) I'm not surprised that someone would go ahead and try to write something that would completely bypass it," he added.

    I don't think this guy deserved the punishment he got. But the whole, "I was just trying to help them" argument sounds fishy. Seems more likely that the uni put cumbersome security requirements on students, this guy tried to circumvent them, and the IT folks caught him and overreacted.