Student Attempting To Improve School Security Suspended
TA_TA_BOX writes "The University of Portland has handed a one-year suspension to an engineering major after he designed a program to bypass the Cisco Clean Access (CCA). According to the University of Portland's Vice President of Information Systems, the purpose of the CCA is to evaluate whether the computers are compliant with current security policies (i.e., anti-virus software, Windows Updates and Patches, etc.). Essentially the student wrote a program that could fool the CCA into thinking that the computer's operating system and anti-virus were fully patched and up to date. 'In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says. '"
It seems obvious that the suspension is a favor done by the university. A person of this caliber could do better in the workforce or a better university instead of TEACHING the university...
Anyone in the software biz should know: don't do security research (look for vulnerabilities) in commercial software or commercial websites if you want to be in the US. If you find a vulnerability, like a website that lets you launch missiles by putting &loggedIn=true in the URL, the best thing to do is to laugh to yourself about it, and forget it. Failing that, use some secure anonymous service and post the vulnerability somewhere. Doing the responsible thing, like informing the vendor, is absolutely thankless and likely to result in nothing but problems. Be smart, don't be a hero. Don't try to improve the security of others.
Guess I *won't* be doing that automated WiFi stumbler as a senior project...
Paleotechnologist and connoisseur of pretty shiny things.
TFA isn't really clear on what sort of "break-in" this was. It looks like it was, at most, a proof of concept break-in, and may have been as little as figuring out how to break the system without actually doing it.
In any case, he didn't go around giving out exploit code, and he even worked on the problem of patching the hole (as well as solving other problems with the CCA software), with the intent of full disclosure of the patch and upgrades. This isn't really a punishment for breaking things, it's a DMCA-style punishment for figuring out how someone might break things.
(IANAL)
When I started as a freshman at the University of South Carolina 2 years ago, they were already using CCA. Its main intrusion was the fact that the University demanded that we use McAfee regardless of any other (superior) software we may have already purchased. Personally, I used Symantec Antivirus (Corporate) that I got through my internship. Regardless, it forced McAfee down my throat. I couldn't use the two side by side, as XP would freeze on startup with both installed.

I noticed that the policy for CCA usage only applied to Windows computers, and that Linux and Mac users were exempt. So I booted my SuSE installation and launched Firefox to discover a web-gate type login, a form that I had to put my CCA user and pass into. Once entered, it said I was logged in for 7 days. I thought, well there's really only one way they're separating out Windows, Macs and Linux boxes: the user-agent. All it took to bypass was a custom Firefox deployment package pre-configured with User Agent Switcher. You didn't even need CCA installed. Every 7 days you got the web-gate login. All you had to do was switch to the pre-configured Linux user-agent and log in, upon which you could change back to the default and continue on your merry way for 7 days.

In about a week everyone in my dorm was using it, and it still works today. They just ban the user-agent when they catch on, and we come up with new ones. I'm not sure whether this guy's University differs, but it really shouldn't take any kind of sexy software hackery to bypass it.

PS. wtf is up with slashdot's server? It took me like 15 minutes to get this posted
mmm...muffins
I bet he's reconsidering helping them now.
I was wondering whether or not schools had written policies about this type of thing, and whether this punishment was according to the book or just made up out of thin air.
It seems that most of the time when school officials are faced with an issue like this, they have no idea what they ought to do and either let it slide completely, or overreact and deal a much harder punishment than necessary. This case seems like the latter, as there doesn't appear to be any malicious intent.
The article goes over it pretty well, but Cisco Clean Access Agent, in my experience at my college, is more of a headache than it's worth. If someone has the slightest problem with anti-virus updates, they get locked out every week (I actually have to download the smart installer for them, and then patch it manually). Plus, a lot of good antiviruses aren't recognized by CCA agent as being acceptable. I currently run Windows 2003 Server as a desktop, and CCA agent doesn't play nice with me either - I have to trick CCA agent by using a virtual machine for logins. Frankly, if there was a link to this program, I'd be using it right now...
Though, it's starting to sound like anyone who tries to use their hacking powers to show vulnerabilities is suddenly the bad guy.
I'd like to say I'm surprised at a school acting like this, but honestly it's about the expected behavior. Companies, schools, and institutions in general typically take the approach that if they deny it exists it will go away.
On a completely unrelated note, did anyone else notice that the read more page seemed to be down? I was getting 503 errors clicking on it.
Curiosity was framed, Ignorance killed the cat.
Maybe it's just me but isn't the statement that he was going to inform Cisco sometime this summer pretty vague? What was holding him back?
~S
I pointed out 2 widely known vulns in my university's network and I'm still serving my suspension...2 semesters left!
Article links to what looks like a student newspaper, "The Beacon". It's nice to see articles of this quality in a student publication; the first link does a good job explaining the situation and reporting it without bias, while the second is a well written editorial style piece that criticizes the university response.
The only problem I can see with their site is that the poll "How did you spend most of your Easter Break?" is missing a Cowboy Neil option...
Much Madness is divinest Sense --
To a discerning Eye --
Much Sense -- the starkest Madness
If you look at it out of context, their decision makes some sense, however, as soon as you apply ANY logic to it, their reaction is way too far. What is the result? I would never do research there or even TOUCH anything security related. Imagine if you got suspended because you left your lab's back door open, while there was still a guard on duty. Someone COULD break in, but there's a guard. This is similar to what he did...the security was never compromised, it may not have been the MAX (which is also a farce, because the university itself wasn't up to the most current version). Using their own logic, they should suspend their director of IT for one year for knowingly having a system not most up to date (which is what the kid did).
Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says.
While I'm all for white-hat hacking, it's unfortunate that every time someone is busted, they suddenly put the white hat on. In this case, I have to ask:
Why didn't he go to Cisco with the vulnerability YESTERDAY?
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
Steve Jobs openly admits to phone phreaking and calling the Pope. Both he and Bill Gates eventually dropped out of school. It's clear that, to become a person of substance, you have to be willing to challenge authority once in a while. Are we trying to raise a generation of corporate drones who are so obedient they can never pose a competitive threat to the existing oligarchy? Are we so insane we let disturbed students stay in school and own guns, but suspend ones who are merely using the university's property, paid for by their tuition, more efficiently than average?
He should have talked to the campus IT guys about this "research" before conducting it on live campus systems. I worked in campus IT at Stanford and my experience is that they might be open to seeing what you're working on and allowing it.
The article summary posted here on /. conveniently left off the next paragraph:
Maass' program was in use for approximately seven months before the University froze his UP account.
So he ran this thing for most of the school year and gave it away to his friends and put up a facebook page about it without telling Cisco? At some point it starts to look like the, "I was about to tell Cisco!" claim is just an excuse to get out of trouble. Once he had a working demonstration he should have approached Cisco, not distributed it while he put off talking to the vendor for half a year.
Still, it seems like the uni is going overboard on the punishment.
Lasers Controlled Games!
Nobody wants things to work right or work well, if it means upsetting the status quo.
They'd rather things disappear and get bitten in the ass for it in the future, than deal with it now, if it means someone's going to get embarrassed. There's no intellectual honesty anymore.
We are the fire that lights our world.. and we are the fire that consumes it.
And I thought school was where you went when you wanted to learn about things, test things, build new things, and in general broaden your horizons and expand what you are capable of doing.
Wait, that is the lie people have been telling us forever.
School (high school and univ) in my opinion is a very poor excuse for "preparation" for the real world. In all of the jobs that I've had, identifying, working through, and solving problems is what it's all about. Of course in school, the students are rarely if ever tasked with the first step of identifying a problem (the professors assign the homework), working through problems is an exercise of taking notes (not thinking about the problem, just verbatim listing what the professor says), and solving problems normally is left to the TAs to babysit 90% of the students through anything that requires even the slightest bit of rational thought.
This guy is guilty of breaking that mold, he identified, worked through, and solved problems all on his own with no intervention from the school. Thus proving that the school is indeed useless. Because he proved that the school was a redundant and useless institution they had to punish him.
Story after story, it's "this student scared us - let's git 'em!".
Why is this country SO AFRAID of students and so into controlling them? I'm not sure I could survive in a modern high school or even college environment now. I'd be too angry all the time at how badly they are mismanaging our youth.
I am quickly losing all my faith and trust in the so-called 'education system' we have in the US. It's becoming not much more than babysitting and nannying.
And I fear for the kind of young adults we are going to produce from this brainwashing factory we call 'school'.
Anyway, what good is there in suspending this kid? What does that accomplish? The fact that he found YOUR security flaw embarrassed you? Is that a reason to punish him?
Perhaps the school does not DESERVE your funding. Yes, YOU fund the school - they work FOR YOU. It's not the other way around. YOU are the consumer. If school-A is giving you crap, why not take your business elsewhere? Yes, school IS a business - very much so.
--
"It is now safe to switch off your computer."
TFA says he was running this program for seven months, and was planning on alerting Cisco "this summer", and he also spread the program to his friends. Doesn't really sound like security research to me, more like bypassing the security for your own convenience. You really don't "research" a security flaw for seven months, and even spread it to other people.
Doolittle :
Bomb no.20 : To explode of course.
Here's a more detailed follow-up on this story: http://www.networkworld.com/news/2007/042607-cisco-nac-unversity-portland.html?t51hb
Early on, we ran into some policy issues at the university.
The solution...
Take the engineering department off of the campus network and maintain it ourselves.
It worked out fairly well when I was there, but resulted in some equipment deficiencies. We ended up getting the backend of the upgrade cycle, but that was fine as we were allowed to "blow them up."
This would not have worked without volunteer work and when I had returned I was already a competent admin. It probably wouldn't scale too well, but it's a good learning experience for some.
It does lead to issues though...
At one point, a professor proclaimed the network seemed to be having issues, and at that point I poked my head up.
"Um, no it's not... I'm putting in dDNS... because it looked like fun."
Things were back up momentarily. (Hey I was young!)
The best was probably the day I rooted the servers and updated the motd.
"Under new management -- cylix"
This was of course the policy for gaining administration for maintaining systems. The final system I had to social engineer my way into... sorta... I basically made it into the server room with the prof maintaining things and he left to go get some papers. He knew I was after the final system and just wouldn't let me take it over without a fight. He had to know what I was going to do and probably just wanted to see how fast I could get my hands into the system. The moment he stepped out I tackled the keyboard like it was a drunken cheerleader.
The only catch was no denial of service. So, if you were going to bring something down... no one could notice.
Fun times!
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
Let's see: if you're writing a program that will circumvent security measures, and he had gone to IT and said "I'm writing a program to test CCA...", he wouldn't have been in deep water. Instead he has to explain why he did it: "No, I wasn't trying to hack the network, I was writing a *test application* and then going to go to Cisco"...
If he had nothing to hide in the first place, then he shouldn't have hid it in the first place.
U of P is a Catholic school with no particular engineering focus. I think he would have stood a better chance of a reasonable response had he been attending a "real" engineering school. There's nothing wrong with Catholic school, or in studying engineering at such a school, but I think this poor guy should have seen it coming... If you're going to do research like this, do it at home. If he wanted to inform Cisco of the problems, he should have just done so directly. I feel bad for the guy but it's not surprising.
If I did something like that and got caught I would say I was planning to come clean as well.
Which brings up your main, and correct, point. It's sad when we penalize so harshly for students just being clever. Would they have suspended him for a year for putting a penny in the dorm elevator (in effect locking it on a single floor during early morning rush time)??? I often joke, and I'm sadly accurate: if I did half of what I did 20 years ago in high school and later college...today...I'd be a multiple strike felon...and yet no one or any property was really ever hurt
Total? -9 points. Not good. The university had no choice. For reference, here is the scale:
Too bad the guy may lose his scholarship. He presented it wrong, especially giving it out and not telling Cisco immediately, along with running it himself. But it doesn't deserve a full suspension for a semester.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
To those who are saying "CCA doesn't recognize perfectly good antivirus packages" (and other sorts of comments). Most, if not all, of that is configurable on the backend. If your school forces McAfee, they likely removed (or never added) other products to the CCA server. The college for which I work supports Symantec, McAfee (which we give away to students), AVG, and at least a few others.
If your CCA isn't accepting an antivirus scanner you like, why not go through the proper channels to find out *why* it's not supported and see about getting that fixed?
bork bork bork!
http://www.mgridley.com/rogueUP/Rogue_Blog/Archive.html
I just finished working with the CCIE who implemented the CCA at U of P today and he said the student wasn't suspended for circumventing the CCA but rather distributing it to other students, which in my book is malicious. And for the record I work for a University around 30 miles away from U of P.
Many of the arguments we use to - justly - defend security researchers seem like they may not apply in this case.
* He used the software to bypass the security check for seven months
* He distributed the software to several other students and a professor
* He did not disclose the vulnerability to the vendor before releasing his exploit
* He did not ask permission
Now, this is not to say that the University's use of CCA is wise or its reaction was reasonably proportionate to the damage done. (If the damage and the policy violation is as minimal as the article claims, a 1-year suspension is insane.) But Mr. Maass did not do a good job of covering his ass, either.
Let this be a lesson to the next guy.
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
My University uses CCA, and to bypass it... you can either not use Windows, or use Firefox and install a plug-in that allows you to modify the User-Agent to identify itself as if it were running Linux/OSX. This might not work in all cases, though.
Gates Announces Security Death Squads
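The user-agent trick described in the two comments above (switching Firefox to a Linux user-agent so the web-gate treats a Windows box as exempt) is detectable from the gateway side, because the browser can change what it claims but not the IP TTL the gateway observes. This is an added example, not code from the thread or from Cisco; the log format, the hosts and the TTL values are constructed, and the assumed defaults are 128 for Windows and 64 for Linux and Mac OS X.

```python
"""Flag web-gate logins whose User-Agent OS contradicts the observed IP TTL."""
import re

# Assumed default initial TTLs (Windows 128; Linux and Mac OS X 64).  The
# gateway is assumed to log the TTL as received, i.e. after some hops.
INITIAL_TTLS = {128: "windows", 64: "unix-like"}
MAX_HOPS = 30

LOG_RE = re.compile(r'ip=(?P<ip>\S+) ttl=(?P<ttl>\d+) ua="(?P<ua>[^"]*)"')


def os_from_ttl(ttl):
    """Map an observed TTL to the nearest plausible initial TTL (<= MAX_HOPS away)."""
    for initial in sorted(INITIAL_TTLS):
        if initial - MAX_HOPS <= ttl <= initial:
            return INITIAL_TTLS[initial]
    return "unknown"


def os_from_user_agent(ua):
    """OS family the browser *claims*; this is the half a user can switch."""
    if "Windows" in ua:
        return "windows"
    if "Linux" in ua or "Macintosh" in ua or "X11" in ua:
        return "unix-like"
    return "unknown"


def parse_line(line):
    """Return {ip, ttl, ua} for a login line, or None if it lacks the fields."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ttl": int(m.group("ttl")), "ua": m.group("ua")}


def find_mismatches(lines):
    """Return [(ip, claimed_os, observed_os)] for logins whose claim contradicts the TTL."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        claimed = os_from_user_agent(rec["ua"])
        observed = os_from_ttl(rec["ttl"])
        # Only report when both sides are confident and disagree.
        if "unknown" not in (claimed, observed) and claimed != observed:
            hits.append((rec["ip"], claimed, observed))
    return hits


# Constructed web-gate login log: an honest Linux box, an honest Windows box,
# a Windows box whose User-Agent was switched to Linux, and a malformed line.
SAMPLE_LOG = [
    'login ip=10.12.3.40 ttl=61 ua="Mozilla/5.0 (X11; U; Linux i686) Firefox/2.0"',
    'login ip=10.12.3.41 ttl=125 ua="Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"',
    'login ip=10.12.3.42 ttl=126 ua="Mozilla/5.0 (X11; U; Linux i686) Firefox/2.0"',
    'garbage line without the expected fields',
]

if __name__ == "__main__":
    for ip, claimed, observed in find_mismatches(SAMPLE_LOG):
        print("%s claims %s but its TTL suggests %s" % (ip, claimed, observed))
```

A TTL mismatch is evidence, not proof: a Linux VM bridged on a Windows host sends its own TTL, and a guest with a tuned TTL will not be caught, so treat hits as candidates for a second check rather than an automatic ban.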
I feel like death on a soda cracker.
Clearly you haven't learned from the movie "Catch Me If You Can".
These people can outsmart you every minute of the day if you give them reason to. Why not just employ them and get on their side?
Oh right, this isn't about security, this is another stupid power struggle.
Regardless of the student's ethics (or lack thereof), this illustrates a fallacy of trust in computing that often goes overlooked, especially in software security products: transitive (implicit) trust.
... If the administrator (of the University, some enterprise, or even a home network) cannot state anything about the trustworthiness of an unfamiliar computer, how can that same administrator trust the output of some software program designed to assert the trustworthiness of an otherwise untrusted computer?
Think about it logically for a second
Trusted input (e.g. Cisco Clean Access)
+ Untrusted computation (unknown host)
!= Trusted output (i.e. an assertion from the CCA that the computer is trustworthy)
The nature of this equation is that the untrusted computer is implicitly trusted to compute its own trustworthiness. What ramifications does that have on the real world analogies?
Banker: Can I trust that you'll repay this loan for $1 Billion?
Some joe off the street: [Hides "will work for food" cardboard sign behind his back.] Uh, sure.
And yet, how many NAC/NAP vendors actually try to challenge the unknown host (java applet, activeX control, native code, etc.)? Answer is: nearly all of them, unfortunately. Even if Cisco fixes this hole, what will happen next? This is not unlike Cisco trying to sell a perpetual motion machine-- this simply defies the "natural laws" of security.
--
NAC is not the answer. How about those good ol' 3270 connections?
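The trust equation in the comment above can be run as code. This added example (not Cisco's code and not the commenter's) models a posture check over the three claims the thread keeps coming back to (a required patch, an anti-virus product and its DAT version): the self-report evaluator cannot tell an honest agent from one that simply answers as the server wants. The `evaluate_corroborated` variant is an assumed mitigation, not a CCA feature: it accepts a claim only when it also matches records the host cannot write (update-server download log, AV management server DAT pushes). All hosts, registries and server records are constructed.

```python
"""Trusted policy + untrusted computation != trusted output, in code."""
from dataclasses import dataclass

REQUIRED_PATCHES = {"KB918439"}   # patch name quoted in the thread
MIN_DAT_VERSION = 5018            # DAT threshold quoted in the thread


@dataclass(frozen=True)
class PostureReport:
    """What an agent (real or emulated) sends to the access server."""
    host: str
    patches: frozenset
    av_product: str
    dat_version: int


def real_agent(host, registry):
    """Honest agent: builds its report from the host's (constructed) registry."""
    return PostureReport(
        host=host,
        patches=frozenset(registry.get("installed_patches", ())),
        av_product=registry.get("av_product", ""),
        dat_version=registry.get("dat_version", 0),
    )


def emulated_agent(host):
    """Anything that answers as the policy wants, consulting no host state at all.
    This is the 'untrusted computation' term: the host grades itself."""
    return PostureReport(host, frozenset(REQUIRED_PATCHES),
                         "VirusScan Enterprise", MIN_DAT_VERSION + 1)


def policy_violations(report):
    """Policy checks over the report's own claims (used by both evaluators)."""
    problems = []
    if not REQUIRED_PATCHES <= report.patches:
        problems.append("missing patches: %s" % sorted(REQUIRED_PATCHES - report.patches))
    if not report.av_product:
        problems.append("no anti-virus product")
    if report.dat_version < MIN_DAT_VERSION:
        problems.append("DAT version %d below %d" % (report.dat_version, MIN_DAT_VERSION))
    return problems


def evaluate_self_report(report):
    """Weak check: trusted policy applied to untrusted claims.  Returns the role."""
    return "full-access" if not policy_violations(report) else "remediation"


def evaluate_corroborated(report, records):
    """Assumed mitigation: each claim must also match a server-side record the
    host cannot write.  Returns (role, list of reasons for remediation)."""
    reasons = list(policy_violations(report))
    seen = records.get(report.host, {})
    for kb in sorted(REQUIRED_PATCHES):
        if kb not in seen.get("patches_served", ()):
            reasons.append("update server never served %s to %s" % (kb, report.host))
    if seen.get("dat_pushed", 0) < report.dat_version:
        reasons.append("AV server never pushed DAT %d to %s" % (report.dat_version, report.host))
    return ("full-access" if not reasons else "remediation", reasons)


# Constructed data: one honest, fully patched host and one host that only
# emulates the agent.  SERVER_RECORDS lives on the servers, not the hosts.
REGISTRY_HONEST = {"installed_patches": ["KB918439"],
                   "av_product": "VirusScan Enterprise", "dat_version": 5020}
SERVER_RECORDS = {
    "dorm-pc-01": {"patches_served": {"KB918439"}, "dat_pushed": 5020},
    "dorm-pc-02": {"patches_served": set(), "dat_pushed": 0},
}


def demo():
    """Return ((self-report roles), (corroborated results)) for both hosts."""
    honest = real_agent("dorm-pc-01", REGISTRY_HONEST)
    faked = emulated_agent("dorm-pc-02")
    weak = (evaluate_self_report(honest), evaluate_self_report(faked))
    strong = (evaluate_corroborated(honest, SERVER_RECORDS),
              evaluate_corroborated(faked, SERVER_RECORDS))
    return weak, strong


if __name__ == "__main__":
    for label, result in zip(("self-report", "corroborated"), demo()):
        print(label, result)
```

Corroboration moves the trust to the update and AV servers rather than removing it, and a host that patched itself from another source is sent to remediation even though it is clean; that false positive is the price of no longer letting the host compute its own trustworthiness.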
But more malicious = forcing me to uninstall the A/V I know and trust and install some crap before I can access the #1 source of malware (the internet)?! I'm doing just fine on my own, thank you. Congrats to the student for not tolerating that crap.
Turning coffee into code.
If this "kid" REALLY intended to bring his findings to Cisco, then he should have been documenting not only his intent but also his findings and techniques used and this should be enough to prevent a suspension. Unless he came up with this idea of 'going to Cisco' after he got busted.
I have a hard time believing his story without some proof he'd been discussing visiting Cisco or interning there well in advance of getting busted for spoofing their APIs.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
Would you care to quote the policy you claim he broke?
No, it sounds like he embarrassed the University IT administration, so they closed ranks and used a kangaroo court to express their displeasure. Dean Wormer put him on double secret probation first, I'm sure.
"National Security is the chief cause of national insecurity." - Celine's First Law
I work in the IT department at a university that uses CCA. If you live on-campus you're required to use CCA to connect to the University network. IIRC, the setup here doesn't check for much: anti-virus and XP SP2 if you're on Windows, and Linux users are ignored.
Support calls from students have fallen by more than 50% since CCA was put into use. Simply requiring anti-virus and SP2 has tremendously reduced the amount of garbage infecting Windows users' machines. CCA has been a real boon, even if there are a plethora of ways around it.
I wasn't burglarizing this house, I was just checking the home security system for holes!
OK this story is sensationalist BS. Maybe the summary should have stated that he USED IT FOR SEVEN MONTHS and GAVE IT OUT TO FRIENDS!? Come on, only when he gets caught does he say he was going to share his results. Yeah, that's like embezzling and then saying you were going to give all the money back when you get caught.
...and that does what?
My university imposed this crapola on all dorm residents during the summer to test it out. I wasn't there, but my girlfriend's computer suffered the consequences of it. They forced her to uninstall the AVG antivirus and Comodo firewall that I configured, and during the transition her computer was massively hijacked. I'll admit, the dorm networks there are atrocious and this type of software might have been a good idea. Worms/viruses were absolutely rampant; two or three times a day AVG would popup saying it found a threat in some random temporary folder, and the firewall would report numerous "intrusion attempts". However, they didn't even warn people that they would be COMPLETELY unprotected while they are installing the new protection software. If I was there I would have unplugged the network cable during all this. Opening the ports for even five minutes proved disastrous. Needless to say I ended up reformatting.
They never did implement CCA after the trial. Now, the dorm network is simply bandwidth-throttled and packet-shaped to oblivion. Dial-up is faster, I am sure. It's still a security risk, but so slow that no one gives a shit.
This guy was being clever disabling the security software, nothing more. He got caught and now he's whining.
It may be unpopular, but when you connect your computer to some networks you do so under an agreement which may limit what you can do, may require you to consent to monitoring, and may require you to install software to enforce the terms of that agreement. Tampering with the software may be a violation of that agreement; it doesn't matter if it's "your" computer, we're talking contracts here.
There's nothing extraordinary about someone with physical access and superuser/administrative access rights being able to modify the software on their own machine. And if you can debug a client app, then you can write your own app that can pretend to be that client when talking to the corresponding server.
If he was a security professional then he would have done this in a lab, not on his own machine, and would have reported the results in a timely fashion, not "I was going to get around to it", and would not have distributed exploit code to his friends.
This guy's behavior violated pretty much any acceptable use policy I've ever seen or written, and he got a punishment probably on the stiffer end of the scale because his behavior doesn't appear to show any mitigating circumstance.
All week I been reading how the kid at Virginia Tech couldn't be dismissed from school even though he stalked, threatened and oozed a violent psyche to the point of having 2 professors ask the university for help with him. Universities should only protect students as vigorously as they seem to protect themselves in this case.
proves you aren't just saying "i was going to tell them it was broken" to get out of trouble and you HAD the intentions to do so. But you would still probably get in trouble
Dan
From what I gather, the breach occurred on his own computer!? Since when does keeping your own computer private from the intrusive eyes of others count as a computer crime?
Essentially, what the university is asking for is the root password to your own machine, in exchange for network access. I think I'd rather do without the university network if I had to run snoopware.
And on what ethical principle does the university believe they have a right to own a machine for which they haven't paid? I can understand they are trying to combat network problems caused by viruses, but the correct response is not to install spyware, but rather simply to cut off the network connections of those machines infected. They have no right to install backdoors on machines they don't own.
And even so, he doesn't deserve to be punished for effectively taking control over his own machine. It belongs to him, not the university!
The society for a thought-free internet welcomes you.
"mess with a teacher's mind: that's a paddlin', too"
--
"It is now safe to switch off your computer."
They have enough money and power and shares....
If anything, give the info to a smaller competitor so they can exploit it in marketing.
Unless you know the IT admin or department head personally, don't go being a hero and make them look bad.
If they aren't your friend, they are your enemy
Liberty freedom are no1, not dicks in suits.
is secured beyond the basic yoyo windows software and lives on either a separate network or on secure servers on the network.
They would have gunned down that Korean dude.
Either way, there are ways to attack someone who has a gun without a gun, and actually WIN.
1. Find a fire hose, and spray the whole floor so it's slippery when running; you can even spray it directly on him to make him fall.
2. Get a fire extinguisher and spray him/hallway/room like hell so it's so foggy you cannot see anything, and breathing those chemicals in is not nice either.
Liberty freedom are no1, not dicks in suits.
When things like this happen, people are always saying how horrible it is that the poor guy got in trouble. After all he wasn't doing anything wrong, just trying to help their security get better. Using the same logic, I guess I shouldn't have a problem with someone picking the lock to my house and walking around, even if they say they were going to write the lock company about how they did it. I know it's not related to the article's situation, but I'm tired of people jumping immediately to the side of the hacker/cracker. As far as the University "owning" your computer for use of their network, if you AGREED to the contract, I can understand why they'd be mad if you broke your end. AND do you really want students in your institution who don't have the integrity to honor contracts that THEY signed into? It would be one thing to do this in a controlled laboratory type setting, but this man obviously did not. I honestly have no sympathy for him. Oh and for the poster who says we want to raise our children to be corporate drones when it pays for Jobs to be somewhat anti-authority: We only want those who are smart enough to NOT GET CAUGHT.
Because he's kewl, you see. IT is "the man", and he stuck it to him! w00t
+5 Insightful, really!
Or it says that you were planning on doing something bad and just in case you got caught in the act you were preparing your story ahead of time...
For those of you who can't read, what the summary neglects to mention is that the guy was running this kind of reverse-rootkit for 6 months. 6 months is a long time to "test" a vulnerability. In all likelihood he just started yapping to cover his own ass, when in truth he probably never intended to go public with the vulnerability and just wanted to go on being "leet" clandestinely. I agree it's a shame that top-dollar commercial products used by the largest organizations have such glaring holes, but this kid was no Jesus Christ of Cisco, he was yet another ePeen going down the wrong path. Had he wanted to help improve network security, he would have worked with Cisco or his IT department since day one, and probably gotten great kudos for it. Instead he got suspended and will have to look for exploits in a burger joint.
-Billco, Fnarg.com
Yeah my Uni has something like this for windows. Bradford Network Agent, which forces TrendMicro AV down your throat. (You must uninstall all other AVs...) Now I'm all for security, but there wasn't any granular control to speak of. "A false positive. Hmmm... Well surely there is an exclusion option..." 20 minutes later, and guess what? Still no exclusion. So I say, screw that. Block the heartbeat ping they have on the network at my firewall, remove network agent. No problems so far. Go to remove their Trend Micro... And guess what? I need a password. I need THEIR permission to remove a program on MY 2000 dollar machine. Needless to say I removed it re-booted to *nix, authenticated and no worries.
.....installing it without permission on someone's network ......
He didn't install anything anywhere but on his own computer. He didn't cause any harm to anyone either, except to the pride of the University's IT staff. There are some web sites that refuse to recognize any browser except IE. Am I doing something wrong when I tell my Mac to inform their server that this particular request is coming from a Windows machine running IE? Some of these same web sites then work just fine with Safari on the Mac. This student did in effect do the same thing. He instructed his computer to lie to the server and tell that stupid server what it wanted to hear, so the young man could get on with his work.
All theory is gray
What a crock-o-blank,
;-)
Typical University IT people not knowing what the hell they are dealing with. Think this "breach" was a big deal? Think again.
Know how to use the Windows Registry? You'll love how simple this is...
Cisco Clean Access looks for several registry keys that determine which Windows patches are installed and which are not. It also looks for registry info to give the system a look at what anti-virus package they are running and which DAT file they have. Basically, all his program would need to do is create entries in the registry in the locations where Clean Access would look. It would defeat the security check and the remediation process very easily.
This is not a vulnerability, it is the means by which the system works.
1. User connects to the network. When a browser is launched, the user is redirected and prompted to install the Clean Access Agent from the Clean Access Server.
2. The user is presented with a login box where he/she would log into the system.
3. The Clean Access Agent checks for several registry flags to determine which Windows Updates are installed and what anti-virus/anti-spyware is installed. It will also check the registry for anti-virus/anti-spyware DAT/REG file date and versions.
4. If the system is not up to date, they are passed to a temporary role (remediation stage) where they are only permitted to selected sites to download the updates they need.
5. Users are left in the temporary role until they fulfill the logon requirements. Once the requirements have been completed, they are passed to the main role allowing full access to the network.
Now...for the easy part...
Wanna get around the CCA check without installing patch KB918439? Create the following registry keys ending with Filelist.
[\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB918439\Filelist\]
How about getting around AV installation (McAfee VirusScan Enterprise as an example)? Create the following registry keys ending with VirusScan Enterprise.
[\HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\]
How about getting around a forced DAT update? Create the following registry keys ending with CurrentVersion. Also create a string value called szVirDefVer with a value greater than 5018.
[\HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\]
Heh...that wasn't so bad...was it?
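An added example (not from the post above, and not Cisco's or McAfee's code) that puts the check the post describes next to one that does not take the registry at face value. The registry paths and the szVirDefVer value are the ones the post lists; the Get-HotFix cross-check and the 'McShield' service name are my assumptions about how a posture check could corroborate them. The demo writes its spoofed keys under a scratch key in HKCU so it needs no elevation and never touches the HKLM locations Clean Access actually reads.

```powershell
# Added example, not code from the post or from Cisco. It models the posture
# check as the post describes it (registry presence only) beside a version
# that corroborates each registry claim against evidence a registry write
# does not alter. Paths and szVirDefVer come from the post; the Get-HotFix
# cross-check and the 'McShield' service name are assumptions.

$KbId          = 'KB918439'
$MinDatVersion = 5018
$AvService     = 'McShield'   # assumed: McAfee on-access scanner service name

function Get-PostureKeys([string]$Root) {
    $av = "$Root\Network Associates\TVD\VirusScan Enterprise"
    @{
        Kb  = "$Root\Microsoft\Updates\Windows XP\SP3\$KbId\Filelist"
        Av  = $av
        Dat = "$av\CurrentVersion"
    }
}

# The check as the post describes it: registry presence is taken at face value.
function Test-RegistryPosture([string]$Root = 'HKLM:\SOFTWARE') {
    $k = Get-PostureKeys $Root
    $dat = $null
    if (Test-Path $k.Dat) {
        $dat = (Get-ItemProperty -Path $k.Dat -Name szVirDefVer -ErrorAction SilentlyContinue).szVirDefVer
    }
    [pscustomobject]@{
        PatchInstalled = Test-Path $k.Kb
        AvInstalled    = Test-Path $k.Av
        DatCurrent     = [bool]($dat -and [int]$dat -gt $MinDatVersion)
    }
}

# The same check, but every registry claim must be backed by something else:
# the hotfix must appear in the installed-update list and the scanner service
# must actually be running. Fake keys alone no longer pass.
function Test-CorroboratedPosture([string]$Root = 'HKLM:\SOFTWARE') {
    $reg     = Test-RegistryPosture $Root
    $hotfix  = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $svc     = Get-Service -Name $AvService -ErrorAction SilentlyContinue
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    [pscustomobject]@{
        PatchInstalled = $reg.PatchInstalled -and ($null -ne $hotfix)
        AvInstalled    = $reg.AvInstalled -and $running
        DatCurrent     = $reg.DatCurrent -and $running
    }
}

# Reproduce the spoof the post describes: create the keys and the DAT value.
function Set-SpoofedPosture([string]$Root) {
    $k = Get-PostureKeys $Root
    New-Item -Path $k.Kb  -Force | Out-Null
    New-Item -Path $k.Dat -Force | Out-Null   # -Force also creates the parent AV key
    New-ItemProperty -Path $k.Dat -Name szVirDefVer -Value '5100' -PropertyType String -Force | Out-Null
}

# Demo against a scratch key under HKCU: no elevation needed and nothing Clean
# Access reads is touched. Pass 'HKLM:\SOFTWARE' to the two Test-* functions
# (read-only) to audit the real locations on a machine.
$Root = 'HKCU:\Software\CcaPostureDemo'
'Registry-only check, before spoof:'; Test-RegistryPosture $Root
Set-SpoofedPosture $Root
'Registry-only check, after spoof:';  Test-RegistryPosture $Root
'Corroborated check, after spoof:';   Test-CorroboratedPosture $Root
Remove-Item -Path $Root -Recurse -Force
```

Run it from any PowerShell prompt on Windows. After the spoof, the registry-only check reports all three items satisfied, while the corroborated check stays false on a machine that does not really have the hotfix and a running scanner service. The point is the one the post makes from the other side: a client-side agent that reads only what the client tells it cannot distinguish a patched machine from one that wrote three keys.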
I read the article and still am not clear on what the program was supposed to do. Apparently there was a piece of software in place that monitored the computers for security reasons. Let's, for simplicity's sake, call it a virus scanner.
Now did he write a program that DISABLED the virus scanner in some ways?
Did his own program then REPLACE this virus scanner with his own?
If so, then he is indeed in the wrong.
He should instead have written a virus scanner sitting behind or in front of the existing one to augment its capabilities. Then nothing would be wrong: the required software is still in place and working, BUT his own software would be making it more secure, always presuming of course that his own software IS in fact more secure.
This is the crux of the matter, who says his software was better and that by him replacing the default software he made the system more secure? We got only his word for that.
See it like this, say that the dorms are required to have a fire extinguisher in every room. Now a person comes along and says that the devices ain't good enough, too small and don't work in certain conditions. What should he then do? Replace them with a model he claims to be better OR put that model NEXT to them.
I can argue till I am blue in the face with the local firechief but replacing mandated equipment and facilities is NOT going to be accepted. ADDING to them is. Just because only a handheld bottle of eye-washer is needed doesn't mean I can't install the full shower version. Just as long the bottle is still there. Just because the helmet is required at the building site doesn't mean I can't wear ear/eye protection as well, just as long as I still wear the helmet.
Granted there are problems with this, it could be that policy requires you to use the small fire extinguisher first, that you know won't work, to fight a fire and that you cannot touch your own that does work because by then you will have burnt to death.
If the existing virus scanner has an exploitable weakness, having your own program behind it doesn't work. If the policy requires the existing security software to be the first in line, and if it itself can be exploited so that a second program behind it never gets a chance to stop the intrusion, you are screwed.
Setting your own software in FRONT is probably against policy; after all, if your own software is flawed then it can be exploited before the required software has a chance.
It is difficult but frankly that is what you get when departments get too large. You need rules but will inevitably find that the rules restrict legitimate use. The answer? Don't use them.
What I think is however far more likely in this case is that we are talking about the ancient and dreaded evil of the crushed ego. Who wants to take a bet that someone at the IT department didn't just feel peeved to have the software he/she chose as being secure exposed as being insecure? Yeah, sure, YOU would use such a comment to learn and implement a better solution. You are a saint to be sure, but most people would just come down like a ton of bricks on the messenger, lest their supervisor starts asking just what you are getting paid for.
Please. /. is going to swing on this: " Student Attempting To Improve School Security Suspended"
Firstly, the title of the article shows which way
Attempting to improve security? Really? How precisely was he 'attempting' to improve anything. It reads to me that he found an exploit AND EXPLOITED IT. He didn't immediately approach CISCO, or an academic advisor, or anyone.
Other posters in this thread talk about oppression and crap - what a laugh. It's the Townsend defense: Yes, officer, I was looking through pedophilic pron because I wanted to catch these darn bad guys, I was JUST about to come tell you about it.
It's very simple to do white hat research.
1) tell someone what you're doing. If you feel you might want to 'sell' the idea or there's some reason you don't want to be too specific, don't be. But TELL someone - even a discussion with your lawyer can later be used as strong evidence about your ORIGINAL INTENT
2) document what you're doing
3) if someone interrupts you and says "aha, we caught a criminal" you have a paper trail AND at least one witness that you laid the groundwork for something non-criminal beforehand.
The problem is that actions like this look JUST LIKE the crimes they purport to prevent. So much so, it's very, very easy to claim that's what you were doing after the fact. So the burden is upon YOU to prove that your explanation is not just after-the-fact rationalization.
-Styopa
I manage a part of a university IT department. I am dumbfounded about exactly how dense students are about computers (these are non-CS/engineering students, btw). Students were shocked that I could tell (even when they clicked the little 'encryption' checkbox) that they were using BitTorrent; that I had their username and, if I cared (which I don't), I could have a whole lot of information about what they were doing.
Our problem is the opposite: students are too stupid (or simply embrace a kind of self-interest that is rather short-sighted) to update their virus protection software, or patch their OS, or set their passwords to something that isn't easy to guess. So we do need something to enforce these kinds of policies. We have looked at Cisco's product (for the first two) and, aside from being ridiculously expensive, it's a pain. The fact that there is no standardized way of querying antivirus software over a network is also annoying. In the end we may end up writing some client software of our own and combining it with PacketFence.
In short I'm familiar with the problem that this Uni is trying to solve but I don't really view students like this as the problem.
CCA, and other NAC solutions, are designed to be used in a business environment (i.e. the same AV, the same anti-spyware, the same firewall, the same patch levels, etc are all in use by all the workstations). It works well in this case (a homogeneous environment). It is impractical for a situation when you don't control the software load on all of the workstations you are subjecting to it. However, if a school decides that to connect to their network, you need to be protected with a minimal set of "security" software, this is the only way to enforce that right now. So what is the school to do? Require everyone to run an up-to-date version of specific software or let students connect machines with god-knows-what, increasing the risk to everyone on the network? Not a clear-cut answer.
...without permission.
This is akin to finding someone sitting in your house, the entire place apparently untouched, and they explain "Oh, I was just checking the security on your locks; turns out it's fairly bad. I was going to tell you later...", and it's not okay.
If you think you've seen a security hole, stop, tell the person responsible _immediately_. With luck, they can give you a dummy system to test it on without risking getting yourself into trouble.
If the people responsible for security ignore you, get someone else to back you up. In this case, talk to one of the staff who is knowledgeable about computers, or the student newspaper.
How many Portlocks does it take to administer university policy?
None, they still haven't figured out how to interpret common sense.
Stop helping the retarded fools, fuck them, be one of the bad guys.
LEET LEET LEET LEET LEET K-Rad! I'll bet those lecturers were really cross...
If any virus-infested machine can take down your network by merely connecting to it, you obviously don't own your network. You just think you do.
Ok, it's trollish, I'll admit, but I'm disgusted with network admins that push the responsibility for their network back onto the users. I'm a professional engineer, and people expect my stuff to work, even under adverse circumstances. Is it too much to ask the same of a network admin?
Apparently it's a line of biometric speaker verification products.
I guess Clean Access doesn't put any constraints on it, so that's good to know.
I said "almost all"
I've rarely met IT staff (and SysAdmins) that were human. I understand Woz's old comment about killing his kid if they grew up to be a SysAdmin. The education system and small business seems to pull in the really bad ones.
The educated and competent ones seem to be rare and they are usually good. A CS degree isn't a clear enough filter, there are too many with CS degrees.