Slashdot Mirror

← Back to Stories (view on slashdot.org)

Student Attempting To Improve School Security Suspended

Posted by Zonk on from the no-good-deed-goes-unpunished dept.

TA_TA_BOX writes "The University of Portland has handed a one-year suspension to an engineering major after he designed a program to bypass the Cisco Clean Access (CCA). According to the University of Portland's Vice President of Information Systems, the purpose of the CCA is to evaluate whether the computers are compliant with current security policies (i.e., anti-virus software, Windows Updates and Patches, etc.). Essentially the student wrote a program that could fool the CCA to think that the computers operating system and anti-virus were fully patched and up to date. 'In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says. '"

29 of 282 comments (clear)

  1. University doing a favor by Anonymous Coward · · Score: 5, Insightful

    It seems obvious that the suspension is a favor done by the university. A person of this caliber could do better in the workforce or a better university instead of TEACHING the university...

    1. Re:University doing a favor by bfizzle · · Score: 5, Insightful

      I wouldn't want to hire someone who wrote a piece of software that clearly violates University Policy and used it for 6 months. Its one thing to write the software, distribute it as a proof of concept and let Cisco or the University fix it. Its a whole other to write the said software and use it to exploit the hole for an extended period of time then claim you were going to tell Cisco months later. His actions sing a whole different song than his words.

    2. Re:University doing a favor by rblancarte · · Score: 3, Insightful

      I don't know if I would fully agree with not wanting to hire this guy. He is clearly smart and knows what he is doing. As a programmer, he could be a valuable employee.

      NOW, that being said, I am the first that will say - if you do something like this, know that you are breaking the rules and be prepared to pay the consequences (the guy is ROTC, and probably is going to own the Air Force some money). If you stumble upon something, that is one thing. But to blatantly break the rules for SEVEN months - bad idea.

      And the guy can say "I was planning on going to Cisco with the vulnerability this summer," But that is just talk. Yes, it could be true, but it also could be something he is saying to try to cover his butt since he was found out. Sorry, paint me skeptical.

      RonB

      --
      It is human nature to take shortcuts in thinking.
    3. Re:University doing a favor by rblancarte · · Score: 3, Insightful

      Three words - Social Security Numbers

      As someone who has fallen victim of University ID theft (SSN taken from a University computer), this guy could have been putting information at risk. Sorry, do not pass go, do not collect $200.

      RonB

      --
      It is human nature to take shortcuts in thinking.
    4. Re:University doing a favor by hazem · · Score: 3, Insightful

      Actually, it's the University that's putting the information at risk by choosing to use an insecure program and calling is security.

      There should be no connection between computers in dorms, labs, and classrooms, and any computer that has secure/financial information. They shouldn't have to rely on a crappy program from Cisco to give them the illusion of security.

      Sorry about your ID theft. I'm a veteran who uses the VA, and I'm sure my SSN was one of those 26 million that were recently compromised. Got a nice letter saying they were sorry but I shouldn't worry. Of course, no credit monitoring, no ability to "freeze" my credit reports... just sit back and wait and hope nothing happens. Kind of like the University in this case... but not by choice.

    5. Re:University doing a favor by tomhudson · · Score: 3, Insightful

      You obviously didn't read the articles. He did nothing that people with Macs or Linux or BSD on their computer are allowed to do. Its only Windows computers that they force users to run Cisco Clean Access ... and they also force them to us Symantec Antivirus instead of letting them choose ther own AV product.

      Considering that Symantec AV is not the only antivirus out there, if you were running a different antivirus, you would have to bypass CCA as well.

      Check out the article - CCA was taking up to 20 minutes to load - who wouldn't bypass that?

      Also, it is not clear that it "violates university policy" to write such a program, if you're a computer major, and your class work involves looking at vulnerabilities in software - which is what he learned in class. Then again, those who can, do - those who can't - teach.

      FTFA:

      Maass was charged with "violations of the Acceptable Use Policy, the Network Security Policy, disrespect for authority, disrespect for property, disorderly conduct and fraud," according to a letter he received from the University Judicial Board

      "Disrespect for authority?" "Disorderly conduct?" Aren't they part of what yo go to university for - to question the "accepted wisdom"? Or are universities becoming enclaves where they'll start teaching that women have fewer teeth then men, because Aristotle taught that, and it must be true... (in this case Aristotle was clearly an idiot - he was married - twice - and never bothered to check!!! Sort of like the university's VP of IT, because they don't understand the difference between a program a student runs on his own computer, and "hacking their system.")

      So, are they going to suspend every student who goes on a kegger? Flips the bird at a politician? Refuses to let their computer be hijacked by a buggy program? Sounds like a great place not to get an education.

      BTW - his actions exactly suit his words - of course he'd withhold giving it to Cisco until he was ready to ask for a summer job / internship. Your uninformed criticism of him, on the other hand, shows you're real university administration material.

    6. Re:University doing a favor by tomhudson · · Score: 3, Insightful

      First, any computer user can get around CCA just by using Firefox and using the user agent switcher to say that its running Linux - and this is very well known, has been for a long time, so CCA isn't about security; its about promoting a cover-your-ass mentality.

      Second, CCA is part of the problem, not part of the solution. CCA isn't a cure - it's a "feel good because we're doing something about it" thing. A cure, on the other hand, will only come about if people get cut off the network because their Windows box is p0wned. Then maybe they'll switch to a real operating system, and everyone will be ahead. The longer people continue to insist on their "right" to use a proven crappy toy operating system, and the longer its tolerated, the harder it gets to fix everything.

      Third, nobody was asking the school IT department to support "any software package" - if you had bothered to follow all the links, and then do some more research, you'd have found out that the VP of IT is despised by students and faculty, in part because of the crappy "support" for essentials (like half the computers in engineering don't work, AND they're not available after hours), but still finding time to force everyone to use CCA spyware.

      Fourth, he wasn't "hacking a production network." He wasn't trying to break into a database, or steal sensitive information, or access the network on conditions different from any mac or linux user ... or any windows user running firefox and user agent switcher. Get a grip. Be less pompous. CCA is a piece of shit. Its KNOWN to be a piece of shit. Anyone who thinks they're secure because they run CCA is incompetent and should be fired - which is what a lot of people are saying about this particular VP of IT, for this and other problems.

      Fifth, its a university network. If its not there for the student's education, WFT IS it there for? (aside from downloading pr0n, that is). Its already "insecure" (CCA is readily bypassable by the firefox user agent trick) so what's the harm of pointing out other ways that CCA fails in its purpose? Or are you one of those who actually believes "security through obscurity and SLAPP lawsuits" works?

      Sixth, we already know that monocultures are a bad thing. Requiring that all Windows users use the same brand of antivirus is just f*cked up. This was a stupid decision, because CCA can be configured to accept a list of AV packages. Bypassing CCA in this case is necessary if you want to avoid the problems of a monoculture within a monoculture.

  2. Don't do security research in the US by Anonymous Coward · · Score: 5, Insightful

    Anyone in the software biz should know: don't do security research (look for vulnerabilities) in commercial software or commercial websites if you want to be in the US. If you find a vulnerability, like a website that lets you launch missiles by putting &loggedIn=true in the URL, the best thing to do is to laugh to yourself about it, and forget it. Failing that, use some secure anonymous service and post the vulnerability somewhere. Doing the responsible thing, like informing the vendor, is absolutely thankless and likely to result in nothing but problems. Be smart, don't be a hero. Don't try to improve the security of others.

  3. Ookaaay then by FlyByPC · · Score: 4, Funny

    Guess I *won't* be doing that automated WiFi stumbler as a senior project...

    --
    Paleotechnologist and connoisseur of pretty shiny things.
  4. Getting past two imflammatory headlines by Lockejaw · · Score: 3, Insightful

    TFA isn't really clear on what sort of "break-in" this was. It looks like it was, at most, a proof of concept break-in, and may have been as little as figuring out how to break the system without actually doing it.
    In any case, he didn't go around giving out exploit code, and he even worked on the problem of patching the hole (as well as solving other problems with the CCA software), with the intent of full diclosure of the patch and upgrades. This isn't really a punishment for breaking things, it's a DMCA-style punishment for figuring out how someone might break things.

    --
    (IANAL)
    1. Re:Getting past two imflammatory headlines by yali · · Score: 5, Insightful

      In any case, he didn't go around giving out exploit code...

      From TFA:

      "I was planning on going to Cisco with the vulnerability this summer," Maass says. Maass' program was in use for approximately seven months before the University froze his UP account. Additionally, he gave the program to several friends and one professor.

      Also from TFA:

      Moreover, [fellow student] Vandermeulen said, many people are frustrated with CCA. CCA has sometimes taken up to 20 minutes to load on Vandermeulen's computer, he said. "I hear so many complaints (that) I'm not surprised that someone would go ahead and try to write something that would completely bypass it," he added.

      I don't think this guy deserved the punishment he got. But the whole, "I was just trying to help them" argument sounds fishy. Seems more likely that the uni put cumbersome security requirements on students, this guy tried to circumvent them, and the IT folks caught him and overreacted.

  5. Not impressed by Adam+Zweimiller · · Score: 5, Interesting

    When I started at as a freshman at the University of South Carolina 2 years ago, they were already using CCA. It's main intrusion was the fact that the University demanded that we use McAffee regardless of any other (superior) software we may have already purchased. Personally, I used Symantec Antivirus (Corporate) that I got through my internship. Regardless, it forced McAffee down my throat. I couldn't use the two side by side, as XP would freeze on startup with both installed. I noticed that the policy for CCA usage only applied to Windows computers, and that Linux and Mac users were exempt. So I booted my SuSe installation and launched Firefox to discover a web-gate type login, a form that I had to put my CCA user and pass into. Once entered, it said I was logged in for 7 days. I thought, well there's really only one way they're seperating out Windows, Mac's and Linux boxes: the user-agent. All it took to bypass was a custom Firefox deployment package pre-configured with User Agent Switcher. You didn't even need CCA installed. Every 7 days you got the web-gate login. All you had to do was switch to the pre-configured Linux user-agent and login, upon which you could change back to the default and continue on your merry way for 7 days. In about a week everyone in my dorm was using it, and it still works today. They just ban the user-agent when they catch on, and we come up with new ones. I'm not sure this guy's University may differ, but it really shouldn't take any kind of sexy software hackery to bypass it. PS. wtf is up with slashdot's server? It took me like 15 minutes to get this posted

    --
    mmm...muffins
    1. Re:Not impressed by bahwi · · Score: 3, Interesting

      Well, there's not really just one way to split up the OS'es, see nmap TCP/IP OS fingerprinting, but it's kind of disheartening that Cisco is using the UA for that, as it's the least secure thing you could possibly do. Kind of a name badge, "Hi My name is: CEO of Your Company" and security letting him pass without a card swipe or ID check because he says it so it must be true. Nmap OS Fingerprinting is really very cool if you haven't checked it out before. OpenBSD hides itself pretty well and FreeBSD does ok with certain switches turned on. But of course the detection just gets better each time too.

    2. Re:Not impressed by logan@bitsmart.com · · Score: 5, Interesting

      Heh... I reported this via Bugtraq on August 19, 2005, and CISCO responded to it 3 days later...

      http://www.securityfocus.com/archive/1/408603/30/0 /threaded

      As in, they've known about this for at least 20 months...

  6. Cisco Clean Access Agent... by TheGreatHegemon · · Score: 4, Interesting

    The article goes over it pretty well, but Cisco Clean Access Agent, in my experience at my college is more of a headache than it's worth. If someone has the slightest problem with Anti-virus updates, they get locked out every week, (I actually have to download the smart installer for them, and then patch it manually). Plus, a lot of good antiviruses aren't recognized by CCA agent as being acceptable. I currently run Windows 2003 server as a desktop, and CCA agent doesn't play nice with me either - I have to trick CCA agent by using a virtual machine for logins. Frankly, if there was a link to this program, I'd be using it right now...

  7. Stop instituationalizing young people by iamacat · · Score: 5, Insightful
    It's unavoidable that a bright C.Sci student will bypass some university security measures, for some of the following reasons

    • Bypass cloying "for your own protection" software that he and his computer-literate friends do not need anyway. Besides, what security updates if you have Mac/Linux?
    • Impress a girl by resetting her lost password or re-enabling account in her undergrad school
    • Explore a realistic network structure and challenges of its administration
    • Repair the system when it's down, admin can not be bothered and final project is due tomorrow at 8:30


    Steve Jobs openly admits to phone phreaking and calling the Pope. Both he and Bill Gates eventually dropped out of school. It's clear that, to become a person of substance, you have to be willing to challenge authority once in a while. Are we trying to raise a generation of corporate drones who are so obedient they can never pose a competitive threat to existing oligarchy. Are we so insane we let disturbed students stay in school and own guns, but suspend ones who are merely using university's property, paid for by their tuition, more efficiently than average?
  8. I hope he has his assertion well documented by John+Harrison · · Score: 3, Insightful

    He should have talked to the campus IT guys about this "research" before conducting it on live campus systems. I worked in campus IT at Stanford and my experience is that they might be open to seeing what you're working on and allowing it.

    The article summary posted here on /. conveniently left off the next paragraph:
    Maass' program was in use for approximately seven months before the University froze his UP account.

    So he ran this thing for most of the school year and gave it away to his friends and put up a facebook page about it without telling Cisco? At some point it starts to look like the, "I was about to tell Cisco!" claim is just an excuse to get out of trouble. Once he had a working demonstration he should have approached Cisco, not distributed it while he put off talking to the vendor for half a year.

    Still, it seems like the uni is going overboard on the punishment.

    --
    Lasers Controlled Games!
  9. lets just suspend ALL students and save time by TheGratefulNet · · Score: 4, Interesting

    story after story, its "this student scared us - lets git 'em!".

    why is this country SO AFRAID of students and so into controlling them? I'm not sure I could survive in a modern high school or even college environment now. I'd be too angry all the time at how badly they are mismanaging our youth.

    I am quickly losing all my faith and trust in the so-called 'education system' we have in the US. its becoming not much more than babysitting and nannying.

    and I fear for the kind of young adults we are going to produce from this brainwashing factory we call 'school'.

    anyway, what good is there in suspending this kid? what does that accomplish? the fact that he found YOUR security flaw embarassed you? is that a reason to punish him?

    perhaps the school does not DESERVER your funding. yes, YOU fund the school - they work FOR YOU. its not the other way around. YOU are the consumer. if school-A is giving you crap, why not take your business elsewhere? yes, school IS a business - very much so.

    --

    --
    "It is now safe to switch off your computer."
  10. University of Portland by pclminion · · Score: 3, Informative

    U of P is a Catholic school with no particular engineering focus. I think he would have stood a better chance of a reasonable response had he been attending a "real" engineering school. There's nothing wrong with Catholic school, or in studying engineering at such a school, but I think this poor guy should have seen it coming... If you're going to do research like this, do it at home. If he wanted to inform Cisco of the problems, he should have just done so directly. I feel bad for the guy but it's not surprising.

  11. wow, excellent points by JohnnyComeLately · · Score: 4, Interesting
    Your reply hits many points, dead on (pardon the pun when combined with the guns reference). Technically, I "broke" Sprint PCS security policy by showing them a hole in 3G data services (around 98/99). The security guys were certain they were applying the layers of security but forgot about a fundamental shift in types of traffic (tunneling within a tunnel) used in 3G. I said, "OK, if it's secure, how is it I can ping the billing server from my "public" computer".....I could technically have been in the same boat as some others (not this kid...he was clever).

    Which brings up your main, and correct, point. It's sad when we penalize so harshly for students just being clever. Would they have suspended him for a year for putting a penny in the dorm elevator (in effect locking it on a single floor during early morning rush time)??? I often joke, and I'm sadly accurate: If I did half of what I did 20 years ago in highschool and later college....today...I'd be a multiple strike felon...and yet no one or any property was really ever hurt

    1. Re:wow, excellent points by ScrewMaster · · Score: 5, Interesting

      When I was in college thirty-odd years ago, my University only allocated 2,000 minutes per quarter per student of mainframe time. Not enough (obviously) and they refused to give me any more. So I wrote a simple fake-login program that would log the user's name and password, and cough up a realistic "system is down" message. Matter of fact, I exactly duplicated the normal logon procedure, including any nominal pauses and delays that occurred. Even fooled the system operators a couple of times. I ran the thing on forty or fifty terminals simultaneously, and I would watch in case someone called one of the admins over to ask why the system wasn't working. Whenever that happened, I'd hit a key on my terminal that would immediately log all the other systems off, so it would work normally at the next login attempt. It wasn't often: most people just shrugged, got up and left to go about their business. Occasionally some busybody would call an administrator over, so I had to keep an eye on things.

      In under a week I had captured the accounts of every active student user on the system, plus all the supervisory accounts. It was pretty unbelievable (as in, "holy SHIT Jesus Mary mother of God" unbelievable) and I couldn't understand why there were no precautions taken against that sort of thing. Needless to say I had no problems with account time after that. That was on the one mainframe: there was another guy, pretty sharp coder, that figured out what I was doing. At first I thought I was screwed, but he was delighted by the idea and duplicated it on the bigger system (this was years before the word "pwned" came in to the popular lexicon but it's no less applicable.) No surprise, a few days later and he had the run of that machine. So far as I'm aware, nobody ever figured out what we'd done. The big system was the one that had everything administrative on it from student grades to paper clips and we could have wreaked havoc if we'd wanted to. As it was, though, we just wanted more computer time to do our homework.

      A couple of years later my father testified in front of my State's legislature regarding a new "computer crime" bill they were shopping around. It was one of those ridiculous "zero tolerance" laws that make the lawmakers look "tough on crime" but end up shafting a lot of people that don't deserve it. Dad pointed out to these idiots that, if passed, their brain-child would immediately criminalize 90% of the best and brightest students in our engineering and computer science curricula. They backed off in a hurry and came back with a more reasonable bill, which never got passed anyway.

      That was then. Nowadays, I don't think our lawmakers would bat an eye if they put half our smartest engineering students in jail. They're just engineers, after all, and ... who the fuck needs those.

      --
      The higher the technology, the sharper that two-edged sword.
  12. Re:This summer? by mark-t · · Score: 3, Informative

    ....or.... I could *READ* the TFA and discover he had been using it for seven months and given copies to his friends.

    I take back what I said before.

    The idea that he was about to tell Cisco about it is a pretty weak cover story, given his behaviour.

    --
    File under 'M' for 'Manic ranting'
  13. From the misleading headline department by peacefinder · · Score: 3, Informative

    Many of the arguments we use to - justly - defend security researchers seem like they may not apply in this case.

    * He used the software to bypass the security check for seven months
    * He distributed the software to several other students and a professor
    * He did not disclose the vulnerability to the vendor before releasing his exploit
    * He did not ask permission

    Now, this is not to say that the University's use of CCA is wise or it's reaction was reasonably proportionate to the damage done. (If the damage and the policy violation is as minimal as the article claims, a 1-year suspension is insane.) But Mr. Maass did not do a good job of covering his ass, either.

    Let this be a lesson to the next guy.

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  14. Catch me if you can by electrosoccertux · · Score: 3, Insightful

    Clearly you haven't learned from the movie "Catch Me If You Can".

    These people can outsmart you every minute of the day if you give them reason to. Why not just employ them and get on their side?

    Oh right, this isn't about security, this is another stupid power struggle.

  15. This illustrates "transitive trust" fallacies by malcomvetter · · Score: 4, Insightful

    Regardless of the student's ethics (or lack thereof), this illustrates a fallacy of trust in computing that often goes overlooked, especially in software security products: transitive (implicit) trust.

    Think about it logically for a second ... If the administrator (of the University, some enterprise, or even a home network) cannot state anything about the trustworthiness of an unfamiliar computer, how can that same administrator trust the output of some software program designed to assert the trustworthiness of an otherwise untrusted computer?

    Trusted input (e.g. Cisco Clean Access)
    + Untrusted computation (unknown host)
    != Trusted output (i.e. an assertion from the CCA that the computer is trustworthy)

    The nature of this equation is that the untrusted computer is implicitly trusted to compute its own trustworthiness. What ramifications does that have on the real world analogies?

    Banker: Can I trust that you'll repay this loan for $1 Billion?
    Some joe off the street: [Hides "will work for food" cardboard sign behind his back.] Uh, sure.

    And yet, how many NAC/NAP vendors actually try to challenge the unknown host (java applet, activeX control, native code, etc.)? Answer is: nearly all of them, unfortunately. Even if Cisco fixes this hole, what will happen next? This is not unlike Cisco trying to sell a perpetual motion machine-- this simply defies the "natural laws" of security.

    --
    NAC is not the answer. How about those good ol' 3270 connections?

  16. RTFA before commenting... by msauve · · Score: 4, Insightful

    "There was nothing in [the policies] that stood out to me that I would be in violation of," Maass said of his thinking at the time he authored the program.

    Maass was charged with "violations of the Acceptable Use Policy, the Network Security Policy, disrespect for authority, disrespect for property, disorderly conduct and fraud," according to a letter he received from the University Judicial Board...

    "A lot of these policies are written to be very vague and flexible so that they can be [used] in whatever situation they (the University) need to use them in," he [Maass] says...

    Goldrick [ vice president of student services] declined to comment on issues concerning policies.

    Would you care to quote the policy you claim he broke?

    No, it sounds like he embarassed the University IT administration, so they closed ranks and used a kangaroo court to express their displeasure. Dean Wormer put him on double secret probation first, I'm sure.
    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  17. Honest Your Honor! by Stormy+Dragon · · Score: 3, Funny

    I wasn't buglarizing this house, I was just checking the home security system for holes!

  18. Bait and Switch by litewoheat · · Score: 4, Insightful

    OK this story is sensationalist BS. Maybe the summary should have stated that he USED IT FOR SEVEN MONTHS and GAVE IT OUT TO FRIENDS!? Come on, only when he gets caught does he say he was going to share his results. Yeah, that's like embezzling and then saying you were going to give all the money back when you get caught.

  19. Re:This summer? by dgatwood · · Score: 4, Insightful

    OTOH, if he were smart enough to break this thing and he were malicious, he would have instead sold it to some Russian hacking group to put into new viruses. He didn't. He didn't crack anybody else's machines with it. He didn't run it on university equipment. He didn't do any of the thousands of truly malicious things he could have done. Based on that, I see no reason to believe that the guy didn't intend to tell Cisco about it... but probably not until after he graduated so that he wouldn't have to deal with a bug-fixed version of the software that disabled his workaround....

    Instead of using the software maliciously (which would have been relatively easy by comparison), the guy just ran it on his own personal machines and gave it to other people to willingly run on their own personal machines so that they could use the network without the interference of an overbearing piece of security software. All the guy did was write software that made it look like he was running the stupid tool that the uni required him to run in order to use the network without actually having to run it. That's hardly malicious behavior, and if the guy was running reasonable antivirus protection software and was keeping up-to-date with security patches without the "assistance" of the tool in question, it really didn't create any significant security risk, either.

    No, this is a typical knee-jerk reaction by bureaucrats. I would expect nothing better from most universities, but it's still a shame every time someone's life is needlessly wrecked because of a bunch of pencil pushers.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.