Slashdot Mirror

← Back to Stories (view on slashdot.org)

Student Attempting To Improve School Security Suspended

Posted by Zonk on from the no-good-deed-goes-unpunished dept.

TA_TA_BOX writes "The University of Portland has handed a one-year suspension to an engineering major after he designed a program to bypass the Cisco Clean Access (CCA). According to the University of Portland's Vice President of Information Systems, the purpose of the CCA is to evaluate whether the computers are compliant with current security policies (i.e., anti-virus software, Windows Updates and Patches, etc.). Essentially the student wrote a program that could fool the CCA to think that the computers operating system and anti-virus were fully patched and up to date. 'In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says. '"

8 of 282 comments (clear)

  1. University doing a favor by Anonymous Coward · · Score: 5, Insightful

    It seems obvious that the suspension is a favor done by the university. A person of this caliber could do better in the workforce or a better university instead of TEACHING the university...

    1. Re:University doing a favor by bfizzle · · Score: 5, Insightful

      I wouldn't want to hire someone who wrote a piece of software that clearly violates University Policy and used it for 6 months. Its one thing to write the software, distribute it as a proof of concept and let Cisco or the University fix it. Its a whole other to write the said software and use it to exploit the hole for an extended period of time then claim you were going to tell Cisco months later. His actions sing a whole different song than his words.

  2. Don't do security research in the US by Anonymous Coward · · Score: 5, Insightful

    Anyone in the software biz should know: don't do security research (look for vulnerabilities) in commercial software or commercial websites if you want to be in the US. If you find a vulnerability, like a website that lets you launch missiles by putting &loggedIn=true in the URL, the best thing to do is to laugh to yourself about it, and forget it. Failing that, use some secure anonymous service and post the vulnerability somewhere. Doing the responsible thing, like informing the vendor, is absolutely thankless and likely to result in nothing but problems. Be smart, don't be a hero. Don't try to improve the security of others.

  3. Not impressed by Adam+Zweimiller · · Score: 5, Interesting

    When I started at as a freshman at the University of South Carolina 2 years ago, they were already using CCA. It's main intrusion was the fact that the University demanded that we use McAffee regardless of any other (superior) software we may have already purchased. Personally, I used Symantec Antivirus (Corporate) that I got through my internship. Regardless, it forced McAffee down my throat. I couldn't use the two side by side, as XP would freeze on startup with both installed. I noticed that the policy for CCA usage only applied to Windows computers, and that Linux and Mac users were exempt. So I booted my SuSe installation and launched Firefox to discover a web-gate type login, a form that I had to put my CCA user and pass into. Once entered, it said I was logged in for 7 days. I thought, well there's really only one way they're seperating out Windows, Mac's and Linux boxes: the user-agent. All it took to bypass was a custom Firefox deployment package pre-configured with User Agent Switcher. You didn't even need CCA installed. Every 7 days you got the web-gate login. All you had to do was switch to the pre-configured Linux user-agent and login, upon which you could change back to the default and continue on your merry way for 7 days. In about a week everyone in my dorm was using it, and it still works today. They just ban the user-agent when they catch on, and we come up with new ones. I'm not sure this guy's University may differ, but it really shouldn't take any kind of sexy software hackery to bypass it. PS. wtf is up with slashdot's server? It took me like 15 minutes to get this posted

    --
    mmm...muffins
    1. Re:Not impressed by logan@bitsmart.com · · Score: 5, Interesting

      Heh... I reported this via Bugtraq on August 19, 2005, and CISCO responded to it 3 days later...

      http://www.securityfocus.com/archive/1/408603/30/0 /threaded

      As in, they've known about this for at least 20 months...

  4. Stop instituationalizing young people by iamacat · · Score: 5, Insightful
    It's unavoidable that a bright C.Sci student will bypass some university security measures, for some of the following reasons

    • Bypass cloying "for your own protection" software that he and his computer-literate friends do not need anyway. Besides, what security updates if you have Mac/Linux?
    • Impress a girl by resetting her lost password or re-enabling account in her undergrad school
    • Explore a realistic network structure and challenges of its administration
    • Repair the system when it's down, admin can not be bothered and final project is due tomorrow at 8:30


    Steve Jobs openly admits to phone phreaking and calling the Pope. Both he and Bill Gates eventually dropped out of school. It's clear that, to become a person of substance, you have to be willing to challenge authority once in a while. Are we trying to raise a generation of corporate drones who are so obedient they can never pose a competitive threat to existing oligarchy. Are we so insane we let disturbed students stay in school and own guns, but suspend ones who are merely using university's property, paid for by their tuition, more efficiently than average?
  5. Re:Getting past two imflammatory headlines by yali · · Score: 5, Insightful

    In any case, he didn't go around giving out exploit code...

    From TFA:

    "I was planning on going to Cisco with the vulnerability this summer," Maass says. Maass' program was in use for approximately seven months before the University froze his UP account. Additionally, he gave the program to several friends and one professor.

    Also from TFA:

    Moreover, [fellow student] Vandermeulen said, many people are frustrated with CCA. CCA has sometimes taken up to 20 minutes to load on Vandermeulen's computer, he said. "I hear so many complaints (that) I'm not surprised that someone would go ahead and try to write something that would completely bypass it," he added.

    I don't think this guy deserved the punishment he got. But the whole, "I was just trying to help them" argument sounds fishy. Seems more likely that the uni put cumbersome security requirements on students, this guy tried to circumvent them, and the IT folks caught him and overreacted.

  6. Re:wow, excellent points by ScrewMaster · · Score: 5, Interesting

    When I was in college thirty-odd years ago, my University only allocated 2,000 minutes per quarter per student of mainframe time. Not enough (obviously) and they refused to give me any more. So I wrote a simple fake-login program that would log the user's name and password, and cough up a realistic "system is down" message. Matter of fact, I exactly duplicated the normal logon procedure, including any nominal pauses and delays that occurred. Even fooled the system operators a couple of times. I ran the thing on forty or fifty terminals simultaneously, and I would watch in case someone called one of the admins over to ask why the system wasn't working. Whenever that happened, I'd hit a key on my terminal that would immediately log all the other systems off, so it would work normally at the next login attempt. It wasn't often: most people just shrugged, got up and left to go about their business. Occasionally some busybody would call an administrator over, so I had to keep an eye on things.

    In under a week I had captured the accounts of every active student user on the system, plus all the supervisory accounts. It was pretty unbelievable (as in, "holy SHIT Jesus Mary mother of God" unbelievable) and I couldn't understand why there were no precautions taken against that sort of thing. Needless to say I had no problems with account time after that. That was on the one mainframe: there was another guy, pretty sharp coder, that figured out what I was doing. At first I thought I was screwed, but he was delighted by the idea and duplicated it on the bigger system (this was years before the word "pwned" came in to the popular lexicon but it's no less applicable.) No surprise, a few days later and he had the run of that machine. So far as I'm aware, nobody ever figured out what we'd done. The big system was the one that had everything administrative on it from student grades to paper clips and we could have wreaked havoc if we'd wanted to. As it was, though, we just wanted more computer time to do our homework.

    A couple of years later my father testified in front of my State's legislature regarding a new "computer crime" bill they were shopping around. It was one of those ridiculous "zero tolerance" laws that make the lawmakers look "tough on crime" but end up shafting a lot of people that don't deserve it. Dad pointed out to these idiots that, if passed, their brain-child would immediately criminalize 90% of the best and brightest students in our engineering and computer science curricula. They backed off in a hurry and came back with a more reasonable bill, which never got passed anyway.

    That was then. Nowadays, I don't think our lawmakers would bat an eye if they put half our smartest engineering students in jail. They're just engineers, after all, and ... who the fuck needs those.

    --
    The higher the technology, the sharper that two-edged sword.