Blackboard Campus IDs: Security Thru Cease & Desist

On Saturday night, Virgil and Acidus, two young security researchers, were scheduled to give a talk at Interz0ne II on security flaws they'd found in a popular ID card system for universities. It's run by Blackboard, formerly by AT&T, and you may know it as OneCard, CampusWide, or BuzzCard. On Saturday, instead of the talk, attendees got to hear an Interz0ne official read the Cease and Desist letter sent by corporate lawyers. The DMCA, among other federal laws including the Economic Espionage Act, were given as the reasons for shutting down the talk (but -- update -- see the P.P.S below). I spoke with Virgil this morning.

Virgil was there two years ago when Dmitri Sklyarov was arrested and led away in handcuffs at Def Con 9. He's not in handcuffs now, but in speaking to me, he had to stop and think about everything he said, and every third answer was "I really shouldn't talk about that."

The DMCA is largely to thank for that. Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work," and that no one "shall... offer to the public... any technology" to do so. Blackboard Inc., whose card system is called the Blackboard Transaction System and known to end users under various names, uses a network of card readers and a central server, and they communicate over RS-485 and Internet Protocol -- using, or so they apparently claim, measures that effectively control access.

For the record, none of what I learned about the Blackboard technology was from him or Acidus after the restraining order was sent. I spoke to other people, who have not been served with a restraining order. Google has a less enlightening mirror of the slide titles from this weekend's PowerPoint presentation and a more enlightening mirror of Acidus's "CampusWide FAQ" from last July. And, most enlightening of all, this mirror has an updated version with details on what they figured out how to do and what their talk was going to be about (click "CampusWide" for the text description, the PowerPoint slides, and Acidus's timeline of the last year).

At many schools, Blackboard's system is the ID: you swipe your card for your meal plan at the cafeteria, to get into your dorm, maybe even to get your final exam.

A swipe at a vending machine will get you a soda -- a money transaction from your campus debit account. When you use a swipe to do laundry and make copies, money has to be involved. Blackboard even notes that they can set up a merchant network on- and off-campus: "a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network." (Emphasis added. Maybe readers who go to schools that use such a system can expand on how that system is used.)

The kicker, of course, is that this network is not very secure, or at least Blackboard doesn't think it's as secure as... well, as lawyers. One anonymous Slashdot submitter wrote that: "The authentication system is so weak that [Virgil and Acidus] have been able to create a drop in replacement for the CampusWide network debit card readers used on coke machines on campus."

Virgil couldn't provide me any details about what he had learned about the system. Based on the mirrors, it looks like a man-in-the-middle replay attack -- which is a pretty simple attack, repeating messages sniffed over the RS-485 protocol, or even over IP -- can have effects like convincing a Coke machine to dispense free product. Or, it's claimed, the attacker can create a temporary card, with no name attached, and free money in its account. Hmmmmm.

Or, more ominously, someone else's identification might be sniffed, and then replayed from a security terminal. If a thief gained entrance to a building by sending the message "open the door, my name is John Doe," the real John Doe might be sorely inconvenienced the next morning.

So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?

If you're a parent putting money into a Blackboard-based debit account, do you feel more confident of its safety now that this information is ostensibly hidden?

This card system has been installed on many campuses and its roots go back almost twenty years. My guess is that replacing the card-reading hardware would be necessary to improve the security of these devices. Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").

So, assuming that's not possible -- is the DMCA a viable tool to ensure security?

P.S. Virgil tells me that he has a good lawyer. They are scheduled to argue on Thursday that the restraining order not be made permanent. Slashdot will keep you apprised of what happens in our Slashback stories... stay tuned.

P.P.S. Update: 04/15 02:30 GMT by J : Now online are the restraining order, which just lists the six things that Acidus and Virgil are not to do, and the more detailed Complaint. Now that these are available, as Declan McCullagh points out, it turns out the DMCA was only in the lawyers' threatening letter and not considered as part of the Complaint itself. I'm not sure why it would be included in the letter -- some of the language of the Georgia Computer Systems Protection Act is similar, and who knows, Section 1201 might be mentioned later on, as this case progresses. Maybe the lawyers are just keeping their options open. Meanwhile, I love this part of the Complaint:

"Mr. Hoffman openly acknowledges on his website that 'I am a hacker.' His website then defends the process of hacking. See Exhibit B."

Remember, Citizens

This in NO WAY implies we live in a police state.

Re:No, it doesn't.

A corporation who distributes flawed merchandise or software has every right to tell me to be quiet. I also have every right to a functional secure product that they claim to be pawing off on you. Perhaps hitting the corporation with a false advertisement lawsuit ( we sell a secure product, we swear ) in return would wake them up. ( Doubtful ) With our sorry ass congress/senate passing these bills as fast as they can, it's probably our only recourse until we boot the entire lawmaking body out of office and get someone with some sense.

Re:No, it doesn't.

Think of America as the 'politically correct' police state. While the jackbooted-gestapo isn't kicking the door down and beating you. . . (yet) . . . they are instead getting law degrees, dressing in nice suits and suing you. It's much more profitable. It ultimately achieves the same goal. You tend to keep your opinions / comments to yourself.

Re:No, it doesn't.

The trouble is, how can you win a false advertising law suit it no-one is prepared to do the research to find the product is insecure ?

Interesting, isn't it, in these days of terrorism paranoia, that laws like this ARE going to result in worse security ? Well worse security for the USA, relative to every other country in the world that doesn't (yet) have these sort of laws.

Re:No, it doesn't.

...laws like this ARE going to result in worse security...

My thoughts exactly (for quite some time now). The true criminals won't care it's illegal. They will get and USE the information anyway, leaving someone else to take the blame. (Honest officer, it wasn't me who swiped the card to break into the dorm and rob people.) And since the system is <sarcasm> so secure</sarcasm>, who's going to believe the victim? Of course, defending yourself without access to the information that shows how insecure the system really is is going to be a <sarcasm>cake walk</sarcasm>.

It's been my experience (and looking at history, I'm not alone) that trying to ignore a problem (bring in the lawyers!) only makes it worse and more expensive. Sadly, common sense seems so uncommon nowadays.

Re:No, it doesn't.

" A corporation who distributes flawed merchandise or software has every right to tell me to be quiet."

but that doesn't mean you should have to respect that wish.
How many things only get better because someone talks to the press?

Re:No, it doesn't.

Hello. Stupid. The corporation is using the law to prevent speech. The law is stopping someone from speaking. A prior restraint, stupid. This is the hallmark of a police state -- laws being used to silence the voice of individuals. Armed thugs will beat the shit out of him if he speaks -- they will attempt to kidnap him, imprison him, and extort money from him for this sin in the guise of arrest, detention, and fines by the police and court system. You have no idea what you are talking about, AC.

you don't know police states

If we lived in a police state, armed thugs would not tell you, [...]They'd just beat the living crap out of you and then go home,

Maybe that's how police states work in your native, ignorant, Hollywood view of the world. In real life, police states don't usually bother with beating people up--it's way too much effort--and it's not necessary. They control people through implicit and subtle threats to their liberty, livelihood, and privileges, as well as similar threats to their families. They only resort to force when people absolutely don't comply--but so does law enforcement everywhere.

You don't agree with the party line? Sorry, you or your kids can't go to college. You don't return from your trip abroad? Well, to compensate the state for your misdeeds, your home will be confiscated; too bad about your family. In some areas of US law enforcement, it's getting frighteningly close to that (drug seizures, computer seizures, etc.).

Police states aren't anarchies. They operate orderly and according to laws, they just happen to be laws that limit freedoms excessively. And it's very easy to move from the rule of law in a free society to the rule of law in a police state.

I say publish all the details overseas

I wish there were a way to accidentally leak the exacty details overseas. There, it would be very difficult to get shut down, and every college using this system would have to deal with it.

While this may be an inconvenience to students, they can get by without buying coke with a swipe of a card for a while.

Re:I say publish all the details overseas

It is trivial to leak this kind of information. Walk into an internet cafe (or walk by any of millions of open 802.11b network) and upload the information to USENET. Problem solved.

Re:I say publish all the details overseas

Ah, I've often shouted "POST IT ON USENET!" at the television screen whenever there's a movie or x-files/whatever episode where the hero is running away with the evidence/HotInfo trying to keep it from the Evil Conspirators.

They almost never do.

Re:I say publish all the details overseas

The problem is that uploading the information to usenet is exactly what's going to happen. Corporate-types don't read usenet, but hacker-types do. What does that lead to? Some bored kid stealing all of my money, and only THEN is there a reaction from the company. I attend Cornell University, and I have to say, Blackboard is EVERYWHERE. We call it CornellCard. It controls all of the vending machines and meal plans. At least one door on each academic building and all the doors on the newer dorms are controlled by it. Not only can it be used to charge money out of our debit account (called Big Red Bucks), but it can be used to charge however much you want to your parents' bursar bill. The card isn't the only product Blackboard provides to schools. They also sell Cornell a web service called MyBlackboard. It allows teachers to set up websites for their classes. In addition to trivial stuff like assignments and lecture notes, the teachers use this interface to post test scores. Imagine all the havoc that could be brought upon this huge system simply because some exec decided it was more "cost-effective" to send out the attack lawyers than to fix their shoddy product.

Re:I say publish all the details overseas

Indeed. If they'd just thrown the information onto usenet in the
first place, no lawyer action would have had any effect at all.
The problem is, people[1] who find security flaws don't generally
*want* to post them to usenet: they want to work with the vendor
and the security community to get the problems _fixed_.

So here's the question: will these sorts of responses from vendors
force the security community into just giving up on all pretenses
of working with the vendor and just leaking everything to the
general public immediately upon discovery? That would be bad for
all concerned, but it might be better than being lawyered to death.
It's pretty easy to arrange to get something posted to usenet
with a reasonable degree of anonymity, and there's absolutely no
way to suppress anything that has been posted to a big-8 or alt
group, short of destroying the whole planet. But I don't think
I trust the security of a product whose vendor is sufficiently
uncooperative as to motivate a discoverer[1] of a vulnerability
to do things that way.

Maybe people who discover such vulnerabilities should discreetly
communicate everything they know to some third party overseas
first before doing anything else...? But you still have the
problem that if you try to work with the vendor they know who
you are and can laywer you, and you can be held responsible for
communicating the information to the third party.

Ah... but what if the original discoverer remained anonymous
and communicated to someone _else_ who would try to work with
the vendor, and if that failed the original discoverer or some
third party he communicates with could release the information
to the security community (and, in the process, the general
public)? This would be harder for the discoverer, who would
have to anonymously contact a trusted third party in the first
place whom he would have to trust to make a good-faith attempt
to work with the vendor. But if the vendor tried to laywer
the non-anonymous person, they'd run into "I just found out
from this here anonymous email and was trying to work with
you; this leak must have been perpetrated by the evil person
who circumvented your effective measure in the first place,
probably the same dude who sent this email, which seems to
have come to me from an evil open relay in southeast Asia,
one of the same ones the spammers use to send me special
offers for reduced-price copies of your products, which they're
probably pirating. Gosh, you should really go after those
open relays, they're all kinds of trouble."

[1] Security people, I mean. I'm not talking about blackhats.

Re:I say publish all the details overseas

Now of course, I wouldn't have had this reaction if the company had taken steps working with the discoverers of the security flaw. If anything, they should hire/pay these researchers for their work, fix the problem, implement it, and then publish what went wrong. And who knows, maybe they even tried. I doubt it though, when a cease-and-desist can have the same effect.

Re:I say publish all the details overseas

chances are that they knew _exactly_ how bad the system was, and maybe just hadn't care when they first made the system, maybe thinking that it would be such niche system or so it wouldn't need to be secure, or maybe it was some other system adapted to use where security would have paid off..

Re:I say publish all the details overseas

Now of course, I wouldn't have had this reaction if the company had taken steps working with the discoverers of the security flaw. If anything, they should hire/pay these researchers for their work, fix the problem, implement it, and then publish what went wrong. And who knows, maybe they even tried. I doubt it though, when a cease-and-desist can have the same effect.

Sadly, the reaction of Blackboard is a big hint to the future discoverers of security flaws: don't even try to contact the company - wear gloves, attach a fake beard, go to an internet cafe, publish your exploits on Freenet, Usenet, foreign haxx0r sites and whatever else comes to your mind, grin evilly (this part is optional).

Re:I say publish all the details overseas

The same kind of thing happened in France. (Maybe it was on /., it was a few years ago...)

A guy figured out how to manipulate the chip on the smart cards used for credit cards. He contacted whatever company makes the cards to try to get them to hire him. They didn't believe him, so to prove his point he bought about $7.00 worth of metro tickets from an automatic distributor.

And then what?

They busted his ass big time. I think it totally destroyed the guy's career, life, etc. Then the company upgraded their encryption...

Re:I say publish all the details overseas

The story of Serge is here [bbc.co.uk]

Re:I say publish all the details overseas

Why isn't there a way? It seems like it wouldn't be that hard to drop a .pdf file onto a p2p network (call it how_to_get_coke_for_free_at_school.pdf) and watch the downloads begin. The point is that by doing it in this manner, the flow of information is limited to those people who are tech-saavy enough (I know, I know - you wouldn't have to know very much to download and view a .pdf file) to get the file. This prevents many of the people who really need this information, the administrators and parents, from getting it. The college kids can still find out because they've grown up with computers but the people pulling the strings won't know their system is insecure because their knowledge of computers starts and stops with Solitaire.

What a strange filename

how_to_get_coke_for_free_at_school.pdf? WTF?!? Are you trying to publish a security analysis, or are you trying to help people commit theft? Some people might draw conclusions about your intent, from that filename. And you might not like how they act in response to those conclusions.

Re:What a strange filename

Purely for marketing purposes chief. If the suits realize the kids are ripping off the system, the system will get fixed really quickly. On the other hand, how many college kids are going to download security_analysis_of_collegecard_system.pdf? Come on now, it's MARKETING.

Re:I say publish all the details overseas

I wish there were a way to accidentally leak the exacty details overseas. There, it would be very difficult to get shut down, and every college using this system would have to deal with it. While this may be an inconvenience to students, they can get by without buying coke with a swipe of a card for a while.

Yeah, I wish we had some sort of global communication network where you could instantly and anonymously post a piece of information, and people anywhere in the world could see it. Wouldn't that totally rock?

Hey!

How come we can post Win2k3 serial keys in the slashdot forums, but no one posts how to get phr33 as in c0ke c0kes? Sheesh. What bullshit.

Come *on*, someone toss a practical exploit in here!

--grendel drago

Re:Hey!

From: The law firm of Dewey Cheatem and Howe
To: mkldev
Subject: Cease and desist

Sir/Madam,

Due to your recent post on the 'news' site 'Slashdot', we issue this cease and desist hereby ordering you to refrain from describing any manner of breaking security methods for refreshment beverage machines. Your suggestion of "...first you take a crowbar..." is in violation of the Digital Millenium Copyright Act.

or something like that ;)

Re:I say publish all the details overseas

Well, going to a school where all my food is purchased by cards and the only way I can get back to my room is controlled by cards, I'd say your statement of "deal with it" is quite silly.

It is sad to see that the DMCA can be used by a company if it wishes to ignore flaws. It is a sad day knowing that profit is more important than a good product.

Can you say 'Ford Pinto'? I knew you could!

Profit has long been more important than a good product. The sad part now is corporations have a law to prevent consumer groups from researching their flaws.

Does it bother anyone else that copyright violations are given more attention than violent crime? Why can't the same reasoning the vilifies P2P networks since they "could" be used for illegal copies be applied to manufactures of Dum-Dum bullets, Assault rifles, etc.?

Before rants go off-topic both ways, I'm trying to point out the absurdity of the anti-copyright measures when compared with how other crimes against individuals and not corporations are treated. Laws are being crafted that protect corporations, at the expense of individual rights. My right to not get shot should be a lot more important than a corporations right to make money

(For the record, I'm not against guns in principle - I'll eat hunted meat, etc. I just don't think you can get a good set of steaks if you hunt with an assault rifle, nor is it really sporting, so I don't see why normal people need them. And in today's world the 'standing militia' argument no longer holds - if our armed forces can't hold off an invasion, we're pretty much boned. You'd have to have lots of forces to be able to get a supply chain for more ammo, and if I remember correctly WWI proved you can't really hold the ground without air superiority, so you'd better build an air strip as well.)

Re:Can you say 'Ford Pinto'? I knew you could!

And in today's world the 'standing militia' argument no longer holds - if our armed forces can't hold off an invasion, we're pretty much boned.

The right to organize militia is not intended for defense against foreign invaders; rather, it is to be a defense against a tyrannical government that has gone berserk.

Sure, that might not happen, a lot of things might not happen; but it's silly to simply throw away one of the most important checks that individual citizens have on the federal government's power, just because there are some idiots out there who are mentally incapable of possessing a weapon without doing harm to innocent third parties.

By eliminating the right of individual citizens to bear the same firearms that soldiers do, you save a few lives in the short run, and you set us up for a bloody revolution in the long run, when the government decides it's had enough of that "freedom" thing.

not only that

but distributing e-books that you can't make personal copies of is illegal in his home country !

I say DON'T publish the details AT ALL!

Why not flip the proverbial script.

Just announce that the product has a MAJOR and EASILY EXPLOITABLE security flaw. Then absolutely _refuse_ to give any details on it to the company. Cite fear of the DMCA [and numerous examples] of its enforcement as your reasoning. (+5th amendment)

Watch their stock take a pounding, and see if they don't fix it themselves. Then they will have to hope you come out and say they fixed it.

Re:I say DON'T publish the details AT ALL!

To comment on your comment, my solution would be somewhat different.

My solution is pick one university, find a specific solution, and have about 1000 people get free cokes, free lunches, free access, all on one particular day only. Create a financial incentive, but more importantly a social incentive to open up the conversation.

I am NOT a big fan of breaking the law purely for protest means. (see my many other posts on this subject) However, considering the DMCA itself is a violation of free speech, it may be warranted. Not to rip off large amounts of money, or do serious damage, just nickel and dimed for ONE day where it is OBVIOUS that it is a security breach that can not be overlooked. Then do what you suggested, say you can't tell them how it was done due to DMCA. ('you' being someone who didn't participate but knows how it was done)

....back in my day, we didn't have swipers on.....

..anything, why you usta hafta put coins in....

that's right, you young whipper-snappers are giving up something up by "swiping" rather than having to DIG for coins!

The major concern here is about your PRIVACY as you swipe...where's the identity on these cards going?

Free laundry and coke is cool, but I mastered the "quarters on dentalfloss" technique myself...If you are giving all your personal info away at every swipe, there's something wrong.

You should reconsider what you are doing, or at least send me your checking acct#.

Just hold security conferences in a safer country

Just why are people still holding security conferences in the USSA ? Is it going to take a conference chair being thrown into jail before the lights go on and people move them to a sane nation ?

Still another fine example of the DMCA at work, protecting the right of corporations to ensure that even the daftest of terrorists can break US security, and stop for a free canteen lunch on the way.

Oh no! Not again! (And again, and again, ...)

How many more times are we going to hear about the DMCA and the extreem mesures some companies and people will go to use it?

Probably a couple per week until the damned thing is repealed or struck down.

When will the DMCA start getting some media attention outside of /.?

When there are media outside of /. that aren't part of entertainment conglomerates that are pushing the use of the DMCA to "protect" their "content", or by conglomerates that also own proprietary software vendors who are using it to "protect" their software products from reverse engineering, exposure of security flaws, and/or competition.

The DMCA strikes down a lot of rights that many people hold near and dear. I don't know about the rest of /. readers but I [am] disgusted by the DMCA.

Your opinion is widely shared.

Duh...

Well, if you aren't even able to TALK about security flaws *Cough*First Amendment*Cough* they'll never get fixed. The DMCA again makes the net less secure instead of more.

Re:*cough* Clueless *cough*

actually, it does. Thats the point of a free press. An informed public is necessary to maintain ones freedoms, but i guess we already missed the "informed public" boat too early to avoid draconian laws like the DMCA anyhow.

Re:*cough* Clueless *cough*

It doesn't.

You are not allowed to shout "fire!" in a crowded theater.
You are not allowed to using "fighting words" (words intended to incite violence).
You are not allowed to threaten people.
You are not allowed to libel or slander people.
You are not allowed to be "obscene".

http://www.educause.edu/ir/library/html/cem9732.ht ml [educause.edu]

Re:*cough* Clueless *cough*

So which one of your examples is this? He's not yelling fire in a crowded theater... He originally tried to tell the company their theater was on fire, and when they refused to give a damn, he decided to tell the people inside the theater about the fire.

That's when they Cease and Desisted him, and told him that the burning theater was their little secret.

Personally, I'd wanna know, but hey, I'm obviously not normal. Stay asleep if you want, everybody. It's still a free country - but you better check back with me tomorrow just in case.

----
www.whatreallyhappened.com is interesting.

Re:Duh...

Ummm, no. If Neo-nazis can parade down the street, hate-mongers can publish their diatribes, crosses can be burnt, and flags defecated on then by God the first amendment should protect academic discussion on security holes and their implications. Teaching someone how to pick a lock is not the same as breaking into Ft. Knox.

Re:Duh...

Actually, the US Supreme Court recently ruled that cross burning is, in fact, illegal [suntimes.com].

But the supporting opinions agreed that it should be illegal because it is a form of intimidation, and I don't think anybody believes that a presentation on the security flaws of a popular transaction system is intimidating...just dangerous to a certain corporation.

Re:Duh...

Actually, IIRC, the article doesn't quite state the facts clearly. The supreme court was split in that it supported one case and returned the other to the lower court. It ruled that the two men who got drunk and burned a cross on their [black] neighbor's lawn did so for the purposes of intimidation and that this was not a protected form a speech. (see for example their recent ruling on the illegality of the anti-abortion websites posting "wanted" ads of abortion doctors.).

They did, however, uphold the right of the KKK to burn the large 30' cross as a form of protected speech (i.e. political, without an immediate threat of harm or intimidation). It was for this reason that Thomas dissented - his comments indicated that the history of cross-burning is such that there is never a time when cross-burning is not meant to intimidate.

So to return to the question at hand, the Supreme Court has clearly, multiple times, made a distinction between types of speech and that some are protected and others aren't. Regardless of the first amendment, you can't make threats on the life of the president (no matter how much of a ditz he is). Similarly, you can't give away state secrets. No matter how inane or ludicrous the DMCA is, there is a long precedent for restricting certain types of speech. (So the question of its constitutionality is not one that is easily answered.)

Re:Duh...

I'm a law student, but this is NOT legal advice.

Assuming that Blackboard's security has a flaw, then the first amendment protects your right to say Blackboard's security system has a flaw in it.

The first amendment might protect your ability to talk about the flaw in general terms.

The first amendment does not protect your ability to instruct people about the precise details of the flaw and how to exploit it.

The difference? Saying there's a flaw is beneficial because then the company knows and can fix it. Saying how the flaw works and how to exploit it facilitates criminal activity.

Tell a kid that the kid who made fun of him is an idiot and someday he'll die lonely and maybe you'll have made him feel better.

Tell the kid that if he takes the gun on the table, points it at that other kid who made fun of him, and pulls the trigger that the other kid won't make fun of him anymore and you'll land yourself in jail.

In both instances you're talking about speech. See the difference?

And btw, picking a lock almost inherently involves tools. Possession of tools for picking a lock is a crime in most places if you're not a locksmith. Go ahead and ask a lawyer.

silly response

oh good, possible security hole found in card readers

solution1) talk about it and develop a fix
solution2) send cease and decist letters to people who could possibly fix the issue, and rely on security through obscurity

solution2 seems kinda silly to me..

Re:silly response

Hmmm, they had better go with option 1.

Given solution 2, how about this scenario. While C&D is in force and no one is implementing a fix, all users of the systems still remain vulnerable. Someone else figures out how to fake the ID's, uses said fake to gain access to student's dormroom, and commits serious crime against student. Student's parents sue college, college FREAKS and looks to point a finger, original objects of C&D step forward with evidence that security company was informed of the problem and offered help with a solution. College and student's parents sue security company into non-existence.

well

Pretty soon if will even be illegal to have this article posted since it relates to a story which relates to a specific technology that relates to reverse engineering of a product which relates etc etc - because some people don't know enough tech to be passing laws on it.

If a default remote control, garage door opener, et al provided the features the consumers :really: wanted there would be no need for me to go buy a universal remote. It's not the consumer's fault the original creator's product doesn't meet people's needs

I don't know if anyone else saw the >article [securityfocus.com] [securityfocus.com] about the student doing steganography work for his PhD - he's moving all his work offshore because he resides in Michigan and the super-dmca may make 'his whole academic career illegal' - depressing.

Re:well

Pretty soon if will even be illegal to have this article posted since it relates to a story which relates to a specific technology that relates to reverse engineering of a product which relates etc etc - because some people don't know enough tech to be passing laws on it.

Well, once again, this is a case where somebody got hit with a cease and desist. No government action, repeat, no government action was involved with this story whatsoever. A lawyer wrote a letter to a guy, the guy got scared, and chose to curb his own behavior rather than potentially fight the issue in court. (Only potentially, mind you, because the lawyers/company might not have even chosen to pursue the issue, or to involve the DMCA in their case.)

Yes, the possibility with getting slapped with a huge lawsuit and/or criminal charges is pretty scary. Somewhat scarier, on the other hand, is a society where people comply with the demands of other people even though those other people aren't really authorities at all.

Police states are pretty bad. Worse, IMHO, is a people governed by the Will of f*cking Landru...

Another BS Govt Move

Way to secure the flaw, lets just not talk about the flaws and arrest anyone who says otherwise.

The sky is Blue!!

DMCA Official " You must cease to call the sky blue, as it is in violation of what we have said before that the sky is infact not there"

Ostrich tactics

So, assuming that's not possible -- is the DMCA a viable tool to ensure security?

Of course not...the DMCA is a tool that allows companies to safely keep their heads in the sand. Here on Planet Earth, wrapping a towel around your head doesn't *really* make the Ravenous Bug-blatter Beast of Traal go away.

I know a little about this...

Our school uses blackboard, and last year the machines were shut down for a long time because students used methods to get free stuff out of the snack machines. And I'm not talking cracking a case or making a fake card either. It was really simple too, like swiping really fast after the transaction, if I remember right, and you could get a second item for free. Kinda scary.

Re:How do you know?

How did you find out that the system used was Blackboard?

Look for an AT&T or Blackboard logo on the devices that you swipe your ID through. (Soda machines, POS terminals, dining halls, copy machines...)

My university (University of Missouri) has TONS of these things. And most of them are totally unsecure. The RS-485 lines are there, ripe for the picking. I've seen many soda machines and copiers, many in low-traffic areas, simply plugged into an RJ11 jack in the wall with no conduit protecting it. It's ridiculous.

Re:I know a little about this...

The sentence "swiping really fast after the transaction" is a violation of the DMCA. Seriously.

Re:I know a little about this...

The sentence "The sentence "swiping really fast after the transaction" is a violation of the DMCA. Seriously." is also a violation of the DMCA.
Repeat ad infinitum.

obviously not

To answer the question "is the DMCA a viable tool to ensure security?"

Here's [bbc.co.uk] an article from the BBC [bbc.co.uk].

and here's a good presentation [treachery.net] from toorcon.

and lastly, this [itworld.com] is a good article from ITWorld.

Money

Cease and decist letters get written when someone threatens anothers money making schemes. To fix the problem costs money, to scare individual X into keeping their info to themselves is much cheaper.

What about this analogy

Say that a random person on the street finds a crack in a banks wall that allows intruders to get in, tack the cash, and run away. Should the person start holding seminars about how there's such a vulnerability, or should the person go tell the bank so it can fix it?

Initially, the later case seems like the thing to do. But what if the bank ignores you? Should someone be allowed to convey information about a problem with a system if the system controllers refuse to fix it? I'd still think not - it'd be one thing to state that there is a vulnerability, and that in good conscience could not state what the vulnerability is, and quite another thing to go explaining the vulnerability to everyone else.

Just my 2 cents, and as always, there's probably more to the story.

F-bacher

Re:What about this analogy

or should the person go tell the bank so it can fix it?

They DID try to tell the company, and were "blown off".

But what if the bank ignores you? Should someone be allowed to convey information about a problem with a system if the system controllers refuse to fix it? I'd still think not - it'd be one thing to state that there is a vulnerability, and that in good conscience could not state what the vulnerability is, and quite another thing to go explaining the vulnerability to everyone else.

This is something compuer security has had to deal with for quite some time. The normal ethical guidelines are to first contact the vendor and attempt to work with them to find a solution, and release the information once the vulnerability is corrected. If they either ignore it or fail to correct the problem in a reasonable time frame, the consensus is to take the problem to the security experts and users of the security system generally. This is based on the theory that criminals may already have such knowledge, and therefore the users need to know in order to protect themselves.

Hope that helps with your question.

Re:What about this analogy

I actually had something like this happen once. I went to a drive-up ATM at a bank I once used, and the machine was literally unlocked - there was a sort of swing-door arrangement where the whole ATM would open on a hinge sort of like some switch stacks do, and it was broken open. I decided not to stick my card in the machine and instead drove away to a payphone and called the bank.

Amazingly, the people on the other end gave me attitude when I called to tell them that their ATM was broken open - the attitude switched between "it's not my problem" and "you must have done it." At no time did I believe that they were actually going to do anything about it.

Two months later, when I was back in that town, I went to the same ATM, and the lock was still jimmied - it was closed, but obviously broken so that it would be a matter of prying with a screwdriver to open it again. I guess a couple of thousand bucks in cash and whatever private details can be gleaned from endorsed checks and deposit slips are unimportant to bancs of, um America.

Is this SLAPP?

Considering the nature of the security flaws and that they are now exposed, can this legal action against Virgil be challenged under SLAPP clauses?

Companies hurting themselves

You know a C&D letter may stop people from disclosing exploits, but will not stop people from disclosing that their are exploits. That's enough for lots of poor, enterprising college students.

A much better plan would of been to let these guys give their talk, to hire them, fix the problems, and them make a bundle in upgrades to existing customers. Come on, if some of these installations are 20 years old we're not talking much more then maintenance revenue. On the other hand system upgrades, especially when demanded by parents, can net a pretty penny. The colleges could have fund drives, hit up alumni societies, all the normal ways to get money when something unexpected walks through the door.

Instead the company gets to look like a fool that knows there are security flaws, aren't fixing them and instead are wasting money on laywers, get getting bad press.

Oh well, I guess there is no such thing as bad press. And that companies would rather think about prestige short term then a better product long term, even if the better product will get them more money.

=Blue(23)

it's over

Time to stop being a geek. I'm getting my pencils and paper back out, doing RPGs that way, and selling off my 7 or 8 computers.

I can see the writing on the wall just as easily as anyone else. The joy that I got out of these marvelous toys just isn't worth it anymore. It used to be liberating, now it's just torturous. I can think of dozens of ways to get thrown in prison just by playing around with my system at night after work. Tinkering and exploring are forbidden. I'd rather be an insurance guy or something similarly boring then spending part of my life in a 4x6 cell, or even living in fear of same.

Just proof once again that anytime government gets involved with anything, it sucks all the fun out of it. All in the name of equity and greater corporate profits.

Is this the most correct channel?

Surely Acidus and his colleagues informed the Universities about this before they went public with this information. That is of course the most effective way to get the system to change. . . Imagine inviting the Dean of Purchasing and Procurement to a Coke and a Apple pie on campus and using a facsimile of his id and account to pay for it. Or even more fun - - getting a sweet new laptop at the bookstore with a hyper-inflated account balance. Most certainly then Blackboard would think about upgrading their machines. Announcing that you are going to circumvent their digitally encrypted system in public, no less, simply gave Blackboard a way to facilitate their illegitimate hardware and polices and making it legitimate under the cover of an unjust law.

As my good old Uncle Scrooge always said: Work Smarrrrrterrrr not harrrrrderrrrr

Tried that, went to jail.

Actually, someone tried that already. He ended up in jail.

In 1997, after four years of research, a French cryptographer, Serge Humpich, found a flaw in the widely used French smart card, which requires owners to type a PIN on a payment terminal for all credit card and ATM transactions. He found that 1.the PIN was verified by the chip on the card, 2. some terminals didn't really check what chip they were talking to, and 3. If the chip told the terminal "yes, the PIN is right", the terminal would blindly accept the confirmation and allow the transaction. Such a card is called a "yes-card"

Humpich contacted the Carte Bleue consortium, an association of 200 banks managing the French smart cards, and told them about the flaw. They refused to believe him. So he made a yes-card out of spare parts and went to a Parisian metro station. There, he bought a few metro tickets and send them, along with the payment receipt, to the Carte Bleue people. They immediately contacted the police.

Humpich was arrested in September 1999 and jailed for several months. In 2000, he was given a suspended 10-month jail sentence and a $2600 fine. All his equipment and documentation was confiscated. Now he has a criminal indictment that bars him from a number of jobs.

Of course, the French and US laws are different. But if anything, I suspect a US court will actually be harsher, especially now that the DMCA has been used in several precedents. Heck, the DMCA makes it almost mandatory to jail you if you figure out a way to program your VCR without reading the obviously encrypted documentation!

So I really don't think it's a good idea to show the problem exists. Blackboard knows, the people who selected them as a supplier know, and if you show them that they're effectively slobs, they'll crush you to cover their asses.

-- SysKoll

Stupid. Typical.

If guns are outlawed, only outlaws will have guns.

If hacking is outlawed (and talking about it), only outlaws will know how to hack.

So who do you get to sue if someone makes a dupe of your ID card and raids your campus debit account, or breaks into your dorm room? The school? The hacker? The company that sold the school the lame ID system they claim is secure but is not?

I would think the schools would like to know why sodas, meals, etc. are disappearing from their supplies. Hmmm.... This Coke machine is empty, but only 5 Cokes were recorded to be bought from it. Hmmm...

This is the worst kind of security through obscurity.

- Jasen.

my experience with it...

After I left the Ohio State dorms in 1998 (I'm still a student) the university started to put card readers on the dorm entrances (up to that time either you had a key that opened both your dorm room and the main entrance, or you had two separate keys if you lived in a really big dorm.)

It does offer some advantages, for instance, all people could be allowed into the dorms at some parts of the day, but other times of the day only people who live in that dorm could gain entry.

Though there are some interesting caveats

*the first one, which I didn't really know well at the time, is the fact that making a copy of the card is far easier than making a copy of the key. Remagnetizing magnetic stripes is not the hardest thing in the world.

*the campuswide system runs off of ethernet to the AT&T9000 computer which administers everything. If a particular door gets disconnected with the central computer, it's default setting is to pretend like everything is normal, and let everyone in, and it has a cache of swipes which it would then transmit back to the central computer when the connection was restored. That seems like a sensible kludge given the circumstances, given a network failure it would be more sensible to allow all in as opposed to all out, especially at a dorm. (Higher security places would have their door failure mode set to allow no one.) On the other hand, as a security concept, it just bugged me. (this is explained in the powerpoint presentations.)

*my big concern at the time was the tracking and auditing abilities, and it still is. the key system had no tracking and auditing. The swipe system allowed the university to keep a record of when students come into the building (and implicitly, when they go.) I pointed out that Ohio law prohibited a government institution from collecting information which were not authorized by law, nor required to achieve a particular purpose...and that the system need not perform the tracking, it only needed to perform the authorization.

The response I got was that the system was not designed with a zero tracking/auditing setting, it needed to perform tracking and auditing as part of its authentication mechanism. I pointed out that I can't help that the university bought a dumbass product, and I threatened to sue them, but I was young, and I threatened to sue everyone. :-)

I got a letter from the university lawyers saying "While we ourselves certainly hope never to need the archived data -- and, fortunately, rarely do -- it can be of unquestionable value in
investigating incidents in the residence halls. It is for this very reason that similar systems are in use at numerous colleges and universities
around the country."

I've however pointed out that any idiot who was gonna do something in the dorms would do what everyone else does, and that is follow someone who swiped before you, and not swipe themselves.

I still hope to work on this issue at some point. :-)

I have a OneCard

I'm a student at the University of Alberta [ualberta.ca], and I have one of these OneCards.

There are various machines around that let you deposit money onto your OneCard, but there is no "university-approved network" of stores that accept the OneCard as payment.

The OneCard is primarily used for borrowing books from the library, and for operating the photocopiers/printers on campus, and there is exactly one vending machine on campus that allows you to pay with your OneCard.

As for people living in residence who have meal plans (like me), there's a separate card for that, provided by Aramark [aramark.com]. To get into our dorms, we have keys. Laundry is coin-operated. The OneCard has absolutely nothing to do with the on-campus residences.

For most finals and midterms, we're required to show our onecards and/or driver's licenses as photo ID, but the OneCards aren't swiped through a card reader or anything, it's just photo ID, nothing more.

There are restricted areas on campus that you can access by swiping your OneCard and punching in a secret code, but as a first year undergrad, I don't have access to any of those places so I can't say what it's like (though for most of the places that aren't top-secret nuclear research facilities, it's almost trivially easy to get in by walking in when somebody else walks out -- we're friendly here in Canada, generally we hold the door open for people we don't know).

So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?

Gee, I dunno. This is Canada, there is no DMCA here (as far as I know, anyway). Hopefully some Canadian security researcher will hear about this, and continue the research here...

DMCA=Gun Control=Thought Control

So.

Instead of fixing the exploit in their keycard system, the company in question finds it easier to have their lawyers drop a house on the students.

Doesn't "Security through Obscurity" create an environment where persons with malicious intent are free to exercise it?

The students discovering the security hole = The Good Guys. The knowledge they posses equal a Munition (or, a firearm.) They were not planning to use their knowledge maliciously.

Essentially the DMCA has turned knowledge into a weapon to be regulated through the legal system. Just be careful what you know, because speaking of it publicly is becoming the 21st century equivalent of pulling a gun out of your pocket at the mall to discuss it's function with another gun enthusiast.

Of course, we all know the gun paradox. Seriously. Increasingly orwellian gun laws !=less crime. Criminals will always find weapons. On the electronic mean streats, crackers & hackers will always find exploits, but unlike the Good Guys, the Bad Guys won't go to a symposium to divulge the PROBLEM, embarassing the company into FIXING IT. Instead, the Bad Guys will EXPLOIT the FUCK OUT OF IT.

I'm not a philosopher, psychologist, ethicist or sociologist by profession, but perhaps the DMCA needs to be re-evaluated by a panel consisting of a few. Right now it seems to favor only the government and very, very large corporations. Oh, and it makes learning a criminal act.

Do you have a permit for your mind?

False advertising?

IANAL, but could someone sue the company for false advertising? If they say their product is safe and secure, but you feel it isn't and you are a user, then shouldn't your be able to bring a case against them? At that point, you have to present evidence for your claim and (assuming the court records aren't sealed) the exploit becomes public record.

Trade secrets and the Economic Espionage Act

The Economic Espionage Act of 1996 [cybercrime.gov] is worth reading. It's overly broad, and its definition of trade secrets is broader than that of the Uniform Trade Secrets Act.

Trade secrets used to be frowned upon by the law. Patents were legally preferable, so that when the patent expired, the knowledge went into the public domain. A trade secret could be lost easily; any publication by anybody erased trade secret status. All trade secret law really did was to put some teeth into confidentiality requirements for employees. It didn't affect outsiders.

All that has changed in the last decade. Between the Economic Espionage Act, the DMCA, and several court rulings, trade secrets now look more like property rights.

DMCA isn't about security

So, assuming that's not possible -- is the DMCA a viable tool to ensure security?

The DMCA isn't about secruity--it's about copyright. Read the DMCA [copyright.gov], also known as Chapter 12 of Title 17, USC, and decide for yourself.

IMO, the law should either be moved to a general security law, or it shouldn't be interpreted to cover anything except the aiding and abeiting of real anti-copyright infringment sale aid--that is, unless a device is intended to protect a document that's transmitted / broadcast, the DMCA shouldn't touch it.

Then again, these are new positions for me--reply and you might change me again.

DMCA how?

Anyone know what the copyrighted content that is protected by this technological measure, could possibly be?

If it's something within the school, then the makers of the system wouldn't really have a DMCA complaint against researchers; the school (user of the blackboard product) would. (Just as MPAA, not DVDCCA, are the ones who had DMCA complaints when knowledge of bypassing CSS got out. It's the copyright holder of content who gets to use DMCA, not the inventor of a protection mechanism.)

Assuming the blackboard lawyers actually see a way to use DMCA and aren't just trying to intimidate (hell of an assumption), then the copyrighed content must be some artistic expression within the Blackboard system itself, rather than something the system is intended to protect.

If the copyrighted expression turns out to just be the serial number on a card, or something like that, then that would be very (*cough*) interesting.

Patent your exploits

The only sane thing to do is to patent your exploits before you announce them. :)

Then you have precedence for publishing them, or you just point to the online patent info.

As a bonus, you can sue the companies that fix the holes you're supporting because they've broken that "shall circumvent a technological measure that effectively controls access to a work" line. After all, your exploit controls access, right? Opening a door is controlling access as much as locking it is.

I presume Blackboard is a technical company?

Reading through the C&D letter, I have to wonder who approved it from Blackboard's perspective and if anybody technical thought through what may be the result of it is.

There sounds like there is enough information in the letter so that somebody that knows what a 75176 is (I would disagree with the assertions in the paper about RS-485's obscurity), can program a PIC or an 8051 and can use an oscilloscope can reproduce the work done by Messrs. Griffith and Hoffman. Along with this it sounds like the readers are connected to standard cabling via standard connectors.

So, the result I would expect from this letter is, 1) it will be put on the Internet for all to read, 2) boxes throughout the different colleges and universities that use the system will be pulled out of walls and vending machines with many of them stolen or vandalized to see what's actually inside them, next 3) The protocol and hardware will be distributed on a variety of web sites (probably ending with .ru or .iq) and finally 4) Blackboard's reps get innundated with phone calls, emails and letters complaining that their system is not secure.

This begs the question on what Blackboard should have done. (next reply).

myke

Slack-ass bastards!

This past week, one of the first comments to be modded up as funny is someone claiming to be the Iraqi information minister.

Now, they could have said something like, "There are no holes in the BuzzCard system, and we have repelled the elitist satan dogs who have attempted to break its security!" and it would have finally been funny!

-JDF

College students

There are 2 things geeks in college have in abundance: free time and the want to break things. Now that every geek with a heartbeat and a B0x0rz knows there IS a flaw in this card system then they can go ahead and track it down on their own. Free access to EE labs is a beautiful thing. Let's wait and see how long it takes before they are ripped off to the tune of a couple million dollars.

How can I tell if I'm vulnerable?

I go to Cornell University. I have one ID card that swipes *everything*. Access to dorm hall. Attendance count at mandatory lectures. Meal plan. Laundry account. Snack/soda machines. Credit card.

Some people have been asking "what 'University approved network'" in other posts. At least here, we've got an account tied to our cards called "city bucks" that lets us spend a declining balance at local off-campus restaurants, and I think a couple supermarkets too. While City Bucks is Cornell-specific, I'm sure other universities have similar things.

I think there are other accounts too, but I forget them. The point is, I'd like to know if I should complain to someone in administration.

Anyway, we have a server with the Blackboard Courseware website software on it, but that doesn't mean we've got their card system too.. but how can I tell if we do use their card swiping system? (There isn't a logo on my card that would identify it as any particular brand.)

Buzzcards

We use Buzzcards here at Georgia Tech. It's been the experience of me and most people I know that the cards are only used for laundry, dining hall meals, and admission to athletic events and facilities. This is the first I've heard of any flaws in the reader system, but to be honest I don't think it affects people too much. There doesn't seem to be many places for students to put money on a Buzzcard, and when someone does, it's usually just enough to do wash their clothes this week and maybe get some snacks from the food court. I just don't see it as being a big issue.

That being said, I don't think that threatening these folks with the DMCA and acting like the situation doesn't exist is the best possible way to make things safer. Hopefully situations like this can help get part or all of that legislation thrown out.

Doesn't the DMCA have exemptions for this?

If I recall, the RIAA/MPAA cartel tried the same shit on Dr. Felton didn't they? Then they dropped it when he cancelled his talk and sued them. That went to court and the judge threw it out claiming "No harm done". It seems to me that I see a pattern happening here. Big companies are abusing the DMCA by threatening to sue, which clearly abuses the Educatuional exception that Congress put into the DMCA. Then, once the talk is cancelled, they say: "OOPS! we goofed...we were never planning to sue you!" THEN the court agrees with them. The problem is this is a variant of the "shoot, ready, aim" philosophy. This stuff they're pulling is a dangerous incursion into free speech....but then again, free speech means NOTHING in the Post 911 Bush dictatorship!

Why did they desist?

Seriously. If these people felt so strongly about the flaws in this system to hold a public seminar on it, why did they backdown when they got a letter? They should have held the seminar anyways. They might go to jail, but think of what they could accomplish.

1) Get the information they wanted presented to the public.

2) Get media attention

3) Bring the insanity of the DMCA to the courts.

free printing

We had the Onecard system at my school. Best hack we found was with the printing system. Insert a card with $30 on it in the machine toy print for $0.10 say this is my print job, wait for it to read amount on card. take out the card and put in a card with $0 on it. hit yes to print. $29.90 will be wrote to the card. Everyone I knew had $100 on the card in no time once we "borrowed" a profs card. We also got to print at half price by taking a copy of his card.

People also spent time sniffing the one card network, but as far as I know no one had found anything interesting yet. this was 4 years ago, so I'd assume the entire thing is solved by now.

using DMCA to hide problem: easier than fixing it

Reminds me of an episode in "Surely You're Joking, Mr. Feynman!": Adventures of a Curious Character. Richard Feynman pointed out problems with security of file cabinets containing secret documents at Los Alamos. The "solution" to the problem? Easy! Keep Feynman away from the cabinets!

embarassment & consequences

As a US citizen, I'm depressed (I should be outraged) at this sad state of affairs. However in-your-face this particular presentation was to be, the stated goal was to expose the flaws of the system through hand-on research & controlled experimentation. Research. It was NOT to distribute hacking tools for actual implementation to facilitate illegal or illicit purposes. But ballsy kids in an academic environment who want to improve the technology and processes that surround them? They're stymied by corporate protecionism ensconsed in federal law. That's sad. It's wrong, immoral, and ultimately ineffectual. But the real tragedy is that it depresses the level of creativity in academia and creates fear for those that think too hard.

As a security professional, the fact that any cheeseball company can successfully hide their shoddy product behind a federal law is an embarassment. It induces even more cognitive dissonance when I work with federal and state goverment security staff who are well aware of good security principles, and then think about laws such as the DMCA which are diametrically opposed to known-good principles of improving security technology and processes.

It's a lose-lose proposition: News of an exploit always gets out, and is propogated fastest within the community which has little fear of the DMCA. But invocation of the DMCA causes relatively-innocent people -- those that were willing to stand up and state their names -- to tremble and retreat. As I said: it's wrong, immoral, and ultimately ineffectual. I spend my days educating people about the dangers of security by obscurity, and exposing the risks associated with snake-oil solutions such as Blackboard's "secure" transactions. I'm doing my part to educate as many people as I can, but with Grand Moff Ashcroft at the legal helm of the country (and with US federal/foreign policy changed to match the prosecutorial principles of "pre-crime"), I'm afraid it's like spitting into the Mojave.

The first time that some predator clones the card of a victim (or a patsy) in order to gain access to a building and rape/murder someone, I wonder... Will the appropriate law enforcement be able to effectively investigate/prosecute such a crime if the computing research community is prohibited from supporting them? Would Blackboard be content to sit on known security flaws and let a patsy get convicted? Again: wrong, immoral, and ultimately ineffectual. It ought to be illegal to *withhold* security flaws, at least from those who depend on/are subject to them. Feh.

J

DMCA vs Common Sense

The first time someone uses the exploit to commit a rape or murder, the kneejerk reaction of the corportation will be to point at the students who knew the exploit and told officials about it as the scapegoats.

"They told us that we didn't leave our door locked, since naturally it was intrusive to check our door to see if it was locked (even though it affected the security of the people telling us) we told the students to scram and forbid them to tell anyone that our doors were open. Unfortunately yesterday we had a sad epsiode on campus where someone entered through our unlocked doors and commited a heinous crime, sadly the conclusion to be derived from this is definite - those infiltrators that went checking our doors must have relayed the information to their despicable accomplices. The University declines any assumption of guilt or failure of any kind. Thank you."

Face it, people suck and they don't ever stop sucking. The world is run by imbeciles to protect imbeciles, and the intelligent are their favorite food group unless they are creating more ways to create morons or joining the pack in their cannabilistic orgy of idiocy.

Restraining Order

I must be missing something. Has a lawyer sent them a cease and desist letter? Or has a restraining order been granted against them by a court?

Because, all the links point to a cease and desist letter, which are as cheap as lawsuits in the United States. Any schmoe can send a cease and desist letter. Hell, I could send CmdrTaco a letter claming that the space aliens he keeps in his laundry hamper are interfering with the workings of my tin-foil reflector beanie. You certainly don't have to do what the cease and desist letter tells you to do, any more than I have to follow instructions from the little voices in my head. Sometimes the little voices in my head give me good practical advice, like "change your socks." But you would be a fool to follow the advice of either the voices in my head or a random lawyer's cease and desist letter without question.

But, I understand a restraining order as an entirely different thing. A restraining is handed out by a court, and unless you're fond of the inside of jail cells you would be well advised to follow it to the letter.

So, did these people actually get a restraining order against them? Or is this just another badly misleading slashdot article?

2600 Magazine

There was an article in 2600 about 4 issues ago that had complete details on this system I believe, and how to hack into it.

If I can remember which issue it was I'll post it here. If anyone else remembers, feel free to remind me. I remember though it basically showed how with no effort the system can be cracked.

** To avoid DMCA lawsuits, etc. I did not write this article or am involved with it's creation whatsoever. **

Spend your meal card cash on Beer!

Maybe readers who go to schools that use such a system can expand on how that system is used.

At my school, the recently mentioned [slashdot.org] McMaster University [mcmaster.ca], our residence meal plan could be used at local restaurants which had a deal with the Univerisity, like East Side Marios, Pizza Hut, and equivalent places.

Thing was, while they were mainly restaurants, some of these restaurants had bars in them, and we found early on that the system did not discriminate between what one ordered from these places.

So basically, one could use mommy and daddy's meal plan money. I think they eliminated this loophole since my first year, but it was good(by which I mean very very bad) while it lasted :)

Blackboard Follies

I go to a school in the northeast that relies heavily on Blackboard. (I also work computing support here, so I know what a pain it is on the backend, but I digress.)

Oddly enough...I had a discussion about this with a CS prof a while back. Turns out he and another tenured prof figured out how to make all the vending machines (which are on the card) spit out free stuff by using a card with purposely malformed data.

This worked so well that the machines would dispense free stuff until somebody came along and unplugged/restarted them...

But anyway, if Blackboard wants to, two highly respected, published CS profs could be prosecuted under the DMCA.

Another problem popped up a couple years ago that never became common knowledge: if your account balance was between 0 and $0.05, you could buy as much as you wanted, and your balance would never change. I'm not sure if that was a Blackboard bug or something else we did here.

Another one of those through-the-grapevine stories that I suspect is true--the host "machines", whatever they are, for the locks operated by these cards communicate via TCP/IP with a central server. Last year a CS student figured this out and started sending a variety of packets at one of the hosts, crashed it, and summarily locked 200 students out of their dorm.

Ah, Blackboard, how I love thee.

And I've just committed multiple crimes under the DMCA, I believe...

ID Card "Security" at UCLA

I was a member of the UCLA Grad. student gov't (GSA) at a time when the Admin. sent out a mass email to all students in blocks of about 200 students at a time which included in the CC section of the email, the email address and Registration ID numbers of the recipient and 200 other students. By collating a few dozen such emails I and other GSA members were able to obtain ID #'s for over 3,000 unique students.

After we went public, the admin. apologized, but said this was not a security risk because each student's account was protected by not only that 9 digit (now public) number but also a 4 digit numerical password. This didn't make me feel very secure. The ID + passwd combination was used to add/drop classes, find out grades, administer financial aid, etc.

The cards themselves were made by AT and T; you could put money on them over the web using your credit card, then buy food, etc.

It's pretty much the same system used in arcades

Most of the card reader systems used in arcades (a-la Dave/Busters, Gattitown, et al) use a RS-485 network as well.

When these units need to be repaired, they are plugged into a "dumb server". This server basically takes ANY card input, and sends back an "OK" to the reader to allow it to start up a game.

The only critical knowledge needed is the location/site ID code the reader is setup for, and (obviously) the format that particular manufacturer/provider uses for their network.

I can't imagine it would be difficult at all to do the same thing for a coke machine, or any other device, on a CampusWide Network.

- litz

Contact the Lawyer.

here's the contact info for the lawyer who sent the cease and desist letter.

http://www.sablaw.com/profiles/bio.asp?ID=000032 25 1170

This was in my fortune today

"A commercial, and in some respects a social, doubt has been started within the
last year or two, whether or not it is right to discuss so openly the security
or insecurity of locks. Many well-meaning persons suppose that the discus-
sion respecting the means for baffling the supposed safety of locks offers a
premium for dishonesty, by showing others how to be dishonest. This is a fal-
lacy. Rogues are very keen in their profession, and already know much more
than we can teach them respecting their several kinds of roguery. Rogues knew
a good deal about lockpicking long before locksmiths discussed it among them-
selves, as they have lately done. If a lock -- let it have been made in what-
ever country, or by whatever maker -- is not so inviolable as it has hitherto
been deemed to be, surely it is in the interest of *honest* persons to know
this fact, because the *dishonest* are tolerably certain to be the first to
apply the knowledge practically; and the spread of knowledge is necessary to
give fair play to those who might suffer by ignorance. It cannot be too ear-
nestly urged, that an acquaintance with real facts will, in the end, be better
for all parties."

-- Charles Tomlinson's Rudimentary Treatise on the Construction of Locks,
published around 1850

Re:God this world blows...

God this world blows... why does the world have to suck so much? i mean it; any serious thoughts?

Hey, don't blame me. I set you up in a nice garden, and you had to listen to that stupid snake.
-----
g0d

Re:You Americans should have another civil war..

If you look at the history of America, these problems get solved after a while. The reason you don't see people marching in the streets is because nobody's life depends on it. Matters of copyright and other such things may take years to be straightened out, but it happens, no death necessary.

Just recently there have been proposals to amend the DMCA to add some public rights to the equation. They might go somewhere, they might not, but a stable democracy is dependant on changes NOT happening a breakneck speeds.

Nothing works itself out

If you look at the history of America, these problems get solved after a while. The reason you don't see people marching in the streets is because nobody's life depends on it. Matters of copyright and other such things may take years to be straightened out, but it happens, no death necessary.

The reason "those problems got solved" is because a lot of people made a big deal about them. Had someone convinced them not to sweat over it, we'd probably still be living with those problems.

That's the ultimate flaw in the "everything'll work out" motif. Nothing works itself out, and that sort of attitude just hinders the process.

Re:Another way to go about this?

Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").

And you know very well that this is not the first time this sort of thing has happened.

Re:Another way to go about this?

This is a snippet from Acidus' old website. It relates the timeline of events. I hope you enjoy.

Sorry for posting AC but since this does come from Acidus' website ....

Spring 2001 - I got interested in the Buzzcard network on Campus. Based on the AT&T logo, I went to the Internet and soon found out about the system. Lots of Web research done, and fieldwork on the connection between the device and the reader. Locked Cabinet with Multiplexes was opened and photo was taken of insides. Determined which wires to cross to make doors open, laundry machines get credited, etc.

Summer 2001 - Continued exploring the system, called the company (now Blackboard), and interviewed Jim Resing.

Fall 2001 - With Publishing of my Fortres article, increased last minute field research, and finalized my notes. Called Blackboard again to tell them all the flaws I found, was blown off.

Spring 2002 - Wrote Article, and was published in Spring 2002 issue of 2600.

6/2002 - Blackboard learned of my article. The Blackboard Usergroup tried to track me down; finally figuring out I went to Tech, saw my web page and was very upset. Concerns about how accurate my article was are posted by schools around the country to the list-serve. GT tells the list-serve that they are looking into it and they would reply again soon.

GT Police asks to speak to me to determine if crime was committed. GT Police never file charges and indeed I am told there is no long an investigation. Buzzcard Office conducts internal audit of their systems. I go to Buzzcard office unsolicited to try and assist them in securing their system. They were not happy to see me. Office of Information Technology (OIT) on campus starts a test of the Buzzcard system to see if any of the attacks described in article are valid.

Buzzcard office asks that I remove picture of inside of the locked cabinet from my web page (since its hosted on GT machines), which I did. Buzzcard center asks me to remove AT&T cached pages, which I refuse to do. (Its not theirs, if AT&T wants it down, they can ask me).

Buzzcard office reluctant to talk with my about my article, since they don't want to confirm or deny how accurate I was. They do confirm the VTS could be hacked and money can be added to any accounts as I describe. However parts of my article (namely how to clone a card through the VTS), are, they claim incorrect. They ask if I would write a letter for the list-serve that explains what parts were incorrect. I agree as long as my letter will be unedited, and I get to also stress what parts are accurate to let colleges learn what they need to secure. Buzzcard office agrees but continues to cancel my meetings with them and not return phone calls. I am contacted by several colleges that are on the list-serve. They tell me that Tech has all along been posting that they have interviewed me, that my article is totally false. Tech uses such loaded statements as "As any experienced administrator should know, these security holes are not possible." These colleges are concerned Tech is not being truthful, and want to talk to me. I see that the Buzzcard center was stringing me along, and cease my attempts to contact them, or help them fix their pathetic security.

OIT concludes their investigation, and confirm that everything in my article is correct, except about how to clone a card. Tech does not post these results to the list-serv.

Dean of Students is involved, and is checking to see if, while no laws were broken, if I broke institute policy.

Re:God this world blows...

Money and power: these two increasingly interchangeable qualities sum it up.

Every year more money is spent on political campaigns in the USA. Money, in other words, is an essential requirement for securing election in the USA. The result? Well, look at the percentage of millionaires in Congress versus the general population (http://www.opensecrets.org/pubs/law_wp/wealth06.h tm) - hmm, quite a disparity. there. Now, do we WANT to be led by wealthy individuals? Can we expect them to represent us, as opposed to the tiny percentage of the general population they represent in terms of individual wealth? Of course not. We're trapped in a system where wealth can purchase attention, where wealth is a necessary precursor to a serious bid for winning political power. Anyone who denies this is either a witless dupe or is pushing one of the wealth driven political agendas (hint: there are two of them, brought to you by the letter R and the letter D).

So, what can we expect the actions of power driven and facilitated by wealth to do? We can expect it to act on behalf of the wealthy and the systems that support them. So why should we experience any surprise when this is exactly what happens?

The DMCA, for example, represents a simple transaction in this political economy. Intellectual property creates value. Value can be converted into money. The more control people are able to exert over intellectual property, the less it's potential value can be harnessed by its owners to create wealth. It may be true that further restriction of access to intellectual property may impair the absolute value that can be derived from a given pool intellectual property. To those who value intellectual property solely or primarily for the wealth it can generate, this is immaterial. So, the groups that represent the greatest centralized pools of wealth generated by intellectual property transact some of that wealth into political power (by supporting representatives directly and by buying the louder voice on capital hill through lobbyists, by controlling large parts of the media and keeping the issue a non-story in most conventional news outlets, etc.). So, the legislation is passed, and these are the consequences.

In a rational economic system, the bottom line for a product like Blackboard's swipe cards would be how well they work and security would be part of that. But Blackboard isn't going to think that way - they are thinking about covering their asses and squeezing as much money out of their property as they can and security be damned.

Without appropriate protections and controls in place to level the playing field where money is concerned, in a context where wealth and power are more and more easily interchanged, it's easy to see that the worse it gets the worse it will get, becuase the very systems we expect to protect us from the undue influence of wealth are themselves increasingly corrupted by wealth, and like a compromised immune system, the more those sytems are corrupted the more curruptible they become.

As long as people accept the side a/side b black and white polarized view they are provided by the respective representatives of sides a and b - that is to say, as long as the primary beneficiaries of the current system are allowed to define the dialogue within their own terms - it will never get better. If you're still voting democrat cause you're scared of them war mongering, civil rights destroying, business loving loonies or republican because you're scared of those tax and spend, victim culture gun banning freaks, then you are manifestly part of the problem.