Slashdot Log In
Blackboard Campus IDs: Security Thru Cease & Desist
from the cease-and-desist dept.
Virgil was there two years ago when Dmitri Sklyarov was arrested and led away in handcuffs at Def Con 9. He's not in handcuffs now, but in speaking to me, he had to stop and think about everything he said, and every third answer was "I really shouldn't talk about that."
The DMCA is largely to thank for that. Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work," and that no one "shall... offer to the public... any technology" to do so. Blackboard Inc., whose card system is called the Blackboard Transaction System and known to end users under various names, uses a network of card readers and a central server, and they communicate over RS-485 and Internet Protocol -- using, or so they apparently claim, measures that effectively control access.
For the record, none of what I learned about the Blackboard technology was from him or Acidus after the restraining order was sent. I spoke to other people, who have not been served with a restraining order. Google has a less enlightening mirror of the slide titles from this weekend's PowerPoint presentation and a more enlightening mirror of Acidus's "CampusWide FAQ" from last July. And, most enlightening of all, this mirror has an updated version with details on what they figured out how to do and what their talk was going to be about (click "CampusWide" for the text description, the PowerPoint slides, and Acidus's timeline of the last year).
At many schools, Blackboard's system is the ID: you swipe your card for your meal plan at the cafeteria, to get into your dorm, maybe even to get your final exam.
A swipe at a vending machine will get you a soda -- a money transaction from your campus debit account. When you use a swipe to do laundry and make copies, money has to be involved. Blackboard even notes that they can set up a merchant network on- and off-campus: "a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network." (Emphasis added. Maybe readers who go to schools that use such a system can expand on how that system is used.)
The kicker, of course, is that this network is not very secure, or at least Blackboard doesn't think it's as secure as... well, as lawyers. One anonymous Slashdot submitter wrote that: "The authentication system is so weak that [Virgil and Acidus] have been able to create a drop in replacement for the CampusWide network debit card readers used on coke machines on campus."
Virgil couldn't provide me any details about what he had learned about the system. Based on the mirrors, it looks like a man-in-the-middle replay attack -- which is a pretty simple attack, repeating messages sniffed over the RS-485 protocol, or even over IP -- can have effects like convincing a Coke machine to dispense free product. Or, it's claimed, the attacker can create a temporary card, with no name attached, and free money in its account. Hmmmmm.
Or, more ominously, someone else's identification might be sniffed, and then replayed from a security terminal. If a thief gained entrance to a building by sending the message "open the door, my name is John Doe," the real John Doe might be sorely inconvenienced the next morning.
So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?
If you're a parent putting money into a Blackboard-based debit account, do you feel more confident of its safety now that this information is ostensibly hidden?
This card system has been installed on many campuses and its roots go back almost twenty years. My guess is that replacing the card-reading hardware would be necessary to improve the security of these devices. Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").
So, assuming that's not possible -- is the DMCA a viable tool to ensure security?
P.S. Virgil tells me that he has a good lawyer. They are scheduled to argue on Thursday that the restraining order not be made permanent. Slashdot will keep you apprised of what happens in our Slashback stories... stay tuned.
P.P.S. Update: 04/15 02:30 GMT by J : Now online are the restraining order, which just lists the six things that Acidus and Virgil are not to do, and the more detailed Complaint. Now that these are available, as Declan McCullagh points out, it turns out the DMCA was only in the lawyers' threatening letter and not considered as part of the Complaint itself. I'm not sure why it would be included in the letter -- some of the language of the Georgia Computer Systems Protection Act is similar, and who knows, Section 1201 might be mentioned later on, as this case progresses. Maybe the lawyers are just keeping their options open. Meanwhile, I love this part of the Complaint:
"Mr. Hoffman openly acknowledges on his website that 'I am a hacker.' His website then defends the process of hacking. See Exhibit B."
Remember, Citizens (Score:5, Funny)
(http://slashdot.org/ | Last Journal: Sunday July 29, @04:31PM)
Re:No, it doesn't. (Score:4, Interesting)
Re:No, it doesn't. (Score:5, Insightful)
Re:No, it doesn't. (Score:5, Insightful)
Interesting, isn't it, in these days of terrorism paranoia, that laws like this ARE going to result in worse security ? Well worse security for the USA, relative to every other country in the world that doesn't (yet) have these sort of laws.
Re:No, it doesn't. (Score:5, Insightful)
(http://www.spotswood-computer.net/)
My thoughts exactly (for quite some time now). The true criminals won't care it's illegal. They will get and USE the information anyway, leaving someone else to take the blame. (Honest officer, it wasn't me who swiped the card to break into the dorm and rob people.) And since the system is <sarcasm> so secure</sarcasm>, who's going to believe the victim? Of course, defending yourself without access to the information that shows how insecure the system really is is going to be a <sarcasm>cake walk</sarcasm>.
It's been my experience (and looking at history, I'm not alone) that trying to ignore a problem (bring in the lawyers!) only makes it worse and more expensive. Sadly, common sense seems so uncommon nowadays.
Re:No, it doesn't. (Score:5, Insightful)
(http://slashdot.org/ | Last Journal: Thursday February 21 2002, @04:37PM)
but that doesn't mean you should have to respect that wish.
How many things only get better because someone talks to the press?
Re:No, it doesn't. (Score:5, Insightful)
you don't know police states (Score:5, Insightful)
Maybe that's how police states work in your native, ignorant, Hollywood view of the world. In real life, police states don't usually bother with beating people up--it's way too much effort--and it's not necessary. They control people through implicit and subtle threats to their liberty, livelihood, and privileges, as well as similar threats to their families. They only resort to force when people absolutely don't comply--but so does law enforcement everywhere.
You don't agree with the party line? Sorry, you or your kids can't go to college. You don't return from your trip abroad? Well, to compensate the state for your misdeeds, your home will be confiscated; too bad about your family. In some areas of US law enforcement, it's getting frighteningly close to that (drug seizures, computer seizures, etc.).
Police states aren't anarchies. They operate orderly and according to laws, they just happen to be laws that limit freedoms excessively. And it's very easy to move from the rule of law in a free society to the rule of law in a police state.
I say publish all the details overseas (Score:3, Interesting)
(http://slashdot.org/)
While this may be an inconvenience to students, they can get by without buying coke with a swipe of a card for a while.
Re:I say publish all the details overseas (Score:5, Insightful)
Re:I say publish all the details overseas (Score:5, Funny)
Ah, I've often shouted "POST IT ON USENET!" at the television screen whenever there's a movie or x-files/whatever episode where the hero is running away with the evidence/HotInfo trying to keep it from the Evil Conspirators.
They almost never do.
Re:I say publish all the details overseas (Score:5, Insightful)
Re:I say publish all the details overseas (Score:5, Insightful)
(http://mistersanity.blogspot.com/ | Last Journal: Tuesday May 29 2007, @04:42PM)
first place, no lawyer action would have had any effect at all.
The problem is, people[1] who find security flaws don't generally
*want* to post them to usenet: they want to work with the vendor
and the security community to get the problems _fixed_.
So here's the question: will these sorts of responses from vendors
force the security community into just giving up on all pretenses
of working with the vendor and just leaking everything to the
general public immediately upon discovery? That would be bad for
all concerned, but it might be better than being lawyered to death.
It's pretty easy to arrange to get something posted to usenet
with a reasonable degree of anonymity, and there's absolutely no
way to suppress anything that has been posted to a big-8 or alt
group, short of destroying the whole planet. But I don't think
I trust the security of a product whose vendor is sufficiently
uncooperative as to motivate a discoverer[1] of a vulnerability
to do things that way.
Maybe people who discover such vulnerabilities should discreetly
communicate everything they know to some third party overseas
first before doing anything else...? But you still have the
problem that if you try to work with the vendor they know who
you are and can laywer you, and you can be held responsible for
communicating the information to the third party.
Ah... but what if the original discoverer remained anonymous
and communicated to someone _else_ who would try to work with
the vendor, and if that failed the original discoverer or some
third party he communicates with could release the information
to the security community (and, in the process, the general
public)? This would be harder for the discoverer, who would
have to anonymously contact a trusted third party in the first
place whom he would have to trust to make a good-faith attempt
to work with the vendor. But if the vendor tried to laywer
the non-anonymous person, they'd run into "I just found out
from this here anonymous email and was trying to work with
you; this leak must have been perpetrated by the evil person
who circumvented your effective measure in the first place,
probably the same dude who sent this email, which seems to
have come to me from an evil open relay in southeast Asia,
one of the same ones the spammers use to send me special
offers for reduced-price copies of your products, which they're
probably pirating. Gosh, you should really go after those
open relays, they're all kinds of trouble."
[1] Security people, I mean. I'm not talking about blackhats.
Re:I say publish all the details overseas (Score:5, Insightful)
(http://slashdot.org/)
Re:I say publish all the details overseas (Score:5, Insightful)
(http://--/ | Last Journal: Monday December 09 2002, @05:12PM)
Re:I say publish all the details overseas (Score:5, Interesting)
(Last Journal: Wednesday January 08 2003, @09:48AM)
Re:I say publish all the details overseas (Score:5, Interesting)
(http://www.ditl.info/ | Last Journal: Sunday April 27 2003, @10:37AM)
A guy figured out how to manipulate the chip on the smart cards used for credit cards. He contacted whatever company makes the cards to try to get them to hire him. They didn't believe him, so to prove his point he bought about $7.00 worth of metro tickets from an automatic distributor.
And then what?
They busted his ass big time. I think it totally destroyed the guy's career, life, etc. Then the company upgraded their encryption...
Re:I say publish all the details overseas (Score:4, Informative)
Re:I say publish all the details overseas (Score:4, Interesting)
(http://www.microsoft.com/ | Last Journal: Tuesday April 26 2005, @10:17AM)
What a strange filename (Score:5, Interesting)
(http://www.biglumber.com/ | Last Journal: Tuesday November 27, @12:44PM)
Re:What a strange filename (Score:5, Interesting)
(http://www.microsoft.com/ | Last Journal: Tuesday April 26 2005, @10:17AM)
Re:I say publish all the details overseas (Score:5, Funny)
Yeah, I wish we had some sort of global communication network where you could instantly and anonymously post a piece of information, and people anywhere in the world could see it. Wouldn't that totally rock?
Hey! (Score:5, Funny)
(http://grendel.dyndns.org/)
Come *on*, someone toss a practical exploit in here!
--grendel drago
Re:Hey! (Score:5, Funny)
(http://slashdot.org/)
To: mkldev
Subject: Cease and desist
Sir/Madam,
Due to your recent post on the 'news' site 'Slashdot', we issue this cease and desist hereby ordering you to refrain from describing any manner of breaking security methods for refreshment beverage machines. Your suggestion of "...first you take a crowbar..." is in violation of the Digital Millenium Copyright Act.
or something like that
Re:I say publish all the details overseas (Score:5, Insightful)
(Last Journal: Wednesday January 14 2004, @04:52AM)
It is sad to see that the DMCA can be used by a company if it wishes to ignore flaws. It is a sad day knowing that profit is more important than a good product.
Can you say 'Ford Pinto'? I knew you could! (Score:5, Insightful)
Does it bother anyone else that copyright violations are given more attention than violent crime? Why can't the same reasoning the vilifies P2P networks since they "could" be used for illegal copies be applied to manufactures of Dum-Dum bullets, Assault rifles, etc.?
Before rants go off-topic both ways, I'm trying to point out the absurdity of the anti-copyright measures when compared with how other crimes against individuals and not corporations are treated. Laws are being crafted that protect corporations, at the expense of individual rights. My right to not get shot should be a lot more important than a corporations right to make money
(For the record, I'm not against guns in principle - I'll eat hunted meat, etc. I just don't think you can get a good set of steaks if you hunt with an assault rifle, nor is it really sporting, so I don't see why normal people need them. And in today's world the 'standing militia' argument no longer holds - if our armed forces can't hold off an invasion, we're pretty much boned. You'd have to have lots of forces to be able to get a supply chain for more ammo, and if I remember correctly WWI proved you can't really hold the ground without air superiority, so you'd better build an air strip as well.)
Re:Can you say 'Ford Pinto'? I knew you could! (Score:5, Insightful)
Sure, that might not happen, a lot of things might not happen; but it's silly to simply throw away one of the most important checks that individual citizens have on the federal government's power, just because there are some idiots out there who are mentally incapable of possessing a weapon without doing harm to innocent third parties.
By eliminating the right of individual citizens to bear the same firearms that soldiers do, you save a few lives in the short run, and you set us up for a bloody revolution in the long run, when the government decides it's had enough of that "freedom" thing.
not only that (Score:4, Interesting)
(http://www.milksucks.com/ | Last Journal: Monday September 15 2003, @12:30PM)
I say DON'T publish the details AT ALL! (Score:5, Insightful)
(http://www.rigidsoftware.com/ | Last Journal: Saturday September 24 2005, @11:58PM)
Just announce that the product has a MAJOR and EASILY EXPLOITABLE security flaw. Then absolutely _refuse_ to give any details on it to the company. Cite fear of the DMCA [and numerous examples] of its enforcement as your reasoning. (+5th amendment)
Watch their stock take a pounding, and see if they don't fix it themselves. Then they will have to hope you come out and say they fixed it.
Re:I say DON'T publish the details AT ALL! (Score:5, Interesting)
(http://www.tanningbeds.org/ | Last Journal: Sunday November 05 2006, @07:23AM)
My solution is pick one university, find a specific solution, and have about 1000 people get free cokes, free lunches, free access, all on one particular day only. Create a financial incentive, but more importantly a social incentive to open up the conversation.
I am NOT a big fan of breaking the law purely for protest means. (see my many other posts on this subject) However, considering the DMCA itself is a violation of free speech, it may be warranted. Not to rip off large amounts of money, or do serious damage, just nickel and dimed for ONE day where it is OBVIOUS that it is a security breach that can not be overlooked. Then do what you suggested, say you can't tell them how it was done due to DMCA. ('you' being someone who didn't participate but knows how it was done)
....back in my day, we didn't have swipers on..... (Score:4, Funny)
that's right, you young whipper-snappers are giving up something up by "swiping" rather than having to DIG for coins!
The major concern here is about your PRIVACY as you swipe...where's the identity on these cards going?
Free laundry and coke is cool, but I mastered the "quarters on dentalfloss" technique myself...If you are giving all your personal info away at every swipe, there's something wrong.
You should reconsider what you are doing, or at least send me your checking acct#.
Just hold security conferences in a safer country (Score:4, Interesting)
(http://www.linux.org.uk/diary)
Still another fine example of the DMCA at work, protecting the right of corporations to ensure that even the daftest of terrorists can break US security, and stop for a free canteen lunch on the way.
Oh no! Not again! (And again, and again, ...) (Score:5, Interesting)
(Last Journal: Friday November 02, @02:49PM)
Probably a couple per week until the damned thing is repealed or struck down.
When will the DMCA start getting some media attention outside of
When there are media outside of
The DMCA strikes down a lot of rights that many people hold near and dear. I don't know about the rest of