Blackboard Campus IDs: Security Thru Cease & Desist
Virgil was there two years ago when Dmitri Sklyarov was arrested and led away in handcuffs at Def Con 9. He's not in handcuffs now, but in speaking to me, he had to stop and think about everything he said, and every third answer was "I really shouldn't talk about that."
The DMCA is largely to thank for that. Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work," and that no one "shall... offer to the public... any technology" to do so. Blackboard Inc., whose card system is called the Blackboard Transaction System and known to end users under various names, uses a network of card readers and a central server, and they communicate over RS-485 and Internet Protocol -- using, or so they apparently claim, measures that effectively control access.
For the record, none of what I learned about the Blackboard technology was from him or Acidus after the restraining order was sent. I spoke to other people, who have not been served with a restraining order. Google has a less enlightening mirror of the slide titles from this weekend's PowerPoint presentation and a more enlightening mirror of Acidus's "CampusWide FAQ" from last July. And, most enlightening of all, this mirror has an updated version with details on what they figured out how to do and what their talk was going to be about (click "CampusWide" for the text description, the PowerPoint slides, and Acidus's timeline of the last year).
At many schools, Blackboard's system is the ID: you swipe your card for your meal plan at the cafeteria, to get into your dorm, maybe even to get your final exam.
A swipe at a vending machine will get you a soda -- a money transaction from your campus debit account. When you use a swipe to do laundry and make copies, money has to be involved. Blackboard even notes that they can set up a merchant network on- and off-campus: "a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network." (Emphasis added. Maybe readers who go to schools that use such a system can expand on how that system is used.)
The kicker, of course, is that this network is not very secure, or at least Blackboard doesn't think it's as secure as... well, as lawyers. One anonymous Slashdot submitter wrote that: "The authentication system is so weak that [Virgil and Acidus] have been able to create a drop in replacement for the CampusWide network debit card readers used on coke machines on campus."
Virgil couldn't provide me any details about what he had learned about the system. Based on the mirrors, it looks like a man-in-the-middle replay attack -- which is a pretty simple attack, repeating messages sniffed over the RS-485 protocol, or even over IP -- can have effects like convincing a Coke machine to dispense free product. Or, it's claimed, the attacker can create a temporary card, with no name attached, and free money in its account. Hmmmmm.
Or, more ominously, someone else's identification might be sniffed, and then replayed from a security terminal. If a thief gained entrance to a building by sending the message "open the door, my name is John Doe," the real John Doe might be sorely inconvenienced the next morning.
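What makes the replay described above work is that a reader-to-server message carries nothing a listener cannot simply resend. The following is an added illustration, not code from the article and not Blackboard's actual wire protocol (the article gives no message format, and none is claimed here): a toy "vend" exchange in which a naive server accepts any well-formed request, beside a server that issues a one-time challenge and requires a keyed MAC over it. The field names, the per-reader shared key, and the sample card number and balances are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demo; not real identifiers or keys.
SAMPLE_CARD = "1234567890"
SAMPLE_KEY = b"reader-shared-key-example"   # hypothetical per-reader secret


class NaiveServer:
    """Accepts any well-formed 'vend' message: no challenge, no MAC.
    Whatever a reader sends over the wire can be captured and resent."""

    def __init__(self, balances):
        self.balances = dict(balances)          # card -> balance in cents

    def handle(self, msg):
        if msg.get("op") != "vend":
            return "DENY"
        card, amount = msg["card"], msg["amount"]
        if self.balances.get(card, 0) < amount:
            return "DENY"
        self.balances[card] -= amount
        return "OK"


class NonceMacServer:
    """Issues a fresh challenge per transaction and requires an HMAC over
    (nonce, card, amount) keyed with the reader's secret. A replayed
    message fails because its nonce has already been consumed; a forged
    or tampered message fails because the MAC does not verify."""

    def __init__(self, balances, reader_key):
        self.balances = dict(balances)
        self.reader_key = reader_key
        self.outstanding = set()                # challenges not yet used

    def challenge(self):
        nonce = os.urandom(16).hex()
        self.outstanding.add(nonce)
        return nonce

    @staticmethod
    def mac(key, nonce, card, amount):
        data = f"{nonce}|{card}|{amount}".encode()
        return hmac.new(key, data, hashlib.sha256).hexdigest()

    def handle(self, msg):
        nonce = msg.get("nonce")
        if msg.get("op") != "vend" or nonce not in self.outstanding:
            return "DENY"                       # unknown or already-used challenge
        # Consume the nonce before any other check so a bad MAC cannot be
        # retried against the same challenge.
        self.outstanding.discard(nonce)
        expected = self.mac(self.reader_key, nonce, msg["card"], msg["amount"])
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return "DENY"
        if self.balances.get(msg["card"], 0) < msg["amount"]:
            return "DENY"
        self.balances[msg["card"]] -= msg["amount"]
        return "OK"


def reader_vend(server, card, amount, key=None):
    """Build the message a legitimate reader would send. Against the
    protected server it first fetches a challenge and signs it."""
    msg = {"op": "vend", "card": card, "amount": amount}
    if isinstance(server, NonceMacServer):
        nonce = server.challenge()
        msg["nonce"] = nonce
        msg["mac"] = NonceMacServer.mac(key, nonce, card, amount)
    return msg


def replay_demo():
    """Capture one legitimate vend and resend it three times against each
    server. Returns the two reply lists and the two remaining balances."""
    naive = NaiveServer({SAMPLE_CARD: 1000})
    msg = reader_vend(naive, SAMPLE_CARD, 125)
    captured = dict(msg)                        # sniffed off the wire
    naive_replies = [naive.handle(msg)] + [naive.handle(captured) for _ in range(3)]

    protected = NonceMacServer({SAMPLE_CARD: 1000}, SAMPLE_KEY)
    msg = reader_vend(protected, SAMPLE_CARD, 125, SAMPLE_KEY)
    captured = dict(msg)
    protected_replies = [protected.handle(msg)] + [protected.handle(captured) for _ in range(3)]
    return (naive_replies, protected_replies,
            naive.balances[SAMPLE_CARD], protected.balances[SAMPLE_CARD])


def forge_demo():
    """An attacker without the reader key can obtain a challenge but cannot
    sign it, and cannot alter a signed message in transit either."""
    server = NonceMacServer({SAMPLE_CARD: 1000}, SAMPLE_KEY)
    forged = {"op": "vend", "card": SAMPLE_CARD, "amount": 125,
              "nonce": server.challenge(), "mac": "00" * 32}
    forged_reply = server.handle(forged)
    legit = reader_vend(server, SAMPLE_CARD, 125, SAMPLE_KEY)
    legit["amount"] = 0                         # tamper after signing
    tampered_reply = server.handle(legit)
    return forged_reply, tampered_reply, server.balances[SAMPLE_CARD]


if __name__ == "__main__":
    print(replay_demo())
    print(forge_demo())
```

Against the naive server every replay of the captured message is honoured, so one sniffed transaction is worth as many vends as the balance allows. With the challenge and MAC, the captured message is accepted exactly once; the fix lives in the server and the reader firmware, which is why the article's guess that hardware would have to be replaced is the crux of the matter.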
So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?
If you're a parent putting money into a Blackboard-based debit account, do you feel more confident of its safety now that this information is ostensibly hidden?
This card system has been installed on many campuses and its roots go back almost twenty years. My guess is that replacing the card-reading hardware would be necessary to improve the security of these devices. Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").
So, assuming that's not possible -- is the DMCA a viable tool to ensure security?
P.S. Virgil tells me that he has a good lawyer. They are scheduled to argue on Thursday that the restraining order not be made permanent. Slashdot will keep you apprised of what happens in our Slashback stories... stay tuned.
P.P.S. Update: 04/15 02:30 GMT by J : Now online are the restraining order, which just lists the six things that Acidus and Virgil are not to do, and the more detailed Complaint. Now that these are available, as Declan McCullagh points out, it turns out the DMCA was only in the lawyers' threatening letter and not considered as part of the Complaint itself. I'm not sure why it would be included in the letter -- some of the language of the Georgia Computer Systems Protection Act is similar, and who knows, Section 1201 might be mentioned later on, as this case progresses. Maybe the lawyers are just keeping their options open. Meanwhile, I love this part of the Complaint:
"Mr. Hoffman openly acknowledges on his website that 'I am a hacker.' His website then defends the process of hacking. See Exhibit B."
obviously not (Score:5, Informative)
Here's [bbc.co.uk] an article from the BBC [bbc.co.uk].
and here's a good presentation [treachery.net] from toorcon.
and lastly, this [itworld.com] is a good article from ITWorld.
Try dotLRN - the Free and Open Source alternative! (Score:0, Informative)
It was originally funded and built by the Sloan School of Business at MIT [mit.edu] and has recently been adopted by the University of Heidelberg in Germany, the University of Bergen in Norway and parts of Cambridge University in England.
This past weekend I attended the dotLRN Seminar [collaboraid.biz] in Copenhagen and over 70 people from over 20 institutions worldwide were present. dotLRN's future is very bright!
Also, you can rest assured that no learning institution will ever face silliness such as this.
talli
Re:Another way to go about this? (Score:3, Informative)
And you know very well that this is not the first time this sort of thing has happened.
Re:Another way to go about this? (Score:5, Informative)
This is a snippet from Acidus' old website. It relates the timeline of events. I hope you enjoy.
Sorry for posting AC but since this does come from Acidus' website ....
Re:Try dotLRN - the Free and Open Source alternati (Score:2, Informative)
Re:What about this analogy (Score:5, Informative)
Hope that helps with your question.
Re:*cough* Clueless *cough* (Score:3, Informative)
Sounds to me like "you can say what you want, when you want, and no consequences" to me.
What you want, yes.
When you want, yes.
No consequences, no.
The amendment has been interpreted to mean that the congress can't stop you ahead of time, but can set up rules for punishing you after the fact if your speech meets certain criteria. (Like harming others, soliciting crimes, or otherwise interfering with a "compelling state interest".)
While I'm with you on this one (the GOVERNMENT shouldn't be setting up any content-based penalties for speech, before or after the act), the Supreme Court says otherwise. And there's no appeal beyond the supreme court - which is why it gets to rule on the constitutionality of laws and have the rules stick.
(Oh, well. They say two out of three ain't bad...)
Re:Try dotLRN - the Free and Open Source alternati (Score:2, Informative)
Way to read the article, champ.
I have a OneCard (Score:5, Informative)
There are various machines around that let you deposit money onto your OneCard, but there is no "university-approved network" of stores that accept the OneCard as payment.
The OneCard is primarily used for borrowing books from the library, and for operating the photocopiers/printers on campus, and there is exactly one vending machine on campus that allows you to pay with your OneCard.
As for people living in residence who have meal plans (like me), there's a separate card for that, provided by Aramark [aramark.com]. To get into our dorms, we have keys. Laundry is coin-operated. The OneCard has absolutely nothing to do with the on-campus residences.
For most finals and midterms, we're required to show our onecards and/or driver's licenses as photo ID, but the OneCards aren't swiped through a card reader or anything, it's just photo ID, nothing more.
There are restricted areas on campus that you can access by swiping your OneCard and punching in a secret code, but as a first year undergrad, I don't have access to any of those places so I can't say what it's like (though for most of the places that aren't top-secret nuclear research facilities, it's almost trivially easy to get in by walking in when somebody else walks out -- we're friendly here in Canada, generally we hold the door open for people we don't know).
So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?
Gee, I dunno. This is Canada, there is no DMCA here (as far as I know, anyway). Hopefully some Canadian security researcher will hear about this, and continue the research here...
Re:ThoughtCrime!!!! (Score:2, Informative)
Re:Could someone please not be a wuss about this? (Score:2, Informative)
Subscribe to root@se2600.org (root-subscribe@se2600.org) if you want to chat with the locals about this... or have tips. The con organizers for likely reasons can't comment on enough information, but other people have... more information.
-Iridium (on that list)
Trade secrets and the Economic Espionage Act (Score:5, Informative)
Trade secrets used to be frowned upon by the law. Patents were legally preferable, so that when the patent expired, the knowledge went into the public domain. A trade secret could be lost easily; any publication by anybody erased trade secret status. All trade secret law really did was to put some teeth into confidentiality requirements for employees. It didn't affect outsiders.
All that has changed in the last decade. Between the Economic Espionage Act, the DMCA, and several court rulings, trade secrets now look more like property rights.
Re:Companies hurting themselves (Score:1, Informative)
Good luck lawyers. Bite me.
DMCA isn't about security (Score:4, Informative)
The DMCA isn't about security--it's about copyright. Read the DMCA [copyright.gov], also known as Chapter 12 of Title 17, USC, and decide for yourself.
IMO, the law should either be moved to a general security law, or it shouldn't be interpreted to cover anything except the aiding and abetting of real anti-copyright infringement sale aid--that is, unless a device is intended to protect a document that's transmitted / broadcast, the DMCA shouldn't touch it.
Then again, these are new positions for me--reply and you might change me again.
Re:*cough* Clueless *cough* (Score:3, Informative)
First, the standard IANAL but I play one on /., and seek legal advice regularly.
Now for an example, yelling about a fire or a bomb in a movie theater is a violation of the Constitutional protection on speech. The courts have been working on establishing the guidelines for different classes of speech that are protected and that are not, such as informational (IE: a book about ways to kill people) and those that are functional, or produce actions (a book that entices people to kill others). Informational speech is protected, functional speech may be restricted.
The same is true for technical issues, although I wouldn't want to be a lawyer in that case. Arguing on first-amendment lines, you would have to demonstrate that the claims are purely factual, that the research was conducted legally (many laws explicitly allow exemptions for researchers), and that the paper is purely informational and not functional. If the paper were functional, then it might be interpreted as being restricted by the various laws.
But then, as other posters have said, if a student or university does lose money due to this flaw (which is likely) then they can take it back to the company and sue it for not repairing or disclosing a fatal, known flaw in their systems.
[sigh]
Maybe someday we will be free from the IP garbage that has been spewed out over the past decade. Or maybe we'll get a utopian world where everyone will be honest and do the 'right thing'. No more need for security systems, and software flaws will be presented, evaluated, and repaired quickly...
frob.
Re:it's over (Score:3, Informative)
The fact is, the people in charge are so technologically incompetent that the laws they wrote are being rewritten in legal precedents as companies twist them and the weak minds of judges and juries. The DMCA could have been a great copyright protection tool. Too bad it now covers everything from Wal Mart's prices to garage door openers, a far cry from its intent. How long before the internet is illegal under the DMCA and everyone with a computer is fined for possession of a circumvention device?
So yeah. You have free will. You can choose to live your life on the straight and narrow. And you'll even get away with it as long as the MPAA, RIAA, or someone else doesn't want your money. Or you can sell your computers and live like a hermit.
Just like the Unabomber.
My univ. uses this system (Score:1, Informative)
The security on the system is almost laughable. Multiple unchecked user input flaws have come over bugtraq in the past couple months that allow one to retrieve MD5 hashed passwords of an account of your choosing, exploitable over the internet. Some of these holes have been patched. (If memory serves it's possible to brute force a password that hashes to the same MD5, thereby logging in as anyone who has access to the system.) Professors use the system for quizzing, grades and god knows what else. Last I checked even the quizzing system's timer was controlled by a Javascript countdown timer (need more time to complete that final? No problem, set your system clock back by an hour). We have the ID cards that work like the ones described also, but ours until very recently were encoded with our social security numbers (!!!).
How can I tell if I'm vulnerable? (Score:3, Informative)
Some people have been asking "what 'University approved network'" in other posts. At least here, we've got an account tied to our cards called "city bucks" that lets us spend a declining balance at local off-campus restaurants, and I think a couple supermarkets too. While City Bucks is Cornell-specific, I'm sure other universities have similar things.
I think there are other accounts too, but I forget them. The point is, I'd like to know if I should complain to someone in administration.
Anyway, we have a server with the Blackboard Courseware website software on it, but that doesn't mean we've got their card system too.. but how can I tell if we do use their card swiping system? (There isn't a logo on my card that would identify it as any particular brand.)
Re:Wait a second ... (Score:2, Informative)
Re:Duh... (Score:4, Informative)
But the supporting opinions agreed that it should be illegal because it is a form of intimidation, and I don't think anybody believes that a presentation on the security flaws of a popular transaction system is intimidating...just dangerous to a certain corporation.
Buzzcards (Score:3, Informative)
That being said, I don't think that threatening these folks with the DMCA and acting like the situation doesn't exist is the best possible way to make things safer. Hopefully situations like this can help get part or all of that legislation thrown out.
Re:I know a little about this... (Score:5, Informative)
Lawyer's info (Score:2, Informative)
using DMCA to hide problem: easier than fixing it (Score:4, Informative)
Re:Could someone please not be a wuss about this? (Score:3, Informative)
google cache of Acidus' yanked pages (Score:2, Informative)
The main page:
http://216.239.37.100/search?q=cache:aCrSrlgFxsYC
Text document covering network infrastructure, database, servers, etc. for blackboard system:
http://216.239.39.100/search?q=cache:fM1kWpR_dbQC
These are the old cached ATT webpages, full of Technical details Blackboard wished weren't floating around:
http://216.239.37.100/search?q=cache:www.yak.net/
Acidus' card system FAQ:
http://216.239.37.100/search?q=cache:www.yak.net/
Creative use of cut and paste within the google cache should let you hit any of the other links within those pages that you may be interested in.
Restraining Order (Score:4, Informative)
Because, all the links point to a cease and desist letter, which are as cheap as lawsuits in the United States. Any schmoe can send a cease and desist letter. Hell, I could send CmdrTaco a letter claiming that the space aliens he keeps in his laundry hamper are interfering with the workings of my tin-foil reflector beanie. You certainly don't have to do what the cease and desist letter tells you to do, any more than I have to follow instructions from the little voices in my head. Sometimes the little voices in my head give me good practical advice, like "change your socks." But you would be a fool to follow the advice of either the voices in my head or a random lawyer's cease and desist letter without question.
But, I understand a restraining order as an entirely different thing. A restraining order is handed out by a court, and unless you're fond of the inside of jail cells you would be well advised to follow it to the letter.
So, did these people actually get a restraining order against them? Or is this just another badly misleading slashdot article?
Already a zillion exceptions (Score:3, Informative)
You can be sued for libel and slander.
Lying in a contract is a no-no.
Making false claims in ads is frowned upon.
Yelling FIRE in a theater is not in the cards.
The Secret Service will come after you if you make threats against government officials.
What part about make no law don't you understand?
Re:Hey! (Score:3, Informative)
You could also get free food, drinks, and laundry if you used the machines when the card system was offline (this happened at the same time every week, I'm assuming the database was down for maintenance or something). You couldn't always get free food (although I once saw people completely clear out a set of vending machines), but when your food purchases failed, it was generally a good time to do free laundry (laundry purchases never failed, even if the system was down - I guess they didn't want people to be unable to dry their wet clothing). It's best to do this when you have no money on your card, then there's no risk of being charged later.
Building security was (and is still) pretty weak. Access is controlled by cards at night (different cards from the vending machines), and I don't know of any way to circumvent this system. But generally, there was at least one door on each building that was never locked (sometimes the doors were locked, but pushing the button for the automatic door opener would open them). Many of the buildings were linked, so one unlocked building could give you access to several locked buildings. IIRC, there are only 3 or 4 buildings locked securely at night.
Re:Duh... (Score:4, Informative)
They did, however, uphold the right of the KKK to burn the large 30' cross as a form of protected speech (i.e. political, without an immediate threat of harm or intimidation). It was for this reason that Thomas dissented - his comments indicated that the history of cross-burning is such that there is never a time when cross-burning is not meant to intimidate.
So to return to the question at hand, the Supreme Court has clearly, multiple times, made a distinction between types of speech and that some are protected and others aren't. Regardless of the first amendment, you can't make threats on the life of the president (no matter how much of a ditz he is). Similarly, you can't give away state secrets. No matter how inane or ludicrous the DMCA is, there is a long precedent for restricting certain types of speech. (So the question of its constitutionality is not one that is easily answered.)
Re:I say publish all the details overseas (Score:1, Informative)
IIRC, the idea was to make a card with a chip that would always approve the current transaction. Meaning that you could use the false card in older vending machines and the like. You couldn't get cash with it, though.
Blackboard Follies (Score:3, Informative)
Oddly enough...I had a discussion about this with a CS prof a while back. Turns out he and another tenured prof figured out how to make all the vending machines (which are on the card) spit out free stuff by using a card with purposely malformed data.
This worked so well that the machines would dispense free stuff until somebody came along and unplugged/restarted them...
But anyway, if Blackboard wants to, two highly respected, published CS profs could be prosecuted under the DMCA.
Another problem popped up a couple years ago that never became common knowledge: if your account balance was between 0 and $0.05, you could buy as much as you wanted, and your balance would never change. I'm not sure if that was a Blackboard bug or something else we did here.
Another one of those through-the-grapevine stories that I suspect is true--the host "machines", whatever they are, for the locks operated by these cards communicate via TCP/IP with a central server. Last year a CS student figured this out and started sending a variety of packets at one of the hosts, crashed it, and summarily locked 200 students out of their dorm.
Ah, Blackboard, how I love thee.
And I've just committed multiple crimes under the DMCA, I believe...
It's pretty much the same system used in arcades (Score:3, Informative)
When these units need to be repaired, they are plugged into a "dumb server". This server basically takes ANY card input, and sends back an "OK" to the reader to allow it to start up a game.
The only critical knowledge needed is the location/site ID code the reader is setup for, and (obviously) the format that particular manufacturer/provider uses for their network.
I can't imagine it would be difficult at all to do the same thing for a coke machine, or any other device, on a CampusWide Network.
- litz
Contact the Lawyer. (Score:3, Informative)
here's the contact info for the lawyer who sent the cease and desist letter.
http://www.sablaw.com/profiles/bio.asp?ID=00003
eyewitness (Score:1, Informative)
Acidus has been telling Blackboard about the flaws in their products for at least 18 months.
I saw Acidus' talk at both Interz0ne I and PhreakNIC6, plus the 2600 article has been out for a while too. Blackboard has known that people were discussing these flaws for quite some time and chose to ignore it.
At Interz0ne II, a cease and desist email was received by the con chair on Friday night, and two FedEx packages arrived at the con hotel Saturday morning. Inside were paper copies of the email, plus restraining orders, unsigned by a judge. A courier arrived Saturday afternoon with signed restraining orders; I was in the lobby and personally witnessed this, saw the paperwork, etc. I couldn't read the Judge's signature before the organizers left with the papers, but I did see "DeKalb County" on the restraining orders, so I assume that's where they came from (the con was in DeKalb County as well).
Acidus and Virgil were not sure of their legal status. Neither were the con organizers. Try finding a lawyer or getting in touch with someone from the EFF, ACLU, etc, at 4pm on a Saturday; their talk was scheduled at 7pm. If I was an evil bastard lawyer, I would have timed it that way too. Organizers, have a good-guy lawyer or three onhand at all times during future cons, ok?
They erred on the side of caution, which probably kept them all from actually getting arrested (as one of the con organizers pointed out, someone reporting to Blackboard or the law firm had to have been attending the con, otherwise they wouldn't know if the cease and desist and restraining orders had been observed).
Keep checking the Interz0ne website for updates, and there will hopefully be further talks at DefCon, Dragoncon and PhreakNIC7 this year.
I am not Virgil, Acidus or any of the con organizers (Rockit, JohnnyX, Iridium, etc).
Re:I say publish all the details overseas (Score:4, Informative)