Blackboard Campus IDs: Security Thru Cease & Desist 853
Virgil was there two years ago when Dmitri Sklyarov was arrested and led away in handcuffs at Def Con 9. He's not in handcuffs now, but in speaking to me, he had to stop and think about everything he said, and every third answer was "I really shouldn't talk about that."
The DMCA is largely to thank for that. Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work," and that no one "shall... offer to the public... any technology" to do so. Blackboard Inc., whose card system is called the Blackboard Transaction System and known to end users under various names, uses a network of card readers and a central server, and they communicate over RS-485 and Internet Protocol -- using, or so they apparently claim, measures that effectively control access.
For the record, none of what I learned about the Blackboard technology was from him or Acidus after the restraining order was sent. I spoke to other people, who have not been served with a restraining order. Google has a less enlightening mirror of the slide titles from this weekend's PowerPoint presentation and a more enlightening mirror of Acidus's "CampusWide FAQ" from last July. And, most enlightening of all, this mirror has an updated version with details on what they figured out how to do and what their talk was going to be about (click "CampusWide" for the text description, the PowerPoint slides, and Acidus's timeline of the last year).
At many schools, Blackboard's system is the ID: you swipe your card for your meal plan at the cafeteria, to get into your dorm, maybe even to get your final exam.
A swipe at a vending machine will get you a soda -- a money transaction from your campus debit account. When you use a swipe to do laundry and make copies, money has to be involved. Blackboard even notes that they can set up a merchant network on- and off-campus: "a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network." (Emphasis added. Maybe readers who go to schools that use such a system can expand on how that system is used.)
The kicker, of course, is that this network is not very secure, or at least Blackboard doesn't think it's as secure as... well, as lawyers. One anonymous Slashdot submitter wrote that: "The authentication system is so weak that [Virgil and Acidus] have been able to create a drop in replacement for the CampusWide network debit card readers used on coke machines on campus."
Virgil couldn't provide me any details about what he had learned about the system. Based on the mirrors, it looks like a man-in-the-middle replay attack -- which is a pretty simple attack, repeating messages sniffed over the RS-485 protocol, or even over IP -- can have effects like convincing a Coke machine to dispense free product. Or, it's claimed, the attacker can create a temporary card, with no name attached, and free money in its account. Hmmmmm.
Or, more ominously, someone else's identification might be sniffed, and then replayed from a security terminal. If a thief gained entrance to a building by sending the message "open the door, my name is John Doe," the real John Doe might be sorely inconvenienced the next morning.
So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?
If you're a parent putting money into a Blackboard-based debit account, do you feel more confident of its safety now that this information is ostensibly hidden?
This card system has been installed on many campuses and its roots go back almost twenty years. My guess is that replacing the card-reading hardware would be necessary to improve the security of these devices. Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").
So, assuming that's not possible -- is the DMCA a viable tool to ensure security?
P.S. Virgil tells me that he has a good lawyer. They are scheduled to argue on Thursday that the restraining order not be made permanent. Slashdot will keep you apprised of what happens in our Slashback stories... stay tuned.
P.P.S. Update: 04/15 02:30 GMT by J : Now online are the restraining order, which just lists the six things that Acidus and Virgil are not to do, and the more detailed Complaint. Now that these are available, as Declan McCullagh points out, it turns out the DMCA was only in the lawyers' threatening letter and not considered as part of the Complaint itself. I'm not sure why it would be included in the letter -- some of the language of the Georgia Computer Systems Protection Act is similar, and who knows, Section 1201 might be mentioned later on, as this case progresses. Maybe the lawyers are just keeping their options open. Meanwhile, I love this part of the Complaint:
"Mr. Hoffman openly acknowledges on his website that 'I am a hacker.' His website then defends the process of hacking. See Exhibit B."
Duh... (Score:5, Insightful)
silly response (Score:4, Insightful)
solution1) talk about it and develop a fix
solution2) send cease and decist letters to people who could possibly fix the issue, and rely on security through obscurity
solution2 seems kinda silly to me..
Re:I say publish all the details overseas (Score:5, Insightful)
well (Score:5, Insightful)
If a default remote control, garage door opener, et al provided the features the consumers
I don't know if anyone else saw the >article [securityfocus.com] [securityfocus.com] about the student doing steganography work for his PhD - he's moving all his work offshore because he resides in Michigan and the super-dmca may make 'his whole academic career illegal' - depressing.
*cough* Clueless *cough* (Score:1, Insightful)
Re:Duh... (Score:2, Insightful)
Re:I say publish all the details overseas (Score:5, Insightful)
Re:silly response (Score:3, Insightful)
Unfortunately, the DMCA doesn't give any rights to the public at all. You do not talk about security flaws. Go ahead and exploit them, just don't talk about them.
Freedom of the press? (Score:2, Insightful)
That freedom has taken a back seat to congress' lust for power and money.
We should look for other ways to take on the DMCA. IANAL, but the following link is to an interesting case, about fedral powers. I have some doubt, but maybe this is a method to bypass the DMCA.
http://supct.law.cornell.edu/supct/html/93-1260
I am very interested in what people think. Any ideas?
Ps: Why aren't techies lawyer? Oh, and why look at http://www.lp.org They hate the DMCA also.
Re:I say publish all the details overseas (Score:5, Insightful)
It is sad to see that the DMCA can be used by a company if it wishes to ignore flaws. It is a sad day knowing that profit is more important than a good product.
Re:*cough* Clueless *cough* (Score:5, Insightful)
Money (Score:3, Insightful)
Re:Duh... (Score:5, Insightful)
What about this analogy (Score:3, Insightful)
Initially, the later case seems like the thing to do. But what if the bank ignores you? Should someone be allowed to convey information about a problem with a system if the system controllers refuse to fix it? I'd still think not - it'd be one thing to state that there is a vulnerability, and that in good conscience could not state what the vulnerability is, and quite another thing to go explaining the vulnerability to everyone else.
Just my 2 cents, and as always, there's probably more to the story.
F-bacher
good for students, not for administration (Score:2, Insightful)
And yes I realize this is immoral and wrong, it was more a thrill thing at the time.
Another way to go about this? (Score:0, Insightful)
I don't mean to present an opposing viewpoint or anything. Wait... MICROSOFT SUCKS! That better?
Companies hurting themselves (Score:5, Insightful)
A much better plan would of been to let these guys give their talk, to hire them, fix the problems, and them make a bundle in upgrades to existing customers. Come on, if some of these installations are 20 years old we're not talking much more then maintenance revenue. On the other hand system upgrades, especially when demanded by parents, can net a pretty penny. The colleges could have fund drives, hit up alumni societies, all the normal ways to get money when something unexpected walks through the door.
Instead the company gets to look like a fool that knows there are security flaws, aren't fixing them and instead are wasting money on laywers, get getting bad press.
Oh well, I guess there is no such thing as bad press. And that companies would rather think about prestige short term then a better product long term, even if the better product will get them more money.
=Blue(23)
Freedom? (Score:2, Insightful)
You should really consider switch to using GNUnet/Freenet solutions for distributing such information there since it seems the Government there is just too restrictive.
I bet the NSA & Co. are after me now for whatever reason they can come up with... truth hurts yea I know...
- Voice of Ambience -
Stupid. Typical. (Score:5, Insightful)
If hacking is outlawed (and talking about it), only outlaws will know how to hack.
So who do you get to sue if someone makes a dupe of your ID card and raids your campus debit account, or breaks into your dorm room? The school? The hacker? The company that sold the school the lame ID system they claim is secure but is not?
I would think the schools would like to know why sodas, meals, etc. are disappearing from their supplies. Hmmm.... This Coke machine is empty, but only 5 Cokes were recorded to be bought from it. Hmmm...
This is the worst kind of security through obscurity.
- Jasen.
Re:You Americans should have another civil war.. (Score:5, Insightful)
Just recently there have been proposals to amend the DMCA to add some public rights to the equation. They might go somewhere, they might not, but a stable democracy is dependant on changes NOT happening a breakneck speeds.
Re:silly response (Score:5, Insightful)
Given solution 2, how about this scenario. While C&D is in force and no one is implementing a fix, all users of the systems still remain vulnerable. Someone else figures out how to fake the ID's, uses said fake to gain access to student's dormroom, and commits serious crime against student. Student's parents sue college, college FREAKS and looks to point a finger, original objects of C&D step forward with evidence that security company was informed of the problem and offered help with a solution. College and student's parents sue security company into non-existence.
Re:I say publish all the details overseas (Score:5, Insightful)
DMCA=Gun Control=Thought Control (Score:5, Insightful)
Instead of fixing the exploit in their keycard system, the company in question finds it easier to have their lawyers drop a house on the students.
Doesn't "Security through Obscurity" create an environment where persons with malicious intent are free to exercise it?
The students discovering the security hole = The Good Guys. The knowledge they posses equal a Munition (or, a firearm.) They were not planning to use their knowledge maliciously.
Essentially the DMCA has turned knowledge into a weapon to be regulated through the legal system. Just be careful what you know, because speaking of it publicly is becoming the 21st century equivalent of pulling a gun out of your pocket at the mall to discuss it's function with another gun enthusiast.
Of course, we all know the gun paradox. Seriously. Increasingly orwellian gun laws !=less crime. Criminals will always find weapons. On the electronic mean streats, crackers & hackers will always find exploits, but unlike the Good Guys, the Bad Guys won't go to a symposium to divulge the PROBLEM, embarassing the company into FIXING IT. Instead, the Bad Guys will EXPLOIT the FUCK OUT OF IT.
I'm not a philosopher, psychologist, ethicist or sociologist by profession, but perhaps the DMCA needs to be re-evaluated by a panel consisting of a few. Right now it seems to favor only the government and very, very large corporations. Oh, and it makes learning a criminal act.
Do you have a permit for your mind?
Re:No, it doesn't. (Score:5, Insightful)
Re:You Americans should have another civil war.. (Score:2, Insightful)
system that could allow rapists access to college dorms...
Can you say 'Ford Pinto'? I knew you could! (Score:5, Insightful)
Does it bother anyone else that copyright violations are given more attention than violent crime? Why can't the same reasoning the vilifies P2P networks since they "could" be used for illegal copies be applied to manufactures of Dum-Dum bullets, Assault rifles, etc.?
Before rants go off-topic both ways, I'm trying to point out the absurdity of the anti-copyright measures when compared with how other crimes against individuals and not corporations are treated. Laws are being crafted that protect corporations, at the expense of individual rights. My right to not get shot should be a lot more important than a corporations right to make money
(For the record, I'm not against guns in principle - I'll eat hunted meat, etc. I just don't think you can get a good set of steaks if you hunt with an assault rifle, nor is it really sporting, so I don't see why normal people need them. And in today's world the 'standing militia' argument no longer holds - if our armed forces can't hold off an invasion, we're pretty much boned. You'd have to have lots of forces to be able to get a supply chain for more ammo, and if I remember correctly WWI proved you can't really hold the ground without air superiority, so you'd better build an air strip as well.)
False advertising? (Score:3, Insightful)
Re:*cough* Clueless *cough* (Score:4, Insightful)
It doesn't.
You are not allowed to shout "fire!" in a crowded theater.
You are not allowed to using "fighting words" (words intended to incite violence).
You are not allowed to threaten people.
You are not allowed to libel or slander people.
You are not allowed to be "obscene".
http://www.educause.edu/ir/library/html/cem9732.ht ml [educause.edu]
Re:Is this the most correct channel? (Score:3, Insightful)
What they are doing is slowing the process down so they can create a fix, and implement it before everything goes nuts on tons of college campuses
Re:Can you say 'Ford Pinto'? I knew you could! (Score:5, Insightful)
Sure, that might not happen, a lot of things might not happen; but it's silly to simply throw away one of the most important checks that individual citizens have on the federal government's power, just because there are some idiots out there who are mentally incapable of possessing a weapon without doing harm to innocent third parties.
By eliminating the right of individual citizens to bear the same firearms that soldiers do, you save a few lives in the short run, and you set us up for a bloody revolution in the long run, when the government decides it's had enough of that "freedom" thing.
Re:Can you say 'Ford Pinto'? I knew you could! (Score:3, Insightful)
1v1 slashdot shibboleths. (Score:2, Insightful)
One one hand, there is the party line that any security / encryption measure CAN be broken, so that social measures are really what's necessary to achieve desired aims.
On the other, we see slashdot outrage any time a social convention is established / followed that actually attempts to impose social codes of behavior.
(Side notes to all of this include the typical calling whoever developed the security mechanism a moron because of some obscure backdoor that took the investigator 6 dateless months to find but he acts as if it's so obvious.)
The fact of the matter is that the systems these "young security researchers" are ALL at about the state of the art for this stuff as evidenced by the fact that several companies are more or less doing the same thing. It's also evident that without their information being made public, the security systems do a reasonable job of protecting what they need to protect. It's also clear that there WOULD be a greater social benefit if their information was used to make the security systems even better.
However what's bloody obvious as well is that, given their userbase (students), that there is a greater societal harm in releasing the security flaws publicly at this moment. The DMCA, for all its flaws, was designed for exactly this situation. This is a correct application of the DMCA. The young crackers should negotiate a private deal with the providers for a fair amount for the information, intermediated by an intependent arbiter.
With this current administration??? (Score:3, Insightful)
What will be the result? Easy illegal hackers who steal. The DMCA is setting up a black market of crime. Just like how people "steal" cable. And people will not consider it stealing because it is digital. Oh yeah forgot more lawyer work, to prosecute the illegal people. Can we say DMCA is a make work system?
The DMCA will be struck down once people in the mainstream realize it has no effect. This reminds me of the argument with strong encryption....
Add on the fact that governments these days do not care about the little person. Just the big companies with their lobbies....
Re:Hacking by any other name (Score:2, Insightful)
Let's bring this into the physical world rather than the ethereal world of bits and bytes.
Stealing cars is illegal. I don't think there's any debate as to whether or not it should stay that way.
Figuring out how to break into cars and publishing that information is not illegal. (Well, it might be now undere the DMCA.) Especially if Ford makes a car that all you have to do is pull the handle four times real fast, or kick the corner of the door while pushing down the right spot, or some other reasonably trivial method to open a "locked" car.
Such information (how to, and how easy it is or isn't) on breaking into cars is valuable to consumers. They can choose to buy a car from a different manufacturer. They can install an alarm system. They can move to a safer neighborhood where they don't have to worry about people breaking into their car.
The same holds true in the digital world. If I as a consumer put some level of trust in a security system, I want to know how reliable that system is. In this specific case, if Blackboard's security is very weak, then I'll make sure never to have more than $100 in my debit account; as a school, I'll put cameras up to catch students stealing sodas with bogus cards, etc.
The bad guys out there WILL exploit any and all security holes they can find. As a consumer (whether a business buying an enterprise wide security solution, or a soccer mom hooking up to the Internet) it is in my best interest to know that people are out there actively trying to break anything that claims to protect me.
The act of breaking into someone else's machine, or using a bogus ID to steal products, is still illegal. And should be. But people need to know how easy it is or isn't to bypass any security measure so they can make an informed decision how far to trust that measure and what additional measures they may wish to employ.
- Jasen.
Re:Duh (Score:3, Insightful)
I say DON'T publish the details AT ALL! (Score:5, Insightful)
Just announce that the product has a MAJOR and EASILY EXPLOITABLE security flaw. Then absolutely _refuse_ to give any details on it to the company. Cite fear of the DMCA [and numerous examples] of its enforcement as your reasoning. (+5th amendment)
Watch their stock take a pounding, and see if they don't fix it themselves. Then they will have to hope you come out and say they fixed it.
Re:*cough* Clueless *cough* (Score:5, Insightful)
That's when they Cease and Desisted him, and told him that the burning theater was their little secret.
Personally, I'd wanna know, but hey, I'm obviously not normal. Stay asleep if you want, everybody. It's still a free country - but you better check back with me tomorrow just in case.
----
www.whatreallyhappened.com is interesting.
Cease && Decist != Outrage (Score:2, Insightful)
If I were a student on that campus I wouldn't want people openly talking about the system's flaws. I wouldn't want people cracking the system and tampering with any of my information that it contained - ESPECIALLY if this thing controls my meals, my dorm room and my exams.
Also, if I were the genius that found all of these system flaws, I would use it as a marketing opportunity to apply for a job at the company that wrote the software, supplying them with a detailed description of the problem and a proposed solution.
Why must this whole thing be so combative? Why is it so critical for this public forum to be held? If you find problems with the system, go to the company about it, not the public.
Re:*cough* Clueless *cough* (Score:3, Insightful)
So yelling "that card system is insecure" might be considered bad were it not actually true.
And you are allowed to threaten people. Lawyers threaten people all the time using cease and desist letters.
Awww.... (Score:2, Insightful)
Seriously though. Does it ever occur to people that sometimes they have to FIGHT to get things their way? Not fighting in the sense of a debate-club discussion, but rather a nasty bar brawl; you are gonna get hurt a bit, but [hopefully] the other guy gets hurt more.
How did civil rights come about? Did Martin Luther King bitch to his fellow oppressed on the local bulletin board (ahem), write a congressman, and then go home? As I recall, he spent more than a few nights in jail, and eventually got shot to boot.
I'd rather be an insurance guy or something similarly boring then spending part of my life in a 4x6 cell, or even living in fear of same.
Well instead of a 4x6 cell you can have a 100x100 subdivision in some godless plastic suburb somewhere. You'll be safe there, have a fun life!
-----------
Re:No, it doesn't. (Score:5, Insightful)
Interesting, isn't it, in these days of terrorism paranoia, that laws like this ARE going to result in worse security ? Well worse security for the USA, relative to every other country in the world that doesn't (yet) have these sort of laws.
Re:my experience with it... (Score:3, Insightful)
It's not always that simple. You ignore the case where the person had no intention of committing any mischief when they arrived at the dorms. They showed up for a party, drank a few too many beers, got carried away, raped someone and ran. The next day, they're questioned by campus security and deny having been in the residence at all.
But their card was swiped.
Re:I say publish all the details overseas (Score:2, Insightful)
jlk
Re:*cough* Clueless *cough* (Score:3, Insightful)
On the other hand, claiming that your product is "safe and secure" when it's easily provable to be otherwise would seem to violate any number of state and Federal statutes long on the books before the advent of DMCA, etc. I'd think that you could at least make a reasonable case for several flavors of fraud.
Any REAL lawyers out there to comment on that?
Re:No, it doesn't. (Score:5, Insightful)
Re:God this world blows... (Score:5, Insightful)
Every year more money is spent on political campaigns in the USA. Money, in other words, is an essential requirement for securing election in the USA. The result? Well, look at the percentage of millionaires in Congress versus the general population (http://www.opensecrets.org/pubs/law_wp/wealth06.
So, what can we expect the actions of power driven and facilitated by wealth to do? We can expect it to act on behalf of the wealthy and the systems that support them. So why should we experience any surprise when this is exactly what happens?
The DMCA, for example, represents a simple transaction in this political economy. Intellectual property creates value. Value can be converted into money. The more control people are able to exert over intellectual property, the less it's potential value can be harnessed by its owners to create wealth. It may be true that further restriction of access to intellectual property may impair the absolute value that can be derived from a given pool intellectual property. To those who value intellectual property solely or primarily for the wealth it can generate, this is immaterial. So, the groups that represent the greatest centralized pools of wealth generated by intellectual property transact some of that wealth into political power (by supporting representatives directly and by buying the louder voice on capital hill through lobbyists, by controlling large parts of the media and keeping the issue a non-story in most conventional news outlets, etc.). So, the legislation is passed, and these are the consequences.
In a rational economic system, the bottom line for a product like Blackboard's swipe cards would be how well they work and security would be part of that. But Blackboard isn't going to think that way - they are thinking about covering their asses and squeezing as much money out of their property as they can and security be damned.
Without appropriate protections and controls in place to level the playing field where money is concerned, in a context where wealth and power are more and more easily interchanged, it's easy to see that the worse it gets the worse it will get, becuase the very systems we expect to protect us from the undue influence of wealth are themselves increasingly corrupted by wealth, and like a compromised immune system, the more those sytems are corrupted the more curruptible they become.
As long as people accept the side a/side b black and white polarized view they are provided by the respective representatives of sides a and b - that is to say, as long as the primary beneficiaries of the current system are allowed to define the dialogue within their own terms - it will never get better. If you're still voting democrat cause you're scared of them war mongering, civil rights destroying, business loving loonies or republican because you're scared of those tax and spend, victim culture gun banning freaks, then you are manifestly part of the problem.
embarassment & consequences (Score:5, Insightful)
As a security professional, the fact that any cheeseball company can successfully hide their shoddy product behind a federal law is an embarassment. It induces even more cognitive dissonance when I work with federal and state goverment security staff who are well aware of good security principles, and then think about laws such as the DMCA which are diametrically opposed to known-good principles of improving security technology and processes.
It's a lose-lose proposition: News of an exploit always gets out, and is propogated fastest within the community which has little fear of the DMCA. But invocation of the DMCA causes relatively-innocent people -- those that were willing to stand up and state their names -- to tremble and retreat. As I said: it's wrong, immoral, and ultimately ineffectual. I spend my days educating people about the dangers of security by obscurity, and exposing the risks associated with snake-oil solutions such as Blackboard's "secure" transactions. I'm doing my part to educate as many people as I can, but with Grand Moff Ashcroft at the legal helm of the country (and with US federal/foreign policy changed to match the prosecutorial principles of "pre-crime"), I'm afraid it's like spitting into the Mojave.
The first time that some predator clones the card of a victim (or a patsy) in order to gain access to a building and rape/murder someone, I wonder... Will the appropriate law enforcement be able to effectively investigate/prosecute such a crime if the computing research community is prohibited from supporting them? Would Blackboard be content to sit on known security flaws and let a patsy get convicted? Again: wrong, immoral, and ultimately ineffectual. It ought to be illegal to *withhold* security flaws, at least from those who depend on/are subject to them. Feh.
J
Re:No, it doesn't. (Score:3, Insightful)
Re:*cough* Clueless *cough* (Score:3, Insightful)
Now that most people get their information from TV, the notion of an "informed public" has ceased to exist. For example, to attract ratings, Headline News now has some sort of worthless "Entertainment Tonight" segment, constant mentions of "We're the most trusted name in news", constant interruptions to learn that Jessica Lynch brushed her teeth this morning, and on and on. If I watch it for more than five minutes, I get angry at how absurd "news" has become and turn off the TV in disgust.
There's a reason Homer Simpson gets so many laughs...it's because he's so damn accurate, anymore, that we are laughing at ourselves!
Re:I say publish all the details overseas (Score:5, Insightful)
Re:I say publish all the details overseas (Score:2, Insightful)
Nothing works itself out (Score:5, Insightful)
The reason "those problems got solved" is because a lot of people made a big deal about them. Had someone convinced them not to sweat over it, we'd probably still be living with those problems.
That's the ultimate flaw in the "everything'll work out" motif. Nothing works itself out, and that sort of attitude just hinders the process.
Re:I say publish all the details overseas (Score:5, Insightful)
first place, no lawyer action would have had any effect at all.
The problem is, people[1] who find security flaws don't generally
*want* to post them to usenet: they want to work with the vendor
and the security community to get the problems _fixed_.
So here's the question: will these sorts of responses from vendors
force the security community into just giving up on all pretenses
of working with the vendor and just leaking everything to the
general public immediately upon discovery? That would be bad for
all concerned, but it might be better than being lawyered to death.
It's pretty easy to arrange to get something posted to usenet
with a reasonable degree of anonymity, and there's absolutely no
way to suppress anything that has been posted to a big-8 or alt
group, short of destroying the whole planet. But I don't think
I trust the security of a product whose vendor is sufficiently
uncooperative as to motivate a discoverer[1] of a vulnerability
to do things that way.
Maybe people who discover such vulnerabilities should discreetly
communicate everything they know to some third party overseas
first before doing anything else...? But you still have the
problem that if you try to work with the vendor they know who
you are and can laywer you, and you can be held responsible for
communicating the information to the third party.
Ah... but what if the original discoverer remained anonymous
and communicated to someone _else_ who would try to work with
the vendor, and if that failed the original discoverer or some
third party he communicates with could release the information
to the security community (and, in the process, the general
public)? This would be harder for the discoverer, who would
have to anonymously contact a trusted third party in the first
place whom he would have to trust to make a good-faith attempt
to work with the vendor. But if the vendor tried to laywer
the non-anonymous person, they'd run into "I just found out
from this here anonymous email and was trying to work with
you; this leak must have been perpetrated by the evil person
who circumvented your effective measure in the first place,
probably the same dude who sent this email, which seems to
have come to me from an evil open relay in southeast Asia,
one of the same ones the spammers use to send me special
offers for reduced-price copies of your products, which they're
probably pirating. Gosh, you should really go after those
open relays, they're all kinds of trouble."
[1] Security people, I mean. I'm not talking about blackhats.
Re:No, it doesn't. (Score:5, Insightful)
but that doesn't mean you should have to respect that wish.
How many things only get better because someone talks to the press?
Re:Is this the most correct channel? (Score:2, Insightful)
WADR, I disagree.
In reality, they're probably running around in circles, not sure what to do. They may wind up doing just as you said, maybe to the point of backing off with the legal threats once they've got a handle on their technical and marketing response to the issue. I think they're scared and lashing out anyway they can.
The cat's outta the bag. Maybe they didn't expect this publicity from their legal actions but I can't believe that... and maybe the adverse publicity doesn't matter.
Dumb move in the long run or not, when they cool down, I bet they'll just stick to their present course. If they can stop wholesale dissemination of their technical flaws, perhaps dealing with the individual, rare case of exploitation (based only on the knowledge that there *are* flaws) can be done under the radar and on the cheap.
Re:1v1 slashdot shibboleths. (Score:3, Insightful)
On the contrary: what we see here is a moral innovation -- an attempt at creating new and nontraditional codes -- which severely contradicts several established, traditional moral codes.
One of those established, traditional moral codes is called freedom of speech. It holds that it is morally wrong for those in power to restrict others' telling of the truth or proclaiming of beliefs. It does not authorize just any speech: for instance, false speech such as slander is beyond its pale. However, to threaten a person with prosecution for stating the (ugly) truth violates this moral principle.
Another moral code violated here, more recent but still established, is called the public's right to know. It is similar to freedom of speech: it holds that it is morally wrong to allow those in power to hold the general public in a state of ignorance for private benefit. The Blackboard company is in a position to benefit from the public's ignorance if it is not held responsible for its violation of its clients' trust by selling them vulnerable software. If it can suppress the fact of the vulnerability from public disclosure, it is gaining an immoral benefit. Those capable of denying it this ill-gotten gain are obligated to do so.
An instantiation of these moral codes online, a recent but also well-known moral principle, is called full disclosure. It holds that since the harm to the public caused by ignorance of security problems outweighs the harm caused by their exposure; and since vendors such as Blackboard must be prevented from benefiting from the public ignorance; that those who discover security flaws should reveal them in a responsible fashion to the public. One step of this disclosure is to notify the vendor; but when the vendor refuses to take moral responsibility, it is fully acceptable and desired to go to the public with the full and ugly truth.
To advocate protecting the Blackboard company from its responsibility to its clients (universities and students) and the general public is not a moral position. It is precisely an amoral one: one which defends the status quo, or the position of an entity with power, against justified moral claims by others. Please refrain from standing on a pseudo-moral high horse when you are in fact advocating "might makes right" and damning the public's and individuals' rights.
DMCA vs Common Sense (Score:5, Insightful)
"They told us that we didn't leave our door locked, since naturally it was intrusive to check our door to see if it was locked (even though it affected the security of the people telling us) we told the students to scram and forbid them to tell anyone that our doors were open. Unfortunately yesterday we had a sad epsiode on campus where someone entered through our unlocked doors and commited a heinous crime, sadly the conclusion to be derived from this is definite - those infiltrators that went checking our doors must have relayed the information to their despicable accomplices. The University declines any assumption of guilt or failure of any kind. Thank you."
Face it, people suck and they don't ever stop sucking. The world is run by imbeciles to protect imbeciles, and the intelligent are their favorite food group unless they are creating more ways to create morons or joining the pack in their cannabilistic orgy of idiocy.
Re:Stupid. Typical. (Score:3, Insightful)
Wow, you have no idea what you're talking about, do you?
The problem with your examples (all of them) is that you assume that what is obscure remains obscure forever.
The problem with obscurity as a primary means of security is that too many people know things, and the odds on one person speaking out of turn or being duped into revealing a secret is non-trivial. Take, for example, the cases of Kevin Mitnick. He got a lot of his information about unlocked PSTN switches by calling up the maintenance centers for Sprint or whatever and impersonating a repair person in the field.
I'm sure the security at Fort Knox is well understood ("simple" circuits, cameras, and locks). If you ask me, the fact that it's a real fort with lots of troops around making it kind of hard to, for example, sneak in a truck or dozen that you'd need to cart of gold (it's kinda heavy :) ) has more to do with the fact that there hasn't been a break in.
The point of the anti-obscurity argument is that relying on obscurity as the main means of security a system is almost never effective against a determined attacker, because obscurity can be eliminated. Systems designed in the light of day, or at least with collaboration outside of a single interested entity, tend to be more secure because it eliminates those "in the know" short cuts.
Sujal
Re:Remember, Citizens (Score:3, Insightful)
Re:No, it doesn't. (Score:2, Insightful)
I strongly disagree with this concept of licensing, legal or eula restrictions preventing a citizen from speaking his/her mind about what is (generally) a consumer product. A "free society" that cannot freely discuss the products and services it purchases and uses is not a free society.
Re:Duh... (Score:4, Insightful)
Assuming that Blackboard's security has a flaw, then the first amendment protects your right to say Blackboard's security system has a flaw in it.
The first amendment might protect your ability to talk about the flaw in general terms.
The first amendment does not protect your ability to instruct people about the precise details of the flaw and how to exploit it.
The difference? Saying there's a flaw is beneficial because then the company knows and can fix it. Saying how the flaw works and how to exploit it facilitates criminal activity.
Tell a kid that the kid who made fun of him is an idiot and someday he'll die lonely and maybe you'll have made him feel better.
Tell the kid that if he takes the gun on the table, points it at that other kid who made fun of him, and pulls the trigger that the other kid won't make fun of him anymore and you'll land yourself in jail.
In both instances you're talking about speech. See the difference?
And btw, picking a lock almost inherently involves tools. Possession of tools for picking a lock is a crime in most places if you're not a locksmith. Go ahead and ask a lawyer.
Re:No, it doesn't. (Score:5, Insightful)
My thoughts exactly (for quite some time now). The true criminals won't care it's illegal. They will get and USE the information anyway, leaving someone else to take the blame. (Honest officer, it wasn't me who swiped the card to break into the dorm and rob people.) And since the system is <sarcasm> so secure</sarcasm>, who's going to believe the victim? Of course, defending yourself without access to the information that shows how insecure the system really is is going to be a <sarcasm>cake walk</sarcasm>.
It's been my experience (and looking at history, I'm not alone) that trying to ignore a problem (bring in the lawyers!) only makes it worse and more expensive. Sadly, common sense seems so uncommon nowadays.
Re:No, it doesn't. (Score:3, Insightful)
They might claim that my statements are not factual, libelous, and what not.
However, they shouldn't have the right to stop someone from proving facts about the company, it's products, services or dealings with others.
Of course, they try to contract you to be unable to do just that; did you have to sign an EULA for using your card?
Re:DMCA how? (Score:2, Insightful)
In my (admittedly perhaps quaint) part of the country, cards are only needed to "check out" books (i.e. remove them from the building). You can still enter a library and access the books, even without a card. Thus, the technological measure does not effectively limit access.
And then there's the issue of who holds the copyright on the books. Unless it is a very special library (i.e. only contains books published by the school's press, itself) it is likely that almost all the books have no conditions for access imposed by their holders.
Homework? (Score:2, Insightful)
I sure hope this won't diminish the spirit of the young researchers out there. These kids are building our future whether we allow them to or not. Stifling their growth will only give us a dysfunctional future.
you don't know police states (Score:5, Insightful)
Maybe that's how police states work in your native, ignorant, Hollywood view of the world. In real life, police states don't usually bother with beating people up--it's way too much effort--and it's not necessary. They control people through implicit and subtle threats to their liberty, livelihood, and privileges, as well as similar threats to their families. They only resort to force when people absolutely don't comply--but so does law enforcement everywhere.
You don't agree with the party line? Sorry, you or your kids can't go to college. You don't return from your trip abroad? Well, to compensate the state for your misdeeds, your home will be confiscated; too bad about your family. In some areas of US law enforcement, it's getting frighteningly close to that (drug seizures, computer seizures, etc.).
Police states aren't anarchies. They operate orderly and according to laws, they just happen to be laws that limit freedoms excessively. And it's very easy to move from the rule of law in a free society to the rule of law in a police state.
Re:No, it doesn't. (Score:3, Insightful)
This was in my fortune today (Score:4, Insightful)
last year or two, whether or not it is right to discuss so openly the security
or insecurity of locks. Many well-meaning persons suppose that the discus-
sion respecting the means for baffling the supposed safety of locks offers a
premium for dishonesty, by showing others how to be dishonest. This is a fal-
lacy. Rogues are very keen in their profession, and already know much more
than we can teach them respecting their several kinds of roguery. Rogues knew
a good deal about lockpicking long before locksmiths discussed it among them-
selves, as they have lately done. If a lock -- let it have been made in what-
ever country, or by whatever maker -- is not so inviolable as it has hitherto
been deemed to be, surely it is in the interest of *honest* persons to know
this fact, because the *dishonest* are tolerably certain to be the first to
apply the knowledge practically; and the spread of knowledge is necessary to
give fair play to those who might suffer by ignorance. It cannot be too ear-
nestly urged, that an acquaintance with real facts will, in the end, be better
for all parties."
-- Charles Tomlinson's Rudimentary Treatise on the Construction of Locks,
published around 1850
Let's remember why we have disclosure (Score:3, Insightful)
Re:Restraining Order (Score:2, Insightful)
What makes you think they did not know EXACTLY what they were going to do? What makes you think the almost 100 times Blackboard hit our website did not warn us? What makes you think that we were not prepared as hell?
With that said, I think it was still a shock, but we come prepared every year. We had well over 10 separate internet connections. If $#1t hit the fan we would have been streaming it live. If some other event "prevented" us from posting the data we would have gotten around that also. As it was, somewhere around 5 minutes after the rant/talk at the con started, we had relevant information sitting in about 5 continents, on at least 15 webservers I knew of. Not counting the untold numbers of relays the information recieved.
Looks like a cheap but effective maneuver to me.
It was very cheap on the lawyers' part. I think they doubted our resolve, our commitment, and our loyalty to our ideals. We had at least a few traitors in our midst, but the funny thing is they did us NO irreperable harm (*watches feds come in and raid me now*) thus far.
I think it was a bluff, but it may or may not remain that way. Keep in touch [mailto] and stay updated [interz0ne.com].
support our troops! [eff.org]
Re:Remember, Citizens (Score:3, Insightful)
Perhaps a better approach would have been to engage the interest of a local TV news station and arrange, with cooperation from campus security, a live broadcast of a break-in on a Coke machine. If the guys were suitably disguised (ski masks?) and the details sufficiently fuzzy to prevent casual replication by "script kiddies", I'd think they might get away with it. Especially if the news crew leaned heavily towards "the security provided by the cards is clearly crap", instead of "look what these hackers just did".
They wouldn't even have to name Blackboard specifically, just mention that the system so easily cracked is used by major Universities to "secure" thousands of devices, ranging from Coke machines to the girls dorm...
Re:No, it doesn't. (Score:3, Insightful)
When common sense is outlawed, only outlaws will have common sense.
Re:*cough* Clueless *cough* (Score:3, Insightful)
Threat and warning are similar. I would draw the distinction here:
The company has a choice whether it will prosecute the DMCA violation. This is not a capital crime where the state must prosecute. Therefore, the company's letter is a statement of "we will drop rocks on you" more than one of "rocks will fall on you."
Re:No, it doesn't. (Score:2, Insightful)