Results 1 to 3 of 3

Thread: Blackboard Campus IDs: Security Thru Cease & Desist

  1. #1
    Purveyor of Lather Syini666's Avatar
    Join Date
    Aug 2001
    Posts
    553

    Blackboard Campus IDs: Security Thru Cease & Desist

    On Saturday night, Virgil and Acidus, two young security researchers, were scheduled to give a talk at Interz0ne II on security flaws they'd found in a popular ID card system for universities. It's run by Blackboard, formerly by AT&T, and you may know it as OneCard, CampusWide, or BuzzCard. On Saturday, instead of the talk, attendees got to hear an Interz0ne official read the Cease and Desist letter sent by corporate lawyers. The DMCA, among other federal laws including the Economic Espionage Act, were given as the reasons for shutting down the talk (but -- update -- see the P.P.S below). I spoke with Virgil this morning.
    Full article [ here ]

    I came across this and I figured alot of the college students here could benefit from being aware of the weakness in the Blackboard system before they find their identity stolen and account drained mysteriously. Looks like another example of where the DMCA is botching things up rather than protecting likes its *supposed* to. Just out of curiosity, how many students here know if their school uses Blackboard, I know mine does and I'm definately going to be wary of it from now on.
    You're not your post count, You're not your avatar or sig, You're not how fast your internet connection is, You are not your processor, hard drive, or graphics card. You're the all-singing, all-dancing crap of AO
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

  2. #2
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    In reading the article it turns out the cease and desist was not DMCA-related, but its the same concept.

    There have been a number of DMCA threads and the whole thing pisses me off every time. Should an ethical researcher who has discovered a flaw or wekaness take it to the vendor first? Absolutely.

    If the vendor chooses to ignore the issue should the researcher tell the public? Absolutely. At least that is my opinion which is in direct conflict of the DMCA.

    In the case cited in this article there is a system used on college campuses across the country that has a fundamental security flaw. The vendor chose to use litigation to keep the specifics from being released- but that doesn't make it more secure. Shouldn't the vendor have an obligation to let all users of its product know that the security can't be relied on?

    In fact, I would submit that once something like this comes out- where it is known that researchers already found a flaw but had the DMCA or other law thrown at them to shut them up- it makes it more imperative than ever to fix the flaw.

    The fact that this is in the news marks the product as a prime target for hackers. The race is on. They already know its flawed and now they just have to find out how. They also can work with the knowledge that the vendor thinks they have squashed the issue and is doing nothing to actually fix the flaw.

    The federal DMCA and the state DMCA's that are pending or already passed are all a mess. They have almost no chance of catching those the law was intended for and technology vendors abuse and mis-interpret the laws to fit their needs and crush legitimate security research. Those who break the law don't care if you write a new law. Gun laws don't keep guns out of the hands of the lawless and hacking laws don't keep lawless hackers down. Laws serve to keep the honest honest but have no effect on those who would break them in the first place.

  3. #3
    Senior Member
    Join Date
    Feb 2002
    Posts
    253

    Smile Here is FAQ in the Blackboard fiasco

    Here is inside information on the Interz0ne matter.

    http://www.edifyingfellowship.org/~overcode/bb-faq.html

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •