April 15th, 2003, 04:57 AM
Blackboard Campus IDs: Security Thru Cease & Desist
Full article [ here ]
On Saturday night, Virgil and Acidus, two young security researchers, were scheduled to give a talk at Interz0ne II on security flaws they'd found in a popular ID card system for universities. It's run by Blackboard, formerly by AT&T, and you may know it as OneCard, CampusWide, or BuzzCard. On Saturday, instead of the talk, attendees got to hear an Interz0ne official read the Cease and Desist letter sent by corporate lawyers. The DMCA, among other federal laws including the Economic Espionage Act, were given as the reasons for shutting down the talk (but -- update -- see the P.P.S below). I spoke with Virgil this morning.
I came across this and I figured alot of the college students here could benefit from being aware of the weakness in the Blackboard system before they find their identity stolen and account drained mysteriously. Looks like another example of where the DMCA is botching things up rather than protecting likes its *supposed* to. Just out of curiosity, how many students here know if their school uses Blackboard, I know mine does and I'm definately going to be wary of it from now on.
You're not your post count, You're not your avatar or sig, You're not how fast your internet connection is, You are not your processor, hard drive, or graphics card. You're the all-singing, all-dancing crap of AO
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
April 16th, 2003, 04:15 AM
In reading the article it turns out the cease and desist was not DMCA-related, but its the same concept.
There have been a number of DMCA threads and the whole thing pisses me off every time. Should an ethical researcher who has discovered a flaw or wekaness take it to the vendor first? Absolutely.
If the vendor chooses to ignore the issue should the researcher tell the public? Absolutely. At least that is my opinion which is in direct conflict of the DMCA.
In the case cited in this article there is a system used on college campuses across the country that has a fundamental security flaw. The vendor chose to use litigation to keep the specifics from being released- but that doesn't make it more secure. Shouldn't the vendor have an obligation to let all users of its product know that the security can't be relied on?
In fact, I would submit that once something like this comes out- where it is known that researchers already found a flaw but had the DMCA or other law thrown at them to shut them up- it makes it more imperative than ever to fix the flaw.
The fact that this is in the news marks the product as a prime target for hackers. The race is on. They already know its flawed and now they just have to find out how. They also can work with the knowledge that the vendor thinks they have squashed the issue and is doing nothing to actually fix the flaw.
The federal DMCA and the state DMCA's that are pending or already passed are all a mess. They have almost no chance of catching those the law was intended for and technology vendors abuse and mis-interpret the laws to fit their needs and crush legitimate security research. Those who break the law don't care if you write a new law. Gun laws don't keep guns out of the hands of the lawless and hacking laws don't keep lawless hackers down. Laws serve to keep the honest honest but have no effect on those who would break them in the first place.
April 16th, 2003, 08:36 PM
Here is FAQ in the Blackboard fiasco