Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Blackboard Campus IDs: Security Thru Cease & Desist

jamie posted more than 11 years ago | from the cease-and-desist dept.

Security 853

On Saturday night, Virgil and Acidus, two young security researchers, were scheduled to give a talk at Interz0ne II on security flaws they'd found in a popular ID card system for universities. It's run by Blackboard, formerly by AT&T, and you may know it as OneCard, CampusWide, or BuzzCard. On Saturday, instead of the talk, attendees got to hear an Interz0ne official read the Cease and Desist letter sent by corporate lawyers. The DMCA, among other federal laws including the Economic Espionage Act, were given as the reasons for shutting down the talk (but -- update -- see the P.P.S below). I spoke with Virgil this morning.

Virgil was there two years ago when Dmitri Sklyarov was arrested and led away in handcuffs at Def Con 9. He's not in handcuffs now, but in speaking to me, he had to stop and think about everything he said, and every third answer was "I really shouldn't talk about that."

The DMCA is largely to thank for that. Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work," and that no one "shall... offer to the public... any technology" to do so. Blackboard Inc., whose card system is called the Blackboard Transaction System and known to end users under various names, uses a network of card readers and a central server, and they communicate over RS-485 and Internet Protocol -- using, or so they apparently claim, measures that effectively control access.

For the record, none of what I learned about the Blackboard technology was from him or Acidus after the restraining order was sent. I spoke to other people, who have not been served with a restraining order. Google has a less enlightening mirror of the slide titles from this weekend's PowerPoint presentation and a more enlightening mirror of Acidus's "CampusWide FAQ" from last July. And, most enlightening of all, this mirror has an updated version with details on what they figured out how to do and what their talk was going to be about (click "CampusWide" for the text description, the PowerPoint slides, and Acidus's timeline of the last year).

At many schools, Blackboard's system is the ID: you swipe your card for your meal plan at the cafeteria, to get into your dorm, maybe even to get your final exam.

A swipe at a vending machine will get you a soda -- a money transaction from your campus debit account. When you use a swipe to do laundry and make copies, money has to be involved. Blackboard even notes that they can set up a merchant network on- and off-campus: "a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network." (Emphasis added. Maybe readers who go to schools that use such a system can expand on how that system is used.)

The kicker, of course, is that this network is not very secure, or at least Blackboard doesn't think it's as secure as... well, as lawyers. One anonymous Slashdot submitter wrote that: "The authentication system is so weak that [Virgil and Acidus] have been able to create a drop in replacement for the CampusWide network debit card readers used on coke machines on campus."

Virgil couldn't provide me any details about what he had learned about the system. Based on the mirrors, it looks like a man-in-the-middle replay attack -- which is a pretty simple attack, repeating messages sniffed over the RS-485 protocol, or even over IP -- can have effects like convincing a Coke machine to dispense free product. Or, it's claimed, the attacker can create a temporary card, with no name attached, and free money in its account. Hmmmmm.

Or, more ominously, someone else's identification might be sniffed, and then replayed from a security terminal. If a thief gained entrance to a building by sending the message "open the door, my name is John Doe," the real John Doe might be sorely inconvenienced the next morning.

So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?

If you're a parent putting money into a Blackboard-based debit account, do you feel more confident of its safety now that this information is ostensibly hidden?

This card system has been installed on many campuses and its roots go back almost twenty years. My guess is that replacing the card-reading hardware would be necessary to improve the security of these devices. Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").

So, assuming that's not possible -- is the DMCA a viable tool to ensure security?

P.S. Virgil tells me that he has a good lawyer. They are scheduled to argue on Thursday that the restraining order not be made permanent. Slashdot will keep you apprised of what happens in our Slashback stories... stay tuned.

P.P.S. Update: 04/15 02:30 GMT by J : Now online are the restraining order, which just lists the six things that Acidus and Virgil are not to do, and the more detailed Complaint. Now that these are available, as Declan McCullagh points out, it turns out the DMCA was only in the lawyers' threatening letter and not considered as part of the Complaint itself. I'm not sure why it would be included in the letter -- some of the language of the Georgia Computer Systems Protection Act is similar, and who knows, Section 1201 might be mentioned later on, as this case progresses. Maybe the lawyers are just keeping their options open. Meanwhile, I love this part of the Complaint:

"Mr. Hoffman openly acknowledges on his website that 'I am a hacker.' His website then defends the process of hacking. See Exhibit B."

Sorry! There are no comments related to the filter you selected.

Check it out!! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5730073)

The Goatse guy [goatse.cx] put up a new picture! It's not even obscene anymore! This a historic day on the internet!!!

Re:Check it out!! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5730247)

If I ever meet you, I will KICK YOUR ASS!

Security through FP (-1, Offtopic)

Anonymous Niggard (657484) | more than 11 years ago | (#5730077)

michael ate my balls!

I FAIL IT! (-1, Troll)

Anonymous Niggard (657484) | more than 11 years ago | (#5730096)

Remember, Citizens (5, Funny)

RLiegh (247921) | more than 11 years ago | (#5730091)

This in NO WAY implies we live in a police state.

No, it doesn't. (3, Interesting)

Anonymous Coward | more than 11 years ago | (#5730110)

A corporation is preventing you from doing something, which is their right according to law.

If we lived in a police state, armed thugs would not tell you, "You can't detail the flaws of our product." They'd just beat the living crap out of you and then go home, kick back, and drink a cold Coors 20 ouncer.

Re:No, it doesn't. (0, Redundant)

gamgee5273 (410326) | more than 11 years ago | (#5730245)

Doesn't make the law right though, does it Trollboy?

Re:No, it doesn't. (1)

gricholson75 (563000) | more than 11 years ago | (#5730272)

True. But with laws like the DMCA, is there really that much difference?

Re:No, it doesn't. (4, Interesting)

nehumanuscrede (624750) | more than 11 years ago | (#5730276)

A corporation who distributes flawed merchandise or software has every right to tell me to be quiet. I also have every right to a functional secure product that they claim to be pawing off on you. Perhaps hitting the corporation with a false advertisement lawsuit ( we sell a secure product, we swear ) in return would wake them up. ( Doubtful ) With our sorry ass congress/senate passing these bills as fast as they can, it's probably our only recourse until we boot the entire lawmaking body out of office and get someone with some sense.


Sexual Asspussy (453406) | more than 11 years ago | (#5730115)

posting AC is for fucking QUEEEERS | | / /
"MEN" who want to fuck other "MEN" ( ( |=D ( ( =D
mmmmmmm the sweet taste of BALL SAP | | |@ | | @
can't get ENOUGH can you FAGGOTS??
right over here -- this is your "LOVER" --^^^ ^
and THIS HERE is your ASS about to get FUCKED ------|

gay ho mo fa GA y! A C Yo !
gaylord ho mo GG gays A C ur !
gay ho mo ot GA y! AC=GAY eG `


Anonymous Coward | more than 11 years ago | (#5730141)

Q) What's more lame then ascii art?
A) Ascii art that doesn't even look like anything!


i repeat -- FUCK AC (-1)

Proctal Relapse (467579) | more than 11 years ago | (#5730228)

i will pin down your anonymous virtual shoulders against the ground, nail your e-hands to either side of you, and take a big analog dump in your mouth.

fucking AC scum. fucking dissing my ASCII... bring yours to the table you unskilled rodlicker. i'll rape your ass in 7-bit characters, and your little faggot dog too.


Re:i repeat -- FUCK AC (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5730296)

Shouldn't you do something it won't enjoy?


Anonymous Coward | more than 11 years ago | (#5730262)

dumb bitch you are - ascii dbag

MODS ON CRACK (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5730182)

This is not a troll; this is highly insightful. It's just that the mods are smoking the cheap $2 crack and they "loev teh ManHam". M2ers, please mark these fuckers Unfair.

I say publish all the details overseas (3, Interesting)

Marx_Mrvelous (532372) | more than 11 years ago | (#5730093)

I wish there were a way to accidentally leak the exacty details overseas. There, it would be very difficult to get shut down, and every college using this system would have to deal with it.

While this may be an inconvenience to students, they can get by without buying coke with a swipe of a card for a while.

Re:I say publish all the details overseas (5, Insightful)

Jeffrey Baker (6191) | more than 11 years ago | (#5730118)

It is trivial to leak this kind of information. Walk into an internet cafe (or walk by any of millions of open 802.11b network) and upload the information to USENET. Problem solved.

Re:I say publish all the details overseas (5, Insightful)

Marx_Mrvelous (532372) | more than 11 years ago | (#5730146)

Now of course, I wouldn't have had this reaction if the company had taken steps working with the discoverers of the security flaw. If anything, they should hire/pay these researchers for their work, fix the problem, implement it, and then publish what went wrong. And who knows, maybe they even tried. I doubt it though, when a cease-and-desist can have the same effect.

Re:I say publish all the details overseas (5, Insightful)

gl4ss (559668) | more than 11 years ago | (#5730329)

chances are that they knew _exactly_ how bad the system was, and maybe just hadn't care when they first made the system, maybe thinking that it would be such niche system or so it wouldn't need to be secure, or maybe it was some other system adapted to use where security would have paid off..

Re:I say publish all the details overseas (4, Interesting)

Acidic_Diarrhea (641390) | more than 11 years ago | (#5730158)

Why isn't there a way? It seems like it wouldn't be that hard to drop a .pdf file onto a p2p network (call it how_to_get_coke_for_free_at_school.pdf) and watch the downloads begin. The point is that by doing it in this manner, the flow of information is limited to those people who are tech-saavy enough (I know, I know - you wouldn't have to know very much to download and view a .pdf file) to get the file. This prevents many of the people who really need this information, the administrators and parents, from getting it. The college kids can still find out because they've grown up with computers but the people pulling the strings won't know their system is insecure because their knowledge of computers starts and stops with Solitaire.

Re:I say publish all the details overseas (1)

adamruck (638131) | more than 11 years ago | (#5730207)

naw.. if I just recieved a cease and decist order, the last thing I would do is put it on a p2p network.. to easy to trace ips. Better solution would be a news group, or say google groups or something.

Re:I say publish all the details overseas (1)

Dthoma (593797) | more than 11 years ago | (#5730226)

the people pulling the strings won't know their system is insecure because their knowledge of computers starts and stops with Solitaire.

This is a good thing in one respect; it means there's less of a chance of you getting busted seconds after you upload it to Gnutella.

Re:I say publish all the details overseas (5, Funny)

Anonymous Coward | more than 11 years ago | (#5730165)

I wish there were a way to accidentally leak the exacty details overseas. There, it would be very difficult to get shut down, and every college using this system would have to deal with it. While this may be an inconvenience to students, they can get by without buying coke with a swipe of a card for a while.

Yeah, I wish we had some sort of global communication network where you could instantly and anonymously post a piece of information, and people anywhere in the world could see it. Wouldn't that totally rock?

Hey! (4, Funny)

Grendel Drago (41496) | more than 11 years ago | (#5730283)

How come we can post Win2k3 serial keys in the slashdot forums, but no one posts how to get phr33 as in c0ke c0kes? Sheesh. What bullshit.

Come *on*, someone toss a practical exploit in here!

--grendel drago

Re:I say publish all the details overseas (5, Insightful)

orthancstone (665890) | more than 11 years ago | (#5730166)

Well, going to a school where all my food is purchased by cards and the only way I can get back to my room is controlled by cards, I'd say your statement of "deal with it" is quite silly.

It is sad to see that the DMCA can be used by a company if it wishes to ignore flaws. It is a sad day knowing that profit is more important than a good product.

Re:I say publish all the details overseas (1)

Randolpho (628485) | more than 11 years ago | (#5730187)

"difficult to get shut down"? Need I remind you that Sklyarov was arrested in the U.S. for doing something that was perfectly legal when he was in his home country?

Re:I say publish all the details overseas (1)

gtsquirrel (613500) | more than 11 years ago | (#5730206)

There was a rumor going around that overseas mirrors had gone up. I don't know exact details, but I'm sure someone has the answer. Keep searching Google, perhaps?

Re:I say publish all the details overseas (0)

Anonymous Coward | more than 11 years ago | (#5730260)

You could always contact the lawyer who served the cease and desist letter. His personal information is freely available [sablaw.com] on his firm's website. Fortunately, it even his has his phone number and email address. Who knows? He may be willing to share the information with you.

Re:I say publish all the details overseas (0)

Anonymous Coward | more than 11 years ago | (#5730275)

This is just the kind of thing that freenet was designed for.

Re:I say publish all the details overseas (1)

phasm42 (588479) | more than 11 years ago | (#5730325)

Maybe it should be arranged for someone overseas to "hack" into this guy's computer and publish it on the internet... At least this way, they couldn't point a finger at him.

Again? (1)

insecuritiez (606865) | more than 11 years ago | (#5730097)

How many more times are we going to hear about the DMCA and the extreem mesures some companies and people will go to use it? When will the DMCA start getting some media attention outside of /.? The DMCA strikes down a lot of rights that many people hold near and dear. I don't know about the rest of /. readers but I disgusted by the DMCA.

Re:Again? (0)

Anonymous Coward | more than 11 years ago | (#5730177)

How many more times are we going to hear about the DMCA and the extreem mesures some companies and people will go to use it? When will the DMCA start getting some media attention outside of /.?

The answer to both is "when you get off your ass and do something about the DMCA".

Re:Again? (2, Interesting)

MKalus (72765) | more than 11 years ago | (#5730193)

Not anytime soon.

Most people in their daily lives aren't directly affected by it (or not to their knowledge at least).

Most of the places that bump into the DMCA right now are the academics. Why? Because they are a bit ahead of the curve, the idea to undstand things is integral to them. Most people though are just consuming the final product, as such they won't be affected for a while.

Wait a bit longer until the product Johnny wants to buy (or an update to a Software he is using) can't be had anymore because the developer wasn't allowed to incorporate the functionality because of the DMCA.

Of course by then the question is if the masses will still care (I bet not).


Oh no! Not again! (And again, and again, ...) (4, Interesting)

Ungrounded Lightning (62228) | more than 11 years ago | (#5730267)

How many more times are we going to hear about the DMCA and the extreem mesures some companies and people will go to use it?

Probably a couple per week until the damned thing is repealed or struck down.

When will the DMCA start getting some media attention outside of /.?

When there are media outside of /. that aren't part of entertainment conglomerates that are pushing the use of the DMCA to "protect" their "content", or by conglomerates that also own proprietary software vendors who are using it to "protect" their software products from reverse engineering, exposure of security flaws, and/or competition.

The DMCA strikes down a lot of rights that many people hold near and dear. I don't know about the rest of /. readers but I [am] disgusted by the DMCA.

Your opinion is widely shared.

Duh... (5, Insightful)

c0dedude (587568) | more than 11 years ago | (#5730099)

Well, if you aren't even able to TALK about security flaws *Cough*First Amendment*Cough* they'll never get fixed. The DMCA again makes the net less secure instead of more.

*cough* Clueless *cough* (1, Insightful)

Anonymous Coward | more than 11 years ago | (#5730129)

The First Amendment most certainly does not grant you the right to say what you want, when you want, and damned be the consequences.

Re:*cough* Clueless *cough* (5, Insightful)

intermodal (534361) | more than 11 years ago | (#5730168)

actually, it does. Thats the point of a free press. An informed public is necessary to maintain ones freedoms, but i guess we already missed the "informed public" boat too early to avoid draconian laws like the DMCA anyhow.

Re:*cough* Clueless *cough* (2, Informative)

HeghmoH (13204) | more than 11 years ago | (#5730241)

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.

Sounds to me like "you can say what you want, when you want, and no consequences" to me.

Re:*cough* Clueless *cough* (0)

Anonymous Coward | more than 11 years ago | (#5730295)

Feel free to bold the part that says no consequences.

Consequences. (1)

Grendel Drago (41496) | more than 11 years ago | (#5730297)

Where does it guarantee no consequences? You mean I can piss on a flag in front of the VA and not get my ass kicked? That I can burn a cross on my lawn in a black community and not be set on fire myself? That I can wear a Nazi uniform in downtown Skokie and walk out of there alive?

No legal consequences, maybe.

--grendel drago

Re:Duh... (2, Insightful)

adamruck (638131) | more than 11 years ago | (#5730138)

im no lawyer but I think that talking about security holes vs. giving a lecture on how to exploit security holes are two different things, and the first ammentment only applies to one of them.

Re:Duh... (5, Insightful)

BattleTroll (561035) | more than 11 years ago | (#5730174)

Ummm, no. If Neo-nazis can parade down the street, hate-mongers can publish their diatribes, crosses can be burnt, and flags defecated on then by God the first amendment should protect academic discussion on security holes and their implications. Teaching someone how to pick a lock is not the same as breaking into Ft. Knox.

Re:Duh... (0)

Anonymous Coward | more than 11 years ago | (#5730231)

jeese, that didn't take long.. its true.. all forum discussions to lead to nazis

silly response (4, Insightful)

adamruck (638131) | more than 11 years ago | (#5730101)

oh good, possible security hole found in card readers

solution1) talk about it and develop a fix
solution2) send cease and decist letters to people who could possibly fix the issue, and rely on security through obscurity

solution2 seems kinda silly to me..

Re:silly response (2, Insightful)

evilviper (135110) | more than 11 years ago | (#5730156)

Actually solution2 isn't completely a bad thing as long as it is only a short-term, temorary measure, until a fix can be finished. Then solution1 would be perfectly okay.

Unfortunately, the DMCA doesn't give any rights to the public at all. You do not talk about security flaws. Go ahead and exploit them, just don't talk about them.

ThoughtCrime!!!! (2, Funny)

jsimon12 (207119) | more than 11 years ago | (#5730192)

Such things are doubleplusbad.

Re:silly response (5, Insightful)

st0rmshad0w (412661) | more than 11 years ago | (#5730273)

Hmmm, they had better go with option 1.

Given solution 2, how about this scenario. While C&D is in force and no one is implementing a fix, all users of the systems still remain vulnerable. Someone else figures out how to fake the ID's, uses said fake to gain access to student's dormroom, and commits serious crime against student. Student's parents sue college, college FREAKS and looks to point a finger, original objects of C&D step forward with evidence that security company was informed of the problem and offered help with a solution. College and student's parents sue security company into non-existence.

God this world blows... (0, Offtopic)

Recoil_42 (665710) | more than 11 years ago | (#5730106)

why does the world have to suck so much? i mean it; any serious thoughts?

Re:God this world blows... (5, Funny)

L. VeGas (580015) | more than 11 years ago | (#5730137)

God this world blows... why does the world have to suck so much? i mean it; any serious thoughts?

Hey, don't blame me. I set you up in a nice garden, and you had to listen to that stupid snake.

Re:God this world blows... (0)

Anonymous Coward | more than 11 years ago | (#5730306)

It was the woman that listened to the snake. Then, as most men do, the man listened to her and ate the fruit.

Re:God this world blows... (1)

Quixadhal (45024) | more than 11 years ago | (#5730151)

That's easy... because elves and faerie magic aren't real. If they were, we could just blame everything on the elves, and use magic to get things done. Since they're not, we have to do all the work ourselves and blame the government.

Certain people who've been on TV from "The Government" do kinda have pointy ears... don't they?

Re:God this world blows... (1)

realdpk (116490) | more than 11 years ago | (#5730155)

Power-hungry folks end up in power (either by vote or by invading another country/civil war), and are desperate to maintain that power. It's to the point that I highly doubt the former could repair the system, too.

OMG (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5730109)

I like Kittens and Ponies and FIFTH POSTs!

MOD PARENT POST UP (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5730132)

That was the most insightful post I've ever seen on Slashdot

You Americans should have another civil war.. (0, Flamebait)

Idimmu Xul (204345) | more than 11 years ago | (#5730121)

Thats how you successfully got rid of the nasty oppressors last time :)

Or some lawyers :(

I hope nothing like this is going to be passed in the UK/Europe. Even with reading slashdot and the reg Im still not sure if im missing anything :/

Re:You Americans should have another civil war.. (1)

hoggoth (414195) | more than 11 years ago | (#5730233)

> I hope nothing like this is going to be passed in the UK/Europe

Too late... [slashdot.org]

Re:You Americans should have another civil war.. (0, Offtopic)

Idimmu Xul (204345) | more than 11 years ago | (#5730266)

Grr that was only yesterday too!

And please stop modding me flamebait :rolleyes: ! (or are you actually happy with the dmca?) :)

Re:You Americans should have another civil war.. (4, Insightful)

evilviper (135110) | more than 11 years ago | (#5730246)

If you look at the history of America, these problems get solved after a while. The reason you don't see people marching in the streets is because nobody's life depends on it. Matters of copyright and other such things may take years to be straightened out, but it happens, no death necessary.

Just recently there have been proposals to amend the DMCA to add some public rights to the equation. They might go somewhere, they might not, but a stable democracy is dependant on changes NOT happening a breakneck speeds.

Re:You Americans should have another civil war.. (0)

Anonymous Coward | more than 11 years ago | (#5730310)

I strongly disagree that nobody's life depends on it. Take the example that the DMCA can be used by a company to supress, say, a report on a flaw in a car airbag system, or a safety valve that happens to be installed in a nuclear power station, or a...

Re:You Americans should have another civil war.. (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5730256)

Thats why we have the right to bear arms! So when the govenment got to represive, we could replace it ourselves. Unfortunetly, the government has been able to convince mostly everyone that the right to bear arms was to protect personal property and such, so anti-gun laws are passed without the populus even giving it a good look. The phrase "think of the children!" will get just about anything passed nowadays.

Quite the reverse, actually. (1)

dark-nl (568618) | more than 11 years ago | (#5730288)

The civil war was a massive power grab for the federal government.

Re:You Americans should have another civil war.. (-1, Flamebait)

jasenj1 (575309) | more than 11 years ago | (#5730298)

No, actually the "nasty oppressors" won last time.

- Jasen.

Give it to me (0)

Anonymous Coward | more than 11 years ago | (#5730122)

I'll read it. To hell with the consequences.

(Please ignore the irony of posting as an A.C. But, it seems that anonymous speech may be the last bastion of truth.)

well (5, Insightful)

Meeble (633260) | more than 11 years ago | (#5730124)

Pretty soon if will even be illegal to have this article posted since it relates to a story which relates to a specific technology that relates to reverse engineering of a product which relates etc etc - because some people don't know enough tech to be passing laws on it.

If a default remote control, garage door opener, et al provided the features the consumers :really: wanted there would be no need for me to go buy a universal remote. It's not the consumer's fault the original creator's product doesn't meet people's needs

I don't know if anyone else saw the >article [securityfocus.com] [securityfocus.com] about the student doing steganography work for his PhD - he's moving all his work offshore because he resides in Michigan and the super-dmca may make 'his whole academic career illegal' - depressing.

Another BS Govt Move (5, Funny)

DSL-Admin (597132) | more than 11 years ago | (#5730134)

Way to secure the flaw, lets just not talk about the flaws and arrest anyone who says otherwise.

The sky is Blue!!

DMCA Official " You must cease to call the sky blue, as it is in violation of what we have said before that the sky is infact not there"

Re:Another BS Govt Move (1)

Coz (178857) | more than 11 years ago | (#5730240)

"You are Number Six. Who is Number One?"

Ostrich tactics (4, Funny)

Cutriss (262920) | more than 11 years ago | (#5730143)

So, assuming that's not possible -- is the DMCA a viable tool to ensure security?

Of course not...the DMCA is a tool that allows companies to safely keep their heads in the sand. Here on Planet Earth, wrapping a towel around your head doesn't *really* make the Ravenous Bug-blatter Beast of Traal go away.

Re:Ostrich tactics (1)

Thud457 (234763) | more than 11 years ago | (#5730320)

Here's the combination to my boss's safe:

32 right - 16 left - 24 right

Disclaimer:this information for educational uses only!

Responsibility (1)

LamerX (164968) | more than 11 years ago | (#5730150)

Just another case of corporations not wanting to spend the extra money to take responsibility for thier own actions. Just like when Ford paid off people instead of recalling thier cars. Just like garage door manufacturers not making secure doors. Just like... etc etc... When is the DMCA going to go away?!?!?!?

I know a little about this... (5, Interesting)

Probius (130206) | more than 11 years ago | (#5730152)

Our school uses blackboard, and last year the machines were shut down for a long time because students used methods to get free stuff out of the snack machines. And I'm not talking cracking a case or making a fake card either. It was really simple too, like swiping really fast after the transaction, if I remember right, and you could get a second item for free. Kinda scary.

Re:I know a little about this... (2, Interesting)

orthancstone (665890) | more than 11 years ago | (#5730292)

Do you know what your school did after the incident? Did they do anything to try and increase security for the system for future prevention?

Marx (0)

Anonymous Coward | more than 11 years ago | (#5730157)

It's lame ass people like you that ruin the world.

obviously not (5, Informative)

ih8apple (607271) | more than 11 years ago | (#5730160)

To answer the question "is the DMCA a viable tool to ensure security?"

Here's [bbc.co.uk] an article from the BBC [bbc.co.uk] .

and here's a good presentation [treachery.net] from toorcon.

and lastly, this [itworld.com] is a good article from ITWorld.

Re:obviously not (1)

ih8apple (607271) | more than 11 years ago | (#5730317)

Just to point out the most important line in the last article:

Security through obscurity alone helps no one

Freedom of the press? (2, Insightful)

Tiger Smile (78220) | more than 11 years ago | (#5730164)

That freedom has taken a back seat to congress' lust for power and money.

We should look for other ways to take on the DMCA. IANAL, but the following link is to an interesting case, about fedral powers. I have some doubt, but maybe this is a method to bypass the DMCA.

http://supct.law.cornell.edu/supct/html/93-1260. ZO .html

I am very interested in what people think. Any ideas?

Ps: Why aren't techies lawyer? Oh, and why look at http://www.lp.org They hate the DMCA also.

Information law as a CS class (1)

0x00000dcc (614432) | more than 11 years ago | (#5730294)

Ps: Why aren't techies lawyer?

There are some out there. As a non-technical (no programming) elective for my CS degree, I decided to take a "special topics" class call information law. We covered DMCA, Elrod v Reno, Franklin v Apple, all that fun stuff. The professor was a computer scientist who also is a patent attorney. Although the prof himself was a little loopy (saw him in a bar and didn't even recognize me although I sat in the front row every day), the class was very interesting. I think it'd be great if more colleges would cover this as a non-tech cs elective.

Money (3, Insightful)

nehumanuscrede (624750) | more than 11 years ago | (#5730172)

Cease and decist letters get written when someone threatens anothers money making schemes. To fix the problem costs money, to scare individual X into keeping their info to themselves is much cheaper.

Try dotLRN - the Free and Open Source alternative! (0, Informative)

tsmoke (455045) | more than 11 years ago | (#5730178)

dotLRN [mit.edu] is the free and open source alternative to Blackboard and WebCT. It is released under the GPL. It is totally open source, supporting PostgreSQL as well as Oracle.

It was originally funded and built by the Sloan School of Business at MIT [mit.edu] and has recently been adopted by the University of Heidelberg in Germany, the University of Bergen in Norway and parts of Cambdridge University in England.

This past weekend I attended the dotLRN Seminar [collaboraid.biz] in Copenhagen and over 70 people from over 20 institutions worldwide were present. dotLRN's future is very bright!

Also, you can rest assured that no learning institution will ever face silliness such as this.


Re:Try dotLRN - the Free and Open Source alternati (1, Informative)

op00to (219949) | more than 11 years ago | (#5730302)

Yes, I'm sure some open source courseware project will kick the pants off of Blackboard, which is a closed-source electronic commerce system for vending machines and POS. Way to go, Einstein.

What about this analogy (3, Insightful)

Anonymous Coward | more than 11 years ago | (#5730183)

Say that a random person on the street finds a crack in a banks wall that allows intruders to get in, tack the cash, and run away. Should the person start holding seminars about how there's such a vulnerability, or should the person go tell the bank so it can fix it?

Initially, the later case seems like the thing to do. But what if the bank ignores you? Should someone be allowed to convey information about a problem with a system if the system controllers refuse to fix it? I'd still think not - it'd be one thing to state that there is a vulnerability, and that in good conscience could not state what the vulnerability is, and quite another thing to go explaining the vulnerability to everyone else.

Just my 2 cents, and as always, there's probably more to the story.


Re:What about this analogy (4, Informative)

Frobnicator (565869) | more than 11 years ago | (#5730307)

or should the person go tell the bank so it can fix it?
They DID try to tell the company, and were "blown off".
But what if the bank ignores you? Should someone be allowed to convey information about a problem with a system if the system controllers refuse to fix it? I'd still think not - it'd be one thing to state that there is a vulnerability, and that in good conscience could not state what the vulnerability is, and quite another thing to go explaining the vulnerability to everyone else.
This is something compuer security has had to deal with for quite some time. The normal ethical guidelines are to first contact the vendor and attempt to work with them to find a solution, and release the information once the vulnerability is corrected. If they either ignore it or fail to correct the problem in a reasonable time frame, the consensus is to take the problem to the security experts and users of the security system generally. This is based on the theory that criminals may already have such knowledge, and therefore the users need to know in order to protect themselves.

Hope that helps with your question.

Is it just me (0)

Anonymous Coward | more than 11 years ago | (#5730196)

... Or does the "land of the free" not have some rather Draconian laws? (Surely, when copyright laws are impose this kind of censorship, things *have* to be wrong.)

Sigh. Thankfully, I live in Canada.

good for students, not for administration (2, Insightful)

Anonymous Coward | more than 11 years ago | (#5730197)

Where I went to undergrad there was a debit card system that was also unsecured (unknown company). This was actually a nice thing, as it effectively meant everything was free for engineering students (vending, meals, ?), with the rest of the student body picking up the tab. I was all for the poor protocols at the time. It?s the administration, not the students or parents that should worry...

And yes I realize this is immoral and wrong, it was more a thrill thing at the time.

Is this SLAPP? (2, Interesting)

dacarr (562277) | more than 11 years ago | (#5730199)

Considering the nature of the security flaws and that they are now exposed, can this legal action against Virgil be challenged under SLAPP clauses?

Official Gentoo-Linux-Zealot translator (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5730208)

Official Gentoo-Linux-Zealot translator-o-matic

Gentoo Linux is an interesting new distribution with some great features. Unfortunately, it has attracted a large number of clueless wannabes who absolutely MUST advocate Gentoo at every opportunity. Let's look at the language of these zealots, and find out what it really means...

"Gentoo makes me so much more productive."
"Although I can't use the box at the moment because it's compiling something, as it will be for the next five days, it gives me more time to check out the latest USE flags and potentially unstable optimisation settings."

"Gentoo is more in the spirit of open source!"
"Apart from Hello World in Pascal at school, I've never written a single program in my life or contributed to an open source project, yet staring at endless streams of GCC output whizzing by somehow helps me contribute to international freedom."

"I use Gentoo because it's more like the BSDs."
"Last month I tried to install FreeBSD on a well-supported machine, but the text-based installer scared me off. I've never used a BSD, but the guys on Slashdot say that it's l33t though, so surely I must be for using Gentoo."

"Heh, my system is soooo much faster after installing Gentoo."
"I've spent hours recompiling Fetchmail, X-Chat, gEdit and thousands of other programs which spend 99% of their time waiting for user input. Even though only the kernel and glibc make a significant difference with optimisations, and RPMs and .debs can be rebuilt with a handful of commands, my box MUST be faster. It's nothing to do with the fact that I've disabled all startup services and I'm running BlackBox instead of GNOME or KDE."

"...my Gentoo Linux workstation..."
"...my overclocked AMD eMachines box from PC World, and apart from the third-grade made-to-break components and dodgy fan..."

""You Red Hat guys must get sick of dependency hell..."
"I'm too stupid to understand that circular dependencies can be resolved by specifying BOTH .rpms together on the command line, and that problems hardly ever occur if one uses proper Red Hat packages instead of mixing SuSE, Mandrake and Joe's Linux packages together (which the system wasn't designed for)."

"All the other distros are soooo out of date."
"Constantly upgrading to the latest bleeding-edge untested software makes me more productive. Never mind the extensive testing and patching that Debian and Red Hat perform on their packages; I've just emerged the latest GNOME beta snapshot and compiled with -09 -fomit-instructions, and it only crashes once every few hours."

"Let's face it, Gentoo is the future."
"OK, so no serious business is going to even consider Gentoo in the near future, and even with proper support and QA in place, it'll still eat up far too much of a company's valuable time. But this guy I met on #animepr0n is now using it, so it must be growing!"

Another way to go about this? (0, Insightful)

ToadSprocket (628571) | more than 11 years ago | (#5730209)

Maybe these guys should have called Blackboard and informed them of the vulnerabilities, and worked with them to fix it, instead of taking the exploits into a public forum? If I am Blackboard, and there is a fatal flaw in my product, why wouldn't I want to fix it?

I don't mean to present an opposing viewpoint or anything. Wait... MICROSOFT SUCKS! That better?

Re:Another way to go about this? (2, Informative)

Dyolf Knip (165446) | more than 11 years ago | (#5730255)

Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").

And you know very well that this is not the first time this sort of thing has happened.

Re:Another way to go about this? (5, Informative)

Anonymous Coward | more than 11 years ago | (#5730285)

This is a snippet from Acidus' old website. It relates the timeline of events. I hope you enjoy.

Sorry for posting AC but since this does come from Acidus' website ....

Spring 2001 - I got interested in the Buzzcard network on Campus. Based on the AT&T logo, I went to the Internet and soon found out about the system. Lots of Web research done, and fieldwork on the connection between the device and the reader. Locked Cabinet with Multiplexes was opened and photo was taken of insides. Determined which wires to cross to make doors open, laundry machines get credited, etc.

Summer 2001 - Continued exploring the system, called the company (now Blackboard), and interviewed Jim Resing.

Fall 2001 - With Publishing of my Fortres article, increased last minute field research, and finalized my notes. Called Blackboard again to tell them all the flaws I found, was blown off.

Spring 2002 - Wrote Article, and was published in Spring 2002 issue of 2600.

6/2002 - Blackboard learned of my article. The Blackboard Usergroup tried to track me down; finally figuring out I went to Tech, saw my web page and was very upset. Concerns about how accurate my article was are posted by schools around the country to the list-serve. GT tells the list-serve that they are looking into it and they would reply again soon.

GT Police asks to speak to me to determine if crime was committed. GT Police never file charges and indeed I am told there is no long an investigation. Buzzcard Office conducts internal audit of their systems. I go to Buzzcard office unsolicited to try and assist them in securing their system. They were not happy to see me. Office of Information Technology (OIT) on campus starts a test of the Buzzcard system to see if any of the attacks described in article are valid.

Buzzcard office asks that I remove picture of inside of the locked cabinet from my web page (since its hosted on GT machines), which I did. Buzzcard center asks me to remove AT&T cached pages, which I refuse to do. (Its not theirs, if AT&T wants it down, they can ask me).

Buzzcard office reluctant to talk with my about my article, since they don't want to confirm or deny how accurate I was. They do confirm the VTS could be hacked and money can be added to any accounts as I describe. However parts of my article (namely how to clone a card through the VTS), are, they claim incorrect. They ask if I would write a letter for the list-serve that explains what parts were incorrect. I agree as long as my letter will be unedited, and I get to also stress what parts are accurate to let colleges learn what they need to secure. Buzzcard office agrees but continues to cancel my meetings with them and not return phone calls. I am contacted by several colleges that are on the list-serve. They tell me that Tech has all along been posting that they have interviewed me, that my article is totally false. Tech uses such loaded statements as "As any experienced administrator should know, these security holes are not possible." These colleges are concerned Tech is not being truthful, and want to talk to me. I see that the Buzzcard center was stringing me along, and cease my attempts to contact them, or help them fix their pathetic security.

OIT concludes their investigation, and confirm that everything in my article is correct, except about how to clone a card. Tech does not post these results to the list-serv.

Dean of Students is involved, and is checking to see if, while no laws were broken, if I broke institute policy.

duh, they did (1)

JiffyPop (318506) | more than 11 years ago | (#5730331)

about 2 years ago, at that.

why don't they fix it? because that requires time and money...

alternative views are wonderful. just don't assume that because you have a different view that you have stumbled upon an insight that everyone else has missed.

Companies hurting themselves (4, Insightful)

Blue23 (197186) | more than 11 years ago | (#5730214)

You know a C&D letter may stop people from disclosing exploits, but will not stop people from disclosing that their are exploits. That's enough for lots of poor, enterprising college students.

A much better plan would of been to let these guys give their talk, to hire them, fix the problems, and them make a bundle in upgrades to existing customers. Come on, if some of these installations are 20 years old we're not talking much more then maintenance revenue. On the other hand system upgrades, especially when demanded by parents, can net a pretty penny. The colleges could have fund drives, hit up alumni societies, all the normal ways to get money when something unexpected walks through the door.

Instead the company gets to look like a fool that knows there are security flaws, aren't fixing them and instead are wasting money on laywers, get getting bad press.

Oh well, I guess there is no such thing as bad press. And that companies would rather think about prestige short term then a better product long term, even if the better product will get them more money.


"Power Point" is a trade mark, not a thing (2, Interesting)

t_allardyce (48447) | more than 11 years ago | (#5730220)

"remove all references to Blackboard and its Transaction System from any website, power point presentation, seminar handouts, or any other promotional materials"

Why so Microsoft centric? does that mean they can use OpenOffice.org "Impress" presentation slides instead? Does that also mean Microsoft can sue the lawers for use of their trademark in their document?

it's over (5, Interesting)

HBI (604924) | more than 11 years ago | (#5730221)

Time to stop being a geek. I'm getting my pencils and paper back out, doing RPGs that way, and selling off my 7 or 8 computers.

I can see the writing on the wall just as easily as anyone else. The joy that I got out of these marvelous toys just isn't worth it anymore. It used to be liberating, now it's just torturous. I can think of dozens of ways to get thrown in prison just by playing around with my system at night after work. Tinkering and exploring are forbidden. I'd rather be an insurance guy or something similarly boring then spending part of my life in a 4x6 cell, or even living in fear of same.

Just proof once again that anytime government gets involved with anything, it sucks all the fun out of it. All in the name of equity and greater corporate profits.

Is this the most correct channel? (5, Interesting)

sabinm (447146) | more than 11 years ago | (#5730230)

Surely Acidus and his colleagues informed the Universities about this before they went public with this information. That is of course the most effective way to get the system to change. . . Imagine inviting the Dean of Purchasing and Procurement to a Coke and a Apple pie on campus and using a facsimile of his id and account to pay for it. Or even more fun - - getting a sweet new laptop at the bookstore with a hyper-inflated account balance. Most certainly then Blackboard would think about upgrading their machines. Announcing that you are going to circumvent their digitally encrypted system in public, no less, simply gave Blackboard a way to facilitate their illegitimate hardware and polices and making it legitimate under the cover of an unjust law.

As my good old Uncle Scrooge always said: Work Smarrrrrterrrr not harrrrrderrrrr

Freedom? (2, Insightful)

AmbyVoc (596135) | more than 11 years ago | (#5730234)

So the legistlation in the US no longer supports freedom of speech? God bless America, again.

You should really consider switch to using GNUnet/Freenet solutions for distributing such information there since it seems the Government there is just too restrictive.

I bet the NSA & Co. are after me now for whatever reason they can come up with... truth hurts yea I know...

- Voice of Ambience -

Stupid. Typical. (5, Insightful)

jasenj1 (575309) | more than 11 years ago | (#5730236)

If guns are outlawed, only outlaws will have guns.

If hacking is outlawed (and talking about it), only outlaws will know how to hack.

So who do you get to sue if someone makes a dupe of your ID card and raids your campus debit account, or breaks into your dorm room? The school? The hacker? The company that sold the school the lame ID system they claim is secure but is not?

I would think the schools would like to know why sodas, meals, etc. are disappearing from their supplies. Hmmm.... This Coke machine is empty, but only 5 Cokes were recorded to be bought from it. Hmmm...

This is the worst kind of security through obscurity.

- Jasen.

Thanks for the LINKS Jamie! (1, Redundant)

Real World Stuff (561780) | more than 11 years ago | (#5730237)

1.3- About this FAQ
This FAQ was originally written as a supplement my 2600 article "CampusWide Wide
Open." This Article was published in the Spring 2002 issue. Back issues are
available from www.2600.com, or download the article from:

The Article caused a lot of stir, which I'll discuss later. This stir allowed me
to talk with some of the CampusWide admins at my school and they told me of
some things that were either incorrect in my article. In addition, they were
several things left out of my article, little bits of tech info. Some theories I
have, new info, etc. Hence the need for the FAQ to make sure this stuff stays
update. But instead of merely having it as a supplement, I figured having all
the information in 1 place would be much more helpful.

1.4- What will I get from this FAQ?
Updated info. I researched the article in the summer of 2001, and finally wrote
it in the spring of 2002. It was as accurate as I could make it. However even
then there was info I had to leave out for length reasons, and others mentioned
in the last section. This FAQ will make sure the info about the system stays
current. You will not find in the article or this FAQ how to cheat/steal. I will
not tell you any info someone could be directly applied to steal from the

2.1- So what is CampusWide?
CampusWide is the mostly widely used card access system in America today. It
sadly is the least secure. CampusWide is ID Card solution originally created by
AT&T, and now owned by Blackboard. It is an ID card that can be used to purchase
things from vending /laundry machines, or the college book store just like a
debt card. Its used to check out books from libraries, open computer labs and
buildings at night, gain access to parking decks, and even get you into sporting
events. The CampusWide system gives everyone a card that lets them access both
unattended and attended card readers and Points of Sale. All these actions and
transactions are sent to a central server which stores all the information in a
database. A confirm or deny signal is sent back to the card reader, and the
transaction goes through or is denied. It is fast becoming the way of life on
college campus around the world. You need it to eat, to get into your dorm, to
get into college events, everything.

2.2- CampusWide? I thought it was called X
The CampusWide system has been called lots and lots of names. AT&T first
developed it and called it the AT&T CampusWide Optim9000 System. It was
generally called CampusWide. When Blackboard bought AT&T's system, in 2000, they
also bought another system called Envision from a company named Icollege.
Blackboard then had 2 products, the Blackboard Optim9000 system, and The
Blackboard Envision System. Blackboard is only selling one system, called
Blackboard: Transaction System. However this new system comes in 2 versions, the
Windows Version and the Unix Version. Since AT&T marketed this thing as
CampusWide for short, and did it for a number of years, and since Blackboard has
been doing it for so few, I call the collective whole system CampusWide. When I
refer specifically to the Unix version, I will say Optim9000, and when I referto
the windows version, I will say Envision.

2.3- Wait. there are 2 systems?
You need to understand that the front end of CampusWide, the card readers and
data lines for both Envision and Optim9000 are the exact same The difference
between Envision and Optim9000 are their operating systems and their databases.
The card readers can't tell the difference. The faults in my article apply to
both systems (though the technical data is for the Optim9000 system).These
faults are for both systems since they both use RS-485 lines.

2.4- What does it look like?
2.4.1- Readers
The CampusWide system is easy to spot. The readers are black metal or plastic,
almost all have LCD screen (2x16 seems to be the standard), and they will have
no writing on the except the AT&T logo, and the word "AT&T" is under it. The
newer Blackboard ones work exactly the same as the AT&T ones, only they have
Blackboard written on them. They vary in size, with your door readers being
about 3"x5" all the way up to POS terminals, which are around 14"x28". The old
AT&T ones look very institutional, and very boxy. The newer Blackboard readers
appear sleeker, with angles and such.

2.4.2- Data Lines
Data Lines are the normally hidden away. The ones I have seen are grey cables
with 4 wires in them. Red, Black White and Green. However I imagine they could
be any color. Coming out of the blacks of coke machines (if a reader is
installed) is a black wire with a telephone (RJ-11) jack on the end. I would
imagine all 4 wires on the hack are used.

Normally you can't see the data lines, because the school should have taken
steps to shield them. This normally takes the form of metal conduit, flexible
metal sheaths, and thicker pipes for multiple lines.

2.4.3- Metal Enclosures
In areas where there are lots of readers, multiplexers are used (more on these
later). These are most commonly found in laundry rooms. Blackboard doesn't
advertise these, but AT&T had them, so I figure they do as well. AT&T called
them MW/MHWMENC : Wall Mount Enclosure. It's a big grey metal box, about 3'x4',
that will have a lot of thick pipes (About 3" in diameter) coming out of the top
of it. It has a handle with a lock. It's the type of handle that when you turn
it, 2 bars are twisted by the handle and pulled back to within the shape of the
door, on the inside. The door can now be opened. There is a fault to the door
though. The lock/Handle is held in place by 4 flat head screws. Simply
unscrewing these and turning the entire assembly clockwise will open the door.
The bad part of Blackboard is these enclosures have no means of attaching an
external lock, and to make them secure either the entire enclosure needs to be
replaced, or the screws need to be changed to carriage bolts.

3.1- So what is the current system
Blackboard currently (7/13/2002) offers one card access solution, known as the
"Transaction system." It comes in 2 versions "Unix," and Windows. The Unix
version is the AT&T CampusWide System. The windows is the Envisions system
running on Windows NT. The basic layout of the system is a central server,
talking to hundreds of readers through data lines.

3.1.1- The Server
The AT&T system and the Unix version of Blackboards system is recommended to run
on HP9000 machines, though any RISC processor will do. It only runs on HP-UX
(Blackboard currently installs ver 11.x). The AT&T system had a list of specs
that the end users must have to support the software. These included the above,
but also a 4 gig Digital audio Tape with a 4 gig capacity of equivalent and a
UPS that can keep the system up for 20 minutes (Blackboard's newer specs suggest
a Best Ferrups 1.8 KVA battery that can go for 45 minutes). More interestingly,
the CampusWide system is required to have a 9600 baud modem for remote
diagnostics The system itself consists of 2 parts: The Application Processor
(AP) and the Network Processor (NP). The Applications Processor is the backend
of CampusWide, the part the users never see. It manages the database where all
the information is stored, and provides an interface for human operators to look
at logs and run reports, and well as change configuration/privileges, and
transactions/account maintenance. The NP is the gateway from the infrastructure
to the AP. It takes in the requests from readers around campus, and converts the
mode of communications into commands the AP can understand, and then passes it
along. AT&T CampusWide could support up 60 communication lines and 1000 card
readers the new Blackboard system allows up to 3072 readers. Please note that
the AP and the NP don't have to be 2 different machines. Indeed they could be on
a single machine, or a spread over a cluster.

The Windows version, runs on a Windows NT/2000 machine. The above stats were
taken from AT&T's page, and thus don't necessarily apply to the the Windows
version. However, I would imagine that the same type of equipment would be
needed. A UPS, some type of backup for the database (could be a DVD-R). There
also needs to be some kind of interface to the RS-485 lines. You could look for
companies that make RS-485 adapters for PC's (probably plugs into a PCI slot).

3.1.2- The Database:
All the information about a student or employee isn't stored on the card for
security reasons: its stored in the database (The card simply has an account
number which is used to organize the data in the database). The database used by
the current Unix Blackboard system is dbVista. The database used by the Windows
version is Oracle. The database for the AT&T version was never advertised by
AT&T, but was believed to be Informix. However, based on the modular design of
CampusWide, I believe any SQL queried Relational Database should work. The
database is most likely not encrypted or protected in any way other than by
isolation. The only way to get to it is either at the console of the AP, or by
the commands sent from card readers that have already passed through the NP.
Blackboard's assumptions that these 2 ways of reaching the AP are secure are the
one of the systems downfalls. The database can store up to 9,999 different
accounts, each account having many different fields. The balance the person has
and the doors he can open are included in the system. The balance will be a
floating point number, and the doors the person can open will most like be a
string of characters, with the bits being used to tell which doors
he can or can't open. The doors are most likely grouped into zones, so that the
5 doors into a building have 1 bit instead of 5 separate bits saying if the
person can open those doors or not. This idea is upheld by the fact that
Blackboard says the users are given plans and that can be updated regarding
their access to buildings. This plans grant different levels of security access
to a building. Lower levels can get into the building through all the exits,
next level can access labs on a certain floor, etc. Without direct inspection of
the database, only educated guesses can be made about its structure. (I have
totally left out any provisions for checking put books, and other things the
card can do).

3.1.3- The Card
The ID cards that are used are your standard ANSI CR-80 Mag stripe cards. They
are made of PVC and are 2.125 by 3.375 inches. They are made onsite at the
college's "card station," and normally have a photo ID on them. A 300 dpi photo
printer is used, and the company recommended by Blackboard to use is Polaroid
(Just like the printers at the DMV). The magnetic stripe on the card is a
Standard American Banker Association (ABA) Track 2. Any card reader/capture tool
can read these cards. The cards are encoded on high Coercivity stripes (known as
HiCo), which are very resistance to wear and tear. These cards only use Track 2
of the card which is read only. It is interesting that they don't use Track 3
which is read/write. Track 2's information breakdown is as follows:
Start Sentinel = 1 character
Primary Account Number = Up to 19 characters
Separator = 1 character
Country Code = 3 character
Expiration Date or Separator = 1 or 4 characters
Junk data = Fills the card up to 40 characters
LRC (Longitudinal Redundancy Check = 1 character

As you can see, most of this applies to banks, however the account number I have
stamped on my CampusWide card is 16 characters long, so the Primary Account
number field is known to be used. CampusWide also allows for lost cards. If card
is lost, an entry is made in that person's table in the database, the last digit
of the account number is increased by one (this is called the check digit, so of
the 16 digit account number I have the first 15 digits are my number the 16th
digit is the check digit) deactivate the old card that uses the old check digit
and then prints a new card.

3.1.4- The Infrastructure
The infrastructure is a "security through obscurity" ploy of the system.
Originally the system was designed to run over a several of RS-485 drop lines
(This are the 60 communication lines mentioned before). RS-485 is a very robust
means to transmit data (The whole CampusWide system is designed to take a
beating). Unlike RS-232, which has a protocol build in to the standard that says
how devices must talk to each other (stop bits, baud, handshaking, etc), RS-485
has none of that. It is a way for a master device that sits at the end of a
communication line to talk to slave devices that are daisy chained on the line.
The CampusWide system uses the full duplex version of RS-485 where slaves can
speak to the master before the master polls them for data (CampusWide needs this
to have the sub-seconds times they advertise. However, the NP still polls all
the readers on a regular basis, and can be interrupted by a reader when a
transaction comes in.). The data lines are very robust against noise and
interference. RS-485 has 2 lines in each direction, called A and B. Data is sent
by having a difference in the voltage of A and B of more than 5 volts. This mean
that if you have a signal being sent, and A is at 10 volts, and B is at 15, and
a power spike comes along, the spike will boost BOTH voltages by the power of
the spike, however the difference between the higher power A and B will still be
5 volts, and the data is not corrupted. Over short distances, speeds of 10Mbit
can be achieved. However the longer the cable is, the lower the speed.

All CampusWide card readers operate at 9600 baud, thus making the max distance
of the RS-485v drop line can be to still be able to transmit at 9600 baud is
4100 ft. This can be extended through the uses of repeaters and boosters on the
line. RS-485 is not something you would find just sitting around on a college
campus. Its primary use is in industry, for talking to different machines on
assembly lines. I guess AT&T figured it was "secure" at a college since it is
unlikely anyone would have a means to interface to it.

AT&T recommend that these lines be used (indeed all the readers can only
transmit their data in RS-485 mode), however the data can travel over any
facility from telephone lines to radio waves, provided that full duplex 9600
baud asynchronous communication can occur on them. The NP is the part of the
system that would sort all this out.

The infrastructure ends up like this. All the devices in a building send their
lines into 1 place in the building. This is where multiplexers exist which split
the main RS-485 drop line up into slices for each reader. These multiplexers
also can boost the power of the main drop line, letting it travel longer
distances. These multiplexers can be stored in a locked networking closet or in
these big metal cabinets on the wall of a room. AT&T called these MW/MHWMENC -
Wall Mount Enclosure. The drop lines coming to the building can be traced back
all the way to the building the houses the NP. There the NP interfaces with the
AP to approve or deny transactions.

3.1.4- The Readers:
Every reader imaginable is available to a college from Blackboard. Laundry
readers, Vending machine readers, Point of Sale (POS) terminals in the campus
Bookstore, door readers, elevators, copiers, football game attendance,
everything!!! All of the readers communicate using RS-485 lines, and if any
other medium is used between the reader and the NP (such as a TCP/IP networking
by way of the IP converter), it must be converted back to RS-485 at the NP,
since all CampusWide uses that standard. Everything is backwards compatible, the
majority of my college campus has AT&T readers on them, though a few new
blackboard readers are showing up.

AT&T had great technical specifications of the campusWide system on their web
page. Blackboard doesn't. AT&T removed their old HTML documents from their
server when Blackboard discovered by article, and pressured them to remove them.
Google no longer has the pages in their cache. For all I know I am the last
person who saved copies of them. So in the next section I will reprint all the
technical data from these pages, along with my description of them. Security readers
Security readers are made of high density plastic, and consist of a vertical
swipe slot, and 2 LEDS. They are green when they are not locked, and red when
they are. When you swipe a card to open a door you are cleared for, the light
will change to green for around 10 seconds. If the door has not been opened in
that time, it locks again. To allow for handicap people who may not be able to
get to the door in time, a proximity sensor is available. There is also a model
of door reader with both a swipe and a 0-9 keypad for codes. Advanced forms of
these 3 security readers are available, which have the ability to have a local
database of 4,000 (expandable to 16,000) account numbers stored in NV-RAM. This
way if for some reason the card reader can't reach the NP to confirm someone's
Identity, then the reader can check its local records. The tricky bastards also
built the readers so there is no visual difference between a reader that can't
reach the NP and one that can.

3.2- What has Blackboard changed on the CampusWide system.
Blackboard has left the basic structure the same. They have to for compatibility
sake. They have added 2 new features IP Converters and MDTs

3.2.1 IP Converters
In an attempt to phase out the old RS-485 lines, Blackboard has created IP
Converters. They are simple boxes with a Pentium class processor and a NIC
(whether they are actual computers or boxes I don't know) that take in the RS-
485 signals from up to 16 readers, encrypt them, create an IP packet (whether it
is UDP or TCP I don't know, I think UDP would function), and send them out onto
the existing campus network. The website doesn't say whether it needs to be
Ethernet or not, but I doubt it support token ring or BNC. What encryption is used by the IP converters.
I really don't know. The only thing Blackboards says about their IP Converter's
encryption is that you can change the key on a regular basis if you want to. The
IP Converters are have Pentium class processors in them, so they have the power
to do some serious encryption. I have a feeling on the high end it is probably
DES, and on the laughable end Rot13 or XOR. Since companies tend to brag about
the key length of their encryption in an attempt to amaze people, and Blackboard
doesn't, but instead is secretive. I bet it is most likely a simple algorithm,
probably XOR, with a key around 5-10 bytes.

3.2.2- Merchant Dial-up Terminal (MDT)
The MDT is a way for pizza joints or other venders around campus to use have the
dept services of CampusWide in their store, without having to run expensive rs-
485 drop lines all the way out to the vender. This used to be the way AT&T did
it(around 1998). These simply dial in through a modem directly to the Network
Processor (NP), and hand it the requests. This has major security risks, as
anyone dialing this number is now dealing directly with the NP, and it is the
doorway to the Appliances Processor (AP), which stores the database of

4.1- Would Encryption Help for the RS-485 Lines?
No. If the reader takes its data and encodes it to "DOG", and "DOG" is sent to
the NP. The NP decodes "DOG" and gets the data. and then sends back an ok signal
encoded as "CAT". If you capture the "CAT" signal You can simply send "CAT" back
to the reader, and the reader will decode it. So you see, encryption doesn't
matter as long you have access to the raw data on the RS-485 lines.

5.1- What do you mean Full 96 character ASCII Set? Isn't 265? Yes and no. ASCII
is defined as characters 0-127, and is constant on all machines. Extended ASCII,
isn't standard, and is 128-255. There are 96 characters that are printable
characters of the ASCII set. 0-31 are control characters used for lots of stuff
that cash receipt printers don't need. 127-32 = 96 (inclusive math), so all the
printable characters are available.


7.1- How do I contact Blackboard.
Blackboards Headquarters are in Washington DC:

Blackboard Inc.
1899 L Street NW, 5th Floor
Washington, DC 20036
202.463.4863 fax

Their CampusWide Division is located in Phoenix. This is where AT&T's branch
was too. In fact, Blackboard used to have AT&T's offices until about a year
ago. However the still kept AT&T's original Phone number, even at the new
location. Here it is:

Blackboard Inc.
22601 North 19th Avenue, Suite 200
Phoenix, AZ 85027
623.476.1401 fax

For fun, here is AT&T's and later the original Blackboard office's information:

AT&T CampusWide
2362 W. Shangri-La Rd.
Building 100
Phoenix, AZ 85029-4724
Toll Free: 800-528-0465
Phone: 602-944-1565

Oh yeah, this helps. (1)

solios (53048) | more than 11 years ago | (#5730271)

All these cats gotta do is leave their findings in a position where they can be easily "stolen". Some 1337 haxx0r with that information in his hands can do whatever the hell he wants with it, especially if he's outside the US- HE wasn't smacked with a cease and desist, after all...

The worst thing about this situation is that it's now an effective known that the system can be compromised. That fact alone is sufficient motivation for many who would have something to gain from an effective hack- especially since the company is so hellbent on keeping it quiet!

Facts like this should be released on foreign servers outside of US controlled DNS, made publicly available and actively linked to. Why in the flaming hell would I ever want to be in a position to have to use this system when it's been proven insecure and the manufacturer refuses to fix the problems? I'd feel safer running IIS without a firewall- at least the fucking bug fixes are actually released to the public periodically.


Seriously. Drop a big flaw like this anonymously on usenet- thoroughly documented and reproduceable- and it'll get fixed by the end of semester.

Disgusting (0)

Anonymous Coward | more than 11 years ago | (#5730284)

This is really disgusting.

It's amazing people can sleep at night when they pull off shit like this - to endanger the financial status of students for the sake of saving public face.

I hope this business goes as stone cold as the money that runs through its veins.

Could someone please not be a wuss about this? (1)

litewoheat (179018) | more than 11 years ago | (#5730286)

Someone, for whom this directly effects needs to stand up and fight these things rather then back out and whine about it! We need a court case to make it to the Supreme court to overturn this idiotic law. Its in clear violation of the First Amendment and even the current Conserative Court can't ignore that. I'm sure who ever takes it that far will be backed by EFF and or ACLU. Someone please take a stand. If this effected me directly I'll be right there.

Hacking by any other name (1)

lemongrass (657516) | more than 11 years ago | (#5730326)

All the objections to the DCMA are just the same objections to hacking that were used as excuses for breaking in to other people's systems. There is no right to other people's property, and no right to duplicate a key or otherwise bypass a security system to gain access to someone's house or premises. Academic work to prove a method or algorithm is flawed or insecure should certainly not be outlawed, but attempts to crack a specific product or protection scheme are valid actions that can be legislated against.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?