Student Attempting To Improve School Security Suspended

Zonk posted more than 7 years ago | from the no-good-deed-goes-unpunished dept.

Education 282

TA_TA_BOX writes "The University of Portland has handed a one-year suspension to an engineering major after he designed a program to bypass the Cisco Clean Access (CCA). According to the University of Portland's Vice President of Information Systems, the purpose of the CCA is to evaluate whether the computers are compliant with current security policies (i.e., anti-virus software, Windows Updates and Patches, etc.). Essentially the student wrote a program that could fool the CCA into thinking that the computer's operating system and anti-virus were fully patched and up to date. 'In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says.'"

University doing a favor (5, Insightful)

Anonymous Coward | more than 7 years ago | (#18906387)

It seems obvious that the suspension is a favor done by the university. A person of this caliber could do better in the workforce or a better university instead of TEACHING the university...

Re:University doing a favor (0)

Anonymous Coward | more than 7 years ago | (#18906399)

Why did I leave college early........Oh now I remember!!

Re:University doing a favor (5, Insightful)

bfizzle (836992) | more than 7 years ago | (#18906505)

I wouldn't want to hire someone who wrote a piece of software that clearly violates University Policy and used it for 6 months. It's one thing to write the software, distribute it as a proof of concept and let Cisco or the University fix it. It's a whole other to write the said software and use it to exploit the hole for an extended period of time then claim you were going to tell Cisco months later. His actions sing a whole different song than his words.

Re:University doing a favor (3, Insightful)

rblancarte (213492) | more than 7 years ago | (#18906709)

I don't know if I would fully agree with not wanting to hire this guy. He is clearly smart and knows what he is doing. As a programmer, he could be a valuable employee.

NOW, that being said, I am the first that will say - if you do something like this, know that you are breaking the rules and be prepared to pay the consequences (the guy is ROTC, and probably is going to owe the Air Force some money). If you stumble upon something, that is one thing. But to blatantly break the rules for SEVEN months - bad idea.

And the guy can say "I was planning on going to Cisco with the vulnerability this summer," But that is just talk. Yes, it could be true, but it also could be something he is saying to try to cover his butt since he was found out. Sorry, paint me skeptical.


Re:University doing a favor (2, Insightful)

Romancer (19668) | more than 7 years ago | (#18906955)

Totally agree. Regardless of what his intentions were, he did make the entire network less safe against the specific will of the administrators. By bypassing the security check he opened up a door that they were trying to keep closed. He states no gain from bypassing these checks that would offset the risk created by using his code. So there was no benefit other than making the network less secure.

Now imagine that a virus got in through this hole and deleted all their e-mails on campus. What would the opinion be then? Even if he had contacted Cisco I think that they would have told him in the second line to not run the code because it would cause a vulnerability. IE:

Thanks for contacting Cisco. Do not run that code on any network that you do not own.

Proof of concept is a totally different thing than what happened here. He is trying to cover his ass.

Re:University doing a favor (2, Insightful)

Anonymous Coward | more than 7 years ago | (#18907171)

If you implement/code security software with holes in it, you deserve to have them exploited. If this university was truly devoted to research they would take this as an opportunity and challenge other students to exploit the system. This isn't a national defence system or even a corporate accounting computer. This is a university, their primary concern should be research, their secondary concern should be education, and security shouldn't even enter into the picture.

Re:University doing a favor (2, Insightful)

lpw (1089731) | more than 7 years ago | (#18907657)

security shouldn't even enter into the picture

Have you any idea how much confidential information lives on university networks? Many university researchers sit on loads of proprietary and/or highly sensitive data with confidentiality and nondisclosure agreements up the yingyang. Public health, national security, and defense research come to mind. Security MUST be part of the picture, lest the university lose the trust and the funding from external sources that value the privacy of their data.

You must be new here (the universe, not Slashdot).

Re:University doing a favor (2, Interesting)

cheater512 (783349) | more than 7 years ago | (#18906875)

I'm not sure exactly what the Cisco software does so I could be on the wrong track.

At my uni we are given a pathetic 150mb/month internet quota and we are charged $7/gig extra.
I naturally found a way to get free net and I really don't have any problem using it for personal use.
I don't abuse it or anything either.

If the Cisco software put constraints on how the guy could use the computer then I would hire him in an instant.
The more you try to lock something down, the more people try to fight back.

You'd be stupid not to hire the people who beat the system - especially since we are talking about a Cisco system.

Catch me if you can (3, Insightful)

electrosoccertux (874415) | more than 7 years ago | (#18906975)

Clearly you haven't learned from the movie "Catch Me If You Can".

These people can outsmart you every minute of the day if you give them reason to. Why not just employ them and get on their side?

Oh right, this isn't about security, this is another stupid power struggle.

RTFA before commenting... (4, Insightful)

msauve (701917) | more than 7 years ago | (#18907101)

"There was nothing in [the policies] that stood out to me that I would be in violation of," Maass said of his thinking at the time he authored the program.

Maass was charged with "violations of the Acceptable Use Policy, the Network Security Policy, disrespect for authority, disrespect for property, disorderly conduct and fraud," according to a letter he received from the University Judicial Board...

"A lot of these policies are written to be very vague and flexible so that they can be [used] in whatever situation they (the University) need to use them in," he [Maass] says...

Goldrick [vice president of student services] declined to comment on issues concerning policies.

Would you care to quote the policy you claim he broke?

No, it sounds like he embarrassed the University IT administration, so they closed ranks and used a kangaroo court to express their displeasure. Dean Wormer put him on double secret probation first, I'm sure.

Re:University doing a favor (1)

kimvette (919543) | more than 7 years ago | (#18907237)

I wouldn't want to hire someone who wrote a piece of software that clearly violates University Policy and used it for 6 months.

Keep in mind that some universities require that you run only WINDOWS on machines attached to their network, including computers connected from your dormitories. Sometimes policy is stupid and ought to be ignored, just as unjust laws ought to be broken.

Re:University doing a favor (1)

EveLibertine (847955) | more than 7 years ago | (#18907375)

Wrote a piece of software that clearly violates University Policy and used it for 6 months... His actions sing a whole different song than his words.
The biggest offense that you can cite in his actions is that he gave the software to a few friends and a professor. When developing a piece of software such as this, one might be best served by testing it on a variety of different computers, especially if you plan on presenting it to a potential employer. In fact, this sounds pretty close to what he said he was doing with it, so his actions speak pretty closely to his words. You don't just write software, guess that it works, and go run off to a company to demo it to them. Unless you're some kind of fan of untested, broken, and poorly designed software. I wouldn't want to hire anyone who did anything less. Regardless, I imagine giving the software out to a professor was probably not the brightest of his ideas, as it was probably installed on a school owned computer that probably (if my own experience is of any value here) crashed, broke down, and did all sorts of other unsightly things that required the services of their local IT support. Upon their latest maintenance of the machine they would find this strange piece of software. At least that's how it played out in my mind when I read that he gave the software to his professor.

Hanlon's Razor comes to mind:
Never attribute to malice that which can be adequately explained by stupidity.

Don't do security research in the US (5, Insightful)

Anonymous Coward | more than 7 years ago | (#18906393)

Anyone in the software biz should know: don't do security research (look for vulnerabilities) in commercial software or commercial websites if you want to be in the US. If you find a vulnerability, like a website that lets you launch missiles by putting &loggedIn=true in the URL, the best thing to do is to laugh to yourself about it, and forget it. Failing that, use some secure anonymous service and post the vulnerability somewhere. Doing the responsible thing, like informing the vendor, is absolutely thankless and likely to result in nothing but problems. Be smart, don't be a hero. Don't try to improve the security of others.

Re:Don't do security research in the US (1)

iamacat (583406) | more than 7 years ago | (#18906489)

commercial != educational. I am sure we agree that we don't want security research to be done on city's traffic light system or nuclear missile control.

Re:Don't do security research in the US (1)

strider44 (650833) | more than 7 years ago | (#18907235)

So you instead just pretend or blindly hope that they're secure and simply wait for the first person to come along who actually *wants* to cause traffic chaos or launch nuclear missiles?

Using the Ravenous Bugblatter Beast of Traal method. All we need to do is arrest anyone who points out your obvious idiocy then the obvious idiocy will obviously disappear.

PS IAASR, though a relative beginner at the job.

Re:Don't do security research in the US (1)

iamacat (583406) | more than 7 years ago | (#18907701)

Nice sentiment, but in practice it's hard to tell if the intruder is going to cause harm or just point out the flaws until it's too late. I think in the case of university computer (especially your own one in the dorm) and in case of nuke control, preemptive responses should be quite different.

Re:Don't do security research in the US (0)

Anonymous Coward | more than 7 years ago | (#18907167)

Research alone isn't why he got in trouble -- the problem is that he never involved the IT department. That's all he had to do. When I went to a different state college in Oregon, I had a blast working on special projects during my free time, but I always arranged them with the IT department.

Whatever happened to just Smoking in the Boysroom? (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18906401)

Did you ever seem to have one of those days
When everyone seemed to be on your case
From your teacher all the way down to your best girlfriend
Well, that used to happen to me all the time
But I found a way to get out of it

Sittin' in the classroom thinkin' it's a drag
Listening to the teacher rap--just ain't my bag
When two bells ring you know it's my cue
Gonna meet the boys on floor number 2

Smokin' in the boys room
Smokin' in the boys room
Teacher don't you fill me up with your rules
Everybody knows that smokin' ain't allowed in school

Checkin' out the halls makin' sure the coast is clear
Lookin' in the stalls--nah, there ain't nobody here
My buddies sixx, mick & tom
To get caught would surely be the death of us all

Smokin' in the boys room
Smokin' in the boys room
Teacher don't you fill me up with your rules
Everybody knows that smokin' ain't allowed in school

Put me to work in the school bookstore
Check-out counter, and I got bored
Teacher was lookin' for me all around
Two hours later you know where I was found

Smokin' in the boys room
Smokin' in the boys room
Teacher don't you fill me up with your rules
Everybody knows that smokin' ain't allowed in school

Smokin' in the boys room
Smokin' in the boys room
Smokin' in the boys room
Smokin' in the boys room
Teacher don't you fill me up with your rules
Everybody knows that smokin' ain't allowed in school

One more time

Smokin' in the boys room
Smokin' in the boys room
Teacher I ain't foolin' around with your rules
Everybody knows that smokin' ain't allowed in school

Brownsville Station

Ookaaay then (4, Funny)

FlyByPC (841016) | more than 7 years ago | (#18906403)

Guess I *won't* be doing that automated WiFi stumbler as a senior project...

Getting past two inflammatory headlines (3, Insightful)

Lockejaw (955650) | more than 7 years ago | (#18906405)

TFA isn't really clear on what sort of "break-in" this was. It looks like it was, at most, a proof of concept break-in, and may have been as little as figuring out how to break the system without actually doing it.
In any case, he didn't go around giving out exploit code, and he even worked on the problem of patching the hole (as well as solving other problems with the CCA software), with the intent of full disclosure of the patch and upgrades. This isn't really a punishment for breaking things, it's a DMCA-style punishment for figuring out how someone might break things.

Re:Getting past two inflammatory headlines (1)

oninojudo (804969) | more than 7 years ago | (#18906459)

It looks to me like he was annoyed with how long the CCA software took to load on his machine, looked for vulnerabilities in the program, and wrote something to spoof the "this machine is OK" message and skip the loading times. Then handed it out to students and professors. So he probably did subvert the security policy, at least, not to mention aiding others in doing so.

Re:Getting past two inflammatory headlines (5, Insightful)

yali (209015) | more than 7 years ago | (#18906511)

In any case, he didn't go around giving out exploit code...

From TFA:

"I was planning on going to Cisco with the vulnerability this summer," Maass says. Maass' program was in use for approximately seven months before the University froze his UP account. Additionally, he gave the program to several friends and one professor.

Also from TFA:

Moreover, [fellow student] Vandermeulen said, many people are frustrated with CCA. CCA has sometimes taken up to 20 minutes to load on Vandermeulen's computer, he said. "I hear so many complaints (that) I'm not surprised that someone would go ahead and try to write something that would completely bypass it," he added.

I don't think this guy deserved the punishment he got. But the whole, "I was just trying to help them" argument sounds fishy. Seems more likely that the uni put cumbersome security requirements on students, this guy tried to circumvent them, and the IT folks caught him and overreacted.

Re:Getting past two inflammatory headlines (1)

mantm (1093813) | more than 7 years ago | (#18906615)

"In any case, he didn't go around giving out exploit code"... Really. From TFA: "Additionally, he gave the program to several friends and one professor. As a result, they suffered judicial consequences including having their account frozen, residence hall probation, writing a 3-4 page reflection paper and having their computers inspected by IS to get network access back, according to Maass." That separates him in my mind from just doing "a proof of concept break-in"...

and he deserved it (0, Insightful)

Anonymous Coward | more than 7 years ago | (#18906411)

He should have brought this to the IT department's attention. People writing software to bypass security and installing it without permission on someone's network should have their fingers glued together so they can't type anymore. This guy deserves to have an example made out of him.

This just doesn't bother me at all.

Not impressed (5, Interesting)

Adam Zweimiller (710977) | more than 7 years ago | (#18906417)

When I started as a freshman at the University of South Carolina 2 years ago, they were already using CCA. Its main intrusion was the fact that the University demanded that we use McAfee regardless of any other (superior) software we may have already purchased. Personally, I used Symantec Antivirus (Corporate) that I got through my internship. Regardless, it forced McAfee down my throat. I couldn't use the two side by side, as XP would freeze on startup with both installed. I noticed that the policy for CCA usage only applied to Windows computers, and that Linux and Mac users were exempt. So I booted my SuSe installation and launched Firefox to discover a web-gate type login, a form that I had to put my CCA user and pass into. Once entered, it said I was logged in for 7 days. I thought, well there's really only one way they're separating out Windows, Macs and Linux boxes: the user-agent. All it took to bypass was a custom Firefox deployment package pre-configured with User Agent Switcher. You didn't even need CCA installed. Every 7 days you got the web-gate login. All you had to do was switch to the pre-configured Linux user-agent and login, upon which you could change back to the default and continue on your merry way for 7 days. In about a week everyone in my dorm was using it, and it still works today. They just ban the user-agent when they catch on, and we come up with new ones. I'm not sure this guy's University may differ, but it really shouldn't take any kind of sexy software hackery to bypass it. PS. wtf is up with slashdot's server? It took me like 15 minutes to get this posted

Re:Not impressed (3, Interesting)

bahwi (43111) | more than 7 years ago | (#18906611)

Well, there's not really just one way to split up the OS'es, see nmap TCP/IP OS fingerprinting, but it's kind of disheartening that Cisco is using the UA for that, as it's the least secure thing you could possibly do. Kind of a name badge, "Hi My name is: CEO of Your Company" and security letting him pass without a card swipe or ID check because he says it so it must be true. Nmap OS Fingerprinting is really very cool if you haven't checked it out before. OpenBSD hides itself pretty well and FreeBSD does ok with certain switches turned on. But of course the detection just gets better each time too.
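
The pattern described in this sub-thread (an exempt Linux or Mac User-Agent presented at the portal login, then the browser's default one afterwards) leaves a trace a gateway can check for. The following is an added example, not part of any comment and not Cisco's code; the event format, the function names and the sample records are constructed assumptions.

```python
import re
from collections import defaultdict

# OS families the portal exempts from the agent, as described in the comment above.
EXEMPT = {"linux", "mac"}

# Constructed sample events (not real logs): (client MAC, event kind, User-Agent).
# "login" = request to the portal login form; "http" = later web traffic at the gateway.
# MAC addresses are from the documentation range.
WIN_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
LIN_UA = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
MAC_UA = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

SAMPLE_EVENTS = [
    ("00:00:5e:00:53:01", "login", LIN_UA),  # claims Linux at the portal...
    ("00:00:5e:00:53:01", "http", WIN_UA),   # ...then browses as Windows
    ("00:00:5e:00:53:02", "login", LIN_UA),  # consistent Linux client
    ("00:00:5e:00:53:02", "http", LIN_UA),
    ("00:00:5e:00:53:01", "http", WIN_UA),
    ("00:00:5e:00:53:03", "login", WIN_UA),  # Windows client that ran the normal check
    ("00:00:5e:00:53:03", "http", WIN_UA),
    ("00:00:5e:00:53:04", "login", MAC_UA),  # one stray Windows request: below threshold
    ("00:00:5e:00:53:04", "http", WIN_UA),
    ("00:00:5e:00:53:02", "http", LIN_UA),
]


def os_family(user_agent):
    """Coarse OS family claimed by a User-Agent string.

    The header is chosen by the client, so this is a claim, not a measurement.
    """
    if re.search(r"Windows", user_agent, re.I):
        return "windows"
    if re.search(r"Macintosh|Mac OS X", user_agent, re.I):
        return "mac"
    if re.search(r"Linux|X11", user_agent, re.I):
        return "linux"
    return "unknown"


def find_mismatches(events, min_hits=2):
    """Return (client, family claimed at login, Windows requests since login)
    for clients that logged in as an exempt OS and then sent Windows traffic.

    min_hits suppresses one-off noise such as a single stray request.
    """
    claimed = {}             # client -> family claimed at the most recent login
    hits = defaultdict(int)  # client -> Windows requests seen since that login
    for client, kind, user_agent in events:
        family = os_family(user_agent)
        if kind == "login":
            claimed[client] = family
            hits[client] = 0  # each login starts a new session window
        elif kind == "http" and claimed.get(client) in EXEMPT and family == "windows":
            hits[client] += 1
    return sorted((c, claimed[c], n) for c, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    for client, family, count in find_mismatches(SAMPLE_EVENTS):
        print(f"{client}: logged in as {family}, then {count} Windows requests")
```

A dual-boot machine produces the same pattern legitimately, so a hit is a lead for review rather than proof of a bypass.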

Re:Not impressed (5, Interesting) (21914) | more than 7 years ago | (#18906983)

Heh... I reported this via Bugtraq on August 19, 2005, and CISCO responded to it 3 days later... /threaded []

As in, they've known about this for at least 20 months...

Re:Not impressed (1)

pete6677 (681676) | more than 7 years ago | (#18907455)

Cisco "security" software is complete and total crap. There are hacks on the internet for just about all of it. They secure a computer about as well as Norton Internet Security. Its only purpose is to make people feel safe and to satisfy auditors, most of which are MBAs who don't even know what a packet is.

My experience with CCA (2, Interesting)

Christophotron (812632) | more than 7 years ago | (#18907311)

My university imposed this crapola on all dorm residents during the summer to test it out. I wasn't there, but my girlfriend's computer suffered the consequences of it. They forced her to uninstall the AVG antivirus and Comodo firewall that I configured, and during the transition her computer was massively hijacked. I'll admit, the dorm networks there are atrocious and this type of software might have been a good idea. Worms/viruses were absolutely rampant; two or three times a day AVG would popup saying it found a threat in some random temporary folder, and the firewall would report numerous "intrusion attempts". However, they didn't even warn people that they would be COMPLETELY unprotected while they are installing the new protection software. If I was there I would have unplugged the network cable during all this. Opening the ports for even five minutes proved disastrous. Needless to say I ended up reformatting.

They never did implement CCA after the trial. Now, the dorm network is simply bandwidth-throttled and packet-shaped to oblivion. Dial-up is faster, I am sure. It's still a security risk, but so slow that no one gives a shit.

Re:Not impressed (1)

Atlantis-Rising (857278) | more than 7 years ago | (#18907645)

There was something vaguely similar that happened when I was in University.

I found that, rather than booting into SuSe, I was better off just grabbing firefox and telling the User Agent Switcher to represent me as a Mac or Linux, or anything else, really. I never had a problem after, never needed to download the software, and I passed on this tip to dozens of individuals. Six weeks after the beginning of the semester, Network Operations came to me (I had interviewed for a part-time position there) and asked me quietly to stop passing around the tip. They said that while it was fine if someone came up with it on their own (because it indicated a sufficient grasp of understanding network security, I imagine), they did not want it passed around to those who didn't understand security principles.

I stopped passing it around, and that was that.

Heh (2, Insightful)

Ant P. (974313) | more than 7 years ago | (#18906421)

I bet he's reconsidering helping them now.

Do schools have a policy about this? (1)

DaveWick79 (939388) | more than 7 years ago | (#18906425)

I was wondering whether or not schools had written policies about this type of thing, and whether this punishment was according to the book or just made up out of thin air.

It seems that most of the time when school officials are faced with an issue like this, they have no idea what they ought to do and either let it slide completely, or overreact and deal a much harder punishment than necessary. This case seems like the latter, as there doesn't appear to be any malicious intent.

Re:Do schools have a policy about this? (2, Interesting)

acidrain69 (632468) | more than 7 years ago | (#18906639)

I don't get it. Is this a client that runs on your personal machine? Or something installed on University machines?

If the former, then yeah, the kid had it coming. You don't bypass security on computers that aren't yours. Punishment was too harsh, but it sounds like he did break policy, and the university is in the right to do something. If he didn't have permission to bypass security on their network for research, then he has no excuse.

Now if it was the latter, and he did this on his OWN machine on the university network, then unless they state somewhere specifically that you "MUST BE RUNNING CCA TO ACCESS OUR CRAPPY NETWORK!!" then the university doesn't really have a case.

IANAL, but I am in IT. We are slightly lax about what we allow our employees to do with their machines, since we have less than 200 employees. But if they bypassed security? Break of usage policy, case closed.

The article is vague, how exactly did he "patch some holes" by bypassing CCA?

Re:Do schools have a policy about this? (1)

acidrain69 (632468) | more than 7 years ago | (#18906663)

err, switch "former" and "latter", I got them backwards.

Cisco Clean Access Agent... (4, Interesting)

TheGreatHegemon (956058) | more than 7 years ago | (#18906427)

The article goes over it pretty well, but Cisco Clean Access Agent, in my experience at my college is more of a headache than it's worth. If someone has the slightest problem with Anti-virus updates, they get locked out every week, (I actually have to download the smart installer for them, and then patch it manually). Plus, a lot of good antiviruses aren't recognized by CCA agent as being acceptable. I currently run Windows 2003 server as a desktop, and CCA agent doesn't play nice with me either - I have to trick CCA agent by using a virtual machine for logins. Frankly, if there was a link to this program, I'd be using it right now...

Re:Cisco Clean Access Agent... (2, Informative)

pathological liar (659969) | more than 7 years ago | (#18906971)

That's not a problem with Cisco Clean Access, it's a problem with whoever set up the policies it's using, and their decision that if you don't have antivirus X, you get locked out. Complain to your admin staff, but don't hold your breath.

At this university the rules only enforce that you've got McAfee and the EPO agent installed, that your patterns are up-to-date, and that you're at a reasonably recent patch level for Windows. They're only set to restrict systems we can reasonably expect to enforce policies on. Macs and Linux machines obviously are exempt, as was Vista for a while. (it wasn't supported properly by McAfee)

Re:Cisco Clean Access Agent... (1)

Saint V Flux (915378) | more than 7 years ago | (#18907405)

Exactly. CCA is nothing but a pain (thankfully I no longer live on campus so I don't have to waste my time fighting with it / run extra processes). The main reason my college started requiring it was because Johnny Frat-moron couldn't figure out how to download his porn without getting a thousand viruses (because something simple like getting anti-virus and setting it for auto-updates is too complicated for a frat guy). They could've solved the problem by banning fraternity members from having computers - and they'd have saved everyone else a lot of trouble!

Glad he didn't use his powers for evil... (1)

WarlockD (623872) | more than 7 years ago | (#18906431)

Though, it's starting to sound like anyone who tries to use their hacking powers to show vulnerabilities, they are suddenly the bad guy.

Well duh. (1)

orclevegam (940336) | more than 7 years ago | (#18906435)

I'd like to say I'm surprised at a school acting like this, but honestly it's about the expected behavior. Companies, schools, and institutions in general typically take the approach that if they deny it exists it will go away.

On a completely unrelated note, did anyone else notice that the read more page seemed to be down? I was getting 503 errors clicking on it.

Am I Nitpicking (2, Interesting)

Soporific (595477) | more than 7 years ago | (#18906437)

Maybe it's just me but isn't the statement that he was going to inform Cisco sometime this summer pretty vague? What was holding him back?


If he were a law student... (0)

mangu (126918) | more than 7 years ago | (#18906903)

He should have a written statement notarized and put in a sealed envelope beforehand. I once saw an interview with a journalist who was trying to expose some airport security hole and that's what he did.

Re:If he were a law student... (1)

dknj (441802) | more than 7 years ago | (#18907285)

...and that does what?

similar (1)

reddcell (1044072) | more than 7 years ago | (#18906441)

I pointed out 2 widely known vulns in my university's network and I'm still serving my suspension...2 semesters left!

Re:similar (0)

Anonymous Coward | more than 7 years ago | (#18907243)

ye ye course you did, respect to you sir you hacker you!

They really should be thanking this guy (0)

Anonymous Coward | more than 7 years ago | (#18906443)

Not criticizing him.

High quality reporting from school newspaper! (1)

loimprevisto (910035) | more than 7 years ago | (#18906451)

Article links to what looks like a student newspaper, "The Beacon". It's nice to see articles of this quality in a student publication; the first link does a good job explaining the situation and reporting it without bias, while the second is a well written editorial style piece that criticizes the university response.

The only problem I can see with their site is that the poll "How did you spend most of your Easter Break?" is missing a Cowboy Neil option...

Read the second link (1)

JohnnyComeLately (725958) | more than 7 years ago | (#18906453)

The first article didn't really clarify and actually confused the issue(s). They did indeed do more than just set him back a year. If he's on a full ROTC scholarship, they likely just yanked his funding by suspending him.

If you look at it out of context, their decision makes some sense, however, as soon as you apply ANY logic to it, their reaction is way too far. What is the result? I would never do research there or even TOUCH anything security related. Imagine if you got suspended because you left your lab's back door open, while there was still a guard on duty. Someone COULD break in, but there's a guard. This is similar to what he did...the security was never compromised, it may not have been the MAX (which is also a farce, because the university itself wasn't up to the most current version). Using their own logic, they should suspend their director of IT for one year for knowingly having a system not most up to date (which is what the kid did).

Re:Read the second link (0, Flamebait)

OverlordQ (264228) | more than 7 years ago | (#18906541)

If he's on a ROTC Scholarship he should know better than to pull something like this without prior notification, and without the knowledge of the people whose systems he was 'testing'

This summer? (1)

ArcherB (796902) | more than 7 years ago | (#18906457)

Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says.

While I'm all for white-hat hacking, it's unfortunate that every time someone is busted, they suddenly put the white hat on. In this case, I have to ask:
Why didn't he go to Cisco with the vulnerability YESTERDAY?

Re:This summer? (1)

mark-t (151149) | more than 7 years ago | (#18906601)

Well, if he gave it to Cisco, he'd lose control over what happens to it, and Cisco may well release a patch but that wouldn't mean that his school would obtain it right away. He probably wanted to talk it over with the school first to make sure his own school's interests were covered before letting it get out.

And for this loyalty, he gets suspended.

Typical.... absolutely typical.

Re:This summer? (3, Informative)

mark-t (151149) | more than 7 years ago | (#18906687)

....or.... I could *READ* the TFA and discover he had been using it for seven months and given copies to his friends.

I take back what I said before.

The idea that he was about to tell Cisco about it is a pretty weak cover story, given his behaviour.

Re:This summer? (4, Insightful)

dgatwood (11270) | more than 7 years ago | (#18907483)

OTOH, if he were smart enough to break this thing and he were malicious, he would have instead sold it to some Russian hacking group to put into new viruses. He didn't. He didn't crack anybody else's machines with it. He didn't run it on university equipment. He didn't do any of the thousands of truly malicious things he could have done. Based on that, I see no reason to believe that the guy didn't intend to tell Cisco about it... but probably not until after he graduated so that he wouldn't have to deal with a bug-fixed version of the software that disabled his workaround....

Instead of using the software maliciously (which would have been relatively easy by comparison), the guy just ran it on his own personal machines and gave it to other people to willingly run on their own personal machines so that they could use the network without the interference of an overbearing piece of security software. All the guy did was write software that made it look like he was running the stupid tool that the uni required him to run in order to use the network without actually having to run it. That's hardly malicious behavior, and if the guy was running reasonable antivirus protection software and was keeping up-to-date with security patches without the "assistance" of the tool in question, it really didn't create any significant security risk, either.

No, this is a typical knee-jerk reaction by bureaucrats. I would expect nothing better from most universities, but it's still a shame every time someone's life is needlessly wrecked because of a bunch of pencil pushers.

Stop institutionalizing young people (5, Insightful)

iamacat (583406) | more than 7 years ago | (#18906463)

It's unavoidable that a bright C.Sci student will bypass some university security measures, for some of the following reasons:

  • Bypass cloying "for your own protection" software that he and his computer-literate friends do not need anyway. Besides, what security updates if you have Mac/Linux?
  • Impress a girl by resetting her lost password or re-enabling account in her undergrad school
  • Explore a realistic network structure and challenges of its administration
  • Repair the system when it's down, admin can not be bothered and final project is due tomorrow at 8:30

Steve Jobs openly admits to phone phreaking and calling the Pope. Both he and Bill Gates eventually dropped out of school. It's clear that, to become a person of substance, you have to be willing to challenge authority once in a while. Are we trying to raise a generation of corporate drones who are so obedient they can never pose a competitive threat to existing oligarchy? Are we so insane we let disturbed students stay in school and own guns, but suspend ones who are merely using university's property, paid for by their tuition, more efficiently than average?

wow, excellent points (4, Interesting)

JohnnyComeLately (725958) | more than 7 years ago | (#18906613)

Your reply hits many points, dead on (pardon the pun when combined with the guns reference). Technically, I "broke" Sprint PCS security policy by showing them a hole in 3G data services (around 98/99). The security guys were certain they were applying the layers of security but forgot about a fundamental shift in types of traffic (tunneling within a tunnel) used in 3G. I said, "OK, if it's secure, how is it I can ping the billing server from my "public" computer".....I could technically have been in the same boat as some others (not this kid...he was clever).

Which brings up your main, and correct, point. It's sad when we penalize so harshly for students just being clever. Would they have suspended him for a year for putting a penny in the dorm elevator (in effect locking it on a single floor during early morning rush time)??? I often joke, and I'm sadly accurate: If I did half of what I did 20 years ago in high school and later I'd be a multiple strike felon...and yet no one or any property was really ever hurt.

Re:wow, excellent points (5, Interesting)

ScrewMaster (602015) | more than 7 years ago | (#18907519)

When I was in college thirty-odd years ago, my University only allocated 2,000 minutes per quarter per student of mainframe time. Not enough (obviously) and they refused to give me any more. So I wrote a simple fake-login program that would log the user's name and password, and cough up a realistic "system is down" message. Matter of fact, I exactly duplicated the normal logon procedure, including any nominal pauses and delays that occurred. Even fooled the system operators a couple of times. I ran the thing on forty or fifty terminals simultaneously, and I would watch in case someone called one of the admins over to ask why the system wasn't working. Whenever that happened, I'd hit a key on my terminal that would immediately log all the other systems off, so it would work normally at the next login attempt. It wasn't often: most people just shrugged, got up and left to go about their business. Occasionally some busybody would call an administrator over, so I had to keep an eye on things.

In under a week I had captured the accounts of every active student user on the system, plus all the supervisory accounts. It was pretty unbelievable (as in, "holy SHIT Jesus Mary mother of God" unbelievable) and I couldn't understand why there were no precautions taken against that sort of thing. Needless to say I had no problems with account time after that. That was on the one mainframe: there was another guy, pretty sharp coder, that figured out what I was doing. At first I thought I was screwed, but he was delighted by the idea and duplicated it on the bigger system (this was years before the word "pwned" came into the popular lexicon but it's no less applicable.) No surprise, a few days later and he had the run of that machine. So far as I'm aware, nobody ever figured out what we'd done. The big system was the one that had everything administrative on it from student grades to paper clips and we could have wreaked havoc if we'd wanted to. As it was, though, we just wanted more computer time to do our homework.

A couple of years later my father testified in front of my State's legislature regarding a new "computer crime" bill they were shopping around. It was one of those ridiculous "zero tolerance" laws that make the lawmakers look "tough on crime" but end up shafting a lot of people that don't deserve it. Dad pointed out to these idiots that, if passed, their brain-child would immediately criminalize 90% of the best and brightest students in our engineering and computer science curricula. They backed off in a hurry and came back with a more reasonable bill, which never got passed anyway.

That was then. Nowadays, I don't think our lawmakers would bat an eye if they put half our smartest engineering students in jail. They're just engineers, after all, and ... who the fuck needs those.

Re:Stop institutionalizing young people (1)

curious.corn (167387) | more than 7 years ago | (#18907395)

well said

Re:Stop institutionalizing young people (1)

emphatic (671123) | more than 7 years ago | (#18907531)

Actually, it was Woz who called the Pope. (Full story in his book, iWoz, but cited in many online articles as well.)

I hope he has his assertion well documented (3, Insightful)

John Harrison (223649) | more than 7 years ago | (#18906469)

He should have talked to the campus IT guys about this "research" before conducting it on live campus systems. I worked in campus IT at Stanford and my experience is that they might be open to seeing what you're working on and allowing it.

The article summary posted here on /. conveniently left off the next paragraph:
Maass' program was in use for approximately seven months before the University froze his UP account.

So he ran this thing for most of the school year and gave it away to his friends and put up a facebook page about it without telling Cisco? At some point it starts to look like the, "I was about to tell Cisco!" claim is just an excuse to get out of trouble. Once he had a working demonstration he should have approached Cisco, not distributed it while he put off talking to the vendor for half a year.

Still, it seems like the uni is going overboard on the punishment.

Re:I hope he has his assertion well documented (1)

TheLazySci-FiAuthor (1089561) | more than 7 years ago | (#18906653)

Still, it seems like the uni is going overboard on the punishment.

I agree with your post, save this line. I'm starting to sound like an old man, but examples must be made.

As you allude to, he may indeed not truly have intended to go to Cisco with this vulnerability - how much further would he go if not caught? He knew of 6 other methods apparently.

At any rate, I'm starting to sound reactionary so I'll cut it there.

Nonetheless, it seems that a computer science major would have the resources available to try out his vulnerability theories on a test environment.

When the lock is broken on the girls' showers, you should probably not wait until summer to tell someone: though who could really blame you for delay?!

Re:I hope he has his assertion well documented (1)

pembo13 (770295) | more than 7 years ago | (#18907347)

like campus IT guys know anything

Re:I hope he has his assertion well documented (1)

dgatwood (11270) | more than 7 years ago | (#18907535)

Normally, what one does on his/her own personal machine is that person's business and nobody else's, including the network administrators, unless and until he/she causes harm to the normal operation of the network or other systems on the network.

Okay, maybe putting it on a facebook page was stupid....

When will people learn.. (1)

BalanceOfJudgement (962905) | more than 7 years ago | (#18906471)

Nobody wants things to work right or work well, if it means upsetting the status quo.

They'd rather things disappear and get bitten in the ass for it in the future, than deal with it now, if it means someone's going to get embarrassed. There's no intellectual honesty anymore..

Schools... (1)

pavera (320634) | more than 7 years ago | (#18906473)

And I thought school was where you went when you wanted to learn about things, test things, build new things, and in general broaden your horizons and expand what you are capable of doing.

Wait, that is the lie people have been telling us forever.

School (high school and univ) in my opinion is a very poor excuse for "preparation" for the real world. In all of the jobs that I've had, identifying, working through, and solving problems is what it's all about. Of course in school, the students are rarely if ever tasked with the first step of identifying a problem (the professors assign the homework), working through problems is an exercise of taking notes (not thinking about the problem just verbatim listing what the professor says), and solving problems normally is left to the TAs to babysit 90% of the students through anything that requires even the slightest bit of rational thought.

This guy is guilty of breaking that mold, he identified, worked through, and solved problems all on his own with no intervention from the school. Thus proving that the school is indeed useless. Because he proved that the school was a redundant and useless institution they had to punish him.

Re:Schools... (2, Insightful)

BalanceOfJudgement (962905) | more than 7 years ago | (#18906517)

If you stop thinking of school (all school, from kindergarten through college) as "where you went when you wanted to learn about things, test things, build new things, and in general broaden your horizons and expand what you are capable of doing" and instead start thinking about it as a way to keep people busy and out of the work force for a while, then the whole thing starts to make a lot more sense.

Imagine what the job market and the economy would look like if everyone in our overpopulated civilization who could work, had one.

Re:Schools... (1)

Rakishi (759894) | more than 7 years ago | (#18906861)

As I have said often in the past: Just because you went to a shitty college, took shitty classes and didn't take advantage of the available opportunities doesn't mean everyone is a dumbass like you.

College (and life) is what you make of it, don't complain about being spoon fed everything when you never showed any ability to eat on your own.

Re:Schools... (1)

ephedream (899351) | more than 7 years ago | (#18907385)

Right, tell that to the kid in the ghetto who goes to the crappy public school with boring classes where they memorize things instead of learning so that the school can scrape by and get those required standardized test scores with their overworked teachers and crappy underfunded schools. This replaces "learning" and naturally kids (especially intelligent ones) will be bored to tears by this unnecessary, forced, rigid hoop jumping. The goody goody positive attitude, closed-minded, cheerful, conformist rule followers will do ok though, cuz they have that sunny, authority loving attitude. Just keep on churning that work out until it's done...

Re:Schools... (2, Insightful)

Rakishi (759894) | more than 7 years ago | (#18907567)

I was talking about colleges and universities, lower schools are a somewhat different matter. Second of all the problem 95% of the time isn't schools (almost all, even "magnet", middle and high schools are rigid) or the nature of the student but parenting (or rather lack thereof). Now I'm not blaming the parents per se but simply saying that there are tons of options to get out of the hell hole of a system if you are determined enough.

Likewise children should be taught to do the damn work, contrary to what you may believe in real life you all too often need to do bitch work and you can't cry or throw a tantrum or get bored. I remember fondly how in 6th grade after realizing that every math assignment was from the book I simply took a few days and did all the assignments till the end of the year. Doing them all at once on my own was mildly interesting and gave me 2+ months of no math homework. A few friends even got into it and we had a sort of implied competition on who could finish the problems the fastest.

let's just suspend ALL students and save time (4, Interesting)

TheGratefulNet (143330) | more than 7 years ago | (#18906475)

story after story, it's "this student scared us - let's git 'em!".

why is this country SO AFRAID of students and so into controlling them? I'm not sure I could survive in a modern high school or even college environment now. I'd be too angry all the time at how badly they are mismanaging our youth.

I am quickly losing all my faith and trust in the so-called 'education system' we have in the US. it's becoming not much more than babysitting and nannying.

and I fear for the kind of young adults we are going to produce from this brainwashing factory we call 'school'.

anyway, what good is there in suspending this kid? what does that accomplish? the fact that he found YOUR security flaw embarrassed you? is that a reason to punish him?

perhaps the school does not DESERVE your funding. yes, YOU fund the school - they work FOR YOU. it's not the other way around. YOU are the consumer. if school-A is giving you crap, why not take your business elsewhere? yes, school IS a business - very much so.

Re:let's just suspend ALL students and save time (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18907505)

That reminds me of something that happened back in sixth grade.

I was fortunate that in the early 80's, Apple had donated some computers to my school district. I was in the "gifted" program, so we got to use the Apple computer lab at the junior high school once a week. My mother was a teacher in the local district, so she was able to borrow a computer during the summer, and at about the same time my father bought a TRS-80 from Radio Shack. The end result was that at about the age of five, I started learning to program these computers.

Fast forward to sixth grade. By now I had plenty of experience with Apple computers and was starting to learn some of the more advanced things you could do: peeking and poking memory, getting programs to boot from floppy disk, etc. Well, one of my science classes studied computers for a few weeks and we used the computer lab on a regular basis. Being the type of person I was, intelligent and all too happy to question authority and mess with adults, I wrote a program that when booted from floppy made a bunch of beeps on the computer and flashed some bogus alert/warning message.

I set the teacher up such that when he sat down on a machine and powered it up, he'd get this scary warning message. Sure enough it worked, and the teacher got freaked out. Unfortunately, when he learned that it was just something I had rigged up, he got mighty pissed and banned me from the lab for a while.

One thing you can count on is for adults to misunderstand the youth and fear that which they don't understand. Rather than having to acknowledge a youngster on a personal level and try to understand their motivations, they simply react and try to punish the kid like you would a "bad" dog.

Inaccurate information. (0)

Anonymous Coward | more than 7 years ago | (#18906481)

Summary information is incorrect. Michael Maass has not been suspended for a whole year, but rather for just a single semester, following completion of the current semester.

"...following an appeal process in which he was supported by many friends and faculty, the University ruled that Maass will be allowed to finish out the rest of this semester, but will be suspended through next semester."

Still a shame that the school even went that far. Here's to hoping that there are some further appeals processes he can follow up on.

in use for seven months (2, Informative)

arabagast (462679) | more than 7 years ago | (#18906483)

TFA says he was running this program for seven months, and was planning on alerting Cisco "this summer", and he also spread the program to his friends. Doesn't really sound like security research to me, more like bypassing the security for your own convenience. You really don't "research" a security flaw for seven months, and even spread it to other people.

We avoided situations like this... (2, Funny)

Cylix (55374) | more than 7 years ago | (#18906529)

Early on we ran into some policy issues at the university.

The solution...

Take the engineering department off of the campus network and maintain it ourselves.

It worked out fairly well when I was there, but resulted in some equipment deficiencies. We ended up getting the backend of the upgrade cycle, but that was fine as we were allowed to "blow them up."

This would not have worked without volunteer work and when I had returned I was already a competent admin. It probably wouldn't scale too well, but it's a good learning experience for some.

It does lead to issues though...

At one point, a professor proclaims the network seems to be having issues and at that point I poked my head up.

"Um, no it's not... I'm putting in dDNS... because it looked like fun."

Things were back up momentarily. (Hey I was young!)

The best was probably the day I rooted the servers and updated the motd.

"Under new management -- cylix"

This was of course the policy for gaining administration for maintaining systems. The final system I had to social engineer my way into... sorta... I basically made it into the server room with the prof maintaining things and he left to go get some papers. He knew I was after the final system and just wouldn't let me take it over without a fight. He had to know what I was going to do and probably just wanted to see how fast I could get my hands into the system. The moment he stepped out I tackled the keyboard like it was a drunken cheerleader.

The only catch was no denial of service. So, if you were going to bring something down... no one could notice.

Fun times!

Tell people before doing this type of project (1)

HockeyPuck (141947) | more than 7 years ago | (#18906567)

Let's see, if you're writing a program that will circumvent security measures, if he had gone to IT and said "I'm writing a program to test CCA..." he wouldn't have been in deep water as opposed to trying to explain why he did it "No, I wasn't trying to hack the network, I was writing a *test application* and then go to Cisco"..

If he had nothing to hide in the first place, then he shouldn't have hid it in the first place.

University of Portland (3, Informative)

pclminion (145572) | more than 7 years ago | (#18906569)

U of P is a Catholic school with no particular engineering focus. I think he would have stood a better chance of a reasonable response had he been attending a "real" engineering school. There's nothing wrong with Catholic school, or in studying engineering at such a school, but I think this poor guy should have seen it coming... If you're going to do research like this, do it at home. If he wanted to inform Cisco of the problems, he should have just done so directly. I feel bad for the guy but it's not surprising.

To be honest... (2, Insightful)

HuguesT (84078) | more than 7 years ago | (#18906609)

If I did something like that and got caught I would say I was planning to come clean as well.

Let's see.... (2, Funny)

MBCook (132727) | more than 7 years ago | (#18906633)

And now... the university's decision process:
  • Finding security holes in our expensive software: -1 point
  • Fixing security holes in our expensive software: -1 point
  • Giving the program and information to a professor: +1 point
  • Giving the program and information to other students: -3 points
  • Mentioning this online: -2 points
  • Planning to tell Cisco: +1 point
  • Not telling Cisco immediately: -2 points
  • Using the software for months: -2 points

Total? -9 points. Not good. The university had no choice. For reference, here is the scale:

  • +10 or better: Scholarship
  • +5 or better: Award
  • +1 or better: Acknowledgment
  • 0: "We'll ignore this"
  • -1 to -3: Chiding
  • -4 to -6: Write in your file
  • -7 and -8: "You're in serious trouble"
  • -9 or worse: Suspension

Too bad the guy may lose his scholarship. He presented it wrong, especially giving it out and not telling Cisco immediately, along with running it himself. But it doesn't deserve a full suspension for a semester.

CCA (2, Informative)

michrech (468134) | more than 7 years ago | (#18906635)

To those who are saying "CCA doesn't recognize perfectly good antivirus packages" (and other sorts of comments). Most, if not all, of that is configurable on the backend. If your school forces McAfee, they likely removed (or never added) other products to the CCA server. The college for which I work supports Symantec, McAfee (which we give away to students), AVG, and at least a few others.

If your CCA isn't accepting an antivirus scanner you like, why not go through the proper channels to find out *why* it's not supported and see about getting that fixed?

CCA is a joke (0)

Anonymous Coward | more than 7 years ago | (#18906701)

It's a technically unwinnable war. Obviously NAC, CCA...whatever is broken and can be circumvented by a not so determined adversary. This will never not be the case, nor is it necessarily a problem.

The purpose is to foster a sane environment by requiring certain levels of patching and network protection software. While this does not guarantee a system can not be compromised it helps a little by demanding software be installed and kept up to date.

Once a system is compromised then the system breaks down into basically asking a liar if they're telling the truth... which from a security POV is not useful.

The first time I heard about schemes such as these was at a MS conference in Redmond years ago where the PM for RAS touted the scan / quarantine features in an update for server 2003.

My immediate reaction was you've got to be kidding me from a technical POV ... but on second thought these systems were designed more for CYA and enforcement of preventative maintenance, a very good thing, rather than a technically secure solution... at least that's my thinking and I don't doubt it's at odds with advertising.

The only secure solution is a fully trusted system; if one existed, these solutions would not be necessary in the first place.

It falls right into line with the concept of there being any reasonable expectation of protection from the use of firewalls and virus scanners. From a technical security POV this is not realistic.

Once a system fails in a way that bad code is in a position to be executed the *game is over* right there. Scanners only work to mitigate what happens when something that shouldn't happen in the first place does. They will never be in a position to provide security guarantees.

the article doesn't mention.... (2, Informative)

Anonymous Coward | more than 7 years ago | (#18906711)

I just finished working with the CCIE who implemented the CCA at U of P today and he said the student wasn't suspended for circumventing the CCA but rather distributing it to other students, which in my book is malicious. And for the record I work for a University around 30 miles away from U of P.

Re:the article doesn't mention.... (0)

Anonymous Coward | more than 7 years ago | (#18906847)

How is it malicious?

From the misleading headline department (3, Informative)

peacefinder (469349) | more than 7 years ago | (#18906727)

Many of the arguments we use to - justly - defend security researchers seem like they may not apply in this case.

* He used the software to bypass the security check for seven months
* He distributed the software to several other students and a professor
* He did not disclose the vulnerability to the vendor before releasing his exploit
* He did not ask permission

Now, this is not to say that the University's use of CCA is wise or its reaction was reasonably proportionate to the damage done. (If the damage and the policy violation is as minimal as the article claims, a 1-year suspension is insane.) But Mr. Maass did not do a good job of covering his ass, either.

Let this be a lesson to the next guy.

Easy to bypass Cisco Clean Access (0)

Anonymous Coward | more than 7 years ago | (#18906757)

All one needs to do is spoof a browser's user-agent string (Linux or Mac), login, and make sure you have a firewall that can restrict communication to/from the clean access server to just HTTP(S).

If you need to do more manipulation, there's always greasemonkey.

hm (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18906801)


This program was overkill. (1)

eeg3 (785382) | more than 7 years ago | (#18906871)

My University uses CCA, and to bypass it... you can either not use Windows, or use Firefox and install a plug-in that allows you to modify the User-Agent to identify itself as if it were running Linux/OSX. This might not work in all cases, though.

Re:This program was overkill. (1)

Virgil Tibbs (999791) | more than 7 years ago | (#18907315)

you know what would be funny?
what would be funny would be if he WAS the author of that Ff extension.
-that bypasses it etc, that's online...

This illustrates "transitive trust" fallacies (4, Insightful)

malcomvetter (851474) | more than 7 years ago | (#18906979)

Regardless of the student's ethics (or lack thereof), this illustrates a fallacy of trust in computing that often goes overlooked, especially in software security products: transitive (implicit) trust.

Think about it logically for a second ... If the administrator (of the University, some enterprise, or even a home network) cannot state anything about the trustworthiness of an unfamiliar computer, how can that same administrator trust the output of some software program designed to assert the trustworthiness of an otherwise untrusted computer?

Trusted input (e.g. Cisco Clean Access)
+ Untrusted computation (unknown host)
!= Trusted output (i.e. an assertion from the CCA that the computer is trustworthy)

The nature of this equation is that the untrusted computer is implicitly trusted to compute its own trustworthiness. What ramifications does that have on the real world analogies?

Banker: Can I trust that you'll repay this loan for $1 Billion?
Some joe off the street: [Hides "will work for food" cardboard sign behind his back.] Uh, sure.

And yet, how many NAC/NAP vendors actually try to challenge the unknown host (java applet, activeX control, native code, etc.)? Answer is: nearly all of them, unfortunately. Even if Cisco fixes this hole, what will happen next? This is not unlike Cisco trying to sell a perpetual motion machine-- this simply defies the "natural laws" of security.

NAC is not the answer. How about those good ol' 3270 connections?
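The transitive-trust point in the comment above, as an added Python example (not part of the original comment and not Cisco's code): a policy server that believes a host's self-reported posture admits whatever the host claims, while one that requires the report to be bound to a fresh nonce by a key the host OS cannot read rejects edited or replayed reports. The device name, the field names and the HMAC key standing in for a hardware-protected attestation key are all assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed admission policy: both posture fields must be true.
REQUIRED = {"av_current": True, "os_patched": True}


def policy_ok(report: dict) -> bool:
    """True when the report's fields satisfy the policy."""
    return all(report.get(field) is want for field, want in REQUIRED.items())


def naive_admit(report: dict) -> bool:
    """Self-reported posture: the untrusted host vouches for itself."""
    return policy_ok(report)


def sign_report(key: bytes, nonce: str, report: dict) -> str:
    """MAC over nonce + canonical report.

    Assumption: in a real design this runs inside a protected measuring
    component (for example a hardware-backed key), not in host software.
    """
    msg = nonce.encode() + b"|" + json.dumps(report, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AttestingVerifier:
    """Admits only reports that are authentic, fresh, and compliant."""

    def __init__(self, enrolled_keys: dict):
        self._keys = dict(enrolled_keys)   # device_id -> key enrolled out of band
        self._pending = {}                 # device_id -> outstanding nonce

    def challenge(self, device_id: str) -> str:
        nonce = secrets.token_hex(16)
        self._pending[device_id] = nonce
        return nonce

    def admit(self, device_id: str, report: dict, tag: str) -> bool:
        nonce = self._pending.pop(device_id, None)   # each nonce is single use
        key = self._keys.get(device_id)
        if nonce is None or key is None:
            return False
        if not hmac.compare_digest(sign_report(key, nonce, report), tag):
            return False                              # edited or replayed report
        return policy_ok(report)


def demo() -> dict:
    key = secrets.token_bytes(32)                     # constructed sample key
    verifier = AttestingVerifier({"laptop-01": key})
    measured = {"av_current": False, "os_patched": True}   # actual state
    claimed = {"av_current": True, "os_patched": True}     # state the host asserts
    results = {"naive_accepts_claim": naive_admit(claimed)}

    # Authentic report of a non-compliant host: verified, then denied by policy.
    nonce = verifier.challenge("laptop-01")
    results["attested_noncompliant"] = verifier.admit(
        "laptop-01", measured, sign_report(key, nonce, measured))

    # Report altered after it was signed: the MAC no longer matches.
    nonce = verifier.challenge("laptop-01")
    tag = sign_report(key, nonce, measured)
    results["edited_after_signing"] = verifier.admit("laptop-01", claimed, tag)

    # A genuinely compliant report is admitted once...
    nonce = verifier.challenge("laptop-01")
    good_tag = sign_report(key, nonce, claimed)
    results["fresh_compliant"] = verifier.admit("laptop-01", claimed, good_tag)

    # ...but the same tag fails against the next challenge.
    verifier.challenge("laptop-01")
    results["replayed"] = verifier.admit("laptop-01", claimed, good_tag)
    return results


if __name__ == "__main__":
    for name, admitted in demo().items():
        print(f"{name}: {admitted}")
```

The attested path does not remove the trust problem; it relocates it to whatever component holds the key and takes the measurement, which is why the comment's conclusion still applies when that component is ordinary software on the host.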

Generally I would say 7 months' use = malicious (1)

280Z28 (896335) | more than 7 years ago | (#18907011)

But more malicious = forcing me to uninstall the A/V I know and trust and install some crap before I can access the #1 source of malware (the internet)?! I'm doing just fine on my own, thank you. Congrats to the student for not tolerating that crap.

"go to Cisco?" then he's documented his code then (1)

Locutus (9039) | more than 7 years ago | (#18907029)

If this "kid" REALLY intended to bring his findings to Cisco, then he should have been documenting not only his intent but also his findings and techniques used and this should be enough to prevent a suspension. Unless he came up with this idea of 'going to Cisco' after he got busted.

I have a hard time believing his story without some proof he'd been discussing visiting Cisco or interning there well in advance of getting busted for spoofing their APIs.


CCA and University Technical Support (1)

dorath (939402) | more than 7 years ago | (#18907113)

I work in the IT department at a university that uses CCA. If you live on-campus you're required to use CCA to connect to the University network. IIRC, the setup here doesn't check for much: anti-virus and XP SP2 if you're on Windows, and Linux users are ignored.

Support calls from students have fallen by more than 50% since CCA was put into use. Simply requiring anti-virus and SP2 has tremendously reduced the amount of garbage infecting Windows users' machines. CCA has been a real boon, even if there are a plethora of ways around it.

Truly a failure of the education system (0)

Anonymous Coward | more than 7 years ago | (#18907131)

This is truly a failure of the education system. Whenever someone wants to be innovative or do something productive with his or her education, the school system shuts that person down.

missing part of transcript (0)

Anonymous Coward | more than 7 years ago | (#18907179)

"I was planning on going to Cisco with the vulnerability this summer," Maass says. '"

Added Maass, "Right after they let me out of prison."

Honest Your Honor! (3, Funny)

Stormy Dragon (800799) | more than 7 years ago | (#18907207)

I wasn't burglarizing this house, I was just checking the home security system for holes!

Bait and Switch (4, Insightful)

litewoheat (179018) | more than 7 years ago | (#18907225)

OK this story is sensationalist BS. Maybe the summary should have stated that he USED IT FOR SEVEN MONTHS and GAVE IT OUT TO FRIENDS!? Come on, only when he gets caught does he say he was going to share his results. Yeah, that's like embezzling and then saying you were going to give all the money back when you get caught.

CCA is the issue here (0)

Anonymous Coward | more than 7 years ago | (#18907413)

All of you are forgetting that the STUDENT owns this hardware and has the right to install or not install any software he damn well pleases.

The responsibility of him disclosing the 'vulnerability' to Cisco is academic. Does the University have a documented policy that you are required to use CCA to access their residential network? If they do not, then he wasn't in violation of anything. If they do, then he was.

CCA is fundamentally flawed because it is, no matter what, running on a hostile host, and there will always be ways to defeat it. It's like asking some random guy off the street if you can trust them. Of course they're going to say yes.

Regardless of how long he used it (keep in mind, again, this is HIS hardware, and that in almost every case, you are not permitted to opt out of the University-provided service and install something else, due to alleged 'wiring issues' (which is code for 'we don't want you to'), and even if you CAN, you can't get a refund for the Internet access your fees paid for.

The argument that him using this software somehow could bring down the entire network is absolutely ludicrous on its face; networks survived without CCA before, and Macs and Linux computers (or computers appearing as such) don't have to go through the 'validation' process anyway. Antivirus software is not a panacea, and does not detect every virus. All CCA does is let needledicked IT administrators continue to exert control over the only part of the network they know they can get away with - the student network, because students have no political power at a University. Amazingly, CCA is never required for professors' machines, or on lab machines, even though the alleged goal of CCA is for 'safety' of the whole network. Professors must just be safe by default, right?

"Trying to improve security" my a$$ (1)

ericfitz (59316) | more than 7 years ago | (#18907507)

This guy was being clever disabling the security software, nothing more. He got caught and now he's whining.

It may be unpopular, but when you connect your computer to some networks you do so under agreement which may limit what you can do, may require you to consent to monitoring, and may require you to install software to enforce the terms of that agreement. Tampering with the software may be a violation of that agreement; it doesn't matter if it's "your" computer, we're talking contracts here.

There's nothing extraordinary about someone with physical access and superuser/administrative access rights being able to modify the software on their own machine. And if you can debug a client app, then you can write your own app that can pretend to be that client when talking to the corresponding server.

If he was a security professional then he would have done this in a lab, not on his own machine, and would have reported the results in a timely fashion, not "I was going to get around to it", and would not have distributed exploit code to his friends.

This guy's behavior violated pretty much any acceptable use policy I've ever seen or written, and he got a punishment probably on the stiffer end of the scale because his behavior doesn't appear to show any mitigating circumstance.

Cho Vs Maass (1)

chromozone (847904) | more than 7 years ago | (#18907583)

All week I've been reading how the kid at Virginia Tech couldn't be dismissed from school even though he stalked, threatened and oozed a violent psyche to the point of having 2 professors ask the university for help with him. Universities should only protect students as vigorously as they seem to protect themselves in this case.

Universities have overstepped their bounds (0)

Anonymous Coward | more than 7 years ago | (#18907591)

These days, access to the campus network is a right, not a privilege. Access is required in order to do research, use learning management systems, communicate, ad infinitum. Any student denied access to this vital resource without probable cause should sue.

While it is certainly within the university administrator's rights to deny network access to computers causing network problems, telling students that they must install software that effectively gives the university administrative control over the student's own property is an egregious violation of their privacy, and a security blunder just waiting for an exploit. When that exploit is found, and it will be, students should hold the university liable for the breach and subsequent damages. Students do not pay thousands of dollars for screaming hardware just so their word processor might still barely function after all the other cycles have been consumed by overzealous anti-virus crap.

Teacher, leave those kids alone.