Student Attempting To Improve School Security Suspended
TA_TA_BOX writes "The University of Portland has handed a one-year suspension to an engineering major after he designed a program to bypass the Cisco Clean Access (CCA). According to the University of Portland's Vice President of Information Systems, the purpose of the CCA is to evaluate whether the computers are compliant with current security policies (i.e., anti-virus software, Windows Updates and Patches, etc.). Essentially the student wrote a program that could fool the CCA into thinking that the computer's operating system and anti-virus were fully patched and up to date. 'In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says.'"
University doing a favor (Score:5, Insightful)
Don't do security research in the US (Score:5, Insightful)
Getting past two inflammatory headlines (Score:4, Insightful)
In any case, he didn't go around giving out exploit code, and he even worked on the problem of patching the hole (as well as solving other problems with the CCA software), with the intent of full disclosure of the patch and upgrades. This isn't really a punishment for breaking things, it's a DMCA-style punishment for figuring out how someone might break things.
and he deserved it (Score:0, Insightful)
This just doesn't bother me at all.
Heh (Score:3, Insightful)
Stop institutionalizing young people (Score:5, Insightful)
Steve Jobs openly admits to phone phreaking and calling the Pope. Both he and Bill Gates eventually dropped out of school. It's clear that, to become a person of substance, you have to be willing to challenge authority once in a while. Are we trying to raise a generation of corporate drones who are so obedient they can never pose a competitive threat to the existing oligarchy? Are we so insane that we let disturbed students stay in school and own guns, but suspend ones who are merely using the university's property, paid for by their tuition, more efficiently than average?
I hope he has his assertion well documented (Score:4, Insightful)
The article summary posted here on
Maass' program was in use for approximately seven months before the University froze his UP account.
So he ran this thing for most of the school year and gave it away to his friends and put up a facebook page about it without telling Cisco? At some point it starts to look like the, "I was about to tell Cisco!" claim is just an excuse to get out of trouble. Once he had a working demonstration he should have approached Cisco, not distributed it while he put off talking to the vendor for half a year.
Still, it seems like the uni is going overboard on the punishment.
Re:University doing a favor (Score:5, Insightful)
Re:Getting past two inflammatory headlines (Score:5, Insightful)
In any case, he didn't go around giving out exploit code...
From TFA:
Also from TFA:
I don't think this guy deserved the punishment he got. But the whole, "I was just trying to help them" argument sounds fishy. Seems more likely that the uni put cumbersome security requirements on students, this guy tried to circumvent them, and the IT folks caught him and overreacted.
Re:Schools... (Score:3, Insightful)
Imagine what the job market and the economy would look like if everyone in our overpopulated civilization who could work, had one.
To be honest... (Score:3, Insightful)
Re:University doing a favor (Score:4, Insightful)
NOW, that being said, I am the first that will say - if you do something like this, know that you are breaking the rules and be prepared to pay the consequences (the guy is ROTC, and probably is going to owe the Air Force some money). If you stumble upon something, that is one thing. But to blatantly break the rules for SEVEN months - bad idea.
And the guy can say "I was planning on going to Cisco with the vulnerability this summer," but that is just talk. Yes, it could be true, but it also could be something he is saying to try to cover his butt since he was found out. Sorry, paint me skeptical.
RonB
Re:University doing a favor (Score:3, Insightful)
Now imagine that a virus got in through this hole and deleted all their e-mails on campus. What would the opinion be then? Even if he had contacted Cisco I think that they would have told him in the second line to not run the code because it would cause a vulnerability, i.e.:
Thanks for contacting Cisco. Do not run that code on any network that you do not own.
Proof of concept is a totally different thing than what happened here. He is trying to cover his ass.
Catch me if you can (Score:4, Insightful)
These people can outsmart you every minute of the day if you give them reason to. Why not just employ them and get on their side?
Oh right, this isn't about security, this is another stupid power struggle.
This illustrates "transitive trust" fallacies (Score:5, Insightful)
Think about it logically for a second
Trusted input (e.g. Cisco Clean Access)
+ Untrusted computation (unknown host)
!= Trusted output (i.e. an assertion from the CCA that the computer is trustworthy)
The nature of this equation is that the untrusted computer is implicitly trusted to compute its own trustworthiness. What ramifications does that have on the real world analogies?
Banker: Can I trust that you'll repay this loan for $1 Billion?
Some joe off the street: [Hides "will work for food" cardboard sign behind his back.] Uh, sure.
And yet, how many NAC/NAP vendors actually try to challenge the unknown host (Java applet, ActiveX control, native code, etc.)? The answer is: nearly all of them, unfortunately. Even if Cisco fixes this hole, what will happen next? This is not unlike Cisco trying to sell a perpetual motion machine; this simply defies the "natural laws" of security.
--
NAC is not the answer. How about those good ol' 3270 connections?
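As an added illustration of the argument above (this is not code from the thread or from any NAC product), the toy below places a NAC decision that trusts the host's self-reported posture beside one that only honours the claim when a record the host does not control agrees with it. The host identifiers, dates and AV-console check-in table are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: what an AV management console has observed directly,
# keyed by a host identity the NAC server establishes itself (e.g. through
# 802.1X), not by a name the host merely claims in its report. If the
# identity is also self-reported, this corroboration collapses as well.
AV_CONSOLE_LAST_CHECKIN = {
    "host-a": datetime(2007, 4, 30, 9, 0),   # checked in this week
    "host-b": datetime(2007, 1, 2, 9, 0),    # agent silent for months
}

@dataclass
class PostureReport:
    """What the endpoint agent (or anything emulating it) sends."""
    host_id: str
    av_up_to_date: bool
    patches_current: bool

def naive_admit(report: PostureReport) -> bool:
    """Trusted input + untrusted computation: the host grades itself.
    Anything that speaks the agent protocol and says 'compliant' is admitted."""
    return report.av_up_to_date and report.patches_current

def corroborated_admit(report: PostureReport, now: datetime,
                       max_age: timedelta = timedelta(days=7)) -> bool:
    """Same self-report, but it is only honoured when evidence held off the
    host agrees (a recent check-in the AV console saw for itself). The host
    can still lie, but its own computation is no longer the sole basis for
    the 'trusted output'."""
    if not (report.av_up_to_date and report.patches_current):
        return False
    seen = AV_CONSOLE_LAST_CHECKIN.get(report.host_id)
    return seen is not None and (now - seen) <= max_age

def demo() -> dict:
    now = datetime(2007, 5, 1, 12, 0)   # constructed 'current time'
    honest = PostureReport("host-a", True, True)
    # host-b's real agent has not phoned home in months, yet the report
    # (say, from an emulated agent) claims full compliance.
    claimed = PostureReport("host-b", True, True)
    return {
        "honest_naive": naive_admit(honest),
        "honest_corroborated": corroborated_admit(honest, now),
        "claimed_naive": naive_admit(claimed),
        "claimed_corroborated": corroborated_admit(claimed, now),
    }
```

The naive policy admits both reports; the corroborated one still admits host-a but rejects host-b, whose claim is contradicted by the console's own records.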
RTFA before commenting... (Score:5, Insightful)
Would you care to quote the policy you claim he broke?
No, it sounds like he embarrassed the University IT administration, so they closed ranks and used a kangaroo court to express their displeasure. Dean Wormer put him on double secret probation first, I'm sure.
Re:University doing a favor (Score:2, Insightful)
Bait and Switch (Score:5, Insightful)
Re:This summer? (Score:5, Insightful)
OTOH, if he were smart enough to break this thing and he were malicious, he would have instead sold it to some Russian hacking group to put into new viruses. He didn't. He didn't crack anybody else's machines with it. He didn't run it on university equipment. He didn't do any of the thousands of truly malicious things he could have done. Based on that, I see no reason to believe that the guy didn't intend to tell Cisco about it... but probably not until after he graduated so that he wouldn't have to deal with a bug-fixed version of the software that disabled his workaround....
Instead of using the software maliciously (which would have been relatively easy by comparison), the guy just ran it on his own personal machines and gave it to other people to willingly run on their own personal machines so that they could use the network without the interference of an overbearing piece of security software. All the guy did was write software that made it look like he was running the stupid tool that the uni required him to run in order to use the network without actually having to run it. That's hardly malicious behavior, and if the guy was running reasonable antivirus protection software and was keeping up-to-date with security patches without the "assistance" of the tool in question, it really didn't create any significant security risk, either.
No, this is a typical knee-jerk reaction by bureaucrats. I would expect nothing better from most universities, but it's still a shame every time someone's life is needlessly wrecked because of a bunch of pencil pushers.
Re:Schools... (Score:3, Insightful)
Likewise children should be taught to do the damn work, contrary to what you may believe in real life you all too often need to do bitch work and you can't cry or throw a tantrum or get bored. I remember fondly how in 6th grade after realizing that every math assignment was from the book I simply took a few days and did all the assignments till the end of the year. Doing them all at once on my own was mildly interesting and gave me 2+ months of no math homework. A few friends even got into it and we had a sort of implied competition on who could finish the problems the fastest.
Re:University doing a favor (Score:2, Insightful)
Have you any idea how much confidential information lives on university networks? Many university researchers sit on loads of proprietary and/or highly sensitive data with confidentiality and nondisclosure agreements up the yingyang. Public health, national security, and defense research come to mind. Security MUST be part of the picture, lest the university lose the trust and the funding from external sources that value the privacy of their data.
You must be new here (the universe, not Slashdot).
Re:University doing a favor (Score:3, Insightful)
As someone who has fallen victim of University ID theft (SSN taken from a University computer), this guy could have been putting information at risk. Sorry, do not pass go, do not collect $200.
RonB
Re:University doing a favor (Score:4, Insightful)
There should be no connection between computers in dorms, labs, and classrooms, and any computer that has secure/financial information. They shouldn't have to rely on a crappy program from Cisco to give them the illusion of security.
Sorry about your ID theft. I'm a veteran who uses the VA, and I'm sure my SSN was one of those 26 million that were recently compromised. Got a nice letter saying they were sorry but I shouldn't worry. Of course, no credit monitoring, no ability to "freeze" my credit reports... just sit back and wait and hope nothing happens. Kind of like the University in this case... but not by choice.
Re:University doing a favor (Score:4, Insightful)
You obviously didn't read the articles. He did nothing that people with Macs or Linux or BSD on their computer aren't allowed to do. It's only Windows computers that they force users to run Cisco Clean Access on ... and they also force them to use Symantec Antivirus instead of letting them choose their own AV product.
Considering that Symantec AV is not the only antivirus out there, if you were running a different antivirus, you would have to bypass CCA as well.
Check out the article - CCA was taking up to 20 minutes to load - who wouldn't bypass that?
Also, it is not clear that it "violates university policy" to write such a program, if you're a computer major, and your class work involves looking at vulnerabilities in software - which is what he learned in class. Then again, those who can, do - those who can't - teach.
FTFA:
"Disrespect for authority?" "Disorderly conduct?" Aren't they part of what you go to university for - to question the "accepted wisdom"? Or are universities becoming enclaves where they'll start teaching that women have fewer teeth than men, because Aristotle taught that, and it must be true... (in this case Aristotle was clearly an idiot - he was married - twice - and never bothered to check!!! Sort of like the university's VP of IT, because they don't understand the difference between a program a student runs on his own computer, and "hacking their system.")
So, are they going to suspend every student who goes on a kegger? Flips the bird at a politician? Refuses to let their computer be hijacked by a buggy program? Sounds like a great place not to get an education.
BTW - his actions exactly suit his words - of course he'd withhold giving it to Cisco until he was ready to ask for a summer job / internship. Your uninformed criticism of him, on the other hand, shows you're real university administration material.
Re:University doing a favor (Score:1, Insightful)
Huh? So you think that because he's a computer major, the _production_ network is his personal playground? NO. The production network is only for precisely whatever IT designates it for. And all their policies are not in place just to piss you off. You may not know the reasons they're in place, and they may or may not be good reasons, but there are probably actual reasons. And those reasons probably have a whole lot more history and politics behind them than you realize.
Additionally, has it occurred to you that the reason only Windows computers were required to run the CCA client is because they're the only computers that could potentially cause the kind of problems that CCA is designed to help prevent? And additionally, it makes absolutely no difference whatsoever what you think of the policies, you don't get to ignore them just because you don't like them. And 20 minutes to get on the network sucks, but then a network with haxxored windows boxen on it sucks even more. And as for the Symantec thing.. you think the IT department automatically has the resources to support any software package you want to use in any manner you want to use it?
Grow up
Re:University doing a favor (Score:4, Insightful)
First, any computer user can get around CCA just by using Firefox and using the user agent switcher to say that it's running Linux - and this is very well known, has been for a long time, so CCA isn't about security; it's about promoting a cover-your-ass mentality.
Second, CCA is part of the problem, not part of the solution. CCA isn't a cure - it's a "feel good because we're doing something about it" thing. A cure, on the other hand, will only come about if people get cut off the network because their Windows box is p0wned. Then maybe they'll switch to a real operating system, and everyone will be ahead. The longer people continue to insist on their "right" to use a proven crappy toy operating system, and the longer it's tolerated, the harder it gets to fix everything.
Third, nobody was asking the school IT department to support "any software package" - if you had bothered to follow all the links, and then do some more research, you'd have found out that the VP of IT is despised by students and faculty, in part because of the crappy "support" for essentials (like half the computers in engineering don't work, AND they're not available after hours), but still finding time to force everyone to use CCA spyware.
Fourth, he wasn't "hacking a production network." He wasn't trying to break into a database, or steal sensitive information, or access the network on conditions different from any Mac or Linux user ... or any Windows user running Firefox and user agent switcher. Get a grip. Be less pompous. CCA is a piece of shit. It's KNOWN to be a piece of shit. Anyone who thinks they're secure because they run CCA is incompetent and should be fired - which is what a lot of people are saying about this particular VP of IT, for this and other problems.
Fifth, it's a university network. If it's not there for the students' education, WTF IS it there for? (aside from downloading pr0n, that is). It's already "insecure" (CCA is readily bypassable by the Firefox user agent trick) so what's the harm of pointing out other ways that CCA fails in its purpose? Or are you one of those who actually believes "security through obscurity and SLAPP lawsuits" works?
Sixth, we already know that monocultures are a bad thing. Requiring that all Windows users use the same brand of antivirus is just f*cked up. This was a stupid decision, because CCA can be configured to accept a list of AV packages. Bypassing CCA in this case is necessary if you want to avoid the problems of a monoculture within a monoculture.
Re:University doing a favor (Score:2, Insightful)
Again, your points sound great on the surface, but they make the assumption that you know more about their environment than they do, on top of other arrogant assumptions.
I'm neither defending CCA nor even universities. But for the love of electrons, *you* need to get a grip. The University took the exact right action in this case. The student did the exact wrong thing. Sorry.
Re:University doing a favor (Score:2, Insightful)