Student Attempting To Improve School Security Suspended
TA_TA_BOX writes "The University of Portland has handed a one-year suspension to an engineering major after he designed a program to bypass the Cisco Clean Access (CCA). According to the University of Portland's Vice President of Information Systems, the purpose of the CCA is to evaluate whether the computers are compliant with current security policies (i.e., anti-virus software, Windows Updates and Patches, etc.). Essentially the student wrote a program that could fool the CCA to think that the computer's operating system and anti-virus were fully patched and up to date. 'In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says.'"
Not impressed (Score:5, Interesting)
Cisco Clean Access Agent... (Score:5, Interesting)
Am I Nitpicking (Score:3, Interesting)
~S
let's just suspend ALL students and save time (Score:5, Interesting)
why is this country SO AFRAID of students and so into controlling them? I'm not sure I could survive in a modern high school or even college environment now. I'd be too angry all the time at how badly they are mismanaging our youth.
I am quickly losing all my faith and trust in the so-called 'education system' we have in the US. it's becoming not much more than babysitting and nannying.
and I fear for the kind of young adults we are going to produce from this brainwashing factory we call 'school'.
anyway, what good is there in suspending this kid? what does that accomplish? the fact that he found YOUR security flaw embarrassed you? is that a reason to punish him?
perhaps the school does not DESERVE your funding. yes, YOU fund the school - they work FOR YOU. it's not the other way around. YOU are the consumer. if school-A is giving you crap, why not take your business elsewhere? yes, school IS a business - very much so.
Re:Not impressed (Score:4, Interesting)
wow, excellent points (Score:5, Interesting)
Which brings up your main, and correct, point. It's sad when we penalize so harshly for students just being clever. Would they have suspended him for a year for putting a penny in the dorm elevator (in effect locking it on a single floor during early morning rush time)??? I often joke, and I'm sadly accurate: If I did half of what I did 20 years ago in high school and later college....today...I'd be a multiple strike felon...and yet no one or any property was really ever hurt
Re:Do schools have a policy about this? (Score:3, Interesting)
If the former, then yeah, the kid had it coming. You don't bypass security on computers that aren't yours. Punishment was too harsh, but it sounds like he did break policy, and the university is in the right to do something. If he didn't have permission to bypass security on their network for research, then he has no excuse.
Now if it was the latter, and he did this on his OWN machine on the university network, then unless they state somewhere specifically that you "MUST BE RUNNING CCA TO ACCESS OUR CRAPPY NETWORK!!" then the university doesn't really have a case.
IANAL, but I am in IT. We are slightly lax about what we allow our employees to do with their machines, since we have less than 200 employees. But if they bypassed security? Break of usage policy, case closed.
The article is vague, how exactly did he "patch some holes" by bypassing CCA?
Re:University doing a favor (Score:3, Interesting)
At my uni we are given a pathetic 150mb/month internet quota and we are charged $7/gig extra.
I naturally found a way to get free net and I really don't have any problem using it for personal use.
I don't abuse it or anything either.
If the Cisco software put constraints on how the guy could use the computer then I would hire him in an instant.
The more you try to lock something down, the more people try to fight back.
You'd be stupid not to hire the people who beat the system - especially since we are talking about a Cisco system.
Re:Not impressed (Score:5, Interesting)
http://www.securityfocus.com/archive/1/408603/30/
As in, they've known about this for at least 20 months...
My experience with CCA (Score:2, Interesting)
They never did implement CCA after the trial. Now, the dorm network is simply bandwidth-throttled and packet-shaped to oblivion. Dial-up is faster, I am sure. It's still a security risk, but so slow that no one gives a shit.
Re:let's just suspend ALL students and save time (Score:1, Interesting)
That reminds me of something that happened back in sixth grade.
I was fortunate that in the early 80's, Apple had donated some computers to my school district. I was in the "gifted" program, so we got to use the Apple computer lab at the junior high school once a week. My mother was a teacher in the local district, so she was able to borrow a computer during the summer, and at about the same time my father bought a TRS-80 from Radio Shack. The end result was that at about the age of five, I started learning to program these computers.
Fast forward to sixth grade. By now I had plenty of experience with Apple computers and was starting to learn some of the more advanced things you could do: peeking and poking memory, getting programs to boot from floppy disk, etc. Well, one of my science classes studied computers for a few weeks and we used the computer lab on a regular basis. Being the type of person I was, intelligent and all too happy to question authority and mess with adults, I wrote a program that when booted from floppy made a bunch of beeps on the computer and flashed some bogus alert/warning message.
I set the teacher up such that when he sat down on a machine and powered it up, he'd get this scary warning message. Sure enough it worked, and the teacher got freaked out. Unfortunately, when he learned that it was just something I had rigged up, he got mighty pissed and banned me from the lab for a while.
One thing you can count on is for adults to misunderstand the youth and fear that which they don't understand. Rather than having to acknowledge a youngster on a personal level and try to understand their motivations, they simply react and try to punish the kid like you would a "bad" dog.
Re:wow, excellent points (Score:5, Interesting)
In under a week I had captured the accounts of every active student user on the system, plus all the supervisory accounts. It was pretty unbelievable (as in, "holy SHIT Jesus Mary mother of God" unbelievable) and I couldn't understand why there were no precautions taken against that sort of thing. Needless to say I had no problems with account time after that. That was on the one mainframe: there was another guy, pretty sharp coder, that figured out what I was doing. At first I thought I was screwed, but he was delighted by the idea and duplicated it on the bigger system (this was years before the word "pwned" came into the popular lexicon but it's no less applicable.) No surprise, a few days later and he had the run of that machine. So far as I'm aware, nobody ever figured out what we'd done. The big system was the one that had everything administrative on it from student grades to paper clips and we could have wreaked havoc if we'd wanted to. As it was, though, we just wanted more computer time to do our homework.
A couple of years later my father testified in front of my State's legislature regarding a new "computer crime" bill they were shopping around. It was one of those ridiculous "zero tolerance" laws that make the lawmakers look "tough on crime" but end up shafting a lot of people that don't deserve it. Dad pointed out to these idiots that, if passed, their brain-child would immediately criminalize 90% of the best and brightest students in our engineering and computer science curricula. They backed off in a hurry and came back with a more reasonable bill, which never got passed anyway.
That was then. Nowadays, I don't think our lawmakers would bat an eye if they put half our smartest engineering students in jail. They're just engineers, after all, and
Re:University doing a favor (Score:3, Interesting)
Believe me, UP is a nice school, but it's not one of those.
Having worked with some of these particular IT people, they're mostly ignorant and get very nasty about anyone who tries to point it out. They are only coming down on him so hard because he made them look bad. It's being done to make him an example to anyone else who might make them look bad.
They really don't care about security - only the illusion of it.
Re:RTFA before commenting... (Score:3, Interesting)
And, btw, university code of conduct, aups and the like are meant to be vague. Not so they can stick it to anybody they don't like, but because it's impossible to enumerate the entirety of stupid behavior. University students should have the brains to not need an itemized list of good and acceptable behavior.
All in all it sounds like they're being pretty nice to the guy. He's just been suspended, he could have been expelled.
Re:University doing a favor (Score:3, Interesting)
Does that mean that a student who owns a Mac won't be allowed on the University Network since Macs don't need, or at least very few of them have any anti-malware crap? Does that mean Mac users, or even Windows users are forced to run all sorts of garbage software, just so they may use the University's precious network? I'd find myself a more enlightened place to spend precious education dollars. What business is it of anybody to search my PERSONAL computer for whatever software or data it contains? Let them install a decent firewall and spend a few dollars on educating users how to avoid malware by not clicking OK on every dialog box and opening every email.