Blackboard story in the Washington Post

[Dave Farber <dave () farber net>]

------ Forwarded Message
From: John Adams <jadams01 () sprynet com>
Date: Fri, 18 Apr 2003 07:48:47 -0400
To: dave () farber net
Subject: Blackboard story in the Washington Post

http://www.washingtonpost.com/wp-dyn/articles/A48214-
2003Apr17.html?referrer=email

Here's the paragraph that annoys me no end:

"We weren't really worried about security of the system. We were
worried about the reputation of the system," Baker said. The company
said that, to its knowledge, no one has ever hacked into its card
systems, used on college campuses since the 1980s.

I know, I know, perception is reality, and all that pomo-corpocrap--but
these guys _clearly_ said they could compromise the security of the
system, and wrote a paper detailing the weaknesses which allow those
compromises. My perception, which may not be reality, is that paragraph
above is spin designed to impede communication.

The whole story follows.

All the best,

    John A
    see me fulminate at http://www.jzip.org/

Blackboard Gets Gag Order Against Smart-Card Hackers

By Anitha Reddy
Washington Post Staff Writer
Friday, April 18, 2003; Page E01

A D.C.-based company that sells a "smart card" network used on more
than 200 college campuses has blocked two students from publicly
describing how to override the system to circumvent building security,
obtain free soft drinks and avoid paying for laundry.

Blackboard Inc. obtained a court order last weekend preventing Billy
Hoffman, a computer science major at Georgia Tech, and Virgil Griffith,
a student at the University of Alabama, from discussing vulnerabilities
in the card system at a hacker convention in Atlanta.

The case has prompted heated discussion online among hackers and
technology groups, because it touches on a controversial federal law
that forbids people to pick the virtual locks protecting electronic
content.

Hoffman described breaking into a card reader installed in a dorm
laundry room "with a cheap metal knife" and discovering how to trick
the system into doling out free washes in an article last year in 2600,
a hacker magazine.

"Hopefully, this article will force Blackboard to change to a more
secure system," Hoffman wrote. Hoffman has spoken at several hacker
conventions on the topic in the past two years, according to his online
résumé and Bob Roth, the chief executive of another campus card
provider, NuVision Networks Corp.

Blackboard did not sue Hoffman immediately after the article was
published because it understood that Georgia Tech had punished him,
said Greg Baker, vice president of product development for Blackboard
Transaction System. Georgia Tech would not say whether it sanctioned
Hoffman.

But now, the company says Hoffman's talks provide a "blueprint" for
vandalism and copyright infringement and mislead clients about the
safety of its systems.

"We weren't really worried about security of the system. We were
worried about the reputation of the system," Baker said. The company
said that, to its knowledge, no one has ever hacked into its card
systems, used on college campuses since the 1980s.

In a statement, the company accused Hoffman and Griffith of "promoting
methods to dismantle secure hardware installations by vandalizing and
gaining access to wiring of Blackboard Transaction Systems."

"These flaws don't necessarily just extend to silly things such as
tricking a Coke machine -- they have much more important implications
to physical security," Hoffman said in an Associated Press report
yesterday.

Hoffman and Griffith declined to be interviewed yesterday through their
lawyer, Pete Wellborn. Blackboard cards go by a variety of names and
have a variety of uses. At some schools, such as Ohio State University,
students swipe their Blackboard cards to enter dormitories and other
secured buildings.

At Georgia Tech, Blackboard's cards are called BuzzCards, a reference
to the school mascot, the yellow jacket, and they are carried by all
students, faculty and staff. They are the school's main ID card and
serve as library cards, meal cards and campus debit cards that can be
used in vending machines and laundry rooms.

The computer system that stores BuzzCard balances isn't linked to the
same databases that store students' financial, academic and health
records, according to university spokesman Bob Harty.

Wellborn, the attorney for Hoffman and Griffith, said Blackboard rested
its case on several federal and state statutes, but not the 1998
Digital Millennium Copyright Act. That act set off a debate between
proponents who argued it safeguarded intellectual property and legal
experts who declared it would smother innovation. It remains
controversial in the technology community.

Blackboard's lawyers cited the act in their letter last week demanding
the pair call off their presentation. Wellborn, who has an
undergraduate degree in computer science and teaches Internet law at
Georgia Tech, said it could come up in the case.

Last month, Hoffman attended a trade show for campus card users as a
paid consultant for Blackboard competitor NuVision Networks. Roth said
the company had invited Hoffman to the New Orleans event after using
excerpts from his article on Blackboard's card system in its
promotional literature for the past two years.

In fact, Hoffman peppered Blackboard's Baker, who was manning a booth
at the show, with questions about Blackboard's security before
identifying himself, Baker said. He added that Hoffman "seemed nice and
pleasant."

A hearing on the case is scheduled for May 30 before DeKalb County
Superior Court Judge Anne Workman, who issued the restraining order.


------ End of Forwarded Message

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/