Interesting People mailing list archives
DMCA used to shut down campus ID security talk
From: Dave Farber <dave () farber net>
Date: Mon, 14 Apr 2003 18:58:05 -0400
------ Forwarded Message From: Jamie McCarthy <jamie () mccarthy vg> Date: Mon, 14 Apr 2003 18:12:50 -0400 To: dave () farber net, ip <ip () v2 listbox com>, declan () well com, politech () politechbot com Subject: DMCA used to shut down campus ID security talk Dave, Declan, You may be interested in this use of the DMCA to shut down a talk at a security conference over the weekend. The topic was flaws in the security of an ID card system used at quite a few colleges and universities, and how to exploit those flaws. http://features.slashdot.org/features/03/04/14/1846250.shtml Blackboard Campus IDs: Security Thru Cease & Desist Posted by jamie on Mon Apr 14, '03 03:14 PM EDT from the cease-and-desist dept. On Saturday night, Virgil and Acidus, two young security researchers, were scheduled to give a talk at Interz0ne II on security flaws they'd found in a popular ID card system for universities. It's run by Blackboard, formerly by AT&T, and you may know it as OneCard, CampusWide, or BuzzCard. On Saturday, instead of the talk, attendees got to hear an Interz0ne official read the Cease and Desist letter sent by corporate lawyers. The DMCA, among other federal laws including the Economic Espionage Act, were given as the reasons for shutting down the talk. I spoke with Virgil this morning. Virgil was there two years ago when Dmitri Sklyarov was arrested and led away in handcuffs at Def Con 9. He's not in handcuffs now, but in speaking to me, he had to stop and think about everything he said, and every third answer was "I really shouldn't talk about that." The DMCA is largely to thank for that. Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work," and that no one "shall... offer to the public... any technology" to do so. Blackboard Inc., whose card system is called the Blackboard Transaction System and known to end users under various names, uses a network of card readers and a central server, and they communicate over RS-485 and Internet Protocol -- using, or so they apparently claim, measures that effectively control access. For the record, none of what I learned about the Blackboard technology was from him or Acidus after the restraining order was sent. I spoke to other people, who have not been served with a restraining order. Google has a less enlightening mirror of the slide titles from this weekend's PowerPoint presentation and a more enlightening mirror of Acidus's "CampusWide FAQ" from last July. And, most enlightening of all, this mirror [1] has an updated version with details on what they figured out how to do and what their talk was going to be about (click "CampusWide" for the text description, the PowerPoint slides, and Acidus's timeline of the last year). At many schools, Blackboard's system is the ID: you swipe your card for your meal plan at the cafeteria, to get into your dorm, maybe even to get your final exam. A swipe at a vending machine will get you a soda -- a money transaction from your campus debit account. When you use a swipe to do laundry and make copies, money has to be involved. Blackboard even notes that they can set up a merchant network on- and off-campus: "a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network." [...] [1] http://www.se2600.org/acidus/index.html ------ End of Forwarded Message ------------------------------------- You are subscribed as interesting-people () lists elistx com To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- DMCA used to shut down campus ID security talk Dave Farber (Apr 14)