Interesting People mailing list archives

DMCA used to shut down campus ID security talk


From: Dave Farber <dave () farber net>
Date: Mon, 14 Apr 2003 18:58:05 -0400


------ Forwarded Message
From: Jamie McCarthy <jamie () mccarthy vg>
Date: Mon, 14 Apr 2003 18:12:50 -0400
To: dave () farber net, ip <ip () v2 listbox com>, declan () well com,
politech () politechbot com
Subject: DMCA used to shut down campus ID security talk

Dave, Declan,

You may be interested in this use of the DMCA to shut down a talk at
a security conference over the weekend.  The topic was flaws in the
security of an ID card system used at quite a few colleges and
universities, and how to exploit those flaws.


http://features.slashdot.org/features/03/04/14/1846250.shtml

Blackboard Campus IDs: Security Thru Cease & Desist

Posted by jamie on Mon Apr 14, '03 03:14 PM EDT
from the cease-and-desist dept.

On Saturday night, Virgil and Acidus, two young security
researchers, were scheduled to give a talk at Interz0ne II on
security flaws they'd found in a popular ID card system for
universities. It's run by Blackboard, formerly by AT&T, and you may
know it as OneCard, CampusWide, or BuzzCard. On Saturday, instead of
the talk, attendees got to hear an Interz0ne official read the Cease
and Desist letter sent by corporate lawyers. The DMCA, among other
federal laws including the Economic Espionage Act, were given as the
reasons for shutting down the talk. I spoke with Virgil this
morning.

Virgil was there two years ago when Dmitri Sklyarov was arrested and
led away in handcuffs at Def Con 9. He's not in handcuffs now, but
in speaking to me, he had to stop and think about everything he
said, and every third answer was "I really shouldn't talk about
that."

The DMCA is largely to thank for that. Section 1201 states that no
one "shall circumvent a technological measure that effectively
controls access to a work," and that no one "shall... offer to the
public... any technology" to do so. Blackboard Inc., whose card
system is called the Blackboard Transaction System and known to end
users under various names, uses a network of card readers and a
central server, and they communicate over RS-485 and Internet
Protocol -- using, or so they apparently claim, measures that
effectively control access.

For the record, none of what I learned about the Blackboard
technology was from him or Acidus after the restraining order was
sent. I spoke to other people, who have not been served with a
restraining order. Google has a less enlightening mirror of the
slide titles from this weekend's PowerPoint presentation and a more
enlightening mirror of Acidus's "CampusWide FAQ" from last July.
And, most enlightening of all, this mirror [1] has an updated
version with details on what they figured out how to do and what
their talk was going to be about (click "CampusWide" for the text
description, the PowerPoint slides, and Acidus's timeline of the
last year).

At many schools, Blackboard's system is the ID: you swipe your card
for your meal plan at the cafeteria, to get into your dorm, maybe
even to get your final exam.

A swipe at a vending machine will get you a soda -- a money
transaction from your campus debit account. When you use a swipe to
do laundry and make copies, money has to be involved. Blackboard
even notes that they can set up a merchant network on- and
off-campus: "a cashless, safe, and secure way to transact on and
around campus while offering parents the assurance that their funds
will be spent within a university-approved network."

[...]

[1] http://www.se2600.org/acidus/index.html


------ End of Forwarded Message


Archives at: http://www.interesting-people.org/archives/interesting-people/

