FC: Judge orders researchers, conference not to reveal security flaws

[Declan McCullagh <declan () well com>]

Sorry for the delay on sending this one out, folks. The preliminary 
injunction is here:
http://www.interz0ne.com/events/Blackboard_Restr_Order.pdf
And the complaint is here:
http://www.interz0ne.com/events/Blackboard_Complaint.pdf

A few points:

* The plaintiff company (Blackboard) appears to be making an interesting 
claim: That publishing this info is commercial speech, even though the 
complaint cites the language that the defendants might "give" the devices 
away. (http://news.com.com/2100-1028-996836.html)

* It is true that the DMCA is one of the claims, but focusing on that 
misses the bigger picture. Even if the DMCA did not exist, I'd wager that 
the judge would have granted this restraining order.

* My memory of prior restraint law is hazy, but I recall that the Supreme 
Court (Freedman v. Maryland) has said that they are possibly acceptable 
when a prompt adversarial proceedings take place -- and this week's hearing 
would probably qualify. The interesting twist we get here is that because 
the presentation is now so widely distributed thanks to Google's cache, the 
"immediate and irreparable" harm Blackboard cited in its request for an 
injunction seems to have already taken place, and there's little the court 
can do. So there's a reasonable argument, I'd say, the analysis should halt 
there and the injunction should be denied (a subpoena to Google asking how 
many people viewed the cached presentation would be interesting).

-Declan

---

Date: Sat, 12 Apr 2003 22:08:53 -0400
From: E2 <e2 () lugatgt org>
To: declan () well com
Subject: bad news

Hi Declan,

I have some bad news from Interz0ne.  Our friends Billy Hoffman and
Virgil Griffith have been silenced by the DMCA.  Blackboard Inc.,
a company that makes credit card like systems for many universities,
has ordered them to destroy their a presentation on errors and
negligent vulnerabilities in the Buzzcard system.  A cease and desist
letter arrived citing future charges based on the Lanham Act, and
"(among others) the Digital Millenium Copyright Act, the Economic
Espionage Act, the Electronic Communications Privacy Act,
the Wiretap Act, and the Consumer Fraud and Abuse Act, as well as
Georgia's Computer Systems Protection Act."(1)
        Billy and Virgil have been cataloging vulnerabilities in
the card system here at Georgia Tech in an attempt to have the
administration provide the students a secure system.  The system
Blackboard has provided to Georgia Tech the is labeled the "Buzzcard"
system.  It has many uses around campus, most notably holding
student money for electronic transfer.  Virgil and Billy discovered
that the system had many blatant flaws and was a risk to every student
on campus.  They communicated with Blackboard and the director of
Buzzcard services.  Their complaints about security were not acted
upon.  In fact, their research was blown off as being false.  Now,
just as Billy and Virgil were about to announce the their findings
at Interz0ne, they were throttled by a court order and will soon
face a lawsuit backed by a large company.  Instead of listening and
improving their product, Blackboard has chosen to try and destroy the
lives to two bright young people, and the recent legislation that we
know so well is the perfect bludgeon for doing it.

(1)  http://interz0ne.com/events/interz0ne_cease_order.html

google's cache of their page:

http://216.239.33.100/search?q=cache:rrdoEQlM2v4C:www.yak.net/acidus/campuswide/interz0ness.ppt+blackboard+interz0ne+hack&hl=en&ie=UTF-8
(ware wrap)

Please post this to Politech, I think we need help on this one.
You can post my email address.


--
Eric Innis

---

Date: Sat, 12 Apr 2003 19:32:10 -0500
To: dave () farber net, declan () well com
Subject: Interz0ne receives cease and desist order
Message-ID: <20030413003210.GA5782 () sleekhosting com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
From: John Bigelow <angler () sleekhosting com>

Conference chair members and members giving presentations have received
a cease and desist order. The information can be found at :
www.interz0ne.com

---

Date: Mon, 14 Apr 2003 18:12:50 -0400
From: Jamie McCarthy <jamie () mccarthy vg>
Subject: DMCA used to shut down campus ID security talk
To: dave () farber net, ip <ip () v2 listbox com>, declan () well com,
   politech () politechbot com

Dave, Declan,

You may be interested in this use of the DMCA to shut down a talk at
a security conference over the weekend.  The topic was flaws in the
security of an ID card system used at quite a few colleges and
universities, and how to exploit those flaws.


http://features.slashdot.org/features/03/04/14/1846250.shtml

Blackboard Campus IDs: Security Thru Cease & Desist

Posted by jamie on Mon Apr 14, '03 03:14 PM EDT
from the cease-and-desist dept.

On Saturday night, Virgil and Acidus, two young security
researchers, were scheduled to give a talk at Interz0ne II on
security flaws they'd found in a popular ID card system for
universities. It's run by Blackboard, formerly by AT&T, and you may
know it as OneCard, CampusWide, or BuzzCard. On Saturday, instead of
the talk, attendees got to hear an Interz0ne official read the Cease
and Desist letter sent by corporate lawyers. The DMCA, among other
federal laws including the Economic Espionage Act, were given as the
reasons for shutting down the talk. I spoke with Virgil this
morning.

Virgil was there two years ago when Dmitri Sklyarov was arrested and
led away in handcuffs at Def Con 9. He's not in handcuffs now, but
in speaking to me, he had to stop and think about everything he
said, and every third answer was "I really shouldn't talk about
that."

The DMCA is largely to thank for that. Section 1201 states that no
one "shall circumvent a technological measure that effectively
controls access to a work," and that no one "shall... offer to the
public... any technology" to do so. Blackboard Inc., whose card
system is called the Blackboard Transaction System and known to end
users under various names, uses a network of card readers and a
central server, and they communicate over RS-485 and Internet
Protocol -- using, or so they apparently claim, measures that
effectively control access.

For the record, none of what I learned about the Blackboard
technology was from him or Acidus after the restraining order was
sent. I spoke to other people, who have not been served with a
restraining order. Google has a less enlightening mirror of the
slide titles from this weekend's PowerPoint presentation and a more
enlightening mirror of Acidus's "CampusWide FAQ" from last July.
And, most enlightening of all, this mirror [1] has an updated
version with details on what they figured out how to do and what
their talk was going to be about (click "CampusWide" for the text
description, the PowerPoint slides, and Acidus's timeline of the
last year).

At many schools, Blackboard's system is the ID: you swipe your card
for your meal plan at the cafeteria, to get into your dorm, maybe
even to get your final exam.

A swipe at a vending machine will get you a soda -- a money
transaction from your campus debit account. When you use a swipe to
do laundry and make copies, money has to be involved. Blackboard
even notes that they can set up a merchant network on- and
off-campus: "a cashless, safe, and secure way to transact on and
around campus while offering parents the assurance that their funds
will be spent within a university-approved network."

[...]

[1] http://www.se2600.org/acidus/index.html




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
-------------------------------------------------------------------------
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------