From: Joe Klein [jsklein@x]
To: SE2600 List [root at don't-you-dare se2600.org]
Subject: RE: [se2600] RE: Swipe Card Hack Prompts Complaint
Date: Thu, 17 Apr 2003 13:42:46 -0400
Response send to author:
Thank you for the article, but I think you have been misinformed.
Fact 1: Banks and other financial institutes are required by law to secure financial transactions between and over networks. Even on the Internet, financial transactions are secured using ssl encryption. Blackboard, now acting like a financial network, is not using secure communications.
Fact 2: BlackBoard has other products which have had vulnerabilities over the last 4 years. Apparently, they have a history of slow response to security problems.
Fact 3: Harvard signed a contract, releasing BlackBoard of all liability, in the used of their product. Any financial loss because of the lack of security in the BlackBoard systems, will be absorbed by Harvard.
Fact 4: This problem was reported to the BlackBoard company 6 months ago. This delay of addressing the security vulnerability only exposes blackboard customers and not Blackboard company.
Fact 5: The majority of hackers are not caught, so focusing on prosecution of the crime and not securing the system, would be considered a lack of due diligence. There for holding the Blackboard customers again, liable for all loss.
Here is the backup information which substantiates the above facts.
2003-01-25: Blackboard Learning System search.pl SQL Injection
2003-01-21: Blackboard Learning System search.pl SQL Injection
2002-07-01: Blackboard Cross-Site Scripting Vulnerability
2000-07-18: Blackboard CourseInfo 4.0 Database Modification
2000-07-10: Blackboard CourseInfo 4.0 Plaintext Administrator
Now here is the challenge to you, how about writing an article which
addresses the facts.
Snagged from the SE2600 mailing list.