From firstname.lastname@example.org Wed Jul 16 10:59:47 2003
Date: Wed, 16 Jul 2003 06:14:52 -0400
From: Rockit [email@example.com]
Subject: [se2600] Interz0ne Press Release re: Blackboard Settlement
Interz0ne Press Release:
Censorship via lawsuit wins again.
Lawyers working for Blackboard Inc., the maker of a card transaction, vending and ID system used by approximately 275 colleges and universities globally, as well as an undisclosed number of government and military installations, succeeded in silencing two college students who have found numerous flaws in Blackboard's flagship product over the last two years.
Georgia Tech student Billy Hoffman, along with University of Alabama student Virgil Griffith, initially kept the discoveries quiet while attempting to report them to Blackboard engineers, along with possible fixes. Traditionally, the discoverers of such flaws allow the vendors time to fix problems before going public; this provides the vendors with essentially free quality control labor while the discoverers get later bragging rights and items to pad their resumes. This unofficial system has worked well in the past, to the extent that Blackboard even boasts of working with the hacker community on their website.
Instead of taking an interest in news of these flaws, however, Blackboard engineers first dismissed Hoffman as a know-nothing "kid", then attempted to have him expelled from Georgia Tech after he voiced his concerns about Tech's Blackboard system to campus administrators and student organizations. Hoffman responded by first publishing his (and later Griffith's) findings, and then updating his articles via talks at various vendor and security conferences.
It was at such a conference, Interz0ne II in Atlanta, that Hoffman and Griffith were planning to discuss the most severe problems they had uncovered to date, including a demonstration of several easy-to-assemble hardware devices that could supposedly allow anyone with malicious intent free rein on a Blackboard system.
Hoffman and Griffith never gave their talk.
Instead, they and the convention organizers were served with both restraining orders and cease and desist orders. Court dates soon followed, along with legal threats. Several months after the convention, both Hoffman and Griffith settled out of court. They refuse to discuss the issue, so one can assume that the settlement includes an NDA.
Blackboard spokesdrone Michael Stanton stated to AP reporters on Monday, July 14th (a day before the settlement was officially filed) that "...the claims [Hoffman and Griffith] were making were silly," that "...they really didn't do a lot of the things they were claiming to [have done]" and that the settlement reaffirms that Blackboard's systems are secure.
The settlement does nothing of the sort.
If Hoffman and Griffith's claims were "silly," why then the cease and desist order, the restraining order, and threats of charges for violating numerous state and federal statutes, including the Digital Millennium Copyright Act, the Economic Espionage Act, the Electronic Communications and Privacy Act, the Wiretap Act, the Computer Fraud and Abuse Act, the Lanham Act, Georgia's Computer Systems Protection Act and the Georgia Trade Secrets Act?
Hoffman and Griffith did not do "a lot of the things they were claiming to" because they were served prior to their talk and thus unable to present their findings or demonstrate their hardware (presumably because they didn't bother to finish assembling it once they knew they wouldn't be speaking). Keep in mind that Hoffman has published articles and given similar lectures in the past; he knew what he was talking about and was prepared to demonstrate such.
Upon the advice of convention counsel, the talk was cancelled due to the pending legal issues and the waiting audience was informed. What happened next was unexpected: an angry audience quickly mirrored the contents of Hoffman and Griffith's websites, which contained all of their earlier research. Within ten minutes, information Blackboard wished to suppress was transmitted to dozens of countries spread over six continents. To this day, a simple web search will bring up numerous copies of the sites in various languages. Thousands (millions?) of people all over the world now have access to this information, not simply a few concerned security professionals and college students who were interested in the flaws and fixes for mainly academic reasons.
Several mailing lists and websites outside US jurisdiction have been set up, and new flaws, some seemingly similar in nature to the suppressed research, and some potentially worse, are now openly discussed. Anonymous individuals claiming to be frustrated administrators of Blackboard systems occasionally post to these message boards, and they usually have few kind words regarding Blackboard or their products. A few posters have even expressed openly malicious intentions.
To conclude that Blackboard's transaction system is now secure, simply because their lawyers have silenced a couple of college-kid critics is, as Mr. Stanton stated, "silly." It is also misleading, irresponsible, potentially dangerous, possibly false advertising and maybe even fraudulent.
If Blackboard's system is truly secure, they would not have prevented Hoffman and Griffith from speaking. If Blackboard's system is truly secure, they would gladly allow outside, independent and public security audits. Scientific knowledge is advanced through a similar process known as "peer review," in which theories are put forth, freely discussed, challenged by critics and then stand or fall on their own merits.
Who do you think is better qualified to decide if Blackboard's system is truly secure? A couple of engineering students who seem to have proven they know this system better than its designers, or corporate lawyers and PR flacks who wish to censor and spin-doctor? For now, the former appear to be barred from speaking, and the latter have the final say.