April 23, 2003
The card systems that form the backbone of most college campuses have come under scrutiny recently after a self-described hacker, Billy Hoffman, published a guide on how to hack into his school’s card system. Hoffman, who is better known on the web as Adicus, and his “research” partner Virgil Griffith were scheduled to discuss vulnerabilities of the Blackboard Transaction System at a recent annual hacking convention known as Interz0ne. Hoffman attends the Georgia Institute of Technology and Griffith is a student at the University of Alabama at Tuscaloosa.
Prior to this presentation, Hoffman published an article, “CampusWide Wide Open”, on the same topic in a recent issue of 2600 magazine. Moments before their scheduled talk, the head of the conference was served with a cease-and-desist letter from Blackboard’s attorneys. Blackboard, better known as CampusWide, OneCard, or BuzzCard, is the most popular card system on college campuses. It is a localized debit-card system linked and databased to everything from building entrances to laundry, snack machines and dining halls.
According to Tony Salerno, Cornell dining system manager, the University adopted the Diebold card system in 1991 for unspecified reasons. Security was a non-issue at that time. Brad Stephenson, general manager of Diebold Card Systems Division, credited Diebold’s history in the banking industry. Before producing ATM machines, they produced safes, clear proof of their dedication to security. “We have 150 years in the security business,” said Stephenson.
Although Cornell’s card system is fundamentally different from CampusWide’s, Salerno still has taken notice of the recent events. “When we see something like [Hoffman’s] paper, we take a good look at it,” Salerno said. “Obviously, we look at security as a serious issue. We feel that the Diebold system is the safest,” Salerno continued. Stephenson said in concurrence with Salerno that security is “fluid”.
“Just like anti-virus software updates to keep pace with new viruses, our company needs to update our system to keep up with new methods of attack,” Stephenson said.
The two hackers discovered the vulnerabilities at their schools while exploring the many aspects of the system. Hoffman and Griffith claim that their hacking was done in the name of research and that they merely wished to point out the failings of the CampusWide network. Hoffman’s website and other hacker-orientated websites have made their cause a rallying point for free speech advocates.
Michael J. Stanton, senior director of corporate communications of Blackboard Inc., through a press release on Blackboard’s website, claimed that the company turned to legal actions because they felt that Hoffman and Griffith were far too explicit in detailing the vulnerabilities of their system. Stanton claimed the company feared that Hoffman and Griffith’s work could read as a how-to manual for breaking into their system, which would compromise over 275 campuses.
In a follow-up interview, Stanton said that the court ruled in favor of the injunction “because what Mr. Hoffman and Mr. Griffith did was to promote the use of illegal activity. They provided blueprints for how to vandalize property, illegally wiretap our system, and violate Blackboard intellectual property.”
In the press release, Stanton even suggested that one of the pair had been employed by a competitor, but failed to mention which one. Later, Stanton identified Hoffman as the purported consultant, but for legal issues refused to name the employer. Stephenson and Diebold refused to comment on this assertion that one of the hackers had been a consultant for a competitor. Stephenson did agree with Blackboard’s suppression of Hoffman’s article, saying if a similar article were published concerning the Diebold system, “We would work to prevent any release.” Hoffman and Griffith claim that Blackboard’s actions violate their free speech.
On the website Slashdot, many people have expressed their frustration on this issue. One contributor, identifying himself as nehumanuscrede, said, “Think of America as the ‘politically correct’ police state.” Numerous contributors agreed with this sentiment, arguing that Blackboard was using the law to control thought and expression.
The online magazine Salon entered the fray last week with an article entitled “The Copyright Cops Strike Again”. The article, written by former Sun editor-in-chief Farhad Manjoo ’00, agrees with many Slashdot contributors who argued that this was a violation of free speech.
Salerno disagreed with this conclusion; he suggested that some restraint should be used in the publishing of such important security flaws. “My personal opinion is that [Hoffman] certainly has the right to voice his opinion. However, I agree with the order if publicly disclosing certain technical details puts the card holders or other users at risk, financial or otherwise,” said Salerno.
This debate has become very polarized: the Salon article referred to Hoffman and his associate as “researchers” instead of employing the term “hackers”. “I think ‘researchers’ is a generous term … [even] ‘hacker’ is generous,” Stanton said. “I think they are vandals,” he added. Stanton elaborated on this by saying that what Hoffman and Griffith had done was to break into the physical architecture of Blackboard’s system and proceed to “illegally wiretap” the system.
Salerno questioned the relative vulnerabilities that Hoffman outlined in his paper. “I think [Hoffman] makes it sound easier than it is to do and ultimately if someone tries this, the expense will merely be passed on to the customers,” said Salerno. “Damages are costly and are yet another factor in rising tuition costs,” said Stephenson.
One of the vulnerabilities Hoffman exposed required splicing a laptop into a Coke machine’s connection to the card reader; others required removing casings to the card readers.
Stephenson said that the point-of-entry attack described in the case of the Coke machine “will fail on our system.” “I didn’t see anywhere in [Hoffman’s] article claims that he could steal money from your card,” Salerno said.
One frailty of the CampusWide system that Hoffman criticized was that much of the electronic architecture is based upon 1980s technology. Salerno agreed with this criticism and stated that the key aspect of Diebold’s system, the database software, is based upon modern Oracle software.
This is not an exercise in theoretical security issues for all involved parties, though. On April 17, a former Boston College student, Douglas Boudreau, received five years probation for collecting personal information from his school’s card system and abusing it for a total of nearly $2000 in goods and services. Boston College officials could not be reached for comment.
Archived article by Michael Margolis
April 23, 2003
Fourth in a series on interesting courses at Cornell.
Three credits, three 50-minute classes weekly…inner peace? Not quite, but if you take ASIAN 277: Meditation in Indian Culture, you will at least be introduced to the concept of meditation. The course, taught by Prof. Daniel Gold, asian studies, was envisioned as a class that would serve as a “survey or sampler” of meditation techniques and history.
Meditation is not exactly the staple of an Ivy League education, but students have responded well to this opportunity to expand beyond what are, for most, Western cultural boundaries. Ravi Barr ’05, who took the course in 2002, said that “everyone is out there studying economics, and unless you’re an asian studies major, you normally don’t learn this kind of stuff.”
“If you take the class you are expected to experiment with meditation practices,” Gold said. However, he also added that students “are graded on papers.” Gold, who did his undergraduate studies at the University of California at Berkeley and his graduate studies at the University of Chicago, describes the class as “less conventional” than most. That’s because at least once, maybe twice a week, part of lecture will be devoted to experimenting with a style of meditation.
The course primarily focuses on Hindu and Buddhist meditation styles, which include, among other techniques, breath meditation, mantra meditation (word-based), simple visualizations, and philosophical meditations. According to Gold, “these meditation styles are paired with certain aspects of cultural traditions.” Because of this, Gold dedicates a significant part of the class to “understanding what meditation techniques are, and how they fit into cultural traditions.”
Gold meditates himself, and when asked why, he responded jokingly, “I’d like to say salvation, but I haven’t gotten it yet.” Gold says that many students have informed him that they enjoyed meditation’s secular aspects, in that they found meditation relaxing.
The class has been taught three times in the past few years, most recently in the spring of 2002. One of the reasons Gold developed the class was a grant offered by the American Council of Learned Societies that worked to promote meditation through the classroom. Another reason that Gold claims impelled him to teach the class was the perceived level of ignorance the average person has when it comes to meditation. “I think there is just a general lack of knowledge about [meditation],” Gold said.
The class may be “less conventional” but it does still require three to four papers, depending on how many students are enrolled. In 2002, class enrollment swelled to 150 students. The first time it was offered, enrollment was in the 25-30 range. Gold said that if enrollment does not taper off they will have to start limiting enrollment because they cannot find the teaching staff to handle the class load.
The class is Gold’s favorite to teach. Of this he said, “I feel that it’s special. It’s a lot of work, a lot of papers, but I feel it’s worthwhile.” Even though class involves meditation exercises, Gold tries to maintain a certain level of academic rigor. “I try to keep [the class] on an intellectual edge. I build it around contrasts between Hindu and Buddhist practices,” he said. Gold said that these differences manifest themselves in the “different world views and affect the practices.” Students generally respond well to Gold’s emphasis on contrasts. “The cultural and religious comparisons were very interesting,” Barr said.
Prof. Gold also teaches ASIAN 347: Tantric Traditions. Tantra has garnered an interesting reputation in popular culture recently as a unique marathon style of sex.
Gold’s class is by no means a sexual education class, but as he explains, “sex naturally develops out of [Tantra].” He is quick to emphasize, however, that “the majority of people who practice Tantra do not practice the sexual aspect.”
Tantra is a difficult philosophy to define, and Gold explains this is precisely why he has developed the class. Tantra is a style that pervades a number of Indian religious traditions, which preach polarity. “This means that the cosmos are polarized, with a masculine principle of calmness and a feminine principle of power,” Gold said. “And you can’t have one without the other.” According to Gold, these concepts of polarity, balance and the personification of power as female and calmness as male “has led to some sexual practices.”
The Tantric course naturally overlaps with his meditation class, both dealing with, in Gold’s words, “elaborate ritual traditions.” Gold has not taught ASIAN 347 in a couple of years and is unsure when it will return to the roster. He hopes to continue the class sometime next year, when he returns from sabbatical.
Archived article by Michael Margolis