|
Student suspended for bypassing network security - News by k at 12:41 pm EDT, Apr 30, 2007 |
The University of Portland handed a one-year suspension to engineering major and Air Force ROTC member Michael Maass after he wrote a computer program designed to replace and improve Cisco Clean Access (CCA). Maass noticed flaws in CCA that would allow it to be bypassed in "antivirus and operating system check." Essentially, a program could be written that fooled CCA into thinking it was receiving correct information identifying a computer's operating system and antivirus as current and up to date. According to Information Services Director Bryon Fessler, a fundamental purpose of CCA is that it "evaluates whether computers are compliant with security policies (i.e., specific antivirus software, operating system updates, patches, etc.)." In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says.
[ On it's face, this is definitely the university's response, for better or for worse... it doesn't look like Cisco had any hand in it. Plus, handing his software around might not have been the best idea in the world. Nonetheless, Cisco shares some responsibility, together with a lot of other companies, for setting the tone that security research is dangerous and that doing it outside of their strict and private rules should be met with sanctions. I think the whole idea that security problems can be responded to by silencing their discovery is the fault of a lot of people and it's a damn shame. |
|
RE: Student suspended for bypassing network security - News by Decius at 2:13 pm EDT, Apr 30, 2007 |
k wrote: The University of Portland handed a one-year suspension to engineering major and Air Force ROTC member Michael Maass after he wrote a computer program designed to replace and improve Cisco Clean Access (CCA).
Its worth mentioning here that this "vulnerability" isn't really a bug or flaw in the software, nor was this "discovery" particularly new. This is how CCA is designed to work. It keeps honest people honest. It is not "secure" against people who lie about their setup, nor could it be, without some sort of "trusted computing" system installed non-consentually on student computers that kept them from controlling the software they were running through cryptographic integrity checks controlled by the University. |
|
Student suspended for bypassing network security - News by Shannon at 12:12 pm EDT, Apr 30, 2007 |
The University of Portland handed a one-year suspension to engineering major and Air Force ROTC member Michael Maass after he wrote a computer program designed to replace and improve Cisco Clean Access (CCA). Maass noticed flaws in CCA that would allow it to be bypassed in "antivirus and operating system check." Essentially, a program could be written that fooled CCA into thinking it was receiving correct information identifying a computer's operating system and antivirus as current and up to date. According to Information Services Director Bryon Fessler, a fundamental purpose of CCA is that it "evaluates whether computers are compliant with security policies (i.e., specific antivirus software, operating system updates, patches, etc.)." In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says.
Cisco is insecure about its insecurities. |
|
|