The University of Portland handed a one-year suspension to engineering major and Air Force ROTC member Michael Maass after he wrote a computer program designed to replace and improve Cisco Clean Access (CCA).
Maass noticed flaws in CCA that would allow it to be bypassed in the "antivirus and operating system check." Essentially, a program could be written that fooled CCA into thinking it was receiving correct information identifying a computer's operating system and antivirus as current and up to date.
According to Information Services Director Bryon Fessler, a fundamental purpose of CCA is that it "evaluates whether computers are compliant with security policies (i.e., specific antivirus software, operating system updates, patches, etc.)."
In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues.
He says that the method he chose is "one of six that I came up with."
Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed.
"I was planning on going to Cisco with the vulnerability this summer," Maass says.
[ On its face, this is definitely the university's response, for better or for worse... it doesn't look like Cisco had any hand in it. Plus, handing his software around might not have been the best idea in the world.
Nonetheless, Cisco shares some responsibility, together with a lot of other companies, for setting the tone that security research is dangerous and that doing it outside of their strict and private rules should be met with sanctions. I think the whole idea that security problems can be responded to by silencing their discovery is the fault of a lot of people and it's a damn shame.