Judge: Student can’t discuss potential flaws in school transaction system

Should intellectual property laws prevent tech-savvy students and other “hackers” from exposing potential flaws they find in computer systems? It’s a question being raised in a growing number of court cases—and although the courts have tended to side with the computer industry so far, civil rights and consumer advocacy groups say that’s unfair to schools and other software purchasers.

Take the recent case of a Georgia Tech student. Fifteen minutes before he was to lecture on security flaws in a debit card system used on 223 college campuses, 22-year-old Billy Hoffman found out a judge had banned him from talking.

Hoffman had used a screwdriver to break into a laundry room swipe machine that reads BuzzCards, identification cards used by staff and his fellow students at Georgia Tech and similar to ones at hundreds of other schools. The computer engineering major says he found ways to bilk the school out of Cokes, laundry service, and cash.

He was scheduled to discuss his findings before computer hackers at the Interz0ne conference in Atlanta earlier this month, but card maker Blackboard Inc. got a judge to issue a temporary restraining order.

Hoffman said he wasn’t a curiosity-seeker breaking the law. He says he was trying to expose security flaws so they could be fixed.

“All I wanted to do is tell everyone, ‘Hey, this is a problem, and it needs to be protected,’” Hoffman said. “Everyone was blissfully unaware of how it works. I looked at it and found the emperor has no clothes, and now everyone’s mad at me.”

Washington, D.C.-based Blackboard likened Hoffman to a common thief who’s spreading his criminal methods. Blackboard, which reported revenues of $69.2 million in 2002, said it could suffer severe financial losses if Hoffman’s methods are spread.

“We took the legal course because what he’s presenting and promoting was encouraging illegal behavior,” said Blackboard spokesman Michael Stanton. “He was able to tap into the wires, like anyone could do if they took a sledgehammer to an ATM machine.”

Although Hoffman wouldn’t discuss the specifics of how he hacked into the system because of the restraining order, he had previously published the information on a web site that is still viewable.

The site discusses ways to trick a vending machine into giving free drinks and deceive a laundry machine into starting for free. Hoffman also describes other possible ways to exploit the BuzzCard, such as getting into dormitories and sporting events, ordering free food on the student meal plan, and getting textbooks for free.

“These flaws don’t necessarily just extend to silly things such as tricking a Coke machine—they have much more important implications to physical security,” he said in an interview.

Blackboard asserts its system is safe unless someone physically breaks into a circuit board or card-reading terminal, though Hoffman suggests hackers might be able to remotely do what he did with a screwdriver.

Citing student privacy, Georgia Tech wouldn’t discuss whether it took disciplinary action against Hoffman, spokesman Bob Harty said. He added that he believed the systems on campus were secure.

Hoffman’s lawyer, Pete Wellborn, said the courts must decide whether intellectual property laws prohibit exposing security flaws.

“It’s sheer folly to claim that the purchaser must blindly use that system accepting the word of the seller with no means of investigation or confirmation,” he said.

The restraining order, issued April 12 by DeKalb County Superior Court Judge Anne Workman, keeps Hoffman and co-defendant Virgil Griffith—who was scheduled to help Hoffman give the presentation at the Interz0ne conference—from discussing information relating to Blackboard card readers. A hearing on the case is set for May 30.

The order relied on trade secret, trademark, and other state and federal laws, though it did not cite the 1998 Digital Millennium Copyright Act (DMCA), a controversial law that prohibits circumventing anti-piracy devices. Lawyers on both sides said the DMCA could become part of the case later.

In another recent court ruling on the issue, a federal judge on April 9 threw out a lawsuit that challenged the DMCA by seeking permission for a Harvard student to probe internet filtering software used in schools and public libraries. The lawsuit was brought last summer by the American Civil Liberties Union (ACLU) on behalf of Ben Edelman, a Harvard Law School student who argued that such software—which is required of schools and libraries that receive federal technology funding—often blocks far more than pornography and other objectionable sites.

Edelman had asked Seattle-based filtering company N2H2 Inc. for a list of sites its software blocks, but was rebuffed. He then went to court to seek permission to reverse-engineer N2H2’s product, saying he needed court permission because the controversial 1998 law forbids the dissemination of information that could be used to bypass copyright-protection schemes.

U.S. District Judge Richard Stearns ruled that “there is no plausibly protected constitutional interest that Edelman can assert that outweighs N2H2’s right to protect its copyrighted material from an invasive and destructive trespass.” (See “Judge tosses lawsuit seeking probe of filtering software,” http://www.eschoolnews.com/news/showStory.cfm?ArticleID=4360.)

