FC: Judge orders researchers, conference not to reveal security flaws

From: Declan McCullagh (declanat_private)
Date: Mon Apr 14 2003 - 18:46:57 PDT


    Sorry for the delay on sending this one out, folks. The preliminary 
    injunction is here:
    http://www.interz0ne.com/events/Blackboard_Restr_Order.pdf
    And the complaint is here:
    http://www.interz0ne.com/events/Blackboard_Complaint.pdf
    
    A few points:
    
    * The plaintiff company (Blackboard) appears to be making an interesting 
    claim: That publishing this info is commercial speech, even though the 
    complaint cites the language that the defendants might "give" the devices 
    away. (http://news.com.com/2100-1028-996836.html)
    
    * It is true that the DMCA is one of the claims, but focusing on that 
    misses the bigger picture. Even if the DMCA did not exist, I'd wager that 
    the judge would have granted this restraining order.
    
    * My memory of prior restraint law is hazy, but I recall that the Supreme 
    Court (Freedman v. Maryland) has said that they are possibly acceptable 
    when prompt adversarial proceedings take place -- and this week's hearing 
    would probably qualify. The interesting twist we get here is that because 
    the presentation is now so widely distributed thanks to Google's cache, the 
    "immediate and irreparable" harm Blackboard cited in its request for an 
    injunction seems to have already taken place, and there's little the court 
    can do. So there's a reasonable argument, I'd say, that the analysis should 
    halt there and the injunction should be denied (a subpoena to Google asking 
    how many people viewed the cached presentation would be interesting).
    
    -Declan
    
    ---
    
    Date: Sat, 12 Apr 2003 22:08:53 -0400
    From: E2 <e2at_private>
    To: declanat_private
    Subject: bad news
    
    Hi Declan,
    
    I have some bad news from Interz0ne.  Our friends Billy Hoffman and
    Virgil Griffith have been silenced by the DMCA.  Blackboard Inc.,
    a company that makes credit card like systems for many universities,
    has ordered them to destroy their presentation on errors and
    negligent vulnerabilities in the Buzzcard system.  A cease and desist
    letter arrived citing future charges based on the Lanham Act, and
    "(among others) the Digital Millennium Copyright Act, the Economic
    Espionage Act, the Electronic Communications Privacy Act,
    the Wiretap Act, and the Consumer Fraud and Abuse Act, as well as
    Georgia's Computer Systems Protection Act."(1)
    Billy and Virgil have been cataloging vulnerabilities in
    the card system here at Georgia Tech in an attempt to have the
    administration provide the students a secure system.  The system
    Blackboard has provided to Georgia Tech is labeled the "Buzzcard"
    system.  It has many uses around campus, most notably holding
    student money for electronic transfer.  Virgil and Billy discovered
    that the system had many blatant flaws and was a risk to every student
    on campus.  They communicated with Blackboard and the director of
    Buzzcard services.  Their complaints about security were not acted
    upon.  In fact, their research was blown off as being false.  Now,
    just as Billy and Virgil were about to announce their findings
    at Interz0ne, they were throttled by a court order and will soon
    face a lawsuit backed by a large company.  Instead of listening and
    improving their product, Blackboard has chosen to try and destroy the
    lives of two bright young people, and the recent legislation that we
    know so well is the perfect bludgeon for doing it.
    
    (1)  http://interz0ne.com/events/interz0ne_cease_order.html
    
    google's cache of their page:
    
    http://216.239.33.100/search?q=cache:rrdoEQlM2v4C:www.yak.net/acidus/campuswide/interz0ness.ppt+blackboard+interz0ne+hack&hl=en&ie=UTF-8
    (beware line wrap)
    
    Please post this to Politech, I think we need help on this one.
    You can post my email address.
    
    
    --
    Eric Innis
    
    ---
    
    Date: Sat, 12 Apr 2003 19:32:10 -0500
    To: daveat_private, declanat_private
    Subject: Interz0ne receives cease and desist order
    From: John Bigelow <anglerat_private>
    
    Conference chair members and members giving presentations have received
    a cease and desist order. The information can be found at :
    www.interz0ne.com
    
    ---
    
    Date: Mon, 14 Apr 2003 18:12:50 -0400
    From: Jamie McCarthy <jamieat_private>
    Subject: DMCA used to shut down campus ID security talk
    To: daveat_private, ip <ipat_private>, declanat_private,
        politechat_private
    
    Dave, Declan,
    
    You may be interested in this use of the DMCA to shut down a talk at
    a security conference over the weekend.  The topic was flaws in the
    security of an ID card system used at quite a few colleges and
    universities, and how to exploit those flaws.
    
    
    http://features.slashdot.org/features/03/04/14/1846250.shtml
    
    Blackboard Campus IDs: Security Thru Cease & Desist
    
    Posted by jamie on Mon Apr 14, '03 03:14 PM EDT
    from the cease-and-desist dept.
    
    On Saturday night, Virgil and Acidus, two young security
    researchers, were scheduled to give a talk at Interz0ne II on
    security flaws they'd found in a popular ID card system for
    universities. It's run by Blackboard, formerly by AT&T, and you may
    know it as OneCard, CampusWide, or BuzzCard. On Saturday, instead of
    the talk, attendees got to hear an Interz0ne official read the Cease
    and Desist letter sent by corporate lawyers. The DMCA, among other
    federal laws including the Economic Espionage Act, were given as the
    reasons for shutting down the talk. I spoke with Virgil this
    morning.
    
    Virgil was there two years ago when Dmitri Sklyarov was arrested and
    led away in handcuffs at Def Con 9. He's not in handcuffs now, but
    in speaking to me, he had to stop and think about everything he
    said, and every third answer was "I really shouldn't talk about
    that."
    
    The DMCA is largely to thank for that. Section 1201 states that no
    one "shall circumvent a technological measure that effectively
    controls access to a work," and that no one "shall... offer to the
    public... any technology" to do so. Blackboard Inc., whose card
    system is called the Blackboard Transaction System and known to end
    users under various names, uses a network of card readers and a
    central server, and they communicate over RS-485 and Internet
    Protocol -- using, or so they apparently claim, measures that
    effectively control access.
    
    For the record, none of what I learned about the Blackboard
    technology was from him or Acidus after the restraining order was
    sent. I spoke to other people, who have not been served with a
    restraining order. Google has a less enlightening mirror of the
    slide titles from this weekend's PowerPoint presentation and a more
    enlightening mirror of Acidus's "CampusWide FAQ" from last July.
    And, most enlightening of all, this mirror [1] has an updated
    version with details on what they figured out how to do and what
    their talk was going to be about (click "CampusWide" for the text
    description, the PowerPoint slides, and Acidus's timeline of the
    last year).
    
    At many schools, Blackboard's system is the ID: you swipe your card
    for your meal plan at the cafeteria, to get into your dorm, maybe
    even to get your final exam.
    
    A swipe at a vending machine will get you a soda -- a money
    transaction from your campus debit account. When you use a swipe to
    do laundry and make copies, money has to be involved. Blackboard
    even notes that they can set up a merchant network on- and
    off-campus: "a cashless, safe, and secure way to transact on and
    around campus while offering parents the assurance that their funds
    will be spent within a university-approved network."
    
    [...]
    
    [1] http://www.se2600.org/acidus/index.html
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    -------------------------------------------------------------------------
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Mon Apr 14 2003 - 18:53:39 PDT