Student hackers breach security of Blackboard IDs

Two students from the Georgia Institute of Technology and the University of Alabama sparked controversy over the security of campus ID cards and the rights of hackers when their attempt to publicize how they had compromised the security of the Blackboard Transaction System was stopped by a suit brought by Blackboard, Inc.

Blackboard, known by students for hosting the University's course websites, also operates student ID cards at approximately 223 universities across the nation, including Princeton. Princeton uses Blackboard technology to provide access to University buildings and to run its meal plan; however, at other universities Blackboard IDs also function as debit cards.

Princeton's Paw Points, a debit system that can be used at local merchants, operates through software provided by Student Advantage, an independent company that recently sold a significant portion of its assets to Blackboard.

Billy Hoffman of Georgia Tech threatened Blackboard security by claiming on his website that he had captured the signals to and from the machines that read information from student ID cards and deduct money from student accounts. The website states he had identified how data was stored on the cards and that he "hacked" into the system so that he "could build functional readers from scratch."

Hoffman and Virgil Griffith, the Alabama student, intended to publicize the information in a seminar entitled "Campuswide System Vulnerabilities Update" at the InterzOne II technology conference in April, but the cease and desist letter from Blackboard was read instead.

Michael Stanton, Blackboard's senior director of corporate communications, said the students would have provided a blueprint for others to illegally violate the physical security of universities.

"They were promoting this activity and putting students and higher institutions in a state of uncertainty," he said.

Blackboard filed a complaint with the Superior Court of DeKalb County in Georgia stating that the two students had claimed to have the ability to "facilitate massive fraud, security breaches and other harms, threatening both the physical and financial security of college students and harming the universities, their vendors, and Blackboard itself."

Stanton said the overall security of Blackboard's transaction system has not been compromised, and the students did not actually have the ability to recreate readers.

"They are all theoretical claims," Stanton said. "They haven't been done."

According to Stanton, the two students did not actually "hack" into the Blackboard system but rather wiretapped a control box that had not been properly secured by the University of Georgia.

"They couldn't do anything," Stanton said. "It amounts to vandalism."

The students were able to monitor transactions, as if they had wiretapped a phone system or an ATM, Stanton said.

Law and hacking

Blackboard's complaint alleged that the two students had violated the Electronic Communications Privacy Act, the Georgia Computer Systems Protection Act and the Consumer Fraud and Abuse Act, among other laws that prohibit interfering with a computer program, accessing a computer without authorization and accessing facilities through which electronic information service is provided.

What is controversial is whether Hoffman and Griffith's "hacking" could be construed as reverse engineering, tinkering with something to figure out how it works, which has been found legal by the Supreme Court in cases of mechanical technology. The legality of reverse engineering computer software and hardware is less clear, according to the Chilling Effects website — a joint project of the Electronic Frontier Foundation, Harvard and Stanford Universities, University of California at Berkeley, and the Universities of San Francisco and Maine — which provides information about online rights.

Blackboard at Princeton

Though Princeton uses the Blackboard Transaction System to run its ID cards, Elizabeth Chase, coordinator of dining cards at the University, said that she is "absolutely" satisfied with the current level of security at Princeton.

Princeton's readers are more secure than those at other universities because they run on phone lines rather than through the campus's computer network, Dining Services Director Stuart Orefice said.

Unlike at other universities where vending and laundry machines have ID card readers, the only readers on the Princeton campus are those dining services uses to run the meal plans and those attached to copy machines in the library, said Andrew Rosenau, OIT director of administrative services.

Anthony Scaturro, the University's information technology security officer, said Princeton's readers are more secure because they are generally under the supervision of a University employee.

"The big concern is if someone can replace a reader on some device," he said.

To do so, one would need to invest a large sum of money in the technology and find the opportunity to disassemble the device and exchange the reader with a new one, Scaturro said.

"There's a lot more things to be concerned about than worrying that somebody's going to go and spend a couple hundred dollars on equipment just to get a free copy. It doesn't make sense to view this as a huge risk the way we are using it," he said.

Rosenau said Paw Points is also secure. It would be just as difficult for a hacker to access the information on a credit card as it is being swiped by a vendor as it would be to glean the information from an ID card, Rosenau said.

"The hackers were able to get through the system because [the transaction system worked through] the campus network, and the Paw Points in the stores are not on the campus network," Orefice said.
