So I have created quite a stir from this article. It all started when I got a call from my Mom saying the GATECH Police had called for me. The cop told me the Buzzcard office was conducting an audit of its system to see if anyone was using my info to compromise the system. I suggested to the cop that I could go talk to them in detail about my article, and help them fill in their holes. I walked over thinking that the Buzzcard folks might be upset, but they would see that if anyone could help them do a better job, it was me.
Boy was I wrong. It was like walking into the lion's den. I basically got reamed for 2 hours by those folks. "Do you know what you did?"
I have been yelled at because I showed the world that the system is weak. Where the HELL are the people yelling at Blackboard for the weak system? Hello? Hello? Anyone there? Did I embarrass Tech? Did I hurt people's reputations? MAYBE THEY DESERVED TO BE HURT OR EMBARRASSED! After all, you did the bad job implementing the system. Not me. I said the emperor had no clothes and it's easier for you to attack me than shame yourselves. "We do a better job than most." That's like saying my boat has less holes than yours does. Yes, every system has holes, but that doesn't mean you use that as an excuse not to try and fix things. But that's what was done. "Well, every system has holes, we can't fix them all, so we'll sit on our hands and maybe nobody will find them." "You could cost Blackboard money." Well, if Blackboard is sending you this system in a box with a little tag on it that says "Plug me in, turn me on, you are ready to go," and doesn't tell you how to properly install the system, then they deserve to have business go to a competitor. Hell, Diebold makes ATMs for god's sake. I bet they do a better job, they have to have some DES hardware units just lying around.
If Blackboard doesn't tell its clients how to properly implement the system, then Blackboard deserves to lose potential clients.
The more I think about it the angrier I get. I didn't write an article that said "Cross this wire with this wire to get free stuff." No I didn't. I wrote an article that had roughly the same amount of detail on how to do the exploits that a CERT advisory has. I wrote this article because I was interested in a system that no one seemed to know anything about. I found it had holes, and I called Blackboard, and got blown off. They didn't want to hear about it. So no, I didn't go to Tech. I wrote an article, to let everyone know the system has big time flaws, and that the company doesn't care. And you know what? Most universities don't care. They are going to say "Hmm, it will cost X dollars to run pipes, maybe X number of people will hack it, this isn't worth it." Nothing about this will be done until someone jacks a school for a few thousand. And that will happen, folks. Believe me. As I have said to the cops, to the Buzzcard office, and to the Dean's office: I'm really not that smart of a guy. At Tech there are people far smarter than I. And on a college campus with smart people who are poor, they might get ideas about ways to advance themselves a little.
Wake up, people. The cat is out of the bag. If you can get to the RS-485 cables, the system is by the balls. So all of you, Blackboard, GATECH, everyone: As the old saying goes: Stop your bitchin' and start a fixin', because despite all your yelling at me, the title of my article still stands: CampusWide is Wide Open.
I would love to hear your comments. Acidus