At Blackboard's Request, Judge Prevents Students From Discussing Security of Debit-Card System
By ANDREA L. FOSTER
Two college students who were set to discuss security weaknesses in a popular college debit- and identification-card system last weekend were prevented from revealing their findings after a Georgia judge issued a temporary restraining order.
The students -- Billy Hoffman, of the Georgia Institute of Technology, and Virgil Griffith, of the University of Alabama at Tuscaloosa -- received the order on Saturday as they were preparing to talk about the system at the Interz0ne computer conference, in Atlanta. A hearing on whether they should be permanently barred from discussing the system is scheduled for today in Georgia Superior Court.
Blackboard has sold the electronic-card system, called the Blackboard Transaction System, to about 223 colleges. In seeking the restraining order, the company argued that it faced "imminent risk of irreparable harm" from the students' presentation.
The company's complaint said the students' findings, if disseminated, "could facilitate massive fraud, security breaches, and other harms, threatening both the physical and financial security of college students, and harming the universities, their vendors, and Blackboard itself."
Blackboard cited federal and Georgia anti-hacking laws, as well as federal and Georgia trade-secret laws, to justify its request for the restraining order. The complaint made no mention of the Digital Millennium Copyright Act, but a lawyer for Blackboard sent the conference organizers a cease-and-desist letter that said the students' presentation could violate that law as well.
The conference, which had a free-speech theme, was open to "all technology addicts, digerati, security professionals, hackers, phreakers, geeks, and the general public," according to its Web site. Many of the presenters are listed by online aliases, such as "V1rus" ("Lockpicking and Forensics: A Real World Case") and "timball" ("Coding Don'ts"). Mr. Hoffman is listed as "Acidus."
According to the cease-and-desist letter, Mr. Hoffman and Mr. Griffith planned to tell those attending the conference that "not only did we hack the system, but we hacked it so far we could build functional [card] readers from scratch."
Mr. Hoffman, an undergraduate who is planning to major in computer engineering, began two years ago to probe the electronic underpinnings of Georgia Tech's BuzzCard, an identification card that all of the university's students, faculty, and staff members are required to have. Each BuzzCard carries the user's photograph and name. As an ID card, it is used to check out library books and gain entry to events; as a debit card, it can be used in vending machines and to pay for meals and parking.
Mr. Hoffman detailed his findings on his Web site, and his postings often taunted Blackboard and Georgia Tech computer administrators. "If Blackboard doesn't tell its clients how to properly implement the system, then Blackboard deserves to lose potential clients," he wrote in one posting. What Mr. Hoffman has learned about BuzzCard could apply to any such debit-card system sold by Blackboard.
In his postings, Mr. Hoffman acknowledges that he used a knife to open a metal switchbox in a dormitory laundry room in June 2002. He was trying, he says in the postings, to figure out how the debit-card system worked, as well as to understand how secure it was. Bob Hardy, a spokesman for Georgia Tech, said the university reprimanded Mr. Hoffman for breaking into the circuitry box, but he declined to elaborate.
According to the postings, Mr. Hoffman used a laptop computer and a converter to capture signals sent from a debit-card reader to a network processor, and he then manipulated the reader to respond in certain ways. If he wanted to, he said in the postings, he could fool a soda-vending machine into acting as if he had paid for a soda when in fact he had not. And he could trap data and create a copy of someone's debit-card account, Mr. Hoffman stated.
He told Blackboard and Georgia Tech officials to, as he put it, "stop your bitchin' and start a-fixin'." When Judge Ann Workman, of Superior Court in Decatur, Ga., issued the restraining order, Mr. Hoffman was forced to remove the material from his Web site. But the information was copied and posted to other Web sites, including se2600.org, a site popular among hackers.
Reached by phone, Mr. Hoffman said he couldn't talk freely about the case because of Judge Workman's order. But he said he had forewarned Blackboard about his findings in an effort to get the company to improve its product, and was ignored. "They said, 'Give us your information, and we'll call you back,' and they never did," he said.
Mr. Griffith could not be reached for comment.
Michael Stanton, a spokesman for Blackboard, said the company was always working to improve the security of its products. But he said that Mr. Hoffman's research had reached a low point when he "vandalized" the laundry-room switchbox. "If I take a sledgehammer to an automatic teller machine, I'm a vandal. I'm not pointing out inherent security flaws in a system," Mr. Stanton said.
Judge Workman's restraining order and Blackboard's complaint are both available online.