Admin
It'd be good if there was some way to stop frist comments. They're soooo tedious.
Admin
The last set of comments do, of course, start here.
Admin
To be fair they did at least fix it a few months down the line: all the stripe readers were changed to enable reading of the second track, and all the ID cards were re-issued to include a random number on the second track.
This way you did at least have to be in possession of a card in order to clone it, whereas before, you only had to know someone's staff/student ID number... which is printed on the card, and wage slips, and their mail etc.
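The two card generations that comment describes, as an added example (not code from the article or from any commenter): an old card whose stripe carries nothing but the printed ID, and a re-issued card whose stripe also carries a random per-card number that the reader's back end checks. It assumes the stripe is an ISO 7811 track-2 bit stream (5-bit characters, 4 data bits plus odd parity, LRC after the end sentinel); for brevity both fields sit on one track separated by '=' rather than on two tracks as the comment says. The IDs, the secret and the registry are constructed for the example.

```python
"""Magstripe card check, before and after the fix described above.

Added example; not code from the article or from any commenter. Assumptions:
ISO 7811 track-2 encoding, a single track with an '=' field separator, and a
constructed registry of card IDs and per-card secrets.
"""
import hmac
import secrets

TRACK2_CHARS = "0123456789:;<=>?"   # 4-bit values 0x0..0xF, ISO 7811 track 2
START, END, SEP = ";", "?", "="     # start sentinel, end sentinel, field separator


def _char_bits(val: int) -> str:
    """Five bits for one character: 4 data bits LSB first, then an odd-parity bit."""
    data = [(val >> i) & 1 for i in range(4)]
    parity = 1 - (sum(data) % 2)
    return "".join(str(b) for b in data + [parity])


def encode_track2(text: str) -> str:
    """Encode text as a track-2 bit string: sentinels, characters, then the LRC."""
    vals = [TRACK2_CHARS.index(ch) for ch in START + text + END]
    lrc = 0
    for v in vals:
        lrc ^= v
    return "".join(_char_bits(v) for v in vals + [lrc])


def decode_track2(bits: str) -> str:
    """Decode a track-2 bit string to the text between the sentinels.

    Raises ValueError on any damage (bad length, parity, sentinel or LRC),
    which is what a reader does on a dirty or partial swipe.
    """
    if len(bits) % 5 or len(bits) < 15:
        raise ValueError("bit stream too short or not a multiple of 5 bits")
    vals = []
    for i in range(0, len(bits), 5):
        chunk = [int(b) for b in bits[i:i + 5]]
        if sum(chunk) % 2 == 0:                      # odd parity expected
            raise ValueError(f"parity error at character {i // 5}")
        vals.append(sum(b << k for k, b in enumerate(chunk[:4])))
    *chars, lrc = vals
    calc = 0
    for v in chars:
        calc ^= v
    if calc != lrc:
        raise ValueError("LRC mismatch")
    text = "".join(TRACK2_CHARS[v] for v in chars)
    if text[0] != START or text[-1] != END:
        raise ValueError("missing sentinel")
    return text[1:-1]


def issue_card(card_id: str, registry: dict) -> str:
    """Re-issue a card: store a random 10-digit secret and return the stripe text."""
    secret = "".join(secrets.choice("0123456789") for _ in range(10))
    registry[card_id] = {"secret": secret}
    return card_id + SEP + secret


# Constructed registry. The first entry is an old-style card (nothing but the
# ID on the stripe); the second was re-issued with a random number.
REGISTRY = {
    "1234567": {"secret": None},
    "7654321": {"secret": "4839201756"},
}


def verify(bits: str, registry: dict = REGISTRY) -> bool:
    """Accept a swipe if the ID is known and, for re-issued cards, the secret matches."""
    try:
        fields = decode_track2(bits).split(SEP)
    except ValueError:
        return False
    entry = registry.get(fields[0])
    if entry is None:
        return False
    if entry["secret"] is None:          # legacy card: a known ID is enough
        return True
    if len(fields) < 2:                  # cloned from the printed ID alone
        return False
    return hmac.compare_digest(fields[1], entry["secret"])


if __name__ == "__main__":
    # Attacker knows only the printed ID (from the card, a wage slip, mail...).
    print(verify(encode_track2("1234567")))   # True: old card is cloneable from the number
    print(verify(encode_track2("7654321")))   # False: re-issued card needs the secret
    # Attacker has physical possession and dumps the real stripe.
    print(verify(encode_track2("7654321=4839201756")))   # True: possession still clones
```

The point the comment makes falls out of the last two calls: knowing the number is no longer enough, but anyone who holds the card for a moment can still dump and copy the stripe, since nothing on it is tied to the plastic. The secret is compared with hmac.compare_digest so that the check does not leak how many leading digits matched.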
Admin
Strange that a 2013 posting would get comments; while being a rerun.
Admin
I'm shocked! Hanzo was the most popular with me!!
Admin
[quote user="nonpartisan"]I'm shocked! Hanzo was the most popular with me!![/quote]
Hanzo rulez!
Admin
It's a shame.
Schools could be the source for security ideas/talent by testing their students to access the system and improving it every year.
Instead, they punish students for thinking creatively, with the concern that knowledge is power, they withhold knowledge, thus being the antithesis to their primary function, to teach.
Ironic.
And teachers wonder why they aren't valued by society.
Admin
This may shock you, but just like the bad-developer-apologists say, you either teach what you're told, or you get fired.
Admin
Very Funny
Admin
Universities are notorious for this. As repositories for groupthink, they are as anti-intellectual as you can imagine.
Admin
I'm no lawyer, but just because you can exploit a system, doesn't mean you should do so, even if your intention is honorable.
If you see your neighbor's house, and he left his window unlocked, it would be ethical to remind him to lock his windows, but it would be unethical to crawl through the unlocked window without your neighbor's permission then tell him about it later in order to demonstrate his lack of home security. One is helpful, the other is trespassing.
If Egon only examined the contents of his own card and speculated how he might exploit it, then he is most likely legally safe. If he created a duplicate as a proof of concept, he crossed an ethical and perhaps legal line.
That's not to say the Uni didn't over-react.
Admin
Shit like this makes me so mad.
Admin
While I applaud the general I'm-a-hacker-and-I-don't-give-a-shit attitude, why have people not learned that ANY security flaw should be reported anonymously? I love it when people throw a shit-fit over being fired for stuff like this.
Admin
The only reason he could have reasonably expected anything other than being fired is because they ignored so many other offenses that would have cost his job anywhere else.
Companies will sometimes hire security consultants to try to break through their security in order to report vulnerabilities to them, but anyone who does so on their own without being asked to is simply breaking in.
Egon had no business trying to clone his security badge. Of course he'd be fired for that. Now if he'd come across the problem legitimately, while doing something he should be or at least had permission to be doing, that would be a different matter. In that case, he wouldn't get fired and might even be thanked for finding the problem. But finding a security problem while trying to break their security just points out that he's trying to break their security.
Admin
"We don't have any security issues. No one on staff is aware of any security issues with our cards". A true statement: anyone else who figured out the problem has been fired, and [the person speaking] has momentarily compartmentalized the issue and is at the moment not aware of it.
And because we're not aware of it, we can't be blamed if someone discovers it.
Admin
Except that he's at risk by the system.
If he did nothing, and then someone else copied his card and bought food, he'd have a right to sue. I don't understand why society is so bent on being reactionary instead of proactive.
Admin
This right here is the same mindset that says citizens shouldn't have guns to defend themselves with.
But what if the bad people?!?
We can't allow people to attempt to subvert the system in order to determine security flaws so the system can be strengthened.
Allowing people the power to participate in protecting themselves allows nefarious power. Power should be centralized, so when it fails, everyone is at risk because a small subset of the community wasn't more proactive.
But what if the bad people?!?
No, you can't have your own lawyer to ensure your rights are protected and the law is correctly interpreted, just trust us. If we let that happen, some criminals would be able to get away with crime.
Admin
So, Valued Service...
You're saying someone should have the right to hire a trusted third party to test the security of a system that puts them at risk?
Yes, yes I am.
Admin
You know, if someone had just discovered a major vulnerability in my system, he'd be the last person I'd want to upset.
Admin
Way to painfully shoe-horn that issue in. Not to mention, is it really the "anti-gun" people who are "afraid of the bad people"?
Pretty sure anti-gun people aren't the ones that are dead certain that any moment now their lives are going to be put at risk by some boogeyman.
Admin
Of course, TRWTF here is that the poor guy didn't think to counter the firing with: "If you fire me, I will go public with this information."
Perhaps he would've been able to keep his job at that point. :-)
Admin
Seems the deadbeat finally got what was coming after crossing the line x number of times.
Admin
I know this is a repost, but even the first time I thought of Randal Schwartz.
Advice: even though you think it's whitehat, it's technically hacking (err, cracking, wtf it is this week). PointyHairedBosses that you laugh at because of "potato chip vs computer chip" will not understand the whitehat/blackhat divide.
CYA. Get Auth.
Admin
This is not technically hacking. The concept that even looking at what's on a magnetic strip in your possession is hacking is absurd. It didn't say he copied it.
Admin
This story is pretty absurd. You wouldn't need a "proof of concept" to point out the security flaw here. All you would have to do is take a look at your own id card and see that it is keyed to your university id number.
Somebody compared this to climbing in your neighbor's window to remind them to lock their windows. This is almost literally like reading a badge the college lent you and noticing it has your social security number on it.
So the question is, why didn't Egon lawyer up? He even had his boss's support.
Admin
File this under:
No good deed goes unpunished.
Of course when the object of the clone is your ex-wife's ATM card, it becomes closer to "duty".
Admin
Trying to read a security badge is not an invasive action. Say the university had the numbers written on the badge in an "encrypted" form, and you looked at it and realized the number was simply written backwards. Your reading it, without taking any steps to decrypt it, is just applying common sense.
What he did was simply decode the magstripe, which is simply reading by another means. Acts that prohibit tampering such as CFAA only prohibit decryption, not decoding.
Admin
So, that means there are other things you "love" about school shootings?
Admin
Of course, I'm never sure how serious anything on cracked.com is.....
Admin
To sum up, mass shooting isn't a factor of guns per person, it's a factor of being depraved, mentally ill, or American...
Admin
Here in Chile, we have a national ID number, called the RUT (Tributary unique role number, maybe).
When I was studying at the university, we used our RUT as the username, and its first 4 digits as the password, to access the web services.
One day, working with a friend on our thesis, we obtained a list with the RUT of every teacher, administrator, dean, everybody who worked there, from a public network shared folder... so we tried to access the grades system (called the teachers' system, forbidden for a student) using the RUT and first 4 digits of a teacher, and it worked. We showed that teacher (who was my computer science teacher), and he phoned the Big Chiefs. It was Thursday.
Tuesday, I met with the IT Director. I worked with him on my thesis, so we started talking. He told me that everyone in IT had worked Fri, Sat, Sun, Mon to check what "the hackers" could have done with the access via RUT, as the CS teacher had told them, and he was thinking the big chiefs would fire him. So I told him what we did ("I am the haxx00r," I said), thrice... he was relieved, because we saved his ass (and his chief knew me and my friend, so they could believe that).
End of year... he quit (before he got fired).
I know my Engrish sucks. Damn Google Translate.
Admin
The common element there was "where people are found", by the way.
Admin
He just read the contents of the stripe and decoded what was on it (with no encryption or anything) and found out it was his student ID number.
Admin
I had a similar experience at 'The Brick'. I was trying to get the new mouse working on the front desk system, so I ran the Add New Hardware wizard, which caused the cash drawer to pop open. Nothing disappeared from the drawer (I had alternate access to it as part of my job, so no concern there). I immediately closed the drawer and reported the situation to the office manager, and the next day was rewarded by being fired for "not fitting in". Funny thing is, everyone loved my work ethic, and all were equally surprised by the reason for my termination.
Admin
Which just goes to show you the correct response to a security vulnerability is to find a student patsy and sell IDs on the open market. At the least keep your mouth shut.
The real WTF is that Egon didn't sign up for a night class, get a student ID, and proceed to collect "severance" from the PTB.
Admin
A few comments on top: "And teachers wonder why they aren't valued by society." "Universities are notorious for this."
May I remind you that this behavior has been shown by many companies. This isn't specific to schools at all.
As for the open window metaphor, Egon didn't enter the house; he clearly only pointed out that the window was open. The article mentions no copy, no hack, just reading, as someone said.
Admin
His job rarely required him to do anything. If he performs all of his required duties, but still has lots of time to spend how he chooses, how is he a deadbeat?