Post Fri Apr 27, 2007 6:53 pm

Student Suspended for Bypassing Network Security

For those of you on the fence about getting permission, this is an article for you. And as for you young readers out there, learn this lesson early. Even if you think you are doing something educational or for the good of your school, if you don't get permission first, you'll pay the price. At least in school, the punishment is not jail. Well, at least in most cases.

The University of Portland handed a one-year suspension to engineering major and Air Force ROTC member Michael Maass after he wrote a computer program designed to replace and improve Cisco Clean Access (CCA).

Maass noticed flaws in CCA that would allow it to be bypassed in "antivirus and operating system check." Essentially, a program could be written that fooled CCA into thinking it was receiving correct information identifying a computer's operating system and antivirus as current and up to date.

According to Information Services Director Bryon Fessler, a fundamental purpose of CCA is that it "evaluates whether computers are compliant with security policies (i.e., specific antivirus software, operating system updates, patches, etc.)."

In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues.

He says that the method he chose is "one of six that I came up with."

Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed.

"I was planning on going to Cisco with the vulnerability this summer," Maass says.

Maass' program was in use for approximately seven months before the University froze his UP account.

Additionally, he gave the program to several friends and one professor. As a result, they suffered judicial consequences including having their accounts frozen, residence hall probation, writing a 3-4 page reflection paper and having their computers inspected by IS to get network access back, according to Maass.

Many of these students declined an interview with The Beacon for fear of more sanctions from the University.

"They (University judicial officials) said they would most likely get in contact with the people (who have Maass's program) and ask them to delete the software," Maass said. "They weren't definitive, but I can tell you I was surprised (when the University punished them), and I thought it was hurtful."

Residence Hall probation is "a serious warning. Any further misconduct for any reason may result in removal from the residential system," according to this year's student handbook.

Maass believes his computer program finally came to the attention of the Judicial Board because of a facebook.com group he created in order to publicize the security research he was doing.

"There was nothing in [the policies] that stood out to me that I would be in violation of," Maass said of his thinking at the time he authored the program.

Maass was charged with "violations of the Acceptable Use Policy, the Network Security Policy, disrespect for authority, disrespect for property, disorderly conduct and fraud," according to a letter he received from the University Judicial Board.

Originally Maass was suspended for the rest of this academic year and the fall 2007 semester. He would be eligible to reapply for the fall 2009 semester after going through counseling for "internal integrity, ethics and identity issues."

But following an appeal process in which he was supported by many friends and faculty, the University ruled that Maass will be allowed to finish out the rest of this semester, but will be suspended through next semester.

Natalie Shank, University Judicial Coordinator, was unavailable to make any comment concerning the case, and John Goldrick, vice president of student services, declined to interview due to legal confidentiality.

Some students think the University was too harsh.

"In this case, nobody was hurt; there is no concrete evidence of any kind that University policy was broken, and there was no state or federal regulation that was broken," said one of a handful of students sanctioned by the University for having and running the program on their computers. The student asked that his name not be revealed.


Full story by Cole Vonder Haar of The Beacon (Univ of Portland).

Don
CISSP, MCSE, CSTA, Security+ SME