Thursday, March 27, 2008

Security, and Class Projects

As I was reading Freedom to Tinker, catching up on the latest reports of flawed voting machines, I remembered my favorite class project of all time.

My first year teaching Algorithms at the End of the Wire, I included a subunit on cryptography/security. (This was before Salil Vadhan arrived, and before Michael Rabin started regularly teaching a crypto course.) One group, for their final class project, decided to explore the potential security flaws in the Crimson Cash system, the local system where students put money on their ID. They got a card reader and figured out how to intercept and spoof messages from the vending machines in the Maxwell-Dworkin lobby. It was a standard man-in-the-middle attack -- you intercept the message from the vending machine so your account doesn't get debited, and tell the vending machine the message went through. For their demo, they showed how they could get a free soda. They got to learn about security by breaking an actual system (which, by the way, in retrospect was something of a bad idea -- next time students try to break system security, I'll make sure they do it in a closed, lab-type setting).

It was great stuff. All CS majors should do some sort of a-little-bit-out-there, hands-on project like that. And then, maybe, we'd have better voting machines.


Adam Kirsch said...

Oh come on, Michael, if you're going to tell this story on your blog, then you should also tell the part about what happened *afterwards* :-)

Anonymous said...

What happened *afterwards* ?

Michael Mitzenmacher said...

Sigh. I gave their report to the Harvard network people -- I figured that their work was probably publishable, but before publishing, it would be appropriate to inform the networking people of the flaws in the Crimson Cash system. They called us all in, to let us know that what the students did was wrong; I covered for the students and made sure that all they got was an informal warning. To avoid further issues, the students and I opted not to publish anything and keep it quiet.

A few years later, I saw some news (in the Harvard Crimson) about some student who had apparently done/published the same sort of thing.

David Molnar said...

Sounds like Billy Hoffman, from Georgia Tech. The company that makes the system sent him and his co-authors a lawsuit just before he was supposed to speak. The Electronic Frontier Foundation has a writeup here:

Michael Mitzenmacher said...


I'm not sure, but if I'm remembering right, it was a person at Georgia Tech who (subsequent to the work of the students in my class) also broke an ID card system; it was probably this one. My recollection, just from the Crimson article, was that there was a lot of overlap in the security flaws he and my students found.

Thanks for the pointer to
(that's ID=383 if you're seeing the line cut off). I hadn't heard about that follow-up. I'm not big on the squelching of free speech, but I'm glad to not have had that sort of hassle.

Almost Philosopher said...

I know what the students did was wrong but you have to wonder how much of the anger was because they'd been shown up.

Oh well, at least it ended fairly happily.