STRATEGIC PARTNERS
April 17, 2003
ATLANTA -- Fifteen minutes before he was to lecture on security flaws in a debit card system used on 223 college campuses, 22-year-old Billy Hoffman learned a judge had banned him from talking.
According to the Associated Press, Hoffman, a computer engineering major at Georgia Tech, used a screwdriver to break into a laundry room swipe machine that reads BuzzCards -- identification cards used by staff and students there and similar to ones at other schools.
Hoffman was scheduled to discuss his findings before computer hackers at the recent Interz0ne conference in Atlanta -- but card maker Blackboard Inc. halted his speech by getting a judge to issue a temporary restraining order.
Hoffman said he was trying to expose security flaws so they could be fixed.
"All I wanted to do is tell everyone, `Hey, this is a problem, and it needs to be protected,' Hoffman said. ``Everyone was blissfully unaware of how it works. I looked at it and found the emperor has no clothes, and now everyone's mad at me.'
However, Washington-based Blackboard, which reported revenues of $69.2 million in 2002, said it could suffer severe financial losses if Hoffman's methods are disseminated.
"We took the legal course because what he's presenting and promoting was encouraging illegal behavior,' said Blackboard spokesman Michael Stanton. "He was able to tap into the wires, like anyone could do if they took a sledgehammer to an ATM machine.'
Hoffman's lawyer, Pete Wellborn, said the courts must decide whether intellectual property laws prohibit exposing security flaws.
"It's sheer folly to claim that the purchaser must blindly use that system accepting the word of the seller with no means of investigation or confirmation,' he said.
Although Hoffman wouldn't discuss the specifics of how he hacked into the system because of the restraining order, he had previously published the information on a Web site that is still viewable, according to the AP.
The site mentions methods of tricking a vending machine into giving free drinks and deceiving a laundry machine into starting for free. Hoffman also describes other possible ways to exploit the BuzzCard -- such as getting into dormitories and sporting events and ordering free food on the student meal plan.
Blackboard says its system is safe unless someone physically breaks into a circuit board or card-reading terminal, though Hoffman suggests hackers might be able to remotely do what he did with a screwdriver.
Citing student privacy, Georgia Tech wouldn't discuss whether it took disciplinary action against Hoffman, spokesman Bob Harty said.
The restraining order issued by DeKalb County Superior Court Judge Anne Workman prevents Hoffman and another student who was scheduled to help him give the presentation at the Interz0ne conference from discussing information relating to Blackboard card readers. A hearing on the case is set for May 30.
