By Mark Niesse, Associated Press Writer
Thursday, April 17, 2003; 1:49 PM
ATLANTA -- Georgia Tech student Billy Hoffman says he was only trying to expose security flaws when he used a screwdriver and a laptop to hack into a campus debit card system that's used by 223 colleges nationwide.
But to the company that makes the system, the 22-year-old computer engineering major is nothing but a common vandal who is bent on telling the world how easy it was to hack in and get free Cokes and laundry service.
Last weekend, just before Hoffman was to tell Atlanta's Interz0ne computer conference how he compromised Tech's BuzzCard system, card-maker Blackboard Inc. got a judge to issue an order barring him from talking about it.
"All I wanted to do is tell everyone, 'Hey, this is a problem, and it needs to be protected,'" Hoffman said. "Everyone was blissfully unaware of how it works. I looked at it and found the emperor has no clothes, and now everyone's mad at me."
Washington-based Blackboard, which reported revenues of $69.2 million in 2002, said it could suffer severe financial losses if Hoffman's methods are spread.
"We took the legal course because what he's presenting and promoting was encouraging illegal behavior," said Blackboard spokesman Michael Stanton. "He was able to tap into the wires, like anyone could do if they took a sledgehammer to an ATM machine."
Although Hoffman wouldn't discuss the specifics of how he hacked into the system because of the restraining order, he had previously published the information on a Web site that is still viewable.
The site discusses ways to hook up a laptop so it can trick a card-operated vending machine into giving free drinks and how to deceive a laundry machine into starting for free. Hoffman also describes other possible ways to exploit the BuzzCard — getting into dormitories and sporting events, ordering free food on the student meal plan and getting textbooks for free.
"These flaws don't necessarily just ext curity," Hoffman said.
Blackboard asserts its system is safe unless someone physically breaks into a circuit board or card reading terminal. Hoffman said it's possible for hackers to do the same thing he did with a screwdriver through telephone wires and software.
Georgia Tech wouldn't discuss whether it took disciplinary action against Hoffman for reasons of student privacy. Hoffman said only that he was interviewed by campus police but not arrested.
"It's a blessing and a curse to have that kind of brainpower on campus," said school spokesman Bob Harty. "We worry about it all the time, but I do believe our systems are secure."
Hoffman's lawyer, Pete Wellborn, said the courts must decide whether it's a violation of intellectual property to try to expose security flaws.
"It's sheer folly to claim that the purchaser must blindly use that system, accepting the word of the seller with no means of investigation or confirmation," he said.
Charles Lester, an attorney for Blackboard, said he is concerned Hoffman's hacking could damage the company's business, which has taken years to build.
DeKalb County Superior Court Judge Anne Workman issued the temporary restraining order Saturday, which constrains Hoffman and co-defendant Virgil Griffith from discussing information relating to any Blackboard card reader. A hearing on the case was set for May 30.
Blackboard's Stanton said the company's competitors — Diebold and NuVision — may also be vulnerable to hacking attacks.