WTF University Meets Blackboard


I just read the newest post at Daily WTF and it reminded me of the fun times we had with the Blackboard system. Yes, I am talking about the same company which patented LMS.

You see, Blackboard is so flawed that some professors who teach security classes use it as an example of an easily hackable system. Case in point, our very first assignment was to bypass Blackboard visibility features and access the “instructor only” document posted on the assignment page. I think it took me under a minute to get to it once the problem was explained. Most of the people who brought laptops to class that day were able to get it before the end of the lecture.

You see, just like the WTF system described in the linked article, Blackboard does not have any access restrictions on uploaded files. It sticks them into obscure directories with complex names, but once you figure out the pattern you can access them without any trouble. In fact you can easily harvest the entire contents of the digital dropbox using a relatively simple Perl script.

You can also easily wipe the entire digital dropbox clean by deleting all the submitted files. All you need to do is to play around with the URL a little bit. If you create a Perl script not much unlike the one above you can just let it run and go for a coffee while the homework of thousands of students gets trashed. I’m not going to post that exploit here, because I don’t want to feel responsible when someone pulls it off. As far as I know this exploit was never published. Blackboard didn’t seem to care when we tried to report all these issues to them. Kinda like the guy in the article.

The saddest part is that the system described in Daily WTF is some ugly hack job conceived and maintained by an incompetent sysadmin. Blackboard, on the other hand, is an enterprise grade, mature software suite deployed at hundreds of universities throughout the country…




8 Responses to WTF University Meets Blackboard

  1. Travis says:

    And to think… these are the people trying to TEACH today’s youth.

  2. ZeWrestler says:

    Heheh. So you, me and a select 20 other people know of this flaw. I even tried myself informing a blackboard person who had come to campus for a career fair. didn’t like it when i told him that his company made incompetent flawed software that they refuse to allow people to inform them of the bugs.

    but hey, they have a monopoly now. meaning that like windows, when a flaw is discovered and published, it could have widespread problems.

    i also want to point out that even though you haven’t said how the flaw can be exploited, the fact you made reference to the point it exists, means that someone out there will sit down and attempt to find it.

  3. Luke says:

    Well, don’t want to feel responsible if someone does this thing and fucks up their school, and gets in massive trouble because of it. But if they sit down, figure out the exploit and run it – oh well. Bad publicity for Blackboard would not be a bad thing. Maybe they would finally patch it then. :P

    I think Robila tried to get in touch with them too, and they kept sending him to different departments until he gave up…

  4. ZeWrestler says:

    i know he tried on several occasions to contact them. then he just became apathetic and gave up.

    here’s a thought, would they sue an open source project if it violated the patent? if not, i say loophole.

    hmm. how would we go about publishing the flaw? that’d get our names out there.

    (side note, my new place has blackboard)

  5. Douglas says:

    The ENTIRE Education Department of South Australia (obviously, that’s in Australia) is using the Blackboard Learning System. I think it is crude and inefficient. Now I have another reason to despise it: It’s insecure.

    But then again, the only things it’s used for in this school are checking one’s quota, checking one’s email, sending one’s email, setting up message forwarding to someone who has set up message forwarding to you so you create an endless loop and, well, that’s pretty much it. I miss the old myInternet system, but I don’t miss Dingo Mail (which was pure rubbish).

  6. Pingback: Terminally Incoherent » Blog Archive » Blackboard Gradebook Sucks

  7. Tim Has says:

    As a former student I share the mentioned feelings on BlackBoard. Currently I’m involved in a young company called TeacherSeat that wants to come up with an alternative to BlackBoard. Objective is to release a lightweight learning management system that doesn’t require hours of training and isn’t equipped with an excessive set of features. Please join our mission by filling out a simple 1-minute survey, which can be found here: http://teacherseat.com/survey.html

  8. YJN says:

    Great posts…
    do u guys have any suggestions for alternatives to BlackBoard??? What exactly is the difference with moodle or WebCT?

    – Also, does Blackboard integrate with the university databases or is it completely independent?

    Thanks!

