This is a mirror of the site

Blackboard Transaction System Cease and Desist FAQ

John R. Hall

Current version:
The most current version of this FAQ will always be available here.

The system in question is the Blackboard Transaction System (henceforth BTS), known variously as CampusWide, BuzzCard, and OneCard. This system is installed in various capacities on a large number of college campuses around the country. Recently two university students, Billy Hoffman and Virgil Griffith, have researched flaws in this system and published their results. Blackboard, Inc. filed a civil complaint and obtained a temporary restraining order to prevent Hoffman and Griffith from further discussing their results.

The purpose of this FAQ is to supplement Blackboard's public relations spin with information on the nature and severity of the BTS' security flaws. This information should be of interest to anyone who deals with the BTS, whether as a student or as a university administrator.

Blackboard and Blackboard Transaction Systems are trademarks of Blackboard, Inc. The author of this FAQ, John R. Hall, is not affiliated with Blackboard in any way. BuzzCard is a trademark of the Georgia Institute of Technology. Any other trademarks mentioned in this FAQ are the property of their respective owners.

All of the information in this FAQ is true to the best of my knowledge. The author does not speak for Georgia Tech. I have never personally compromised BTS security, and I do not encourage others to do so. Neither Billy Hoffman nor Virgil Griffith were involved in the production of this FAQ.

You can reach the author of this FAQ at overcode at overcode dot net. I would also be happy to discuss these issues over the phone; email me for my number.

All of the credit for this security research goes to Billy Hoffman and Virgil Griffith. I am only posting this FAQ because they are forbidden to speak about Blackboard's security issues due to a restraining order.

And now, the FAQ: