‘The matter has been resolved to the mutual satisfaction of both parties’
A technology company will not pursue legal action against Syracuse University after publicly accusing a Syracuse computer lab of launching a week of cyberattacks against it, a company official told The College Fix.
Rivet.cloud, a “blockchain gateway provider,” said the Full-Stack Security Lab claimed it was just testing for flaws in Rivet’s system – an example of “ethical hacking.” But the Department of Electrical Engineering and Computer Science unit didn’t tell Rivet what it was doing until the company traced the attacks to the lab.
The university told The Fix Monday it would forward the request for comment on Rivet’s allegations to an unnamed person. Syracuse has not responded to The Fix since.
Rivet experienced a week of denial-of-service attacks at the height of the coronavirus pandemic in April, according to an eight-part series of blog posts by Austin Roberts, founder of OpenRelay, the company that created Rivet.
At the end of the week, when it traced the activity to Syracuse, Rivet contacted Prof. Yuzhe Tang, the head of the lab. Tang allegedly admitted that the attacks on Rivet came from his lab on April 24, near the end of the barrage, but didn’t cop to the full week of attacks. He said the lab was trying to discover flaws in Rivet’s system.
Roberts took issue with Tang describing his team as ethical hackers. “First of all, ‘ethical hacking’ is a real thing,” he wrote. “There’s even an Ethical Hacker Certification (though I have no idea whether Dr. Tang or his students have obtained this certification).”
The Syracuse lab didn’t meet three obligations for ethical hacking, he explained: permission from the target, agreement on scope and prompt disclosure of weaknesses in the server.
Not everyone agrees on that definition. “There is a wide-ranging debate on what constitutes ethical hacking,” Irina Raicu of Santa Clara University’s Markkula Center for Applied Ethics told The Fix in an email.
Roberts’ blog series “argues that pre-arranged consent and defined scope of the attack/test are required, but that is by no means the consensus,” said Raicu, director of the center’s Internet Ethics Program. Without hearing the lab’s explanation, she can’t evaluate “whether the university went too far – or whether this is an attack or an example of penetration testing.”
Rivet has been in contact with Syracuse since the incident and “the matter has been resolved to the mutual satisfaction of both parties,” Beth Van Horn, co-founder and chief operating officer of OpenRelay, told The Fix in an email. That is “all we can say.”
‘Expose the prestigious institution that should have known better’
It’s not clear whether Rivet or OpenRelay disclosed the April attacks sooner than last week, when Van Horn told The Fix that Rivet wanted to “expose the prestigious institution that should have known better.” (It outed Syracuse the following day at a virtual conference on “decentralized finance.”)
Roberts’ blog series is intended to “show people what it’s like to be on the receiving end of a deliberate attack that threatens the business you’ve worked hard to build,” and to “start a discussion about how security research is done and how it should be done,” she wrote.
The cyberattacks started Sunday around dinner time, Roberts wrote. He and his team ran a series of tests that identified a DoS attack and set up a filter to block the action. Roberts went back to dinner.
The attacks quickly started up again as the attackers got around the filter. They were able to fight off the attack, but forgot to block the offending address, he wrote.
Rivet had to stabilize its servers and spent an hour finding the problem. Since there were no attacks in that hour, they decided to fix it in the morning. However, at 12:38 a.m. the next morning the attacks started again.
Staff implemented the fix and made changes to their servers at 1 a.m. to gather more data. They implemented new servers later on Wednesday and successfully fought off another round of attacks. Thursday was quiet, he said.
Syracuse lab’s explanation contradicted by the ‘server logs’
When the attacks returned Friday, Roberts and his team were finally able to get an IP address and trace the attacks – to Syracuse. Originally, Rivet thought the attacks came from a bored college student or third-party hackers who had compromised university computers.
Roberts emailed Tang that night and the professor responded on Saturday, confirming it was neither of those theories.
“In our test on April 24, we sent a total of two (crafted) requests to your service. We apologize for the inconvenience caused here,” Tang wrote in an alleged email reproduced by Roberts. Tang also sent a bug report to Roberts of the vulnerabilities they found in Rivet’s system.
Tang’s claim is false, Roberts wrote: “We have server logs showing hundreds if not thousands of requests crafted to harm our service. Even the bug report he provided indicates that the crafted requests were sent repeatedly for a period of 60 seconds.”
The bugs Syracuse found were not worth anything, according to Roberts. “Needless to say, we had no interest in working with Dr. Tang’s lab, and were deeply concerned by the idea that the University of Syracuse [sic] was sanctioning these activities.”
There was no real damage done to Rivet, which is asking security researchers to follow its new guidelines, Roberts wrote.
“With regard to our business impact, overall despite the long hours and uncertainty endured by our team over the course of the week-long sustained attack, things turned out reasonably well for us—and to the ultimate benefit of subscribers to our service,” Van Horn told The Fix.