Spring 2001 - I got interested in the Buzzcard network on campus. Based on the AT&T logo, I went to the Internet and soon found out about the system. Lots of Web research done, and fieldwork on the connection between the device and the reader. Locked cabinet with Multiplexes was opened and a photo was taken of the insides. Determined which wires to cross to make doors open, laundry machines get credited, etc.

Summer 2001 - Continued exploring the system, called the company (now Blackboard), and interviewed Jim Resing.

Fall 2001 - With the publishing of my Fortres article, increased last-minute field research, and finalized my notes. Called Blackboard again to tell them all the flaws I found, was blown off.

Spring 2002 - Wrote article, and was published in the Spring 2002 issue of 2600.

6/2002 - Blackboard learned of my article. The Blackboard Usergroup tried to track me down, finally figured out I went to Tech, saw my web page and was very upset. Concerns about how accurate my article was are posted by schools around the country to the list-serve. GT tells the list-serve that they are looking into it and they would reply again soon. GT Police ask to speak to me to determine if a crime was committed. GT Police never file charges and indeed I am told there is no longer an investigation. Buzzcard Office conducts an internal audit of their systems. I go to the Buzzcard office unsolicited to try and assist them in securing their system. They were not happy to see me. Office of Information Technology (OIT) on campus starts a test of the Buzzcard system to see if any of the attacks described in the article are valid. Buzzcard office asks that I remove the picture of the inside of the locked cabinet from my web page (since it's hosted on GT machines), which I did. Buzzcard center asks me to remove the AT&T cached pages, which I refuse to do. (It's not theirs; if AT&T wants it down, they can ask me.)
Buzzcard office is reluctant to talk with me about my article, since they don't want to confirm or deny how accurate I was. They do confirm the VTS could be hacked and money can be added to any account as I describe. However, parts of my article (namely how to clone a card through the VTS) are, they claim, incorrect. They ask if I would write a letter for the list-serve that explains what parts were incorrect. I agree as long as my letter will be unedited, and I get to also stress what parts are accurate to let colleges learn what they need to secure. Buzzcard office agrees but continues to cancel my meetings with them and not return phone calls. I am contacted by several colleges that are on the list-serve. They tell me that Tech has all along been posting that they have interviewed me, and that my article is totally false. Tech uses such loaded statements as "As any experienced administrator should know, these security holes are not possible." These colleges are concerned Tech is not being truthful, and want to talk to me. I see that the Buzzcard center was stringing me along, and cease my attempts to contact them, or help them fix their pathetic security. OIT concludes their investigation, and confirms that everything in my article is correct, except about how to clone a card. Tech does not post these results to the list-serve. Dean of Students is involved, and is checking to see whether, while no laws were broken, I broke institute policy.

9/27/2002 - Interz0ne conference in Atlanta, Georgia. Far more detailed than my article, I discuss all 3 types of ways to crack the system (Reader to Device, Reader to Server, and Card based). Response is tremendous. Con organizers are so impressed they offer me another spot the next day to do either a repeat or talk about any other projects I'm working on. Very primitive talk about Spector given.

11/1/2002 - Phreaknic 6 conference in Nashville, Tennessee. Same presentation, very laid back. Lots of response.
Start petition of GT students to have a 3rd-party audit of the Buzzcard system done.

12/2002 - I get to interview the Head of Security for OIT for a paper I am writing for the Dean of Students. He tells me that OIT tested my article and my attacks do work (especially between reader and device). He says there simply isn't money in the budget to fix the problems, though he wishes he could. When I ask why Tech wouldn't tell other colleges that my article is accurate, he tells me "off the record, you embarrassed a lot of people, and they are all struggling to save face."

Winter 2002/2003 - More research done, not at Tech, into the system. Focusing on how readers talk to servers, what's on mag stripes, and how to interface to them.

April 11, 2003 - Will speak at Interz0ne, and release code to make a computer emulate any Blackboard reader, as well as the hardware designs (i.e. RS-485, mag stripe) to make it a drop-in replacement for any Blackboard reader. If Blackboard won't make their system more secure, or tell people how to better secure it, I'll simply make compatible ones myself and give them away.