Frequently Asked Questions about CampusWide
Version 1.2

Version History
1.2- 7/13/2002, Converted to standard FAQ outline format, Major rewrite
1.1- 4/2002, Minor spelling and other updates
1.0- 3/13/2002, Created

CampusWide FAQ Version 1.2

1.0- Notes from the Author
  1.1- Copyrights
  1.2- Contact the Author
  1.3- About this FAQ
  1.4- What will I get from this FAQ
2.0- About the system
  2.1- So what is CampusWide
  2.2- CampusWide I thought it was called X
  2.3- There are 2 systems? WTF?
  2.4- What does this look like?
    2.4.1- Readers
    2.4.2- Data lines
    2.4.3- Metal Enclosures
3.0- The Current System
  3.1- What is the current system?
    3.1.1- Servers
    3.1.2- The Database
    3.1.3- The Card
    3.1.4- The Infrastructure
    3.1.5- The Readers
      3.1.5.1- Security
      3.1.5.2- Self Vending
      3.1.5.3- Point of Sales (POS)
  3.2- What did Blackboard change from the AT&T system?
    3.2.1- IP Converts
      3.2.1.1- What encryption is used by the IP converters.
    3.2.2- Merchant Dial-up Terminal (MDT)
4.0- Weaknesses in the System
5.0- Article Clarifications and Corrections.
6.0- How I got involved
7.0- Contacting Blackboard

1.0 NOTES FROM THE AUTHOR

1.1- Copyrights

This FAQ is the copyright of Billy Hoffman (AKA Acidus). You do not have the right to change or modify this FAQ directly without his written (note the written, electronic permission is not allowed) permission. You do have the right to copy, print, distribute in part or in whole this FAQ by any means, provided it is accessible in the new form at no cost. This means you cannot put it on a "hacking CD" and sell it on eBay. You cannot put it on a website and only allow access to paying customers. This work must remain free and public.

1.2- The Author

Billy Hoffman is the author of this FAQ. You may reach me at Acidus@resnet.gatech.edu, or mail me at:

Billy Hoffman
335884 Georgia Tech Station
Atlanta GA 30332

1.3- About this FAQ

This FAQ was originally written as a supplement to my 2600 article "CampusWide Wide Open."
This article was published in the Spring 2002 issue. Back issues are available from www.2600.com, or download the article from: www.prism.gatech.edu/~gte344p/index.html

The article caused a lot of stir, which I'll discuss later. This stir allowed me to talk with some of the CampusWide admins at my school, and they told me of some things that were incorrect in my article. In addition, there were several things left out of my article: little bits of tech info, some theories I have, new info, etc. Hence the need for the FAQ, to make sure this stuff stays updated. But instead of merely having it as a supplement, I figured having all the information in 1 place would be much more helpful.

1.4- What will I get from this FAQ?

Updated info. I researched the article in the summer of 2001, and finally wrote it in the spring of 2002. It was as accurate as I could make it. However, even then there was info I had to leave out for length reasons, and others mentioned in the last section. This FAQ will make sure the info about the system stays current. You will not find in the article or this FAQ how to cheat/steal. I will not tell you any info that could be directly applied to steal from the system.

2.0 ABOUT THE SYSTEM

2.1- So what is CampusWide?

CampusWide is the most widely used card access system in America today. It sadly is the least secure. CampusWide is an ID card solution originally created by AT&T, and now owned by Blackboard. It is an ID card that can be used to purchase things from vending/laundry machines, or the college book store, just like a debit card. It's used to check out books from libraries, open computer labs and buildings at night, gain access to parking decks, and even get you into sporting events. The CampusWide system gives everyone a card that lets them access both unattended and attended card readers and Points of Sale. All these actions and transactions are sent to a central server, which stores all the information in a database.
A confirm or deny signal is sent back to the card reader, and the transaction goes through or is denied. It is fast becoming the way of life on college campuses around the world. You need it to eat, to get into your dorm, to get into college events, everything.

2.2- CampusWide? I thought it was called X

The CampusWide system has been called lots and lots of names. AT&T first developed it and called it the AT&T CampusWide Optim9000 System. It was generally called CampusWide. When Blackboard bought AT&T's system, in 2000, they also bought another system called Envision from a company named Icollege. Blackboard then had 2 products, the Blackboard Optim9000 system and the Blackboard Envision System. Blackboard is only selling one system, called Blackboard: Transaction System. However, this new system comes in 2 versions, the Windows Version and the Unix Version. Since AT&T marketed this thing as CampusWide for short, and did it for a number of years, and since Blackboard has been doing it for so few, I call the collective whole system CampusWide. When I refer specifically to the Unix version, I will say Optim9000, and when I refer to the Windows version, I will say Envision.

2.3- Wait, there are 2 systems?

You need to understand that the front end of CampusWide, the card readers and data lines, is exactly the same for both Envision and Optim9000. The differences between Envision and Optim9000 are their operating systems and their databases. The card readers can't tell the difference. The faults in my article apply to both systems (though the technical data is for the Optim9000 system). These faults are for both systems since they both use RS-485 lines.

2.4- What does it look like?

2.4.1- Readers

The CampusWide system is easy to spot. The readers are black metal or plastic, almost all have an LCD screen (2x16 seems to be the standard), and they will have no writing on them except the AT&T logo, and the word "AT&T" is under it.
The newer Blackboard ones work exactly the same as the AT&T ones, only they have Blackboard written on them. They vary in size, from door readers at about 3"x5" all the way up to POS terminals, which are around 14"x28". The old AT&T ones look very institutional, and very boxy. The newer Blackboard readers appear sleeker, with angles and such.

2.4.2- Data Lines

Data lines are normally hidden away. The ones I have seen are grey cables with 4 wires in them: Red, Black, White and Green. However, I imagine they could be any color. Coming out of the backs of Coke machines (if a reader is installed) is a black wire with a telephone (RJ-11) jack on the end. I would imagine all 4 wires on the jack are used. Normally you can't see the data lines, because the school should have taken steps to shield them. This normally takes the form of metal conduit, flexible metal sheaths, and thicker pipes for multiple lines.

2.4.3- Metal Enclosures

In areas where there are lots of readers, multiplexers are used (more on these later). These are most commonly found in laundry rooms. Blackboard doesn't advertise these, but AT&T had them, so I figure they do as well. AT&T called them MW/MHWMENC: Wall Mount Enclosure. It's a big grey metal box, about 3'x4', that will have a lot of thick pipes (about 3" in diameter) coming out of the top of it. It has a handle with a lock. It's the type of handle that, when you turn it, 2 bars are twisted by the handle and pulled back to within the shape of the door, on the inside. The door can now be opened. There is a fault to the door though. The lock/handle is held in place by 4 flat head screws. Simply unscrewing these and turning the entire assembly clockwise will open the door. The bad part for Blackboard is that these enclosures have no means of attaching an external lock, and to make them secure either the entire enclosure needs to be replaced, or the screws need to be changed to carriage bolts.
3.0 THE CURRENT SYSTEM

3.1- So what is the current system?

Blackboard currently (7/13/2002) offers one card access solution, known as the "Transaction system." It comes in 2 versions, "Unix" and "Windows." The Unix version is the AT&T CampusWide System. The Windows version is the Envision system running on Windows NT. The basic layout of the system is a central server, talking to hundreds of readers through data lines.

3.1.1- The Server

The AT&T system and the Unix version of Blackboard's system are recommended to run on HP9000 machines, though any RISC processor will do. It only runs on HP-UX (Blackboard currently installs ver 11.x). The AT&T system had a list of specs that the end users must have to support the software. These included the above, but also a 4 gig Digital Audio Tape with a 4 gig capacity or equivalent, and a UPS that can keep the system up for 20 minutes (Blackboard's newer specs suggest a Best Ferrups 1.8 KVA battery that can go for 45 minutes). More interestingly, the CampusWide system is required to have a 9600 baud modem for remote diagnostics.

The system itself consists of 2 parts: the Application Processor (AP) and the Network Processor (NP). The Application Processor is the backend of CampusWide, the part the users never see. It manages the database where all the information is stored, and provides an interface for human operators to look at logs and run reports, as well as change configuration/privileges, and transactions/account maintenance. The NP is the gateway from the infrastructure to the AP. It takes in the requests from readers around campus, converts the mode of communications into commands the AP can understand, and then passes them along. AT&T CampusWide could support up to 60 communication lines and 1000 card readers; the new Blackboard system allows up to 3072 readers. Please note that the AP and the NP don't have to be 2 different machines. Indeed, they could be on a single machine, or spread over a cluster.
The Windows version runs on a Windows NT/2000 machine. The above stats were taken from AT&T's page, and thus don't necessarily apply to the Windows version. However, I would imagine that the same type of equipment would be needed: a UPS, and some type of backup for the database (could be a DVD-R). There also needs to be some kind of interface to the RS-485 lines. You could look for companies that make RS-485 adapters for PCs (probably plugs into a PCI slot).

3.1.2- The Database

All the information about a student or employee isn't stored on the card for security reasons: it's stored in the database (the card simply has an account number which is used to organize the data in the database). The database used by the current Unix Blackboard system is dbVista. The database used by the Windows version is Oracle. The database for the AT&T version was never advertised by AT&T, but was believed to be Informix. However, based on the modular design of CampusWide, I believe any SQL-queried relational database should work. The database is most likely not encrypted or protected in any way other than by isolation. The only way to get to it is either at the console of the AP, or by the commands sent from card readers that have already passed through the NP. Blackboard's assumptions that these 2 ways of reaching the AP are secure are one of the system's downfalls.

The database can store up to 9,999 different accounts, each account having many different fields. The balance the person has and the doors he can open are included in the system. The balance will be a floating point number, and the doors the person can open will most likely be a string of characters, with the bits being used to tell which doors he can or can't open. The doors are most likely grouped into zones, so that the 5 doors into a building have 1 bit instead of 5 separate bits saying if the person can open those doors or not.
This idea is upheld by the fact that Blackboard says the users are given plans that can be updated regarding their access to buildings. These plans grant different levels of security access to a building. Lower levels can get into the building through all the exits, the next level can access labs on a certain floor, etc. Without direct inspection of the database, only educated guesses can be made about its structure. (I have totally left out any provisions for checking out books, and other things the card can do.)

3.1.3- The Card

The ID cards that are used are your standard ANSI CR-80 mag stripe cards. They are made of PVC and are 2.125 by 3.375 inches. They are made onsite at the college's "card station," and normally have a photo ID on them. A 300 dpi photo printer is used, and the company recommended by Blackboard to use is Polaroid (just like the printers at the DMV). The magnetic stripe on the card is a standard American Bankers Association (ABA) Track 2. Any card reader/capture tool can read these cards. The cards are encoded on high coercivity stripes (known as HiCo), which are very resistant to wear and tear. These cards only use Track 2 of the card, which is read only. It is interesting that they don't use Track 3, which is read/write. Track 2's information breakdown is as follows:

Start Sentinel = 1 character
Primary Account Number = Up to 19 characters
Separator = 1 character
Country Code = 3 characters
Expiration Date or Separator = 1 or 4 characters
Junk data = Fills the card up to 40 characters
LRC (Longitudinal Redundancy Check) = 1 character

As you can see, most of this applies to banks; however, the account number I have stamped on my CampusWide card is 16 characters long, so the Primary Account Number field is known to be used.

CampusWide also allows for lost cards.
If a card is lost, an entry is made in that person's table in the database and the last digit of the account number is increased by one (this is called the check digit; of the 16 digit account number I have, the first 15 digits are my number and the 16th digit is the check digit). The system deactivates the old card that uses the old check digit and then prints a new card.

3.1.4- The Infrastructure

The infrastructure is a "security through obscurity" ploy of the system. Originally the system was designed to run over several RS-485 drop lines (these are the 60 communication lines mentioned before). RS-485 is a very robust means to transmit data (the whole CampusWide system is designed to take a beating). Unlike RS-232, which has a protocol built in to the standard that says how devices must talk to each other (stop bits, baud, handshaking, etc.), RS-485 has none of that. It is a way for a master device that sits at the end of a communication line to talk to slave devices that are daisy chained on the line. The CampusWide system uses the full duplex version of RS-485, where slaves can speak to the master before the master polls them for data. (CampusWide needs this to have the sub-second times they advertise. However, the NP still polls all the readers on a regular basis, and can be interrupted by a reader when a transaction comes in.)

The data lines are very robust against noise and interference. RS-485 has 2 lines in each direction, called A and B. Data is sent by having a difference in the voltage of A and B of more than 5 volts. This means that if you have a signal being sent, and A is at 10 volts, and B is at 15, and a power spike comes along, the spike will boost BOTH voltages by the power of the spike; however, the difference between the higher power A and B will still be 5 volts, and the data is not corrupted. Over short distances, speeds of 10Mbit can be achieved. However, the longer the cable is, the lower the speed.
All CampusWide card readers operate at 9600 baud, so the maximum length an RS-485 drop line can be and still transmit at 9600 baud is 4100 ft. This can be extended through the use of repeaters and boosters on the line.

RS-485 is not something you would find just sitting around on a college campus. Its primary use is in industry, for talking to different machines on assembly lines. I guess AT&T figured it was "secure" at a college since it is unlikely anyone would have a means to interface to it. AT&T recommended that these lines be used (indeed all the readers can only transmit their data in RS-485 mode); however, the data can travel over any facility from telephone lines to radio waves, provided that full duplex 9600 baud asynchronous communication can occur on them. The NP is the part of the system that would sort all this out.

The infrastructure ends up like this. All the devices in a building send their lines into 1 place in the building. This is where multiplexers exist, which split the main RS-485 drop line up into slices for each reader. These multiplexers also can boost the power of the main drop line, letting it travel longer distances. These multiplexers can be stored in a locked networking closet or in these big metal cabinets on the wall of a room. AT&T called these MW/MHWMENC - Wall Mount Enclosure. The drop lines coming to the building can be traced back all the way to the building that houses the NP. There the NP interfaces with the AP to approve or deny transactions.

3.1.4- The Readers

Every reader imaginable is available to a college from Blackboard. Laundry readers, vending machine readers, Point of Sale (POS) terminals in the campus bookstore, door readers, elevators, copiers, football game attendance, everything!!!
All of the readers communicate using RS-485 lines, and if any other medium is used between the reader and the NP (such as TCP/IP networking by way of the IP converter), it must be converted back to RS-485 at the NP, since all of CampusWide uses that standard. Everything is backwards compatible; the majority of my college campus has AT&T readers on it, though a few new Blackboard readers are showing up.

AT&T had great technical specifications of the CampusWide system on their web page. Blackboard doesn't. AT&T removed their old HTML documents from their server when Blackboard discovered my article and pressured them to remove them. Google no longer has the pages in their cache. For all I know I am the last person who saved copies of them. So in the next section I will reprint all the technical data from these pages, along with my description of them.

3.1.4.1- Security readers

Security readers are made of high density plastic, and consist of a vertical swipe slot and 2 LEDs. They are green when they are not locked, and red when they are. When you swipe a card to open a door you are cleared for, the light will change to green for around 10 seconds. If the door has not been opened in that time, it locks again. To allow for handicapped people who may not be able to get to the door in time, a proximity sensor is available. There is also a model of door reader with both a swipe and a 0-9 keypad for codes. Advanced forms of these 3 security readers are available, which have the ability to have a local database of 4,000 (expandable to 16,000) account numbers stored in NV-RAM. This way, if for some reason the card reader can't reach the NP to confirm someone's identity, then the reader can check its local records. The tricky bastards also built the readers so there is no visual difference between a reader that can't reach the NP and one that can.

3.2- What has Blackboard changed on the CampusWide system?

Blackboard has left the basic structure the same.
They have to for compatibility's sake. They have added 2 new features: IP Converters and MDTs.

3.2.1- IP Converters

In an attempt to phase out the old RS-485 lines, Blackboard has created IP Converters. They are simple boxes with a Pentium class processor and a NIC (whether they are actual computers or boxes I don't know) that take in the RS-485 signals from up to 16 readers, encrypt them, create an IP packet (whether it is UDP or TCP I don't know, I think UDP would function), and send them out onto the existing campus network. The website doesn't say whether it needs to be Ethernet or not, but I doubt it supports token ring or BNC.

3.2.1.1- What encryption is used by the IP converters?

I really don't know. The only thing Blackboard says about their IP Converter's encryption is that you can change the key on a regular basis if you want to. The IP Converters have Pentium class processors in them, so they have the power to do some serious encryption. I have a feeling on the high end it is probably DES, and on the laughable end Rot13 or XOR. Since companies tend to brag about the key length of their encryption in an attempt to amaze people, and Blackboard doesn't but instead is secretive, I bet it is most likely a simple algorithm, probably XOR, with a key around 5-10 bytes.

3.2.2- Merchant Dial-up Terminal (MDT)

The MDT is a way for pizza joints or other vendors around campus to have the debit services of CampusWide in their store, without having to run expensive RS-485 drop lines all the way out to the vendor. This used to be the way AT&T did it (around 1998). These simply dial in through a modem directly to the Network Processor (NP), and hand it the requests. This has major security risks, as anyone dialing this number is now dealing directly with the NP, and it is the doorway to the Application Processor (AP), which stores the database of information.

4.0 WEAKNESSES IN THE SYSTEM

4.1- Would Encryption Help for the RS-485 Lines?

No.
Say the reader takes its data and encodes it as "DOG", and "DOG" is sent to the NP. The NP decodes "DOG" and gets the data, and then sends back an OK signal encoded as "CAT". If you capture the "CAT" signal, you can simply send "CAT" back to the reader, and the reader will decode it. So you see, encryption doesn't matter as long as you have access to the raw data on the RS-485 lines.

5.0 ARTICLE CLARIFICATIONS AND CORRECTIONS

5.1- What do you mean Full 96 character ASCII Set? Isn't it 265?

Yes and no. ASCII is defined as characters 0-127, and is constant on all machines. Extended ASCII isn't standard, and is 128-255. There are 96 characters that are printable characters of the ASCII set. 0-31 are control characters used for lots of stuff that cash receipt printers don't need. 127-32 = 96 (inclusive math), so all the printable characters are available.

6.0 HOW I GOT INVOLVED

7.0 CONTACT BLACKBOARD

7.1- How do I contact Blackboard?

Blackboard's headquarters are in Washington DC:

Blackboard Inc.
1899 L Street NW, 5th Floor
Washington, DC 20036
800.424.9299
202.463.4860
202.463.4863 fax

Their CampusWide Division is located in Phoenix. This is where AT&T's branch was too. In fact, Blackboard used to have AT&T's offices until about a year ago. However, they still kept AT&T's original phone number, even at the new location. Here it is:

Blackboard Inc.
22601 North 19th Avenue, Suite 200
Phoenix, AZ 85027
800.528.0465
623.476.1400
623.476.1401 fax

For fun, here is AT&T's and later the original Blackboard office's information:

AT&T CampusWide
2362 W. Shangri-La Rd.
Building 100
Phoenix, AZ 85029-4724
Toll Free: 800-528-0465
Phone: 602-944-1565
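
The "DOG"/"CAT" argument from section 4.1, as an added example that is not part of the original FAQ and does not reflect the real CampusWide protocol: a reader that accepts any fixed encoding of the approve signal accepts a captured copy as well, whatever the cipher, while a reply tied to a per-swipe nonce is rejected when it is sent again. The XOR cipher, the key, the APPROVE message and all class and function names are assumptions made up for this illustration.

```python
import hashlib
import hmac
import os

# Constructed demo key shared by reader and NP; not a real CampusWide value.
KEY = b"constructed-demo-key"
APPROVE = b"APPROVE"


def xor_encode(data: bytes, key: bytes = KEY) -> bytes:
    """Toy static cipher: XOR is its own inverse, and the same plaintext
    always produces the same bytes on the wire."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class StaticReader:
    """Reader in the style of section 4.1: unlocks on any message that
    decodes to the approve signal."""

    def accept(self, reply: bytes) -> bool:
        return xor_encode(reply) == APPROVE


class NonceReader:
    """Hypothetical hardened reader: issues a fresh nonce per swipe and
    only accepts a MAC computed over that nonce."""

    def __init__(self) -> None:
        self._pending = None

    def start_transaction(self) -> bytes:
        self._pending = os.urandom(16)
        return self._pending

    def accept(self, reply: bytes) -> bool:
        nonce, self._pending = self._pending, None  # each nonce is single-use
        if nonce is None:
            return False  # unsolicited reply, no swipe in progress
        expected = hmac.new(KEY, nonce + APPROVE, hashlib.sha256).digest()
        return hmac.compare_digest(reply, expected)


def np_reply_static() -> bytes:
    """NP side of the static design: the approve signal, always the same bytes."""
    return xor_encode(APPROVE)


def np_reply_nonce(nonce: bytes) -> bytes:
    """NP side of the hardened design: approve bound to this swipe's nonce."""
    return hmac.new(KEY, nonce + APPROVE, hashlib.sha256).digest()


def demo() -> dict:
    results = {}
    static_reader = StaticReader()
    captured = np_reply_static()  # the "CAT" message seen on the line
    results["static_genuine"] = static_reader.accept(captured)
    results["static_replayed"] = static_reader.accept(captured)

    reader = NonceReader()
    captured = np_reply_nonce(reader.start_transaction())
    results["nonce_genuine"] = reader.accept(captured)
    results["nonce_unsolicited"] = reader.accept(captured)
    reader.start_transaction()  # a later swipe gets a different nonce
    results["nonce_replayed"] = reader.accept(captured)
    return results


if __name__ == "__main__":
    print(demo())
```

The property that stops the replay is freshness of the reply, which is separate from whether the traffic is encrypted.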