University Brings Charges Against White Hat Hacker

Soulskill posted more than 6 years ago | from the easier-than-fixing-security-holes dept.

Education 540

aqui writes "A university student at Carleton is learning that no good deed goes unpunished. After hacking into what was probably a not-so-secure university network, this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive. The university should spend money on hiring some admins with better computer skills and teaching skills rather than paying lawyers. In the Engineering department at my old university, the unofficial policy was that when you broke in, didn't damage anything, and reported the problem and how you broke in, they didn't charge you (if you maliciously caused damage, you usually faced academic sanctions). In some cases, the students were hired or they 'volunteered' for the summer to help secure the servers or fix the hole they found. The result was that Engineering ended up with one of the most secure systems in the university."

aqui continues: "The truth is, some university students are going to have the desire to hack something, and not all of them have the judgment to stay out of trouble. If you acknowledge that and catch them inside the university, you can straighten them out before they wreck their lives, and teach them to be white hats. Rather than creating a hostile environment where people may become black hats, you create an environment where you guide them in the right direction to being good computer security professionals. For every hacker they catch, there's probably at least one that they don't know about. I can imagine that a number of those hackers at Carleton are now seeing the university as the enemy for burning 'one of their own,' and some of them may become malicious to get even.

If the student's intentions were good - which they appear to be - I can't help but feel sorry for the guy."

No harm, no foul (1, Interesting)

SpaceLifeForm (228190) | more than 6 years ago | (#24987879)

Such as it should be.

Re:No harm, no foul (5, Insightful)

jeevesbond (1066726) | more than 6 years ago | (#24987953)

No harm, no foul

Exactly, if the law were balanced in this area the case would probably be thrown out (if it even reached court) and the student let off. I bet he gets a prison sentence, or harsh fine and community service. Worst of all he'll have a criminal record, meaning he might not be able to get a job. Is one other person on the dole -- when their crime is nothing more than curiosity and a desire to help -- useful to society?

It's not just the university admins who have a bad attitude, it's all society that has been conditioned to believe the hacking == terrorism meme.

I would suggest that any prospective students reading this politely contact this university and explain why you will not be choosing them. Same for any parents whose kids might be thinking of going to Carleton.

Do have some pity for those admins though: they're probably just MCSEs.

Re:No harm, no foul (5, Insightful)

SilverJets (131916) | more than 6 years ago | (#24988045)

Ya know, if he saw a flaw (and obviously there was something wrong since he installed a keylogger on at least one university computer) he should have reported it to the IT department. He decided to act and break the law so he should man up and face the consequences.

At the absolute most, he should have stopped after installing the keylogger and reported that to the IT department. He could have even reported it anonymously. The fact that he then took account information and accessed people's accounts goes way over the line.

Re:No harm, no foul (5, Insightful)

zippthorne (748122) | more than 6 years ago | (#24988477)

Yes, but the difference is that it was the university's own department. It's not just any organization. Students, by definition, are going to make some bad decisions along the way, and one of a university's jobs is to minimize the damage of those decisions so that a student can benefit from learning from their mistakes.

It's one of the reasons colleges like to have "campus police" rather than real police: keep everything "in the family" and out of the "rap sheets" where possible.

Academic sanctions, sure. But involving law enforcement where no significant damages have occurred shows a serious lack of judgment somewhere in the administration. I would emphatically not recommend attending any school which prefers to make an example of someone over protecting their students from making life-altering mistakes.

Re:No harm, no foul (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24988493)

It's one of the reasons colleges like to have "campus police" rather than real police: keep everything "in the family" and out of the "rap sheets" where possible.

I thought they liked to have their own police so that if someone was going around raping and murdering female coeds in dorm rooms they'd be able to sweep it under the rug.

Re:No harm, no foul (3, Interesting)

YttriumOxide (837412) | more than 6 years ago | (#24988285)

Is it really that hard to get a job in some places if you have a criminal record? I have a record - for Phreaking of all things (actually, the charge was "Obtains other service credit by fraud"), and it has never had any effect on my ability to find work. Most employers don't ask, and the very few that have have just said, "well, you were young, and it shows technical aptitude" or something along those lines and then never mentioned it again.

Note: I don't live in the US, nor have I ever applied for a job in that country, so it might (or might not be) just a US thing.

Re:No harm, no foul (5, Interesting)

Antique Geekmeister (740220) | more than 6 years ago | (#24988539)

No, some anger is justified. The Morris Worm was not written to ruin systems, it was written to probe them and report its results. Nevertheless, it brought down UNIX servers worldwide because it was badly written. Doing 'harmless' security cracks against a badly secured network can in fact trash that network, by accident, as you tweak local settings in 'harmless' ways.

As well meant as it was, this is why you don't put your name on that paper about the flaws. You send copies to the core administrators and money providing bureaucrats, from their own email accounts, and possibly to the staff of the school newspaper.

The Politics (5, Insightful)

D Ninja (825055) | more than 6 years ago | (#24987891)

this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive.

So, I agree with you. Someone who took the time to show flaws in the system should not be punished (at least not to this extent).

However, here's probably what happened.

1. Someone received the 16 page write-up. They took it to the sys admins.

2. The system administrators, WHO WANT TO KEEP THEIR JOB, are going to go into a tirade of how he subverted their systems and purposely used "nefarious methods" to break system security, etc, etc. Basically, it's politics here - they don't want to look bad and/or lose their job so they will do everything in their power to make him look like a bad guy (which, to some extent, he is).

3. So, sys admins may have suggested some legal action to protect the school and make an example of him. (Or someone higher up may have.) The reason someone higher up may have done this is because they want to protect the school's image. Knowing that their system was weak could really hurt a school which is a business.

Basically, all of this is politics. All of it. Technically, the kid did the right thing by reporting what he found (although, quite honestly, he probably shouldn't have been there in the first place without asking permission). But, he didn't think through how other people were going to see his actions. You *always* have to think about the politics.

Wake up please. (1, Insightful)

stonecypher (118140) | more than 6 years ago | (#24987919)

Technically, the kid did the right thing by reporting what he found

No, technically he did the wrong thing by breaking into the network. This isn't complicated. If he technically did the right thing, he wouldn't be technically looking at jail time. This isn't a pity party. He did a bad thing and he's getting punished. Simple as pie.

If some asshat broke into one of my servers then told me how, I'd send his ass to jail too. If he contacted me and said "I would like to break into your server then I'll tell you how", I'd pay him to do it under controlled circumstances. However, if he just up and did it one day, it would cost me tens of thousands of dollars in cleanup.

I can't imagine why you think this was in any way a good idea.

Re:Wake up please. (0)

Anonymous Coward | more than 6 years ago | (#24987975)

"I can't imagine why you think this was in any way a good idea."

It's wholly dependent on the type of person you are and the type of world, community you live in. Now I know our world is not that world, but the point being, it's based on the psychology of the culture itself

Re:Wake up please. (1, Insightful)

profplump (309017) | more than 6 years ago | (#24987997)

I'm not saying it was a good idea, but there's no evidence that he caused 1 cent of damage or required anyone to do any cleanup. Maybe he did, but it sure doesn't say that in the article.

I'm pretty sure if someone contacted you and told you they'd show you vulnerabilities in your system for a fee your lawyers would tell you to press charges for extortion.

But hey, don't let reality ruin your hypothetical hate session.

Re:Wake up please. (0)

Anonymous Coward | more than 6 years ago | (#24988085)

So, putting keyloggers on PCs you have physical access to exposes "vulnerabilities in your system?" That's news to me.

Re:Wake up please. (1)

atari2600 (545988) | more than 6 years ago | (#24988095)

Read the parent post at all? He didn't say anything about being asked for money. I am sure his response for such a demand would be as you've stated for obvious and sane reasons.

It's not hypothetical hate as much as it is obvious / common sense not that I expect a 20 year old kid to have much of it - still the kid f'ed up and has to pay for it.

Re:Wake up please. (0)

Anonymous Coward | more than 6 years ago | (#24988215)

Ahem. For your education, and my amusement, the "parent" to which you referred actually did say this: "If some asshat broke into one of my servers then told me how, I'd send his ass to jail too. If he contacted me and said "I would like to break into your server then I'll tell you how", I'd pay him to do it under controlled circumstances."

How's that crow tasting?

Re:Wake up please. (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24988169)

Anytime a system is compromised you *must* clean it up. You have no idea what might be there, even if he sent a 16 page paper saying what he did. You must assume that he left stuff out.

And how many systems are connected to this system? Unless there are additional protections, you can't trust them either. And so on. If this happened at my work, we'd be talking hundreds to thousands of machines that would have to be wiped of everything and restored. That's more than a trivial cost.

Re:Wake up please. (5, Insightful)

porcupine8 (816071) | more than 6 years ago | (#24988001)

No, technically, he did the illegal thing, and thus is getting punished.

Whether it's wrong is up for debate. I can see how someone could think it was wrong, or morally neutral but stupid, or perfectly fine.

Re:Wake up please. (4, Informative)

pizzach (1011925) | more than 6 years ago | (#24988061)

No, technically, he did the illegal thing, and thus is getting punished. Whether it's wrong is up for debate. I can see how someone could think it was wrong, or morally neutral but stupid, or perfectly fine.

Whether it's wrong and if the punishment was extremely excessive is up to debate. Premeditated murder, manslaughter by negligence, and Murder in the name of self defense can warrant totally different outcomes. It looks to me in this case intent is being totally ignored.

Re:Wake up please. (4, Informative)

grahamd0 (1129971) | more than 6 years ago | (#24988331)

Premeditated murder, manslaughter by negligence, and Murder in the name of self defense can warrant totally different outcomes.

Murder is the illegal killing of another human being.

If it's legal for you to defend yourself with deadly force then it is, by definition, not murder.

If you are in a jurisdiction where it isn't legal to defend yourself then the fact that you were defending yourself is irrelevant.

Re:Wake up please. (4, Interesting)

registrar (1220876) | more than 6 years ago | (#24988509)

You are so right about intent. Ignoring the kid's intent is part of what makes this repugnant.

In my workplace, I get technical people to work for me by honouring their expertise and sometimes cracking just a bit dumb. IT managers especially do not respond well to any hint that you know they are doing a second rate job. But academics and students should thrive on give-and-take. This kid acted in an academic sort of way at a university, and that should be fine. University is not the place where you should have to learn how to deal nicely with incompetent people. So I find it quite awful that this university is discouraging the free learning process.

Sucks to be the IT guy, but the best IT managers I ever saw at UNO were bored academics. Not always entirely technically competent, but they understood where we were coming from and knew how to keep us in line. And quite happy for us to point out security holes.

Re:Wake up please. (1)

MikeBabcock (65886) | more than 6 years ago | (#24988495)

In a democratic country, whether it's illegal or not should also be up for debate.

Re:Wake up please. (5, Insightful)

iminplaya (723125) | more than 6 years ago | (#24988039)

Your desire for vengeance will only serve to drive the next guy underground. I certainly would know better than to come forward in a world with an attitude such as yours. You all are so quick with your "lock 'em up" bullcrap.

Re:Wake up please. (5, Insightful)

glitch23 (557124) | more than 6 years ago | (#24988049)

If some asshat broke into one of my servers then told me how, I'd send his ass to jail too. If he contacted me and said "I would like to break into your server then I'll tell you how", I'd pay him to do it under controlled circumstances. However, if he just up and did it one day, it would cost me tens of thousands of dollars in cleanup.

So just because someone asks beforehand means you can trust them to not require a cleanup afterwards? What kind of arbitrary logic is that? If you don't trust them and that's why you want it done under controlled conditions such that everything they do is recorded then you may as well do it yourself. Someone who doesn't ask isn't necessarily malicious as in this case but someone who does ask can still be malicious. You just have a better chance of the person(s) not being malicious if they do ask but there are exceptions on both sides of the situation.

Re:Wake up please. (5, Interesting)

yttrstein (891553) | more than 6 years ago | (#24988065)

If I found out that one of my engineers turned in and made moves to press charges against a hacker who broke in and then told them exactly how it was done, I would fire that engineer on the spot, for two reasons:

1. As was said in the story, you have an opportunity there to pull a potential fence-sitter over to the white-hat side of things, and you can only do that if you don't send them to prison on the spot. To not understand this is to be missing a fundamental requirement of anyone on the payroll -- "don't be a jerk!"

2. They're not very good at their job if some pinhead waltzes into the network and screws around like that.

But maybe that's why some engineers and administrators get so hot headed about this sort of thing. When it happens it draws unwanted attention to their own potential incompetence, and any rational human being would be pretty threatened by that.

Still, Don't be a jerk.

Re:Wake up please. (0)

Anonymous Coward | more than 6 years ago | (#24988075)

agree with the parent..even though his intentions were good he should have got the sysadmins on his side before he started the system security test..no diff from someone breaking into my house and then telling me how and what to fix.!!

Re:Wake up please. (5, Insightful)

Anonymous Coward | more than 6 years ago | (#24988115)

Besides having been that kid 15 years ago, when I was a teenager, and the IT department and CS staff chose to point me in the right direction. Now I don't do any hacking, or any other illegal, scandalous, shady or immoral activity other than wasting time on Slashdot. I am, on the other hand, a practicing engineer and making the world a better place. If I were treated like this kid, I'd still be in nowhereville. Is the university doing what's legal? Yes. Are they doing what's moral? Fuck no.

Re:Wake up please. (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24988163)

Sorry, but I have to question your abilities of a System Admin if you've gone to the extremes of securing your servers in all the appropriate manners, yet you still cry foul if you are hacked.

That means the person doing the hacking knows more about exploits that are probably unknown to the package in question's software community, is obviously out of your league in terms of skill, and is obviously malicious.

There is no endpoint in System Administration. It is a constant battle, and YOU SHOULD KNOW THAT, if you are indeed a System Admin. To think that sending some white/black hat to jail or whatever somehow lessens the constant target that are your systems is ludicrous. WAKE UP. The threat is still there no matter how many 'hackers' you think you can put away.

Re:Wake up please. (1)

qw(name) (718245) | more than 6 years ago | (#24988223)

If the people who are defending this idiot took the time to read the article they would learn that he didn't just employ 1337 hacking techniques to gain access. He installed key loggers and a magnetic stripe-reader to capture student's information in order to gain access to the system. This is criminal behavior. He's no Robin Hood. More like Robin Hoodlum.

Re:Wake up please. (3, Interesting)

SirSlud (67381) | more than 6 years ago | (#24988407)

Robin Hood stole from the rich and gave to the poor. In this situation, he could have only stolen from the poor, but stole from nobody and told the rich that stealing from them was feasible if somebody else wanted to be a true anti-Robin Hood.

It's a shame people think most hacking involves breaking down hex codes. I've had my debit card number and pin stolen twice from the nearby grocery store, and I'd love nothing more than for somebody to do it again who would actually tell them how it was done and how to prevent it in the future.

Re:Wake up please. (1)

zaffir (546764) | more than 6 years ago | (#24988375)

If he technically did the right thing, he wouldn't be technically looking at jail time.

Not that I disagree with your overall position, but, just because it's illegal, doesn't mean it's wrong.

Re:Wake up please. (1)

Luke_22 (1296823) | more than 6 years ago | (#24988425)

I can't imagine why you think this was in any way a good idea.

law says he's wrong, ok.
but the main principle of law is to punish those who damage, not those who help.
That is why I still think he's right.

Re:Wake up please. (2, Insightful)

MikeBabcock (65886) | more than 6 years ago | (#24988483)

Oh, sorry, you're in the camp of people who actually believe you won't go to jail for doing the right thing because our laws are perfect and the legal system has no flaws.

Innocent people do jail time, innocent people are further up on the 'got screwed over by the justice system' list than this guy, so don't go on about how he wouldn't be facing jail time if he'd technically done the right thing.

Re:The Politics (3, Insightful)

drakethegreat (832715) | more than 6 years ago | (#24987983)

Part of the issue here is that just because he submitted a write up on what he claims he did doesn't mean he didn't leave a backdoor. Chances are he didn't but until they analyze everything (which takes forever given the number of servers a university department has), how do they know? It could be a way of covering tracks. Look at it this way, you got home one day and found a 16 page write-up about how a guy broke into your house, disabled the motion detector, and finally video taped it all, how would you feel? Jail is beyond what I would do personally but I'm pretty sure I wouldn't be peachy for such a kind gesture.

Re:The Politics (0)

Anonymous Coward | more than 6 years ago | (#24988445)

If he broke in then it seems to me that being concerned he left a back door is pointless - other people may well have broken in, not given a helpful write-up of what happened, and left their own back doors. Assuming the admins aren't perfect at detecting break-ins, there'd be exactly the same amount of chance that someone left a back door whether or not this kid broke in - it's just that he gave them a warning to look for it. Punishing this kid is a way to push admin ignorance of security problems as an official policy.

Realism ahoy (4, Insightful)

stonecypher (118140) | more than 6 years ago | (#24987893)

Yes, anyone should be able to break the law and then get off scot-free by claiming it was in the public best interest. Nevermind the cost of the sudden campus-wide security lockdown, nevermind that IT staff may have lost their jobs, nevermind the people now losing sleep because they don't know how to handle things. Nevermind the risk incurred in that if he caused outages he could have disrupted phenomenally expensive research projects. Nevermind that most whitehats leave doors open behind them.

He meant well.

He deserves what he got. Quit trying to make heroes out of everyone looking at jail time. Jesus.

Re:Realism ahoy (2, Insightful)

Harry Balzack (1291328) | more than 6 years ago | (#24987955)

Just because it's some computer savvy person doesn't make his actions above the law. A robber could advance the same argument: "I robbed you just to prove to you that (you) should take your personal safety more seriously" Sorry, that dog don't hunt!

Re:Realism ahoy (5, Insightful)

Skye16 (685048) | more than 6 years ago | (#24988035)

Looking at your response, then, there seems to be no reason what-so-ever to be a white-hat.

Honestly, if you're going to get the book thrown at you, fucking make it worth it. Destroy those phenomenally expensive research projects.

I mean, after all, if he's going to get punished for things like this, it's better off at least feeling the satisfaction of really dicking someone over. I mean, if they're going to fuck your life up for the end of all days, you may as well have done it to them first. At least then you have "an eye for an eye".

Right now you have "an eye for a paper showing precisely how I could have taken your eye".

I would never do it. (1)

maillemaker (924053) | more than 6 years ago | (#24988409)

>Looking at your response, then, there seems to be no reason what-so-ever to be a white-hat.

Duh!

Would you? I wouldn't. Would I break the law and then hope people thank me for it instead of prosecute me for it, all to help my university? Fuck no.

Everyone knows no good deed goes unpunished. For good deeds done through illegal means the punishment is even more sure.

So yeah, if you're gonna hack, I hope you're getting something out of it - ass, money, personal satisfaction of dicking someone over, whatever. 'Cause altruism don't pay for shit.

Re:Realism ahoy (2, Interesting)

Jewfro_Macabbi (1000217) | more than 6 years ago | (#24988073)

Actually there have been court upheld exceptions and dismissals of charges in cases where people broke the law to "preserve public interest". See the recent U.K. dismissal of Greenpeace activist on vandalism charges... It's a long established legal precedent. For example you are allowed to trespass/break and enter private property to stop a fire, save a life, etc, etc.

Re:Realism ahoy (0)

Anonymous Coward | more than 6 years ago | (#24988219)

The UK case was jury nullification, nothing more. Ever hear of O.J. Simpson?

People like you create "fail upward" workforces. (4, Insightful)

plasmacutter (901737) | more than 6 years ago | (#24988113)

Someone equally or more competent than your own staff tested your infrastructure, found its flaws, and gave you a free report on it, and you're going to beat them over the head.

This "law uber alles" authoritarian streak is what causes most companies to become plagued with "upward failure". The truly competent don't dare to speak inconvenient truths, and the incompetent are given free rein to take advantage.

Re:People like you create "fail upward" workforces (0)

Anonymous Coward | more than 6 years ago | (#24988513)

That's cool, it's easier to act like a fool than it is to act intelligently. If we can spread the "fail upwardly" love, most of the internet will be overdue for promotions.

Re:Realism ahoy (1)

pizzach (1011925) | more than 6 years ago | (#24988125)

Nevermind the cost of the sudden campus-wide security lockdown, nevermind that IT staff may have lost their jobs, nevermind the people now losing sleep because they don't know how to handle things. Nevermind the risk incurred in that if he caused outages he could have disrupted phenomenally expensive research projects.

I was with you until that last sentence there. Are you going to give a "think of the children" statement next?

Re:Realism ahoy (3, Interesting)

yttrstein (891553) | more than 6 years ago | (#24988139)

It's precisely this sort of attitude, stonecypher, that will prevent any other hackers at Carleton from coming forward and reporting any problems they happen to find, legally or not.

But at least your ethics are intact.

Though perhaps there's some sort of happy medium where you could get your punishment rocks off while at the same time places like Carleton don't have to scare everyone into never reporting anything. You're never, ever going to stop a hacker who loves what they do from hacking. Ever.

Those of us active in the security field would really appreciate your help on this.

Re:Realism ahoy (1)

Maelwryth (982896) | more than 6 years ago | (#24988329)

"Yes, anyone should be able to break the law and then get off scot-free by claiming it was in the public best interest."

You're right. We should leave that to our government.

Re:Realism ahoy (1)

WolfWalker545 (960367) | more than 6 years ago | (#24988473)

Depending on how vulnerable the network was, some IT staff or their management SHOULD lose their jobs. Security is a pain in the ass. There are always reasons not to lock things down, to counter the reasons to lock them down. If the IT staff weren't trying to keep it secure, they need new jobs. If they tried, but management refused to allow it, then the management should take the hit. I don't have much sympathy for people losing their jobs for lack of competence or laziness. Without more information, we have no way of knowing if he left any back doors (and I wouldn't consider that a "white hat" action), or if he interrupted any processing. But universities tend to deal with a lot of data that they are SUPPOSED to keep safe. Financial aid information, payrolls, social security numbers for students, faculty, and staff. Credit card information. All sensitive data. It's also the law that this data be protected. And what incentive is there for universities to protect their networks if nobody brings their vulnerabilities to their attention? Or should they only find out AFTER sensitive data has been stolen? Do you REALLY think administration officials are going to say "let's hire a security testing team to test our network"? Of course, giving them the information in a way that they could figure out who did it isn't the brightest thing in the world, nobody likes their failures pointed out to them, and it's easier to press charges than it is to admit mistakes and take efforts to clean up. But we do sanctioned penetration scans against our servers, and if any group "needs" to run insecure services, we require that upper management sign off on the business risk. And our network team ALSO runs sanctioned scans against our systems, with results reported up a different management chain, for accountability purposes.

Re:Realism ahoy (1)

MikeBabcock (65886) | more than 6 years ago | (#24988511)

Let me follow this logic -- if HE caused the campus-wide lock-down, that's worse than leaving the campus insecure to more ill-intentioned persons?

I don't follow.

The security problem didn't exist because he hacked the system, the security problem allowed him to hack the system. The security problem should have required a lock-down before he ever hacked it, but the team at the University didn't realize it (or didn't care).

His actions changed nothing but awareness.

Bullshit (5, Informative)

atari2600 (545988) | more than 6 years ago | (#24987899)

From the article: Det. Michel Villeneuve of the Ottawa Police high-tech crime unit said yesterday that a suspect used Keylogger software and magnetic stripe-card reader software to acquire students' information.

Using keylogger software is not White hat material sorry. You install a keylogger on a random machine and watch people come in and access their email / student accounts and then later go "me l33t haxor?"

Computing access in schools is a privilege and I see an abuse of privilege here by installing keyloggers. Sorry but physical access to machines means all security is out of the window. Sure the admins can install a variety of tools to detect keyloggers but there's always going to be one program that will escape detection.

Should I blame Soulskill? Such a verbose summary and no mention of keylogging software.

Re:Bullshit (0)

Anonymous Coward | more than 6 years ago | (#24988149)

You left out what might be the most important part of the paragraph.

"The suspect then put together a 16-page document addressed to the university secretary's office, later e-mailing the document to 37 students."

Add this to what was reported earlier in TFA:

"Claims of a breach of security in the university's electronic system came to light last week after a letter was sent to university officials with a list of the students' accounts and their passwords."

The exact same reports without truncating any of the information? It is possible the school's administration wasn't the one who called the police or it is also possible the police was called due to demands of the students or their parents. Of course that is only a minimum of the discussion that could come up over what could possibly go wrong when you consider he may have sent all that info to each of those 37 students.

Also FTFA:

"The breach allowed access to the Campus Cards that students use as debit cards for campus purchases, including photocopiers, food kiosks and the bookstore."

Not sure being as it was a campus only card but might not that alone kick in some laws requiring the breach be reported? Say if Canada has any laws similar to California's law regarding debit/credit card information breaches?

Everyone needs a chance to learn from their mistakes, just hope his lesson isn't too harsh or that he goes the wrong direction. His odds computations might make him popular at poker games for a while, if he is free to play any.

Are you serious? (1)

atari2600 (545988) | more than 6 years ago | (#24988207)

Pretty sure I caught the most important part - "keyloggers". Sure he didn't profit from his little adventure but that doesn't make what he did any right. He abused his privileges and there is the whole privacy question because of the passwords he stole.

How many passwords do you think an average college kid uses for the several accounts he or she has? (Facebook, credit card, bank, email, student services, slashdot account) - I am going to bet that it's usually going to be ONE.

Now because Mr. Vigilante decided to better the security system out of his good heart, it doesn't change the fact that he has actively inconvenienced several people while doing it. Also tell me what the best safeguard against physical access is.

Let me give you an idea: "We don't want students installing keyloggers so let's just take away all install privileges" GREAT IDEA! "Let's do it" and you will still find someone who out of the good nature of their heart will put in a trojan or a keylogger and then write a 600 page document. The ends don't justify the means here.

If you still don't get it, here's an analogy: I want to complain about my company's sprinkler system. I set fire to a bunch of stuff, make life miserable for an entire floor of people - smoke, heat and all. I also make the fire department show up when they could be doing something else somewhere where they are needed more. The sprinklers don't go off but hey I am cool, I am writing a 16 page document to explain I did it for the good of the company.

His intentions appear good but no way it makes what he did unforgivable. Unless he gets punished which is sad for him, that's going to set a dangerous precedent and we all know that's the excuse the authorities will use.

You've got some black on your white hat sir. (4, Insightful)

Anonymous Coward | more than 6 years ago | (#24987901)

What he did was gray hat and not white hat.

If he had gotten the permission of the school to do security testing first then he would be a white hat. He had good intentions, but by breaking into a system he didn't own without the owner's permission he broke the law.

-Jim Bastard

Re:You've got some black on your white hat sir. (1)

mbstone (457308) | more than 6 years ago | (#24988121)

Amen. A prudent whitehat never touches someone else's system or network without first obtaining written permission, using language that has been reviewed and approved by his own lawyer. And the lawyer had better be familiar with the various, and latest, federal and state computer intrusion statutes and appellate court decisions.

Fail to do this and you are in the category of Whining. IAAL.

P.S. (2, Interesting)

mbstone (457308) | more than 6 years ago | (#24988181)

Reporting a vuln using a lawyer as a go-between completely removes you from the possibility of criminal prosecution, unless you left a trail of bread crumbs. Attorney-client privilege beats any number of anonymized proxy servers.

I'd love to see them poll a jury on this (1)

missing000 (602285) | more than 6 years ago | (#24987905)

As stated above no harm no foul. If this is a crime so is alerting your neighbor that their door is unlocked while they were gone.

Re:I'd love to see them poll a jury on this (4, Insightful)

magarity (164372) | more than 6 years ago | (#24987939)

No, breaking in via a keylogger and a magstripe reader is the same as stealing your neighbor's keys, making a copy, poking around his house while he's out, and then telling him that he needs better security.

Re:I'd love to see them poll a jury on this (1)

yttrstein (891553) | more than 6 years ago | (#24988157)

Like a burglar alarm that would have gone off if the guy with the key didn't have the code as well?

I agree whole heartedly.

Re:I'd love to see them poll a jury on this (1)

SirSlud (67381) | more than 6 years ago | (#24988457)

I think the point is, what is the fucking point of putting somebody in jail if they had every opportunity to rape you, and didn't?

What exactly are we rehabilitating here? If it's a desire to watch some TV in your living room while you're not home, years in jail seems a little excessive to a tax payer like me.

If somebody did that to my place or my parents', I don't think I'd feel so violated as to think I'd feel safer if this one guy was locked up for 5 years.

Re:I'd love to see them poll a jury on this (4, Insightful)

DerekLyons (302214) | more than 6 years ago | (#24988321)

If this is a crime so is alerting your neighbor that their door is unlocked while they were gone.

Except he didn't "alert his neighbor". He opened the door (which he has no business even trying to do in the first place), and then riffled through the neighbor's desk, refrigerator, garage, and basement. Before leaving he made a copy of the front door key, installed taps on the phones, a webcam in the bathroom. Then he told the neighbor that his door was unlocked, his checkbook needed balancing, his taste in soda abominable, his garage was a mess, and the furnace filters needed cleaning.

Re:I'd love to see them poll a jury on this (1)

Paradigm_Complex (968558) | more than 6 years ago | (#24988439)

The problem with that is I can keep checking my neighbor's doors or trying to crack my school's computers until I find something worth the risk of failing to report it. Maybe the guy deserves a relatively minor punishment, but what he did is not ignorable.

Doing the right thing (2, Interesting)

Announcer (816755) | more than 6 years ago | (#24987909)

Your old school did, indeed, do the right thing. This one is not. The guy came forward with what he discovered, in good faith! It gives them the opportunity of preventing a malicious person from causing real damage... and they are going to punish him for this? That's just wrong.

In fact, it could theoretically turn many others into "black hats" that will go after them, just because they were so hard-nosed with this guy who was, let's be honest, doing them a favor!

Time for that school to get a clue. I'm really disappointed in their actions.

Re:Doing the right thing (2, Insightful)

reddburn (1109121) | more than 6 years ago | (#24988109)

We need more information. If, for instance, he even looked at another student's Family Educational Rights and Privacy Act (FERPA) protected information, then the school must, by law, prosecute him. Uncle Sam doesn't mess around when it comes to assessing penalties - schools with violations can lose federal funding (including grants).

If he was poking around in an area that made any student information not considered "directory information" (address, campus box, telephone, degree, or e-mail address) accessible, then they had no choice. And ignorance is no excuse - they shove FERPA down the kiddies' throats when they arrive, just to make sure they know that mommy and daddy can't meet with professors.

Re:Doing the right thing (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24988193)

FE-what? Uncle who? I think you're talking about another country..

Re:Doing the right thing (0)

Anonymous Coward | more than 6 years ago | (#24988203)

We need more information. If, for instance, he even looked at another student's Family Educational Rights and Privacy Act (FERPA) protected information, then the school must, by law, prosecute him. Uncle Sam doesn't mess around when it comes to assessing penalties - schools with violations can lose federal funding (including grants).

So you're saying that the Canadian school must prosecute a Canadian student for a crime committed in Canada because Uncle Sam might impose a penalty on the Canadian school if they don't comply?

don't blame the admins (1)

ScubaS (600042) | more than 6 years ago | (#24987915)

Unfortunately a lot of businesses don't have the money to hire someone to make sure their IT security is impenetrable. They often have business objectives to worry about that are more important than making sure the security is top notch. How many admins actually don't consider security? Probably not a lot.

I, for one... (-1)

Anonymous Coward | more than 6 years ago | (#24987923)

...blame the Jews.

Seriously. Who else would it be?

Re:I, for one... (0)

Weedlekin (836313) | more than 6 years ago | (#24988417)

I don't blame all the Jews, just the Hassidic ones who wear hats and big overcoats even in the summer. They could be hiding _anything_ inside that sort of clothing: ninja Chihuahuas that have been trained to sit on the seats of fat sysadmins and give them coronaries by biting and yapping when they try to sit down; small monkeys who sneak in and type swear words on keyboards; boxes full of suicide spiders that have been genetically engineered to crawl into computers and short out components; or even low calorie food stuffs that can be nefariously substituted for the fatty, sugary items that IT people depend on to maintain their complexions and waistlines.

As St. Barry The Lambent said in his famous warning to the Parthians: "He who accepts a gift of ants from a man of Gaul shall have no comfort from any shoe, for the feet of the ant coveter are anathema in the eyes of The Lord".

good luck (0)

Anonymous Coward | more than 6 years ago | (#24987931)

The exact same thing happened to my roommate in college. I was brought in to testify, and I argued that, based on a multitude of previous experience (open source contributions, etc.) that my roommate was a white hat. After many blank stares, I gave a brief overview of archetypes in western film (I was a film minor).

He got off, fwiw, and so should this guy.

Should have submitted it anonymously (4, Insightful)

inflex (123318) | more than 6 years ago | (#24987973)

He should have just submitted the 16 page paper anonymously. If he was truly trying to do a purely good deed, there shouldn't have been any need for his name to appear on it for the purposes of fame or positive retribution.

Given the number of previous incidents similar to this, one would have thought he'd have been aware that this is almost always the outcome. Try entering into a store after hours (when closed) without due permission, without stealing anything and reporting how you did it. Compare the outcome.

Re:Should have submitted it anonymously (1)

PsyberS (1356021) | more than 6 years ago | (#24988235)

From TFA,

"The writer, who used a pseudonym,"

No, what he should have done was avoid breaking in without permission in the first place. Problem solved.

terms of use (4, Insightful)

jschen (1249578) | more than 6 years ago | (#24987991)

The student almost certainly signed an agreement stating the terms of use for the university network. And he almost certainly broke that agreement. If that's the case, then I don't see how the university's response is wrong.

Well said (3, Insightful)

atari2600 (545988) | more than 6 years ago | (#24988031)

Not only did he break rules but he did it maliciously (no grey area here) when he used keyloggers. I can see what would happen if I did the same thing where I work - they'd fire me, throw my ass in a federal pound me in the ass prison and generally my life would be ruined.

What we have here is not a hacker, not a white hat or a black hat hacker. We have a script kiddie. Sadly most of the posters before you seem to have already started making a hero out of this "vigilante".

Re:Well said (1)

YttriumOxide (837412) | more than 6 years ago | (#24988503)

I did do it at work (at my previous place of employment - which I left of my own free will, not because of this!)... what I got out of it was a pay rise, a few extra duties for a few months (helping the admin fix the problems I found) and a really nice thank-you gift paid from the IT department's budget. Not every company treats their employees like crap. What I did wasn't exactly like this guy, but it did involve exposing weaknesses in the card system we used for security, so it's not totally unrelated.

Re:terms of use (0)

Anonymous Coward | more than 6 years ago | (#24988101)

Focusing on what was signed, what's the law, and what the school defines as good and moral behavior does not mean that we should still not address whether or not it is the right thing to do.

This situation with a keylogger is not a strong argument, because it is not as much a network vulnerability (in a sense I think we all know), but how many people exploit things in systems before this?

The MIT subway hacker - how many people do that regularly? White hats expose that. In general, I'd say he's doing right, while he is contradicting the almighty law. What people said the law is good can look subjectively to see if it is good case by case, not blindsiding helpful people.

Re:terms of use (0)

ChameleonDave (1041178) | more than 6 years ago | (#24988291)

And he almost certainly broke that agreement. If that's the case, then I don't see how the university's response is wrong.

You show an utter inability to see any difference between rules and morals; between what you can get away with and what you ought to do.

As a student of Carleton... (5, Informative)

Joelfabulous (1045392) | more than 6 years ago | (#24988009)

I can tell you firsthand that the administration did not take kindly to this.

With regards to the magnetic stripe thing, it's not surprising that those in charge reacted strongly and sharply. We had recurrent incidents on campus last year with sexual assault and they had to lock down all the residences and the labs, and as such, they took great pains to inform the students who had access cards for the suite residences that they would not, in fact, be in danger, be it financial or otherwise.

Ouch (1)

atari2600 (545988) | more than 6 years ago | (#24988131)

Looks like they found a nice scapegoat given your new information. Poor guy will get nailed harder than he deserves.

Ah, so administration ego safety! hurray! (4, Insightful)

plasmacutter (901737) | more than 6 years ago | (#24988137)

it's not surprising that those in charge reacted strongly and sharply. We had recurrent incidents on campus last year with sexual assault and they had to lock down all the residences and the labs, and as such, they took great pains to inform the students who had access cards for the suite residences that they would not, in fact, be in danger, be it financial or otherwise.

You have to love an administration which cares more about their ego than the rape targets they were trying to help.

Overreaction? (3, Insightful)

thatskinnyguy (1129515) | more than 6 years ago | (#24988241)

We had recurrent incidents on campus last year with sexual assault and they had to lock down all the residences and the labs, and as such, they took great pains to inform the students who had access cards for the suite residences that they would not, in fact, be in danger, be it financial or otherwise.

If your school is locking everything down thanks to sexual assault, because of the nature of the crime, they're obviously not thinking straight. That is a reactive measure and only instills panic. In the case of a shooting however, that can be a proactive measure to ensure that more people aren't harmed.

keyloggers (0)

Anonymous Coward | more than 6 years ago | (#24988087)

Keyloggers destroy any and all chances at privacy. News at 11.

Get real (1, Insightful)

taustin (171655) | more than 6 years ago | (#24988103)

"The truth is, some university students are going to have the desire to hack something."

The truth is, some university students are going to have the desire to light things on fire, too. How many buildings do we let them practice on before we arrest him?

The truth is, the kid broke the law, and it is nearly inconceivable that he didn't know it at the time he did it. For every hacker they know about, there may well be at least one more they don't know about. But for every hacker they crucify, there will be dozens who think twice before breaking the law.

Tactless (1)

kungfoolery (1022787) | more than 6 years ago | (#24988145)

When you disagree with someone's opinion and wish to offer a rebuttal, most times, saying "You're a moronic shithead and your logic is atrociously sophomoric" will not garner a positive response. By the same token, surreptitiously infiltrating your school/company/organization's systems and offering a similar statement in hacker-terms isn't likely to get much praise, no matter how right you might be.

Yes, to us humans, the approach is almost as important as the idea.

Re:Tactless (1)

plasmacutter (901737) | more than 6 years ago | (#24988151)

True, but pointing out the flaws without a real-world example would allow incompetent officials to plausibly spout off denial and claim the flaws are merely "hypothetical".

Is this white hat hacking? (2, Interesting)

Gnavpot (708731) | more than 6 years ago | (#24988159)

The subject of this story says White Hat Hacker. But it seems to me that the break-in was typical black hat hacking. The info to the system administrators may be a typical white hat hacker action, but this does not make the whole thing white hat.

Re:Is this white hat hacking? (2, Insightful)

centuren (106470) | more than 6 years ago | (#24988315)

Typical black hat hacking? Like bringing all the servers down, or taking private information for criminal use? Seriously?

Student looks around in his university's network. Goes past poorly implemented safeguards, writes about how it can be improved.

Sounds like an extra credit assignment to me.

Why white hat? (0)

Anonymous Coward | more than 6 years ago | (#24988173)

I don't understand. If somebody picks the lock on my house and breaks in, I'd like them to get arrested. Sending me a 16 page report about how he broke into my house, and having people call him a 'white hat burglar' doesn't really change anything.

How about a 'white hat robber' who mugs me on the street, but is careful not to hurt me too badly and gives me a report to help me improve my self-defense skills? Sorry, it's still assault.

No sympathy here.

The student is stupid (1)

Alex Belits (437) | more than 6 years ago | (#24988199)

Any system has some range of conditions that it is intended to tolerate, and there is always a possibility that something outside of that range will break it. As long as people who use and run those systems are aware of this, there is no point in reporting "vulnerabilities" of this kind, in 16-page papers or otherwise. I am sure I can get a bulldozer, add some armor made of steel and concrete, drive it into a data center, and cause a massive denial of service for everything in it. And yet this is not a good reason to write papers on killdozer-proofing data centers, and neither would I expect an experimental verification of this fact to be appreciated by its victims.

This is actually a much wider problem. For exactly the same reason airport security madness is counterproductive -- a determined person still can destroy an airplane with its passengers, however millions of people suffer from pointless "security measures" that produce no positive outcome. While being as clueless about security as American politicians is not a crime, this student has very poor understanding of the very subject of his paper.

In other news (4, Insightful)

kenp2002 (545495) | more than 6 years ago | (#24988201)

Mr. Johnson was recently arrested after finding Mr. Smith's front door unlocked.

Mr. Johnson snuck into Mr. Smith's home and watched Mr. Smith sleeping for several hours.

Afterwards Mr. Johnson provided a detailed account of how Mr. Smith had left his front door insecure and ways to better secure the front door.

Mr. Smith wasn't amused by the report and had Mr. Johnson arrested for trespassing and breaking and entering.

Mr Johnson's defense is grounded in the fact he was helping Mr. Smith become a better home owner by sneaking into Mr. Smith's house.

-----

You now realize how stupid you sound when you defend someone under these circumstances. This whole White Hat nonsense is about as intelligent as the statement, "Well your honor his front door was unlocked, and obviously I should be allowed to go in there as long as I don't break anything, after all if he didn't want people in there he should have locked his door at the very least..."

Put him in jail and maybe these adult children will grow up.

Re:In other news (0)

YttriumOxide (837412) | more than 6 years ago | (#24988527)

I'm on Mr Johnson's side in your scenario actually... Mr Smith did an idiotic thing and Mr Johnson pointed it out to him without causing any harm to Mr Smith or his property. That's a GOOD thing. If I were in Mr Smith's situation, I'd have thanked Mr Johnson and then reprimanded myself for my own stupidity.

happened to me, twice... (3, Insightful)

Anonymous Coward | more than 6 years ago | (#24988213)

I've noticed that generally, if the admins are worth their salt, you don't need to detail every single step to produce an exploit. Just provide enough information to walk them up to the open door, and let THEM walk through it. In fact, writing 16 pages detailing every step of the way makes them question WHY you were so thorough. It also makes them look bad to their higher-ups because some "punk kid" figured out something they didn't.

I speak as someone who had a run-in with both high school admins and university network admins. Two distinct cases, but with very different results.

In HS, a friend installed a homebrew backdoor onto every computer in the HS computer lab. It permitted basic keylogging functions, as well as partial remote control (mostly just starting programs remotely). I just de-backdoored the computer I used for class and let others fend for themselves. When he reinstalled the backdoor on my computer the following week, I turned around and killed the backdoor on every system (it supported a room-wide purge in the event that it needed to be removed quickly). Unfortunately, stopping it also caused an error pop-up on every screen in the lab.. at which point everyone knew something was up (but no one knew it was me who stopped it).

After class, I went to the admins to report exactly how my friend performed the attack, how my friend installed the backdoor, how I stopped it, etc. I figured I was in the clear because I responded as soon as the problem became visible. The following day, I was called into the principal's office and threatened with expulsion for "hacking the network". I couldn't convince him that I didn't "hack the network", and it didn't matter that I *STOPPED* the hack; I was in trouble because I drew lots of attention to the problem and proved the admin to be an incompetent moron (the backdoor only existed because the admin's password was his userid+1). My friend was never called into the office, nor given any punishment.

Fast-forward to college: Through a series of (individually) harmless actions, I discovered that one could elevate their user access from "student" to "full time employee" and gain access to a handful of otherwise inaccessible directories (including source for various university projects). As soon as I realized the problem, I went to the admins and e-mailed them personally with a much vaguer description of the problem. I also couched it with terminology that suggested that I didn't know what I was doing ("I think there might be a bug somewhere in X because when I did X a bunch of directories became accessible that weren't before. It also gave me access to what might be the source code for project Y, but I didn't touch it because I don't think I'm supposed to see it. But I think you guys should know that there might be a problem.")

The admins thanked me, said they'd look into it, and a day or two later the hole was patched. I never had any problems with them, and continued on my merry way through college.

Look, People, This is REALLY SIMPLE... (4, Insightful)

trims (10010) | more than 6 years ago | (#24988225)

Bottom line: it's only White Hat if the "target" asks you to perform the security audit. Pure and simple. Anything else is at best Grey Hat, and that gets you subject to prosecution at the target's discretion. Period.

This kind of stuff is in a completely different category than analyzing the theoretical weaknesses of a system. Or even cracking software/etc on your personal equipment. Or demonstrating faulty design in a [ahem] subway system WITHOUT HAVING TO SCREW WITH THE SYSTEM. Once you start abusing other people's stuff without permission, I couldn't care less if you were Mary Poppins. IT AIN'T YOURS, SO KEEP YOUR FINGERS OFF IT.

This isn't Investigative Journalism. Which at least has standards of ethics and conduct.

People, quit glorifying these idiots.

Re:Look, People, This is REALLY SIMPLE... (1)

MikeBabcock (65886) | more than 6 years ago | (#24988525)

White hat hackers break lots of things without permission. Is DVD Jon a black hat for hacking the CSS system allowing us easier DVD access on Linux now? He'd certainly never have gotten permission to do that.

Nor would many researchers get permission to test the products they test for defects (physical hacking).

People need to read the article before posting... (0)

Anonymous Coward | more than 6 years ago | (#24988281)

In response to all the comments that he should have posted the article anonymously:

"The writer, who used a pseudonym, claimed he easily broke into the accounts using a program that captures computer keystrokes."

So, he actually did and got busted anyway...

Nice going ! (1)

Adult film producer (866485) | more than 6 years ago | (#24988341)

The next 'white hat' testing their network defenses will remember what happened here and won't be so nice to them..

Good Luck Carleton admins!

White Hat vs Black Hat (1)

tukang (1209392) | more than 6 years ago | (#24988351)

It used to be that "white hat" simply described a person who hacked the system with access to the internals of it (i.e. source code or server configuration details) and the "black hat" only had information that was available to the outside world.

Looks like the definition has changed to describe good vs evil ... sigh

Seems to me it could have been made real easy if.. (1)

deft (253558) | more than 6 years ago | (#24988365)

he had sent the 16 page report as an anonymous coward.

The 2 page addendum should have read "if you'd like to talk about this, please sign this contract and return it to this po box, and I will store it in a safe place while I help you guys implement your patches/fixes/etc."

Acting like a child to protect one's own inadequacy (3, Insightful)

scientus (1357317) | more than 6 years ago | (#24988389)

Arggg, it's this type of politics bullshit that is holding America back in any technology field that's not cutting edge and pure ideas and rather requires a diverse industry (i.e. cell phones). Americans can't just look at facts and look forward and rather like harmful trenches and politics. If someone broke into the network and could write a 16 page report on it, the system admins should be forced to quickly implement it (hiring the guy if they need to) or lose their jobs.

No amount of the blame game will change the fact that their system is insecure and securing it is in everybody's interest and is really the only thing that matters.

The submitter's policy is exactly what should be used, it reflects real life -- look at that Switzerland man that got hundreds of millions and a new identity from the USA IRS and Germany for his supposedly black-hat acquired data that uncovered millions in tax fraud.

Not all black hat work is always bad, however it is on the black-hat himself to both prove this in his case and minimize his damage. This is simply reality.

Today's black hats do not make noise. Their work does not show up. If you are hacked you probably do not know, and most certainly will not if these type of guys are in charge.

It is not long till people realize that their personal data has long been available on the market due to bad practices like this and organizations get back lashed against. Sadly for both consumers and these organizations, and even the IT guys they are going to take the childish way out and wait for this to come to them.

I kinda went off topic, but it's a fundamental thing. **playing this blame game destroys everybody, makes white-hats turn black in disgust with the politics, and will eventually hurt both the general public and the industry greatly**

This is why humanity fails. (0)

Anonymous Coward | more than 6 years ago | (#24988435)

Let me get this straight. Some of you think this guy deserves extra credit or a job for doing this. Others think he deserves jail time and a criminal record.

Think of just HOW MUCH of a difference there is between these 2 outcomes. One sets him up for a life. The other ensures his life is pretty much over.

Honestly, how does mankind actually manage to survive with such HUGE differences of opinion? I'm ashamed to know that there are fellow members of my species who want something like this to result in hard jail time. I honestly can't believe how easy it is for some people to want to dole out harsh punishment for stupid things like this. Get rid of the murderers and rapists; please don't hand out death sentences like fucking candy.

How would you feel? (3, Interesting)

erroneus (253617) | more than 6 years ago | (#24988459)

It's late at night. You're still up messing around on your computer. It is otherwise very quiet.

Suddenly, you hear weird noises at your door. It's not an animal... it's something working at the keyhole.

At this point, some of you are already reaching for a gun, a baseball bat, something. Others are calling 9-11. Whatever is going on, it isn't right.

If for some reason, you just go to the door and open it to see who is there, would you feel friendly to this guy if he smiles and says "I am doing you a favor!"

Okay, this isn't parallel enough...

How about you came home from work to find a note on the inside of your home explaining "Hi, I got into your home but I didn't take anything. Here is how I did it and what I saw." Come on! How creepy is that?!

What this guy did was a classic security breach... the kind everyone is already afraid of... the kind that always gets headlines when "personal information is exposed." In some stupid way, maybe he had some twisted idea that he was doing something noble or scholarly. But in the real world, we already know there is a balance between security and convenience. Once in a while, people need to be reminded that the balance is often set too far in favor of convenience, but this guy did too much. Stopping at "I was able to install a keylogger on this system, ran a test or two and disabled it. The log files are here for examination. The information on this computer and accessible through this computer is vulnerable." would have more than sufficed... but even then, it's a bit too much. Perhaps it would have been better to simply place an "Out of Order" sign on the computer to prevent anyone from using it.

There is a difference between noticing that someone left a door unlocked and telling someone and actually going in and rummaging about and writing up a big report on the topic.

He needs a slap on the wrist for this. No doubt about it. But nothing permanent... this time...maybe. Some people actually lack some impulse controls in their personalities and get giddy at the notion that they have some power or superiority over others. Some people are just broken that way.

Seriously? (2, Interesting)

DigitalisAkujin (846133) | more than 6 years ago | (#24988461)

I'm honestly appalled by the response from some of you saying he deserved what he got.

This is a University, not a business. There's no damage, period. There's no cost, no down time. Wtf is wrong with you people?

This sends the wrong messages. Especially considering we want talented individuals in the IT field. I'm sick and tired of seeing these cookie cutter CIS & IST majors graduating having ZERO or less than one year of real world experience. I would much rather hire this guy. Even more so because even in the position of having the possibility to be malicious in his intent he didn't turn to the evil side. Now you're just gonna turn him into a pariah and ruin the life of a person who clearly would have been a more than productive member of society.

Breaking and entering to prove a point != Whitehat hacking

Stop pretending that it is.

Fuck the politics. This is the difference between right and wrong.

You people make me sick.

So the solution is..... (0)

Anonymous Coward | more than 6 years ago | (#24988467)

don't report it, do it to see if you can and keep your mouth shut. Every good hacker knows that even if you are doing it for the right reasons you should never attach your name to anything. The authorities are not your friends. They will put you in jail if you make them look bad. He did this, which made them look bad and it seems like he did it on purpose. I think he is just an idiot for reporting. Well done on the crack but learn how to keep your mouth shut, moron.
