Charges Dropped Against Student Who Alerted University To Security Flaws

from the don't-hack-and-tell dept

Last year, we wrote about a student at Carleton University in Canada who was arrested for hacking, after he wrote up a 16-page paper telling the school how poor its computer security was, and had some suggestions on how to fix it. It does sound like, in the process of figuring this out, the guy did hack into some accounts to prove that the vulnerability was there — but there doesn’t seem to be any evidence that he did anything with the access. And the fact that he wrote up a detailed paper on it and alerted the university certainly suggests his intentions were benevolent. So it was a bit disturbing that he was arrested. However, Allan Lussier-Meek writes in to let us know that charges against the guy were recently dropped after he agreed to go through a community service program. It’s still not entirely clear why he needed to do that. This really does seem like blaming the messenger.


Comments on “Charges Dropped Against Student Who Alerted University To Security Flaws”

28 Comments
Anonymous Coward says:

Back when I was in high school I took an HTML class and I found some security holes in the computers myself (these security holes existed in all the computers on the campus even). I alerted my HTML teacher (who also taught C and he was mostly responsible for maintaining all of the computers on campus since most of the other teachers were computer illiterate. This was a long time ago) about the security holes and he just said thanks and fixed them. No big deal. Why is it that nowadays you have to worry about liability for doing something good?

In fact, the only reason I found the security holes (or even bothered to look) is because I heard of cases where a bunch of important data from other computers on campus got deleted. They never found who did it or how they did it but I figure I wanted to figure out how they did so I started hacking away at one of the computers and I figured out some loopholes. I told the teacher and it got fixed (I even told them how it could be fixed, but the fix was obvious anyway). Why is that so darn complicated these days?

Anonymous Coward says:

Re: Ironic

The trick is if you’re going to try to alert someone of something you either

A: have to do it anonymously (and that means to be careful of the words you choose. You don’t want people figuring out who you are based on your writing style. They can narrow it down to someone who is familiar with computers from the get go, a few more deductions and they can find out who wrote the letter).

or

B: Tell someone in a position to correct the problem whom you trust. If you find a decent person they probably won’t get you in trouble (of course that requires you to judge whom you can trust).

I think much of the problem is a lack of willingness to pay for security or an unwillingness to put the effort into securing the system.

David (profile) says:

Missing something here

Note: “It does sound like, in the process of figuring this out, the guy did hack into some accounts to prove that the vulnerability was there”

“Hey, I noticed your front door was open so I came in and looked around. Did you know that the top drawer of your dresser is the first place a thief would look for jewelry? You should get that fixed.”

If he knew of the vulnerabilities he should have informed someone without poking around himself. Doesn’t matter if he had good intentions, or if he documented it all or anything. He should never have “proved it” for himself. “I think these things are wrong, you should check on them.” A note on the front door, not one on the kitchen table, as it were.

johhney (profile) says:

Underwear my ass. We’re talking mouse clicks on a pc. If you have something on a computer at your work about yourself which you do not want anyone other than the affected employees IE the bookkeeper to see, and lo & behold, they can, whose fault is that? Seems to me it would land squarely on the net admin’s shoulders and not on the guy who knows how to type and came forward with the knowledge. Physically breaking in is a crime. This was not.
Of course, if as stated, he was a bit smarter he would not have ‘proved’ (dumbass) that it was possible to begin with. Pointing it out would have been wiser.
Many other IT mistakes have been much costlier and much much more embarrassing. This was trivial.
But officer, I never take the keys out of the car…

David (profile) says:

Still missing something

I’m taking Mike’s word for it: “the guy did hack into some accounts”. That’s wrong, end of story.

Sorry if you don’t see that. Sorry if you don’t like the analogy. Hacking into accounts is wrong and might even be a crime (clicks on a mouse or not). Just because the net admin is an idiot and didn’t prevent it and it’s really easy and he didn’t break anything anyway, doesn’t make it any less wrong.

If someone accidentally leaves their front door unlocked and wide open, you don’t break into their house to prove a point.

inc (profile) says:

Re: Still missing something

In open source communities this guy would be rewarded. It’s the hard work of finding and correcting a flaw at no cost to the project maintainers that keep things free and secure over closed source projects. The kind of security hole this guy was talking about is not akin to leaving a door wide open. It’s more as if you tell me you have the best lock and it’s secure but I tell you I can jimmy it open. You don’t believe me. So I jimmy open and figure out how to protect it from being jimmied open again then leave you a note letting you know how to fix it. While I’m sure I could still get arrested for breaking and entering there are some issues where it’s better to have these kinds of people honest and let you know. I’m willing to bet that many others knew of the loophole and just used it without telling anyone which is the real danger.
Now which guy deserves to hang for it?

Bad Analogy Guy says:

Re: Still missing something

David -> “Sorry if you don’t like the analogy.”
– It is not a matter of dislike. The analogy does not work, they are two distinctly different things.

David -> “Hacking into accounts is wrong “
– I agree.

David -> “If someone accidentally leaves their front door unlocked and wide open, you don’t break into their house to prove a point.”
– And again with the bad analogy …

David (profile) says:

Re: Re: Still missing something

All analogies break down at some point. However I don’t see this as a bad analogy. He “hacked into some accounts”. It matters not if he actually “broke” anything. Hacking into an account, that is, getting access to information he should not have, is wrong, against the rules, maybe illegal, regardless of how easy it is, or if you don’t believe I can do it or any “excuse” you think of. IT’S FUCKING WRONG.

It’s wrong in the same way as if I wander into your house’s open front door and look around. I don’t break anything, hell, I might even clean your kitchen floor. It doesn’t matter if I lock the door behind me when I leave, however briefly I was there. I committed a crime, breaking and entering, regardless of my “good intentions”.

Same thing here. So there was no physical “breaking”. So what? He broke rules, and maybe laws, and got access to information he should not have had. He “says” he didn’t do anything, but do we really know that? Maybe not. We don’t know what he copied down while he was “proving there was a problem”. If the admin “didn’t believe him” he could have tried a higher-up, or just given up. He tried, they didn’t believe him, oh well, too bad for them. Admins being jerks or stupid don’t give you the right to break the law.

I say he got off light.

Monarch says:

Re: Re: Re: Still missing something

Better analogy is that he picked the lock to the front door, then closed and locked it again.

The analogy of someone leaving the front door open would be like having a site without security but obscurity and someone just happens across the URL and then pokes around.

Learn how to think up better analogies, or don’t use them to express your opinion.

Anonymous Coward says:

Re: Still missing something

David, maybe in your dimension. In our dimension, issuing some computer commands which cause no harm in order to uncover flaws in systems, thereby improving the security and prosperity of the world, is a commendable action. Expect clashes between warriors from our dimensions. We view reality entirely differently. Don’t try to change our minds.

elangomatt (profile) says:

If the student wanted to alert the school to security vulnerabilities, he should have met with someone at the school (IT Department probably) BEFORE he did any real hacking and gotten permission to attempt to exploit the system. Heck, they probably could have even set up a few dummy accounts (created like normal) for the student to do his proof of concept hack on. Companies hire security consultants all of the time to try to hack their system, but the difference is that the company hires the consultant for that purpose. I don’t doubt that if someone hacked a corporate computer system without being hired first, that the company would be able to get the hacker arrested.

VRP says:

Still missing something

Under your rationale(s), included in all your msgs David; not only on this point but all, any kind of progress would be impossible. Indeed we’d still all be on horseback as even inventing the buggy would have been implausible. Certainly we could not have ever had a railroad, let alone a highway or an airplane. Telegraphy would not have been invented, nor a light bulb.

You’re exactly what Geo. Bush thinks everyone should be like (other than him). I suggest you open your mind a bit for a change, if that’s [even] possible in your case.

VRP

David (profile) says:

Re: Still missing something

What the fuck are you talking about? You have no clue about my “rationale”. In most places it’s illegal to hack into computer systems, good intentions or bad. It’s at least a problem at this university that they charged this guy in the first place. He did wrong. People here don’t like my analogy, I think it’s appropriate. People are so goddammed literal – it’s a fucking analogy. It fits as well as anything else. “No a better analogy would be-” for you to fuck off.

When did I say anything about not wanting progress? I didn’t. Not even the slightest. Where you got that, I don’t know. Apparently just pulled it out of your ass. Don’t like my opinion, so you come up with some straw-man argument.

So you equate some asshole breaking into a university computer system and poking around with the invention of the car or airplane? Just how fucking stupid are you?

So here it is again, no analogy. Guy broke into the computer system, without authorization, and poked around where he shouldn’t have. He got caught and was punished. All of that is valid. All of that is GOOD. A GOOD THING TO PUNISH AN ASSHOLE FOR BREAKING INTO A COMPUTER SYSTEM WITHOUT AUTHORIZATION.

“But – but, he was, just – just trying to point out a, a problem, bu-bu-bu-bu…” Too fucking bad for him. Should have gone through proper channels. Should have done it the right way. This guy is not a whistle-blower, he’s a dumb prick who apparently thinks he’s better than the people currently running the university. It doesn’t even matter if he is better than them.

I can not see how anyone can defend what he did. Rule of law is a good thing.

Russ K (profile) says:

Re: Re: Still missing something

If you read the article, the single bone of contention between the guy and the school was that he admit he didn’t contact the school’s IT Dept. before sending the letters to the students and making the breach he found public. He said he did send a letter 2 weeks before going public. He wasn’t caught, he told everybody and obviously left a path to him.

Note that he left the school and Ottawa because of this.

Could he have forced the school to respond to him privately, maybe he could. They didn’t and in response to any bad publicity (a response most every school does rather than admit they have an insecure system) they made an example of this guy. Are they in their rights to do so, yes they are. Was it smart to do this, of course not. It was a knee jerk reaction to show their benefactors that they were doing something. It was that or admit that they were poor stewards of the donations they had received in support if a lowly underclassman could break their systems.

VRP says:

Re: Re: Still missing something

David:

Looks like you haven’t learned much about the Rule of Law either. It requires, inter alia, mens rea — “criminal intent; the thoughts and intentions behind a wrongful act.” Word Web 5.2. “Criminal intent.” Merriam-Webster 2.5.

No criminal conviction against this guy could have possibly withstood appellate review. A trial judge would have to grant him judgment “N.O.V.”

I have no clue about your rationale? It only jumps at me, as it does at everyone else, from each of your msgs — you open mouth, insert foot. And you advertise your subterranean IQ by the language that you use, inter alia again!

VRP

mobiGeek (profile) says:

Re: Re: Re: Still missing something

No criminal conviction against this guy could have possibly withstood appellate review.

…that is, unless it is shown that this individual did, in fact, show criminal intent.

I just have to wonder what would cause a student to write up a 16-page report on how insecure the school’s security is. Why not simply report the first problem in an email to the IT department?

Let’s say, just for the sake of argument, that this guy had hacked the systems and mucked around in there a bit. Then, after a bit, realized that his activities were being tracked down. Now, how would you try to avoid prosecution? Well, write up your black hat activities as though you are a white hat. Wouldn’t that be a convenient solution?

So, ask yourself, what is the motivation of the school administration to pursue this individual? Is it that they are so self-righteous and/or overly sensitive as to not be open to criticisms? Or is it possible that they know more than the press is telling us (i.e. the press is giving a one-sided angle) and they have some merit to their charges?

Just wondering. I mean, if this student was so in the right, why did he accept community service?

John85851 (profile) says:

Nice analogies

You know, if I left my front door unlocked *and* open and someone came in and washed my floor, I wouldn’t have them arrested for breaking and entering- I’d thank them for doing a chore!
And if the door was open, there was no “breaking in”, so the crime would only be trespassing or unlawful entering. If the person didn’t take anything, there’s no theft to charge him with.

But, like VRP just said, doesn’t the trial court consider the person’s motive? Like the previous analogies, it’s WRONG, WRONG, WRONG to go through an unlocked and open door and we shouldn’t care if you entered the house to get some food for your children because of the current economy. Entering an unlocked house is WRONG and you should be punished. Yes, stealing food is wrong, but again, if the door is open and you see food on the table and you can’t feed your kids because you lost your job and…

Luka says:

Everything is hackable

Yes, you can pick a lock or break a glass window, stealing a wallet, or drive through red for that matter! “You know Mr. Policeman, I just drove through red to let you know that it is possible. You should use real fire walls or something!”

It’s not like he didn’t know what he was doing. I think all analogies here are good and have a valid point. Same thing is with all “new” technologies, after they stop being new and cool (like tapping in a fixed phone line, or using FM transmitters) there are regulations which we have to obey and not try to prove that there are ways to break them, because of course there are.

I’m sorry, I am all against this. Yes, everything is hackable, breakable and abuse-able but doing it is illegal and should be punishable, especially for the stupid one like just proving that it is possible.

anymouse (profile) says:

Univ IT = bunch of monkeys flinging poo

If their university IT staff is anything like most, then it would have done no good to report this ‘issue’, as there would be no reason for IT to do anything about it (security through obscurity is alive and well in most Univ IT operations). One student complaining about a potential security weakness would be seen as the enemy rather than as a messenger, and speaking from personal experience, IT loves to shoot the messenger (if nobody can hear the message, then there isn’t really a problem, right…. it’s that whole head in the sand mentality…. if nobody talks about the 500lb pink elephant in the middle of the room, then it’s not really there and it doesn’t have to be dealt with).

I agree that his methods were questionable, and his intent may have been debatable, but he didn’t actually DO anything wrong, other than accessing the University IT system in a way that IT didn’t intend (if they knew about the weakness and did nothing to prevent it then they are as responsible as he was and should be held accountable, if they didn’t know about the weakness, then they are a bunch of clueless monkeys flinging poo at the wall (bad hacker broke into our super secure system, nobody should be able to do that because we covered it in poo…) and hoping some of it sticks…)

And I’m off with a quote:
They say that sufficiently advanced incompetence is indistinguishable from malice. Nowhere is this more clear than University IT. – Unknown
