University Brings Charges Against White Hat Hacker
aqui writes "A university student at Carleton is learning that no good deed goes unpunished. After hacking into what was probably a not-so-secure university network, this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive. The university should spend money on hiring some admins with better computer skills and teaching skills rather than paying lawyers. In the Engineering department at my old university, the unofficial policy was that when you broke in, didn't damage anything, and reported the problem and how you broke in, they didn't charge you (if you maliciously caused damage, you usually faced academic sanctions). In some cases, the students were hired or they 'volunteered' for the summer to help secure the servers or fix the hole they found. The result was that Engineering ended up with one of the most secure systems in the university."
Read on for the rest of aqui's comments.
aqui continues:
"The truth is, some university students are going to have the desire to hack something, and not all of them have the judgment to stay out of trouble. If you acknowledge that and catch them inside the university, you can straighten them out before they wreck their lives, and teach them to be white hats. Rather than creating a hostile environment where people may become black hats, you create an environment where you guide them in the right direction to being good computer security professionals. For every hacker they catch, there's probably at least one that they don't know about. I can imagine that a number of those hackers at Carleton are now seeing the university as the enemy for burning 'one of their own,' and some of them may become malicious to get even. If the student's intentions were good - which they appear to be - I can't help but feel sorry for the guy."
Such as it should be.
You are being MICROattacked, from various angles, in a SOFT manner.
this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive.
So, I agree with you. Someone who took the time to show flaws in the system should not be punished (at least not to this extent).
However, here's probably what happened.
1. Someone received the 16 page write-up. They took it to the sys admins.
2. The system administrators, WHO WANT TO KEEP THEIR JOB, are going to go into a tirade of how he subverted their systems and purposely used "nefarious methods" to break system security, etc, etc. Basically, it's politics here - they don't want to look bad and/or lose their job so they will do everything in their power to make him look like a bad guy (which, to some extent, he is).
3. So, sys admins may have suggested some legal action to protect the school and make an example of him. (Or someone higher up may have.) The reason someone higher up may have done this is because they want to protect the school's image. Knowing that their system was weak could really hurt a school which is a business.
Basically, all of this is politics. All of it. Technically, the kid did the right thing by reporting what he found (although, quite honestly, he probably shouldn't have been there in the first place without asking permission). But, he didn't think through how other people were going to see his actions. You *always* have to think about the politics.
Yes, anyone should be able to break the law and then get off scot-free by claiming it was in the public best interest. Never mind the cost of the sudden campus-wide security lockdown, never mind that IT staff may have lost their jobs, never mind the people now losing sleep because they don't know how to handle things. Never mind the risk incurred in that if he caused outages he could have disrupted phenomenally expensive research projects. Never mind that most whitehats leave doors open behind them.
He meant well.
He deserves what he got. Quit trying to make heroes out of everyone looking at jail time. Jesus.
StoneCypher is Full of BS
From the article: Det. Michel Villeneuve of the Ottawa Police high-tech crime unit said yesterday that a suspect used Keylogger software and magnetic stripe-card reader software to acquire students' information.
Using keylogger software is not White hat material sorry. You install a keylogger on a random machine and watch people come in and access their email / student accounts and then later go "me l33t haxor?"
Computing access in schools is a privilege and I see an abuse of privilege here by installing keyloggers. Sorry but physical access to machines means all security is out of the window. Sure the admins can install a variety of tools to detect keyloggers but there's always going to be one program that will escape detection.
Should I blame Soulskill? Such a verbose summary and no mention of keylogging software.
What he did was gray hat and not white hat.
If he had gotten the permission of the school to do security testing first then he would be a white hat. He had good intentions, but by breaking into a system he didn't own without the owner's permission he broke the law.
-Jim Bastard
As stated above no harm no foul. If this is a crime so is alerting your neighbor that their door is unlocked while they were gone.
Your old school did, indeed, do the right thing. This one is not. The guy came forward with what he discovered, in good faith! It gives them the opportunity of preventing a malicious person from causing real damage... and they are going to punish him for this? That's just wrong.
In fact, it could theoretically turn many others into "black hats" that will go after them, just because they were so hard-nosed with this guy who was, let's be honest, doing them a favor!
Time for that school to get a clue. I'm really disappointed in their actions.
Willie...
No, technically he did the wrong thing by breaking into the network. This isn't complicated. If he technically did the right thing, he wouldn't be technically looking at jail time. This isn't a pity party. He did a bad thing and he's getting punished. Simple as pie.
If some asshat broke into one of my servers then told me how, I'd send his ass to jail too. If he contacted me and said "I would like to break into your server then I'll tell you how", I'd pay him to do it under controlled circumstances. However, if he just up and did it one day, it would cost me tens of thousands of dollars in cleanup.
I can't imagine why you think this was in any way a good idea.
the exact same thing happened to my roommate in college. I was brought in to testify, and I argued that, based on a multitude of previous experience (open source contributions, etc.) that my roommate was a white hat. After many blank stares, I gave a brief overview of archetypes in western film (I was a film minor).
he got off, fwiw, and so should this guy
He should have just submitted the 16 page paper anonymously. If he was truly trying to do a purely good deed, there shouldn't have been any need for his name to appear on it for the purposes of fame or positive retribution.
Given the number of previous incidents similar to this, one would have thought he'd have been aware that this is almost always the outcome. Try entering into a store after hours (when closed) without due permission, without stealing anything and reporting how you did it. Compare the outcome.
The student almost certainly signed an agreement stating the terms of use for the university network. And he almost certainly broke that agreement. If that's the case, then I don't see how the university's response is wrong.
I can tell you firsthand that the administration did not take kindly to this.
With regards to the magnetic stripe thing, it's not surprising that those in charge reacted strongly and sharply. We had recurrent incidents on campus last year with sexual assault and they had to lock down all the residences and the labs, and as such, they took great pains to inform the students who had access cards for the suite residences that they would not, in fact, be in danger, be it financial or otherwise.
Sometimes I wonder if I think too much.
Not only did he break rules but he did it maliciously (no grey area here) when he used keyloggers. I can see what would happen if I did the same thing where I work - they'd fire me, throw my ass in a federal pound-me-in-the-ass prison and generally my life would be ruined.
What we have here is not a hacker, not a white hat or a black hat hacker. We have a script kiddie. Sadly most of the posters before you seem to have already started making a hero out of this "vigilante".
Keyloggers destroy any and all chances at privacy. News at 11.
"The truth is, some university students are going to have the desire to hack something."
The truth is, some university students are going to have the desire to light things on fire, too. How many buildings do we let them practice on before we arrest them?
The truth is, the kid broke the law, and it is nearly inconceivable that he didn't know it at the time he did it. For every hacker they know about, there may well be at least one more they don't know about. But for every hacker they crucify, there will be dozens who think twice before breaking the law.
Someone equally or more competent than your own staff tested your infrastructure, found its flaws, and gave you a free report on it, and you're going to beat them over the head.
This "law uber alles" authoritarian streak is what causes most companies to become plagued with "upward failure". The truly competent don't dare to speak inconvenient truths, and the incompetent are given free rein to take advantage.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
Looks like they found a nice scapegoat given your new information. Poor guy will get nailed harder than he deserves.
it's not surprising that those in charge reacted strongly and sharply. We had recurrent incidents on campus last year with sexual assault and they had to lock down all the residences and the labs, and as such, they took great pains to inform the students who had access cards for the suite residences that they would not, in fact, be in danger, be it financial or otherwise.
you have to love an administration which cares more about their ego than the rape targets they were trying to help.
When you disagree with someone's opinion and wish to offer a rebuttal; most times, saying "You're a moronic shithead and your logic is atrociously sophomoric" will not garner a positive response. On the same token, surreptitiously infiltrating your school/company/organization's systems and offering a similar statement in hacker-terms isn't likely to get much praise: no matter how right you might be.
Yes, to us humans, the approach is almost as important as the idea.
The subject of this story says White Hat Hacker. But it seems to me that the break-in was typical black hat hacking. The info to the system administrators may be a typical white hat hacker action, but this does not make the whole thing white hat.
I don't understand. If somebody picks the lock on my house and breaks in, I'd like them to get arrested. Sending me a 16 page report about how he broke into my house, and having people call him a 'white hat burglar' doesn't really change anything.
How about a 'white hat robber' who mugs me on the street, but is careful not to hurt me too badly and gives me a report to help me improve my self-defense skills? Sorry, it's still assault.
No sympathy here.
Reporting a vuln using a lawyer as a go-between completely removes you from the possibility of criminal prosecution, unless you left a trail of bread crumbs. Attorney-client privilege beats any number of anonymized proxy servers.
Any system has some range of conditions that it is intended to tolerate, and there is always a possibility that something outside of that range will break it. As long as people who use and run those systems are aware of this, there is no point in reporting "vulnerabilities" of this kind, in 16-page papers or otherwise. I am sure I can get a bulldozer, add some armor made of steel and concrete, drive it into a data center, and cause a massive denial of service for everything in it. And yet this is not a good reason to write papers on killdozer-proofing data centers, nor would I expect an experimental verification of this fact to be appreciated by its victims.
This is actually a much wider problem. For exactly the same reason airport security madness is counterproductive -- a determined person still can destroy an airplane with its passengers, however millions of people suffer from pointless "security measures" that produce no positive outcome. While being as clueless about security as American politicians is not a crime, this student has very poor understanding of the very subject of his paper.
Contrary to the popular belief, there indeed is no God.
Mr. Johnson was recently arrested after finding Mr. Smith's front door unlocked.
Mr. Johnson snuck into Mr. Smith's home and watched Mr. Smith sleeping for several hours.
Afterwards Mr. Johnson provided a detailed account of how Mr. Smith had left his front door insecure and ways to better secure the front door.
Mr. Smith wasn't amused by the report and had Mr. Johnson arrested for trespassing and breaking and entering.
Mr Johnson's defense is grounded in the fact he was helping Mr. Smith become a better home owner by sneaking into Mr. Smith's house.
-----
You now realize how stupid you sound when you defend someone under these circumstances. This whole White Hat nonsense is about as intelligent as the statement, "Well your honor, his front door was unlocked, and obviously I should be allowed to go in there as long as I don't break anything; after all, if he didn't want people in there he should have locked his door at the very least..."
Put him in jail and maybe these adult children will grow up.
-=[ Who Is John Galt? ]=-
Pretty sure I caught the most important part - "keyloggers". Sure he didn't profit from his little adventure but that doesn't make what he did any right. He abused his privileges and there is the whole privacy question because of the passwords he stole.
How many passwords do you think an average college kid uses for the several accounts he or she has? (Facebook, credit card, bank, email, student services, slashdot account) - I am going to bet that it's usually going to be ONE.
Now because Mr. Vigilante decided to better the security system out of his good heart, it doesn't change the fact that he has actively inconvenienced several people while doing it. Also, tell me, what's the best safeguard against physical access?
Let me give you an idea: "We don't want students installing keyloggers so let's just take away all install privileges" GREAT IDEA! "Let's do it" and you will still find someone who out of the good nature of their heart will put in a trojan or a keylogger and then write a 600 page document. The ends don't justify the means here.
If you still don't get it, here's an analogy: I want to complain about my company's sprinkler system. I set fire to a bunch of stuff, make life miserable for an entire floor of people - smoke, heat and all. I also make the fire department show up when they could be doing something else somewhere where they are needed more. The sprinklers don't go off but hey I am cool, I am writing a 16 page document to explain I did it for the good of the company.
His intentions appear good but no way it makes what he did unforgivable. Unless he gets punished which is sad for him, that's going to set a dangerous precedent and we all know that's the excuse the authorities will use.
I've noticed that generally, if the admins are worth their salt, you don't need to detail every single step to produce an exploit. Just provide enough information to walk them up to the open door, and let THEM walk through it. In fact, writing 16 pages detailing every step of the way makes them question WHY you were so thorough. It also makes them look bad to their higher-ups because some "punk kid" figured out something they didn't.
I speak as someone who had a run-in with both high school admins and university network admins. Two distinct cases, but with very different results.
In HS, a friend installed a homebrew backdoor onto every computer in the HS computer lab. It permitted basic keylogging functions, as well as partial remote control (mostly just starting programs remotely). I just de-backdoored the computer I used for class and let others fend for themselves. When he reinstalled the backdoor on my computer the following week, I turned around and killed the backdoor on every system (it supported a room-wide purge in the event that it needed to be removed quickly). Unfortunately, stopping it also caused an error pop-up on every screen in the lab.. at which point everyone knew something was up (but no one knew it was me who stopped it).
After class, I went to the admins to report exactly how my friend performed the attack, how my friend installed the backdoor, how I stopped it, etc. I figured I was in the clear because I responded as soon as the problem became visible. The following day, I was called into the principal's office and threatened with expulsion for "hacking the network". I couldn't convince him that I didn't "hack the network", and it didn't matter that I *STOPPED* the hack; I was in trouble because I drew lots of attention to the problem and proved the admin to be an incompetent moron (the backdoor only existed because the admin's password was his userid+1). My friend was never called into the office, nor given any punishment.
Fast-forward to college: Through a series of (individually) harmless actions, I discovered that one could elevate their user access from "student" to "full time employee" and gain access to a handful of otherwise inaccessible directories (including source for various university projects). As soon as I realized the problem, I went to the admins and e-mailed them personally with a much vaguer description of the problem. I also couched it with terminology that suggested that I didn't know what I was doing ("I think there might be a bug somewhere in X because when I did X a bunch of directories became accessible that weren't before. It also gave me access to what might be the source code for project Y, but I didn't touch it because I don't think I'm supposed to see it. But I think you guys should know that there might be a problem.")
The admins thanked me, said they'd look into it, and a day or two later the hole was patched. I never had any problems with them, and continued on my merry way through college.
Bottom line: it's only White Hat if the "target" asks you to perform the security audit. Pure and simple. Anything else is at best Grey Hat, and that gets you subject to prosecution at the target's discretion. Period.
This kind of stuff is in a completely different category than analyzing the theoretical weaknesses of a system. Or even cracking software/etc on your personal equipment. Or demonstrating faulty design in a [ahem] subway system WITHOUT HAVING TO SCREW WITH THE SYSTEM. Once you start abusing other people's stuff without permission, I couldn't care less if you were Mary Poppins. IT AIN'T YOURS, SO KEEP YOUR FINGERS OFF IT.
This isn't Investigative Journalism. Which at least has standards of ethics and conduct.
People, quit glorifying these idiots.
There are always four sides to every story: your side, their side, the truth, and what really happened.
We had recurrent incidents on campus last year with sexual assault and they had to lock down all the residences and the labs, and as such, they took great pains to inform the students who had access cards for the suite residences that they would not, in fact, be in danger, be it financial or otherwise.
If your school is locking everything down thanks to sexual assault, because of the nature of the crime, they're obviously not thinking straight. That is a reactive measure and only instills panic. In the case of a shooting however, that can be a proactive measure to ensure that more people aren't harmed.
The game.
In response to all the comments that he should have posted the article anonymously:
"The writer, who used a pseudonym, claimed he easily broke into the accounts using a program that captures computer keystrokes."
So, he actually did and got busted anyway...
The next 'white hat' testing their network defenses will remember what happened here and won't be so nice to them..
Good Luck Carleton admins!
It used to be that "white hat" simply described a person who hacked the system with access to the internals of it (i.e. source code or server configuration details) and the "black hat" only had information that was available to the outside world.
Looks like the definition has changed to describe good vs evil ... sigh
he had sent the 16 page report as an anonymous coward.
The 2 page addendum should have read "if you'd like to talk about this, please sign this contract and return it to this po box, and I will store it in a safe place while I help you guys implement your patches/fixes/etc."
There's nothing Intelligent about Intelligent Design.
Arggg, it's this type of politics bullshit that is holding America back in any technology field that isn't cutting edge and pure ideas and rather requires a diverse industry (ie cell phones). Americans can't just look at facts and look forward and rather like harmful trenches and politics. If someone broke into the network and could write a 16 page report on it, the system admins should be forced to quickly implement it (hiring the guy if they need to) or lose their jobs.
No amount of the blame game will change the fact that their system is insecure and securing it is in everybody's interest and is really the only thing that matters.
The submitter's policy is exactly what should be used, it reflects real life -- look at that Switzerland man that got hundreds of millions and a new identity from the USA IRS and Germany for his supposedly black-hat acquired data that uncovered millions in tax fraud.
Not all black hat work is always bad, however it is on the black-hat himself to both prove this in his case and minimize his damage. This is simply reality.
Today's black hats do not make noise. Their work does not show up. If you are hacked you probably do not know, and most certainly will not if this type of guy is in charge.
It is not long till people realize that their personal data has long been available on the market due to bad practices like this and organizations get backlashed against. Sadly for both consumers and these organizations, and even the IT guys, they are going to take the childish way out and wait for this to come to them.
I kinda went off topic, but it's a fundamental thing. **playing this blame game destroys everybody, can make white-hats turn black in disgust with the politics, and will eventually hurt both the general public and the industry greatly**
>Looking at your response, then, there seems to be no reason what-so-ever to be a white-hat.
Duh!
Would you? I wouldn't. Would I break the law and then hope people thank me for it instead of prosecute me for it, all to help my university? Fuck no.
Everyone knows no good deed goes unpunished. For good deeds done through illegal means the punishment is even more sure.
So yeah, if you're gonna hack, I hope you're getting something out of it - ass, money, personal satisfaction of dicking someone over, whatever. 'Cause altruism don't pay for shit.
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
I don't blame all the Jews, just the Hassidic ones who wear hats and big overcoats even in the summer. They could be hiding _anything_ inside that sort of clothing: ninja Chihuahuas that have been trained to sit on the seats of fat sysadmins and give them coronaries by biting and yapping when they try to sit down; small monkeys who sneak in and type swear words on keyboards; boxes full of suicide spiders that have been genetically engineered to crawl into computers and short out components; or even low calorie food stuffs that can nefariously substituted for the fatty, sugary items that IT people depend on to maintain their complexions and waistlines.
As St. Barry The Lambent said in his famous warning to the Parthians: "He who accepts a gift of ants from a man of Gaul shall have no comfort from any shoe, for the feet of the ant coveter are anathema in the eyes of The Lord".
I'm not going to change your sheets again, Mr. Hastings.
Let me get this straight. Some of you think this guy deserves extra credit or a job for doing this. Others think he deserves jail time and a criminal record.
Think of just HOW MUCH of a difference there is between these 2 outcomes. One sets him up for a life. The other ensures his life is pretty much over.
Honestly, how does mankind actually manage to survive with such HUGE differences of opinion? I'm ashamed to know that there are fellow members of my species who want something like this to result in hard jail time. I honestly can't believe how easy it is for some people to want to dole out harsh punishment for stupid things like this. Get rid of the murderers and rapists; please don't hand out death sentences like fucking candy.
It's late at night. You're still up messing around on your computer. It is otherwise very quiet.
Suddenly, you hear weird noises at your door. It's not an animal... it's something working at the keyhole.
At this point, some of you are already reaching for a gun, a baseball bat, something. Others are calling 9-11. Whatever is going on, it isn't right.
If for some reason, you just go to the door and open it to see who is there, would you feel friendly to this guy if he smiles and says "I am doing you a favor!"
Okay, this isn't parallel enough...
How about you came home from work to find a note on the inside of your home explaining "Hi, I got into your home but I didn't take anything. Here is how I did it and what I saw." Come on! How creepy is that?!
What this guy did was a classic security breach... the kind everyone is already afraid of... the kind that always gets headlines when "personal information is exposed." In some stupid way, maybe he had some twisted idea that he was doing something noble or scholarly. But in the real world, we already know there is a balance between security and convenience. Once in a while, people need to be reminded that the balance is often set too far in favor of convenience, but this guy did too much. Stopping at "I was able to install a keylogger on this system, ran a test or two and disabled it. The log files are here for examination. The information on this computer and accessible through this computer is vulnerable." would have more than sufficed... but even then, it's a bit too much. Perhaps it would have been better to simply place an "Out of Order" sign on the computer to prevent anyone from using it.
There is a difference between noticing that someone left a door unlocked and telling someone and actually going in and rummaging about and writing up a big report on the topic.
He needs a slap on the wrist for this. No doubt about it. But nothing permanent... this time...maybe. Some people actually lack some impulse controls in their personalities and get giddy at the notion that they have some power or superiority over others. Some people are just broken that way.
I'm honestly appalled by the response from some of you saying he deserved what he got.
This is a University, not a business. There's no damage, period. There's no cost, no down time. Wtf is wrong with you people?
This sends the wrong messages. Especially considering we want talented individuals in the IT field. I'm sick and tired of seeing these cookie cutter CIS & IST majors graduating having ZERO or less than one year of real world experience. I would much rather hire this guy. Even more so because even in the position of having the possibility to be malicious in his intent he didn't turn to the evil side. Now you're just gonna turn him into a pariah and ruin the life of a person who clearly would have been a more than productive member of society.
Breaking and entering to prove a point != Whitehat hacking
Stop pretending that it is.
Fuck the politics. This is the difference between right and wrong.
You people make me sick.
don't report it, do it to see if you can and keep your mouth shut. Every good hacker knows that even if you are doing it for the right reasons you should never attach your name to anything. The authorities are not your friends. They will put you in jail if you make them look bad. He did this, which made them look bad and it seems like he did it on purpose. I think he is just an idiot for reporting. Well done on the crack but learn how to keep your mouth shut, moron.
That's cool, it's easier to act like a fool than it is to act intelligently. If we can spread the "fail upwardly" love, most of the internet will be overdue for promotions.
Pointing out people's security problems to them is usually about as "good a deed" as saying something like "Did you know you have a big, ugly, black mole on your nose? You should really have that removed."
While we can debate to death whether his original actions were 'grey hat' or 'white hat', we can be quite sure he will not be informing the target(s) of his next hack. Instead, he might figure out something else to do with the knowledge. I.e. 'black hat' stuff. I hope the individual has a better grasp of right and wrong than the university also in the future. There will be a next time; nothing (short of having him shot right now) on this planet will change that.
Breaking in without permission was a bad thing. Sure. But usually you're not given permission to do it and often to be able to know if something actually works, you'll have to try it out. So it's not so very bad in my opinion. If he could do it, others can and probably have too. So the system needs a fix. He then wasn't caught but gave himself in. And made a fucking epic effort to do it right. How many 20 year olds have ever written a 16-page piece in their life?
I toast to this boy, his wit and courage. And his sense of right and wrong.
And I weep at the Carleton uni handling of the issue so far.
Great!!! You point the weakness of something and you get busted because you found the weakness....only one word comes to my head. Insanity!!!
Ever to excel
If you act nice to someone and they are rude in return, they deserve no respect. Just mention how the sixteen page report will become public if they pursue the matter. Make sure the document is placed somewhere NOT UNDER YOUR CONTROL so that a restraining order will have no effect.
That's a nice network you have there. It would be shame if something were to happen to it.
Blackmail is a dirty word. I prefer extortion.
-- Will program for bandwidth
Here's your every day problem. Law and moral justice are drifting very far apart..
To the morons that are in the process of ruining someone's future, two questions:
- what did YOU do when you were at college?
- what would you do if this was your own kid? Sure, I'd give him hell but I wouldn't even remotely consider getting him a rap sheet.
Yes, I said morons. I meant it, too.
Insert
Hacking into other students' accounts with a keylogger and card reader is not a good deed whichever way you look at it. The student did not gain elevated privileges. He abused his given privilege of physical access. It's no better than help desk personnel showing off how they phish passwords from users.
Well, you get the Most Off-The-Wall Post on the Internet Award.
I give you three internets and advice to see a doctor about that.
Sounds like your university had some common sense. But, then again, that was probably in a different era, when things weren't as dependent on the internet, or so easily accessible. But maybe not. Hopefully they're just trying to deter other people from doing the same. Who knows, maybe he made a big deal about it, and if the university doesn't punish him severely, it would encourage others to do it. So, hopefully they're just trying to set an example with him, and, hopefully, after he's convicted, they'll request a lenient sentence, maybe community service.
"Hacking, for 25,000 dollars."
Slashdot, University Brings Charges Against White Hat Hacker.
"What is the best way to turn a well-intentioned white hat into a revenge-motivated black hat"?
ABSOLUTELY CORRECT!
The writer, who used a pseudonym, claimed he easily broke into the accounts using a program that captures computer keystrokes.
Det. Michel Villeneuve of the Ottawa Police high-tech crime unit said yesterday that a suspect used Keylogger software and magnetic stripe-card reader software to acquire students' information. The suspect then put together a 16-page document addressed to the university secretary's office, later e-mailing the document to 37 students.
Sooo....this guy deliberately broke into 32 accounts using both software and hardware. Then he rationalized that he shouldn't be punished for it by preemptively confessing.
Make the punishment fit the crime: throw the book at him, then give him probation. But he definitely should get some academic sanction for this: he knew what he was doing, in both the technical and actionable sense. Oh, and fix the problem: don't allow your users to install keylogging software. He does have a point there.
Not going there. This is outrageous. Bunch of idiots. Must be a crappy school indeed.
Mr Smith forgot to tell the authorities that he had a history of forgetting to lock his door, because otherwise he would have a slightly harder time getting the insurance to pay out for his losses. Mr Smith was thus incredibly pissed off with Mr Johnson for showing him up to his insurance, especially since he had a similar heads up a few months back and didn't do anything about it then either.
No doubt Mr Smith would have also been the first to yell at the police for not sufficiently fighting crime if he got burgled because Mr Smith is of the type that is never at fault himself, and doesn't consider himself responsible for his own conduct. And hell, those kids are a pest anyway so if someone did something to them while they were in the house that would be a bonus. Maybe put up a sign "Kids here", just in case?
There are two sides to every story.
The "hacker" was stupid by taking it too far; the college is blatantly moronic by not providing a real bit of education out of this experience (thanks, but do this next time, and you're to clean the college kitchen for a month - with a toothbrush). Giving this wannabe a conviction (read: something that will follow him for life) is overkill, and is likely to prompt much worse things to happen soon (action creates reaction; harsh action creates a lot of trouble). I'd be surprised if someone isn't already using resources for hosting malware.
On the upside, yes, that's a real life experience. Do someone a favour, get solidly shafted. The moral of the story: forget about being a citizen, down there it's everyone for himself, and educational values be damned. Standard politics, basically.
I look at motivation. On balance of what I know (and that's just the article, there may be more left untold) I can't see malice.
People that volunteer their coding expertise for community projects are whitehats, people that probe software which is *run on their hardware* and publish results are whitehats, people that voluntarily hack each others systems for fun, with prior consent, can be considered whitehats.
This guy was a gray hat, at best... and IMHO perhaps an asshat.
Don't install keyloggers on my servers... and don't expect to get off for free because you published the results. However, I will say criminal prosecution is a bit much... It was a stupid move by a foolhardy kid - maybe some civil penalties and community service would do it.
"see a doctor about that"
I already see lots of doctors. They live in the walls, and creep out to torment me with cold stethoscopes on sensitive places during the night, but they forget to take their white coats off, so I can still see them in the dark. Don't tell them that though, otherwise they'll take the white coats off before coming out of the walls, and that wouldn't be very nice at all.
I'm not going to change your sheets again, Mr. Hastings.
Send his ass to jail and make it public. Right thing to do would be to get permission first, but he didn't. He wanted to be a smartass. Now he'll be someone's "sweet" ass. Let this be a lesson to all you script kiddies. Don't tell me he should not be punished. That's like breaking into a building and then sending them a letter detailing how you did it. Try this at the post office and see how sympathetic they are !
OK, so he fucked up. Still, it takes one event like this, and about 100 potential white hats are going to decide that disclosure is a mug's game. Better to break in and steal stuff, or don't bother about security at all. Too few programmers / admins learn security, because it practically makes you a criminal. So who will bother, apart from a diminishing number of professional white hats and an increasing number of professional criminals?
All this stuff about "we need to encourage them to be white hats and good people and this will just drive them underground". My reply to you is: I don't give a crap what you do with your life. Go underground, above ground, white hat, black... I don't care. You touch my network without my permission and I WILL find you, and your ass is going to prison... asshole.
Some guy picks the lock on your mom's house. And then mails her a letter telling all about his adventure and she should buy better locks. She and you don't know what he did while he was in her house. I know I'd be calling the police.
"Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive."
I suppose, but when he broke the law he opened himself up to prosecution. Don't play with fire if you're afraid of getting burnt.
"The university should spend money on hiring some admins with better computer skills and teaching skills rather than paying lawyers."
They could... or they could make an example out of someone who screwed with them.
Every time we get robbed, we could just increase our home security until we are living in a steel box, or we could, you know, send the robber to jail to make an example out of him.
The truth is, there is no such thing as a secure computer system, or a secure physical building for that matter. The reason most people don't get robbed on a regular basis isn't because there's no way to break into their house. The reason is that if you are caught breaking and entering, even if you don't steal anything, the consequences are severe (i.e. jail time, loss of your right to vote, etc).
It doesn't really matter that this guy in particular had no ill intent. If they don't enforce the law when someone breaks it, and make an example out of him, they might as well not have the law at all. That may sound cruel, but that's how society works. The basis of all law, and civilization as an extension of law, is fear.
Except, you know, this was Canada which is distinctly non-American.
This isn't so complicated - I like to relate IT questions to Cars..
It's like if you neighbour leaves his car unlocked overnight. Do you steal his car, dump it 10 km's away and anonymously send him a letter telling him where it was dumped and detail what his security flaw was?
No... you either tell him he should lock his car or be a law abiding person and leave it alone.
I dream of a day when people don't hide behind the perceived anonymity of IP packets and act online just as they do in person.
The only thing you can know as a sysadmin is: there are always ways to hack into a network of computers.
My kneejerk reaction to the headline was 'Poor guy', and then I read TFA. He uses a keylogger and a magnetic stripe reader to steal access to the accounts of *32* students - access which includes the ability to read emails, personal details, and also debit transactions. He's already well into Black Hat territory at this point.
Then he sends the summary, not just to the administration, but to 37 other students... effectively, he put that information into the wild with all the attendant privacy and financial implications that has. There's no mention in TFA of the time delay between it going to the administration and to other students (if any), but even giving the benefit of the doubt there are many better ways to encourage action on the part of a sluggish IT team.
Why exactly are we debating this? Strikes me that the guy is getting what he deserves.
hackers wearing hats. REAL hackers have fuzzy hair in plain sight.
And real hackers don't go to the barbershop. They simply insert their head in their computer system once a month.
This guy is just a thief who brought back what he'd stolen. Any idiot can install a keylogger, even if it was a physical device between the keyboard and mouse.
If he'd noticed something interesting, like the vulnerabilities no doubt present in the commercial off-the-shelf systems the university administration probably forced the IT admins to install for the administrative departments, then perhaps he wouldn't have been in so much trouble - that would have been useful information.
If someone breaks into your computer system intentionally, then they are by default a criminal, regardless of intent. They may tell you that their intentions were good. OK, fine. And if you have credit card data stored on this machine or other such sensitive data? You are going to TRUST this person at their word? The fact that they broke in to begin with doesn't bode well. Now they are assuring you that they did no damage? How would you like it if someone broke into your house, then sent you a letter saying that they didn't take anything? The bottom line is that it's a CRIME and it is poor policy to trust criminals. You can never be sure what this person's real intent was, or that he did not leave some "presents" behind.
If you plan on doing any "white hat" system cracking, ASK FOR PERMISSION. Better yet, let them come to you.
The university should spend money on hiring some admins with better computer skills and teaching skills rather than paying lawyers.
These are criminal charges. The university doesn't have to pay lawyers for this. The taxpayers of Carlton County get to pay a D.A. to prosecute this kid.
The real meaning of punishment here, from the university's perspective, is "don't mess with our systems, or there'll be consequences". It's a punishment to discourage others, who may not be that good, from attempting hacking.
Politics are so rampant in Higher Ed that this kind of stupid crap is par for the course.
He wasn't a white-hat. He was installing keystroke loggers. Without explicit permission, that's straightforward black-hat behavior, because many of those interfere with other programs on the system.
The lead should emphasize that this is *Carleton University in Canada*, and *not* the elite liberal arts college in Minnesota, Carleton College. No doubt the student and IT administration at the latter would have handled the matter with more sensitivity, humor and aplomb :)
Just because you claim your hat is white doesn't mean your victim will believe you.
woke him up, and told him, "See what your lack of security has done?". Then I went out into the street, and let everyone in the neighborhood know, so they could all see how it's a bad refection on the community, and weakens all their positions, since what he does affects them all. When the police finally arrived, I pointed out that I hadn't actually taken anything or hurt anyone. And I berated the police, their lax response endangers everyone, and emboldens REAL criminals. At my trial, I took the issue all the way to the US Supreme Court, and got a Constitutional Amendment passed, because the inherent weakness in the system simply had to be addressed, thanks to me. All this happened, and I was of course, never shot at by anyone -- homeowner, neighbors, police -- because I was doing what was right.
OK. On some levels, the previous diatribe is a false analogy. But I would like to point out that the whole "white hat hacker" meme is, at least a little bit, phony.
Quite fascinating indeed.
At first I was sympathetic ... but a moments' thinking changed my mind. The guy deserves a criminal record, and to be expelled.
Think about it for a second. You don't install a keylogger on a server and then capture logins from students from remote machines... the keyloggers were installed on the students' laptops. This is NOT "hacking" or "cracking" the university's computers. He installed keyloggers on up to 37 other students' laptops to capture their login info.
How would you react if someone installed a keylogger on YOUR laptop? And dozens of others? Whether he took
This isn't Soviet Russia - laptops don't (or shouldn't) log YOU!
If he had physically assaulted 37 students, rather than compromising their laptops and account info, he'd be in jail. Ditto if he had vandalized their cars, instead of their laptops. But looking at the comments, it's okay to screw with other people's property if you want to look 1337 to your peers.
Expulsion is the least the university can (and should) do, as well as pursuing criminal charges.
What nobody seems to be mentioning is that he sent the 16-page paper to the administration under a pseudonym, thus not immediately taking responsibility for his actions. So the administration has no choice but to go to the police and begin an investigation in order to find out who it was, rather than just haul him into an office and have a chat with him.
Moral of the story.. always take responsibility for your actions.. even if they're in a legally grey area. Often, that will carry a lot of weight with the authorities.
Now he'll stay out of that horrible profession and get into something easier. Gotta learn somehow, amirite?
Use of keyloggers is rarely determined these days, and even more rarely punished. However, they're often the source of identity theft crimes. I agree with the criminal prosecution of this. I hope he gets off, but then they go after him civilly. People need to understand this is bad, mkay. Prosecuting this *adult* is the way to do it.
I did something similar during my college days except I wrote it as a college newspaper article. I was surprised the editor allowed it to run since not only did I expose the flaws, but provided enough information so that any enterprising students could find what they needed to test the flaws themselves.
I hadn't intended on including the necessary information such as the name of the cracking program I used (John the Ripper) to crack the simple DES encryption covering all email accounts on a UNIX system where students had shell access.
The reason I included it was I called the head of IT to get his response to the article I was writing and he said, "The vast majority of the students are not knowledgeable enough for us to worry."
The reason I was writing the article was because of the danger to students and their data. Every machine on campus had a public IP that was not firewalled. It was the wild west of computing.
The reason I included instruction was because of the IT guy's indifference.
A few fun notes:
-I never heard from school administrators wanting to try to discipline me or anything else
-A firewall was installed to protect the campus in a matter of a couple of weeks
-A few years later, I applied for a job in the college IT department for which I was easily qualified. I never even got an interview.
1. An ordinary user has very limited access to your server's internal logic, so it is often hard to know, without actually attempting a harmless exploit, whether some suspicious-looking code is actually a bug and is actually exploitable. Your suggestion is impractical unless the sysadmin has the time to deal with people pointing out false positives rather than real bugs.
2. After a sysadmin finds a security hole in his system, he can avoid cleaning up everything if the logs can be trusted and they say the hole has not been exploited. Now, if the trusted log instead says that the only exploit to your SQL injection bug is that someone did a "CREATE TABLE this_is_a_security_hole ...", this does not take much more effort to deal with.
3. s/your house/the government building containing everyone's personal data. A security hole may affect other people more than it affects you.
He should have submitted the report anonymously to avoid such idiots from causing him any harm.
Think about it for a second. You don't install a keylogger on a server and then capture logins from students from remote machines... the keyloggers were installed on the students' laptops. This is NOT "hacking" or "cracking" the university's computers. He installed keyloggers on up to 37 other students' laptops to capture their login info.
I agree, his actions are borderline script kiddie. There is no glory in running a keylogger and then turning the results over to their owners.
By turning this in to the administrators, he asked for his punishment. At the university I'm currently at, it is strictly outlined in our network access policy about what you can and cannot do on the university network. Something tells me that his university probably has something similar set up and he decided to defy it.
This isn't to say that I'm against experimenting and exploring networks -- but do it on your own computers; don't violate the privacy of others for your own benefit because you think you'll be praised for some discovery. In reality, it's a catch-22, but the student will lose 99.99999% of the time.
Here's the one and only thing he did wrong. He went up to the sysadmin and called him a documented idiot to his face. There are much better ways to nudge a system towards improved security. People skills, everyone. People skills.
Hire him! Put him in charge of security. Once keeping the network running smoothly is his responsibility, he'll not only feel no inclination to harm it, he'll also jealously guard it from anyone else, just to prove his skills are better.
Actually, did you read the article? The bottom line is that he revealed account information on students to multiple people who were not in the position to fix any problems (including other students via e-mail).
White hat hacking, my ass.
He used a keylogger and magnetic card reader to capture the information to break into accounts. After that, he sent the 16-page paper (which WAS sent under a pseudonym, since people keep suggesting that) not to a system administrator or someone who could deal with it quietly, but instead to a secretary, and eventually he e-mailed it to 37 other students. Fantastic move, that. Included in the paper was the personal account information of the students. So yes, he revealed the account information of his victims to other people.
Maybe he had good intentions, but that puts him pretty firmly in the "Please, prosecute me!" camp. If he'd revealed information on me that allowed someone to make campus purchases as me as well as check my school records and access my email, I'd be pressing charges too.
Maybe there was no damage to the university's infrastructure that we know about, but I'm pretty sure that those students would have been damn lucky if no one went into their accounts and took advantage of them, the way he handled it. And THAT, my friend, is why he's being charged.
"Det. Michel Villeneuve of the Ottawa Police high-tech crime unit said yesterday that a suspect used Keylogger software and magnetic stripe-card reader software to acquire students' information. The suspect then put together a 16-page document addressed to the university secretary's office, later e-mailing the document to 37 students."
Keylogger and mag-stripe reader? Okay, I don't have much sympathy anymore. He could have written a letter explaining how the system could have been compromised by keyloggers and mag-stripe readers without actually implementing it, and called for better security on the basis that his own account could have been easily compromised that way.
Alternatively, if he wanted to be bolder but still show "white hat" behaviour, he could have offered to demonstrate to them how easy it would be to compromise his OWN account (e.g., clone it or add $1000 to it), and then said "See? Why should I trust my money to such an insecure system? What are you going to do about it?"
Finally, although he still could have been in trouble and up on charges for it, he could have approached the student paper, compromised an editor's account with their permission, and turned the exercise into "investigative journalism" and appealed to the public good rationale for protection.
But actually compromising 30+ accounts and sending the list to the university authority? That's just STUPID, and completely unnecessary to prove the point. You don't always have to break the law in order to demonstrate that the law could be broken. This guy is an idiot.
Well, I'm not usually particularly vocal about issues like this. However, I was fortunate enough to have been in a university with an IT chief whose stated policy was "by all means crack away, so long as you tell me what you've done and how you did it". It was always a battle of wits between us and them, but always friendly. To my knowledge, we never had any serious breach, and holes that were discovered were quickly patched.
Contrariwise, this seems to be the second security breach at Carleton Uni in the last few months. Personally, I wouldn't trust their IT system admins one inch.
I have emailed my thoughts on the matter to the President, and to the members of the Senate of Carleton University. Addresses are on their website. Perhaps, if they receive enough messages, they may choose to change their course of action...
The university setting makes all the difference here.
Certainly this kid's actions were illegal and "grey hat."
In the process of growing from a stupid kid to a responsible professional, many people go through a stage where they have the skills of a professional and the judgment of a kid.
What kind of a school, upon catching a student at this stage, decides to ruin his life?
Now, all of you hardliners, I challenge you to post one of the following responses:
1) I have never committed a computer crime.
2) I have committed a computer crime. Society would be better off today if I had been caught and severely punished.
http://xkcd.com/756//
I've had to go through something similar myself when I was studying. There is a huge set of paranoia, and the incident was almost placed on my permanent record. Eventually I just stopped telling the admins; it was much safer.
The student should sue the pants off of the administrator if the administrator distributed the student's 16 page paper without permission.
"Hey Guys, your systems are not secure."
"Oh yes it is."
"No, it's not."
"Prove it. We installed SP3. Muhahaha."
"Sigh, ok, here goes...."
Hopefully he goes to jail foreva. That'll teach him. ...and hopefully some real hackers have their way with the school since they are now justified.
Live by the sword.
When I went to (what I believe is the Norwegian equivalent of) college back in '95-'96ish, I hacked into the Novell network they had. Twice. The head principal wanted to throw me out for a week and give me a failing grade. My teacher on the other hand, negotiated a much better deal seeing as I did show interest in classes (it happened during IT classes), and that I learnt by myself. The end result was that I was thrown out for a day and got an A in IT.
RTFA. RTFA. RTFA.
For God's sake, before you bitch about how people respond, read the fucking article.
He never sent the 16-page document to IT. He sent it to a SECRETARY and to OTHER STUDENTS.
He also included the personal account information he'd stolen in it.
So, I expect IT had no choice in whether or not they wanted to learn from the experience, since the university was probably too busy dealing with the backlash from the people who'd had their personal information revealed to a bunch of other people, apparently none of whom were actually in a position to fix the problem.
I'd charge his ass, too.
As Chris Rock would say "what did you expect? a cookie?" same goes to this kid: what the fuck did you expect to happen? To get a pat on the back? Some moment of geek glory to gloat and be remembered for generations to come? A thanks?
For any kid, young man or socially-inept geek out there not quite capable of interacting with other members of the human race, remember this:
People are fucked up. People have buttons. People are stupid. Push the wrong button on a fucked up stupid asshole and he's going to try to stick it up your ass. Simple as that.
Sysadmins are territorial. Hell, all IT people are. But also, there are some that are very insecure about their skills, and anything that could put their skills on doubt, they'll lash out with geeky, lawyered up weasel fury.
I'm not going to tell you what to do or not to do when it comes to breaking into a system and then documenting the methods of how you did it for the sysadmin to use. I'm not going to tell you if it's right or wrong.
But I'm going to tell you that if you are going to do this, for fuck's sake, submit your findings anonymously.
If you have the skills to break into a system, for fuck's sake, also develop the mental skills to see that the system's owners might not be too kind and might want to put you in jail, in a cell next to a lonely 300lb dude named Bubba:
Bubba - He, what have we here? Hello, sweet pretty little thing. Get them panties down and let's get busy!!!
Think about it for a second. You don't install a keylogger on a server and then capture logins from students from remote machines... the keyloggers were installed on the students' laptops. This is NOT "hacking" or "cracking" the university's computers. He installed keyloggers on up to 37 other students' laptops to capture their login info.
Not necessarily their laptops. A lot of universities have computers available for student use, and that does not mean he set up a keylogger on a server. Contrary to popular belief, many students don't own, or at least don't carry, their laptop around campus with them.
This guy gave them a patch to a security hole for free. Normally it would cost the university a lot of money to hire a computer security analyst. So what do they do? They press charges against this kid, and blow money on lawyers.
This is NOT white-hat.
Installing keyloggers isn't a white-hat activity. Sorry.
Reminds me of someone I helped put away a couple years back. During his school years, he claimed to be "toying with white hat hacking". Broke into his university's computer systems, installed his OWN back doors, then offered to teach the admins about the methods he used to break in (but no mention of the back doors).
Luckily the admins caught everything he was doing on a logserver that he couldn't break into. So they found his work. Needless to say he was expelled. AS HE SHOULD HAVE BEEN. Yet, to him it was all "so unfair".
What this kid did isn't white hat. It's simply password theft and CF&A.
THANK GOD!!!
As I go to this school and have for the last four years, I will admit their network is terrible; it has had many flaws that have never been fixed. Some as small as being able to just drive by, hop on wireless without a login and password, and get unrestricted bandwidth. They just in the last year started using packet shaping, which is still terribly implemented at best. The CCS (Communications and Computing Services) at Carleton is a joke; even when I was in residence my friend and I were the liaison from Res to CCS on Res network issues. I showed them literally dozens of security issues and I am nowhere near a strong network security person.
When I was a grad student, the lab in the education department asked me to implement a "fast, simple" method of pulling up student records. I bought them a cheap mag-strip reader and wrote a little script that would grab the Student ID from the card, then submit it to their campus information system. The lab manager (who was not a tech) was shocked that it worked. He assumed the information on the card would be encrypted or something.
That same year a buddy of mine who worked for IT services put together a demo of how easily the mag cards could be forged - with less than $100 + a cheap laptop. His bosses were impressed and asked him to demo it for one of the VPs. When he did, the VP told him, "You know, you're on thin ice here. You could get in a lot of trouble for this."
In essence, the administration (who purchased the card systems) didn't want to know if they were secure. They just wanted to give the impression of security.
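The two stories above (a script that reads the Student ID straight off the stripe, and a sub-$100 forging demo) both rest on the same fact: a magnetic stripe is a plaintext bit stream with parity and a checksum, nothing more. The following is an added example, not code from either poster, showing what a reader actually sees on an ISO/IEC 7811 Track 2 stripe and how little stands between the raw bits and the account number. It assumes the card uses standard Track 2 encoding (4 data bits plus odd parity per character, an LRC at the end); a university ID card may use a proprietary layout, and the PAN, expiry and service code in `SAMPLE_RECORD` are constructed test values, not real card data.

```python
"""Track 2 magnetic-stripe encode/decode/parse (added illustration, not the posters' code)."""

# ISO/IEC 7811 Track 2 character set: value 0..15, 4 data bits + 1 odd-parity bit.
TRACK2_ALPHABET = "0123456789:;<=>?"
START_SENTINEL, FIELD_SEP, END_SENTINEL = ";", "=", "?"

# Constructed sample: PAN (Luhn-valid test number), expiry YYMM, service code, discretionary data.
SAMPLE_RECORD = ";4111111111111111=25121011234567?"


def _parity(value: int) -> int:
    """Odd parity: the parity bit makes the total number of 1s in the 5-bit character odd."""
    return 0 if bin(value).count("1") % 2 else 1


def encode_track2(record: str) -> list[int]:
    """Turn ';...=...?' into the bit stream a head would read (LSB first per character),
    followed by the LRC character (XOR of all data nibbles, with its own parity bit).
    Real reads also carry leading/trailing clocking zeros; those are omitted here."""
    if not (record.startswith(START_SENTINEL) and record.endswith(END_SENTINEL)):
        raise ValueError("record must run from ';' to '?'")
    bits: list[int] = []
    lrc = 0
    for ch in record:
        v = TRACK2_ALPHABET.index(ch)
        lrc ^= v
        bits += [(v >> k) & 1 for k in range(4)] + [_parity(v)]
    bits += [(lrc >> k) & 1 for k in range(4)] + [_parity(lrc)]
    return bits


def decode_track2(bits: list[int]) -> str:
    """Reverse of encode_track2: regroup into 5-bit characters, check every parity bit
    and the trailing LRC, and return the record text. No key, no secret: just framing."""
    if len(bits) % 5:
        raise ValueError("bit stream is not a whole number of characters")
    values: list[int] = []
    for i in range(0, len(bits), 5):
        v = sum(b << k for k, b in enumerate(bits[i:i + 4]))
        if bits[i + 4] != _parity(v):
            raise ValueError(f"parity error at character {i // 5}")
        values.append(v)
    data, lrc_read = values[:-1], values[-1]
    lrc = 0
    for v in data:
        lrc ^= v
    if lrc != lrc_read:
        raise ValueError("LRC mismatch")
    record = "".join(TRACK2_ALPHABET[v] for v in data)
    if not (record.startswith(START_SENTINEL) and record.endswith(END_SENTINEL)):
        raise ValueError("missing sentinel")
    return record


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, as used on payment-card PANs (not a security control)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def parse_track2(record: str) -> dict:
    """Split a decoded record into its fields. Everything here is readable by anyone
    with a reader; the 'discretionary' field is where issuers put CVV-like values."""
    body = record[1:-1]
    pan, _, rest = body.partition(FIELD_SEP)
    if not pan.isdigit() or len(pan) > 19:
        raise ValueError("bad PAN")
    return {
        "pan": pan,
        "expiry": rest[:4],
        "service_code": rest[4:7],
        "discretionary": rest[7:],
        "luhn_ok": luhn_ok(pan),
    }


if __name__ == "__main__":
    stream = encode_track2(SAMPLE_RECORD)
    print(f"{len(stream)} bits on the stripe ->", parse_track2(decode_track2(stream)))
```

Parity and the LRC only catch read errors; they say nothing about whether the card is genuine, which is why a cheap writer and a laptop suffice to clone one. Any system that trusts the stripe contents alone is trusting data the holder can read and rewrite.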
Get a job at a university (which is also a business BTW) and have to deal with thousands of users who feel that they can screw with the network with impunity. I hope that pays well.
There is no such thing as a completely secure network.
Most times there isn't enough time or money to secure a network as well as an employee wants to. May God help the admin that doesn't have a proper budget, and grant them the ability to deal with the frustration of not being able to do as good a job as desired.
This guy went to college to learn real world knowledge. It seems to me that he is getting more knowledge than he expected, but not more than he needs.
I at first want to agree with you. HOWEVER, in this case, how did he have access to install a keylogger? Since when do those run in userland?! He had to have gotten admin privs (or the admins misconfigured the machine to give out admin privs to everyone).
That said, the responsible thing to do would have been to say "Hey admins-- I got root on this box. I could do anything I want, including install a keylogger." This is 2008. We're well beyond the state of needing a Proof of Concept for installing a keylogger.
How is this any different than breaking into someones home (without damaging any property) and waking them to let them know there is a major flaw in the security of their house?
I can understand the arguments people are making against what this kid did; it could have been done in much better ways that would have covered his ass a bit more and saved face a bit for whoever was responsible for securing that particular network/system.
I think that possible jail time (especially of 10 years) is extremely harsh. Especially because he is already probably going to lose his education, at least at that school - that is a massively huge blow that will likely affect the rest of his life.
Even from the article I don't feel like I know enough to discern whether he was truly trying to do this stuff for the "right" reasons or was either trying to do something else and figured he could cover his ass by providing documentation to the school after the fact or was simply looking for the prestige. All I do know is that judging by what I read he probably embarrassed the person whose job it is to ensure security and others and they are looking to pay him back for that - this often happpens, because in a lot of IT departments people don't do the things they should out of laziness or busy-ness - to have someone come along and expose that you haven't done your job well enough can make one feel extremely defensive..(which is no excuse, but can explain harsh responses).
In this day and age of massive corporate/government/institutional dishonesty and hubris where checks and balances are being lost by the day "white hat" hacking can be extremely important and at times an extremely valuable and courageous thing to do - these governments, corporations and institutions have proven time and again that they only care about power, money and control. They don't care about people usually or protecting people and their assets, privacy, personal information. When someone is "hacking" ethically and for the right reasons it can provide a societal "check and balance" on hubristic organizations - hopefully causing better security before someone with knowledge and no conscience comes along and wreaks real harm.
I am sure everyone can think of what sort of things happen when government and corporations and institutions don't secure things - had it been someone who truly was being malicious the damage would have been much worse.
It's one of the reasons colleges like to have "campus police" rather than real police: keep everything "in the family" and out of the "rap sheets" where possible.
It has been a very long time - an eon ago - since the campus cop has been anything less than the real thing.
Freshmen at the University of Wisconsin-Whitewater have always spent their first few days on campus learning college survival - how to join the karate club, cheer like a Warhawk and find English 101.
The school is one of about 500 around the country that have purchased "Shots Fired on Campus," a new video training program with tactics for surviving a mass-casualty shooting. It's the latest strategy for college officials who are preparing for the worst in the aftermath of shootings at Virginia Tech, Northern Illinois and other universities.
Students hear creepy music and watch a chilling dramatization of a shooter roaming the halls. They learn to identify exit routes, when to barricade or hide, and when to attack a shooter using improvised weapons. Freshman 101: How to survive - and stop - a campus shooting
Students in the sixties began demanding they be treated like adults - and no more excuses - exemptions - for the brainiac or the jock. It is that side of the bargain the geek chooses to forget.
I absolutely do not understand the "no harm no foul" concept applied anywhere outside of a playground.
Suppose I play Russian Roulette, but aim at you instead of myself. You watch me spin the cylinder, aim at you, squeeze the trigger, and... nothing happens. Whew, no harm no foul! I'm glad you won't press charges against me for endangering your life.
Suppose I drive home with triple the blood-alcohol limit, but I don't hit anything. "Gee occifer, no farm no houl!" No, that won't get me off the hook, and it shouldn't!
Now perhaps the most appropriate analogy: Suppose after I break into someone's home, I don't find anything worth stealing. I sneak back out before anyone notices my presence, and leave no damage behind. Should I be considered guilty of a crime? Of course! Even if I tell the homeowner his back door is a little loose? Of course!
If I recall correctly, someone else who was jealously guarding router passwords is now facing jail..
And I would not hire him until he's had his fingers slapped first. Without permission it may be a nice initiative but it IS illegal, and I'd just want to make sure he remembers that. However, to ruin his life for then not using his insights for personal gain is stupid, unproductive and likely to keep the problems in place.
It's not like they didn't have a warning before..
Think about it for a second. You don't install a keylogger on a server and then capture logins from students from remote machines ... the keyloggers were installed on the students' laptops. This is NOT "hacking" or "cracking" the university's computers. He installed keyloggers on up to 37 other students' laptops to capture their login info.
Not so. The University I go to has a number of library and lab machines that people log in to all the time. He easily could have done that, and I'm sure he did - installing keyloggers on laptops is a much more difficult task and is not "hacking", it's simply being a dick and definitely illegal. However, there is NOTHING in the article to suggest that's what happened. It's a simple case of a guy figuring out how to install a keylogger and how to read swipe cards. That's it. It says nowhere that he accessed their accounts or did anything past getting their account usernames and passwords.
All of you folks (people that call themselves System Administrators/Teachers) going off like " ... yeah, I'd burn his ass" come off looking exactly like what you, at 20 years old, held in contempt. Uncaring cogs of the establishment looking to cover their ass as the result of some kid doing what he thought might be helpful, all the while trying to be transparent and upfront.
Oh!, isn't that the real meaning of HACKER?
Way to go.
Forgetting that this is supposed to be an institution of higher learning, since when do you mace/taze/shoot someone for an illegal left turn?
http://www.indybay.org/uploads/2008/09/01/pepper.mpg
Oh, yeah, nevermind, I lapsed in to reason there for a second.
Yeah, make him a criminal instead of bringing him in and instructing him LIKE A STUDENT.
Pleeease - defend yourselves.
Fucking MORONS.
~hylas
AFAIK he first indeed contacted those responsible, and it appears he then later did this distribution of information which may or may not have contained more than logon details of each recipient - this suggests he didn't get much of a response.
I think the guy has been a mild idiot, but I would reserve the jail terms for people who deserve it. The smart thing for the Uni to do would be to can the charges in exchange for student service work like cleaning the toilets for a month. That won't give him glory points, and I'm pretty sure he'll remember having been on the edge of a conviction.
I don't think he's dumb, just not very socially aware..
For those who didn't RTFA, he has a possibly Arabic name
I think that may be irrelevant. It would be a bit unfair to throw racism at them, it's a stupid enough case without it and I don't see that suggestion justified. But that's just me ..
If the people running the network were unsophisticated enough to allow this to happen (I've worked in two university IT departments in Canada, and both had their share of very marginal, "unemployable commercially" individuals) and were doubtlessly going to be very embarrassed by it, he probably shouldn't have sent it off to fellow students. University employees by dint of their strong unions are virtually unfireable, and this lawsuit is probably more about job protection than prosecution.
The downfall of every crime (for lack of a better term) is usually arrogance or pride. If he had left it as a letter, he might have had an outside chance of just getting a 'talking to' or at worst booted out, but the extra mud-in-your-face of making it public is probably what did him in.
------
Good intentions and a sack are equal to exactly one sack, minus court costs.
Just blending in there :-)
... what would have happened had the white hacker stumbled upon very sensitive data, banking information or students' private information. At that point, the word 'white' is irrelevant. That person should be prosecuted. A true white hacker in my humble opinion is a paid consultant whose job is to find security vulnerabilities and point them out.
Senior year of high school I had a friend who, admittedly, was not exactly the White Hat persuasion of hacker. Nevertheless, he once hacked into the school network, stumbling upon a file containing 13,000 names, addresses, telephone numbers, and social security numbers - among them, mine.
So he did what was probably the most reasonable thing, and went straight to the principal. Rather than thank him (and punish him) and immediately hire a new tech guy to secure the network, he was slapped with a battery of criminal charges. He was 18, and AFAIK still trying to completely clear his name.
What's worse is that about four months after this incident, a freshman did the exact same thing - same file and everything. This time, however, the file was quite possibly leaked.
So while you shouldn't hack into networks, abuse from schools like this is all too common.
(And if you happen to have heard about the hacking incident in Downingtown, PA, now you know more of the story).
and found a 16 page write-up about how a guy broke into your house, disabled the motion detector
I agree this would be disturbing, but I hear these analogies to people's homes all the time and I've always been a little uncomfortable with them, and I think I've figured out why.
One of the key problems with a home invasion is that it's pretty reasonable to assume it threatens your personal safety. There are other places to threaten someone's personal safety, but it's one of the few places where just by dint of being there, it's reasonable to assume someone constitutes some kind of threat to you.
I think a better analogy would be some kind of storage unit or a locker. If you had stuff in this protected by a certain kind of lock, and somebody broke into your place and left a note that said "Dude. These locks are defective. They're easy to open by using this technique. Your stuff will be safer if you get something else!" and didn't take anything, that'd be closer to what happens when a system is compromised. You might be likely to be a bit surprised and perhaps wary, but it's not the place where you sleep.
Tweet, tweet.
That's the distinction between law and justice. Laws don't necessarily lead to justice. For that we need more than lawyers. He may have broken the letter of the law, but there's no justice in prosecuting him. Another good lesson why we cannot rely on lawyers alone for justice.
The outcry is about the severity of the proposed sentence.
Yes, he needs a very serious rap on the knuckles, probably with a cluebat so he won't be able to type for a couple of months (and other things). What I don't agree with is a criminal record, that is OTT.
What are you going to do with a black hat hacker when you find him? Death row?
I don't think anyone condones what he did (at least not the depth of it) but a sense of proportion is lacking here. Hence the discussion..
In the majority of countries where I've been it IS a crime to break into a system (i.e. access it without due authorization). There are a few grey zones there (unsecured web directories - you screw up and you can't prosecute) but in general, if it has a password and you don't have it, gaining access regardless is deemed unauthorized. In some countries adding a logon notice greatly enhances your standing in court.
A poweruser of mine recently found a blog server we have set for our community had been hacked -- a malicious php file dropped in because our version of the blogging software was a few versions behind (because the plugins required by the users didn't work on the new versions until recently). So I can't just clean that particular blog; I have to check the others, and I have to check the server itself, and I have to check that the backups aren't fucked, and I have to check the other servers that also run php/apache, and all the linux systems in general. 1 hack and now I've got at least a week or two worth of solid 8-hour days of forensic work.
FreeBSD for the impatient.
Which "damage" are you talking about?
The university should spend money on hiring some admins with better computer skills and teaching skills rather than paying lawyers.
This is naive.
Computing security isn't about individual admins. Choosing to make it about individual admins while ignoring policy and process is guaranteeing that security lapses will occur.
they often have business objectives to worry about that are more important than making sure the security is top notch.
WTF?? So you are saying they have stuff like acquiring information and goods to do, which will make them money, and they don't have time to ensure this information is safe?
I have a diamond operation. I'm way too busy pulling diamonds out of the ground to hire a security force at my diamond storage facility.
King Kong Died For Your Sins
Here's why I fully support sending this miscreant to jail:
If someone picks the lock on the door to my house and shows me how it can be done, it's still breaking and entering.
If someone unlocks my car door and dumps all my CDs on the ground to show that it can be done, I'm still calling 911.
If someone spends a little time in my home and then proceeds to tell me all the problems with my marriage and my family, I'm still kicking the meddling asshat out.
It's ILLEGAL to misuse a network like this, and regardless of intention doing so is a crime. If the sysadmins did anything less than call 911 they would be irresponsible, and worse yet they would be encouraging other asshats to do the same thing. Even if this results in a more secure network, it's wrong, wrong, wrong.
This is bull*hit. How the *uck you gonna charge someone for helping you?
Here are the email addresses of the computer science division:
http://www.carleton.edu/campus/directory/
Hit em up.
Let em know how you feel.
Um, wasn't it just a keylogger he used. He didn't hack anything, but used a keylogger to track every keystroke... Not really hacking any systems per se...
He didn't keep it internal and sent it outside to the media (and who else??) so it actually was sent outside the campus...
In the end, did he break the law??? If he did then of course he should be punished...
You learn the hard way. If he didn't do anything illegal, he has nothing to worry about...
You can see a story with more details at http://www.charlatan.ca/index.php?option=com_content&task=view&id=20410&Itemid=148 . He put a keylogger on a random e-Kiosk PC in one of the campus buildings. These PCs provide 20 minutes of web access per login so that students can check e-mails/surf the web briefly. There's nothing white-hat about this, unless it was done in a proof-of-concept manner, but he _DID_ collect user information. The login/password combos he would have keylogged let a student into the myCarleton portal (http://connect.carleton.ca), which is just a glorified front-end for their email. All student account information (awards, fees, course registration) is held on a separate server, http://central.carleton.ca/. This becomes a more serious problem, since once you enter into the "secure" myCarleton portal, you can click a tab called 'Carleton Central', which bypasses your need to use a separate login to view your student account information. They have purposely removed a level of security for convenience to the lemmings. As for the campus card data, I've never put my campus card through a card reader, but all campus card transactions are approved via a centralized server somewhere. Again, not sure what this kid was trying to prove, but if all he wanted to demonstrate was that he could sniff campus card data, again he overstepped his boundaries. He sent everything anonymously to Carleton Administration and the students whose data was compromised, but this was also where he tripped up, "his account log-in was embedded in the electronic document he sent out" from http://www.cbc.ca/canada/ottawa/story/2008/09/11/ot-carleton-080911.html . If you google this person's name, he is rather involved in the Gentoo Security mailing lists.
I never said I agreed with it or that it was the appropriate response... But it's the only way to quell people's fears sometimes, mostly because the average person doesn't think rationally when it comes to technology OR sexual crimes.
Even in a university setting, it's astounding how many people truly lacking in critical analysis have managed to get in. I guess they have to make money somehow...
Sometimes I wonder if I think too much.
A university student at Carleton is learning that no good deed goes unpunished. After picking the lock into what was probably a not-so-secure professor's office, this guy took the time to write a 16-page paper on his methods and sent it to facilities management. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive.
See how stupid this sounds when you apply the same logic elsewhere? Weak security is not an excuse for hacking a system, any more than having crappy locks is an excuse to break in somewhere to demonstrate to the owners that their physical security sucks. It's irrelevant whether he thought he was being helpful, it doesn't excuse his actions.
He might not have done any damage, or looked at anything he shouldn't have had access to, or planted backdoors into the system, but what proof do they have of this until they tear everything down and check it all for themselves?
The truth is, some university students are going to have the desire to hack something, and not all of them have the judgment to stay out of trouble.
So what? Not all of them have the judgement to not drink and drive, too - should we excuse them from DUI convictions, as well? By the time you hit university, you're an adult, and it's time to act like one.
If he contacted me and said "I would like to break into your server then I'll tell you how", I'd pay him to do it under controlled circumstances.
No you wouldn't!!!
Haha!!!
You would tell him to go pound sand.
Which, of course, leaves him in the position of KNOWING about visible external vulnerabilities and recognizing the security threat, but having no recourse with which to fix it, or even voice his concern.
Maybe he could go to the newspaper with it, but without a spectacular story of penetrating servers, they'll tell him to "go pound sand".
After that happens a few dozen times, he'll probably go do it anyway. That's a bit of human nature for you.
Apparently this student's ego condemned him in the first place by playing the anonymous hacker role and by spreading the information before reaching the sys admin. That is foul behavior.
Not so. According to http://www.cbc.ca/canada/ottawa/story/2008/09/09/ot-hacker-080909.html he installed the keylogger on a public terminal. He didn't run around installing software on everyone's laptop. Another interesting note here is the accounts he compromised were all Journalist student's accounts.
> No, technically he did the wrong thing by breaking into the network. This isn't complicated. If he technically did the right thing, he wouldn't be technically looking at jail time. This isn't a pity party. He did a bad thing and he's getting punished. Simple as pie.
On the contrary, it's not simple. There's a whole realm of debate where we try to figure out what the right thing is. Someone who breaks the law isn't necessarily committing a moral wrong, even as someone who follows the law scrupulously may be a terrible person who's hurting others left, right, and center.
If some asshat broke into one of my servers then told me how, I'd send his ass to jail too.
If he contacted me and said "I would like to break into your server then I'll tell you how", I'd pay him to do it under controlled circumstances. However, if he just up and did it one day, it would cost me tens of thousands of dollars in cleanup.
Okay, now what if he's the one paying your salary? He's the one paying hundreds of thousands of dollars to learn at the place where you work, and he does something that teaches him and teaches you?
So he could have done it differently. So there's a better way to do it. Fine. Teach him, show him, be willing to listen and be willing to work. This problem wouldn't have arisen if the network were secured in the first place--so use this to argue for more funding and more security. It doesn't have to be a negative that costs him and the college tens or hundreds of thousands of dollars and possibly jail time in the settlement.
Let's be realistic. Nobody is ever safe.
Sometimes it's more important that you do what you can and let people BELIEVE that they're safe.
It's like the terrorism bullshit, honestly. Nobody will ever be safe if a few people with a little determination decide to hurt you. It's more important that you make it SEEM like people are safe so they're not all paralyzed with fear.
Same for auto safety. We COULD make everyone drive 15mph on the highway. Instead we let them have their airbags and seat belts, make the speed limit 55, let people drive 70, everyone figures they're pretty safe... and the world keeps spinning.
In reality you're piloting a multi-thousand-pound vehicle down a painted runway, surrounded by a thousand unknowns, with little organization or control, at speeds faster than the human body was built to deal with, in a safety container that simply can NOT adequately protect you against those conditions. Now add coffee and a cell phone. But yet we all do it every day.
Again, it's more the illusion of safety that matters.
So you'd prefer selective laws? People generally dislike those, is why I ask. (cf: "telecom immunity")
FreeBSD for the impatient.
Controlled experiments are best when it comes to papers about crime-prevention, or you look like a criminal.
Alternatively, the guy could have discussed the sensitive nature of his experiment with his prof, in advance to get a sense of his grade-potential (many good students use this technique to gauge the prof's reaction).
The prof would have likely said, OMGWTF-NO!, and this wouldn't have happened. Or the prof would have said, WOWCOOL, and it would have eliminated the student's potential culpability, if there was a legal record of it (via email or something).
Also, it wouldn't have hurt to have notified the school ahead of time that he was testing their security system. He could have cooperated with the systems staff and also been given the opportunity to learn that they wouldn't want him using keyloggers.
He was prolly showing off to his dorm buds about what a l33t h4x0r he is, and it bit him in the *.
On the flip-side, only 35% of students at Carleton get beyond year #1. Only 11% graduate... so there is a good chance this guy did one of them a favour!
The dangers of knowledge trigger emotional distress in human beings.
Canada is distinctly non-American.
As far as I'm concerned, the student did a few things right but two things wrong. First, the good:
1. He thought about security. We should all do this.
2. He told the university when he found a flaw.
But he did two things wrong:
1. He installed a keylogger. Maybe this is just my moral code, but the right way to hack is to find a real vulnerability. Taking advantage of the physical insecurity of the university machines to install a keylogger is not cool. Besides, *of course* they're vulnerable to that. Similarly, if they use magnetic strips, grabbing other people's cards and cloning them is possible. Maybe they should use secure smartcards, but there's no need to clone a magstripe just to prove it possible.
2. He emailed 37 students in addition to the administration. Did he email them a list of passwords, too?
For comparison, I hacked my (top-tier CS) university's systems back in the day. Specifically, I found a vulnerability in the network authentication system that everyone knew existed in theory but thought was essentially unexploitable in practice and used it to read my roommate's email. But I got my roommate's permission first, and I took the exploit description and sample code directly to the IT people. I didn't disclose it to the rest of the world immediately, or, in fact, at all.
Not surprisingly, the IT department was happy, they fixed the problem, and they even wrote me a check as a thank you. But I bet they would've been pissed off if I'd emailed 37 people a detailed description before they had a chance to fix the problem.
The lesson: if you want to do some unsolicited white-hat hacking, don't be a dick about it.
Good sysadmins know how to properly employ intruders. I have a friend that is a sysadmin for a high school. If he caught a student in an attempt or successful intrusion, he instantly had a new apprentice. It was either the intruder or would-be intruder accept the role as apprentice or face possible expulsion. This is a great idea because the benefits are two fold: (1) the student gains practical experience and tutelage that is good for future employment, (2) my friend gets a much-needed assistant to lighten his work load and enable him to spend time on additional projects. Why turn a wrong into a super right?
having such a story run on slashdot.
they will be better off if they just shut their cs, i.t. related departments now.
Simply because he did not ask permission. This makes it Black Hat in my book...
So, lets say I know your house was built with cheap locks from china, and your security system vendor is incompetent.
I come to your place during the day, carefully pick your locks, waltz by your shoddy sensors, and then proceed to document just how insecure your house is by letting you know how much money is in your office desk, and how nice your wife's pink bras are.
Then I proceed to give you a lesson in what would make your house more secure so that roving white-hat-thieves like me can't get in. So now I put this into a nice term paper and leave it for you to find on your bed with my name and address just to show you what a white-hat-nice-guy I really am.
How surprised I am when the cops show up at my house later that evening and take me away in cuffs.
But really, I didn't do anything wrong ....
Informing PHB's that their computers are insecure in such a way that you can be identified is foolish.
Not only are they not going to understand anything you're saying (wah-wah-wah-wah-wah ala Charlie Brown) but they're going to panic and immediately try to shoot the messenger.
This guy should have either kept his mouth shut, or submitted his findings in such a way that he would not have been identified.
Expecting people whose ignorance is only surpassed by their fear of what they do not understand to be rational is a fools errand.
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
you're at a university and you have a desire to hack something...
Go find a professor to set you up with a real project, something that someone (even if it's just a faculty member) has asked to be done. There's no shortage of stuff to do out there, but there's a major shortage of common sense. Actions matter more than intentions, so give yourself the protection of an academic role, or an internship in a professional organization.
A similar thing happened at my old university. A student broke into the student housing computer system and may have caused all sorts of trouble. The administration wanted to press criminal charges, but because he had done this under the supervision of a computer science faculty member and because it was presented at an academic conference, the computer science department was able to convince the administration to back off.
the majority of the "hardliners" are capable of committing a computer crime without physical access... as in the ability to pick up a server and throw it on the floor.
Of the minority of actual sysadmins among them, there are probably people around here who are NOT white hats trying to figure out who they are and where they work. And when they finish running exploits on the servers these "hardliners" operate, there will be no 16 page report. Just a successful security breach at the institutions and organizations imprudent enough to hire them. The point behind these searches is that it's less work to find known-insecure servers than to crack a secure one.
One reason I don't spend as much time here as I used to is that slashdot has gone downhill in the last few years. A few years ago, the opinions of the "hardliners" would have been laughed out of here, not treated with undeserved respect.
Tech Public Policy stuff
I prefer they be tempered by sanity, requiring proof of substantive harm done.
Smaller techie-type places are more likely to look neutrally or even favorably on something like phreaking on your resume, especially if it happened a while ago. It'll blackball you at a big corporation, though.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
He broke the law and stole 32 students' passwords. That's not "White Hat". White Hat would have been to publish his findings without actually stealing the passwords.
However, if you broke into the house, and while there you discovered a fire and rescued a child, chances are you'd still be arrested for breaking and entering, despite the fact that you did something nice in the process of breaking the law.
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
In 1989, a German pilot flew a small plane from Germany to Russia, evaded Soviet defences and landed inside Red Square. This embarrassed the SU greatly, and as a result 2,000 Soviet military officers were fired. Included was the head of the air force.
The guy was found guilty of ... get this ... hooliganism, and breaching the Soviet defence system, in that order! He was also sentenced to 4 years hard labour, released after 1 year.
http://en.wikipedia.org/wiki/Mathias_Rust
"Rust's flight had a great impact on the Soviet military and his successful flight through a supposedly impregnable air defence system led to the firing of many senior officers. The incident enabled Mikhail Gorbachev to speed his reforms and helped bring an end to the Cold War. [1]"
Apparently, the Soviet military had more of a sense of humour about the whole incident than the police and the Canadian bureaucracy (Carleton is in Ottawa, near the Parliament of Canada buildings) does.
The logic of some people on this thread would lead to the conclusion that Rust had "invaded the Soviet Union", and so deserved to be shot down.
Go figure.
Hasan
First reaction: it's not news that a key-logger will let someone snoop passwords.
After a moment's thought: It absolutely is a problem that someone can install a key logger on the machines that the university expects you to type your password into.
These machines should be locked down, but are not. That's a risk. Students should be made aware of the risk (the Uni knew, or were negligently unaware, but said nothing).
A more likely scenario is that students install games or other software with a trojan keylogger, or that they visit a website with the resident IE and get keyloggers as they surf. Either way, there is a plausible mechanism (verging on the inevitable) for such keyloggers to be there right now, without this guy.
Mr Moufid's actions may not have been the best way to highlight the problem, but according to TFA, he was asking the uni to improve security.
And, for all those "what did he expect for not being anonymous" folk - he did this under a pseudonym.
Where he really messed up was (a) mailing people's passwords to other people - this was stupid, (b) using email in a way that was traceable back to him, (c) admitting to using the passwords, rather than just collecting them, (d) having an "islamic terrorist" name, (e) underestimating the vengefulness of the administration, and probably (f) talking to the police without a lawyer - even when he thought he'd done nothing wrong.
As for "but he used the passwords" - I submit that the only way he could demonstrate that real passwords were being exposed was to log in to a less sensitive part of the system (avoiding the sensitive data and money handling parts). There is no evidence here that he did any more than this verification step.
Remember - the uni was hacked back in July. Many students will have been concerned about security. This guy will have realised that there were still problems, and that students' personal information and money were at risk from the insecure terminals that read student debit cards.
Here are three questions: how should he have highlighted the problem, what should he have done if the authorities ignored this, and (whatever the technical legalities, rights and wrongs) is it a sensible use of someone's life and the state's tax money to send someone to prison who was trying to help - or would a less extreme response be appropriate?
Paul "Say no to feeping creaturism"
forgot to add this: It absolutely is a problem that someone can install a key logger on the machines that the university expects you to type your password into, especially when this password and id allows your money to be spent.
Paul "Say no to feeping creaturism"
A whitehat would never do this kind of intrusion without first getting approval. This is what is called a Grayhat and maybe even a Blackhat. He did not have proper authorization.
Has it occurred to anyone that you really ought to have a right to know your network account is secure? I mean, my university has a lot of sensitive personal information for most of its students, including banking information used for direct deposit and automatic payment of bills. In this case, students were apparently using their swipe cards as debit cards. Of course, not all of this is accessible even if you can hack my account, but some of it would be, and anything is accessible if you can access root/administrative accounts. Really, you ought to have a RIGHT to try and hack the university servers, just to check your OWN info is safe.
I mean one of the other recent articles:
http://it.slashdot.org/it/08/09/13/1639235.shtml
Shows 42% of the guys they interviewed didn't KNOW if their systems had been breached and 25% DID know they had a security breach. I've been kind of oblivious to this until recently, figuring as long as I can stay secure on my home network, I'm fine. But, honestly, I have an online bank account and my university has most of my banking information plus paypal has my credit card info, and I've got no way of knowing how secure that stuff is unless I try to break into their system myself. Which, obviously, is illegal.
If the trust, reliability and authenticity of data on a server is compromised and has to be verified, that's "harm done". "The security team had to spend a week poring over everything, even if you only /said/ you touched 1 server" means that they couldn't be doing something else. That's time and resources wasted. Most organizations would call that "harm done". Anyone who's had a wallet lost or stolen knows that the real pain is in dealing with the security BS that goes along with it (cancelling cards, verifying that nothing got charged, getting your IDs reissued, etc). He wasn't "more competent" and this wasn't an innocent good deed, he was "more malicious" and he inconvenienced at least 40 people and handled notification poorly. He's getting burned now, and it's unfortunate for him, but there's an applicable aphorism about heat and kitchens.
FreeBSD for the impatient.
Think about it for a second. You don't install a keylogger on a server and then capture logins from students from remote machines ... the keyloggers were installed on the students' laptops. This is NOT "hacking" or "cracking" the university's computers. He installed keyloggers on up to 37 other students' laptops to capture their login info.
You obviously haven't even read the report. Please do:
http://wikileaks.org/wiki/Censored_Cartleton_University_Campuscard_fiasco_2008
The keylogger was installed on university Point of Sale terminal(s), not "laptops"...
And it was 32 students, not 37...
Try again.