University Brings Charges Against White Hat Hacker
aqui writes "A university student at Carleton is learning that no good deed goes unpunished. After hacking into what was probably a not-so-secure university network, this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive. The university should spend money on hiring some admins with better computer skills and teaching skills rather than paying lawyers. In the Engineering department at my old university, the unofficial policy was that when you broke in, didn't damage anything, and reported the problem and how you broke in, they didn't charge you (if you maliciously caused damage, you usually faced academic sanctions). In some cases, the students were hired or they 'volunteered' for the summer to help secure the servers or fix the hole they found. The result was that Engineering ended up with one of the most secure systems in the university."
aqui continues:
"The truth is, some university students are going to have the desire to hack something, and not all of them have the judgment to stay out of trouble. If you acknowledge that and catch them inside the university, you can straighten them out before they wreck their lives, and teach them to be white hats. Rather than creating a hostile environment where people may become black hats, you create an environment where you guide them in the right direction to being good computer security professionals. For every hacker they catch, there's probably at least one that they don't know about. I can imagine that a number of those hackers at Carleton are now seeing the university as the enemy for burning 'one of their own,' and some of them may become malicious to get even. If the student's intentions were good - which they appear to be - I can't help but feel sorry for the guy."
You were not dishonest, merely negligent that your password was discoverable with a dictionary attack. That's not numeric bad luck, that's a bad password: you should know better. Whether it's malice or carelessness does not matter much: the scale of the invasion should matter more, especially if someone could nab your passwords from other, more critical services.
Now, if you had laid the groundwork in previous reports that the password handling was poor and that a properly synchronized Kerberos or RSA key login approach should be used, you'd be in better shape now.
But involving law enforcement where no significant damages have occurred shows a serious lack of judgment somewhere in the administration.
Ok, so if someone gains entry to where you live by picking the lock, watches your TV, uses your toilet, reads your mail and personal papers, and then leaves you a note identifying themselves, you would not involve the police?