Slashdot Mirror

← Back to Stories (view on slashdot.org)

University Brings Charges Against White Hat Hacker

Posted by Soulskill on from the easier-than-fixing-security-holes dept.

aqui writes "A university student at Carleton is learning that no good deed goes unpunished. After hacking into what was probably a not-so-secure university network, this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive. The university should spend money on hiring some admins with better computer skills and teaching skills rather than paying lawyers. In the Engineering department at my old university, the unofficial policy was that when you broke in, didn't damage anything, and reported the problem and how you broke in, they didn't charge you (if you maliciously caused damage, you usually faced academic sanctions). In some cases, the students were hired or they 'volunteered' for the summer to help secure the servers or fix the hole they found. The result was that Engineering ended up with one of the most secure systems in the university." Read on for the rest of aqui's comments. aqui continues: "The truth is, some university students are going to have the desire to hack something, and not all of them have the judgment to stay out of trouble. If you acknowledge that and catch them inside the university, you can straighten them out before they wreck their lives, and teach them to be white hats. Rather than creating a hostile environment where people may become black hats, you create an environment where you guide them in the right direction to being good computer security professionals. For every hacker they catch, there's probably at least one that they don't know about. I can imagine that a number of those hackers at Carleton are now seeing the university as the enemy for burning 'one of their own,' and some of them may become malicious to get even. If the student's intentions were good - which they appear to be - I can't help but feel sorry for the guy."

6 of 540 comments (clear)

  1. Bullshit by atari2600 · · Score: 5, Informative

    From the article: Det. Michel Villeneuve of the Ottawa Police high-tech crime unit said yesterday that a suspect used Keylogger software and magnetic stripe-card reader software to acquire students' information.

    Using keylogger software is not White hat material sorry. You install a keylogger on a random machine and watch people come in and access their email / student accounts and then later go "me l33t haxor?"

    Computing access in schools is a privilege and I see an abuse of privilege here by installing keyloggers. Sorry but physical access to machines means all security is out of the window. Sure the admins can install a variety of tools to detect keyloggers but there's always going to be one program that will escape detection.

    Should I blame Soulskill? Such a verbose summary and no mention of keylogging software.

  2. As a student of Carleton... by Joelfabulous · · Score: 5, Informative

    I can tell you firsthand that the administration did not take kindly to this.

    With regards to the magnetic stripe thing, it's not surprising that those in charge reacted strongly and sharply. We had recurrent incidents on campus last year with sexual assault and they had to lock down all the residences and the labs, and as such, they took great pains to inform the students who had access cards for the suite residences that they would not, in fact, be in danger, be it financial or otherwise.

    --
    Sometimes I wonder if I think too much.
  3. Re:Wake up please. by pizzach · · Score: 4, Informative

    No, technically, he did the illegal thing, and thus is getting punished. Whether it's wrong is up for debate. I can see how someone could think it was wrong, or morally neutral but stupid, or perfectly fine.

    Whether it's wrong and if the punishment was extremely excessive is up to debate. Premeditated murder, manslaughter by negligence, and Murder in the name of self defense can warrant totally different outcomes. It looks to me in this case intent is being totally ignored.

    --
    Once you start despising the jerks, you become one.
  4. Re:Wake up please. by grahamd0 · · Score: 4, Informative

    Premeditated murder, manslaughter by negligence, and Murder in the name of self defense can warrant totally different outcomes.

    Murder is the illegal killing of another human being.

    If it's legal for you to defend yourself with deadly force then it is, by definition, not murder.

    If you are in a jurisdiction where it isn't legal to defend yourself then the fact that you were defending yourself is irrelevant.

  5. No damage? Really? by shalla · · Score: 3, Informative

    Actually, did you read the article? The bottom line is that he revealed account information on students to multiple people who were not in the position to fix any problems (including other students via e-mail).

    White hat hacking, my ass.

    He used a keylogger and magnetic card reader to capture the information to break into accounts. After that, he sent the 16-page paper (which WAS sent under a psudonym, since people keep suggesting that) not to a system administrator or someone who could deal with it quietly, but instead to a secretary, and eventually he e-mailed it to 37 other students. Fantastic move, that. Included in the paper was the personal account information of the students. So yes, he revealed the account information of his victims to other people.

    Maybe he had good intentions, but that puts him pretty firmly in the "Please, prosecute me!" camp. If he'd revealed information on me that allowed someone to make campus purchases as me as well as check my school records and access my email, I'd be pressing charges too.

    Maybe there was no damage to the university's infrastructure that we know about, but I'm pretty sure that those students would have been damn lucky if no one went into their accounts and took advantage of them, the way he handled it. And THAT, my friend, is why he's being charged.

  6. Re:keyloggers on student laptops is not hacking .. by SilverJets · · Score: 3, Informative

    Thnk about it for a second. You don't install a keylogger on a server and then capture logins from students from remote machines ... the keyloggers were installed on the students' laptops. This is NOT "hacking" or "cracking" the university's computers. He installed keyloggers on up to 37 other students' laptops to capture their login info.

    Not necessarily their laptops. A lot of universities have computers available for student use and that does not mean he set up a kelogger on a server. Contrary to popular belief, many students don't own or at least don't carry their laptop around campus with them.