Slashdot Mirror
University Brings Charges Against White Hat Hacker
aqui writes "A university student at Carleton is learning that no good deed goes unpunished. After hacking into what was probably a not-so-secure university network, this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive. The university should spend money on hiring some admins with better computer skills and teaching skills rather than paying lawyers. In the Engineering department at my old university, the unofficial policy was that when you broke in, didn't damage anything, and reported the problem and how you broke in, they didn't charge you (if you maliciously caused damage, you usually faced academic sanctions). In some cases, the students were hired or they 'volunteered' for the summer to help secure the servers or fix the hole they found. The result was that Engineering ended up with one of the most secure systems in the university."
Read on for the rest of aqui's comments.
aqui continues:
"The truth is, some university students are going to have the desire to hack something, and not all of them have the judgment to stay out of trouble. If you acknowledge that and catch them inside the university, you can straighten them out before they wreck their lives, and teach them to be white hats. Rather than creating a hostile environment where people may become black hats, you create an environment where you guide them in the right direction to being good computer security professionals. For every hacker they catch, there's probably at least one that they don't know about. I can imagine that a number of those hackers at Carleton are now seeing the university as the enemy for burning 'one of their own,' and some of them may become malicious to get even. If the student's intentions were good - which they appear to be - I can't help but feel sorry for the guy."
this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive.
So, I agree with you. Someone who took the time to show flaws in the system should not be punished (at least not to this extent).
However, here's probably what happened.
1. Someone received the 16 page write-up. They took it to the sys admins.
2. The system administrators, WHO WANT TO KEEP THEIR JOB, are going to go into a tirade of how he subverted their systems and purposely used "nefarious methods" to break system security, etc, etc. Basically, it's politics here - they don't want to look bad and/or lose their job so they will do everything in their power to make him look like a bad guy (which, to some extent, he is).
3. So, sys admins may have suggested some legal action to protect the school and make an example of him. (Or someone higher up may have.) The reason someone higher up may have done this is because they want to protect the school's image. Knowing that their system was weak could really hurt a school which is a business.
Basically, all of this is politics. All of it. Technically, the kid did the right thing by reporting what he found (although, quite honestly, he probably shouldn't have been there in the first place without asking permission). But, he didn't think through how other people were going to see his actions. You *always* have to think about the politics.
Exactly, if the law were balanced in this area the case will probably be thrown out (if it even reached court) and the student let-off. I bet he gets a prison sentence, or harsh fine and community service. Worst of all he'll have a criminal record, meaning he might not be able to get a job. Is one other person on the dole -- when their crime is nothing more than curiosity and a desire to help -- useful to society?
It's not just the university admins who have a bad attitude, it's all society that have been conditioned to believe the hacking == terrrism meme.
I would suggest that any prospective students reading this politely contact this university and explain why you will not be choosing them. Same for any parents who's kids might be thinking of going to Carleton.
Do have some pity for those admins though: they're probably just MCSE's.
I'm going to transform myself into a mighty hawk. Either that or I'll just go and work at Dixons, haven't decided yet.
No, technically, he did the illegal thing, and thus is getting punished.
Whether it's wrong is up for debate. I can see how someone could think it was wrong, or morally neutral but stupid, or perfectly fine.
Warning: Apple/Nintendo fangirl. Likes her electronics cute & cuddly. May be rabid.
Looking at your response, then, there seems to be no reason what-so-ever to be a white-hat.
Honestly, if you're going to get the book thrown at you, fucking make it worth it. Destroy those phenomenally expensive research projects.
I mean, after all, if he's going to get punished for things like this, it's better off at least feeling the satisfaction of really dicking someone over. I mean, if they're going to fuck your life up for the end of all days, you may as well have done it to them first. At least then you have "an eye for an eye".
Right now you have "an eye for a paper showing precisely how I could have taken your eye".
Your desire for vengeance will only serve to drive the next guy underground. I certainly would know better than to come forward in a world with an attitude such as yours. You all are so quick with your "lock 'em up" bullcrap.
What?
Ya know, if he saw a flaw (and obviously there was something wrong since he installed a keylogger on at least one university computer) he should have reported it to the IT department. He decided to act and break the law so he should man up and face the consequences.
At the absolute most, he should have stopped after installing the keylogger and reported that to the IT department. He could have even reported it anonymously. The fact that he then took account information and accessed people's accounts goes way over the line.
If some asshat broke into one of my servers then told me how, I'd send his ass to jail too. If he contacted me and said "I would like to break into your server then I'll tell you how", I'd pay him to do it under controlled circumstances. However, if he just up and did it one day, it would cost me tens of thousands of dollars in cleanup.
So just because someone asks beforehand means you can trust them to not require a cleanup afterwards? What kind of arbitrary logic is that? If you don't trust them and that's why you want it done under controlled conditions such that everything they do is recorded then you may as well do it yourself. Someone who doesn't ask isn't necessarily malicious as in this case but someone who does ask can still be malicious. You just have a better chance of the person(s) not being malicious if they do ask but there are exceptions on both sides of the situation.
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
Besides having been that kid 15 years ago, when I was a teenager, and the IT department and CS staff chose to point me in the right direction. Now I don't do any hacking, or any other illegal, scandalous, shady or immoral activity other then wasting time on Slashdot. I am, on the other hand, a practicing engineer and making the world a better place. If I were treated like this kid, I'd still be in nowhereville. Is the university doing what's legal? Yes. Are they doing what's moral? Fuck no.
Yes, but the difference is that it was the university's own department. It's not just any organization. Students, by definition, are going to make some bad decisions along the way, and one of a university's jobs is to minimize the damage of those decisions so that a student can benefit from learning from their mistakes.
It's one of the reasons colleges like to have "campus police" rather than real police: keep everything "in the family" and out of the "rap sheets" where possible.
Academic sanctions, sure. But involving law enforcement where no significant damages have occurred shows a serious lack of judgment somewhere in the administration. I would emphatically not recommend attending any school which prefers to make an example of someone over protecting their students from making life-altering mistakes.
Can you be Even More Awesome?!
2. They're not very good at their job if some pinhead waltzes into the network and screws around like that.
It's not just that. If they responded this way, then it means that they don't want to learn. If you plan to employ them for the long-term, that's just as important as their current skill set.
At first I was sympathetic ... but a moments' thinking changed my mind. The guy deserves a criminal record, and to be expelled.
Thnk about it for a second. You don't install a keylogger on a server and then capture logins from students from remote machines ... the keyloggers were installed on the students' laptops. This is NOT "hacking" or "cracking" the university's computers. He installed keyloggers on up to 37 other students' laptops to capture their login info.
How would you react if someone installed a keylogger on YOUR laptop? And dozens of others? Whether he tookThis isn't Soviet Russia - laptops don't (or shouldn't) log YOU!
If he had physically assaulted 37 students, rather than compromising their laptops and account info, he'd be in jail. Ditto if he had vandalized their cars, instead of their laptops. But looking at the comments, it's okay to screw with other people's property if you want to look 1337 to your peers.
Expulsion is the least the university can (and should) do, as well as pursuing criminal charges.
and found a 16 page write-up about how a guy broke into your house, disabled the motion detector
I agree this would be disturbing, but I hear these analogies to people's homes all the time and I've always been a little uncomfortable with them, and I think I've figured out why.
One of the key problems with a home invasion is that it's pretty reasonable to assume it threatens your personal safety. There are other places to threaten someone's personal safety, but it's one of the few places where just by dint of being there, it's reasonable to assume someone constitutes some kind of threat to you.
I think a better analogy would be some kind of storage unit or a locker. If you had stuff in this protected by a certain kind of lock, and somebody broke into your place and left a note that said "Dude. These locks are defective. They're easy to open by using this technique. Your stuff will be safer if you get something else!" and didn't take anything, that'd be closer to what happens when a system is compromised. You might be likely to be a bit surprised and perhaps wary, but it's not the place where you sleep.
Tweet, tweet.