Slashdot Mirror


University Brings Charges Against White Hat Hacker

aqui writes "A university student at Carleton is learning that no good deed goes unpunished. After hacking into what was probably a not-so-secure university network, this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive. The university should spend money on hiring some admins with better computer skills and teaching skills rather than paying lawyers. In the Engineering department at my old university, the unofficial policy was that when you broke in, didn't damage anything, and reported the problem and how you broke in, they didn't charge you (if you maliciously caused damage, you usually faced academic sanctions). In some cases, the students were hired or they 'volunteered' for the summer to help secure the servers or fix the hole they found. The result was that Engineering ended up with one of the most secure systems in the university." Read on for the rest of aqui's comments. aqui continues: "The truth is, some university students are going to have the desire to hack something, and not all of them have the judgment to stay out of trouble. If you acknowledge that and catch them inside the university, you can straighten them out before they wreck their lives, and teach them to be white hats. Rather than creating a hostile environment where people may become black hats, you create an environment where you guide them in the right direction to being good computer security professionals. For every hacker they catch, there's probably at least one that they don't know about. I can imagine that a number of those hackers at Carleton are now seeing the university as the enemy for burning 'one of their own,' and some of them may become malicious to get even. 
If the student's intentions were good - which they appear to be - I can't help but feel sorry for the guy."

13 of 540 comments

  1. Re:Wake up please. by yttrstein · Score: 5, Interesting

    If I found out that one of my engineers turned in and made moves to press charges against a hacker who broke in and then told them exactly how it was done, I would fire that engineer on the spot, for two reasons:

    1. As was said in the story, you have an opportunity there to pull a potential fence-sitter over to the white-hat side of things, and you can only do that if you don't send them to prison on the spot. To not understand this is to be missing a fundamental requirement of anyone on the payroll -- "don't be a jerk!"

    2. They're not very good at their job if some pinhead waltzes into the network and screws around like that.

    But maybe that's why some engineers and administrators get so hot headed about this sort of thing. When it happens it draws unwanted attention to their own potential incompetence, and any rational human being would be pretty threatened by that.

    Still, don't be a jerk.

  2. Re:Realism ahoy by yttrstein · Score: 3, Interesting

    It's precisely this sort of attitude, stonecypher, that will prevent any other hackers at Carleton from coming forward and reporting any problems they happen to find, legally or not.

    But at least your ethics are intact.

    Though perhaps there's some sort of happy medium where you could get your punishment rocks off while at the same time places like Carleton don't have to scare everyone into never reporting anything. You're never, ever going to stop a hacker who loves what they do from hacking. Ever.

    Those of us active in the security field would really appreciate your help on this.

  3. Re:No harm, no foul by YttriumOxide · Score: 3, Interesting

    Is it really that hard to get a job in some places if you have a criminal record? I have a record - for Phreaking of all things (actually, the charge was "Obtains other service credit by fraud"), and it has never had any effect on my ability to find work. Most employers don't ask, and the very few that have have just said, "well, you were young, and it shows technical aptitude" or something along those lines and then never mentioned it again.

    Note: I don't live in the US, nor have I ever applied for a job in that country, so it might (or might not be) just a US thing.

    --
    My book about LSD and Self-Discovery
    Also on facebook as: DroppingAcidDaleBewan

  4. Re:Wake up please. by SirSlud · Score: 3, Interesting

    Robin Hood stole from the rich and gave to the poor. In this situation, he could only have stolen from the poor, but he stole from nobody and told the rich that stealing from them was feasible if somebody else wanted to be a true anti-Robin Hood.

    It's a shame people think most hacking involves breaking down hex codes. I've had my debit card number and pin stolen twice from the nearby grocery store, and I'd love nothing more than for somebody to do it again who would actually tell them how it was done and how to prevent it in the future.

    --
    "Old man yells at systemd"

  5. How would you feel? by erroneus · Score: 3, Interesting

    It's late at night. You're still up messing around on your computer. It is otherwise very quiet.

    Suddenly, you hear weird noises at your door. It's not an animal... it's something working at the keyhole.

    At this point, some of you are already reaching for a gun, a baseball bat, something. Others are calling 911. Whatever is going on, it isn't right.

    If for some reason, you just go to the door and open it to see who is there, would you feel friendly to this guy if he smiles and says "I am doing you a favor!"

    Okay, this isn't parallel enough...

    How about you came home from work to find a note on the inside of your home explaining "Hi, I got into your home but I didn't take anything. Here is how I did it and what I saw." Come on! How creepy is that?!

    What this guy did was a classic security breach... the kind everyone is already afraid of... the kind that always gets headlines when "personal information is exposed." In some stupid way, maybe he had some twisted idea that he was doing something noble or scholarly. But in the real world, we already know there is a balance between security and convenience. Once in a while, people need to be reminded that the balance is often set too far in favor of convenience, but this guy did too much. Stopping at "I was able to install a keylogger on this system, ran a test or two and disabled it. The log files are here for examination. The information on this computer and accessible through this computer is vulnerable." would have more than sufficed... but even then, it's a bit too much. Perhaps it would have been better to simply place an "Out of Order" sign on the computer to prevent anyone from using it.

    There is a difference between noticing that someone left a door unlocked and telling someone and actually going in and rummaging about and writing up a big report on the topic.

    He needs a slap on the wrist for this. No doubt about it. But nothing permanent... this time...maybe. Some people actually lack some impulse controls in their personalities and get giddy at the notion that they have some power or superiority over others. Some people are just broken that way.

  6. Re:Wake up please. by registrar · Score: 4, Interesting

    You are so right about intent. Ignoring the kid's intent is part of what makes this repugnant.

    In my workplace, I get technical people to work for me by honouring their expertise and sometimes acting just a bit dumb. IT managers especially do not respond well to any hint that you know they are doing a second-rate job. But academics and students should thrive on give-and-take. This kid acted in an academic sort of way at a university, and that should be fine. University is not the place where you should have to learn how to deal nicely with incompetent people. So I find it quite awful that this university is discouraging that free learning process.

    Sucks to be the IT guy, but the best IT managers I ever saw at UNO were bored academics. Not always entirely technically competent, but they understood where we were coming from and knew how to keep us in line. And quite happy for us to point out security holes.

  7. Re:No harm, no foul by Antique+Geekmeister · Score: 5, Interesting

    No, some anger is justified. The Morris Worm was not written to ruin systems; it was written to probe them and report its results. Nevertheless, it brought down UNIX servers worldwide because it was badly written. Doing 'harmless' security cracks against a badly secured network can in fact trash that network, by accident, as you tweak local settings in 'harmless' ways.

    As well meant as it was, this is why you don't put your name on that paper about the flaws. You send copies to the core administrators and money-providing bureaucrats, from their own email accounts, and possibly to the staff of the school newspaper.

  8. Re:The Politics by permaculture · Score: 4, Interesting

    There was a similar situation a while ago where I work (in my outfit's Computer Center).

    I found a password ripper on the net, and tried it on our password file. Seemingly, the password rules that used to be applied had been lost during a recent system change; and now passwords like 'password' and 'letmein' were not rejected when the user tried to set their password. I was able to crack >1,000 passwords within 30 minutes.

    I reported the problem to my supervisor, and he got me to discuss it with the Technical Director. They decided that the new Identity Management system that they were looking for funding for would fix the problem. The budget bid failed, and the IDM system still hasn't been built. The hole remained for 2 to 3 more years.

    I read a case online where a NASA sysadmin would email users to warn them to strengthen their passwords, so I started doing that myself. "Hullo [user], your password is your favourite football team. That's a dictionary word, and easy to crack. Please choose a stronger password, using one of these methods." This did reduce the scale of the problem somewhat, but new accounts would appear with weak passwords, so the hole was still open.

    Around 2 to 3 years after I originally reported the problem, a user reported exactly the same thing to his boss, who told the Computer Centre. He was hauled over the coals, reprimanded and nearly got disciplined for his trouble. Password creation rules were instituted, and the hole was closed in short order.

    Since those days my outfit has started filtering our Web access using http://www.websense.com/. I recently found a way around the filter, but don't want to report this hole in case the management decide to punish me for it.

    --
    Environmentalism is the new Victorianism. Everyone ties on a green corset and pretends we're virtuous.

  9. Re:Wake up please. by silentcoder · Score: 5, Interesting

    >Robin Hood stole from the rich and gave to the poor.

    Just for the record, that's not true. The actual legend, which is at least in part based on facts, is that he led a revolt against a corrupt aristocracy that overtaxed peasants (to the point of leaving them unable to eat). The revolt consisted of robbing said corrupt aristocrats (in particular the tax collectors) and then giving the money back to its rightful owners.
    The oldest version of the legend I could find in a book (published in the 1700's) explained their system as follows:
    1/3 of the money the aristocrat had was left with him - (this was deemed a fair amount, even in taxes)
    1/3 was given to the peasants it came from - (that was deemed fair by said peasants)
    the last 1/3 was kept by Robin Hood and his men to buy their own food and weaponry.

    Basically, an early form of guerilla warfare and civil disobedience rather than outright theft.

    Most modern tellings do remember that Robin Hood was born a nobleman and a knight (Sir Robert of Locksley) but very few recall the end of the legend completely (as per said oldest book version). Most end with the return of Richard I from the crusades who punishes his corrupt brother and the aristocrats who scored from the system he set up. According to the older versions though, he didn't just punish them and pardon Robin Hood. He then rewarded Robert of Locksley for what he deemed exceptional service to the country, by greatly upgrading his title and making him the Earl of Huntingdon.
    Said title is still extant, and I do believe its holders take some pride in being (probably) descended from Robin Hood.

    Of course, with an almost 500-year-old legend, a lot of facts are not known - especially when the oldest book about it I could find was written more than two centuries after the fact - but the old 'steal from the rich, give to the poor' idea is really a rather massive oversimplification of what he is said to have done. I think it would almost be more fair to think of Robin Hood as an early form of a welfare system in a taxed state.

    --
    Unicode killed the ASCII-art *

  10. Re:No harm, no foul by skolima · Score: 5, Interesting

    Fuck academic sanctions. My Operating Systems teacher (a professor at PUT, Poland) _encouraged_ us to try and break into university computers. His assistant (Ph.D.) told us that he uploaded exam questions into his account a week before the exam date; they were up for reading for anyone who was able to get to them and document how he did it (AFAIK only a single person in 6 years managed to get in; those guys knew what they were doing). University is for learning and documenting what you know for others to use, not for fearing that you might anger some incompetent sysadmin.

  11. Re:No harm, no foul by haus · Score: 3, Interesting

    It is worth noting that despite the pain caused by Robert T. Morris with the release of his worm and the criminal record that followed, he has managed to find productive work (currently a professor at MIT).

    Perhaps it is a good reminder that while punishment may be appropriate, it is not necessarily good for society to punish people continuously for past misdeeds.

  12. Re:Wake up please. by Draek · Score: 4, Interesting

    The cost of which should fall on *you* since it was *your* job to configure the network to prevent such attacks, and *you* failed at it.

    Yeah, it'd make the sysadmins' jobs a lot more hellish, but hey, as long as we're in this wanking hate session... plus it's only logical that if you're going to penalize somebody for the sysadmin's incompetence, that it should be the sysadmin himself.

    --
    No problem is insoluble in all conceivable circumstances.

  13. Mag cards are worthless by cvd6262 · Score: 4, Interesting

    When I was a grad student, the lab in the education department asked me to implement a "fast, simple" method of pulling up student records. I bought them a cheap mag-strip reader and wrote a little script that would grab the Student ID from the card, then submit it to their campus information system. The lab manager (who was not a tech) was shocked that it worked. He assumed the information on the card would be encrypted or something.

    That same year a buddy of mine who worked for IT services put together a demo of how easily the mag cards could be forged - with less than $100 plus a cheap laptop. His bosses were impressed and asked him to demo it for one of the VPs. When he did, the VP told him, "You know, you're on thin ice here. You could get in a lot of trouble for this."

    In essence, the administration (who purchased the card systems) didn't want to know if they were secure. They just wanted to give the impression of security.

    --
    I'd rather have someone respond than be modded up.