Slashdot Mirror

← Back to Stories (view on slashdot.org)

University Brings Charges Against White Hat Hacker

Posted by Soulskill on from the easier-than-fixing-security-holes dept.

aqui writes "A university student at Carleton is learning that no good deed goes unpunished. After hacking into what was probably a not-so-secure university network, this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive. The university should spend money on hiring some admins with better computer skills and teaching skills rather than paying lawyers. In the Engineering department at my old university, the unofficial policy was that when you broke in, didn't damage anything, and reported the problem and how you broke in, they didn't charge you (if you maliciously caused damage, you usually faced academic sanctions). In some cases, the students were hired or they 'volunteered' for the summer to help secure the servers or fix the hole they found. The result was that Engineering ended up with one of the most secure systems in the university." Read on for the rest of aqui's comments. aqui continues: "The truth is, some university students are going to have the desire to hack something, and not all of them have the judgment to stay out of trouble. If you acknowledge that and catch them inside the university, you can straighten them out before they wreck their lives, and teach them to be white hats. Rather than creating a hostile environment where people may become black hats, you create an environment where you guide them in the right direction to being good computer security professionals. For every hacker they catch, there's probably at least one that they don't know about. I can imagine that a number of those hackers at Carleton are now seeing the university as the enemy for burning 'one of their own,' and some of them may become malicious to get even. If the student's intentions were good - which they appear to be - I can't help but feel sorry for the guy."

4 of 540 comments (clear)

  1. Re:Wake up please. by yttrstein · · Score: 5, Interesting

    If I found out that one of my engineers turned in and made moves to press charges against a hacker who broke in and then told them exactly how it was done, I would fire that engineer on the spot, for two reasons:

    1. As was said in the story, you have an opportunity there to pull a potential fence-sitter over to the white-hat side of things, and you can only do that if you don't send them to prison on the spot. To not understand this is to be missing a fundamental requirement of anyone on the payroll -- "don't be a jerk!"

    2. They're not very good at their job if some pinhead waltzes into the network and screws around like that.

    But maybe that's why some engineers and administrators get so hot headed about this sort of thing. When it happens it draws unwanted attention to their own potential incompetence, and any rational human being would be pretty threatened by that.

    Still, Don't be a jerk.

  2. Re:No harm, no foul by Antique+Geekmeister · · Score: 5, Interesting

    No, some anger is justified. The Morris Worm was not written to ruin systems, it was written to probe them and report its results. Nevertheless, it brought down UNIX servers worldwide becuase it was badly written. Doing 'harmless' security cracks against a badly secured network can in fact trash that network, by accident, as you tweak local settings in 'harmless' ways.

    As well meant as it was, this is why you don't put your name on that paper about the flaws. You send copies to the core administrators and money providing bureaucrats, from their own email accounts, and possibly to the staff of the school newspaper.

  3. Re:Wake up please. by silentcoder · · Score: 5, Interesting

    >Robin Hood stole from the rich and gave to the poor.

    Just for the record, that's not true. The actual legend, which is at least in part based on facts, is that he led a revolt against a corrupt aristrocracy that overtaxed peasants (to the point of leaving them unable to eat). The revolt consisted of robbing said corrupt aristocrats (in particular the tax collectors) and then giving the money back to it's rightful owners.
    The oldest version of the legend I could find in a book (published in the 1700's) explained their system as follows:
    1/3 of the money the aristocrat had was left with him - (this was deemed a fair amount, even in taxes)
    1/3 was given to the peasants it came from - (that was deemed fair by said peasants)
    the last 1/3 was kept by Robin Hood and his men to buy their own food and weaponry.

    Basically, an early form of guerilla warfare and civil disobedience rather than outright theft.

    Most modern tellings do remember that Robin Hood was born a nobleman and a knight (Sir Robert of Locksley) but very few recall the end of the legend completely (as per said oldest book version). Most end with the return of Richard I from the crusades who punishes his corrupt brother and the aristocrats who scored from the system he set up. According to the older versions though, he didn't just punish them and pardon Robin Hood. He then rewarded Robert of Locksley for what he deemed exceptional service to the country, by greatly upgrading his title and making him the Earl of Huntingdon.
    Said title is still extant, and I do believe it's carriers take some pride in being (probably) descended from Robin Hood.

    Of course, with an almost 500 year old legend, a lot of facts are not known - especially when the oldest book about it I could find was written more than a 2 centuries after the fact, but the old 'steal from the rich, give to the poor' idea is really a rather massive oversimplification of what he said to have done. I think it would almost be more fair to think of Robin Hood as an early form of a welfare system in a taxed-state.

    --
    Unicode killed the ASCII-art *
  4. Re:No harm, no foul by skolima · · Score: 5, Interesting

    Fuck academic sanctions. My Operating Systems teacher (professor on PUT, Poland) _encouraged_ us to try and break into university computers. His assistant (Ph.D.) told us that he uploaded exam questions into his account a week before the exam date, they were up for reading for anyone who was able to get to them and document how he did this (AFAIK only a single person in 6 years managed to get in, those guys knew what they were doing). University is for learning and documenting what you know for others to use, not for fearing that you might anger some incompetent sysadmin.