University Brings Charges Against White Hat Hacker
Posted by Soulskill on Sat Sep 13, 2008 12:40 AM
from the easier-than-fixing-security-holes dept.
aqui writes "A university student at Carleton is learning that no good deed goes unpunished. After hacking into what was probably a not-so-secure university network, this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive. The university should spend money on hiring some admins with better computer skills and teaching skills rather than paying lawyers. In the Engineering department at my old university, the unofficial policy was that when you broke in, didn't damage anything, and reported the problem and how you broke in, they didn't charge you (if you maliciously caused damage, you usually faced academic sanctions). In some cases, the students were hired or they 'volunteered' for the summer to help secure the servers or fix the hole they found. The result was that Engineering ended up with one of the most secure systems in the university."
aqui continues:
"The truth is, some university students are going to have the desire to hack something, and not all of them have the judgment to stay out of trouble. If you acknowledge that and catch them inside the university, you can straighten them out before they wreck their lives, and teach them to be white hats. Rather than creating a hostile environment where people may become black hats, you create an environment where you guide them in the right direction to being good computer security professionals. For every hacker they catch, there's probably at least one that they don't know about. I can imagine that a number of those hackers at Carleton are now seeing the university as the enemy for burning 'one of their own,' and some of them may become malicious to get even. If the student's intentions were good - which they appear to be - I can't help but feel sorry for the guy."
The Politics (Score:5, Insightful)
this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive.
So, I agree with you. Someone who took the time to show flaws in the system should not be punished (at least not to this extent).
However, here's probably what happened.
1. Someone received the 16 page write-up. They took it to the sys admins.
2. The system administrators, WHO WANT TO KEEP THEIR JOB, are going to go into a tirade of how he subverted their systems and purposely used "nefarious methods" to break system security, etc, etc. Basically, it's politics here - they don't want to look bad and/or lose their job so they will do everything in their power to make him look like a bad guy (which, to some extent, he is).
3. So, sys admins may have suggested some legal action to protect the school and make an example of him. (Or someone higher up may have.) The reason someone higher up may have done this is because they want to protect the school's image. Knowing that their system was weak could really hurt a school which is a business.
Basically, all of this is politics. All of it. Technically, the kid did the right thing by reporting what he found (although, quite honestly, he probably shouldn't have been there in the first place without asking permission). But, he didn't think through how other people were going to see his actions. You *always* have to think about the politics.
Re:The Politics (Score:4, Insightful)
Computers are not houses (Score:5, Insightful)
and found a 16 page write-up about how a guy broke into your house, disabled the motion detector
I agree this would be disturbing, but I hear these analogies to people's homes all the time and I've always been a little uncomfortable with them, and I think I've figured out why.
One of the key problems with a home invasion is that it's pretty reasonable to assume it threatens your personal safety. There are other places to threaten someone's personal safety, but it's one of the few places where just by dint of being there, it's reasonable to assume someone constitutes some kind of threat to you.
I think a better analogy would be some kind of storage unit or a locker. If you had stuff in this protected by a certain kind of lock, and somebody broke into your place and left a note that said "Dude. These locks are defective. They're easy to open by using this technique. Your stuff will be safer if you get something else!" and didn't take anything, that'd be closer to what happens when a system is compromised. You might be likely to be a bit surprised and perhaps wary, but it's not the place where you sleep.
Re:The Politics (Score:5, Interesting)
There was a similar situation a while ago where I work (in my outfit's Computer Center).
I found a password ripper on the net, and tried it on our password file. Seemingly, the password rules that used to be applied had been lost during a recent system change; and now passwords like 'password' and 'letmein' were not rejected when the user tried to set their password. I was able to crack >1,000 passwords within 30 minutes.
I reported the problem to my supervisor, and he got me to discuss it with the Technical Director. They decided that the new Identity Management system that they were looking for funding for, would fix the problem. The budget bid failed, and the IDM system still hasn't been built. The hole remained for 2 to 3 more years.
I read a case online where a NASA sysadmin would email users to warn them to strengthen their passwords, so I started doing that myself. "Hullo [user], your password is your favourite football team. That's a dictionary word, and easy to crack. Please choose a stronger password, using one of these methods." This did reduce the scale of the problem somewhat, but new accounts would appear with weak passwords, so the hole was still open.
Around 2 to 3 years after I originally reported the problem, a user reported exactly the same thing to his boss, who told the Computer Centre. He was hauled over the coals, reprimanded and nearly got disciplined for his trouble. Password creation rules were instituted, and the hole was closed in short order.
Since those days my outfit has started filtering our Web access using http://www.websense.com/ [websense.com]. I recently found a way around the filter, but don't want to report this hole in case the management decide to punish me for it.
Re:The Politics (Score:4, Insightful)
Since those days my outfit has started filtering our Web access using http://www.websense.com/ [websense.com]. I recently found a way around the filter, but don't want to report this hole in case the management decide to stop me using this way around the filter.
There! Fixed that for ya.
Re:Wake up please. (Score:5, Insightful)
Whether it's wrong is up for debate. I can see how someone could think it was wrong, or morally neutral but stupid, or perfectly fine.
Re:Wake up please. (Score:5, Informative)
No, technically, he did the illegal thing, and thus is getting punished. Whether it's wrong is up for debate. I can see how someone could think it was wrong, or morally neutral but stupid, or perfectly fine.
Whether it's wrong and if the punishment was extremely excessive is up to debate. Premeditated murder, manslaughter by negligence, and Murder in the name of self defense can warrant totally different outcomes. It looks to me in this case intent is being totally ignored.
Re:Wake up please. (Score:5, Informative)
Premeditated murder, manslaughter by negligence, and Murder in the name of self defense can warrant totally different outcomes.
Murder is the illegal killing of another human being.
If it's legal for you to defend yourself with deadly force then it is, by definition, not murder.
If you are in a jurisdiction where it isn't legal to defend yourself then the fact that you were defending yourself is irrelevant.
Re:Wake up please. (Score:4, Insightful)
If you are in a jurisdiction where it isn't legal to defend yourself then the fact that you were defending yourself is irrelevant.
Not necessarily true. The law doesn't treat all acts with the same outcome as being indistinguishable.
Here in the UK, there is a somewhat limited scope for self-defence as a defence from a murder charge. It wouldn't work in the case where my response was disproportionate to the threat. For instance, if an unarmed man attempts to mug me and I pull a gun and shoot him, even though I can reasonably say I feared for my life, I would probably still be convicted of murder.
Consider as a contrast, though, a case where I'm walking down the street, see somebody I don't like, pull a gun and shoot them.
In the latter case, I could expect to spend 20-30 years in prison for my offence. In the former case, I'd be unlikely to be inside for 10.
Re:Wake up please. (Score:4, Interesting)
You are so right about intent. Ignoring the kid's intent is part of what makes this repugnant.
In my workplace, I get technical people to work for me by honouring their expertise and sometimes cracking just a bit dumb. IT managers especially do not respond well to any hint that you know they are doing a second rate job. But academics and students should thrive on give-and-take. This kid acted in an academic sort of way at a university, and that should be fine. University is not the place where you should have to learn how to deal nicely with incompetent people. So I find it quite awful that this university is discouraging the free learning process.
Sucks to be the IT guy, but the best IT managers I ever saw at UNO were bored academics. Not always entirely technically competent, but they understood where we were coming from and knew how to keep us in line. And quite happy for us to point out security holes.
Re:Wake up please. (Score:5, Insightful)
We can't then turn around and say that we can ignore the laws to make a person not guilty.
Two words: "Telecoms" and "Wiretapping".
Try again.
Re:Wake up please. (Score:5, Insightful)
Your desire for vengeance will only serve to drive the next guy underground. I certainly would know better than to come forward in a world with an attitude such as yours. You all are so quick with your "lock 'em up" bullcrap.
Re:Wake up please. (Score:5, Insightful)
If some asshat broke into one of my servers then told me how, I'd send his ass to jail too. If he contacted me and said "I would like to break into your server then I'll tell you how", I'd pay him to do it under controlled circumstances. However, if he just up and did it one day, it would cost me tens of thousands of dollars in cleanup.
So just because someone asks beforehand means you can trust them to not require a cleanup afterwards? What kind of arbitrary logic is that? If you don't trust them and that's why you want it done under controlled conditions such that everything they do is recorded then you may as well do it yourself. Someone who doesn't ask isn't necessarily malicious as in this case but someone who does ask can still be malicious. You just have a better chance of the person(s) not being malicious if they do ask but there are exceptions on both sides of the situation.
Re:Wake up please. (Score:5, Interesting)
1. As was said in the story, you have an opportunity there to pull a potential fence-sitter over to the white-hat side of things, and you can only do that if you don't send them to prison on the spot. To not understand this is to be missing a fundamental requirement of anyone on the payroll -- "don't be a jerk!"
2. They're not very good at their job if some pinhead waltzes into the network and screws around like that.
But maybe that's why some engineers and administrators get so hot headed about this sort of thing. When it happens it draws unwanted attention to their own potential incompetence, and any rational human being would be pretty threatened by that.
Still, Don't be a jerk.
Re:Wake up please. (Score:5, Insightful)
2. They're not very good at their job if some pinhead waltzes into the network and screws around like that.
It's not just that. If they responded this way, then it means that they don't want to learn. If you plan to employ them for the long-term, that's just as important as their current skill set.
Re:Wake up please. (Score:5, Insightful)
Besides having been that kid 15 years ago, when I was a teenager, and the IT department and CS staff chose to point me in the right direction. Now I don't do any hacking, or any other illegal, scandalous, shady or immoral activity other than wasting time on Slashdot. I am, on the other hand, a practicing engineer and making the world a better place. If I were treated like this kid, I'd still be in nowhereville. Is the university doing what's legal? Yes. Are they doing what's moral? Fuck no.
Re:Wake up please. (Score:4, Interesting)
Robin Hood stole from the rich and gave to the poor. In this situation, he could have only stolen from the poor, but stole from nobody and told the rich that stealing from them was feasible if somebody else wanted to be a true anti-Robin Hood.
It's a shame people think most hacking involves breaking down hex codes. I've had my debit card number and pin stolen twice from the nearby grocery store, and I'd love nothing more than for somebody to do it again who would actually tell them how it was done and how to prevent it in the future.
Re:Wake up please. (Score:5, Interesting)
>Robin Hood stole from the rich and gave to the poor.
Just for the record, that's not true. The actual legend, which is at least in part based on facts, is that he led a revolt against a corrupt aristocracy that overtaxed peasants (to the point of leaving them unable to eat). The revolt consisted of robbing said corrupt aristocrats (in particular the tax collectors) and then giving the money back to its rightful owners.
The oldest version of the legend I could find in a book (published in the 1700's) explained their system as follows:
1/3 of the money the aristocrat had was left with him - (this was deemed a fair amount, even in taxes)
1/3 was given to the peasants it came from - (that was deemed fair by said peasants)
the last 1/3 was kept by Robin Hood and his men to buy their own food and weaponry.
Basically, an early form of guerilla warfare and civil disobedience rather than outright theft.
Most modern tellings do remember that Robin Hood was born a nobleman and a knight (Sir Robert of Locksley) but very few recall the end of the legend completely (as per said oldest book version). Most end with the return of Richard I from the crusades who punishes his corrupt brother and the aristocrats who scored from the system he set up. According to the older versions though, he didn't just punish them and pardon Robin Hood. He then rewarded Robert of Locksley for what he deemed exceptional service to the country, by greatly upgrading his title and making him the Earl of Huntingdon.
Said title is still extant, and I do believe its carriers take some pride in being (probably) descended from Robin Hood.
Of course, with an almost 500 year old legend, a lot of facts are not known - especially when the oldest book about it I could find was written more than 2 centuries after the fact, but the old 'steal from the rich, give to the poor' idea is really a rather massive oversimplification of what he is said to have done. I think it would almost be more fair to think of Robin Hood as an early form of a welfare system in a taxed-state.
Re:Wake up please. (Score:4, Insightful)
He broke in. He caused damage. If you know that a system has been under control of an unauthorised person, any competent system administrator will tell you that the only thing you can do is a) reinstall and b) treat the data on the system as potentially compromised from that point on. That takes work
Now, he has many potential arguments
but the argument that he didn't do damage isn't one of them
Re:Wake up please. (Score:5, Interesting)
The cost of which should fall on *you* since it was *your* job to configure the network to prevent such attacks, and *you* failed at it.
Yeah, it'd make the sysadmins' jobs a lot more hellish, but hey, as long as we're in this wanking hate session... plus it's only logical that if you're going to penalize somebody for the sysadmin's incompetence, that it should be the sysadmin himself.
Realism ahoy (Score:4, Insightful)
Yes, anyone should be able to break the law and then get off scot-free by claiming it was in the public best interest. Nevermind the cost of the sudden campus-wide security lockdown, nevermind that IT staff may have lost their jobs, nevermind the people now losing sleep because they don't know how to handle things. Nevermind the risk incurred in that if he caused outages he could have disrupted phenomenally expensive research projects. Nevermind that most whitehats leave doors open behind them.
He meant well.
He deserves what he got. Quit trying to make heroes out of everyone looking at jail time. Jesus.
Re:Realism ahoy (Score:5, Insightful)
Looking at your response, then, there seems to be no reason what-so-ever to be a white-hat.
Honestly, if you're going to get the book thrown at you, fucking make it worth it. Destroy those phenomenally expensive research projects.
I mean, after all, if he's going to get punished for things like this, it's better off at least feeling the satisfaction of really dicking someone over. I mean, if they're going to fuck your life up for the end of all days, you may as well have done it to them first. At least then you have "an eye for an eye".
Right now you have "an eye for a paper showing precisely how I could have taken your eye".
Re:I would never do it. (Score:4, Insightful)
People like you create "fail upward" workforces. (Score:5, Insightful)
Someone equally or more competent than your own staff tested your infrastructure, found its flaws, and gave you a free report on it, and you're going to beat them over the head.
This "law uber alles" authoritarian streak is what causes most companies to become plagued with "upward failure". The truly competent don't dare to speak inconvenient truths, and the incompetent are given free rein to take advantage.
Bullshit (Score:5, Informative)
From the article: Det. Michel Villeneuve of the Ottawa Police high-tech crime unit said yesterday that a suspect used Keylogger software and magnetic stripe-card reader software to acquire students' information.
Using keylogger software is not White hat material sorry. You install a keylogger on a random machine and watch people come in and access their email / student accounts and then later go "me l33t haxor?"
Computing access in schools is a privilege and I see an abuse of privilege here by installing keyloggers. Sorry but physical access to machines means all security is out of the window. Sure the admins can install a variety of tools to detect keyloggers but there's always going to be one program that will escape detection.
Should I blame Soulskill? Such a verbose summary and no mention of keylogging software.
You've got some black on your white hat sir. (Score:4, Insightful)
What he did was gray hat and not white hat.
If he had gotten the permission of the school to do security testing first then he would be a white hat. He had good intentions, but by breaking into a system he didn't own without the owner's permission he broke the law.
-Jim Bastard
Doing the right thing (Score:3, Interesting)
Your old school did, indeed, do the right thing. This one is not. The guy came forward with what he discovered, in good faith! It gives them the opportunity of preventing a malicious person from causing real damage... and they are going to punish him for this? That's just wrong.
In fact, it could theoretically turn many others into "black hats" that will go after them, just because they were so hard-nosed with this guy who was, let's be honest, doing them a favor!
Time for that school to get a clue. I'm really disappointed in their actions.
Should have submitted it anonymously (Score:5, Insightful)
He should have just submitted the 16 page paper anonymously. If he was truly trying to do a purely good deed, there shouldn't have been any need for his name to appear on it for the purposes of fame or positive retribution.
Given the number of previous incidents similar to this, one would have thought he'd have been aware that this is almost always the outcome. Try entering into a store after hours (when closed) without due permission, without stealing anything and reporting how you did it. Compare the outcome.
terms of use (Score:5, Insightful)
Well said (Score:3, Insightful)
Not only did he break rules but he did it maliciously (no grey area here) when he used keyloggers. I can see what would happen if I did the same thing where I work - they'd fire me, throw my ass in a federal pound me in the ass prison and generally my life would be ruined.
What we have here is not a hacker, not a white hat or a black hat hacker. We have a script kiddie. Sadly most of the posters before you seem to have already started making a hero out of this "vigilante".
As a student of Carleton... (Score:5, Informative)
I can tell you firsthand that the administration did not take kindly to this.
With regards to the magnetic stripe thing, it's not surprising that those in charge reacted strongly and sharply. We had recurrent incidents on campus last year with sexual assault and they had to lock down all the residences and the labs, and as such, they took great pains to inform the students who had access cards for the suite residences that they would not, in fact, be in danger, be it financial or otherwise.
Ah, so administration ego safety! hurray! (Score:5, Insightful)
it's not surprising that those in charge reacted strongly and sharply. We had recurrent incidents on campus last year with sexual assault and they had to lock down all the residences and the labs, and as such, they took great pains to inform the students who had access cards for the suite residences that they would not, in fact, be in danger, be it financial or otherwise.
you have to love an administration which cares more about their ego than the rape targets they were trying to help.
Mag cards are worthless (Score:5, Interesting)
When I was a grad student, the lab in the education department asked me to implement a "fast, simple" method of pulling up student records. I bought them a cheap mag-strip reader and wrote a little script that would grab the Student ID from the card, then submit it to their campus information system. The lab manager (who was not a tech) was shocked that it worked. He assumed the information on the card would be encrypted or something.
That same year a buddy of mine who worked for IT services put together a demo of how easily the mag cards could be forged - with less than $100 + a cheap laptop. His bosses were impressed and asked him to demo it for one of the VPs. When he did, the VP told him, "You know, you're on thin ice here. You could get in a lot of trouble for this."
In essence, the administration (who purchased the card systems) didn't want to know if they were secure. They just wanted to give the impression of security.
Overreaction? (Score:4, Insightful)
We had recurrent incidents on campus last year with sexual assault and they had to lock down all the residences and the labs, and as such, they took great pains to inform the students who had access cards for the suite residences that they would not, in fact, be in danger, be it financial or otherwise.
If your school is locking everything down thanks to sexual assault, because of the nature of the crime, they're obviously not thinking straight. That is a reactive measure and only instills panic. In the case of a shooting however, that can be a proactive measure to ensure that more people aren't harmed.
In other news (Score:5, Insightful)
Mr. Johnson was recently arrested after finding Mr. Smith's front door unlocked.
Mr. Johnson snuck into Mr. Smith's home and watched Mr. Smith sleeping for several hours.
Afterwards Mr. Johnson provided a detailed account of how Mr. Smith had left his front door insecure and ways to better secure the front door.
Mr. Smith wasn't amused by the report and had Mr. Johnson arrested for trespassing and breaking and entering.
Mr Johnson's defense is grounded in the fact he was helping Mr. Smith become a better home owner by sneaking into Mr. Smith's house.
-----
You now realize how stupid you sound when you defend someone under these circumstances. This whole White Hat nonsense is about as intelligent as the statement, "Well your honor his front door was unlocked, and obviously I should be allowed to go in there as long as I don't break anything, after all if he didn't want people in there he should have locked his door at the very least..."
Put him in jail and maybe these adult children will grow up.
Look, People, This is REALLY SIMPLE... (Score:5, Insightful)
Bottom line: it's only White Hat if the "target" asks you to perform the security audit. Pure and simple. Anything else is at best Grey Hat, and that gets you subject to prosecution at the target's discretion. Period.
This kind of stuff is in a completely different category than analyzing the theoretical weaknesses of a system. Or even cracking software/etc on your personal equipment. Or demonstrating faulty design in a [ahem] subway system WITHOUT HAVING TO SCREW WITH THE SYSTEM. Once you start abusing other people's stuff without permission, I couldn't care less if you were Mary Poppins. IT AIN'T YOURS, SO KEEP YOUR FINGERS OFF IT.
This isn't Investigative Journalism. Which at least has standards of ethics and conduct.
People, quit glorifying these idiots.
How would you feel? (Score:4, Interesting)
It's late at night. You're still up messing around on your computer. It is otherwise very quiet.
Suddenly, you hear weird noises at your door. It's not an animal... it's something working at the keyhole.
At this point, some of you are already reaching for a gun, a baseball bat, something. Others are calling 9-11. Whatever is going on, it isn't right.
If for some reason, you just go to the door and open it to see who is there, would you feel friendly to this guy if he smiles and says "I am doing you a favor!"
Okay, this isn't parallel enough...
How about you came home from work to find a note on the inside of your home explaining "Hi, I got into your home but I didn't take anything. Here is how I did it and what I saw." Come on! How creepy is that?!
What this guy did was a classic security breach... the kind everyone is already afraid of... the kind that always gets headlines when "personal information is exposed." In some stupid way, maybe he had some twisted idea that he was doing something noble or scholarly. But in the real world, we already know there is a balance between security and convenience. Once in a while, people need to be reminded that the balance is often set too far in favor of convenience, but this guy did too much. Stopping at "I was able to install a keylogger on this system, ran a test or two and disabled it. The log files are here for examination. The information on this computer and accessible through this computer is vulnerable." would have more than sufficed... but even then, it's a bit too much. Perhaps it would have been better to simply place an "Out of Order" sign on the computer to prevent anyone from using it.
There is a difference between noticing that someone left a door unlocked and telling someone and actually going in and rummaging about and writing up a big report on the topic.
He needs a slap on the wrist for this. No doubt about it. But nothing permanent... this time...maybe. Some people actually lack some impulse controls in their personalities and get giddy at the notion that they have some power or superiority over others. Some people are just broken that way.
Re:I'd love to see them poll a jury on this (Score:5, Insightful)
No, breaking in via a keylogger and a magstripe reader is the same as stealing your neighbor's keys, making a copy, poking around his house while he's out, and then telling him that he needs better security.
Re:I'd love to see them poll a jury on this (Score:5, Insightful)
Except he didn't "alert his neighbor". He opened the door (which he has no business even trying to do in the first place), and then rifled through the neighbor's desk, refrigerator, garage, and basement. Before leaving he made a copy of the front door key, installed taps on the phones, a webcam in the bathroom. Then he told the neighbor that his door was unlocked, his checkbook needed balancing, his taste in soda abominable, his garage was a mess, and the furnace filters needed cleaning.
Re:No harm, no foul (Score:5, Insightful)
Exactly, if the law were balanced in this area the case will probably be thrown out (if it even reached court) and the student let-off. I bet he gets a prison sentence, or harsh fine and community service. Worst of all he'll have a criminal record, meaning he might not be able to get a job. Is one other person on the dole -- when their crime is nothing more than curiosity and a desire to help -- useful to society?
It's not just the university admins who have a bad attitude, it's all society that have been conditioned to believe the hacking == terrorism meme.
I would suggest that any prospective students reading this politely contact this university and explain why you will not be choosing them. Same for any parents whose kids might be thinking of going to Carleton.
Do have some pity for those admins though: they're probably just MCSE's.
Re:No harm, no foul (Score:5, Insightful)
Ya know, if he saw a flaw (and obviously there was something wrong since he installed a keylogger on at least one university computer) he should have reported it to the IT department. He decided to act and break the law so he should man up and face the consequences.
At the absolute most, he should have stopped after installing the keylogger and reported that to the IT department. He could have even reported it anonymously. The fact that he then took account information and accessed people's accounts goes way over the line.
Re:No harm, no foul (Score:5, Insightful)
Yes, but the difference is that it was the university's own department. It's not just any organization. Students, by definition, are going to make some bad decisions along the way, and one of a university's jobs is to minimize the damage of those decisions so that a student can benefit from learning from their mistakes.
It's one of the reasons colleges like to have "campus police" rather than real police: keep everything "in the family" and out of the "rap sheets" where possible.
Academic sanctions, sure. But involving law enforcement where no significant damages have occurred shows a serious lack of judgment somewhere in the administration. I would emphatically not recommend attending any school which prefers to make an example of someone over protecting their students from making life-altering mistakes.
Re:No harm, no foul (Score:5, Interesting)
Parent
Re:No harm, no foul (Score:4, Insightful)
University is for learning and documenting what you know for others to use, not for fearing that you might anger some incompetent sysadmin.
From TFA: This is the second time Carleton has dealt with hackers in recent months. In late July, a hacker broke into the e-mail system.
Let us agree on the incompetence. This is their second incident in 3 months.
Parent
keyloggers on student laptops is not hacking ... (Score:5, Insightful)
At first I was sympathetic ... but a moment's thinking changed my mind. The guy deserves a criminal record, and to be expelled.
Think about it for a second. You don't install a keylogger on a server and then capture logins from students from remote machines ... the keyloggers were installed on the students' laptops. This is NOT "hacking" or "cracking" the university's computers. He installed keyloggers on up to 37 other students' laptops to capture their login info.
How would you react if someone installed a keylogger on YOUR laptop? And dozens of others? Whether he took
This isn't Soviet Russia - laptops don't (or shouldn't) log YOU!
If he had physically assaulted 37 students, rather than compromising their laptops and account info, he'd be in jail. Ditto if he had vandalized their cars, instead of their laptops. But looking at the comments, it's okay to screw with other people's property if you want to look 1337 to your peers.
Expulsion is the least the university can (and should) do, as well as pursuing criminal charges.
Parent
Re:keyloggers on student laptops is not hacking .. (Score:4, Informative)
Think about it for a second. You don't install a keylogger on a server and then capture logins from students from remote machines ... the keyloggers were installed on the students' laptops. This is NOT "hacking" or "cracking" the university's computers. He installed keyloggers on up to 37 other students' laptops to capture their login info.
Not necessarily their laptops. A lot of universities have computers available for student use and that does not mean he set up a keylogger on a server. Contrary to popular belief, many students don't own or at least don't carry their laptop around campus with them.
Parent
Re:No harm, no foul (Score:4, Interesting)
Is it really that hard to get a job in some places if you have a criminal record? I have a record - for Phreaking of all things (actually, the charge was "Obtains other service credit by fraud"), and it has never had any effect on my ability to find work. Most employers don't ask, and the very few that have have just said, "well, you were young, and it shows technical aptitude" or something along those lines and then never mentioned it again.
Note: I don't live in the US, nor have I ever applied for a job in that country, so it might (or might not be) just a US thing.
Parent
Re:No harm, no foul (Score:5, Interesting)
No, some anger is justified. The Morris Worm was not written to ruin systems, it was written to probe them and report its results. Nevertheless, it brought down UNIX servers worldwide because it was badly written. Doing 'harmless' security cracks against a badly secured network can in fact trash that network, by accident, as you tweak local settings in 'harmless' ways.
As well meant as it was, this is why you don't put your name on that paper about the flaws. You send copies to the core administrators and money providing bureaucrats, from their own email accounts, and possibly to the staff of the school newspaper.
Parent
Re:No harm, no foul (Score:4, Interesting)
It is worth noting that, despite the pain caused by Robert T. Morris with the release of his worm and the criminal record that followed, he has managed to find productive work (currently a professor at MIT).
Perhaps it is a good reminder that while punishment may be appropriate, it is not necessarily good for society to punish people continuously for past misdeeds.
Parent
No damage? Really? (Score:4, Informative)
Actually, did you read the article? The bottom line is that he revealed account information on students to multiple people who were not in the position to fix any problems (including other students via e-mail).
White hat hacking, my ass.
He used a keylogger and magnetic card reader to capture the information to break into accounts. After that, he sent the 16-page paper (which WAS sent under a pseudonym, since people keep suggesting that) not to a system administrator or someone who could deal with it quietly, but instead to a secretary, and eventually he e-mailed it to 37 other students. Fantastic move, that. Included in the paper was the personal account information of the students. So yes, he revealed the account information of his victims to other people.
Maybe he had good intentions, but that puts him pretty firmly in the "Please, prosecute me!" camp. If he'd revealed information on me that allowed someone to make campus purchases as me as well as check my school records and access my email, I'd be pressing charges too.
Maybe there was no damage to the university's infrastructure that we know about, but I'm pretty sure that those students would have been damn lucky if no one went into their accounts and took advantage of them, the way he handled it. And THAT, my friend, is why he's being charged.
Parent