Education Security Your Rights Online

University Brings Charges Against White Hat Hacker

aqui writes "A university student at Carleton is learning that no good deed goes unpunished. After hacking into what was probably a not-so-secure university network, this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive. The university should spend money on hiring some admins with better computer skills and teaching skills rather than paying lawyers. In the Engineering department at my old university, the unofficial policy was that when you broke in, didn't damage anything, and reported the problem and how you broke in, they didn't charge you (if you maliciously caused damage, you usually faced academic sanctions). In some cases, the students were hired or they 'volunteered' for the summer to help secure the servers or fix the hole they found. The result was that Engineering ended up with one of the most secure systems in the university." Read on for the rest of aqui's comments.
aqui continues: "The truth is, some university students are going to have the desire to hack something, and not all of them have the judgment to stay out of trouble. If you acknowledge that and catch them inside the university, you can straighten them out before they wreck their lives, and teach them to be white hats. Rather than creating a hostile environment where people may become black hats, you create an environment where you guide them in the right direction to being good computer security professionals. For every hacker they catch, there's probably at least one that they don't know about. I can imagine that a number of those hackers at Carleton are now seeing the university as the enemy for burning 'one of their own,' and some of them may become malicious to get even. If the student's intentions were good - which they appear to be - I can't help but feel sorry for the guy."
  • Bullshit (Score:5, Informative)

    by atari2600 ( 545988 ) on Saturday September 13, 2008 @01:48AM (#24987899)

    From the article: Det. Michel Villeneuve of the Ottawa Police high-tech crime unit said yesterday that a suspect used Keylogger software and magnetic stripe-card reader software to acquire students' information.

    Using keylogger software is not White hat material sorry. You install a keylogger on a random machine and watch people come in and access their email / student accounts and then later go "me l33t haxor?"

    Computing access in schools is a privilege and I see an abuse of privilege here by installing keyloggers. Sorry but physical access to machines means all security is out of the window. Sure the admins can install a variety of tools to detect keyloggers but there's always going to be one program that will escape detection.

    Should I blame Soulskill? Such a verbose summary and no mention of keylogging software.

  • by Joelfabulous ( 1045392 ) on Saturday September 13, 2008 @02:11AM (#24988009)

    I can tell you firsthand that the administration did not take kindly to this.

    With regards to the magnetic stripe thing, it's not surprising that those in charge reacted strongly and sharply. We had recurrent incidents on campus last year with sexual assault and they had to lock down all the residences and the labs, and as such, they took great pains to inform the students who had access cards for the suite residences that they would not, in fact, be in danger, be it financial or otherwise.

  • Re:Wake up please. (Score:5, Informative)

    by pizzach ( 1011925 ) <pizzachNO@SPAMgmail.com> on Saturday September 13, 2008 @02:19AM (#24988061) Homepage

    No, technically, he did the illegal thing, and thus is getting punished. Whether it's wrong is up for debate. I can see how someone could think it was wrong, or morally neutral but stupid, or perfectly fine.

    Whether it's wrong and if the punishment was extremely excessive is up to debate. Premeditated murder, manslaughter by negligence, and Murder in the name of self defense can warrant totally different outcomes. It looks to me in this case intent is being totally ignored.

  • Re:Wake up please. (Score:5, Informative)

    by grahamd0 ( 1129971 ) on Saturday September 13, 2008 @03:05AM (#24988331)

    > Premeditated murder, manslaughter by negligence, and Murder in the name of self defense can warrant totally different outcomes.

    Murder is the illegal killing of another human being.

    If it's legal for you to defend yourself with deadly force then it is, by definition, not murder.

    If you are in a jurisdiction where it isn't legal to defend yourself then the fact that you were defending yourself is irrelevant.

  • by KGIII ( 973947 ) * <uninvolved@outlook.com> on Saturday September 13, 2008 @04:20AM (#24988673) Journal

    It is quite likely that Canada has similar laws in effect.

  • Re:Seriously? (Score:3, Informative)

    by Xugumad ( 39311 ) on Saturday September 13, 2008 @06:25AM (#24989093)

    > Breaking and entering to prove a point != Whitehat hacking

    How is it not? Because one's breaking into a computer and one's breaking into a house?

    This guy could have written some software that popped up "keylogger!" after someone logged in, and found a member of staff to show. Or he could have found a member of staff, and demonstrated logging his own password and magstripe.

    Instead, he accessed THIRTY TWO different student accounts. Really, how many do you need to test to be sure it works?

  • Re:No harm, no foul (Score:3, Informative)

    by bev_tech_rob ( 313485 ) on Saturday September 13, 2008 @06:52AM (#24989175)

    More than likely a U.S. thing. On your employment application, they typically ask you "have you ever been convicted of a felony, etc, etc". If you answer 'yes', you won't get the job. If you answer 'no', they typically run a background check on you (especially if it is a government job or a bank for instance). If they discover you lied on your application, you are fired on the spot.....

  • Re:Wake up please. (Score:1, Informative)

    by Anonymous Coward on Saturday September 13, 2008 @07:30AM (#24989281)

    > If you are in a jurisdiction where it isn't legal to defend yourself then the fact that you were defending yourself is irrelevant.

    It is only legal once all the facts are examined by a judge and/or jury, and agrees that "deadly force" was a reasonable defense given the situation.

    If you kill someone, you can certainly find yourself in court. The outcome is determined by the totality of the facts, not by the exclusive opinion of the person who did the killing.

    Welcome to America.

  • by erroneus ( 253617 ) on Saturday September 13, 2008 @08:56AM (#24989647) Homepage

    How about if the analogy was a car? Or more directly, how about where you work?

    The point I am driving home is that not only was "a computer network" broken into or entered without proper authority, but someone's very realm of personal interest and responsibility was also invaded.

    My office was broken into one day not long ago. "Nothing was taken" but file cabinets of executive offices showed signs of being damaged and possibly entered. Every last person who works there was given lifelock service and every last person who works there felt violated.

    And don't pretend that if someone invaded YOUR computer system(s) that you too wouldn't feel violated and I doubt you would feel a sense of forgiveness or appreciation for pointing out you have a weakness.

  • No damage? Really? (Score:4, Informative)

    by shalla ( 642644 ) on Saturday September 13, 2008 @09:55AM (#24989961)

    Actually, did you read the article? The bottom line is that he revealed account information on students to multiple people who were not in the position to fix any problems (including other students via e-mail).

    White hat hacking, my ass.

    He used a keylogger and magnetic card reader to capture the information to break into accounts. After that, he sent the 16-page paper (which WAS sent under a pseudonym, since people keep suggesting that) not to a system administrator or someone who could deal with it quietly, but instead to a secretary, and eventually he e-mailed it to 37 other students. Fantastic move, that. Included in the paper was the personal account information of the students. So yes, he revealed the account information of his victims to other people.

    Maybe he had good intentions, but that puts him pretty firmly in the "Please, prosecute me!" camp. If he'd revealed information on me that allowed someone to make campus purchases as me as well as check my school records and access my email, I'd be pressing charges too.

    Maybe there was no damage to the university's infrastructure that we know about, but I'm pretty sure that those students would have been damn lucky if no one went into their accounts and took advantage of them, the way he handled it. And THAT, my friend, is why he's being charged.

  • by SilverJets ( 131916 ) on Saturday September 13, 2008 @10:35AM (#24990289) Homepage

    > Think about it for a second. You don't install a keylogger on a server and then capture logins from students from remote machines ... the keyloggers were installed on the students' laptops. This is NOT "hacking" or "cracking" the university's computers. He installed keyloggers on up to 37 other students' laptops to capture their login info.

    Not necessarily their laptops. A lot of universities have computers available for student use and that does not mean he set up a keylogger on a server. Contrary to popular belief, many students don't own or at least don't carry their laptop around campus with them.

  • by dskoll ( 99328 ) on Sunday September 14, 2008 @03:18AM (#24996673) Homepage

    He broke the law and stole 32 students' passwords. That's not "White Hat". White Hat would have been to publish his findings without actually stealing the passwords.