
University Brings Charges Against White Hat Hacker

aqui writes "A university student at Carleton is learning that no good deed goes unpunished. After hacking into what was probably a not-so-secure university network, this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive. The university should spend money on hiring some admins with better computer skills and teaching skills rather than paying lawyers. In the Engineering department at my old university, the unofficial policy was that when you broke in, didn't damage anything, and reported the problem and how you broke in, they didn't charge you (if you maliciously caused damage, you usually faced academic sanctions). In some cases, the students were hired or they 'volunteered' for the summer to help secure the servers or fix the hole they found. The result was that Engineering ended up with one of the most secure systems in the university." Read on for the rest of aqui's comments.
aqui continues: "The truth is, some university students are going to have the desire to hack something, and not all of them have the judgment to stay out of trouble. If you acknowledge that and catch them inside the university, you can straighten them out before they wreck their lives, and teach them to be white hats. Rather than creating a hostile environment where people may become black hats, you create an environment where you guide them in the right direction to being good computer security professionals. For every hacker they catch, there's probably at least one that they don't know about. I can imagine that a number of those hackers at Carleton are now seeing the university as the enemy for burning 'one of their own,' and some of them may become malicious to get even. If the student's intentions were good - which they appear to be - I can't help but feel sorry for the guy."
  • The Politics (Score:5, Insightful)

    by D Ninja ( 825055 ) on Saturday September 13, 2008 @01:48AM (#24987891)

    this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive.

    So, I agree with you. Someone who took the time to show flaws in the system should not be punished (at least not to this extent).

    However, here's probably what happened.

    1. Someone received the 16 page write-up. They took it to the sys admins.

    2. The system administrators, WHO WANT TO KEEP THEIR JOB, are going to go into a tirade of how he subverted their systems and purposely used "nefarious methods" to break system security, etc, etc. Basically, it's politics here - they don't want to look bad and/or lose their job so they will do everything in their power to make him look like a bad guy (which, to some extent, he is).

    3. So, sys admins may have suggested some legal action to protect the school and make an example of him. (Or someone higher up may have.) The reason someone higher up may have done this is because they want to protect the school's image. Knowing that their system was weak could really hurt a school which is a business.

    Basically, all of this is politics. All of it. Technically, the kid did the right thing by reporting what he found (although, quite honestly, he probably shouldn't have been there in the first place without asking permission). But, he didn't think through how other people were going to see his actions. You *always* have to think about the politics.

  • Realism ahoy (Score:4, Insightful)

    by stonecypher ( 118140 ) <stonecypher@noSpam.gmail.com> on Saturday September 13, 2008 @01:48AM (#24987893) Homepage Journal

    Yes, anyone should be able to break the law and then get off scot-free by claiming it was in the public best interest. Never mind the cost of the sudden campus-wide security lockdown, never mind that IT staff may have lost their jobs, never mind the people now losing sleep because they don't know how to handle things. Never mind the risk incurred in that if he caused outages he could have disrupted phenomenally expensive research projects. Never mind that most whitehats leave doors open behind them.

    He meant well.

    He deserves what he got. Quit trying to make heroes out of everyone looking at jail time. Jesus.

  • by Anonymous Coward on Saturday September 13, 2008 @01:49AM (#24987901)

    What he did was gray hat and not white hat.

    If he had gotten the permission of the school to do security testing first then he would be a white hat. He had good intentions, but by breaking into a system he didn't own without the owner's permission he broke the law.

    -Jim Bastard

  • Wake up please. (Score:1, Insightful)

    by stonecypher ( 118140 ) <stonecypher@noSpam.gmail.com> on Saturday September 13, 2008 @01:51AM (#24987919) Homepage Journal

    Technically, the kid did the right thing by reporting what he found

    No, technically he did the wrong thing by breaking into the network. This isn't complicated. If he technically did the right thing, he wouldn't be technically looking at jail time. This isn't a pity party. He did a bad thing and he's getting punished. Simple as pie.

    If some asshat broke into one of my servers then told me how, I'd send his ass to jail too. If he contacted me and said "I would like to break into your server then I'll tell you how", I'd pay him to do it under controlled circumstances. However, if he just up and did it one day, it would cost me tens of thousands of dollars in cleanup.

    I can't imagine why you think this was in any way a good idea.

  • by magarity ( 164372 ) on Saturday September 13, 2008 @01:56AM (#24987939)

    No, breaking in via a keylogger and a magstripe reader is the same as stealing your neighbor's keys, making a copy, poking around his house while he's out, and then telling him that he needs better security.

  • by jeevesbond ( 1066726 ) on Saturday September 13, 2008 @01:59AM (#24987953) Homepage

    No harm, no foul

    Exactly, if the law were balanced in this area the case would probably be thrown out (if it even reached court) and the student let off. I bet he gets a prison sentence, or a harsh fine and community service. Worst of all he'll have a criminal record, meaning he might not be able to get a job. Is one other person on the dole -- when their crime is nothing more than curiosity and a desire to help -- useful to society?

    It's not just the university admins who have a bad attitude, it's all of society that has been conditioned to believe the hacking == terrrism meme.

    I would suggest that any prospective students reading this politely contact this university and explain why you will not be choosing them. Same for any parents whose kids might be thinking of going to Carleton.

    Do have some pity for those admins though: they're probably just MCSE's.

  • Re:Realism ahoy (Score:2, Insightful)

    by Harry Balzack ( 1291328 ) on Saturday September 13, 2008 @02:01AM (#24987955)
    Just because it's some computer savvy person doesn't make his actions above the law. A robber could advance the same argument: "I robbed you just to prove to you that (you) should take your personal safety more seriously" Sorry, that dog don't hunt!
  • by inflex ( 123318 ) on Saturday September 13, 2008 @02:06AM (#24987973) Homepage Journal

    He should have just submitted the 16 page paper anonymously. If he was truly trying to do a purely good deed, there shouldn't have been any need for his name to appear on it for the purposes of fame or positive retribution.

    Given the number of previous incidents similar to this, one would have thought he'd have been aware that this is almost always the outcome. Try entering into a store after hours (when closed) without due permission, without stealing anything and reporting how you did it. Compare the outcome.

  • Re:The Politics (Score:4, Insightful)

    by drakethegreat ( 832715 ) on Saturday September 13, 2008 @02:07AM (#24987983) Homepage
    Part of the issue here is that just because he submitted a write up on what he claims he did doesn't mean he didn't leave a backdoor. Chances are he didn't but until they analyze everything (which takes forever given the number of servers a university department has), how do they know? It could be a way of covering tracks. Look at it this way: you got home one day and found a 16 page write-up about how a guy broke into your house, disabled the motion detector, and finally videotaped it all. How would you feel? Jail is beyond what I would do personally but I'm pretty sure I wouldn't be peachy about such a kind gesture.
  • terms of use (Score:5, Insightful)

    by jschen ( 1249578 ) on Saturday September 13, 2008 @02:08AM (#24987991)
    The student almost certainly signed an agreement stating the terms of use for the university network. And he almost certainly broke that agreement. If that's the case, then I don't see how the university's response is wrong.
  • Re:Wake up please. (Score:1, Insightful)

    by profplump ( 309017 ) <zach-slashjunk@kotlarek.com> on Saturday September 13, 2008 @02:09AM (#24987997)

    I'm not saying it was a good idea, but there's no evidence that he caused one cent of damage or required anyone to do any cleanup. Maybe he did, but it sure doesn't say that in the article.

    I'm pretty sure if someone contacted you and told you they'd show you vulnerabilities in your system for a fee your lawyers would tell you to press charges for extortion.

    But hey, don't let reality ruin your hypothetical hate session.

  • Re:Wake up please. (Score:5, Insightful)

    by porcupine8 ( 816071 ) on Saturday September 13, 2008 @02:09AM (#24988001) Journal
    No, technically, he did the illegal thing, and thus is getting punished.

    Whether it's wrong is up for debate. I can see how someone could think it was wrong, or morally neutral but stupid, or perfectly fine.
  • Well said (Score:3, Insightful)

    by atari2600 ( 545988 ) on Saturday September 13, 2008 @02:17AM (#24988031)

    Not only did he break rules but he did it maliciously (no grey area here) when he used keyloggers. I can see what would happen if I did the same thing where I work - they'd fire me, throw my ass in a federal pound-me-in-the-ass prison, and generally my life would be ruined.

    What we have here is not a hacker, not a white hat or a black hat hacker. We have a script kiddie. Sadly most of the posters before you seem to have already started making a hero out of this "vigilante".

  • Re:Realism ahoy (Score:5, Insightful)

    by Skye16 ( 685048 ) on Saturday September 13, 2008 @02:17AM (#24988035)

    Looking at your response, then, there seems to be no reason what-so-ever to be a white-hat.

    Honestly, if you're going to get the book thrown at you, fucking make it worth it. Destroy those phenomenally expensive research projects.

    I mean, after all, if he's going to get punished for things like this, it's better off at least feeling the satisfaction of really dicking someone over. I mean, if they're going to fuck your life up for the end of all days, you may as well have done it to them first. At least then you have "an eye for an eye".

    Right now you have "an eye for a paper showing precisely how I could have taken your eye".

  • Re:Wake up please. (Score:5, Insightful)

    by iminplaya ( 723125 ) on Saturday September 13, 2008 @02:18AM (#24988039) Journal

    Your desire for vengeance will only serve to drive the next guy underground. I certainly would know better than to come forward in a world with an attitude such as yours. You all are so quick with your "lock 'em up" bullcrap.

  • by SilverJets ( 131916 ) on Saturday September 13, 2008 @02:18AM (#24988045) Homepage

    Ya know, if he saw a flaw (and obviously there was something wrong since he installed a keylogger on at least one university computer) he should have reported it to the IT department. He decided to act and break the law so he should man up and face the consequences.

    At the absolute most, he should have stopped after installing the keylogger and reported that to the IT department. He could have even reported it anonymously. The fact that he then took account information and accessed people's accounts goes way over the line.

  • Re:Wake up please. (Score:5, Insightful)

    by glitch23 ( 557124 ) on Saturday September 13, 2008 @02:18AM (#24988049)

    If some asshat broke into one of my servers then told me how, I'd send his ass to jail too. If he contacted me and said "I would like to break into your server then I'll tell you how", I'd pay him to do it under controlled circumstances. However, if he just up and did it one day, it would cost me tens of thousands of dollars in cleanup.

    So just because someone asks beforehand means you can trust them to not require a cleanup afterwards? What kind of arbitrary logic is that? If you don't trust them and that's why you want it done under controlled conditions such that everything they do is recorded then you may as well do it yourself. Someone who doesn't ask isn't necessarily malicious as in this case but someone who does ask can still be malicious. You just have a better chance of the person(s) not being malicious if they do ask but there are exceptions on both sides of the situation.

  • Get real (Score:2, Insightful)

    by taustin ( 171655 ) on Saturday September 13, 2008 @02:25AM (#24988103) Homepage Journal

    "The truth is, some university students are going to have the desire to hack something."

    The truth is, some university students are going to have the desire to light things on fire, too. How many buildings do we let them practice on before we arrest them?

    The truth is, the kid broke the law, and it is nearly inconceivable that he didn't know it at the time he did it. For every hacker they know about, there may well be at least one more they don't know about. But for every hacker they crucify, there will be dozens who think twice before breaking the law.

  • by reddburn ( 1109121 ) <[moc.liamg] [ta] [1nrubder]> on Saturday September 13, 2008 @02:27AM (#24988109)
    We need more information. If, for instance, he even looked at another student's Family Educational Rights and Privacy Act (FERPA) protected information, then the school must, by law, prosecute him. Uncle Sam doesn't mess around when it comes to assessing penalties - schools with violations can lose federal funding (including grants).

    If he was poking around in an area that made any student information not considered "directory information" (address, campus box, telephone, degree, or e-mail address) accessible, then they had no choice. And ignorance is no excuse - they shove FERPA down the kiddies' throats when they arrive, just to make sure they know that mommy and daddy can't meet with professors.
  • by plasmacutter ( 901737 ) on Saturday September 13, 2008 @02:27AM (#24988113)

    Someone equally or more competent than your own staff tested your infrastructure, found its flaws, and gave you a free report on it, and you're going to beat them over the head.

    This "law uber alles" authoritarian streak is what causes most companies to become plagued with "upward failure". The truly competent don't dare to speak inconvenient truths, and the incompetent are given free rein to take advantage.

  • Re:Wake up please. (Score:5, Insightful)

    by Anonymous Coward on Saturday September 13, 2008 @02:27AM (#24988115)

    I was that kid 15 years ago, when I was a teenager, and the IT department and CS staff chose to point me in the right direction. Now I don't do any hacking, or any other illegal, scandalous, shady or immoral activity other than wasting time on Slashdot. I am, on the other hand, a practicing engineer and making the world a better place. If I were treated like this kid, I'd still be in nowheresville. Is the university doing what's legal? Yes. Are they doing what's moral? Fuck no.

  • by plasmacutter ( 901737 ) on Saturday September 13, 2008 @02:31AM (#24988137)

    it's not surprising that those in charge reacted strongly and sharply. We had recurrent incidents on campus last year with sexual assault and they had to lock down all the residences and the labs, and as such, they took great pains to inform the students who had access cards for the suite residences that they would not, in fact, be in danger, be it financial or otherwise.

    you have to love an administration which cares more about their ego than the rape targets they were trying to help.

  • Re:Wake up please. (Score:1, Insightful)

    by Anonymous Coward on Saturday September 13, 2008 @02:37AM (#24988163)

    Sorry, but I have to question your abilities as a System Admin if you've gone to the extremes of securing your servers in all the appropriate manners, yet you still cry foul if you are hacked.

    That means the person doing the hacking knows more about exploits that are probably unknown to the software community of the package in question, is obviously out of your league in terms of skill, and is obviously malicious.

    There is no endpoint in System Administration. It is a constant battle, and YOU SHOULD KNOW THAT, if you are indeed a System Admin. To think that sending some white/black hat to jail or whatever somehow lessens the constant target that are your systems is ludicrous. WAKE UP. The threat is still there no matter how many 'hackers' you think you can put away.

  • Re:Wake up please. (Score:1, Insightful)

    by Anonymous Coward on Saturday September 13, 2008 @02:37AM (#24988169)

    Anytime a system is compromised you *must* clean it up. You have no idea what might be there, even if he sent a 16 page paper saying what he did. You must assume that he left stuff out.
     
    And how many systems are connected to this system? Unless there are additional protections, you can't trust them either. And so on. If this happened at my work, we'd be talking hundreds to thousands of machines that would have to be wiped of everything and restored. That's more than a trivial cost.

  • by Anonymous Coward on Saturday September 13, 2008 @02:40AM (#24988193)

    FE-what? Uncle who? I think you're talking about another country..

  • In other news (Score:5, Insightful)

    by kenp2002 ( 545495 ) on Saturday September 13, 2008 @02:43AM (#24988201) Homepage Journal

    Mr. Johnson was recently arrested after finding Mr. Smith's front door unlocked.

    Mr. Johnson snuck into Mr. Smith's home and watched Mr. Smith sleeping for several hours.

    Afterwards Mr. Johnson provided a detailed account of how Mr. Smith had left his front door insecure and ways to better secure the front door.

    Mr. Smith wasn't amused by the report and had Mr. Johnson arrested for trespassing and breaking and entering.

    Mr Johnson's defense is grounded in the fact he was helping Mr. Smith become a better home owner by sneaking into Mr. Smith's house.

    -----

    You now realize how stupid you sound when you defend someone under these circumstances. This whole White Hat nonsense is about as intelligent as the statement, "Well your honor his front door was unlocked, and obviously I should be allowed to go in there as long as I don't break anything, after all if he didn't want people in there he should have locked his door at the very least..."

    Put him in jail and maybe these adult children will grow up.

  • by Anonymous Coward on Saturday September 13, 2008 @02:44AM (#24988213)

    I've noticed that generally, if the admins are worth their salt, you don't need to detail every single step to produce an exploit. Just provide enough information to walk them up to the open door, and let THEM walk through it. In fact, writing 16 pages detailing every step of the way makes them question WHY you were so thorough. It also makes them look bad to their higher-ups because some "punk kid" figured out something they didn't.

    I speak as someone who had a run-in with both high school admins and university network admins. Two distinct cases, but with very different results.

    In HS, a friend installed a homebrew backdoor onto every computer in the HS computer lab. It permitted basic keylogging functions, as well as partial remote control (mostly just starting programs remotely). I just de-backdoored the computer I used for class and let others fend for themselves. When he reinstalled the backdoor on my computer the following week, I turned around and killed the backdoor on every system (it supported a room-wide purge in the event that it needed to be removed quickly). Unfortunately, stopping it also caused an error pop-up on every screen in the lab.. at which point everyone knew something was up (but no one knew it was me who stopped it).

    After class, I went to the admins to report exactly how my friend performed the attack, how my friend installed the backdoor, how I stopped it, etc. I figured I was in the clear because I responded as soon as the problem became visible. The following day, I was called into the principal's office and threatened with expulsion for "hacking the network". I couldn't convince him that I didn't "hack the network", and it didn't matter that I *STOPPED* the hack; I was in trouble because I drew lots of attention to the problem and proved the admin to be an incompetent moron (the backdoor only existed because the admin's password was his userid+1). My friend was never called into the office, nor given any punishment.

    Fast-forward to college: Through a series of (individually) harmless actions, I discovered that one could elevate their user access from "student" to "full time employee" and gain access to a handful of otherwise inaccessible directories (including source for various university projects). As soon as I realized the problem, I went to the admins and e-mailed them personally with a much vaguer description of the problem. I also couched it with terminology that suggested that I didn't know what I was doing ("I think there might be a bug somewhere in X because when I did X a bunch of directories became accessible that weren't before. It also gave me access to what might be the source code for project Y, but I didn't touch it because I don't think I'm supposed to see it. But I think you guys should know that there might be a problem.")

    The admins thanked me, said they'd look into it, and a day or two later the hole was patched. I never had any problems with them, and continued on my merry way through college.

  • by trims ( 10010 ) on Saturday September 13, 2008 @02:45AM (#24988225) Homepage

    Bottom line: it's only White Hat if the "target" asks you to perform the security audit. Pure and simple. Anything else is at best Grey Hat, and that gets you subject to prosecution at the target's discretion. Period.

    This kind of stuff is in a completely different category than analyzing the theoretical weaknesses of a system. Or even cracking software/etc on your personal equipment. Or demonstrating faulty design in a [ahem] subway system WITHOUT HAVING TO SCREW WITH THE SYSTEM. Once you start abusing other people's stuff without permission, I couldn't care less if you were Mary Poppins. IT AIN'T YOURS, SO KEEP YOUR FINGERS OFF IT.

    This isn't Investigative Journalism. Which at least has standards of ethics and conduct.

    People, quit glorifying these idiots.

  • Overreaction? (Score:4, Insightful)

    by thatskinnyguy ( 1129515 ) on Saturday September 13, 2008 @02:48AM (#24988241)

    We had recurrent incidents on campus last year with sexual assault and they had to lock down all the residences and the labs, and as such, they took great pains to inform the students who had access cards for the suite residences that they would not, in fact, be in danger, be it financial or otherwise.

    If your school is locking everything down thanks to sexual assault, because of the nature of the crime, they're obviously not thinking straight. That is a reactive measure and only instills panic. In the case of a shooting however, that can be a proactive measure to ensure that more people aren't harmed.

  • by centuren ( 106470 ) on Saturday September 13, 2008 @03:01AM (#24988315) Homepage Journal

    Typical black hat hacking? Like bringing all the servers down, or taking private information for criminal use? Seriously?

    Student looks around in his university's network. Goes past poorly implemented safeguards, writes about how it can be improved.

    Sounds like an extra credit assignment to me.

  • by DerekLyons ( 302214 ) <fairwater@@@gmail...com> on Saturday September 13, 2008 @03:02AM (#24988321) Homepage

    If this is a crime so is alerting your neighbor that their door is unlocked while they were gone.

    Except he didn't "alert his neighbor". He opened the door (which he has no business even trying to do in the first place), and then rifled through the neighbor's desk, refrigerator, garage, and basement. Before leaving he made a copy of the front door key, installed taps on the phones, a webcam in the bathroom. Then he told the neighbor that his door was unlocked, his checkbook needed balancing, his taste in soda abominable, his garage was a mess, and the furnace filters needed cleaning.

  • Arggg, it's this type of politics bullshit that is holding America back in any technology field that is not cutting edge and pure ideas and rather requires a diverse industry (ie cell phones). Americans can't just look at facts and look forward and rather like harmful trenches and politics. If someone broke into the network and could write a 16 page report on it, the system admins should be forced to quickly implement it (hiring the guy if they need to) or lose their jobs.

    No amount of the blame game will change the fact that their system is insecure and securing it is in everybody's interest and is really the only thing that matters.

    The submitter's policy is exactly what should be used, it reflects real life -- look at that Swiss man that got hundreds of millions and a new identity from the US IRS and Germany for his supposedly black-hat acquired data that uncovered millions in tax fraud.

    Not all black hat work is always bad, however it is on the black-hat himself to both prove this in his case and minimize his damage. This is simply reality.

    Today's black hats do not make noise. Their work does not show up. If you are hacked you probably do not know, and most certainly will not if these type of guys are in charge.

    It is not long till people realize that their personal data has long been available on the market due to bad practices like this and organizations face a backlash. Sadly for both consumers and these organizations, and even the IT guys, they are going to take the childish way out and wait for this to come to them.

    I kinda went off topic, but it's a fundamental thing. **playing this blame game destroys everybody, can make white-hats turn black in disgust with the politics, and will eventually hurt both the general public and the industry greatly**
  • by zippthorne ( 748122 ) on Saturday September 13, 2008 @03:34AM (#24988477) Journal

    Yes, but the difference is that it was the university's own department. It's not just any organization. Students, by definition, are going to make some bad decisions along the way, and one of a university's jobs is to minimize the damage of those decisions so that a student can benefit from learning from their mistakes.

    It's one of the reasons colleges like to have "campus police" rather than real police: keep everything "in the family" and out of the "rap sheets" where possible.

    Academic sanctions, sure. But involving law enforcement where no significant damages have occurred shows a serious lack of judgment somewhere in the administration. I would emphatically not recommend attending any school which prefers to make an example of someone over protecting their students from making life-altering mistakes.

  • Re:Wake up please. (Score:3, Insightful)

    by MikeBabcock ( 65886 ) <mtb-slashdot@mikebabcock.ca> on Saturday September 13, 2008 @03:38AM (#24988483) Homepage Journal

    Oh, sorry, you're in the camp of people who actually believe you won't go to jail for doing the right thing because our laws are perfect and the legal system has no flaws.

    Innocent people do jail time, innocent people are further up on the 'got screwed over by the justice system' list than this guy, so don't go on about how he wouldn't be facing jail time if he'd technically done the right thing.

  • Re:Wake up please. (Score:5, Insightful)

    by Buran ( 150348 ) on Saturday September 13, 2008 @04:02AM (#24988601)

    We can't then turn around and say that we can ignore the laws to make a person not guilty.

    Two words: "Telecoms" and "Wiretapping".

    Try again.

  • Re:Wake up please. (Score:4, Insightful)

    by julesh ( 229690 ) on Saturday September 13, 2008 @04:39AM (#24988731)

    If you are in a jurisdiction where it isn't legal to defend yourself then the fact that you were defending yourself is irrelevant.

    Not necessarily true. The law doesn't treat all acts with the same outcome as being indistinguishable.

    Here in the UK, there is a somewhat limited scope for self-defence as a defence from a murder charge. It wouldn't work in the case where my response was disproportionate to the threat. For instance, if an unarmed man attempts to mug me and I pull a gun and shoot him, even though I can reasonably say I feared for my life, I would probably still be convicted of murder.

    Consider as a contrast, though, a case where I'm walking down the street, see somebody I don't like, pull a gun and shoot them.

    In the latter case, I could expect to spend 20-30 years in prison for my offence. In the former case, I'd be unlikely to be inside for 10.

  • Re:Wake up please. (Score:5, Insightful)

    by Anonymous Coward on Saturday September 13, 2008 @04:39AM (#24988733)

    2. They're not very good at their job if some pinhead waltzes into the network and screws around like that.

    It's not just that. If they responded this way, then it means that they don't want to learn. If you plan to employ them for the long-term, that's just as important as their current skill set.

  • Re:Seriously? (Score:2, Insightful)

    by temugen ( 1247466 ) on Saturday September 13, 2008 @04:54AM (#24988787)
    I would agree with you had he not used a keylogger and a mag-stripe card reader. Those two just cross the line as far as any real white/gray hat hacking (ANY hacking for that matter) is concerned. Neither takes much knowledge or intelligence to operate, and they both require high permissions from the start (access to hardware). If he was finding an SQL injection vuln, an RFI, or software on a listening port that he can crawl through, then I think the situation would be much different, and your opinion would be correct.
  • by wisty ( 1335733 ) on Saturday September 13, 2008 @05:00AM (#24988791)
    OK, so he fucked up. Still, it takes one event like this, and about 100 potential white hats are going to decide that disclosure is a mug's game. Better to break in and steal stuff, or don't bother about security at all. Too few programmers / admins learn security, because it practically makes you a criminal. So who will bother apart from a diminishing number of professional white hats, and an increasing number of professional criminals?
  • Re:Wake up please. (Score:4, Insightful)

    by rtfa-troll ( 1340807 ) on Saturday September 13, 2008 @05:28AM (#24988869)

    He broke in. He caused damage. If you know that a system has been under control of an unauthorised person, any competent system administrator will tell you that the only thing you can do is a) reinstall and b) treat the data on the system as potentially compromised from that point on. That takes work.

    Now, he has many potential arguments:

    • the damage was justified since they weren't taking the care they should do
    • they had such insecure systems that they should treat them as compromised anyway
    • the damage was less than the damage they did to him by keeping his data on insecure systems
    • the damage was much less than they claim

    but the argument that he didn't do damage isn't one of them.

  • Re:The Politics (Score:4, Insightful)

    by Alioth ( 221270 ) <no@spam> on Saturday September 13, 2008 @06:15AM (#24989043) Journal

    Since those days my outfit has started filtering our Web access using http://www.websense.com/ [websense.com]. I recently found a way around the filter, but don't want to report this hole in case the management decide to stop me using this way around the filter.

    There! Fixed that for ya.

  • by master_p ( 608214 ) on Saturday September 13, 2008 @06:59AM (#24989197)

    The real meaning of punishment here, from the University's perspective, is that "don't mess with our systems, or there'll be consequences". It's a punishment to discourage others, who may not be that good, from attempting hacking.

  • by Anonymous Coward on Saturday September 13, 2008 @08:04AM (#24989389)

    obviously there was something wrong since he installed a keylogger on at least one university computer

    Some people around here apparently haven't been to a college in a long time. Colleges are environments for learning and research. Computer systems in colleges are tuned to that purpose, not security. What this guy did was wrong for numerous reasons, but one that I immediately thought of is: "Great, now they're going to lock down their systems even more and make them less useful." College system admins are enablers, not preventers.

  • Re:Wake up please. (Score:1, Insightful)

    by Anonymous Coward on Saturday September 13, 2008 @08:11AM (#24989417)

    You are so right about intent. Ignoring the kid's intent is part of what makes this repugnant.

    Hmm, I suspect under the laws he is charged under, the intent question is simply "did he intend to access a computer system in an unauthorised manner?" and "did he intend to mischief with data?". It appears that he did -- he didn't accidentally break in, and he installed a keylogger which is certainly mischief. That there is no proof he did anything more malicious than that (like selling on any credit card numbers that were typed in on the keylogged computers) means he isn't up for further charges yet, and would presumably be taken into account in any sentencing, but it doesn't necessarily mean the earlier charges have to be dropped. The "hunting for aliens" excuse didn't work so well for Gary McKinnon either.

    This kid acted in an academic sort of way at a university, and that should be fine.

    Not like any academics I know. For instance, the academics in the security department at my uni, working on flaws in Chip&Pin, use their own terminals with their own test data -- they don't break into Sainsbury's in the middle of the night, tamper with their equipment, steal a bunch of customers' details, etc.

    University is not the place where you should have to learn how to deal nicely with incompetent people.

    Oh let's face it -- if you haven't learnt that by the time you've left, you're going to find life really tough in the real world!

    So I find it quite awful that this university is discouraging take free learning process.

    Realistically, they are just discouraging hacking into their systems and installing keyloggers. The chances are, after giving this kid a thoroughly good scare, the charges will be dropped or negotiated down.

  • by Anonymous Coward on Saturday September 13, 2008 @08:21AM (#24989475)

    woke him up, and told him, "See what your lack of security has done?". Then I went out into the street, and let everyone in the neighborhood know, so they could all see how it's a bad refection on the community, and weakens all their positions, since what he does affects them all. When the police finally arrived, I pointed out that I hadn't actually taken anything or hurt anyone. And I berated the police, their lax response endangers everyone, and emboldens REAL criminals. At my trial, I took the issue all the way to the US Supreme Court, and got a Constitutional Amendment passed, because the inherent weakness in the system simply had to be addressed, thanks to me. All this happened, and I was of course, never shot at by anyone -- homeowner, neighbors, police -- because I was doing what was right.

    OK. On some levels, the previous diatribe is a false analogy. But I would like to point out that the whole "white hat hacker" meme is, at least a little bit, phony.

  • Ya know, if he saw a flaw (and obviously there was something wrong since he installed a keylogger on at least one university computer)

    At first I was sympathetic ... but a moment's thinking changed my mind. The guy deserves a criminal record, and to be expelled.

    The writer, who used a pseudonym, claimed he easily broke into the accounts using a program that captures computer keystrokes.

    Think about it for a second. You don't install a keylogger on a server and then capture logins from students from remote machines ... the keyloggers were installed on the students' laptops. This is NOT "hacking" or "cracking" the university's computers. He installed keyloggers on up to 37 other students' laptops to capture their login info.

    How would you react if someone installed a keylogger on YOUR laptop? And dozens of others? Whether he tookThis isn't Soviet Russia - laptops don't (or shouldn't) log YOU!

    If he had physically assaulted 37 students, rather than compromising their laptops and account info, he'd be in jail. Ditto if he had vandalized their cars, instead of their laptops. But looking at the comments, it's okay to screw with other people's property if you want to look 1337 to your peers.

    Expulsion is the least the university can (and should) do, as well as pursuing criminal charges.

  • Re:Wake up please. (Score:1, Insightful)

    by Anonymous Coward on Saturday September 13, 2008 @09:34AM (#24989847)

    "No, technically he did the wrong thing by breaking into the network. This isn't complicated."

    Yes, but it is worse than that. It is almost a certainty that he broke the terms which he AGREED to abide by when he signed up for a user account on the university system. Most universities have pretty specific policies about attempting to access systems when you do not have permission. Carleton is no exception [carleton.ca]. Even if it wasn't illegal, he'd still be breaking university rules.

    That being said, if I was in the relevant university administration, I'd send his case straight to the academic discipline committee on those grounds (because he DID break the rules), but leave a formal legal case out of it. Just because you can pursue a legal case doesn't mean it is in the interests of the student or the university to do so.

    This student apparently had the right idea in mind, but went about it in completely the wrong way, and did not think about the implications of breaking rules they had already accepted. It was a stupid mistake. That deserves some kind of strong penalty, but not as severe as (potentially) a criminal record, because intent does matter and those 16 pages demonstrate it fairly well.

    There is a tricky balance to be struck here. You don't want to encourage students to be probing for security flaws, but, on the other hand, you do want them to be able to tell you if they've accidentally stumbled across them.

  • by jDeepbeep ( 913892 ) on Saturday September 13, 2008 @09:46AM (#24989907)

    University is for learning and documenting what you know for others to use, not for fearing that you might anger some incompetent sysadmin.

    From TFA: This is the second time Carleton has dealt with hackers in recent months. In late July, a hacker broke into the e-mail system.

    Let us agree on the incompetence. This is their second incident in 3 months.

  • by shalla ( 642644 ) on Saturday September 13, 2008 @10:17AM (#24990145)

    Do you know that no significant damages have occurred? If I were one of the 32 students whose personal information he e-mailed to 37 other students plus sent to a secretary and God knows who else, I would be pressing charges against him. Just because he didn't damage the infrastructure doesn't mean that no one else he shared the information with didn't abuse it to access educational records, email accounts, or to buy things on campus pretending to be a different student.

    If a corporation, let's say a large store, had this happen to 32 of its customers, and the guy who did it e-mailed the personal account information of those customers (which provided access to their store credit card information, personal address and contact information, and credit history) to a bunch of other people, would we not all expect him to be charged with a crime? I sure as hell would.

    If you reveal personal information protected by law, expect to be charged.

  • by weston ( 16146 ) <westonsd@@@canncentral...org> on Saturday September 13, 2008 @12:58PM (#24991393) Homepage

    and found a 16 page write-up about how a guy broke into your house, disabled the motion detector

    I agree this would be disturbing, but I hear these analogies to people's homes all the time and I've always been a little uncomfortable with them, and I think I've figured out why.

    One of the key problems with a home invasion is that it's pretty reasonable to assume it threatens your personal safety. There are other places to threaten someone's personal safety, but it's one of the few places where just by dint of being there, it's reasonable to assume someone constitutes some kind of threat to you.

    I think a better analogy would be some kind of storage unit or a locker. If you had stuff in this protected by a certain kind of lock, and somebody broke into your place and left a note that said "Dude. These locks are defective. They're easy to open by using this technique. Your stuff will be safer if you get something else!" and didn't take anything, that'd be closer to what happens when a system is compromised. You might be likely to be a bit surprised and perhaps wary, but it's not the place where you sleep.

  • by Seraphim_72 ( 622457 ) on Saturday September 13, 2008 @01:35PM (#24991743)

    "No officer, I didn't go into that burning house to save that child. That would have been breaking and entering and kidnapping!" Justice should be blind, but it doesn't have to be deaf, dumb and have no sensory nerve endings.
  • by johndoe42 ( 179131 ) on Saturday September 13, 2008 @05:24PM (#24993443)

    As far as I'm concerned, the student did a few things right but two things wrong. First, the good:

    1. He thought about security. We should all do this.
    2. He told the university when he found a flaw.

    But he did two things wrong:

    1. He installed a keylogger. Maybe this is just my moral code, but the right way to hack is to find a real vulnerability. Taking advantage of the physical insecurity of the university machines to install a keylogger is not cool. Besides, *of course* they're vulnerable to that. Similarly, if they use magnetic stripes, grabbing other people's cards and cloning them is possible. Maybe they should use secure smartcards, but there's no need to clone a magstripe just to prove it possible.

    2. He emailed 37 students in addition to the administration. Did he email them a list of passwords, too?

    For comparison, I hacked my (top-tier CS) university's systems back in the day. Specifically, I found a vulnerability in the network authentication system that everyone knew existed in theory but thought was essentially unexploitable in practice and used it to read my roommate's email. But I got my roommate's permission first, and I took the exploit description and sample code directly to the IT people. I didn't disclose it to the rest of the world immediately, or, in fact, at all.

    Not surprisingly, the IT department was happy, they fixed the problem, and they even wrote me a check as a thank you. But I bet they would've been pissed off if I'd emailed 37 people a detailed description before they had a chance to fix the problem.

    The lesson: if you want to do some unsolicited white-hat hacking, don't be a dick about it.
