University Brings Charges Against White Hat Hacker 540

aqui writes "A university student at Carleton is learning that no good deed goes unpunished. After hacking into what was probably a not-so-secure university network, this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive. The university should spend money on hiring some admins with better computer skills and teaching skills rather than paying lawyers. In the Engineering department at my old university, the unofficial policy was that when you broke in, didn't damage anything, and reported the problem and how you broke in, they didn't charge you (if you maliciously caused damage, you usually faced academic sanctions). In some cases, the students were hired or they 'volunteered' for the summer to help secure the servers or fix the hole they found. The result was that Engineering ended up with one of the most secure systems in the university." Read on for the rest of aqui's comments.
aqui continues: "The truth is, some university students are going to have the desire to hack something, and not all of them have the judgment to stay out of trouble. If you acknowledge that and catch them inside the university, you can straighten them out before they wreck their lives, and teach them to be white hats. Rather than creating a hostile environment where people may become black hats, you create an environment where you guide them in the right direction to being good computer security professionals. For every hacker they catch, there's probably at least one that they don't know about. I can imagine that a number of those hackers at Carleton are now seeing the university as the enemy for burning 'one of their own,' and some of them may become malicious to get even. If the student's intentions were good - which they appear to be - I can't help but feel sorry for the guy."
  • No harm, no foul (Score:1, Interesting)

    by SpaceLifeForm ( 228190 ) on Saturday September 13, 2008 @01:46AM (#24987879)
    Such as it should be.
  • by Announcer ( 816755 ) on Saturday September 13, 2008 @01:49AM (#24987909) Homepage

    Your old school did, indeed, do the right thing. This one is not. The guy came forward with what he discovered, in good faith! It gives them the opportunity of preventing a malicious person from causing real damage... and they are going to punish him for this? That's just wrong.

    In fact, it could theoretically turn many others into "black hats" that will go after them, just because they were so hard-nosed with this guy who was, let's be honest, doing them a favor!

    Time for that school to get a clue. I'm really disappointed in their actions.

  • Re:Wake up please. (Score:5, Interesting)

    by yttrstein ( 891553 ) on Saturday September 13, 2008 @02:20AM (#24988065) Homepage
    If I found out that one of my engineers turned in and made moves to press charges against a hacker who broke in and then told them exactly how it was done, I would fire that engineer on the spot, for two reasons:

    1. As was said in the story, you have an opportunity there to pull a potential fence-sitter over to the white-hat side of things, and you can only do that if you don't send them to prison on the spot. To not understand this is to be missing a fundamental requirement of anyone on the payroll -- "don't be a jerk!"

    2. They're not very good at their job if some pinhead waltzes into the network and screws around like that.

    But maybe that's why some engineers and administrators get so hot headed about this sort of thing. When it happens it draws unwanted attention to their own potential incompetence, and any rational human being would be pretty threatened by that.

    Still, don't be a jerk.
  • Re:Realism ahoy (Score:3, Interesting)

    by Jewfro_Macabbi ( 1000217 ) on Saturday September 13, 2008 @02:21AM (#24988073)
    Actually there have been court upheld exceptions and dismissals of charges in cases where people broke the law to "preserve public interest". See the recent U.K. dismissal of Greenpeace activist on vandalism charges... It's a long established legal precedent. For example you are allowed to trespass/break and enter private property to stop a fire, save a life, etc, etc.
  • Re:Realism ahoy (Score:3, Interesting)

    by yttrstein ( 891553 ) on Saturday September 13, 2008 @02:32AM (#24988139) Homepage
    It's precisely this sort of attitude, stonecypher, that will prevent any other hackers at Carleton from coming forward and reporting any problems they happen to find, legally or not.

    But at least your ethics are intact.

    Though perhaps there's some sort of happy medium where you could get your punishment rocks off while at the same time places like Carleton don't have to scare everyone into never reporting anything. You're never, ever going to stop a hacker who loves what they do from hacking. Ever.

    Those of us active in the security field would really appreciate your help on this.
  • by Gnavpot ( 708731 ) on Saturday September 13, 2008 @02:36AM (#24988159)

    The subject of this story says White Hat Hacker. But it seems to me that the break-in was typical black hat hacking. The info to the system administrators may be a typical white hat hacker action, but this does not make the whole thing white hat.

  • P.S. (Score:3, Interesting)

    by mbstone ( 457308 ) on Saturday September 13, 2008 @02:38AM (#24988181)

    Reporting a vuln using a lawyer as a go-between completely removes you from the possibility of criminal prosecution, unless you left a trail of bread crumbs. Attorney-client privilege beats any number of anonymized proxy servers.

  • Re:No harm, no foul (Score:4, Interesting)

    by YttriumOxide ( 837412 ) on Saturday September 13, 2008 @02:57AM (#24988285) Homepage Journal

    Is it really that hard to get a job in some places if you have a criminal record? I have a record - for Phreaking of all things (actually, the charge was "Obtains other service credit by fraud"), and it has never had any effect on my ability to find work. Most employers don't ask, and the very few that have have just said, "well, you were young, and it shows technical aptitude" or something along those lines and then never mentioned it again.

    Note: I don't live in the US, nor have I ever applied for a job in that country, so it might (or might not be) just a US thing.

  • Re:Wake up please. (Score:4, Interesting)

    by SirSlud ( 67381 ) on Saturday September 13, 2008 @03:22AM (#24988407) Homepage

    Robin Hood stole from the rich and gave to the poor. In this situation, he could have only stolen from the poor, but stole from nobody and told the rich that stealing from them was feasible if somebody else wanted to be a true anti-Robin Hood.

    It's a shame people think most hacking involves breaking down hex codes. I've had my debit card number and pin stolen twice from the nearby grocery store, and I'd love nothing more than for somebody to do it again who would actually tell them how it was done and how to prevent it in the future.

  • How would you feel? (Score:4, Interesting)

    by erroneus ( 253617 ) on Saturday September 13, 2008 @03:30AM (#24988459) Homepage

    It's late at night. You're still up messing around on your computer. It is otherwise very quiet.

    Suddenly, you hear weird noises at your door. It's not an animal... it's something working at the keyhole.

    At this point, some of you are already reaching for a gun, a baseball bat, something. Others are calling 9-11. Whatever is going on, it isn't right.

    If for some reason, you just go to the door and open it to see who is there, would you feel friendly to this guy if he smiles and says "I am doing you a favor!"

    Okay, this isn't parallel enough...

    How about you came home from work to find a note on the inside of your home explaining "Hi, I got into your home but I didn't take anything. Here is how I did it and what I saw." Come on! How creepy is that?!

    What this guy did was a classic security breach... the kind everyone is already afraid of... the kind that always gets headlines when "personal information is exposed." In some stupid way, maybe he had some twisted idea that he was doing something noble or scholarly. But in the real world, we already know there is a balance between security and convenience. Once in a while, people need to be reminded that the balance is often set too far in favor of convenience, but this guy did too much. Stopping at "I was able to install a keylogger on this system, ran a test or two and disabled it. The log files are here for examination. The information on this computer and accessible through this computer is vulnerable." would have more than sufficed... but even then, it's a bit too much. Perhaps it would have been better to simply place an "Out of Order" sign on the computer to prevent anyone from using it.

    There is a difference between noticing that someone left a door unlocked and telling someone and actually going in and rummaging about and writing up a big report on the topic.

    He needs a slap on the wrist for this. No doubt about it. But nothing permanent... this time...maybe. Some people actually lack some impulse controls in their personalities and get giddy at the notion that they have some power or superiority over others. Some people are just broken that way.

  • Seriously? (Score:3, Interesting)

    by DigitalisAkujin ( 846133 ) on Saturday September 13, 2008 @03:32AM (#24988461) Homepage

    I'm honestly appalled by the response from some of you saying he deserved what he got.

    This is a University, not a business. There's no damage, period. There's no cost, no down time. Wtf is wrong with you people?

    This sends the wrong messages. Especially considering we want talented individuals in the IT field. I'm sick and tired of seeing these cookie cutter CIS & IST majors graduating having ZERO or less than one year of real world experience. I would much rather hire this guy. Even more so because even in the position of having the possibility to be malicious in his intent he didn't turn to the evil side. Now you're just gonna turn him into a pariah and ruin the life of a person who clearly would have been a more than productive member of society.

    Breaking and entering to prove a point != Whitehat hacking

    Stop pretending that it is.

    Fuck the politics. This is the difference between right and wrong.

    You people make me sick.

  • Re:Wake up please. (Score:4, Interesting)

    by registrar ( 1220876 ) on Saturday September 13, 2008 @03:42AM (#24988509)

    You are so right about intent. Ignoring the kid's intent is part of what makes this repugnant.

    In my workplace, I get technical people to work for me by honouring their expertise and sometimes cracking just a bit dumb. IT managers especially do not respond well to any hint that you know they are doing a second rate job. But academics and students should thrive on give-and-take. This kid acted in an academic sort of way at a university, and that should be fine. University is not the place where you should have to learn how to deal nicely with incompetent people. So I find it quite awful that this university is discouraging take free learning process.

    Sucks to be the IT guy, but the best IT managers I ever saw at UNO were bored academics. Not always entirely technically competent, but they understood where we were coming from and knew how to keep us in line. And quite happy for us to point out security holes.

  • Re:No harm, no foul (Score:5, Interesting)

    by Antique Geekmeister ( 740220 ) on Saturday September 13, 2008 @03:48AM (#24988539)

    No, some anger is justified. The Morris Worm was not written to ruin systems, it was written to probe them and report its results. Nevertheless, it brought down UNIX servers worldwide because it was badly written. Doing 'harmless' security cracks against a badly secured network can in fact trash that network, by accident, as you tweak local settings in 'harmless' ways.

    As well meant as it was, this is why you don't put your name on that paper about the flaws. You send copies to the core administrators and money providing bureaucrats, from their own email accounts, and possibly to the staff of the school newspaper.

  • Re:The Politics (Score:5, Interesting)

    by permaculture ( 567540 ) on Saturday September 13, 2008 @03:59AM (#24988585) Homepage Journal

    There was a similar situation awhile ago where I work (in my outfit's Computer Center.)

    I found a password ripper on the net, and tried it on our password file. Seemingly, the password rules that used to be applied had been lost during a recent system change; and now passwords like 'password' and 'letmein' were not rejected when the user tried to set their password. I was able to crack >1,000 passwords within 30 minutes.

    I reported the problem to my supervisor, and he got me to discuss it with the Technical Director. They decided that the new Identity Management system that they were looking for funding for, would fix the problem. The budget bid failed, and the IDM system still hasn't been built. The hole remained for 2 to 3 more years.

    I read a case online where a NASA sysadmin would email users to warn them to strengthen their passwords, so I started doing that myself. "Hullo [user], your password is your favourite football team. That's a dictionary word, and easy to crack. Please choose a stronger password, using one of these methods." This did reduce the scale of the problem somewhat, but new accounts would appear with weak passwords, so the hole was still open.

    Around 2 to 3 years after I originally reported the problem, a user reported exactly the same thing to his boss, who told the Computer Centre. He was hauled over the coals, reprimanded and nearly got disciplined for his trouble. Password creation rules were instituted, and the hole was closed in short order.

    Since those days my outfit has started filtering our Web access using http://www.websense.com/. I recently found a way around the filter, but don't want to report this hole in case the management decide to punish me for it.
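    A creation-time password filter of the kind whose loss the comment above describes (rules that reject 'password', 'letmein' and favourite-team names before an account can be set up with them), added here as an example; it is not code from the page or from any product it mentions, and the word list, leet map and sample requests are constructed.

```python
import re

# Constructed word list standing in for a real cracking dictionary plus the
# "favourite football team" words the comment above describes; a production
# check would load a far larger list.
COMMON_WORDS = {
    "password", "letmein", "qwerty", "welcome", "monkey", "dragon",
    "arsenal", "liverpool", "chelsea", "everton", "rangers", "celtic",
}

# Substitutions users typically apply to slip a dictionary word past a naive
# filter ('P@ssw0rd', 'l3tm31n'); the check undoes them before lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed sample of new-account password requests (username, candidate).
SAMPLE_REQUESTS = [
    ("jsmith", "password"),
    ("agreen", "Arsenal2008!"),
    ("bwhite", "l3tm31n"),
    ("cblack", "cblack-rules-2008"),
    ("dgray", "correct horse battery staple"),
]


def normalise(candidate: str) -> str:
    """Reduce a candidate to the dictionary word it is built on:
    'Arsenal2008!' -> 'arsenal', 'P@ssw0rd123' -> 'password'."""
    s = candidate.lower()
    s = re.sub(r"^\d+", "", s)        # leading year/number prefix
    s = re.sub(r"[\d!?.]+$", "", s)   # trailing digits/punctuation suffix
    return s.translate(LEET)


def check_password(candidate: str, username: str = "", min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means the
    candidate is acceptable. These are the rules a creation-time filter
    must enforce so weak passwords cannot be set in the first place."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    base = normalise(candidate)
    if base in COMMON_WORDS:
        problems.append(f"built on the dictionary word '{base}'")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    low = candidate.lower()
    if len(low) >= 1 and len(set(low)) == 1:
        problems.append("single repeated character")
    elif len(low) >= 4 and (low in "abcdefghijklmnopqrstuvwxyz"
                            or low in "01234567890123456789"):
        problems.append("keyboard/number sequence")
    return problems


def reject_weak(requests: list) -> dict:
    """Apply check_password to (username, candidate) pairs, as an account
    provisioning hook would, and report why each rejected one failed."""
    return {user: problems
            for user, pw in requests
            if (problems := check_password(pw, username=user))}


if __name__ == "__main__":
    for user, why in reject_weak(SAMPLE_REQUESTS).items():
        print(f"{user}: rejected ({'; '.join(why)})")
```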

  • Re:In other news (Score:3, Interesting)

    by KGIII ( 973947 ) * <uninvolved@outlook.com> on Saturday September 13, 2008 @04:40AM (#24988735) Journal

    I will choose my words carefully.

    I'm calling you on that. I think you are being dishonest with us. In short, I don't believe you are telling the truth.

    Even if you had left the keys in your car and had your car taken by someone on the street you would NOT be thanking them for teaching you the errors of your ways. You'd be screaming for justice. When they've violated the privacy of your home you'd be doing the same damned thing only louder. Please be honest with us if you're going to post. Thanks.

  • Re:Wake up please. (Score:5, Interesting)

    by silentcoder ( 1241496 ) on Saturday September 13, 2008 @05:19AM (#24988857)

    >Robin Hood stole from the rich and gave to the poor.

    Just for the record, that's not true. The actual legend, which is at least in part based on facts, is that he led a revolt against a corrupt aristocracy that overtaxed peasants (to the point of leaving them unable to eat). The revolt consisted of robbing said corrupt aristocrats (in particular the tax collectors) and then giving the money back to its rightful owners.
    The oldest version of the legend I could find in a book (published in the 1700's) explained their system as follows:
    1/3 of the money the aristocrat had was left with him - (this was deemed a fair amount, even in taxes)
    1/3 was given to the peasants it came from - (that was deemed fair by said peasants)
    the last 1/3 was kept by Robin Hood and his men to buy their own food and weaponry.

    Basically, an early form of guerilla warfare and civil disobedience rather than outright theft.

    Most modern tellings do remember that Robin Hood was born a nobleman and a knight (Sir Robert of Locksley) but very few recall the end of the legend completely (as per said oldest book version). Most end with the return of Richard I from the crusades who punishes his corrupt brother and the aristocrats who scored from the system he set up. According to the older versions though, he didn't just punish them and pardon Robin Hood. He then rewarded Robert of Locksley for what he deemed exceptional service to the country, by greatly upgrading his title and making him the Earl of Huntingdon.
    Said title is still extant, and I do believe its carriers take some pride in being (probably) descended from Robin Hood.

    Of course, with an almost 500 year old legend, a lot of facts are not known - especially when the oldest book about it I could find was written more than two centuries after the fact, but the old 'steal from the rich, give to the poor' idea is really a rather massive oversimplification of what he is said to have done. I think it would almost be more fair to think of Robin Hood as an early form of a welfare system in a taxed state.

  • Re:Wake up please. (Score:0, Interesting)

    by Anonymous Coward on Saturday September 13, 2008 @06:07AM (#24989019)
    So Hitler didn't murder the Jews?
  • by Antique Geekmeister ( 740220 ) on Saturday September 13, 2008 @08:06AM (#24989391)
    He wasn't a white-hat. He was installing keystroke loggers. Without explicit permission, that's straightforward black-hat behavior, because many of those interfere with other programs on the system.
  • Re:No harm, no foul (Score:5, Interesting)

    by skolima ( 1159779 ) on Saturday September 13, 2008 @09:03AM (#24989673) Homepage
    Fuck academic sanctions. My Operating Systems teacher (professor on PUT, Poland) _encouraged_ us to try and break into university computers. His assistant (Ph.D.) told us that he uploaded exam questions into his account a week before the exam date, they were up for reading for anyone who was able to get to them and document how he did this (AFAIK only a single person in 6 years managed to get in, those guys knew what they were doing). University is for learning and documenting what you know for others to use, not for fearing that you might anger some incompetent sysadmin.
  • Re:No harm, no foul (Score:4, Interesting)

    by haus ( 129916 ) on Saturday September 13, 2008 @09:07AM (#24989689) Journal

    It is worth noting, that despite the pain caused by Robert T. Morris with the release of his worm and the criminal record that followed, he has managed to find productive work (currently a professor at MIT).

    Perhaps it is a good reminder that while punishment may be appropriate, it is not necessarily good for society to punish people continuously for past misdeeds.

  • Re:No harm, no foul (Score:1, Interesting)

    by Anonymous Coward on Saturday September 13, 2008 @10:06AM (#24990055)

    Computer systems in colleges are tuned to that purpose, not security.

    Generalize much?

    I work for a university. Our systems are set up for security. Perhaps you're the one who hasn't been to college in a while? Things have changed.

  • Re:Wake up please. (Score:5, Interesting)

    by Draek ( 916851 ) on Saturday September 13, 2008 @11:05AM (#24990501)

    The cost of which should fall on *you* since it was *your* job to configure the network to prevent such attacks, and *you* failed at it.

    Yeah, it'd make the sysadmins' jobs a lot more hellish, but hey, as long as we're in this wanking hate session... plus it's only logical that if you're going to penalize somebody for the sysadmin's incompetence, that it should be the sysadmin himself.

  • by cvd6262 ( 180823 ) on Saturday September 13, 2008 @11:09AM (#24990539)

    When I was a grad student, the lab in the education department asked me to implement a "fast, simple" method of pulling up student records. I bought them a cheap mag-strip reader and wrote a little script that would grab the Student ID from the card, then submit it to their campus information system. The lab manager (who was not a tech) was shocked that it worked. He assumed the information on the card would be encrypted or something.

    That same year a buddy of mine who worked for IT services put together a demo of how easily the mag cards could be forged - with less than $100 + a cheap laptop. His bosses were impressed and asked him to demo it for one of the VPs. When he did, the VP told him, "You know, you're on thin ice here. You could get in a lot of trouble for this."

    In essence, the administration (who purchased the card systems) didn't want to know if they were secure. They just wanted to give the impression of security.

  • Re:No harm, no foul (Score:1, Interesting)

    by slmdmd ( 769525 ) on Saturday September 13, 2008 @12:40PM (#24991247)
    Say, you are away from home and at work. Someone comes and checks your door lock strength and is able to break them, then leaves and writes about it in the local library, and when you return home you don't really check the locks closely, so you don't realize.

    You find out about the incident from the local library on the weekend. Additionally the write-up has advice that says "people should put 1000 usd locks instead of 100 usd for better security" - What would be your reaction?

  • Re:Wake up please. (Score:1, Interesting)

    by Anonymous Coward on Saturday September 13, 2008 @03:38PM (#24992605)

    You know what worked well for me? I talked to the people who ran my school networks, said I was sure there were a few ways around their bogus security.

    From there on out I was always given a terminal away from any other users in the labs, was never bothered about what I did, and always reported what I was able to do.

    Great arrangement, got to play, try things out, never got in trouble, and they knew I was an up-front guy that would never intentionally do them any harm. That network was considerably more secure when I left than when I got there, I learned a lot, they looked great.
