Forgot your password?
typodupeerror
Education Security Your Rights Online

University Brings Charges Against White Hat Hacker 540

Posted by Soulskill
from the easier-than-fixing-security-holes dept.
aqui writes "A university student at Carleton is learning that no good deed goes unpunished. After hacking into what was probably a not-so-secure university network, this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive. The university should spend money on hiring some admins with better computer skills and teaching skills rather than paying lawyers. In the Engineering department at my old university, the unofficial policy was that when you broke in, didn't damage anything, and reported the problem and how you broke in, they didn't charge you (if you maliciously caused damage, you usually faced academic sanctions). In some cases, the students were hired or they 'volunteered' for the summer to help secure the servers or fix the hole they found. The result was that Engineering ended up with one of the most secure systems in the university." Read on for the rest of aqui's comments.
aqui continues: "The truth is, some university students are going to have the desire to hack something, and not all of them have the judgment to stay out of trouble. If you acknowledge that and catch them inside the university, you can straighten them out before they wreck their lives, and teach them to be white hats. Rather than creating a hostile environment where people may become black hats, you create an environment where you guide them in the right direction to being good computer security professionals. For every hacker they catch, there's probably at least one that they don't know about. I can imagine that a number of those hackers at Carleton are now seeing the university as the enemy for burning 'one of their own,' and some of them may become malicious to get even. If the student's intentions were good - which they appear to be - I can't help but feel sorry for the guy."
This discussion has been archived. No new comments can be posted.

University Brings Charges Against White Hat Hacker

Comments Filter:
  • The Politics (Score:5, Insightful)

    by D Ninja (825055) on Saturday September 13, 2008 @01:48AM (#24987891)

    this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive.

    So, I agree with you. Someone who took the time to show flaws in the system should not be punished (at least not to this extent).

    However, here's probably what happened.

    1. Someone received the 16 page write-up. They took it to the sys admins.

    2. The system administrators, WHO WANT TO KEEP THEIR JOB, are going to go into a tirade of how he subverted their systems and purposely used "nefarious methods" to break system security, etc, etc. Basically, it's politics here - they don't want to look bad and/or lose their job so they will do everything in their power to make him look like a bad guy (which, to some extent, he is).

    3. So, sys admins may have suggested some legal action to protect the school and make an example of him. (Or someone higher up may have.) The reason someone higher up may have done this is because they want to protect the school's image. Knowing that their system was weak could really hurt a school which is a business.

    Basically, all of this is politics. All of it. Technically, the kid did the right thing by reporting what he found (although, quite honestly, he probably shouldn't have been there in the first place without asking permission). But, he didn't think through how other people were going to see his actions. You *always* have to think about the politics.

    • Re:The Politics (Score:4, Insightful)

      by drakethegreat (832715) on Saturday September 13, 2008 @02:07AM (#24987983) Homepage
      Part of the issue here is that just because he submitted a write up on what he claims he did doesn't mean he didn't leave a backdoor. Chances are he didn't but until they analyze everything (which takes forever given the number of servers a university department has), how do they know? It could be a way of covering tracks. Look at it this way, you got home one day and found a 16 page write-up about how a guy broke into your house, disabled the motion detector, and finally video taped it all, how would you feel? Jail is beyond what I would do personally but I'm pretty sure I wouldn't be peachy for such a kind gesture.
      • by weston (16146) <westonsd.canncentral@org> on Saturday September 13, 2008 @12:58PM (#24991393) Homepage

        and found a 16 page write-up about how a guy broke into your house, disabled the motion detector

        I agree this would be disturbing, but I hear these analogies to people's homes all the time and I've always been a little uncomfortable with them, and I think I've figured out why.

        One of the key problems with a home invasion is that it's pretty reasonable to assume it threatens your personal safety. There are other places to threaten someone's personal safety, but it's one of the few places where just by dint of being there, it's reasonable to assume someone constitutes some kind of threat to you.

        I think a better analogy would be some kind of storage unit or a locker. If you had stuff in this protected by a certain kind of lock, and somebody broke into your place and left a note that said "Dude. These locks are defective. They're easy to open by using this technique. Your stuff will be safer if you get something else!" and didn't take anything, that'd be closer to what happens when a system is compromised. You might be likely to be a bit surprised and perhaps wary, but it's not the place where you sleep.

    • Re:The Politics (Score:5, Interesting)

      by permaculture (567540) on Saturday September 13, 2008 @03:59AM (#24988585) Homepage Journal

      There was a similar situation awhile ago where I work (in my outfit's Computer Center.)

      I found a password ripper on the net, and tried it on our password file. Seemingly, the password rules that used to be applied had been lost during a recent system change; and now passwords like 'password' and 'letmein' were not rejected when the user tried to set their password. I was able to crack >1,000 passwords within 30 minutes.

      I reported the problem to my supervisor, and he got me to discuss it with the Technical Director. They decided that the new Identity Management system that they were looking for funding for, would fix the problem. The budget bid failed, and the IDM system still hasn't been built. The hole remained for 2 to 3 more years.

      I read a case online where a NASA sysadmin would email users to warn them to strengthen their passwords, so I started doing that myself. "Hullo [user], your password is your favourite football team. That's a dictionary word, and easy to crack. Please choose a stronger password, using one of these methods." This did reduce the scale of the problem somewhat, but new accounts would appear with weak passwords, so the hole was still open.

      Around 2 to 3 years after I originally reported the problem, a user reported exactly the same thing to his boss, who told the Computer Centre. He was hauled over the coals, reprimanded and nearly got disciplined for his trouble. Password creation rules were instituted, and the hole was closed in short order.

      Since those days my outfit has started filtering our Web access using http://www.websense.com/ [websense.com]. I recently found a way around the filter, but don't want to report this hole in case the management decide to punish me for it.

    • by loraksus (171574)

      2. The system administrators, WHO WANT TO KEEP THEIR JOB, are going to go into a tirade of how he subverted their systems and purposely used "nefarious methods" to break system security, etc, etc. Basically, it's politics here - they don't want to look bad and/or lose their job so they will do everything in their power to make him look like a bad guy (which, to some extent, he is).

      To clarify, in a publicly funded school, it's not just keeping their job, but keeping it for 25 years so they get that nice retirement.

      People should have relatively little faith in most sysadmins who work at schools.
      At one school, a group of us were trying to set up a wireless AP, but got it killed because of IT.
      I'm not even talking about being on the "network", but getting a DSL line in, paying for it with student government funds, a banner page clearly identifying the AP as nothing to do with the school,

  • Realism ahoy (Score:4, Insightful)

    by stonecypher (118140) <stonecypherNO@SPAMgmail.com> on Saturday September 13, 2008 @01:48AM (#24987893) Homepage Journal

    Yes, anyone should be able to break the law and then get off scot-free by claiming it was in the public best interest. Nevermind the cost of the sudden campus-wide security lockdown, nevermind that IT staff may have lost their jobs, nevermind the people now losing sleep because they don't know how to handle things. Nevermind the risk incurred in that if he caused outages he could have disrupted phenomenally expensive research projects. Nevermind that most whitehats leave doors open behind them.

    He meant well.

    He deserves what he got. Quit trying to make heroes out of everyone looking at jail time. Jesus.

    • Re: (Score:2, Insightful)

      Just because it's some computer savvy person doesn't make his actions above the law. A robber could advance the same arguement: "I robbed you just to prove to you that (you) should take your personal safety more seriously" Sorry, that dog don't hunt!
    • Re:Realism ahoy (Score:5, Insightful)

      by Skye16 (685048) on Saturday September 13, 2008 @02:17AM (#24988035)

      Looking at your response, then, there seems to be no reason what-so-ever to be a white-hat.

      Honestly, if you're going to get the book thrown at you, fucking make it worth it. Destroy those phenomenally expensive research projects.

      I mean, after all, if he's going to get punished for things like this, it's better off at least feeling the satisfaction of really dicking someone over. I mean, if they're going to fuck your life up for the end of all days, you may as well have done it to them first. At least then you have "an eye for an eye".

      Right now you have "an eye for a paper showing precisely how I could have taken your eye".

      • >Looking at your response, then, there seems to be no reason what-so-ever to be a white-hat.

        Duh!

        Would you? I wouldn't. Would I break the law and then hope people thank me for it instead of prosecute me for it, all to help my university? Fuck no.

        Everyone knows no good deed goes unpunished. For good deeds done through illegal means the punishment is even more sure.

        So yeah, if you're gonna hack, I hope you're getting something out of it - ass, money, personal satisfaction of dicking someone over, whatev

    • Re: (Score:3, Interesting)

      Actually there have been court upheld exceptions and dismissals of charges in cases where people broke the law to "preserve public interest". See the recent U.K. dismissal of Greenpeace activist on vandalism charges... It's a long established legal precedent. For example you are allowed to trespass/break and enter private property to stop a fire, save a life, etc, etc.
    • by plasmacutter (901737) on Saturday September 13, 2008 @02:27AM (#24988113)

      Someone equally or more competent than your own staff tested your infrastructure, found its flaws, and gave you a free report on it, and you're going to beat them over the head.

      This "law uber alles" authoritarian streak is what causes most companies to become plagued with "upward failure". The truly competent don't dare to speak inconvenient truths, and the incompetent are given free reign to take advantage.

    • by pizzach (1011925)

      Nevermind the cost of the sudden campus-wide security lockdown, nevermind that IT staff may have lost their jobs, nevermind the people now losing sleep because they don't know how to handle things. Nevermind the risk incurred in that if he caused outages he could have disrupted phenomenally expensive research projects.

      I was with you until that last sentence there. Are you going to give a "think of the children" statement next?

    • Re: (Score:3, Interesting)

      by yttrstein (891553)
      It's precisely this sort of attitude, stonecypher, that will prevent any other hackers at Carleton from coming forward and reporting any problems they happen to find, legally or not.

      But at least your ethics are intact.

      Though perhaps there's some sort of happy medium where you could get your punishment rocks off while at the same time places like Carleton don't have to scare everyone into never reporting anything. You're never, ever going to stop a hacker who loves what they do from hacking. Ever.

      Those of
    • by Maelwryth (982896)

      "Yes, anyone should be able to break the law and then get off scot-free by claiming it was in the public best interest."

      Your right. We should leave that to our government.

    • Let me follow this logic -- if HE caused the campus-wide lock-down, that's worse than leaving the campus insecure to more ill-intentioned persons?

      I don't follow.

      The security problem didn't exist because he hacked the system, the security problem allowed him to hack the system. The security problem should have required a lock-down before he ever hacked it, but the team at the University didn't realize it (or didn't care).

      His actions changed nothing but awareness.

      • by KGIII (973947) *

        Well, I will try to make it simple for you...

        If you murder a person who has an unsurvivable cancer you're still a murderer and you still deserve to be punished... Yes he was going to die anyhow but just because he was going to die doesn't give you the right to end his life without permission.

        That's a rather extreme example of where your logic is fatally flawed. There are some situations where we are humanly entitled to violate the law. This isn't one of them in the eyes of the property owners and, it would

  • Bullshit (Score:5, Informative)

    by atari2600 (545988) on Saturday September 13, 2008 @01:48AM (#24987899)

    From the article: Det. Michel Villeneuve of the Ottawa Police high-tech crime unit said yesterday that a suspect used Keylogger software and magnetic stripe-card reader software to acquire students' information.

    Using keylogger software is not White hat material sorry. You install a keylogger on a random machine and watch people come in and access their email / student accounts and then later go "me l33t haxor?"

    Computing access in schools is a privilege and I see an abuse of privilege here by installing keyloggers. Sorry but physical access to machines means all security is out of the window. Sure the admins can install a variety of tools to detect keyloggers but there's always going to be one program that will escape detection.

    Should I blame Soulskill? Such a verbose summary and no mention of keylogging software.

  • by Anonymous Coward on Saturday September 13, 2008 @01:49AM (#24987901)

    What he did was gray hat and not white hat.

    If he had gotten the permission of the school to do security testing first then he would be a white hat. He had good intentions, but by breaking into a system he didn't own without the owners permission he broke the law.

    -Jim Bastard

    • by mbstone (457308)

      Amen. A prudent whitehat never touches someone else's system or network without first obtaining written permission, using language that has been reviewed and approved by his own lawyer. And the lawyer had better be familiar with the various, and latest, federal and state computer intrusion statutes and appellate court decisions.

      Fail to do this and you are in the category of Whining. IAAL.

    • P.S. (Score:3, Interesting)

      by mbstone (457308)

      Reporting a vuln using a lawyer as a go-between completely removes you from the possibility of criminal prosecution, unless you left a trail of bread crumbs. Attorney-client privilege beats any number of anonymized proxy servers.

  • As stated above no harm no foul. If this is a crime so is alerting your neighbor that their door is unlocked while they were gone.
    • by magarity (164372) on Saturday September 13, 2008 @01:56AM (#24987939)

      No, breaking in via a keylogger and a magstripe reader is the same as stealing your neighbor's keys, making a copy, poking around his house while he's out, and then telling him that he needs better security.

      • by SirSlud (67381)

        I think the point is, what is the fucking point of putting somebody in jail if they had every opportunity to rape you, and didn't?

        What exactly are we rehabilitating here? If it's a desire to watch some TV in your living room while you're not home, years in jail seems a little excessive to a tax payer like me.

        If somebody did that to my place or my parents', I don't think I'd feel so violated as to think I'd feel safer if this one guy was locked up for 5 years.

    • by DerekLyons (302214) <fairwater@gmai l . c om> on Saturday September 13, 2008 @03:02AM (#24988321) Homepage

      If this is a crime so is alerting your neighbor that their door is unlocked while they were gone.

      Except he didn't "alert his neighbor". He opened the door (which he has no business even trying to do in the first place), and then riffled through the neighbors desk, refrigerator, garage, and basement. Before leaving he made a copy of the front door key, installed taps on the phones, a webcam in the bathroom. Then he told the neighbor that his door was unlocked, his checkbook needed balancing, his taste in soda abominable, his garage was a mess, and the furnace filters needed cleaning.

    • The problem with that is I can keep checking my neighbor's doors or trying to crack my school's computers until I find something worth the risk of failing to report it. Maybe the guy deserves a relatively minor punishment, but what he did is not ignorable.
  • by Announcer (816755) on Saturday September 13, 2008 @01:49AM (#24987909) Homepage

    Your old school did, indeed, do the right thing. This one is not. The guy came forward with what he discovered, in good faith! It gives them the opportunity of preventing a malicious person from causing real damage... and they are going to punish him for this? That's just wrong.

    In fact, it could theoretically turn many others into "black hats" that will go after them, just because they were so hard-nosed with this guy who was, let's be honest, doing them a favor!

    Time for that school to get a clue. I'm really disappointed in their actions.

    • Re: (Score:3, Insightful)

      by reddburn (1109121)
      We need more information. If, for instance, even looked at another student's Family Educational Rights and Privacy Act (FERPA) protected information, then the school must, by law, prosecute him. Uncle Sam doesn't mess around when it comes to assessing penalties - schools with violations can lose federal funding (including grants).

      If he was poking around in an area that made any student information not considered "directory information" (address, campus box, telephone, degree, or e-mail address) accessibl
  • by inflex (123318) on Saturday September 13, 2008 @02:06AM (#24987973) Homepage Journal

    He should have just submitted the 16 page paper anonymously. If he was truly trying to do a purely good deed so there shouldn't have been any need for his name to appear on it for the purposes of fame or positive retribution.

    Given the number of previous incidents similar to this, one would have thought he'd have been aware that this is almost always the outcome. Try entering into a store after hours (when closed) without due permission, without stealing anything and reporting how you did it. Compare the outcome.

  • terms of use (Score:5, Insightful)

    by jschen (1249578) on Saturday September 13, 2008 @02:08AM (#24987991)
    The student almost certainly signed an agreement stating the terms of use for the university network. And he almost certainly broke that agreement. If that's the case, then I don't see how the university's response is wrong.
    • Well said (Score:3, Insightful)

      by atari2600 (545988)

      Not only did he break rules but he did it maliciously (no grey area here) when he used keyloggers. I can see what would happen if I did the same thing where I work - they'd fire me, throw my ass in a federal pound me in the ass prison and generally my life would be ruined

      What we have here is a not a hacker, not a white hat or a black hat hacker. We have a script kiddie. Sadly most of the posters before you seem to have already started making a hero out of this "vigilante".

      • I did do it at work (at my previous place of employment - which I left of my own free will, not because of this!)... what I got out of it was a payrise, a few extra duties for a few months (helping the admin fix the problems I found) and a really nice thankyou gift paid from the IT department's budget. Not every company treats their employees like crap. What I did wasn't exactly like this guy, but it did involve exposing weaknesses in the card system we used for security, so it's not totally unrelated.
  • by Joelfabulous (1045392) on Saturday September 13, 2008 @02:11AM (#24988009)

    I can tell you firsthand that the administration did not take kindly to this.

    With regards to the magnetic stripe thing, it's not surprising that those in charge reacted strongly and sharply. We had recurrent incidents on campus last year with sexual assault and they had to lock down all the residences and the labs, and as such, they took great pains to inform the students who had access cards for the suite residences that they would not, in fact, be in danger, be it financial or otherwise.

    • by plasmacutter (901737) on Saturday September 13, 2008 @02:31AM (#24988137)

      it's not surprising that those in charge reacted strongly and sharply. We had recurrent incidents on campus last year with sexual assault and they had to lock down all the residences and the labs, and as such, they took great pains to inform the students who had access cards for the suite residences that they would not, in fact, be in danger, be it financial or otherwise.

      you have to love an administration which cares more about their ego than the rape targets they were trying to help.

      • by cvd6262 (180823) on Saturday September 13, 2008 @11:09AM (#24990539)

        When I was a grad student, the lab in the education department asked me to implement a "fast, simple" method of pulling up student records. I bought them a cheap mag-strip reader and wrote a little script that would grab the Student ID from the card, then submit it to their campus information system. The lab manager (who was not a tech) was shocked that it worked. He assumed the information on the card would be encrypted or something.

        That same year a buddy of mine who worked for IT services put together a demo of how easily the mag cards could be forged - with less than $100 + a cheap laptop. His bosses were impressed and asked him to demo it for one of the VPs. When he did, the VP told him, "You know, you're on thin ice here. You could get in a lot of trouble for this."

        In essence, the administration (who purchased the card systems) didn't want to know if they were secure. They just wanted to give the impression of security.

    • Overreaction? (Score:4, Insightful)

      by thatskinnyguy (1129515) on Saturday September 13, 2008 @02:48AM (#24988241)

      We had recurrent incidents on campus last year with sexual assault and they had to lock down all the residences and the labs, and as such, they took great pains to inform the students who had access cards for the suite residences that they would not, in fact, be in danger, be it financial or otherwise.

      If your school is locking everything down thanks to sexual assault, because of the nature of the crime, they're obviously not thinking straight. That is a reactive measure and only instills panic. In the case of a shooting however, that can be a proactive measure to ensure that more people aren't harmed.

  • Get real (Score:2, Insightful)

    by taustin (171655)

    "The truth is, some university students are going to have the desire to hack something."

    The truth is, some university students are going to have the desire to light things on fire, too. How many buildings do we let them practice on before we arrest him?

    The truth is, the kid broke the law, and it is nearly inconceivable that he didn't know it at the time he did it. For every hacker they know about, there may well be at least one more they don't know about. But for every hacker they crucify, there will be doz

  • When you disagree with someone's opinion and wish to offer a rebuttal; most times, saying "You're a moronic shithead and your logic is atrociously sophomoric" will not garner a positive response. On the same token, surreptitiously infiltrating your school/company/organization's systems and offering a similar statement in hacker-terms isn't likely to get much praise: no matter how right you might be.

    Yes, to us humans, the approach is almost as important as the idea.

    • True, but pointing out the flaws without a real-world example would allow incompetent officials to plausibly spout off denial and claim the flaws are merely "hypothetical"
       

  • by Gnavpot (708731) on Saturday September 13, 2008 @02:36AM (#24988159)

    The subject of this story says White Hat Hacker. But it seems to me that the break-in was typical black hat hacking. The info to the system administrators may be a typical white hat hacker action, but this does not make the whole thing white hat.

    • Re: (Score:3, Insightful)

      by centuren (106470)

      Typical black hat hacking? Like bringing all the servers down, or taking private information for criminal use? Seriously?

      Student looks around in his universities network. Goes past poorly implemented safeguards, writes about how it can be improved.

      Sounds like an extra credit assignment to me.

      • by Gnavpot (708731)

        Typical black hat hacking? Like bringing all the servers down, or taking private information for criminal use? Seriously?

        Are these actions necessary to consider it black hat hacking?

        Most of the people convicted of hacking (or at least those I have heard of) actually did not do those things. They just broke in to prove that they could, looked around in the systems and used them as a base for hacking into more systems.

  • Any system has some range of conditions that it is intended to tolerate, and there is always a possibility that something outside of that range will break it. As long as people who use and run those systems are aware of this, there is no point in reporting "vulnerabilities" of this kind, in 16-page papers or otherwise. I am sure, I can get a bulldozer, add some armor made of steel and concrete, drive it into a data center, and cause a massive denial of service for everything in it. And yet this is not a goo

  • In other news (Score:5, Insightful)

    by kenp2002 (545495) on Saturday September 13, 2008 @02:43AM (#24988201) Homepage Journal

    Mr. Johnson was recently arrested after finding Mr. Smith's front door unlocked.

    Mr. Johnson snuck into Mr. Smith's home and watched Mr. Smith sleeping for several hours.

    Afterwards Mr. Johnson provided a detailed account of how Mr. Smith had left his front door insecure and ways to better secure the front door.

    Mr. Smith wasn't amused by the report and had Mr. Johnson arrested for tresspassing and breaking and entering.

    Mr Johnson's defense is grounded in the fact he was helping Mr. Smith become a better home owner by sneaking into Mr. Smith's house.

    -----

    You now realize how stupid you sound when you defend someone under these circumstances. This whole White Hat nonsense is about as intelligent a the statement, "Well your honor his front door was unlocked, and obviously I should be allowed to go in there as long as I don't break anything, afterall if he didn't want people in there he should have locked his door at the very least..."

    Put him in jail and maybe these adult children will grow up.

  • by Anonymous Coward on Saturday September 13, 2008 @02:44AM (#24988213)

    I've noticed that generally, if the admins are worth their salt, you don't need to detail every single step to produce an exploit. Just provide enough information to walk them up to the open door, and let THEM walk through it. In fact, writing 16 pages detailing every step of the way makes them question WHY you were so thorough. It also makes them look bad to their higher-ups because some "punk kid" figured out something they didn't.

    I speak as someone who had a run-in with both high school admins and university network admins. Two distinct cases, but with very different results.

    In HS, a friend installed a homebrew backdoor onto every computer in the HS computer lab. It permitted basic keylogging functions, as well as partial remote control (mostly just starting programs remotely). I just de-backdoored the computer I used for class and let others fend for themselves. When he reinstalled the backdoor on my computer the following week, I turned around and killed the backdoor on every system (it supported a room-wide purge in the event that it needed to be removed quickly). Unfortunately, stopping it also caused an error pop-up on every screen in the lab.. at which point everyone knew something was up (but no one knew it was me who stopped it).

    After class, I went to the admins to report exactly how my friend performed the attack, how my friend installed the backdoor, how I stopped it, etc. I figured I was in the clear because I responded as soon as the problem became visible. The following day, I was called into the principles office and threatened with expulsion for "hacking the network". I couldn't convince him that I didn't "hack the network", and it didn't matter that I *STOPPED* the hack; I was in trouble because I drew lots of attention to the problem and proved the admin to be an incompetent moron (the backdoor only existed because the admin's password was his userid+1). My friend was never called into the office, nor given any punishment.

    Fast-forward to college: Through a series of (individually) harmless actions, I discovered that one could elevate their user access from "student" to "full time employee" and gain access to a handful of otherwise inaccessible directories (including source for various university projects). As soon as I realized the problem, I went to the admins and e-mailed them personally with a much vaguer description of the problem. I also couched it with terminology that suggested that I didn't know what I was doing ("I think there might be a bug somewhere in X because when I did X a bunch of directories became accessible that weren't before. It also gave me access to what might be the source code for project Y, but I didn't touch it because I don't think I'm supposed to see it. But I think you guys should know that there might be a problem.")

    The admins thanked me, said they'd look into it, and a day or two later the hole was patched. I never had any problems with them, and continued on my merry way through college.

  • by trims (10010) on Saturday September 13, 2008 @02:45AM (#24988225) Homepage

    Bottom line: it's only White Hat if the "target" asks you to perform the security audit. Pure and simple. Anything else is at best Grey Hat, and that gets you subject to prosecution at the target's discretion. Period.

    This kind of stuff is in a completely different category than analyzing the theoretical weaknesses of a system. Or even cracking software/etc on your personal equipment. Or demonstrating faulty design in a [ahem] subway system WITHOUT HAVING TO SCREW WITH THE SYSTEM. Once you start abusing other people's stuff without permission, I couldn't care less if you were Mary Poppins. IT AIN'T YOURS, SO KEEP YOUR FINGERS OFF IT.

    This isn't Investigative Journalism. Which at least has standards of ethics and conduct.

    People, quit glorifying these idiots.

    • White hat hackers break lots of things without permission. Is DVD Jon a black hat for hacking the CSS system allowing us easier DVD access on Linux now? He'd certainly never have gotten permission to do that.

      Nor would many researchers get permission to test the products they test for defects (physical hacking).

  • he had sent the 16 page report as an anonymous coward.

    The 2 page addendum should have read "if you'd like to talk about this, please sign this contract and return it to this po box, and I will store it in a safe place while I help you guys implement your patches/fixes/etc.

  • by scientus (1357317) <instigatorircNO@SPAMgmail.com> on Saturday September 13, 2008 @03:18AM (#24988389)
    Arggg, its this type of politics bullshit that is holding america back in any technology field that not cutting edge and pure ideas and rather requires a diverse industry. (ie cell phones) American cant just look at facts and look forward and rather like harmful trenches and politics. If someone broke into the network and could write a 16 page report on it it the system admins should be forced to quickly implement it (hiring the guy if they need to) or loose their jobs.

    No amount of the blame game will change the fact that their system is insecure and securing it is in everybody's interest and is really the only thing that matters.

    The submitters policy is exactly what should be used, it reflects real life -- look at the that Switzerland man that got hundreds millions and a new identity from the USA IRS and Germany for his supposedly black-hat acquired data that uncovered millions in tax fraud.

    Not all black hat work is always bad, however it is on the black-hat himself to both make prove this in his case and minimize his damage. This is simply reality.

    Today's black hats do not make noise. Their work does not show up. If you are hacked you probably do not know, and most certainly will not if these type of guys are in charge.

    It is not long till people realize that their personal data has long been available on the market due to bad practices like this and organizations get back lashed against. Sadly for both consumers and these organizations, and even the IT guys they are going to take the childish way out and wait for this to come to them.

    I kinda went off topic, but its a fundamental thing. **playing this blame game destroys everybody, can makes white-hats turn black in disgust with the politics, and will eventually hurt both the general public and the industry greatly**
    • Re: (Score:3, Interesting)

      He wasn't a white-hat. He was installing keystroke loggers. Without explicit permission, that's straightforward black-hat behavior, because many of those interfere with other programs on the system.
  • How would you feel? (Score:4, Interesting)

    by erroneus (253617) on Saturday September 13, 2008 @03:30AM (#24988459) Homepage

    It's late at night. You're still up messing around on your computer. It is otherwise very quiet.

    Suddenly, you hear weird noises at your door. It's not an animal... it's something working at the keyhole.

    At this point, some of you are already reaching for a gun, a baseball bat, something. Others are calling 9-11. Whatever is going on, it isn't right.

    If for some reason, you just go to the door and open it to see who is there, would you feel friendly to this guy if he smiles and says "I am doing you a favor!"

    Okay, this isn't parallel enough...

    How about you came home from work to find a note on the inside of your home explaining "Hi, I got into your home but I didn't take anything. Here is how I did it and what I saw." Come on! How creepy is that?!

    What this guy did was a classic security breach... the kind everyone is already afraid of... the kind that always gets headlines when "personal information is exposed." In some stupid way, maybe he had some twisted idea that he was doing something noble or scholarly. But in the real world, we already know there is a balance between security and convenience. Once in a while, people need to be reminded that the balance is often set too far in favor of convenience, but this guy did too much. Stopping at "I was able to install a keylogger on this system, ran a test or two and disabled it. The log files are here for examination. The information on this computer and accessible through this computer is vulnerable." would have more than sufficed... but even then, it's a bit too much. Perhaps it would have been better to simply place an "Out of Order" sign on the computer to prevent anyone from using it.

    There is a difference between noticing that someone left a door unlocked and telling someone and actually going in and rummaging about and writing up a big report on the topic.

    He needs a slap on the wrist for this. No doubt about it. But nothing permanent... this time...maybe. Some people actually lack some impulse controls in their personalities and get giddy at the notion that they have some power or superiority over others. Some people are just broken that way.

  • Seriously? (Score:3, Interesting)

    by DigitalisAkujin (846133) on Saturday September 13, 2008 @03:32AM (#24988461) Homepage

    I'm honestly appalled by the response from some of you saying he deserved what he got.

    This is a University, not a business. There's no damage, period. There's no cost, no down time. Wtf is wrong with you people?

    This sends the wrong messages. Especially considering we want talented individuals in the IT field. I'm sick an tired of seeing these cookie cutter CIS & IST majors graduating having ZERO or less then one year of real world experience. I would much rather hire this guy. Even more so because even in the position of having the possibility to be malicious in his intent he didn't turn to the evil side. Now you're just gonna turn him into a pariah and ruin the life of a person who clearly would have been a more then productive member of society.

    Breaking and entering to prove a point != Whitehat hacking

    Stop pretending that it is.

    Fuck the politics. This is the difference between right and wrong.

    You people make me sick.

    • Here's your every day problem. Law and moral justice are drifting very far apart..

      To the morons that are in the process of ruining someone's future, two questions:

      - what did YOU do when you were at college?
      - what would you do if this was your own kid? Sure, I'd give him hell but I wouldn't even remotely considering getting him a rap sheet.

      Yes, I said morons. I meant it, too.

    • Re: (Score:3, Informative)

      by Xugumad (39311)

      > Breaking and entering to prove a point != Whitehat hacking

      How is it not? Because one's breaking into a computer and one's breaking into a house?

      This guy could have written some software that popped up "keylogger!" after someone logged in, and found a member of staff to show. Or he could have found a member of staff, and demonstrated logging his own password and magstripe.

      Instead, he accessed THIRTY TWO different student accounts. Really, how many do you need to test to be sure it works?

    • No damage? Really? (Score:4, Informative)

      by shalla (642644) on Saturday September 13, 2008 @09:55AM (#24989961)

      Actually, did you read the article? The bottom line is that he revealed account information on students to multiple people who were not in the position to fix any problems (including other students via e-mail).

      White hat hacking, my ass.

      He used a keylogger and magnetic card reader to capture the information to break into accounts. After that, he sent the 16-page paper (which WAS sent under a psudonym, since people keep suggesting that) not to a system administrator or someone who could deal with it quietly, but instead to a secretary, and eventually he e-mailed it to 37 other students. Fantastic move, that. Included in the paper was the personal account information of the students. So yes, he revealed the account information of his victims to other people.

      Maybe he had good intentions, but that puts him pretty firmly in the "Please, prosecute me!" camp. If he'd revealed information on me that allowed someone to make campus purchases as me as well as check my school records and access my email, I'd be pressing charges too.

      Maybe there was no damage to the university's infrastructure that we know about, but I'm pretty sure that those students would have been damn lucky if no one went into their accounts and took advantage of them, the way he handled it. And THAT, my friend, is why he's being charged.

  • Pointing out people's security problems to them is usually about as "good a deed" as saying something like "Did you know you have a big, ugly, black mole on your nose? You should really have that removed."

  • If you act nice to someone and they are rude in return, they deserve no respect. Just mention how the sixteen page report will become public if they pursue the matter. Make sure the document is placed somewhere NOT UNDER YOUR CONTROL so that a restraining order will have no effect.

    That's a nice network you have there. It would be shame if something were to happen to it.

    Blackmail is a dirty word. I prefer extortion.

  • "Hacking, for 25,000 dollars."

    Slashdot, University Brings Charges Against White Hat Hacker.

    "What is the best way to turn a well-intentioned white hat into a revenge-motivated black hat"?

    ABSOLUTELY CORRECT!

  • by master_p (608214) on Saturday September 13, 2008 @06:59AM (#24989197)

    The real meaning of punishment here, from the University's perspective, is that "don't mess with our systems, or they'll be consequences". It's a punishment to discourage others, who may not be that good, to attempt hacking.

  • by dskoll (99328) on Sunday September 14, 2008 @03:18AM (#24996673)

    He broke the law and stole 32 students' passwords. That's not "White Hat". White Hat would have been to publish his findings without actually stealing the passwords.

A method of solution is perfect if we can forsee from the start, and even prove, that following that method we shall attain our aim. -- Leibnitz

Working...