Blaming The Messenger: Student Almost Expelled For Spotting Security Flaw

from the better-to-keep-quiet? dept

Wed, Oct 17th 2007 5:41am — Mike Masnick

We've heard so many stories where whoever discovers a security vulnerability (and calls attention to it) is later blamed for that vulnerability. At this point, perhaps it shouldn't be surprising, but we keep hoping that people begin to realize what a ridiculous policy it is, and how it simply pushes people to keep quiet about security weaknesses, leaving them vulnerable to those who would do harm. In the latest case, the good news is that a student who found his university revealing names, social security numbers and grade point averages has not been expelled, but apparently the school came very close to making that decision. The school accused him of breaking "a university computer use policy that prohibits unauthorized people from accessing confidential files that may have been inadvertently placed in a publicly accessible location." Yes, you read that correctly. The school has a policy saying if it screws up and you accidentally access a file it shouldn't have made publicly available, you are to blame.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: blame the messenger, security

40 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

ScaredOfTheMan, 17 Oct 2007 @ 6:05am

What silly response from the University.

Worse, they fired (did not renew the contract of) the Newspaper's advisor, because she did not cover their asses by not publishing it and making it go away quietly (I am guessing of course).

If you want to fire or blame someone, blame the person who put the file in that directory, not the whistle blower(s) who called them out.
[ link to this | view in chronology ]
DCX2, 17 Oct 2007 @ 6:06am

Disingenuous
Mike, your post is disingenuous. He was not almost expelled because he pointed out a security vulnerability. He was almost expelled because when he uncovered this confidential information, he gave it to the campus newspaper, and copies were made.
[ link to this | view in chronology ]
- Random Thoughts, 17 Oct 2007 @ 6:59am
  
  Re: Disingenuous
  I have noticed that Mike sometimes twists a story to his own needs by omitting a relative detail or two.
  [ link to this | view in chronology ]
  - John, 17 Oct 2007 @ 7:11am
    
    Re: Re: Disingenuous
    It's unfortunate that most people tend to do the same in everything from research papers, debates, to news. We live in an age of "spin". I look forward to the day when we can get news without bias.
    [ link to this | view in chronology ]
    - Jason, 17 Oct 2007 @ 10:16am
      
      Re: Re: Re: Disingenuous
      You do that; keep on waiting. You have a better chance at finding Jimmy Hoffa than a completely honest news source.
      [ link to this | view in chronology ]
- Mike (profile), 17 Oct 2007 @ 11:40am
  
  Re: Disingenuous
  Mike, your post is disingenuous. He was not almost expelled because he pointed out a security vulnerability. He was almost expelled because when he uncovered this confidential information, he gave it to the campus newspaper, and copies were made.
  
  The policy in question doesn't say anything about disclosure. It says accessing the content. The question about being expelled was about violating that policy.
  
  Even if you claim that the issue was going to the press, again that's setting a very dangerous precedent. The guy was whistleblowing, which is generally what we want to see. Coming down on him for going to the press is how you stop people from whistleblowing.
  
  For an example of a very similar situation, remember the case in Ohio?
  
  http://www.dispatch.com/live/contentbe/dispatch/2006/06/22/20060622-A1-01.html
  
  Similar situation. The school blamed the guy for finding a data leak, attacked him... but didn't fix the data leak, leading to a massive security breach.
  [ link to this | view in chronology ]
  - Eliot, 18 Oct 2007 @ 7:02am
    
    Re: Re: Disingenuous
    Even if you claim that the issue was going to the press, again that's setting a very dangerous precedent.
    
    Again, I don't think the issue is going to the press, the issue is taking the file to the press. I can agree with your point that stifling whistlyblowing is dangerous, but your report is misleading to suggest that merely finding the file was what caused him to be nearly expelled. While that was the policy that they cited, I doubt they would be done anything had he merely reported the issue versus copying the file.
    
    What is your interest in the story that compels you to make stuff up?
    
    Fascinating choice of words. I didn't, as you say, make stuff up. Since I have no connection to any of this more than just reading the article, I am merely giving my opinion on what I understood to be the issue the school was upset about.
    [ link to this | view in chronology ]
ehrichweiss, 17 Oct 2007 @ 6:17am

the need..
This illustrates the need for every school system to have not just the teacher who doesn't mind learning how to use the hardware/software but rather a real tech with a firm grasp of the concepts and limitations of the system actually IN CHARGE of the system instead of the school administrators. A teacher is always in "authority mode" and never knows when to admit they are wrong especially if their job could be at risk(for claiming expertise in an area where they are actually incompetent) when it's more convenient to get a student suspended/expelled.
[ link to this | view in chronology ]
Chuck Norris' Enemy (deceased), 17 Oct 2007 @ 6:25am

Policy wrong, punishment wrong
Of course the policy is wrong but maybe they had nothing else to grab at to punish the idiot for (if you read the article in its entirety) copying the data and giving it to the newspaper. I wouldn't call that making a security vulnerability known properly. Should have contacted the IT department, school officials, or university police then told the newspaper the story. The fact that he actually copied the data and moved it leaves a lot of unknowns. Where else did he decide to leave a copy? The IT department ransacked the newspaper office...but the guy could have put it anywhere.
[ link to this | view in chronology ]
Mike F.M, 17 Oct 2007 @ 6:35am

Oh dear
"that may have been inadvertently placed in a publicly accessible location"

This is the most stupid thing I have heard all month. And I have heard some utter rubbish this month.
[ link to this | view in chronology ]
Overcast, 17 Oct 2007 @ 6:46am

it decided to publish a four-page special report with an article describing Loving's discovery. No names of any of the students were published in the article.

That's key.. No real data was in the newspaper.

Could really look at this in another way - if the university trained their staff properly, this shouldn't have happened.

I don't place confidential info on public shares..
[ link to this | view in chronology ]
- Strofcon, 17 Oct 2007 @ 9:58am
  
  Re:
  The problem still lies in the fact that he made a copy and supplied the newspaper with the information. The newspaper had no need for that information, and he had no excuse for making a copy of the information. So, it doesn't matter that the paper didn't publish anyone's information (although doing so would have epitomized idiocy), it matters that he handled it wrong.
  
  I'm not sure the paper employee should have been fired, just because she omitted the lecture the university thought she should have included in the article. Hm...
  [ link to this | view in chronology ]
Anonymous Coward, 17 Oct 2007 @ 7:03am

HOLD ON a sec. As someone stated above, he's not in trouble for finding the flaw, but disclosing it to an unauthorized source. To quote your own link:

'
"This was not a freedom of the press issue at all," Weiss said. The school newspaper should be able to write on any topic it wants to, he said. Similarly, "the issue is not that the student discovered a file that contained confidential information. For that we are grateful," said Weiss who also expressed gratitude to Loving for discovering a vulnerability the university had not been aware of up to that time.

Rather, the problem had to do with the manner in which the information was handled after it had been discovered, Weiss said.
'

come on Techdirt....read the whole article before going for the jugular.
[ link to this | view in chronology ]
Anonymous Coward, 17 Oct 2007 @ 7:14am

It doesn't matter whether or not he gave any real data to the newspaper or not. The issue is that he told the newspaper about it first. What if some creep working for the newspaper just exploited that same vulnerability? Then would it still be okay? The student didn't handle it properly.
[ link to this | view in chronology ]
Barrenwaste, 17 Oct 2007 @ 7:15am

Wait....you mean Mike reports things that are biased in his favor? Well, there's no way he'd ever get a job with a major news agency with that kind of thinking! They have thier integert...inteergit...integity (Well, the newspapers can't spell it either) to think of.

So the kid copies the info and sends it to the campus paper? Sounds smart to me. In this day and age it is much to easy to makes such mistakes disapeer, leaving the people who noticed the flaw standing around looking like fools. Hmm, what will get the greatest results, the goal being to make sure the campus doesn't do this sort of thing again. Should we send it to them first, so they can make it go away before the newsies see any proof, or should we rub thier faces in it, then let em take care of it. Tough question, though if I remember my puppy training right you rub it's nose in it before you clean up the piddle puddle.

But, by all means, let's call the guy an idiot because he didn't feel like being made to look like one of the three stooges (most likely curly). And as for the "cover your @$$ mentality"? In sue-happy America do you blame the campus for shooting the messenger? When every honest mistake is seen as aiding and or abetting terrorism or some other villainous scheme, you kind of get jumpy when bad news comes in. Is it right? No. Doesn't mean it's not understandable. Heck, these days they are selling butprotectors instead of pocketprotectors. They're really quite handy. Leave your hands free to actually do something about the problem instead of just running around hunched over with one hand on your rear and the other fending off lawyers.
[ link to this | view in chronology ]
- Anonymous Coward, 17 Oct 2007 @ 4:04pm
  
  Re:
  Wait....you mean Mike reports things that are biased in his favor?
  You need to explain how it was somehow in Mike's favor.
  [ link to this | view in chronology ]
I wanna be like Mike, 17 Oct 2007 @ 7:15am

Typical TechDirt Farmer...
Sensationalize it....people will read it. Omit key details....it makes it on TechDirt....
[ link to this | view in chronology ]
Anonymous Coward, 17 Oct 2007 @ 7:22am

Any Comments Mike?
Are you going to respond to the fact that you completely twisted the facts of what happened? Maybe you could do us all a favor by rewriting this blog or removing it.
[ link to this | view in chronology ]
- Anonymous Coward, 17 Oct 2007 @ 4:05pm
  
  Re: Any Comments Mike?
  Yeah Mike, get off the internet! We don't like what you write!
  [ link to this | view in chronology ]
Brian, 17 Oct 2007 @ 7:30am

Move along...
In other news...
Russian hackers believed to have purchased personal information on thousands of university students in US. The source of the information is unknown, but law enforcement officials are investigating.

On an aside note, since when is an erroneously placed file now considered a "vulnerability" ? This is rubbish. Vulnerabilities can be patched/fixed/corrected. They are UNINTENDED behavior by a service/application that can be exploited. Try as you may, there is no patch or fix for human carelessness or stupidity. Nor did it take anything other than normal file/folder browsing to "exploit" this vulnerability.

Things like this are overcome only by good principles in IT. Why were students accessing the same fileserver as university staff where such data would be stored, secured folder or not? Why would this much/type of information be stored in a "file" to begin with? Why would someone with obviously such lax training on proper file handling be responsible for handling such delicate information, or even have access to it?

These are the questions the newspaper should have been asking of their College, as well as when the next meeting would take place with IT to discuss security practices.
[ link to this | view in chronology ]
Cawwot, 17 Oct 2007 @ 7:34am

what?
why all this Mike bashing? he only did what every single other news corp in the world does. used the media.

also: somehow students just naturally know what to do with that kind of thing? what's that? they took the class on reporting administrative web errors?, that's right.

hah.

-Spikes
[ link to this | view in chronology ]
Magnus, 17 Oct 2007 @ 7:40am

only one thing to do
One thing can make Universities and other corporations wake up to a rule like that... sue them for damages related to stress and inappropriate behaviors for taking punitive steps for accessing information placed inadvertently into the public domain. Recent rulings in my field (ITAR and National Security Compliance) have deemed that when a company does either deliberately or inadvertently place information into the public domain (which for this purpose includes net access) then they are held firmly liable for all consequences.

Even logically the University's policy is wholly inappropriate.
[ link to this | view in chronology ]
Manitcor, 17 Oct 2007 @ 8:01am

I can speak from expiernce here
Going to the paper or not the student would likely get in trouble. Years ago I discovered a very similar problem at my old school and took it directly to the administration. Within hours I was standing in front of a cop with the network admin threatening to have me arrested and expelled (and I didn't even find real data just an un-protected administrative share).

Fortunately both my parents had been working for the county school system for so long and at such a high level that I was practically on a first name basis with the principal.

The sad part about it is after having one of the scariest days of my young life they never fixed the issue. Two years after I left they lost a bunch of student records to data theft. In retrospect I wish I had reported it to the paper, and then at least these students might not have lost a semester worth of grades.

It's a damned if you do/damend if you don't kind of world and in academia it can be even worse.
[ link to this | view in chronology ]
Joshua, 17 Oct 2007 @ 8:14am

Give him a break..
If he had gone directly to the school with the vulnerability he would have been quietly expelled to save the school's ass. And when he complained the school would have the upper hand and be able to tell everyone who asked that he had gone and willingly accessed sensitive information that he had no right to.

The only two real choices this guy had that would not have gotten him expelled were to tell no one, and to tell everyone. By telling everyone, the school is no longer in a position to lie about the circumstances of the incident, making expelling him politically imprudent.
[ link to this | view in chronology ]
Anonymous Coward, 17 Oct 2007 @ 8:25am

someone said "creeps" in the newspaper could have "mishandled" the data.

what about "creeps" in the administration, or IT, or the cops...

anyway, the fact he "copied" data is a thorny issue.

what if he told the IT/admin, then the paper, but by thetime the paper go there "IT had fixed" the issue?

i mean i'd like to know if my info was open to the public....
[ link to this | view in chronology ]
AJ, 17 Oct 2007 @ 9:04am

Hmmm
"Two months into the investigation, Loving -- who is now a staffer with the newspaper -- was found to have broken a university computer use policy that prohibits unauthorized people from accessing confidential files that may have been inadvertently placed in a publicly accessible location. On Sept. 28 he faced a disciplinary hearing over the incident." pc world quote from mike's link above....

I checked out the full story and it looks to me he got in trouble for simply viewing the info. I really don't see how mike twisted the story.
[ link to this | view in chronology ]
- Anonymous Coward, 17 Oct 2007 @ 9:19am
  
  Re: Hmmm
  He got in trouble for going to the school newspaper first, and not the school. Also he made a copy of the file. Common sense says you do not copy a file with a bunch of social security numbers in it. But then again you all drink the cool aid Mike puts out there so I guess it doesn't matter that everyone says that the story was twisted. Fight the man. It is the man's fault that we are all inadequate.
  [ link to this | view in chronology ]
  - Anonymous Coward, 17 Oct 2007 @ 4:09pm
    
    Re: Re: Hmmm
    Talk about twisted. Read the story. The rule he was accused of breaking had nothing to do with newspapers and would have applied whether he went to a newspaper or not.
    [ link to this | view in chronology ]
shell, 17 Oct 2007 @ 10:01am

Blame game
Sounds like this University administration is taking lessons from the Bush's adminstration. They screw up and hold everyone else responsible for letting them screw up!!!So, why isn't this adminstration being investigated, or do they also have a "congress" insulating them from taking responsibiity all the while funding their "policies"?
[ link to this | view in chronology ]
shell, 17 Oct 2007 @ 10:09am

Blame game
Sounds like this University administration is taking lessons from the Bush's adminstration. They screw up and hold everyone else responsible for letting them screw up!!!So, why isn't this adminstration being investigated, or do they also have a "congress" insulating them from taking responsibiity all the while funding their "policies"?
[ link to this | view in chronology ]
Clueby4, 17 Oct 2007 @ 10:19am

Re: Disingenuous
Disingenuous, perhaps if you subscribe to the same creative interpretation that the university attempts to maliciously use. Which I would argue is the only source "spin" in this story

The university screwed up and was embarrassed so they seek retribution, while feebly hiding behind a reality ignoring computer use policy.

And the obtuse computer use policies have no bearing on the discussion because they violate common sense, much like email disclaimers. Anyone who thinks it was wrong to go to the paper first lives in fantasy land if they think it would have been addressed without publicity. Especially given the obviously flawed computer use CMA policy that they were so ready to hid behind.
[ link to this | view in chronology ]
Eliot, 17 Oct 2007 @ 11:11am

Re: Disingenuous
I agree. This post is misleading. It's not that he found and read the information (that would have probably been acceptable) but that he copied the information and gave it to another source.

While I agree that the computer use policy was rediculous, he really should have notified campus staff before he notified the newspapers.

I also agree with another person who was waiting for a response from Mike. ... Mike, anything?
[ link to this | view in chronology ]
- Anonymous Coward, 17 Oct 2007 @ 4:18pm
  
  Re: Re: Disingenuous
  I agree. This post is misleading. It's not that he found and read the information (that would have probably been acceptable) but that he copied the information and gave it to another source.
  That he found and read the information is exactly what the rule he is accused of breaking forbids. What is your interest in the story that compels you to make stuff up?
  [ link to this | view in chronology ]
Barrenwaste, 17 Oct 2007 @ 11:38am

Re:Diingenuous
Wait....it's that he copied invormation? Then why was he given a hearing based on the fact that he viewed it? The campus can't try to discipline him for one thing while claiming that his true infraction was something else intirely. Something, I might add, that isn't illegal. The student would have to be monumentally stupid not to provide evidence for the crime he said he, and he alone, witnessed. So, which is it? Was he wrong for finding it, or wrong for giving said information to the newspaper? Either way, neither action was a crime and the campus had no right to attempt an expulsion.
[ link to this | view in chronology ]
The Kid, 17 Oct 2007 @ 12:28pm

Zing!
[ link to this | view in chronology ]
Tempest, 17 Oct 2007 @ 1:01pm

Lesson Learned
It's stories like that that reaffirm my long-standing policy when it comes to security vulnerabilities, don't tell anyone. As far as I'm concerned if someone else screws their system up it's their ass; I'm not getting expelled/fired/arrested because they wanted a scapegoat...

It's sad when that type of mentality is required but a good Samaritan who gets screwed over is just as screwed as a criminal, so why risk it?
[ link to this | view in chronology ]
LueShi, 17 Oct 2007 @ 1:16pm

LUE ROOLZ
[ link to this | view in chronology ]
RandomThoughts, 18 Oct 2007 @ 6:06am

The student wasn't expelled, so whats the beef? From the PC Magazine article: ""the issue is not that the student discovered a file that contained confidential information. For that we are grateful," said Weiss who also expressed gratitude to Loving for discovering a vulnerability the university had not been aware of up to that time.

Rather, the problem had to do with the manner in which the information was handled after it had been discovered, Weiss said.

"Once confidential information is discovered, we don't expect people to be downloading copies of that information and giving it to other people," he said. "He mishandled copies of the file,"

Whistleblower? I think not. You can whistleblow without giving the actual information over to a newspaper. What purpose does it serve to make more copies of the list? Don't you make your point by just showing someone the list? I think its pretty funny that the kid went to the newspaper first and the school administration after that.

This kid was looking for publicity, don't make him out to be more than he is. Should the kid have been expelled? Of course not, if you don't want kids doing silly things don't put sensitive information in a place where they can find it.
[ link to this | view in chronology ]
Barrenwaste, 18 Oct 2007 @ 7:49am

Replies
Well Coward, if it shows flaws in the policies of big businesses and or large and established corporate/political/educational entities then it most likely favors one of Mike's theories. However, since that part of my reply was mostly vitriol and sarcasm and had no true substance other than critiscism of the unreal expectations of others, I can't see how it matters.

To those who still don't grasp the point of the article, here it is. The campus has a policy that attempts to punish any student for accesing condfidential files that were erronously posted to the world wide web. That was the point of Mike's article. The Campus does in fact have such a policy, so there was no error or misdirection on Mike's part.

The fact that the campus administration tried to redirect focus from thier failures and inapropriate policies was never mentioned in Mike's article, nor was the students actions, other than his finding the misplaced file.

I have to wonder at why people keep stating it was wrong of the student to bring the file, and it's contents, to the newspaper. Even had the newspaper printed the contents of the folder no more harm could be done. The campus had already made that information available to the general public by way of the internet, which gets aruably more readers than a local paper. Also, looking at how and why the campus attempted to punish the student it seems to me that bringing the whole sordid affair into the spotlight was a very smart move. Had he kept quiet there is no doubt in my mind that he would have been expelled. However, with the spotlight on them, the campus administration could hardly punish another for what was undeniably thier failure. If anybody should have legal action taken against them it is the campus, and I gleefully await the lawsuit that any sane person would bring against them for such a breach of confidentiality.
[ link to this | view in chronology ]
Cub, 18 Oct 2007 @ 1:18pm

Reporting it to administration usually results in
A few years back, I was a student at a major public university in Texas. This school used an online blackboard/bbs type system for many of it's classes.

One day, while submitting homework to my teacher, I found that with a few keypresses, I could access the system as an administrator, with full and complete access to everything. Once I realized what it was, I closed my session, and took the information to the appropriate administrative officials.

Big mistake.

I was banned from the universities network, threatened with expulsion, and placed on probation. Mind you I didn't do anything in the system, and once I realized what it was I terminated my session. I brought it to their attention less than 24 hours after my discovery.

Because of my "loss" of network priveledges, I was forced to drop three classes, and basically lost a semester of work along with a semester of tuition/fees/other expenses.

I ended up filing a civil suit against the university. They were quick to offer a settlement, but I refused the first half-dozen because they would have had me admitting to misuse of university property, and would have prevented me from discussing any aspect of the incident or the suit. It took 5 or 6 months before the suit was settled, though less than amicably. In the end, they removed any negative comments or documents related to this incident from my student record, paid my attorney fees, and paid for a year of school (at another university).

One year after I found the flaw, it was still there. I could access student records, including name/ssn/address/email/phone/etc, and change any information contained in the system - including grades for students in classes using that failed, flawed product.

Now, if I find a security flaw, I do not report it to the "appropriate" party. I have no wish to be threatened, sued, etc. Now, I would anonymously and publicly report the flaw.

The powers that be may not like it, but what do you expect when you punish the messenger. The person who finds a flaw is NOT (usually) the person who created the flaw, or failed to follow security procedures. They are NOT criminals, even if treated like one.

I was expecting a "thanks for pointing that out. We will take a look at it and fix it asap", instead I lost almost a year of my life from mistreatment & persecution by the powers that be.
[ link to this | view in chronology ]