Blaming The Messenger: Student Almost Expelled For Spotting Security Flaw
from the better-to-keep-quiet? dept
We've heard so many stories where whoever discovers a security vulnerability (and calls attention to it) is later blamed for that vulnerability. At this point, perhaps it shouldn't be surprising, but we keep hoping that people begin to realize what a ridiculous policy it is, and how it simply pushes people to keep quiet about security weaknesses, leaving them vulnerable to those who would do harm. In the latest case, the good news is that a student who found his university revealing names, social security numbers and grade point averages has not been expelled, but apparently the school came very close to making that decision. The school accused him of breaking "a university computer use policy that prohibits unauthorized people from accessing confidential files that may have been inadvertently placed in a publicly accessible location." Yes, you read that correctly. The school has a policy saying if it screws up and you accidentally access a file it shouldn't have made publicly available, you are to blame.Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: blame the messenger, security
Reader Comments
Subscribe: RSS
View by: Time | Thread
Worse, they fired (did not renew the contract of) the Newspaper's advisor, because she did not cover their asses by not publishing it and making it go away quietly (I am guessing of course).
If you want to fire or blame someone, blame the person who put the file in that directory, not the whistle blower(s) who called them out.
[ link to this | view in thread ]
Disingenuous
[ link to this | view in thread ]
the need..
[ link to this | view in thread ]
Policy wrong, punishment wrong
[ link to this | view in thread ]
Oh dear
This is the most stupid thing I have heard all month. And I have heard some utter rubbish this month.
[ link to this | view in thread ]
That's key.. No real data was in the newspaper.
Could really look at this in another way - if the university trained their staff properly, this shouldn't have happened.
I don't place confidential info on public shares..
[ link to this | view in thread ]
Re: Disingenuous
[ link to this | view in thread ]
'
"This was not a freedom of the press issue at all," Weiss said. The school newspaper should be able to write on any topic it wants to, he said. Similarly, "the issue is not that the student discovered a file that contained confidential information. For that we are grateful," said Weiss who also expressed gratitude to Loving for discovering a vulnerability the university had not been aware of up to that time.
Rather, the problem had to do with the manner in which the information was handled after it had been discovered, Weiss said.
'
come on Techdirt....read the whole article before going for the jugular.
[ link to this | view in thread ]
Re: Re: Disingenuous
[ link to this | view in thread ]
[ link to this | view in thread ]
So the kid copies the info and sends it to the campus paper? Sounds smart to me. In this day and age it is much to easy to makes such mistakes disapeer, leaving the people who noticed the flaw standing around looking like fools. Hmm, what will get the greatest results, the goal being to make sure the campus doesn't do this sort of thing again. Should we send it to them first, so they can make it go away before the newsies see any proof, or should we rub thier faces in it, then let em take care of it. Tough question, though if I remember my puppy training right you rub it's nose in it before you clean up the piddle puddle.
But, by all means, let's call the guy an idiot because he didn't feel like being made to look like one of the three stooges (most likely curly). And as for the "cover your @$$ mentality"? In sue-happy America do you blame the campus for shooting the messenger? When every honest mistake is seen as aiding and or abetting terrorism or some other villainous scheme, you kind of get jumpy when bad news comes in. Is it right? No. Doesn't mean it's not understandable. Heck, these days they are selling butprotectors instead of pocketprotectors. They're really quite handy. Leave your hands free to actually do something about the problem instead of just running around hunched over with one hand on your rear and the other fending off lawyers.
[ link to this | view in thread ]
Typical TechDirt Farmer...
[ link to this | view in thread ]
Any Comments Mike?
[ link to this | view in thread ]
Move along...
Russian hackers believed to have purchased personal information on thousands of university students in US. The source of the information is unknown, but law enforcement officials are investigating.
On an aside note, since when is an erroneously placed file now considered a "vulnerability" ? This is rubbish. Vulnerabilities can be patched/fixed/corrected. They are UNINTENDED behavior by a service/application that can be exploited. Try as you may, there is no patch or fix for human carelessness or stupidity. Nor did it take anything other than normal file/folder browsing to "exploit" this vulnerability.
Things like this are overcome only by good principles in IT. Why were students accessing the same fileserver as university staff where such data would be stored, secured folder or not? Why would this much/type of information be stored in a "file" to begin with? Why would someone with obviously such lax training on proper file handling be responsible for handling such delicate information, or even have access to it?
These are the questions the newspaper should have been asking of their College, as well as when the next meeting would take place with IT to discuss security practices.
[ link to this | view in thread ]
what?
also: somehow students just naturally know what to do with that kind of thing? what's that? they took the class on reporting administrative web errors?, that's right.
hah.
-Spikes
[ link to this | view in thread ]
only one thing to do
Even logically the University's policy is wholly inappropriate.
[ link to this | view in thread ]
I can speak from expiernce here
Fortunately both my parents had been working for the county school system for so long and at such a high level that I was practically on a first name basis with the principal.
The sad part about it is after having one of the scariest days of my young life they never fixed the issue. Two years after I left they lost a bunch of student records to data theft. In retrospect I wish I had reported it to the paper, and then at least these students might not have lost a semester worth of grades.
It's a damned if you do/damend if you don't kind of world and in academia it can be even worse.
[ link to this | view in thread ]
Give him a break..
The only two real choices this guy had that would not have gotten him expelled were to tell no one, and to tell everyone. By telling everyone, the school is no longer in a position to lie about the circumstances of the incident, making expelling him politically imprudent.
[ link to this | view in thread ]
what about "creeps" in the administration, or IT, or the cops...
anyway, the fact he "copied" data is a thorny issue.
what if he told the IT/admin, then the paper, but by thetime the paper go there "IT had fixed" the issue?
i mean i'd like to know if my info was open to the public....
[ link to this | view in thread ]
Hmmm
I checked out the full story and it looks to me he got in trouble for simply viewing the info. I really don't see how mike twisted the story.
[ link to this | view in thread ]
Re: Hmmm
[ link to this | view in thread ]
Re:
I'm not sure the paper employee should have been fired, just because she omitted the lecture the university thought she should have included in the article. Hm...
[ link to this | view in thread ]
Blame game
[ link to this | view in thread ]
Blame game
[ link to this | view in thread ]
Re: Re: Re: Disingenuous
[ link to this | view in thread ]
Re: Disingenuous
The university screwed up and was embarrassed so they seek retribution, while feebly hiding behind a reality ignoring computer use policy.
And the obtuse computer use policies have no bearing on the discussion because they violate common sense, much like email disclaimers. Anyone who thinks it was wrong to go to the paper first lives in fantasy land if they think it would have been addressed without publicity. Especially given the obviously flawed computer use CMA policy that they were so ready to hid behind.
[ link to this | view in thread ]
Re: Disingenuous
While I agree that the computer use policy was rediculous, he really should have notified campus staff before he notified the newspapers.
I also agree with another person who was waiting for a response from Mike. ... Mike, anything?
[ link to this | view in thread ]
Re:Diingenuous
[ link to this | view in thread ]
Re: Disingenuous
The policy in question doesn't say anything about disclosure. It says accessing the content. The question about being expelled was about violating that policy.
Even if you claim that the issue was going to the press, again that's setting a very dangerous precedent. The guy was whistleblowing, which is generally what we want to see. Coming down on him for going to the press is how you stop people from whistleblowing.
For an example of a very similar situation, remember the case in Ohio?
http://www.dispatch.com/live/contentbe/dispatch/2006/06/22/20060622-A1-01.html
Similar situation. The school blamed the guy for finding a data leak, attacked him... but didn't fix the data leak, leading to a massive security breach.
[ link to this | view in thread ]
[ link to this | view in thread ]
Lesson Learned
It's sad when that type of mentality is required but a good Samaritan who gets screwed over is just as screwed as a criminal, so why risk it?
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Any Comments Mike?
[ link to this | view in thread ]
Re: Re: Hmmm
[ link to this | view in thread ]
Re: Re: Disingenuous
[ link to this | view in thread ]
Rather, the problem had to do with the manner in which the information was handled after it had been discovered, Weiss said.
"Once confidential information is discovered, we don't expect people to be downloading copies of that information and giving it to other people," he said. "He mishandled copies of the file,"
Whistleblower? I think not. You can whistleblow without giving the actual information over to a newspaper. What purpose does it serve to make more copies of the list? Don't you make your point by just showing someone the list? I think its pretty funny that the kid went to the newspaper first and the school administration after that.
This kid was looking for publicity, don't make him out to be more than he is. Should the kid have been expelled? Of course not, if you don't want kids doing silly things don't put sensitive information in a place where they can find it.
[ link to this | view in thread ]
Re: Re: Disingenuous
Again, I don't think the issue is going to the press, the issue is taking the file to the press. I can agree with your point that stifling whistlyblowing is dangerous, but your report is misleading to suggest that merely finding the file was what caused him to be nearly expelled. While that was the policy that they cited, I doubt they would be done anything had he merely reported the issue versus copying the file.
What is your interest in the story that compels you to make stuff up?
Fascinating choice of words. I didn't, as you say, make stuff up. Since I have no connection to any of this more than just reading the article, I am merely giving my opinion on what I understood to be the issue the school was upset about.
[ link to this | view in thread ]
Replies
To those who still don't grasp the point of the article, here it is. The campus has a policy that attempts to punish any student for accesing condfidential files that were erronously posted to the world wide web. That was the point of Mike's article. The Campus does in fact have such a policy, so there was no error or misdirection on Mike's part.
The fact that the campus administration tried to redirect focus from thier failures and inapropriate policies was never mentioned in Mike's article, nor was the students actions, other than his finding the misplaced file.
I have to wonder at why people keep stating it was wrong of the student to bring the file, and it's contents, to the newspaper. Even had the newspaper printed the contents of the folder no more harm could be done. The campus had already made that information available to the general public by way of the internet, which gets aruably more readers than a local paper. Also, looking at how and why the campus attempted to punish the student it seems to me that bringing the whole sordid affair into the spotlight was a very smart move. Had he kept quiet there is no doubt in my mind that he would have been expelled. However, with the spotlight on them, the campus administration could hardly punish another for what was undeniably thier failure. If anybody should have legal action taken against them it is the campus, and I gleefully await the lawsuit that any sane person would bring against them for such a breach of confidentiality.
[ link to this | view in thread ]
Reporting it to administration usually results in
One day, while submitting homework to my teacher, I found that with a few keypresses, I could access the system as an administrator, with full and complete access to everything. Once I realized what it was, I closed my session, and took the information to the appropriate administrative officials.
Big mistake.
I was banned from the universities network, threatened with expulsion, and placed on probation. Mind you I didn't do anything in the system, and once I realized what it was I terminated my session. I brought it to their attention less than 24 hours after my discovery.
Because of my "loss" of network priveledges, I was forced to drop three classes, and basically lost a semester of work along with a semester of tuition/fees/other expenses.
I ended up filing a civil suit against the university. They were quick to offer a settlement, but I refused the first half-dozen because they would have had me admitting to misuse of university property, and would have prevented me from discussing any aspect of the incident or the suit. It took 5 or 6 months before the suit was settled, though less than amicably. In the end, they removed any negative comments or documents related to this incident from my student record, paid my attorney fees, and paid for a year of school (at another university).
One year after I found the flaw, it was still there. I could access student records, including name/ssn/address/email/phone/etc, and change any information contained in the system - including grades for students in classes using that failed, flawed product.
Now, if I find a security flaw, I do not report it to the "appropriate" party. I have no wish to be threatened, sued, etc. Now, I would anonymously and publicly report the flaw.
The powers that be may not like it, but what do you expect when you punish the messenger. The person who finds a flaw is NOT (usually) the person who created the flaw, or failed to follow security procedures. They are NOT criminals, even if treated like one.
I was expecting a "thanks for pointing that out. We will take a look at it and fix it asap", instead I lost almost a year of my life from mistreatment & persecution by the powers that be.
[ link to this | view in thread ]