Student Charged With Crime For Telling University Officials About Security Hole
from the blame-the-messenger dept
For many years, we've covered case after case after case after case after case after case after case of people being blamed, arrested or even jailed for pointing out a security flaw. It should come as no surprise that many security researchers claim that it's just not worth it to research security vulnerabilities, since the risk is just too high.

It doesn't seem like those on the other side are getting the message just yet. Slashdot points us to the latest example, where a student at Carleton University has been arrested and charged with computer hacking after discovering a vulnerability and writing up a 16-page paper to tell university officials about the vulnerability. A criminal doesn't write up a huge paper telling officials how to fix their problems. This just scares off people from telling universities that their systems are insecure. Remember, a few years back in Ohio there was a similar situation, with the whistleblower blamed -- and then the school didn't bother fixing the vulnerability, leading to more info being leaked.
Filed Under: blame, carleton university, hacking, white hat
Reader Comments
Re:
The article's pretty vague on the actual details, but I find it hard to believe that the student would alert the university after installing a keylogger, unless the purpose of the document he wrote was to tell them how he did it. If that's the case, then this is a stupid move by officials to cover the fact that he broke in so easily. Then, of course, this "face-saving" move puts other students off alerting them about other insecurities, which means the next such move will be for nefarious purposes and they won't find out until real damage has been done...
Re:
OK, maybe it wasn't simply a security hole in the software, but does it really make much difference considering that a lot of people have access to the relevant hardware anyway? He still pulled it off, did no damage and presumably let the officials know how they could have prevented that from happening again. Perhaps he doesn't deserve any praise, but charging him with a crime??? Outrageous, just outrageous. Next time, I hope someone actually screws them royally in the ass, keylogger or not.
Re: Re: Re:
"Det. Michel Villeneuve of the Ottawa Police high-tech crime unit said yesterday that a suspect used Keylogger software and magnetic stripe-card reader software to acquire students' information."
Re: Re: Re: Re: Re:
If the university uses mag stripe reader hardware for a legitimate business purpose and attaches the hardware to an insecure (physically or over the network) PC, then it'd be simple to use a keylogger to get the credentials for the machine, remote into it/get physical access, overwrite the mag stripe reader software (remember, hardware needs software to actually do anything) with a modified version that could then act normally, but secretly copy all data from the card to wherever the black hat (malicious) cracker wanted for later use.
In this case, the white hat (benign) cracker wanted to prove a point about how insecure such a setup was.
Re: anonymous coward
There is a problem of security at Carleton; charging a student with a crime when he has no intention to commit any crime is criminal behavior.
I think that Mr. Boudreault, who is in charge of the security on the campus, should be replaced by someone else.
Sheesh
That's a really nice lesson to be teaching a university student -- if you do things the proper way and alert the administration of security holes you get punished. What on earth are they thinking? They should be offering that kid a job.
Keyloggers, Magnetic Swipe Readers, and 16 page report, Oh My!
Reminds me somehow of the Fake ATM machines we saw several years back.
Point is, it doesn't seem like a basic "Hey, Patch Your SQL Server" type hack, but something that truly has nefarious intent.
Oh I Know This Is A Test
Are you gaming us to see what gets written about this?
Here the kid did indeed break the law. He used a keylogger and a mag stripe reader to steal password and user name info.
This isn't like he typed admin, admin into an NT4 server and got into whatever he wanted.
His actions were criminal, however benign.
I would not slam him in the joint, but I would have him under supervised probation for, oh, 4 years.
Re: Oh I Know This Is A Test
Sounds like a bunch of uptight stuffed-shirts don't like being told that they're not doing a good job. If they were smart they'd hire the student to work with the network security team... sounds like they need a fresh perspective in there.
short on detail
The article is awfully short on detail. It says he used a keylogger and mag-stripe reader *software*. Commenters so far seem to assume he violated physical security in some fashion.
The article also says he gained access to the key card system the school uses for all student transactions, from food court to library photocopiers.
So this could just as easily be a keyboard wedge card reader (a "wedge" in this case is any device that looks to the computer the same as a keyboard). There are physical PS/2 keyloggers that connect inline and store keystrokes in a memory buffer to be dumped later.
*IF* something like this is the case, and *IF* the cards store their info unencrypted, you could capture a LOT of information just by popping one of those hardware keyloggers on a library photocopier's card reader. No horrible breaches of security, no "hacking" of the system, but a very, VERY real security issue.
And just as plausible as anything else suggested so far, given the lack of detail.
The hacker isn't always the good guy.
Re: The hacker isn't always the good guy.
You call this a detailed article?? This isn't any more enlightening than the blurb above or the article that said blurb links to.
Ohio has a long and proud history...
I think what's needed is a total change in the nature of how people think of security. The nation as a whole is still in the mindset of old fifties spy shows, where security meant secret codewords and clandestine measures that were death to share. Somehow that has to be shifted to start looking at security as an open and collaborative effort.
sad sad sad
When I was in high school a buddy of mine, with a trusty 300 baud cradle modem, was able to hack into the FBI (nothing was perused or taken and, once the FBI came calling, he only got a slap on the wrist from the University hosting the math camp he was attending). Later, during our senior year of HS, we took some programming classes at a local tech school. I played a prank on him by writing a dummy terminal interface and running it on his system - when he logged in (unsuccessfully 3 times) it notified him of repeated security violations and, since the FBI had been following his activities since the previous incident, he was to remain where he was until FBI officers arrived.
By the time we got to college, we challenged professors and the precepts of "modern" computing they were teaching at the time (my friend even managed to get an algorithm named after himself). As an offshoot of our willingness to challenge the system, that university hired my friend to create the first mobile platform for their campus police department.
So, were our pranks sometimes childish and an abuse of university computing resources (surely today leading to arrest and/or sanction)? Of course. On the other hand, over the past 20+ years, he and I have made millions in the software industry, starting from scratch 3 separate IT companies, created hundreds of jobs in the process, and provided our families with a small piece of the American dream.
Here is a good multiple choice question:
Students coming out of IT programs at universities these days get to make millions of...
_French fries
_PowerPoint reports
_HIPAA and Sarbox auditing documents
_Dell computers
_Phone calls to India to check on development status
Long live the computer geek!
Re: sad sad sad
Your message hit a nerve with me. I often think I was born 5 to 25 years too late to truly appreciate some of the antics you had the pleasure to experience in adult life. I too have performed pranks, but none as glorious as what you and your buddy performed.
Kudos to you and yours. That spirit you penned about is no stranger to me.
Let the thick-headed fools fix their systems themselves or suffer the consequences of their ignorance. There are just some people that will refuse the life-ring while busy drowning.
Never once did we consider telling the administration to fix anything. If you do, you're indicating (you, a snot-nosed kid) that you know more than they do. It upsets them and points out that they haven't done their job "correctly."
If you feel that you must alert the authorities in question, set it up such that, should you not be present to prevent a remote server from sending it out (that is, you're in jail), copies of your document will be mailed to all students, the news, and various black hat groups.
It is not only not worth it, it is dangerous to tell them anything. Just send it to black hat groups and drop an anonymous note to the administration that you have decided that the only safe way for you to alert security, given the track records of other institutions, is to allow the university in question to be owned.
Re:
The recent issue with the Boston metro RFID tags was the same issue.
Seriously
There is a limit to what an IT Dept can do on a daily basis. So no they hadn't prepared for someone to use a Keylogging device (or software) or to overwrite their Card Reading Software, but that is not a reason to applaud what he did either.
Could he have simply notified the IT Dept that this was possible and NOT cracked the records of students?
A crime is still a crime.
Re: Seriously
I think what you are securing should also factor in. I'd be considerably more sympathetic if this were to happen to your house than, say, your bank. That same solid wooden door that is "adequate" to lock your house is unspeakably negligent to secure the vault of cash and property of a few hundred branch customers.
So, yes, in the age of identity theft, I'm inclined to hold the systems and administrators to a higher standard when those systems are full of thousands of people's personal data.
Let's thank Carleton hacker
The Ottawa Citizen
Published: Sunday, September 21, 2008
Re: Neither friend nor foe, Sept. 13.
The Carleton University hacker demonstrated for administration and officials that there was at least one weakness in the security of its students' information and use of its on-line campus cards.
The hacker could have chosen not to inform the students whose accounts he broke into: yet he did. He wrote letters to these students to notify each one of them of the vulnerability of their e-accounts.
The hacker could have chosen not to inform university officials of the ease with which he accessed electronic records: yet he did. He wrote a letter to alert them of this weakness. Would someone whose intent was malicious have notified the owners and users of these electronic systems of their potential misuse?
The hacker used a pseudonym when writing these letters, to protect himself from instant condemnation in a delicate situation. Yet he wrote letters of explication and a 16-page document to the university officials, to alert them to the flaws in their system.
A suspect has since been arrested and now faces a possible prison sentence if convicted. The case should be re-evaluated.
Wouldn't any university officials rather have a hacker who works for them, lets them know how simple it was to break-in and also prepares a detailed document to outline and explain the flaws and process in order to correct the weakness? Or would they rather have a silent hacker who simply takes and abuses the desired goods or information for malicious intent?
If a system is weak and flawed, I would want to deter all or any good-willed de-coders from helping correct such a situation. The 20-year-old hacker is obviously a bright young man and adept with electronic technology.
Thank him, enlist his help in correcting the situation, and drop the charges.
Sylvia Parent, Gloucester