Student Charged With Crime For Telling University Officials About Security Hole

from the blame-the-messenger dept

Mon, Sep 15th 2008 11:09pm — Mike Masnick

For many years, we've covered case after case after case after case after case after case after case of people being blamed, arrested or even jailed for pointing out a security flaw. It should come as no surprise that many security researchers claim that it's just not worth it to research security vulnerabilities, since the risk is just too high.

It doesn't seem like those on the other side are getting the message just yet. Slashdot points us to the latest example, where a student at Carleton University has been arrested and charged with computer hacking after discovering a vulnerability and writing up a 16-paged paper to tell university officials about the vulnerability. A criminal doesn't write up a huge paper telling officials how to fix their problems. This just scares off people from telling universities that their systems are insecure. Remember, a few years back in Ohio there was a similar situation, with the whistleblower blamed -- and then the school didn't bother fixing the vulnerability, leading to more info being leaked.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: blame, carleton university, hacking, white hat

44 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 15 Sep 2008 @ 11:20pm

Well the suspect used a keylogger to get user accounts and passwords - I would classify that as criminal even though he wrote a novel on his experiences. Where is the insecurity in that - every system can be broken if you can attach a keylogger to the system.
[ link to this | view in chronology ]
- PaulT (profile), 16 Sep 2008 @ 12:11am
  
  Re:
  ...and how did he install the keylogger? Did he use some special access that only someone with certain levels of physical access could have done? Or (most likely) did he already have sufficient access to the network so that he could install the keylogger without significant risk of exposing himself (it sounds like he was only caught when he forwarded the information he'd gathered in a report)?
  
  The article's pretty vague on the actual details, but I find it hard to believe that the student would alert the university after installing a keylogger, unless the purpose of the document he wrote was to tell them how he did it. If that's the case, then this is a stupid move by officials to cover the fact that he broke in so easily. Then, of course, this "face-saving" move puts other students off alerting them about other insecurities, which means the next such move will be for nefarious purposes and they won't find out until real damage has been done...
  [ link to this | view in chronology ]
- Nogard, 16 Sep 2008 @ 2:46am
  
  Re:
  How is it not an insecurity if he was able to break in with resources well within the reach of any determined person? What kind of hole did you expect?
  
  OK, maybe it wasn't simply a security hole in the software, which but does it really make much difference considering that a lot of people have access to the relevant hardware anyway? He still pulled it off, did no damage and presumably let the officals know how they could have prevented that from happening again. Perhaps he doesn't deserve any praise, but charging him with a crime??? Outrageous, just outrageous. Next time, I hope someone actually screws them royally in the ass, keylogger or not.
  [ link to this | view in chronology ]
- Trevlac, 16 Sep 2008 @ 7:20am
  
  Re:
  That's not the point, a keylogger can be stopped and quite easily if you have a hardened system. It's only a problem for a non secure OS or network.
  [ link to this | view in chronology ]
  - ehrichweiss, 16 Sep 2008 @ 7:50am
    
    Re: Re:
    Not all keyloggers are software.
    [ link to this | view in chronology ]
    - Yakko Warner, 16 Sep 2008 @ 8:28am
      
      Re: Re: Re:
      This one was. From the article:
      
      "Det. Michel Villeneuve of the Ottawa Police high-tech crime unit said yesterday that a suspect used Keylogger software and magnetic stripe-card reader software to acquire students' information."
      [ link to this | view in chronology ]
      - Anonymous Coward, 16 Sep 2008 @ 9:56am
        
        Re: Re: Re: Re:
        How do you read a magnetic stripe just by using software?
        [ link to this | view in chronology ]
        
        Grae, 16 Sep 2008 @ 11:04am
        
        Re: Re: Re: Re: Re:
        The police are saying that he didn't put his own card reader hardware in place, he only overwrote the software on the machine the already-installed reader hardware was attached to.
        
        If the university uses mag stripe reader hardware for a legitimate business purpose and attaches the hardware to an insecure (physically or over the network) PC, then it'd be simple to use a keylogger to get the credentials for the machine, remote into it/get physical access, overwrite the mag stripe reader software (remember, hardware needs software to actually do anything) with a modified version that could then act normally, but secretly copy all data from the card to where ever the black hat (malicious) cracker wanted for later use.
        
        In this case, the white hat (benign) cracker wanted to prove a point about how insecure such a setup was.
        [ link to this | view in chronology ]
- williams, 17 Sep 2008 @ 4:38pm
  
  Re: anonymous coward
  The campus of Carleton is insecure because people in charge of the security of thousands of students are not competents,they are paid hundreds of thousands $ each year and last year a femal student has been raped in a computer lab on the campus and the rapist has never been arrested.
  There is problem of security in Carleton,charging a student of crime when he has no intention to commit any crime is criminal behavior.
  I think that Mr. Boudreault ,who is in charge of the security on the campus should be replaced by someone else.
  [ link to this | view in chronology ]
DR, 16 Sep 2008 @ 12:28am

re
Similar happened to me only not as bad as this poor guy, our school admin left the backup admain account enabled and the password left as "changeme". When i pointed this out it really got there backs up and i was initially expelled from the school 3 days before leaving for my final exams! After they had time to cool down they allowed me back to take the exams.
[ link to this | view in chronology ]
Spectere, 16 Sep 2008 @ 12:31am

Sheesh
The worst part about this is that if the student were malicious about it (1) he probably wouldn't have gotten caught and we would be and (2) the hole would have been quickly patched.

That's a really nice lesson to be teaching a university student -- if you do things the proper way and alert the administration of security holes you get punished. What on earth are they thinking? They should be offering that kid a job.
[ link to this | view in chronology ]
Anonymous Coward, 16 Sep 2008 @ 12:37am

Keyloggers, Magnetic Swipe Readers, and 16 page report, Oh My!
Yes, a keylogger and magnetic swipe reader was employed to create the desired result.

Reminds me somehow of the Fake ATM machines we saw several years back.

Point is, it doesn't seem like a basic "Hey, Patch Your SQL Server" type hack, but something that truly has nefarious intent.
[ link to this | view in chronology ]
Keep my mouth shut, 16 Sep 2008 @ 12:46am

If you haven't figured it out yet, law enforcement is in a business to make a profit, not a public service that protects truth liberty and justice. Sometimes they get it right and preserve justice, while making a buck, but not at the expense of the almighty dollar.
[ link to this | view in chronology ]
- Anonymous Coward, 16 Sep 2008 @ 12:52am
  
  Re:
  But because it happened in Canada, I'd say it's kinda Loonie. Haha. Loonie, get it? No Dollars here, just some Loonies. Woah. Tough crowd. Don't worry, I won't quit my day job...
  [ link to this | view in chronology ]
  - Anonymous Coward, 16 Sep 2008 @ 2:58am
    
    Re: Re:
    Does your boss make you ask "Want Fries with That"?
    [ link to this | view in chronology ]
- Sabach, 16 Sep 2008 @ 4:33am
  
  Re:
  There are exceptions. Mind you my story is only similar to the situation in the article, not the same. When I was a Correction Officer one of my coworkers spotted a way of circumventing the security of a gate on the perimeter of the prison. He showed it to the Major (Chief of Security) and was rewarded with a promotion.
  [ link to this | view in chronology ]
  - ehrichweiss, 16 Sep 2008 @ 7:54am
    
    Re: Re:
    Using your same example though, if an inmate had reported this hole, he would be charged with attempted escape. That's kinda what this student would have been since he wasn't a part of the good-ole-boy club(the IT dept).
    [ link to this | view in chronology ]
IanK, 16 Sep 2008 @ 2:01am

Face it, you don't have a day job.
[ link to this | view in chronology ]
Anonymous Coward, 16 Sep 2008 @ 2:51am

THAT'S AMERICA
[ link to this | view in chronology ]
- Yakko Warner, 16 Sep 2008 @ 8:26am
  
  Re:
  No, that's CANADA, genius. Read the article.
  [ link to this | view in chronology ]
Joe MCSE, 16 Sep 2008 @ 3:03am

I was hired as a network admin by a data and telcom company 6 years ago. My first assignemt was to do a security audit and write a report to managment with my findings. Then I was to write the security SOP. I used a free program called LOFTcrack to show me 98 percent of the passwords of every user on the domain. I included this bit if info in my report and managment freaked out. They immediately destroyed my "password" portion of the report and implemented sticter password complexity rules. I was rewarded for my efforts because they thought the network was pretty tight
[ link to this | view in chronology ]
bobbknight, 16 Sep 2008 @ 3:29am

Oh I Know This Is A Test
Sorry mike this story doesn't pass the sniff test.
Are you gaming us to see what gets written about this.
Here the kid did indeed break the law. He used a keylogger and a mag stripe reader to steal password and user name info.
This isn't like he typed admin, admin into an NT4 server and got into what ever he wanted.
His actions were criminal, however benign.
I would not slam him in the joint, but I would have him under supervised probation for oh 4 years.
[ link to this | view in chronology ]
- Anonymous Coward, 16 Sep 2008 @ 6:41am
  
  Re: Oh I Know This Is A Test
  is't that the point he was trying to make? He showed them how easy it was, and suggested how they fix it. Locks keep honest people honest, but a thief will use the tools available. Saying that what he did was illegal and suggesting punishment seems like a total asinine way of dealing with it. The fact that he was in there and then didn't take advantage suggests trustworthiness to me.
  
  Sounds like a bunch of uptight stuffed-shirts don't like being told that their not doing a good job. if they were smart they'd hire the student to work with the network security team...sounds like they need a fresh perspective in there.
  [ link to this | view in chronology ]
Dosquatch, 16 Sep 2008 @ 4:20am

short on detail
The article is awful short on detail. It says he used a keylogger and mag-stripe reader *software*. Commenters so far seem to assume he violated physical security in some fashion.

The article also says he gained access to the key card system the school uses for all student transactions, from food court to library photocopiers.

So this could just as easily be a keyboard wedge card reader (a "wedge" in this case is any device that looks to the computer the same as a keyboard). There are physical PS/2 keyloggers that connect inline and store keystrokes in a memory buffer to be dumped later.

*IF* something like this is the case, and *IF* the cards store their info unencrypted, you could capture a LOT of information just by popping one of those hardware keyloggers on a library photocopier's card reader. No horrible breaches of security, no "hacking" of the system, but a very, VERY real security issue.

And just as plausible as anything else suggested so far, given the lack of detail.
[ link to this | view in chronology ]
free_dum, 16 Sep 2008 @ 4:23am

teach by example
The same type of thing happened last year at my school when some poor student got arrested for sneaking a gun into the cafeteria and killing several students, when he was just trying to show the administration how weak the security at lunch time was.
[ link to this | view in chronology ]
Ben, 16 Sep 2008 @ 4:54am

The hacker isn't always the good guy.
I'm a student at Carleton and I'm surprised to be reading about this story on Techdirt because, besides the fairly detailed article in the school paper, www.thecharlatan.ca, it was a pretty small issue. There will be those of you who argue that any breach of any supposedly secure network is a big deal, especially when it contains the private and sensitive data that school networks are likely to contain. However, in this case, the hacker was easily tracked, he had to have physical access to the machines on campus, and although he was able to acquire some information from 30 or so student cards and about as many e-mail addresses, he was unable to fit the pieces together into anything usable. Was his original intent in gathering this information malicious? That's hard to say but my guess would be yes. In any case, he did break university rules and Canadian law rendering himself open for (hopefully mild) punishment.
[ link to this | view in chronology ]
- Dosquatch, 16 Sep 2008 @ 5:51am
  
  Re: The hacker isn't always the good guy.
  You call this a detailed article?? This isn't any more enlightening than the blurb above or the article said blurb also links.
  [ link to this | view in chronology ]
  - Ben, 16 Sep 2008 @ 7:11am
    
    Re: Re: The hacker isn't always the good guy.
    I apologize for the link I provided, I was in a rush and didn't check the content on the website. I'm holding an actual copy of the paper right now and there is a much more detailed account of the attacks. If you click the link to the PDF of the current issue on the right side of the home page, the article is on page three.
    [ link to this | view in chronology ]
Ferin (profile), 16 Sep 2008 @ 5:04am

Ohio has a long and proud history...
...Of burying our heads in the sand over computer security. A buddy of mine got a visit from the FBI in high school when he hacked their system. He'd gotten fed up with the school system ignoring him pointing out all the massive security holes they had.

I think what's needed is a total change in the nature of how people think of security. The nation as a whole is still in the mindset of old fifties spy shows, where security meant secret codewords and clandestine measures that were death to share. Somehow that has to be shifted to start looking at security as an open and collaborative effort.
[ link to this | view in chronology ]
Ferd, 16 Sep 2008 @ 5:43am

sad sad sad
There was a time, it seems oh so long ago now, that we were a people of daring, determination, frontier spirit, thinkers of outside the box, creativity, and "damn the torpedoes" mentality. Did lawyers and insurance companies really manage to fully leech our souls away over the past few decades?

When I was in high school a buddy of mine, with a trusty 300 baud cradle modem, was able to hack into the FBI (nothing was perused or taken and, once the FBI came calling, he only got a slap on the wrist from the University hosting the math camp he was attending). Later, during our senior year of HS, we took some programming classes at a local tech school. I played a prank on him by writing a dummy terminal interface and running it on his system - when he logged in (unsuccessfully 3 times) it notified him of repeated security violations and, since the FBI had been following his activities since the previous incident, he was to remain where he was until FBI officers arrived.

By the time we got to college, we challenged professors and the precepts of "modern" computing they were teaching at the time (my friend even managed to get an algorithm named after himself). As an offshoot of our willingness to challenge the system, that university hired my friend to create the first mobile platform for their campus police department.

So, were our pranks sometimes childish and an abuse of university computing resources (surely today leading to arrest and/or sanction)? Of course. On the other hand, over the past 20+ years, he and I have made millions in the software industry, starting from scratch 3 separate IT companies, created hundreds of jobs in the process, and provided our families with a small piece of the American dream.

Here is a good multiple choice question:
Students coming out of IT programs at universities these days get to make millions of...
_French fries
_PowerPoint reports
_HIPAA and Sarbox auditing documents
_Dell computers
_Phone calls to India to check on development status

Long live the computer geek!
[ link to this | view in chronology ]
- Iron Chef, 17 Sep 2008 @ 3:24am
  
  Re: sad sad sad
  Ferd,
  
  Your message hit a nerve with me. I often think I was born 5 to 25 years too late to truly appreciate some of the antics you had the pleasure to experience in adult life. While I too have performed pranks, but none as glorious as what you and your buddy performed.
  
  Kudos to you and yours. That spirit you penned about is no stranger to me.
  [ link to this | view in chronology ]
Norm, 16 Sep 2008 @ 6:58am

Mike
[ link to this | view in chronology ]
Norm, 16 Sep 2008 @ 7:00am

Mike's slant
Interesting, your take a kid using a keylogger program. How you portrayed this and then what the actual article states are very different. Shame on you Mike.
[ link to this | view in chronology ]
Anonymous Coward, 16 Sep 2008 @ 8:15am

Too bad . . . .
Too bad he wasnt a date raping athelete. Then the university would be paying to defend him in court, not throwing him under the bus.
[ link to this | view in chronology ]
Mark, 16 Sep 2008 @ 8:24am

No good deed....

Let the thick-headed fools fix their systems themselves or suffer the consequences of their ignorance. There are just some people that will refuse the life-ring while busy with drowning.
[ link to this | view in chronology ]
Anonymous Coward, 16 Sep 2008 @ 9:27am

I'm old, but back when I went to college, we had pretty much owned every major box on campus rather swiftly. Root and dirmaint passwords. Vast printouts on green and white paper of accounts and their respective passwords. Access to facilities forgotten by the various departments.

Never once did we consider telling the administration to fix anything. If you do, you're indicating (you, a snot-nosed kid) that you know more than they do. It upsets them and points out that they haven't done their job "correctly."

If you feel that you must alert the authorities in question, set it up such that, should you not be present to prevent a remote server from sending it out (that is, you're in jail), copies of your document will be mailed to all students, the news, and various black hat groups.

It is not only not worth it, it is dangerous to tell them anything. Just send it to black hat groups and drop an anonymous note to the administration that you have decided that the only safe way for you to alert security, given the track records of other institutions, is to allow the university in question to be owned.
[ link to this | view in chronology ]
- Anonymous Coward, 16 Sep 2008 @ 12:32pm
  
  Re:
  Its very sad that your post is... realistically the best approach for anyone to follow in reporting problems to the bs-bureaucracy of typical university administrators (or anywhere else). Security vulnerabilities must be broadcast to the world asap to get things fixed in some of these places, because if one person can find it then another can. Security through obscurity is the worst plan for protecting and maintaining networks.
  
  The recent issue with the Boston metro RFID tags was the same issue.
  [ link to this | view in chronology ]
Norm, 16 Sep 2008 @ 1:38pm

Seriously
If you locked your doors and barred your windows and someone chainsawed through your wall would you appreciate people saying "Should have secured your house pinhead!"

There is a limit to what an IT Dept can do on a daily basis. So no they hadn't prepared for someone to use a Keylogging device (or software) or to overwrite their Card Reading Software, but that is not a reason to applaud what he did either.

Could he have simply notified the IT Dept that this was possible and NOT cracked the records of students?

A crime is still a crime.
[ link to this | view in chronology ]
- Dosquatch, 16 Sep 2008 @ 6:52pm
  
  Re: Seriously
  I think what you are securing should also factor in. I'd be considerably more sympathetic if this were to happen to your house than, say your bank. That same solid wooden door that is "adequate" to lock your house is unspeakably negligent to secure the vault of cash and property of a few hundred branch customers.
  
  So, yes, in the age of identity theft, I'm inclined to hold the systems and administrators to a higher standard when those systems are full of thousands of people's personal data.
  [ link to this | view in chronology ]
Dan, 16 Sep 2008 @ 2:24pm

I guess the next time the details of a flaw should just be posted to the net first.
[ link to this | view in chronology ]
- Norm, 16 Sep 2008 @ 6:36pm
  
  Re:
  And if he broke open the computer and took the hard drive would you also call that a "flaw" on the part of IT?
  [ link to this | view in chronology ]
NullOp, 18 Sep 2008 @ 8:09pm

DA!
Its OK to "hack" the system, find the holes and tell them about it. But for Gods sake sign the paper: Anon.
[ link to this | view in chronology ]
Allison, 24 Sep 2008 @ 7:12am

Let's thank Carleton hacker
Let's thank Carleton hacker
The Ottawa Citizen
Published: Sunday, September 21, 2008

Re: Neither friend nor foe, Sept. 13.

The Carleton University hacker demonstrated for administration and officials that there was at least one weakness in the security of its students' information and use of its on-line campus cards.

The hacker could have chosen not to inform the students whose accounts he broke into: yet he did. He wrote letters to these students to notify each one of them of the vulnerability of their e-accounts.
The hacker could have chosen not to inform university officials of the ease with which he accessed electronic records: yet he did. He wrote a letter to alert them of this weakness. Would someone whose intent was malicious have notified the owners and users of these electronic systems of their potential misuse?

The hacker used a pseudonym when writing these letters, to protect himself from instant condemnation in a delicate situation. Yet he wrote letters of explication and a 16-page document to the university officials, to alert them to the flaws in their system.

A suspect has since been arrested and now faces a possible prison sentence if convicted. The case should be re-evaluated.

Wouldn't any university officials rather have a hacker who works for them, lets them know how simple it was to break-in and also prepares a detailed document to outline and explain the flaws and process in order to correct the weakness? Or would they rather have a silent hacker who simply takes and abuses the desired goods or information for malicious intent?

If a system is weak and flawed, I would want to deter all or any good-willed de-coders from helping correct such a situation. The 20-year-old hacker is obviously a bright young man and adept with electronic technology.

Thank him, enlist his help in correcting the situation, and drop the charges.

Sylvia Parent, Gloucester
[ link to this | view in chronology ]
sprearson81 (profile), 9 Jun 2012 @ 5:56am

So, they thanked him or what?
[ link to this | view in chronology ]