Charges Dropped Against Student Who Alerted University To Security Flaws
from the don't-hack-and-tell dept
Last year, we wrote about a student at Carleton University in Canada who was arrested for hacking, after he wrote up a 16-page paper telling the school how poor its computer security was, and had some suggestions on how to fix it. It does sound like, in the process of figuring this out, the guy did hack into some accounts to prove that the vulnerability was there -- but there doesn't seem to be any evidence that he did anything with the access. And the fact that he wrote up a detailed paper on it and alerted the university certainly suggests his intentions were benevolent. So it was a bit disturbing that he was arrested. However, Allan Lussier-Meek writes in to let us know that charges against the guy were recently dropped after he agreed to go through a community service program. It's still not entirely clear why he needed to do that. This really does seem like blaming the messenger.
Filed Under: carleton university, hacking, security flaws
Reader Comments
A lesson for whistleblowers
[ link to this | view in chronology ]
In fact, the only reason I found the security holes (or even bothered to look) is because I heard of cases where a bunch of important data from other computers on campus got deleted. They never found who did it or how they did it, but I figured I wanted to figure out how they did it, so I started hacking away at one of the computers and I figured out some loopholes. I told the teacher and it got fixed (I even told them how it could be fixed, but the fix was obvious anyway). Why is that so darn complicated these days?
[ link to this | view in chronology ]
Ironic
[ link to this | view in chronology ]
Re: Ironic
A: have to do it anonymously (and that means to be careful of the words you choose. You don't want people figuring out who you are based on your writing style. They can narrow it down to someone who is familiar with computers from the get go, a few more deductions and they can find out who wrote the letter).
or
B: Tell someone in a position to correct the problem whom you trust. If you find a decent person they probably won't get you in trouble (of course that requires you to judge whom you can trust).
I think much of the problem is a lack of willingness to pay for security or an unwillingness to put the effort into securing the system.
[ link to this | view in chronology ]
I Can Punish Unfairly Too
[ link to this | view in chronology ]
Is this akin
[ link to this | view in chronology ]
Missing something here
"Hey, I noticed your front door was open so I came in and looked around. Did you know that the top drawer of your dresser is the first place a thief would look for jewelry? You should get that fixed."
If he knew of the vulnerabilities he should have informed someone without poking around himself. Doesn't matter if he had good intentions, or if he documented it all or anything. He should never have "proved it" for himself. "I think these things are wrong, you should check on them." A note on the front door, not one on the kitchen table, as it were.
[ link to this | view in chronology ]
Re: Missing something here
[ link to this | view in chronology ]
Of course, if as stated, he was a bit smarter he would not have 'proved' (dumbass) that it was possible to begin with. Pointing it out would have been wiser.
Many other IT mistakes have been much costlier and much much more embarrassing. This was trivial.
But officer, I never take the keys out of the car...
[ link to this | view in chronology ]
Still missing something
Sorry if you don't see that. Sorry if you don't like the analogy. Hacking into accounts is wrong and might even be a crime (clicks on a mouse or not). Just because the net admin is an idiot and didn't prevent it and it's really easy and he didn't break anything anyway, doesn't make it any less wrong.
If someone accidentally leaves their front door unlocked and wide open, you don't break into their house to prove a point.
[ link to this | view in chronology ]
Re: Still missing something
Now which guy deserves to hang for it?
[ link to this | view in chronology ]
Re: Still missing something
- It is not a matter of dislike. The analogy does not work, they are two distinctly different things.
David -> "Hacking into accounts is wrong "
- I agree.
David -> "If someone accidentally leaves their front door unlocked and wide open, you don't break into their house to prove a point."
- And again with the bad analogy ...
[ link to this | view in chronology ]
Re: Re: Still missing something
It's wrong in the same way as if I wander into your house's open front door and look around. I don't break anything, hell, I might even clean your kitchen floor. It doesn't matter if I lock the door behind me when I leave, however briefly I was there. I committed a crime, breaking and entering, regardless of my "good intentions".
Same thing here. So there was no physical "breaking". So what? He broke rules, and maybe laws, and got access to information he should not have had. He "says" he didn't do anything, but do we really know that? Maybe not. We don't know what he copied down while he was "proving there was a problem". If the admin "didn't believe him" he could have tried a higher-up, or just given up. He tried, they didn't believe him, oh well, too bad for them. Admins being jerks or stupid don't give you the right to break the law.
I say he got off light.
[ link to this | view in chronology ]
Re: Re: Re: Still missing something
The analogy of someone leaving the front door open would be like having a site without security but obscurity and someone just happens across the URL and then pokes around.
Learn how to think up better analogies, or don't use them to express your opinion.
[ link to this | view in chronology ]
Re: Still missing something
[ link to this | view in chronology ]
done...
[ link to this | view in chronology ]
Re: Re: Still missing something
You're exactly what Geo. Bush thinks everyone should be like (other than him). I suggest you open your mind a bit for a change, if that's [even] possible in your case.
VRP
[ link to this | view in chronology ]
Re: Re: Re: Still missing something
When did I say anything about not wanting progress? I didn't. Not even the slightest. Where you got that, I don't know. Apparently just pulled it out of your ass. Don't like my opinion, so you come up with some straw-man argument.
So you equate some asshole breaking into a university computer system and poking around with the invention of the car or airplane? Just how fucking stupid are you?
So here it is again, no analogy. Guy broke into the computer system, without authorization, and poked around where he shouldn't have. He got caught and was punished. All of that is valid. All of that is GOOD. A GOOD THING TO PUNISH AN ASSHOLE FOR BREAKING INTO A COMPUTER SYSTEM WITHOUT AUTHORIZATION.
"But - but, he was, just - just trying to point out a, a problem, bu-bu-bu-bu..." Too fucking bad for him. Should have gone through proper channels. Should have done it the right way. This guy is not a whistle-blower, he's a dumb prick who apparently thinks he's better than the people currently running the university. It doesn't even matter if he is better than them.
I can not see how anyone can defend what he did. Rule of law is a good thing.
[ link to this | view in chronology ]
Re: Still missing something
Note that he left the school and Ottawa because of this.
Could he have forced the school to respond to him privately, maybe he could. They didn't and in response to any bad publicity (a response most every school does rather than admit they have an insecure system) they made an example of this guy. Are they in their rights to do so, yes they are. Was it smart to do this, of course not. It was a knee-jerk reaction to show their benefactors that they were doing something. It was that or admit that they were poor stewards of the donations they had received in support if a lowly underclassman could break their systems.
[ link to this | view in chronology ]
Re: Re: Re: Re: Still missing something
Looks like you haven't learned much about the Rule of Law either. It requires, inter alia, mens rea -- "criminal intent; the thoughts and intentions behind a wrongful act." Word Web 5.2. "Criminal intent." Merriam-Webster 2.5.
No criminal conviction against this guy could have possibly withstood appellate review. A trial judge would have to grant him judgment "N.O.V."
I have no clue about your rationale? It only jumps at me, as it does at everyone else, from each of your msgs -- you open mouth, insert foot. And you advertise your subterranean IQ by the language that you use, inter alia again!
VRP
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Still missing something
...that is, unless it is shown that this individual did, in fact, show criminal intent.
I just have to wonder what would cause a student to write up a 16-page report on how insecure the school's security is. Why not simply report the first problem in an email to the IT department?
Let's say, just for the sake of argument, that this guy had hacked the systems and mucked around in there a bit. Then, after a bit, realized that his activities were being tracked down. Now, how would you try to avoid prosecution? Well, write up your black hat activities as though you are a white hat. Wouldn't that be a convenient solution?
So, ask yourself, what is the motivation of the school administration to pursue this individual? Is it that they are so self-righteous and/or overly sensitive as to not be open to criticisms? Or is it possible that they know more than the press is telling us (i.e. the press is giving a one-sided angle) and they have some merit to their charges?
Just wondering. I mean, if this student was so in the right, why did he accept community service?
[ link to this | view in chronology ]
Nice analogies
And if the door was open, there was no "breaking in", so the crime would only be trespassing or unlawful entering. If the person didn't take anything, there's no theft to charge him with.
But, like VRP just said, doesn't the trial court consider the person's motive? Like the previous analogies, it's WRONG, WRONG, WRONG to go through an unlocked and open door and we shouldn't care if you entered the house to get some food for your children because of the current economy. Entering an unlocked house is WRONG and you should be punished. Yes, stealing food is wrong, but again, if the door is open and you see food on the table and you can't feed your kids because you lost your job and...
[ link to this | view in chronology ]
Everything is hackable
It's not like he didn't know what he was doing. I think all analogies here are good and have a valid point. Same thing is with all "new" technologies, after they stop being new and cool (like tapping in a fixed phone line, or using FM transmitters) there are regulations which we have to obey and not try to prove that there are ways to break them, because of course there are.
I'm sorry, I am all against this. Yes, everything is hackable, breakable and abuse-able but doing it is illegal and should be punishable, especially for the stupid one like just proving that it is possible.
[ link to this | view in chronology ]
Univ IT = bunch of monkeys flinging poo
I agree that his methods were questionable, and his intent may have been debatable, but he didn't actually DO anything wrong, other than accessing the University IT system in a way that IT didn't intend (if they knew about the weakness and did nothing to prevent it then they are as responsible as he was and should be held accountable, if they didn't know about the weakness, then they are a bunch of clueless monkeys flinging poo at the wall (bad hacker broke into our super secure system, nobody should be able to do that because we covered it in poo...) and hoping some of it sticks...)
And I'm off with a quote:
They say that sufficiently advanced incompetence is indistinguishable from malice. Nowhere is this more clear than University IT. - Unknown
[ link to this | view in chronology ]