Student Charged With Crime For Telling University Officials About Security Hole

from the blame-the-messenger dept

For many years, we've covered case after case after case after case after case after case after case of people being blamed, arrested or even jailed for pointing out a security flaw. It should come as no surprise that many security researchers claim that it's just not worth it to research security vulnerabilities, since the risk is just too high.

It doesn't seem like those on the other side are getting the message just yet. Slashdot points us to the latest example, where a student at Carleton University has been arrested and charged with computer hacking after discovering a vulnerability and writing up a 16-page paper to tell university officials about it. A criminal doesn't write up a huge paper telling officials how to fix their problems. This just scares off people from telling universities that their systems are insecure. Remember, a few years back in Ohio there was a similar situation, with the whistleblower blamed -- and then the school didn't bother fixing the vulnerability, leading to more info being leaked.


Reader Comments

  1. Anonymous Coward, Sep 15th, 2008 @ 11:20pm

    Well the suspect used a keylogger to get user accounts and passwords - I would classify that as criminal even though he wrote a novel on his experiences. Where is the insecurity in that - every system can be broken if you can attach a keylogger to the system.

  2. PaulT (profile), Sep 16th, 2008 @ 12:11am

    Re:

    ...and how did he install the keylogger? Did he use some special access that only someone with certain levels of physical access could have done? Or (most likely) did he already have sufficient access to the network so that he could install the keylogger without significant risk of exposing himself (it sounds like he was only caught when he forwarded the information he'd gathered in a report)?

    The article's pretty vague on the actual details, but I find it hard to believe that the student would alert the university after installing a keylogger, unless the purpose of the document he wrote was to tell them how he did it. If that's the case, then this is a stupid move by officials to cover the fact that he broke in so easily. Then, of course, this "face-saving" move puts other students off alerting them about other insecurities, which means the next such move will be for nefarious purposes and they won't find out until real damage has been done...

  3. DR, Sep 16th, 2008 @ 12:28am

    re

    Similar happened to me, only not as bad as this poor guy. Our school admin left the backup admin account enabled and the password left as "changeme". When I pointed this out it really got their backs up and I was initially expelled from the school 3 days before leaving for my final exams! After they had time to cool down they allowed me back to take the exams.

  4. Spectere, Sep 16th, 2008 @ 12:31am

    Sheesh

    The worst part about this is that if the student were malicious about it (1) he probably wouldn't have gotten caught and we would be and (2) the hole would have been quickly patched.

    That's a really nice lesson to be teaching a university student -- if you do things the proper way and alert the administration of security holes you get punished. What on earth are they thinking? They should be offering that kid a job.

  5. Anonymous Coward, Sep 16th, 2008 @ 12:37am

    Keyloggers, Magnetic Swipe Readers, and 16 page report, Oh My!

    Yes, a keylogger and magnetic swipe reader was employed to create the desired result.

    Reminds me somehow of the Fake ATM machines we saw several years back.

    Point is, it doesn't seem like a basic "Hey, Patch Your SQL Server" type hack, but something that truly has nefarious intent.

  6. Keep my mouth shut, Sep 16th, 2008 @ 12:46am

    If you haven't figured it out yet, law enforcement is in a business to make a profit, not a public service that protects truth liberty and justice. Sometimes they get it right and preserve justice, while making a buck, but not at the expense of the almighty dollar.

  7. Anonymous Coward, Sep 16th, 2008 @ 12:52am

    Re:

    But because it happened in Canada, I'd say it's kinda Loonie. Haha. Loonie, get it? No Dollars here, just some Loonies. Woah. Tough crowd. Don't worry, I won't quit my day job...

  8. IanK, Sep 16th, 2008 @ 2:01am

    Face it, you don't have a day job.

  9. Nogard, Sep 16th, 2008 @ 2:46am

    Re:

    How is it not an insecurity if he was able to break in with resources well within the reach of any determined person? What kind of hole did you expect?

    OK, maybe it wasn't simply a security hole in the software, but does it really make much difference considering that a lot of people have access to the relevant hardware anyway? He still pulled it off, did no damage and presumably let the officials know how they could have prevented that from happening again. Perhaps he doesn't deserve any praise, but charging him with a crime??? Outrageous, just outrageous. Next time, I hope someone actually screws them royally in the ass, keylogger or not.

  10. Anonymous Coward, Sep 16th, 2008 @ 2:51am

    THAT'S AMERICA

  11. Anonymous Coward, Sep 16th, 2008 @ 2:58am

    Re: Re:

    Does your boss make you ask "Want Fries with That"?

  12. Joe MCSE, Sep 16th, 2008 @ 3:03am

    I was hired as a network admin by a data and telecom company 6 years ago. My first assignment was to do a security audit and write a report to management with my findings. Then I was to write the security SOP. I used a free program called L0phtCrack to show me 98 percent of the passwords of every user on the domain. I included this bit of info in my report and management freaked out. They immediately destroyed my "password" portion of the report and implemented stricter password complexity rules. I was rewarded for my efforts because they thought the network was pretty tight.

  13. bobbknight, Sep 16th, 2008 @ 3:29am

    Oh I Know This Is A Test

    Sorry mike this story doesn't pass the sniff test.
    Are you gaming us to see what gets written about this.
    Here the kid did indeed break the law. He used a keylogger and a mag stripe reader to steal password and user name info.
    This isn't like he typed admin, admin into an NT4 server and got into whatever he wanted.
    His actions were criminal, however benign.
    I would not slam him in the joint, but I would have him under supervised probation for oh 4 years.

  14. Dosquatch, Sep 16th, 2008 @ 4:20am

    short on detail

    The article is awful short on detail. It says he used a keylogger and mag-stripe reader *software*. Commenters so far seem to assume he violated physical security in some fashion.

    The article also says he gained access to the key card system the school uses for all student transactions, from food court to library photocopiers.

    So this could just as easily be a keyboard wedge card reader (a "wedge" in this case is any device that looks to the computer the same as a keyboard). There are physical PS/2 keyloggers that connect inline and store keystrokes in a memory buffer to be dumped later.

    *IF* something like this is the case, and *IF* the cards store their info unencrypted, you could capture a LOT of information just by popping one of those hardware keyloggers on a library photocopier's card reader. No horrible breaches of security, no "hacking" of the system, but a very, VERY real security issue.

    And just as plausible as anything else suggested so far, given the lack of detail.

  15. free_dum, Sep 16th, 2008 @ 4:23am

    teach by example

    The same type of thing happened last year at my school when some poor student got arrested for sneaking a gun into the cafeteria and killing several students, when he was just trying to show the administration how weak the security at lunch time was.

  16. Sabach, Sep 16th, 2008 @ 4:33am

    Re:

    There are exceptions. Mind you my story is only similar to the situation in the article, not the same. When I was a Correction Officer one of my coworkers spotted a way of circumventing the security of a gate on the perimeter of the prison. He showed it to the Major (Chief of Security) and was rewarded with a promotion.

  17. Ben, Sep 16th, 2008 @ 4:54am

    The hacker isn't always the good guy.

    I'm a student at Carleton and I'm surprised to be reading about this story on Techdirt because, besides the fairly detailed article in the school paper, www.thecharlatan.ca, it was a pretty small issue. There will be those of you who argue that any breach of any supposedly secure network is a big deal, especially when it contains the private and sensitive data that school networks are likely to contain. However, in this case, the hacker was easily tracked, he had to have physical access to the machines on campus, and although he was able to acquire some information from 30 or so student cards and about as many e-mail addresses, he was unable to fit the pieces together into anything usable. Was his original intent in gathering this information malicious? That's hard to say but my guess would be yes. In any case, he did break university rules and Canadian law rendering himself open for (hopefully mild) punishment.

  18. Ferin (profile), Sep 16th, 2008 @ 5:04am

    Ohio has a long and proud history...

    ...Of burying our heads in the sand over computer security. A buddy of mine got a visit from the FBI in high school when he hacked their system. He'd gotten fed up with the school system ignoring him pointing out all the massive security holes they had.

    I think what's needed is a total change in the nature of how people think of security. The nation as a whole is still in the mindset of old fifties spy shows, where security meant secret codewords and clandestine measures that were death to share. Somehow that has to be shifted to start looking at security as an open and collaborative effort.

  19. Ferd, Sep 16th, 2008 @ 5:43am

    sad sad sad

    There was a time, it seems oh so long ago now, that we were a people of daring, determination, frontier spirit, thinkers of outside the box, creativity, and "damn the torpedoes" mentality. Did lawyers and insurance companies really manage to fully leech our souls away over the past few decades?

    When I was in high school a buddy of mine, with a trusty 300 baud cradle modem, was able to hack into the FBI (nothing was perused or taken and, once the FBI came calling, he only got a slap on the wrist from the University hosting the math camp he was attending). Later, during our senior year of HS, we took some programming classes at a local tech school. I played a prank on him by writing a dummy terminal interface and running it on his system - when he logged in (unsuccessfully 3 times) it notified him of repeated security violations and, since the FBI had been following his activities since the previous incident, he was to remain where he was until FBI officers arrived.

    By the time we got to college, we challenged professors and the precepts of "modern" computing they were teaching at the time (my friend even managed to get an algorithm named after himself). As an offshoot of our willingness to challenge the system, that university hired my friend to create the first mobile platform for their campus police department.

    So, were our pranks sometimes childish and an abuse of university computing resources (surely today leading to arrest and/or sanction)? Of course. On the other hand, over the past 20+ years, he and I have made millions in the software industry, starting from scratch 3 separate IT companies, created hundreds of jobs in the process, and provided our families with a small piece of the American dream.

    Here is a good multiple choice question:
    Students coming out of IT programs at universities these days get to make millions of...
    _French fries
    _PowerPoint reports
    _HIPAA and Sarbox auditing documents
    _Dell computers
    _Phone calls to India to check on development status

    Long live the computer geek!

  20. Dosquatch, Sep 16th, 2008 @ 5:51am

    Re: The hacker isn't always the good guy.

    You call this a detailed article?? This isn't any more enlightening than the blurb above or the article said blurb also links.

  21. Anonymous Coward, Sep 16th, 2008 @ 6:41am

    Re: Oh I Know This Is A Test

    Isn't that the point he was trying to make? He showed them how easy it was, and suggested how they fix it. Locks keep honest people honest, but a thief will use the tools available. Saying that what he did was illegal and suggesting punishment seems like a totally asinine way of dealing with it. The fact that he was in there and then didn't take advantage suggests trustworthiness to me.

    Sounds like a bunch of uptight stuffed-shirts don't like being told that they're not doing a good job. If they were smart they'd hire the student to work with the network security team... sounds like they need a fresh perspective in there.

  22. Norm, Sep 16th, 2008 @ 6:58am

    Mike

  23. Norm, Sep 16th, 2008 @ 7:00am

    Mike's slant

    Interesting, your take on a kid using a keylogger program. How you portrayed this and then what the actual article states are very different. Shame on you Mike.

  24. Ben, Sep 16th, 2008 @ 7:11am

    Re: Re: The hacker isn't always the good guy.

    I apologize for the link I provided, I was in a rush and didn't check the content on the website. I'm holding an actual copy of the paper right now and there is a much more detailed account of the attacks. If you click the link to the PDF of the current issue on the right side of the home page, the article is on page three.

  25. Trevlac, Sep 16th, 2008 @ 7:20am

    Re:

    That's not the point, a keylogger can be stopped and quite easily if you have a hardened system. It's only a problem for a non secure OS or network.

  26. ehrichweiss, Sep 16th, 2008 @ 7:50am

    Re: Re:

    Not all keyloggers are software.

  27. ehrichweiss, Sep 16th, 2008 @ 7:54am

    Re: Re:

    Using your same example though, if an inmate had reported this hole, he would be charged with attempted escape. That's kinda what this student would have been since he wasn't a part of the good-ole-boy club(the IT dept).

  28. Anonymous Coward, Sep 16th, 2008 @ 8:15am

    Too bad . . . .

    Too bad he wasn't a date-raping athlete. Then the university would be paying to defend him in court, not throwing him under the bus.

  29. Mark, Sep 16th, 2008 @ 8:24am

    No good deed....

    Let the thick-headed fools fix their systems themselves or suffer the consequences of their ignorance. There are just some people that will refuse the life-ring while busy with drowning.

  30. Yakko Warner, Sep 16th, 2008 @ 8:26am

    Re:

    No, that's CANADA, genius. Read the article.

  31. Yakko Warner, Sep 16th, 2008 @ 8:28am

    Re: Re: Re:

    This one was. From the article:

    "Det. Michel Villeneuve of the Ottawa Police high-tech crime unit said yesterday that a suspect used Keylogger software and magnetic stripe-card reader software to acquire students' information."

  32. Anonymous Coward, Sep 16th, 2008 @ 9:27am

    I'm old, but back when I went to college, we had pretty much owned every major box on campus rather swiftly. Root and dirmaint passwords. Vast printouts on green and white paper of accounts and their respective passwords. Access to facilities forgotten by the various departments.

    Never once did we consider telling the administration to fix anything. If you do, you're indicating (you, a snot-nosed kid) that you know more than they do. It upsets them and points out that they haven't done their job "correctly."

    If you feel that you must alert the authorities in question, set it up such that, should you not be present to prevent a remote server from sending it out (that is, you're in jail), copies of your document will be mailed to all students, the news, and various black hat groups.

    It is not only not worth it, it is dangerous to tell them anything. Just send it to black hat groups and drop an anonymous note to the administration that you have decided that the only safe way for you to alert security, given the track records of other institutions, is to allow the university in question to be owned.

  33. Anonymous Coward, Sep 16th, 2008 @ 9:56am

    Re: Re: Re: Re:

    How do you read a magnetic stripe just by using software?

  34. Grae, Sep 16th, 2008 @ 11:04am

    Re: Re: Re: Re: Re:

    The police are saying that he didn't put his own card reader hardware in place, he only overwrote the software on the machine the already-installed reader hardware was attached to.

    If the university uses mag stripe reader hardware for a legitimate business purpose and attaches the hardware to an insecure (physically or over the network) PC, then it'd be simple to use a keylogger to get the credentials for the machine, remote into it/get physical access, overwrite the mag stripe reader software (remember, hardware needs software to actually do anything) with a modified version that could then act normally, but secretly copy all data from the card to wherever the black hat (malicious) cracker wanted for later use.

    In this case, the white hat (benign) cracker wanted to prove a point about how insecure such a setup was.
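The keyboard-wedge scenario in comment 14 and the modified-reader-software scenario in comment 34 come down to the same weakness: the reader hands the card's track data to the host in the clear, and anything that reads that stream, a keylogger included, gets a complete copy. The following is an added example, not code from the Techdirt post or from any commenter, that pulls ISO/IEC 7813 Track 1 and Track 2 records out of a keystroke capture. The capture is constructed, the card numbers are made-up test values, and the assumption that Carleton's campus cards used the ISO 7813 layout is just that, an assumption; the point is what a wedge reader exposes, not what that particular card system did.

```python
import re

# Constructed keylogger dump (not real data): ordinary typing with two card
# swipes interleaved. A keyboard-wedge reader "types" the track data and an
# Enter exactly as a user would, so anything logging the keyboard stream sees
# the full record in clear. PANs are made-up test numbers, name/expiry invented.
CAPTURED_KEYSTROKES = (
    "print job 12\n"
    "%B4111111111111111^DOE/JANE^25121011000000000000?"
    ";4111111111111111=25121011000000000000?\n"
    "ok\n"
    ";6011000990139424=26061010000000000000?\n"
    "logout\n"
)

# ISO/IEC 7813 layouts (assumed for the campus card, see lead-in).
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?   (LRC, if any, follows '?')
TRACK1 = re.compile(
    r"%B(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2 = re.compile(
    r";(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check: rejects most stray digit runs the regex might match."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def extract_swipes(capture: str) -> list:
    """Return every card record found in the keystroke capture, in swipe order."""
    swipes = []
    for line in capture.splitlines():
        for m in TRACK1.finditer(line):
            swipes.append({"track": 1, "pan": m["pan"], "name": m["name"],
                           "exp": m["exp"], "service": m["svc"],
                           "luhn": luhn_ok(m["pan"])})
        for m in TRACK2.finditer(line):
            swipes.append({"track": 2, "pan": m["pan"], "exp": m["exp"],
                           "service": m["svc"], "luhn": luhn_ok(m["pan"])})
    return swipes


def mask_pan(pan: str) -> str:
    """What the reader application should keep instead of the raw PAN.

    Limit of this control: it runs after the wedge has already typed the whole
    track into the keyboard stream, so it protects the application's own logs
    and database, not against a keylogger sitting between reader and application.
    """
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    for s in extract_swipes(CAPTURED_KEYSTROKES):
        extra = f" name {s['name']}" if "name" in s else ""
        print(f"track {s['track']}: PAN {mask_pan(s['pan'])} exp {s['exp']} "
              f"luhn={'ok' if s['luhn'] else 'BAD'}{extra}")
```

Run against the constructed capture, three records come out with Luhn-valid account numbers, a cardholder name and expiry dates; the Luhn check is what separates a real swipe from an accidental run of digits in typed text. Note what mask_pan does and does not buy you: it keeps the number out of the application's own logs, but nothing done in software on the host helps once a hardware wedge or a keylogger upstream of the application already holds the full track, which is exactly the photocopier-reader point the commenters are making.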

  35. Anonymous Coward, Sep 16th, 2008 @ 12:32pm

    Re:

    It's very sad that your post is... realistically the best approach for anyone to follow in reporting problems to the bs-bureaucracy of typical university administrators (or anywhere else). Security vulnerabilities must be broadcast to the world asap to get things fixed in some of these places, because if one person can find it then another can. Security through obscurity is the worst plan for protecting and maintaining networks.

    The recent issue with the Boston metro RFID tags was the same issue.

  36. Norm, Sep 16th, 2008 @ 1:38pm

    Seriously

    If you locked your doors and barred your windows and someone chainsawed through your wall would you appreciate people saying "Should have secured your house pinhead!"

    There is a limit to what an IT Dept can do on a daily basis. So no they hadn't prepared for someone to use a Keylogging device (or software) or to overwrite their Card Reading Software, but that is not a reason to applaud what he did either.

    Could he have simply notified the IT Dept that this was possible and NOT cracked the records of students?

    A crime is still a crime.

  37. Dan, Sep 16th, 2008 @ 2:24pm

    I guess the next time the details of a flaw should just be posted to the net first.

  38. Norm, Sep 16th, 2008 @ 6:36pm

    Re:

    And if he broke open the computer and took the hard drive would you also call that a "flaw" on the part of IT?

  39. Dosquatch, Sep 16th, 2008 @ 6:52pm

    Re: Seriously

    I think what you are securing should also factor in. I'd be considerably more sympathetic if this were to happen to your house than, say your bank. That same solid wooden door that is "adequate" to lock your house is unspeakably negligent to secure the vault of cash and property of a few hundred branch customers.

    So, yes, in the age of identity theft, I'm inclined to hold the systems and administrators to a higher standard when those systems are full of thousands of people's personal data.

  40. Iron Chef, Sep 17th, 2008 @ 3:24am

    Re: sad sad sad

    Ferd,

    Your message hit a nerve with me. I often think I was born 5 to 25 years too late to truly appreciate some of the antics you had the pleasure to experience in adult life. I too have performed pranks, but none as glorious as what you and your buddy performed.

    Kudos to you and yours. That spirit you penned about is no stranger to me.

  41. williams, Sep 17th, 2008 @ 4:38pm

    Re: anonymous coward

    The campus of Carleton is insecure because the people in charge of the security of thousands of students are not competent; they are paid hundreds of thousands of $ each year, and last year a female student was raped in a computer lab on the campus and the rapist has never been arrested.
    There is a problem of security at Carleton; charging a student with a crime when he had no intention to commit any crime is criminal behavior.
    I think that Mr. Boudreault, who is in charge of the security on the campus, should be replaced by someone else.

  42. NullOp, Sep 18th, 2008 @ 8:09pm

    DA!

    It's OK to "hack" the system, find the holes and tell them about it. But for God's sake sign the paper: Anon.

  43. Allison, Sep 24th, 2008 @ 7:12am

    Let's thank Carleton hacker

    Let's thank Carleton hacker
    The Ottawa Citizen
    Published: Sunday, September 21, 2008

    Re: Neither friend nor foe, Sept. 13.

    The Carleton University hacker demonstrated for administration and officials that there was at least one weakness in the security of its students' information and use of its on-line campus cards.

    The hacker could have chosen not to inform the students whose accounts he broke into: yet he did. He wrote letters to these students to notify each one of them of the vulnerability of their e-accounts.
    The hacker could have chosen not to inform university officials of the ease with which he accessed electronic records: yet he did. He wrote a letter to alert them of this weakness. Would someone whose intent was malicious have notified the owners and users of these electronic systems of their potential misuse?

    The hacker used a pseudonym when writing these letters, to protect himself from instant condemnation in a delicate situation. Yet he wrote letters of explication and a 16-page document to the university officials, to alert them to the flaws in their system.

    A suspect has since been arrested and now faces a possible prison sentence if convicted. The case should be re-evaluated.

    Wouldn't any university officials rather have a hacker who works for them, lets them know how simple it was to break in and also prepares a detailed document to outline and explain the flaws and process in order to correct the weakness? Or would they rather have a silent hacker who simply takes and abuses the desired goods or information for malicious intent?

    If a system is weak and flawed, I would want to deter all or any good-willed de-coders from helping correct such a situation. The 20-year-old hacker is obviously a bright young man and adept with electronic technology.

    Thank him, enlist his help in correcting the situation, and drop the charges.

    Sylvia Parent, Gloucester

  44. sprearson81 (profile), Jun 9th, 2012 @ 5:56am

    So, they thanked him or what?
