Student Charged With Crime For Telling University Officials About Security Hole

from the blame-the-messenger dept

For many years, we’ve covered case after case after case after case after case after case after case of people being blamed, arrested or even jailed for pointing out a security flaw. It should come as no surprise that many security researchers claim that it’s just not worth it to research security vulnerabilities, since the risk is just too high.

It doesn’t seem like those on the other side are getting the message just yet. Slashdot points us to the latest example, where a student at Carleton University has been arrested and charged with computer hacking after discovering a vulnerability and writing up a 16-page paper to tell university officials about it. A criminal doesn’t write up a huge paper telling officials how to fix their problems. This just scares off people from telling universities that their systems are insecure. Remember, a few years back in Ohio there was a similar situation, with the whistleblower blamed — and then the school didn’t bother fixing the vulnerability, leading to more info being leaked.


Comments on “Student Charged With Crime For Telling University Officials About Security Hole”

44 Comments
PaulT (profile) says:

Re: Re:

…and how did he install the keylogger? Did he use some special access that only someone with certain levels of physical access could have done? Or (most likely) did he already have sufficient access to the network so that he could install the keylogger without significant risk of exposing himself (it sounds like he was only caught when he forwarded the information he’d gathered in a report)?

The article’s pretty vague on the actual details, but I find it hard to believe that the student would alert the university after installing a keylogger, unless the purpose of the document he wrote was to tell them how he did it. If that’s the case, then this is a stupid move by officials to cover the fact that he broke in so easily. Then, of course, this “face-saving” move puts other students off alerting them about other insecurities, which means the next such move will be for nefarious purposes and they won’t find out until real damage has been done…

Nogard says:

Re: Re:

How is it not an insecurity if he was able to break in with resources well within the reach of any determined person? What kind of hole did you expect?

OK, maybe it wasn’t simply a security hole in the software, but does it really make much difference considering that a lot of people have access to the relevant hardware anyway? He still pulled it off, did no damage and presumably let the officials know how they could have prevented that from happening again. Perhaps he doesn’t deserve any praise, but charging him with a crime??? Outrageous, just outrageous. Next time, I hope someone actually screws them royally in the ass, keylogger or not.

Grae says:

Re: Re: Re:3 Re:

The police are saying that he didn’t put his own card reader hardware in place, he only overwrote the software on the machine the already-installed reader hardware was attached to.

If the university uses mag stripe reader hardware for a legitimate business purpose and attaches the hardware to an insecure (physically or over the network) PC, then it’d be simple to use a keylogger to get the credentials for the machine, remote into it/get physical access, and overwrite the mag stripe reader software (remember, hardware needs software to actually do anything) with a modified version that could then act normally, but secretly copy all data from the card to wherever the black hat (malicious) cracker wanted for later use.

In this case, the white hat (benign) cracker wanted to prove a point about how insecure such a setup was.

williams says:

Re: anonymous coward

The campus of Carleton is insecure because the people in charge of the security of thousands of students are not competent. They are paid hundreds of thousands of dollars each year, and last year a female student was raped in a computer lab on the campus and the rapist has never been arrested.
There is a problem of security in Carleton; charging a student with a crime when he has no intention to commit any crime is criminal behavior.
I think that Mr. Boudreault, who is in charge of the security on the campus, should be replaced by someone else.

DR says:

re

Similar happened to me, only not as bad as this poor guy: our school admin left the backup admin account enabled and the password left as “changeme”. When I pointed this out it really got their backs up and I was initially expelled from the school 3 days before leaving for my final exams! After they had time to cool down they allowed me back to take the exams.

Spectere (profile) says:

Sheesh

The worst part about this is that if the student were malicious about it (1) he probably wouldn’t have gotten caught and we would be and (2) the hole would have been quickly patched.

That’s a really nice lesson to be teaching a university student — if you do things the proper way and alert the administration of security holes you get punished. What on earth are they thinking? They should be offering that kid a job.

Sabach says:

Re: Re:

There are exceptions. Mind you my story is only similar to the situation in the article, not the same. When I was a Correction Officer one of my coworkers spotted a way of circumventing the security of a gate on the perimeter of the prison. He showed it to the Major (Chief of Security) and was rewarded with a promotion.

Joe MCSE says:

I was hired as a network admin by a data and telecom company 6 years ago. My first assignment was to do a security audit and write a report to management with my findings. Then I was to write the security SOP. I used a free program called L0phtCrack to show me 98 percent of the passwords of every user on the domain. I included this bit of info in my report and management freaked out. They immediately destroyed my “password” portion of the report and implemented stricter password complexity rules. I was rewarded for my efforts because they thought the network was pretty tight.

bobbknight says:

Oh I Know This Is A Test

Sorry Mike, this story doesn’t pass the sniff test.
Are you gaming us to see what gets written about this?
Here the kid did indeed break the law. He used a keylogger and a mag stripe reader to steal password and user name info.
This isn’t like he typed admin, admin into an NT4 server and got into what ever he wanted.
His actions were criminal, however benign.
I would not slam him in the joint, but I would have him under supervised probation for oh 4 years.

Anonymous Coward says:

Re: Oh I Know This Is A Test

Isn’t that the point he was trying to make? He showed them how easy it was, and suggested how they fix it. Locks keep honest people honest, but a thief will use the tools available. Saying that what he did was illegal and suggesting punishment seems like a totally asinine way of dealing with it. The fact that he was in there and then didn’t take advantage suggests trustworthiness to me.

Sounds like a bunch of uptight stuffed-shirts don’t like being told that they’re not doing a good job. If they were smart they’d hire the student to work with the network security team… sounds like they need a fresh perspective in there.

Dosquatch says:

short on detail

The article is awful short on detail. It says he used a keylogger and mag-stripe reader *software*. Commenters so far seem to assume he violated physical security in some fashion.

The article also says he gained access to the key card system the school uses for all student transactions, from food court to library photocopiers.

So this could just as easily be a keyboard wedge card reader (a “wedge” in this case is any device that looks to the computer the same as a keyboard). There are physical PS/2 keyloggers that connect inline and store keystrokes in a memory buffer to be dumped later.

*IF* something like this is the case, and *IF* the cards store their info unencrypted, you could capture a LOT of information just by popping one of those hardware keyloggers on a library photocopier’s card reader. No horrible breaches of security, no “hacking” of the system, but a very, VERY real security issue.

And just as plausible as anything else suggested so far, given the lack of detail.
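The keyboard-wedge scenario above is worth making concrete, because it shows why wedge output has to be treated as sensitive data. The following is an added example, not code from the article or from Carleton: a keyboard-wedge reader types the card’s track data to the host as keystrokes, so a keylogger sitting inline sees it in the clear. The script takes a constructed keystroke capture (made-up card numbers and names) and pulls the swipes out with nothing more than the track sentinels. It assumes the ISO/IEC 7811 track 1 and track 2 layout; the article does not document the campus card’s format, so that is an assumption. It also goes a little past the comment by handling both tracks and showing the redaction a log-keeping system should apply.

```python
"""
Extract card swipes from a keystroke capture (added example; assumes ISO/IEC 7811
track layout, which is not confirmed for the campus card in the article).

A keyboard-wedge magstripe reader sends the card's track data to the host as if
it were typed, so an inline hardware keylogger or a software keyboard hook sees
the whole track in the clear whenever the track is unencrypted. Pulling the
swipes back out of such a capture takes only the track sentinels.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what an inline keylogger on a copier's wedge reader
# might record: ordinary typing interleaved with two swipes (one card that
# emits both tracks, one that emits track 2 only) and one garbled read.
# All card numbers and names below are made up for this example.
CAPTURE = (
    "copier login jsmith\n"
    "%B1234567890123456^DOE/JANE^2512101?;1234567890123456=25121010000?\n"
    "print 2 pages\n"
    ";9876543210987654=26061011234567?\n"
    "bad swipe ;12ABC=?\n"
)

# Track 1: %<format code><PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%([A-Z])(\d{1,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";(\d{1,19})=(\d{4})(\d{3})([^?]*)\?")


@dataclass
class Swipe:
    track: int
    pan: str            # primary account number as read from the card
    expiry: str         # YYMM as encoded on the card
    service_code: str
    name: Optional[str]  # only present on track 1


def extract_swipes(capture: str) -> List[Swipe]:
    """Return every well-formed track 1 / track 2 record found in the capture.

    Malformed reads (wrong sentinels, non-digit PAN) simply do not match and
    are skipped rather than producing a partial record.
    """
    swipes: List[Swipe] = []
    for line in capture.splitlines():
        for m in TRACK1.finditer(line):
            swipes.append(Swipe(1, m.group(2), m.group(4), m.group(5), m.group(3)))
        for m in TRACK2.finditer(line):
            swipes.append(Swipe(2, m.group(1), m.group(2), m.group(3), None))
    return swipes


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the way a receipt or a kept log should."""
    if len(pan) <= 4:
        return "*" * len(pan)
    return "*" * (len(pan) - 4) + pan[-4:]


def redact_capture(capture: str) -> str:
    """Replace track data in a capture with a masked PAN so the log can be retained."""
    def t1(m: "re.Match[str]") -> str:
        return "%" + m.group(1) + mask_pan(m.group(2)) + "^<name>^****?"

    def t2(m: "re.Match[str]") -> str:
        return ";" + mask_pan(m.group(1)) + "=****?"

    return TRACK2.sub(t2, TRACK1.sub(t1, capture))


if __name__ == "__main__":
    for s in extract_swipes(CAPTURE):
        print(f"track {s.track}: pan={mask_pan(s.pan)} exp={s.expiry} "
              f"sc={s.service_code} name={s.name}")
    print("--- redacted capture ---")
    print(redact_capture(CAPTURE))
```

Two regular expressions are the entire “attack” here: if the reader emits raw track data, the sentinels (`%`, `^`, `;`, `=`, `?`) label every field for whoever is listening. The fix is on the reader side (encrypting-head readers that send ciphertext to the host, or readers that only emit a tokenised card ID), not on the host, since anything the host can decode a keylogger on that host can capture too.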

Ben says:

The hacker isn't always the good guy.

I’m a student at Carleton and I’m surprised to be reading about this story on Techdirt because, besides the fairly detailed article in the school paper, http://www.thecharlatan.ca, it was a pretty small issue. There will be those of you who argue that any breach of any supposedly secure network is a big deal, especially when it contains the private and sensitive data that school networks are likely to contain. However, in this case, the hacker was easily tracked, he had to have physical access to the machines on campus, and although he was able to acquire some information from 30 or so student cards and about as many e-mail addresses, he was unable to fit the pieces together into anything usable. Was his original intent in gathering this information malicious? That’s hard to say but my guess would be yes. In any case, he did break university rules and Canadian law rendering himself open for (hopefully mild) punishment.

Ben says:

Re: Re: The hacker isn't always the good guy.

I apologize for the link I provided, I was in a rush and didn’t check the content on the website. I’m holding an actual copy of the paper right now and there is a much more detailed account of the attacks. If you click the link to the PDF of the current issue on the right side of the home page, the article is on page three.

Ferin (profile) says:

Ohio has a long and proud history...

…Of burying our heads in the sand over computer security. A buddy of mine got a visit from the FBI in high school when he hacked their system. He’d gotten fed up with the school system ignoring him pointing out all the massive security holes they had.

I think what’s needed is a total change in the nature of how people think of security. The nation as a whole is still in the mindset of old fifties spy shows, where security meant secret codewords and clandestine measures that were death to share. Somehow that has to be shifted to start looking at security as an open and collaborative effort.

Ferd says:

sad sad sad

There was a time, it seems oh so long ago now, that we were a people of daring, determination, frontier spirit, thinkers of outside the box, creativity, and “damn the torpedoes” mentality. Did lawyers and insurance companies really manage to fully leech our souls away over the past few decades?

When I was in high school a buddy of mine, with a trusty 300 baud cradle modem, was able to hack into the FBI (nothing was perused or taken and, once the FBI came calling, he only got a slap on the wrist from the University hosting the math camp he was attending). Later, during our senior year of HS, we took some programming classes at a local tech school. I played a prank on him by writing a dummy terminal interface and running it on his system – when he logged in (unsuccessfully 3 times) it notified him of repeated security violations and, since the FBI had been following his activities since the previous incident, he was to remain where he was until FBI officers arrived.

By the time we got to college, we challenged professors and the precepts of “modern” computing they were teaching at the time (my friend even managed to get an algorithm named after himself). As an offshoot of our willingness to challenge the system, that university hired my friend to create the first mobile platform for their campus police department.

So, were our pranks sometimes childish and an abuse of university computing resources (surely today leading to arrest and/or sanction)? Of course. On the other hand, over the past 20+ years, he and I have made millions in the software industry, starting from scratch 3 separate IT companies, created hundreds of jobs in the process, and provided our families with a small piece of the American dream.

Here is a good multiple choice question:
Students coming out of IT programs at universities these days get to make millions of…
_French fries
_PowerPoint reports
_HIPAA and Sarbox auditing documents
_Dell computers
_Phone calls to India to check on development status

Long live the computer geek!

Iron Chef says:

Re: sad sad sad

Ferd,

Your message hit a nerve with me. I often think I was born 5 to 25 years too late to truly appreciate some of the antics you had the pleasure to experience in adult life. I too have performed pranks, but none as glorious as what you and your buddy performed.

Kudos to you and yours. That spirit you penned about is no stranger to me.

Anonymous Coward says:

I’m old, but back when I went to college, we had pretty much owned every major box on campus rather swiftly. Root and dirmaint passwords. Vast printouts on green and white paper of accounts and their respective passwords. Access to facilities forgotten by the various departments.

Never once did we consider telling the administration to fix anything. If you do, you’re indicating (you, a snot-nosed kid) that you know more than they do. It upsets them and points out that they haven’t done their job “correctly.”

If you feel that you must alert the authorities in question, set it up such that, should you not be present to prevent a remote server from sending it out (that is, you’re in jail), copies of your document will be mailed to all students, the news, and various black hat groups.

It is not only not worth it, it is dangerous to tell them anything. Just send it to black hat groups and drop an anonymous note to the administration that you have decided that the only safe way for you to alert security, given the track records of other institutions, is to allow the university in question to be owned.

Anonymous Coward says:

Re: Re:

It’s very sad that your post is… realistically the best approach for anyone to follow in reporting problems to the bs-bureaucracy of typical university administrators (or anywhere else). Security vulnerabilities must be broadcast to the world asap to get things fixed in some of these places, because if one person can find it then another can. Security through obscurity is the worst plan for protecting and maintaining networks.

The recent issue with the Boston metro RFID tags was the same issue.

Norm says:

Seriously

If you locked your doors and barred your windows and someone chainsawed through your wall would you appreciate people saying “Should have secured your house pinhead!”

There is a limit to what an IT Dept can do on a daily basis. So no they hadn’t prepared for someone to use a Keylogging device (or software) or to overwrite their Card Reading Software, but that is not a reason to applaud what he did either.

Could he have simply notified the IT Dept that this was possible and NOT cracked the records of students?

A crime is still a crime.

Dosquatch says:

Re: Seriously

I think what you are securing should also factor in. I’d be considerably more sympathetic if this were to happen to your house than, say your bank. That same solid wooden door that is “adequate” to lock your house is unspeakably negligent to secure the vault of cash and property of a few hundred branch customers.

So, yes, in the age of identity theft, I’m inclined to hold the systems and administrators to a higher standard when those systems are full of thousands of people’s personal data.

Allison says:

Let's thank Carleton hacker

Let’s thank Carleton hacker
The Ottawa Citizen
Published: Sunday, September 21, 2008

Re: Neither friend nor foe, Sept. 13.

The Carleton University hacker demonstrated for administration and officials that there was at least one weakness in the security of its students’ information and use of its on-line campus cards.

The hacker could have chosen not to inform the students whose accounts he broke into: yet he did. He wrote letters to these students to notify each one of them of the vulnerability of their e-accounts.
The hacker could have chosen not to inform university officials of the ease with which he accessed electronic records: yet he did. He wrote a letter to alert them of this weakness. Would someone whose intent was malicious have notified the owners and users of these electronic systems of their potential misuse?

The hacker used a pseudonym when writing these letters, to protect himself from instant condemnation in a delicate situation. Yet he wrote letters of explication and a 16-page document to the university officials, to alert them to the flaws in their system.

A suspect has since been arrested and now faces a possible prison sentence if convicted. The case should be re-evaluated.

Wouldn’t any university officials rather have a hacker who works for them, lets them know how simple it was to break-in and also prepares a detailed document to outline and explain the flaws and process in order to correct the weakness? Or would they rather have a silent hacker who simply takes and abuses the desired goods or information for malicious intent?

If a system is weak and flawed, I would want to deter all or any good-willed de-coders from helping correct such a situation. The 20-year-old hacker is obviously a bright young man and adept with electronic technology.

Thank him, enlist his help in correcting the situation, and drop the charges.

Sylvia Parent, Gloucester
