Ahmed could probably lead the charge to turn around "sloppiness". Besides, his career seems to be in doldrums currently. I don't think it would be a bad choice. FWIW, he might be able to use the same testing software on Skytech's products for which he has expelles at Dawson's. That would be a comeback of epic proportions!
On a serious note, can't he appeal to any education monistry outside college?
After the way this was handled, I'd live in a cardboard box before I worked for this company. You can't have a healthy working environment without trust.
I'd give it a shot if they fired their president, but that's an unrealistic expectation.
The president of the company is the one who allegedly intimidated the student into signing a NDA by threatening to call the police and have him arrested. If that's how it happened, then it's irrelevant what the school did.
Even aside from the fact that he was acting in good faith and did not cause any damage to persons or property (as acknowledged by the software vendor), the procedure used to expel him is woefully lacking. I sat on the highest student discipline tribunal at my (Canadian) university and an expulsion for non-academic reasons - which had to receive final approval from both the President and the Governing Council - would only be recommended in cases involving egregious and likely criminal misconduct and only after the courts had found merit to the allegation.
Furthermore, any student faced with potential expulsion would have been entitled to a series of quasi-judicial hearings and assistance in preparing their defence. To expel someone for non-academic reasons from a publicly-funded institution (which Dawson is) should not be taken lightly and surely never in a fashion where the accused is not permitted to present their case.
It was also really crappy cover-up strategy on the school's part. By refusing due process to Al-Khabaz and expelling him with zeroes for his last semester grades, Al-Khabaz now had nothing to lose exposing both the security flaw and the injustice to the press. If they didn't play all their cards at the same time (like putting him on probation or something), he probably wouldn't have gone public.
Shame on the faculty! Fire the faculty! I am sure this sort of thing wouldn't fly in France. Looks like Quebec is letting down the Fracophone team. Liberté, Égalité, Fraternité!
Do you mean the dean who ran the judicial hearing? If anyone were to have their heads roll so to speak for this it would be his. The faculty that voted were simply acting on the best information which was presented to them.
People who are supposed to be the shepherds of an environment that fosters free-thinking openness, curiosity, creativity and learning should not lend credence to witch-hunts. If they have a critical-thinking faculty to match their titles, then they should very well have realised that the process they rubber-stamped was one-sided and questionable.
There really needs to be legal protection for acts of white-hat hacking like this. Both protection from prosecution, and protection from reprisal. This kind of stuff isn't going to stop happening unless the act of finding and reporting a security vulnerability becomes legally protected behaviour.
Here's the thing: black hats are always scanning you. Where I work, a fairly low-key place, we're currently being scanned on some of our ~100 Internet-facing IP addresses with a frequency of 15 requests per second. This is nothing uncommon. We get people on our guest network scanning us from the "inside" as well (they think they're inside, at least. They have a 10.x.x.x number, they're inside, right?)
Point being, if you can't hold up to a white hat scan, you're likely already hacked. Security is how you enforce your policy. But it's only white hat until data is compromised, and that's where the prosecution comes in.
That's not a justification for punishing white hats.
In the meantime, until we can make this understood, we need to make the workaround understood: if you find a security flaw in a system you don't own, and you haven't been formally hired for the specific purpose of finding that flaw, ignore it and get on with your life; it's not your problem. Going out of your way to help people in normal circumstances is noble. Going out of your way to help people who will reward you with a knife in the back is a mistake. Don't make that mistake.
I love the part of the story where the guy naively assumed that it would take his school less than two days to fix the vulnerability. In reality, would probably take them months.
How long did it take sony to fix their issues? Oh, right, it took someone to explose it publicly. Heh. It's unfortunate how broken some IT organizations are and that they would rather kill the messenger than fix things.
its apathy. The people "responsible" for the service don't actually care, and perhaps probably won't be punished for teh failure of the service. Hence, the vulnerability (and the publicity) only makes more work for them - therefore, they shoot the messenger as a form of blame/revenge.
It involves more or less humongous amounts of pre-meetings, meetings, post-meeting, legal documents, reviews of meeting, implementation strategy, review of implementation, certificating/accepting, post-...
You got the picture.
In big companies it might take some time.
Essentially is is very broken system that destroys itself.
It is like you need a manager to watch over a manager that watches over a manager.
It is funny to work at such companies, I got fired from one when I said everything I think about them.
And meanwhile, the student data is at risk on the Internet. Every org needs a better plan then that, especially when change management takes weeks/months and this requires immediate action.
I found something like this at my school. The administration reacted similarly. But fortunately, I was taking djb's Unix Security Holes at the time, and a harshly-worded note from djb to the Computer Center folks ended up getting me a thank you.
Next semester, though, I refused to sign the new AUP (which included a clause allowing the computer center staff to seize any computer I was using, even at my off-campus home), and they kicked me out of school. (Actually what happened was they locked my course registration account, and wouldn't reinstate it until I signed the policy in their presence. I refused.)
(Sadly, I can't find the full-disclosure thread for this bug. I guess I posted it to my blog, which I deleted after being threatened by school administrators. Oh well. That was 9 years ago!)
I got a B. The homework was to find and write an exploit for 10 security holes in deployed software, but I only found 2. (3 including the one above, which I must have found the week or so after exams. The holes I found were in nasm and in some amateur open-source smtpd.)
FWIW, the exams are quite thought-provoking nearly 10 years later, here's a link to them: http://cr.yp.to/2004-494.html
What did you think of the course textbook ("Exploiting Software", Hoglund & McGraw)? Is there a more modern alternative that you (or anyone) can recommend?
I remember reading the course syllabus online and being jealous despite already having worked in professional vulnerability research for a few years. You're lucky to have been at the class! Was he a good lecturer?
Reading stories/incidents like these makes me believe that education as a whole is stapled for reinvention. As they say: competition doesn't kill your business; attitude kills it.
Agreed. The vendor involved with the security problem was quite pleasant to deal with, of course. It was just the bureaucrats that were worried/afraid/stupid/whatever.
These expulsion stories sound really weird. I mean you pay for all of your studies and still could get axed on a whim? Whereas in my country I get paid to study and have zero chance of being expelled for these kinds of events.
Maybe it's because all of our schools are public?
For example higher ed. providers are funded based on enrollment and rate of graduation. If someone does not graduate, significant chunk (20-30%) of money won't be paid at all. This creates some incentive for the institution to actually guide and see that people don't fall through all kinds of cracks. I guess it's necessary when there is no ordinary paying customer relationship involved.
> Maybe it's because all of our schools are public?
There are Asian countries where this model has failed. Perhaps because of population pressure or other social factors. But I truly like the Nordic way of life.
My experience in the U.S. is that public universities aren't much different from private universities (at least the nonprofit ones) on these kinds of policies. They might be better in other respects, such as lower tuition, but they're run by similar kinds of administrators. Often literally the same administrators: there's a lot of churn as people hop between institutions.
The main problem, in my view, is the professionalization of this institution-hopping class of university administrators. It used to be made up of senior faculty who got promoted to Dean, but now it's made up of an entirely separate group of people, often people who come from business management backgrounds, and who have little grounding in a particular institution's traditions or culture. They tend to think rather differently, in a more locked-down, policy-driven way, and apply broad "best practices" without much regard for how things are done in a particular place. Universities end up getting managed like a corporation, with similar kinds of policies.
Things are a bit better at small colleges (Rose-Hulman, Olin, Harvey Mudd, Wesleyan, Pomona, Colgate, etc.), which typically have much lighter-weight administration and a more pro-student, pro-experimentation attitude, as well as more success in en-culturating their administrators so they "get" the local culture and work with it. But they don't scale very well (I say this despite having gone to one and being a big fan of the undergraduate-college model).
How do you prevent the schools from just lowering graduation requirements in order to artificially boost the percent of graduates and get a better payout?
Since they are either fully government funded or jointly funded with municipalities, there are no incentives to search short term profits by running diploma mills.
Ministry of Education controls the money and conducts yearly performance target negotiations bilaterally with each higher education institution. You actually need a permit from the ministry to run any kind of school. Even our few "private" primary and secondary schools are publicly funded and regulated accordingly.
Independent expert body FINHEEC audits universities quality management schemes regularly. Some European countries use accreditation-based evaluation (for single degree programs) instead of system wide audits. At least one Finnish university has also acquired ISO 9001 cert, but it was seen as more labor intensive and not providing the same benefits (benchmarking, benchlearning) as the required peer-based audits.
Well, that is a problem. But universities also doesn't want to be known for poor quality. And then there is pretty strong government oversight. In Sweden the National Agency for Higher Education do regular audits and have the right to remove a schools privilege to award degrees.
Even countries in Scandanivia will expell people who break college rules. And if you pay for and go on a train in finland and break their rules, you can be kicked off.
It all depends on what rules there are, and how they are enforced/interpreted.
I'm wondering these days if you can be any sort of hacker at all without finding some kind of vulnerability in your college's network.
For me, it was a way to steal the AFS space of the previous user (basically, they didn't expire the token... oops). I actually found the initial vulnerability by accident (something crashed due to network problems, reconnected and went, "WTF, those aren't my files!"), but I did find a good way to reproduce it on demand (yank Ethernet cord at proper time). Thankfully, I had read enough stories like this way back then and submitted the bug anonymously. This was ~2000 or around then, mind you.
I also tried to get university management to switch people over to using SSH way back in 1998, but it was something like 4-5 years before they eventually did so. I'm guessing they had no idea what I was talking about or why it even mattered back then, even though anyone could see everyone's passwords going over the wire with all the people who had to telnet for various reasons. Maybe they assumed that log file they were writing our activity to would catch anybody doing anything weird? It was cleverly named "resugol"--read that backwards if you're confused.
The CS faculty at Dawson (less one) should be embarrassed.
This happened to me twice in college, minus the expulsion part. In the less interesting case the University sent around a form to be used in nominating student speakers for commencement. It included a drop down that was keyed off of student id. Student ids were regarded as private.
The school required everyone to either buy health insurance from them, or provide proof of insurance. They had a webapp where you could report this data. The login required your student id, name, and birth date (thanks Facebook). If you visited the app after using it, the form auto-populated with your health insurance information. I brought it to the attention of the University and they took down their nomination app in a matter of minutes.
In the more exciting incident, someone at Sungard called my university and asked them to have the campus police arrest me. (Edit: Quite boring, really http://seclists.org/bugtraq/2008/Jan/409)
So why exactly did Tazo (The incompetent president of the company responsible for the security breach) mention "police" and "legal consequences" in his conversation if he wasn't making a threat.
If you are going to be a lying asshole and deny something, do yourself a favor and deny it outright. Don't try to imply that you were just having a friendly conversation about "legal consequences" right before you solicit someone to sign a non-disclosure agreement. No one in the world will believe you weren't trying to intimidate this poor kid into compliance.
seeing how we don't have the actual logs of the conversation, who knows what was actually said. This is the biggest problem with these stories: we only get information through very partial observers.
What's upsetting is the 14/15 professors who voted him to be expelled. Do computer science professors not understand the concept of white-hat hacking? Shame on them.
What message does this send to other students at Dawson? Don't be curious; don't go out of your way to do a favour for the safety of your peers; keep your mouth shut and we'll hand you your degree.
Someone give him a scholarship to a legit university!
> Do computer science professors not understand the concept of white-hat hacking?
Unfortunately, if they were at all competent they wouldn't be teaching at a place like that. CS programs at minor universities are notoriously poor and staffed by whoever they could get, and it's not going to be anyone that can make decent pay working on current technology.
Dawson isn't a university. Its a CEGEP. In Quebec high school only goes until grade 11, after which most students do 2 years at a CEGEP before going on to university. It replaces Grade 12 and first year of university.
Perhaps CS is an exception, but I was under the impression that jobs in academia (in general) were in woefully short supply.
While I'm sure they wouldn't get the cream of the crop, there's reportedly an excess of under-employed & under-paid PhD's and post-docs in a number of STEM fields (again, specifically in academia).
CEGEPs are kind of a combination community college/last year of high school/first year of university. They are teaching institutions, not research ones. US community colleges can demand Master's degrees but not Ph.D.s to teach. Mostly people with Ph.D.s who can't get real academic jobs exit that market, not go CC.
Anyone who is actually teach a CS course at a CC or a CEGEP and who is doing it as a full time job is doing it for non-pecuniary reasons, inclusive of being incompetent but having attained a qualification sufficient to teach.
CEGEP teachers don't do any research and aren't really considered academics. The hiring requirement for Dawson is a Master's in CS + 2 years experience, and that requirement can be waived down to a college diploma (DEC, that's less than a bachelor's) if one has enough industry experience to justify it.
I've said this before -- don't bother being a "white hat".
The industry and the legal system doesn't have a pigeon hole for that. You'll be labeled as "hacker" (and not in a positive sense of it). Either disclose the vulnerability immediately to get recognition, hoping it is public enough they'll be ashamed of going after you, or or sell and profit from it. You are already treated as a criminal by these large institutions, so if you go in that direction might as well make some money.
Yeah, Tor->Reddit should work. Alternatively you could fire off some emails to a couple high-ish profile twitter accounts of people/groups that would be interested in taking credit for it.
During undergrad I discovered the university's blackboard-like site sent plaintext passwords over http, and the majority of its use was over wireless. I went to the IT office responsible for the site, told them about it, and refused to give my name when they asked. After reading some of the horror stories on this page, I feel really lucky that the IT department didn't go further to figure out who I was and get me in trouble. End result was that quickly afterward their site forced https on you...
Probably, but not necessarily. They could easily harass you saying that the cost of such an upgrade (probably actually measurable only in the effort of some salaried employee..) are damages that you caused.
edit: see the $800k 'damages' Gary McKinnon allegedly caused. It's not like he smashed their equipment with a sledgehammer or something.
Man. I found an XSS bug in the University of Washington's web portal several years ago. It would allow a hacker to impersonate any user if they clicked on a crafted hyperlink.
After testing this on my own account, I reported it right away to the university. They thanked me and fixed the problem within days.
But after reading these horror stories, I feel extremely lucky that they didn't do something much stupider. My entire academic career could have been destroyed, as well as my professional one if they'd decided to press frivolous charges.
The one does not imply the other. Becoming a criminal is a bad idea (and rtdsc probably knows this and was engaging in hyperbole out of justified frustration), but becoming a martyr is also a bad idea. If you find a security flaw in a system you don't own, the best course of action is to ignore it and get on with your life. This is something every bright young hacker needs to be made aware of.
Maybe on your own, but if you manage to brand yourself as a consultant or get hired explicitly as a white hat, you can do it. Good example would be penetration testers.
I'd revise that to don't be a hobbyist "white hat". If you want to do white hat hacking either get yourself hired by a serious security outfit or set yourself up as a company doing security consulting. On the whole people are far less likely to go after a genuine security company as opposed to 'just some kid in a basement'.
Its certainly a grey area and covering all your bases legally before embarking on a penetration test would be good idea. Even with all the legal formalities, there needs to be a good level of trust between the client and the auditor for things to go smoothly.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected.
If you find a security flaw in a system and report it, receiving positive feedback doesn't automatically imply that you have permission to conduct further tests. A web application vulnerability scanner can cause damage to production systems.
Almost anyone can just download a scanner and run a wild test using default settings. But its illegal to do it without prior authorization.
While his intentions were good, I think it was a bit naive of him to take upon himself the responsibility to make sure the flaws were fixed and conduct a test. Even when you have permission to conduct a test you stick to the scope and limits of the agreement. You cant just keep leapfrogging networks as you find holes.
Manually finding holes/bugs accidentally and reporting them is different from running a vulnerability scanner.
I dont think he should have been expelled without giving a chance to explain his story and the way they did it was not ethical. The management over reacted, especially considering there was no damages mentioned in this case.
> While his intentions were good, I think it was a bit
> naive of him to take upon himself the responsibility to
> make sure the flaws were fixed and conduct a test.
Given that his own personal information could have been exposed by this exploit, it's just as likely that he was acting out of self-preservation rather than merely due to feelings of personal responsibility. The only naive bit here is that he obliterated his plausible deniability via 1) not allowing more time between submitting the report and attempting the scan, and 2) not masking his IP behind seven proxies.
Agreed. While he may say he was trying to verify the flaw was fixed, that just doesn't coincide with running a general purpose vulnerability scanner against their network.
While I doubt his intentions were malicious, it certainly seems like he got curious / excited from his first find and went looking for more.
With that being said, I definitely feel for the guy. I can certainly understand the intrigue and curiosity that would lead him to continue his exploration. It sucks that they decided to bring the hammer down so hard.
Yes, it was naïve, and maybe unwise, but the curiosity would be hard to resist. I might have done the same thing in the same situation, at one time. (Now I'm old and soulless.)
Agreed, when SQL Injections in ASP were all the rage some 10 years ago I contacted a couple dozen companies to inform of their full credit card visible customer admin pages and asked for nothing in return (at that time someone was offered money to help fix a security breach and was arrested for blackmail -- the employee that offered the money for services was actually the police speaking to him, so that saved my ass too) and I got a ton of threats, only one company actually gave me a number to call and thanked me but when I asked for a postcard of their city he got really pissed. Good times.
Like most developers, I've stumbled into lots of security problems over the years. The first few times I attempted responsible disclosure, but that resulted in enough close calls that I simply don't report them anymore. I document them. Sometimes I might mention them to others who have an interest.
I would now never report a security flaw without a iron clad set of laws in place to protect the rights of white-hats, whether we are licensed and approved security researchers or not.
Happened to me in 2000 in France. Same sort of stuff. Didn't kill my career. Just went elsewhere. I guess the French education system at least had this that it couldn't ban me nationwide :)
While it's probable he found some issue with permissions in the queries, stumbling on SQL injection is easier than you'd think. For a very short period I used a completely random (any ASCII character) password generator for websites, but I quickly realised that the ' and " characters were breaking the vast majority of sites I logged in to. Plaintext passwords in a database without escaping; about the worst password storage you can get.
It's likely to be an application logic authorization bug; the application doesn't check the context to see if it should return that info. Being web it's something silly like the student-id stored in the user cookie is used to to build the (parameterized) SQL statement. It's not arbitrary injection per say.
You misunderstand the purpose of an agreement like that.
It's not like it magically binds your tongue. It just makes it easier to sue you if you violate it. The fact that the student could win in a suit is irrelevant. He couldn't afford the time and money to fight.
Before he signed the NDA, they would have had a harder time suing him. Perhaps he could have spent merely $10k and gotten it quickly dismissed. After, the company could make it arbitrarily expensive for him to fight it. If he could have eventually proved coercion (which I'm honestly skeptical of) then he would have been off the hook -- after years of stress and massive lawyer bills.
Back in 1999 when I was a freshman in university, my school had a server for students to host their websites on and use Pine for email. The server did not give shell access... but then there was a security hole in Pine that would allow you to run chsh. So I did that, and got shell access. I think the worst thing I did (other than running ls in a few directories) was use it to connect to IRC.
Since I wasn't really trying to hide anything, so one of the IT guys must have seen me with shell access and reported me. My punishment was having my ethernet turned off in my dorm room (even though the incident occurred in a computer lab while the dorm's ethernet was turned not ready for use yet). I appealed the decision and met with the Dean, and she said I was considered a threat to the school so I should be happy that my punishment wasn't worse.
Anyways, the rest of the year in the dorm was spent playing a cat and mouse game. I used my computer on my roommate's LAN port, so they ended up shutting off his ethernet as well.. I felt bad about that, especially since they refused to give him internet access for the rest of the year. So I ended up making a 50 foot ethernet cable and running it through the bathroom into another person's room (Two 2-person dorm rooms were connected by a common bathroom). That got shut off, so I bought a new LAN card (to get a new MAC address) and connected to another ethernet drop. I was able to get online for the rest of the year, but that sure left a sour taste in my mouth for my school.
Edit: I remember one close call... over a break (I was one of the few people in the dorm), water came out of the shower drain and flooded our rooms. I came back from spending the day out to see the Dean going into our room to inspect the damage, and I quickly had to hide my 50 foot cable that went through the bathroom.
and sadly it won't be in the future. New Intel-wifi cards have them blocked[1], their new drivers even go out of the way to modify/intercept Windows from doing it from the software side. Won't be long until other manufacturers follow suit.
It was, and I did use that to verify the new ethernet drop worked, but I would have to spoof it 24/7 for ~6 months. One slip meant losing the internet. So I thought the $10 on a LAN card was a good investment.
The title is misleading. He wasn't actually expelled for finding the flaw; he was expelled because, after reporting the flaw, he ran an exploit program on the school's server without permission, allegedly to see if it had been fixed. Had he only reported it, he would not have been subject to any disciplinary action.
Well the article is basically written by the student union, so they try to get people on their side I imagine.
"Ethan Cox is a 28-year-old political organizer and writer from Montreal. He cut his political teeth accrediting the Dawson Student Union against ferocious opposition from the college administration and has worked as a union organizer for the Public Service Alliance of Canada."
I've had similar encounters with privately disclosed vulnerabilities that are still live years after the fact. What is the right course of action here? If you just wait out and the vulnerability eventually gets exploited they could blame whoever reported it "because he was the only one who knew". You can't really anonymously disclose it after privately reporting it either, because they'll quickly link it to who reported it before.
Ahmed, if you're reading this, sorry about your college acting like idiots. If finishing college is important to you, I'm sorry they've made it so difficult.
That said, please don't think this is going to end your career. There are a lot of companies and startups that would love to have you for your kind of initiative. Not having a degree that you don't seem to need anyway will not be a sticking point with them. And the option of starting your own consultancy is a possibility - you already have some publicity that can help with initial gigs.
If you'd like to try your hand at a job, do check out ThoughtWorks (www.thoughtworks.com). We don't usually stand on ceremony or make a fuss about qualifications.
No, cegep has either 2 or 3 year programs. Year 1 is equivalent to US high-school 12th grade. Year 2 of 2-year programs is equivalent to 1st year university for B.A. or B.Sc. 3-year programs tend to be terminal degree of a more "technical" nature.
My name is Eduardo Gonzalo Agurto Catalan, I am an entrepreneur in the field of IT security and a digital rights activist. i would like tohave Ahmed Al-Khabaz's e-mail or other contact information in order to contact him and discuss how I and a few fellow experts could help him. We believe it is a great injstice and that the business community cannot stay passive towards this situation which we perceive as a kind of bullying. You can contact me : eduardogonzalo@hotmail.fr
This sort of thing scares me. One time I found a security vulnerability in a popular forum I frequented. I emailed the site owner, and he thanked me and fixed it. Later someone else discovered another weakness and used it to post spam; the site owner emailed me asking about it. My initial thought was that he suspected I was the one doing it, but it turned out he was just trying to see if I could help him.
That scared the crap out of me though and I realized this was a VERY bad idea. Something as harmless as trying to help someone make their website more secure can get you more jail time than robbing a bank.
I also, completely accidentally, logged into another student's account at my university (a big university too). The school gives you an ID number. Your initial password is the same as this ID, and you're supposed to change it later. I didn't remember my ID correctly, swapped two numbers in it, and ended up in someone else's account. Home address, phone number -- all sorts of information staring me in the face. Will I report this issue? Heck no!
It's weird how many of these I discover by accident. My school also had a hackathon hosted by eBay and PayPal. In fact, one of the programmers from PayPal was there. During the hackathon, I stumbled upon a way to get account information without authentication (security tokens were being seriously misused). The PayPal guy was shocked and asked me to send him all the information on what I had found. Never did get any sort of reward out of that... (and I lost the hackathon too).
This meme of "more jail time than robbing a bank" needs to end.
The federal penalty for possessing a firearm while robbing a bank is a mandatory minimum of 5 years and a maximum of life in prison. The mandatory minimum means that a judge could not sentence an armed bank robber for less than 5 years for each bank robbed while holding a gun (you don't even need to show it; just having it is enough). To make it worse, each 5-year gun sentence must run _consecutive_ with each other sentence (ie., be added on after you serve the other sentences). [1] If you brandish the gun, it becomes a mandatory minimum of 7 years, and if you fire it you get a mandatory minimum of 10 years [1].
Contrast that to all of the hacking charges we've discussed recently where the mandatory minimum is zero (a judge could sentence a convicted defendant to no penalty, or to probation).
To go further, the US Sentencing Guidelines [2], which are all-but-mandatory for federal judges (there's a constitutional out, but in effect most defendants are sentenced according to the Guidelines) gives "wire fraud" a base offense level of 7 (of 42+), which gives a sentencing range of either 0-6 months or 4-10 months, depending on how much economic harm is caused. Compare that to robbing a bank, which is a base offense level of 22, brandishing a firearm adds +5 for an offense level of 27, and if you actually make off with any cash add another +2 for an offense level of 29 (of 42+). The sentencing guidelines call for a sentence of 87-108 months (7-9 years) for a first-time bank robber, per bank, assuming that nobody gets hurt---plus the mandatory additional 5+ years for having a gun.
Realistically, bank robbers face a lot more time than even malicious computer criminals.
> "The federal penalty for possessing a firearm while robbing a bank is a mandatory minimum of 5 years and a maximum of life in prison. The mandatory minimum means that a judge could not sentence an armed bank robber for less than 5 years for each bank robbed while holding a gun (you don't even need to show it; just having it is enough).
What's more, you don't even have to have a gun for it to be classed as "armed robbery". In the UK, just the threat of having a fire arm is enough (you could be brandishing a water pistol or even just making a gun gesture behind your unzipped coat).
This seems more like walking up to a teller and asking nicely in a clever way if you could have all the money. Is it even a crime if the teller responds positively to your request?
My suspicion is that yes, that would be a robbery if you ask in such a way that the teller actually gives you money.
You could ask in such a way that it comes across as a joke ("Anything more I can do for you today sir?""A million bucks and a winning lottery ticket would be nice"), but if it comes across as a joke then the teller isn't going to give you any money.. because they think it is a joke.
I think that is a reasonable interpretation, but sets a scary precedent. If you are selling something and I, the buyer, say "I'd really like to get this for free" and you respond, "okay, it's yours!" Can you come back and call on me being a thief later?
> if it comes across as a joke then the teller isn't going to give you any money.. because they think it is a joke.
I'd also add that vast majority of malformed requests are denied. Only computers who have a sense of humour, so to speak, comply to the abnormal requests. Computer security is much closer to this scenario than carrying a gun, I feel.
Yeah, in the real world there are a lot of more factors to consider than just the wording. How threatening the victim/potential victim feels the other party is being is hugely important.
For example, there is a world of difference between a panhandler asking you "Hey, can I have a couple dollars" in a populated touristy area during the day, and the same panhandler following you for several blocks at night before asking you that in an ally. One is just panhandling, but the other is effectively a mugging.
Computers don't really have those sort of cues, so it becomes difficult to make reasonable comparisons between the two.
This phenomenon isn't unique to computer crime. The other day my iPhone was stolen from my car in my apartments parking garage. I forgot to lock the door. I noticed that the guy who parks next to me (we have assigned spaces) also left his door unlocked. I was going to leave a note suggesting he remember to lock his doors because something was stolen from my car, but I thought better of it. If something was stolen from his car, do you want your note to be the only piece of evidence of what happened?
Had a very similar experience at my university. The library worked in the same manner as you described -- the login was a function of your student ID number, and the password was initially the same.
I wondered about the security of that solution, so I checked some random ID numbers to shockingly find out that about 80% of people didn't change their passwords! (I don't remember if you were actually prompted to change it upon first login, or you just had to do it by yourself). I could log in multiple times from the same IP to different accounts.
I hesitated whether to notify someone about it, or to loan a copy of "Mathematical analysis 1" or sth like that for some 100 people in the middle of the holidays within half an hour. That would be hilarious, but they would inevitably throw me out the university if they found out, so I didn't risk the action, neither notifying anyone due to the horror stories here and there.
307 comments
[ 2.6 ms ] story [ 296 ms ] threadOn a serious note, can't he appeal to any education monistry outside college?
I'd give it a shot if they fired their president, but that's an unrealistic expectation.
Missed that part - now it makes me think back on my suggestion. Probably, he should just look around on HN. :-)
http://news.ycombinator.com/item?id=5090108
Furthermore, any student faced with potential expulsion would have been entitled to a series of quasi-judicial hearings and assistance in preparing their defence. To expel someone for non-academic reasons from a publicly-funded institution (which Dawson is) should not be taken lightly and surely never in a fashion where the accused is not permitted to present their case.
What a clusterfuck. Since when do CEGEPs expel students for running security checks?
Point being, if you can't hold up to a white hat scan, you're likely already hacked. Security is how you enforce your policy. But it's only white hat until data is compromised, and that's where the prosecution comes in.
In the meantime, until we can make this understood, we need to make the workaround understood: if you find a security flaw in a system you don't own, and you haven't been formally hired for the specific purpose of finding that flaw, ignore it and get on with your life; it's not your problem. Going out of your way to help people in normal circumstances is noble. Going out of your way to help people who will reward you with a knife in the back is a mistake. Don't make that mistake.
How long did it take sony to fix their issues? Oh, right, it took someone to explose it publicly. Heh. It's unfortunate how broken some IT organizations are and that they would rather kill the messenger than fix things.
You got the picture. In big companies it might take some time.
Essentially is is very broken system that destroys itself.
It is like you need a manager to watch over a manager that watches over a manager.
It is funny to work at such companies, I got fired from one when I said everything I think about them.
Next semester, though, I refused to sign the new AUP (which included a clause allowing the computer center staff to seize any computer I was using, even at my off-campus home), and they kicked me out of school. (Actually what happened was they locked my course registration account, and wouldn't reinstate it until I signed the policy in their presence. I refused.)
(Sadly, I can't find the full-disclosure thread for this bug. I guess I posted it to my blog, which I deleted after being threatened by school administrators. Oh well. That was 9 years ago!)
FWIW, the exams are quite thought-provoking nearly 10 years later, here's a link to them: http://cr.yp.to/2004-494.html
Here's a reading list; I'd add Zalewsky's _Tangled Web_ to it, but change little else: http://amzn.to/cthr46
http://cr.yp.to/courses.html
I remember reading the course syllabus online and being jealous despite already having worked in professional vulnerability research for a few years. You're lucky to have been at the class! Was he a good lecturer?
Maybe it's because all of our schools are public? For example higher ed. providers are funded based on enrollment and rate of graduation. If someone does not graduate, significant chunk (20-30%) of money won't be paid at all. This creates some incentive for the institution to actually guide and see that people don't fall through all kinds of cracks. I guess it's necessary when there is no ordinary paying customer relationship involved.
There are Asian countries where this model has failed. Perhaps because of population pressure or other social factors. But I truly like the Nordic way of life.
The main problem, in my view, is the professionalization of this institution-hopping class of university administrators. It used to be made up of senior faculty who got promoted to Dean, but now it's made up of an entirely separate group of people, often people who come from business management backgrounds, and who have little grounding in a particular institution's traditions or culture. They tend to think rather differently, in a more locked-down, policy-driven way, and apply broad "best practices" without much regard for how things are done in a particular place. Universities end up getting managed like a corporation, with similar kinds of policies.
Things are a bit better at small colleges (Rose-Hulman, Olin, Harvey Mudd, Wesleyan, Pomona, Colgate, etc.), which typically have much lighter-weight administration and a more pro-student, pro-experimentation attitude, as well as more success in en-culturating their administrators so they "get" the local culture and work with it. But they don't scale very well (I say this despite having gone to one and being a big fan of the undergraduate-college model).
Ministry of Education controls the money and conducts yearly performance target negotiations bilaterally with each higher education institution. You actually need a permit from the ministry to run any kind of school. Even our few "private" primary and secondary schools are publicly funded and regulated accordingly.
Independent expert body FINHEEC audits universities quality management schemes regularly. Some European countries use accreditation-based evaluation (for single degree programs) instead of system wide audits. At least one Finnish university has also acquired ISO 9001 cert, but it was seen as more labor intensive and not providing the same benefits (benchmarking, benchlearning) as the required peer-based audits.
It all depends on what rules there are, and how they are enforced/interpreted.
For me, it was a way to steal the AFS space of the previous user (basically, they didn't expire the token... oops). I actually found the initial vulnerability by accident (something crashed due to network problems, reconnected and went, "WTF, those aren't my files!"), but I did find a good way to reproduce it on demand (yank Ethernet cord at proper time). Thankfully, I had read enough stories like this way back then and submitted the bug anonymously. This was ~2000 or around then, mind you.
I also tried to get university management to switch people over to using SSH way back in 1998, but it was something like 4-5 years before they eventually did so. I'm guessing they had no idea what I was talking about or why it even mattered back then, even though anyone could see everyone's passwords going over the wire with all the people who had to telnet for various reasons. Maybe they assumed that log file they were writing our activity to would catch anybody doing anything weird? It was cleverly named "resugol"--read that backwards if you're confused.
This happened to me twice in college, minus the expulsion part. In the less interesting case the University sent around a form to be used in nominating student speakers for commencement. It included a drop down that was keyed off of student id. Student ids were regarded as private.
The school required everyone to either buy health insurance from them, or provide proof of insurance. They had a webapp where you could report this data. The login required your student id, name, and birth date (thanks Facebook). If you visited the app after using it, the form auto-populated with your health insurance information. I brought it to the attention of the University and they took down their nomination app in a matter of minutes.
In the more exciting incident, someone at Sungard called my university and asked them to have the campus police arrest me. (Edit: Quite boring, really http://seclists.org/bugtraq/2008/Jan/409)
Now they are.
If you are going to be a lying asshole and deny something, do yourself a favor and deny it outright. Don't try to imply that you were just having a friendly conversation about "legal consequences" right before you solicit someone to sign a non-disclosure agreement. No one in the world will believe you weren't trying to intimidate this poor kid into compliance.
What message does this send to other students at Dawson? Don't be curious; don't go out of your way to do a favour for the safety of your peers; keep your mouth shut and we'll hand you your degree.
Someone give him a scholarship to a legit university!
Unfortunately, if they were at all competent they wouldn't be teaching at a place like that. CS programs at minor universities are notoriously poor and staffed by whoever they could get, and it's not going to be anyone that can make decent pay working on current technology.
http://en.wikipedia.org/wiki/CEGEP
While I'm sure they wouldn't get the cream of the crop, there's reportedly an excess of under-employed & under-paid PhD's and post-docs in a number of STEM fields (again, specifically in academia).
Anyone who is actually teach a CS course at a CC or a CEGEP and who is doing it as a full time job is doing it for non-pecuniary reasons, inclusive of being incompetent but having attained a qualification sufficient to teach.
The industry and the legal system doesn't have a pigeon hole for that. You'll be labeled as "hacker" (and not in a positive sense of it). Either disclose the vulnerability immediately to get recognition, hoping it is public enough they'll be ashamed of going after you, or or sell and profit from it. You are already treated as a criminal by these large institutions, so if you go in that direction might as well make some money.
People who go after security bug reporters tend to never fix the bugs in question. They're, like, too righteous for it.
edit: see the $800k 'damages' Gary McKinnon allegedly caused. It's not like he smashed their equipment with a sledgehammer or something.
After testing this on my own account, I reported it right away to the university. They thanked me and fixed the problem within days.
But after reading these horror stories, I feel extremely lucky that they didn't do something much stupider. My entire academic career could have been destroyed, as well as my professional one if they'd decided to press frivolous charges.
In the second scenario, you probably are hurting innocent people.
So if you have a moral compass, you should maybe bother being an anonymous white hat.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected.
If you find a security flaw in a system and report it, receiving positive feedback doesn't automatically imply that you have permission to conduct further tests. A web application vulnerability scanner can cause damage to production systems.
Almost anyone can just download a scanner and run a wild test using default settings. But its illegal to do it without prior authorization.
While his intentions were good, I think it was a bit naive of him to take upon himself the responsibility to make sure the flaws were fixed and conduct a test. Even when you have permission to conduct a test you stick to the scope and limits of the agreement. You cant just keep leapfrogging networks as you find holes.
Manually finding holes/bugs accidentally and reporting them is different from running a vulnerability scanner.
I dont think he should have been expelled without giving a chance to explain his story and the way they did it was not ethical. The management over reacted, especially considering there was no damages mentioned in this case.
http://testlab.sit.fraunhofer.de/downloads/Publications/tuer...
http://www.coresecurity.com/content/under-attack
https://en.wikipedia.org/wiki/Randal_L._Schwartz#Intel_case
While I doubt his intentions were malicious, it certainly seems like he got curious / excited from his first find and went looking for more.
With that being said, I definitely feel for the guy. I can certainly understand the intrigue and curiosity that would lead him to continue his exploration. It sucks that they decided to bring the hammer down so hard.
I would now never report a security flaw without a iron clad set of laws in place to protect the rights of white-hats, whether we are licensed and approved security researchers or not.
For it to be a SQL injection, he'd have to have been looking for vulnerabilities.
API not validating correctly. If this is true, it will take a long time to fix.
No, it didn't, because he was blackmailed into the NDA. It's completely unenforceable. It was signed under duress and only benefited one party.
It's not like it magically binds your tongue. It just makes it easier to sue you if you violate it. The fact that the student could win in a suit is irrelevant. He couldn't afford the time and money to fight.
Before he signed the NDA, they would have had a harder time suing him. Perhaps he could have spent merely $10k and gotten it quickly dismissed. After, the company could make it arbitrarily expensive for him to fight it. If he could have eventually proved coercion (which I'm honestly skeptical of) then he would have been off the hook -- after years of stress and massive lawyer bills.
Since I wasn't really trying to hide anything, so one of the IT guys must have seen me with shell access and reported me. My punishment was having my ethernet turned off in my dorm room (even though the incident occurred in a computer lab while the dorm's ethernet was turned not ready for use yet). I appealed the decision and met with the Dean, and she said I was considered a threat to the school so I should be happy that my punishment wasn't worse.
Anyways, the rest of the year in the dorm was spent playing a cat and mouse game. I used my computer on my roommate's LAN port, so they ended up shutting off his ethernet as well.. I felt bad about that, especially since they refused to give him internet access for the rest of the year. So I ended up making a 50 foot ethernet cable and running it through the bathroom into another person's room (Two 2-person dorm rooms were connected by a common bathroom). That got shut off, so I bought a new LAN card (to get a new MAC address) and connected to another ethernet drop. I was able to get online for the rest of the year, but that sure left a sour taste in my mouth for my school.
Edit: I remember one close call... over a break (I was one of the few people in the dorm), water came out of the shower drain and flooded our rooms. I came back from spending the day out to see the Dean going into our room to inspect the damage, and I quickly had to hide my 50 foot cable that went through the bathroom.
[1] http://www.intel.com/support/wireless/wlan/sb/CS-031081.htm
ie: http://security.stackexchange.com/questions/14978/is-scannin...
"Ethan Cox is a 28-year-old political organizer and writer from Montreal. He cut his political teeth accrediting the Dawson Student Union against ferocious opposition from the college administration and has worked as a union organizer for the Public Service Alliance of Canada."
That said, please don't think this is going to end your career. There are a lot of companies and startups that would love to have you for your kind of initiative. Not having a degree that you don't seem to need anyway will not be a sticking point with them. And the option of starting your own consultancy is a possibility - you already have some publicity that can help with initial gigs.
If you'd like to try your hand at a job, do check out ThoughtWorks (www.thoughtworks.com). We don't usually stand on ceremony or make a fuss about qualifications.
We're a little far away (Australia), but otherwise you'd get in the door for an interview at the very least.
That scared the crap out of me though and I realized this was a VERY bad idea. Something as harmless as trying to help someone make their website more secure can get you more jail time than robbing a bank.
I also, completely accidentally, logged into another student's account at my university (a big university too). The school gives you an ID number. Your initial password is the same as this ID, and you're supposed to change it later. I didn't remember my ID correctly, swapped two numbers in it, and ended up in someone else's account. Home address, phone number -- all sorts of information staring me in the face. Will I report this issue? Heck no!
It's weird how many of these I discover by accident. My school also had a hackathon hosted by eBay and PayPal. In fact, one of the programmers from PayPal was there. During the hackathon, I stumbled upon a way to get account information without authentication (security tokens were being seriously misused). The PayPal guy was shocked and asked me to send him all the information on what I had found. Never did get any sort of reward out of that... (and I lost the hackathon too).
This meme of "more jail time than robbing a bank" needs to end.
The federal penalty for possessing a firearm while robbing a bank is a mandatory minimum of 5 years and a maximum of life in prison. The mandatory minimum means that a judge could not sentence an armed bank robber for less than 5 years for each bank robbed while holding a gun (you don't even need to show it; just having it is enough). To make it worse, each 5-year gun sentence must run _consecutive_ with each other sentence (ie., be added on after you serve the other sentences). [1] If you brandish the gun, it becomes a mandatory minimum of 7 years, and if you fire it you get a mandatory minimum of 10 years [1].
Contrast that to all of the hacking charges we've discussed recently where the mandatory minimum is zero (a judge could sentence a convicted defendant to no penalty, or to probation).
To go further, the US Sentencing Guidelines [2], which are all-but-mandatory for federal judges (there's a constitutional out, but in effect most defendants are sentenced according to the Guidelines) gives "wire fraud" a base offense level of 7 (of 42+), which gives a sentencing range of either 0-6 months or 4-10 months, depending on how much economic harm is caused. Compare that to robbing a bank, which is a base offense level of 22, brandishing a firearm adds +5 for an offense level of 27, and if you actually make off with any cash add another +2 for an offense level of 29 (of 42+). The sentencing guidelines call for a sentence of 87-108 months (7-9 years) for a first-time bank robber, per bank, assuming that nobody gets hurt---plus the mandatory additional 5+ years for having a gun.
Realistically, bank robbers face a lot more time than even malicious computer criminals.
[1] See section (c) of 18 USC 924 http://www.law.cornell.edu/uscode/text/18/924
[2] http://www.ussc.gov/guidelines/index.cfm
What's more, you don't even have to have a gun for it to be classed as "armed robbery". In the UK, just the threat of having a fire arm is enough (you could be brandishing a water pistol or even just making a gun gesture behind your unzipped coat).
You could ask in such a way that it comes across as a joke ("Anything more I can do for you today sir?" "A million bucks and a winning lottery ticket would be nice"), but if it comes across as a joke then the teller isn't going to give you any money.. because they think it is a joke.
> if it comes across as a joke then the teller isn't going to give you any money.. because they think it is a joke.
I'd also add that vast majority of malformed requests are denied. Only computers who have a sense of humour, so to speak, comply to the abnormal requests. Computer security is much closer to this scenario than carrying a gun, I feel.
For example, there is a world of difference between a panhandler asking you "Hey, can I have a couple dollars" in a populated touristy area during the day, and the same panhandler following you for several blocks at night before asking you that in an ally. One is just panhandling, but the other is effectively a mugging.
Computers don't really have those sort of cues, so it becomes difficult to make reasonable comparisons between the two.
Also handling stolen goods is a crime. So even if you didn't personally rob the bank, if you know the money is dodgy then you shouldn't accept it.
Not that robbing a bank is all that profitable vs. the risk and penalty's.
http://www.spiegel.de/international/zeitgeist/berlin-bank-ro...
https://en.wikipedia.org/wiki/Good_Samaritan_law
I wondered about the security of that solution, so I checked some random ID numbers to shockingly find out that about 80% of people didn't change their passwords! (I don't remember if you were actually prompted to change it upon first login, or you just had to do it by yourself). I could log in multiple times from the same IP to different accounts.
I hesitated whether to notify someone about it, or to loan a copy of "Mathematical analysis 1" or sth like that for some 100 people in the middle of the holidays within half an hour. That would be hilarious, but they would inevitably throw me out the university if they found out, so I didn't risk the action, neither notifying anyone due to the horror stories here and there.