Computer science student expelled for testing university software security
Josh:
Mouser, I am not trying to justify the expulsion, merely trying to showcase that the tool he used has been shown to have the ability to crash a remote system when scanned improperly. I agree, he should not have been expelled, however I feel the school was under pressure from the software owner to take further action after he scanned their network again. Again, had he been a professional tester, he could have faced being fired and a follow-on lawsuit. This is not someone being paranoid as this tool CAN break a system.
Renegade:
+1 for mouser.
As for the legality of it? Meh. Not really all that interested in legal BS. Especially when you've got laws that make it illegal to get drunk and pass out in your own bathroom.
http://cynic.me/2012/08/16/dont-pass-out-on-the-toilet-in-cambridge/
Sure, maybe it's possible that he could crash the system. Only goes to show that they don't have any protection against DoS/DDoS there. Chalk another point up for the good guy. :D
I know what you mean about pros getting fired, and laws, and all that. I've simply lost any kind of interest in "legality" anymore. Laws are created by lobby groups, and not by the people. Why should anyone care what the letter of the law is anymore? Ok, I'm being extremely cynical, but sheesh... Like mouser points out, he's a student trying to help out and doing a damn good job of being a good student! But expulsion? Sheesh. Why throw the baby out with the bath water when you can throw it in the blender?
Is there no balance in the law? Is there no compassion? Is there no justice? Is there no sanity left? Has the letter of the law become so important that we've sacrificed our common sense and humanity on the altar of the "law books"?
What happened to proportionality?
wraith808:
Renegade, unless he was specifically granted permission to re-check the system, it is an illegal scan of the system. Many professional penetration testers have lost their jobs because of such an act.
-Josh (January 21, 2013, 09:07 AM)
--- End quote ---
The utility in question (Acunetix) scans for publicly available information about the system. It wasn't the smartest thing to do, but neither is it illegal; you can get the same information in other ways, and it's a white-hat utility. And the way they bullied him with incorrect information about the legality to get an NDA signed, then backed off... yeah...
Josh:
An automatic client script analyzer allowing for security testing of Ajax and Web 2.0 applications
Industry's most advanced and in-depth SQL injection and cross-site scripting testing
Advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer
Visual macro recorder makes testing web forms and password protected areas easy
Support for pages with CAPTCHA, single sign-on and Two Factor authentication mechanisms
Extensive reporting facilities including VISA PCI compliance reports
Multi-threaded and lightning fast scanner crawls hundreds of thousands of pages with ease
Intelligent crawler detects web server type and application language
Acunetix crawls and analyzes websites including flash content, SOAP and AJAX
Port scans a web server and runs security checks against network services running on the server
--- End quote ---
From the Acunetix website...
The difference between scanning for publicly available information (domain owner, email addresses listed on web pages, administrative contacts, etc.) and vulnerability scanning is that information gathering is passive when you talk about publicly available information. Scanning a server can have real consequences on the server if the tool is not configured properly and is NOT passive.
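The passive/active distinction above is what a sysadmin actually sees in the web server logs: a visitor reading the contact page leaves a handful of ordinary requests, while a vulnerability scanner leaves injection payloads, probes for well-known admin paths, a burst of requests per second, and often 5xx errors when the payloads hit. The script below is an added example (not from this thread and not Acunetix's own code). It parses constructed Apache combined-format log lines and classifies each client; the payload patterns, probe paths and rate threshold are assumptions chosen for the sample, not a vendor signature set.

```python
"""Telling passive page views from an active vulnerability scan in web logs.

Added example, not from the thread or from Acunetix. Parses constructed
Apache combined-format lines and flags clients whose traffic carries
injection payloads, fuzzed admin paths, or an abnormal request rate.
Signatures and thresholds are assumptions picked for this sample.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample log: 10.0.0.5 reads public pages like a normal visitor;
# 10.0.0.9 runs an automated scanner that fuzzes parameters and probes paths.
CONSTRUCTED_LOG = """\
10.0.0.5 - - [21/Jan/2013:09:00:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Jan/2013:09:00:14 -0500] "GET /contact.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Jan/2013:09:01:02 -0500] "GET /courses?id=42 HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Jan/2013:09:05:00 -0500] "GET /courses?id=42' HTTP/1.1" 500 0 "-" "Scanner/1.0"
10.0.0.9 - - [21/Jan/2013:09:05:00 -0500] "GET /courses?id=42%20OR%201%3D1 HTTP/1.1" 200 9900 "-" "Scanner/1.0"
10.0.0.9 - - [21/Jan/2013:09:05:01 -0500] "GET /courses?id=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3300 "-" "Scanner/1.0"
10.0.0.9 - - [21/Jan/2013:09:05:01 -0500] "GET /admin/ HTTP/1.1" 404 0 "-" "Scanner/1.0"
10.0.0.9 - - [21/Jan/2013:09:05:01 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "Scanner/1.0"
10.0.0.9 - - [21/Jan/2013:09:05:02 -0500] "GET /.git/config HTTP/1.1" 404 0 "-" "Scanner/1.0"
10.0.0.9 - - [21/Jan/2013:09:05:02 -0500] "GET /courses?id=42%20AND%20SLEEP(5) HTTP/1.1" 200 3300 "-" "Scanner/1.0"
"""

# Apache "combined" log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed payload signatures (a real WAF ruleset is far larger); matched
# against the URL-decoded path so encoded payloads are still caught.
PAYLOAD_RE = re.compile(
    r"""(?i)['"]|\bOR\s+1\s*=\s*1\b|<script|\bSLEEP\s*\(|\bUNION\s+SELECT\b|\.\./"""
)
# Assumed list of paths a scanner probes for but a normal visitor never asks for.
PROBE_PATHS = ("/admin", "/phpmyadmin", "/.git", "/wp-login", "/.env")


def parse(log_text):
    """Parse combined-format lines into dicts; skip lines that do not match."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        d["decoded"] = unquote(d["path"])
        rows.append(d)
    return rows


def profile_clients(rows, rate_threshold=2.0):
    """Summarise each client IP and label it passive browsing or active scan.

    rate_threshold (requests per second) is an assumed cut-off for the sample.
    """
    per_ip = defaultdict(list)
    for r in rows:
        per_ip[r["ip"]].append(r)
    result = {}
    for ip, reqs in per_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        span = (reqs[-1]["ts"] - reqs[0]["ts"]).total_seconds()
        rate = len(reqs) / span if span > 0 else float(len(reqs))
        payloads = sum(1 for r in reqs if PAYLOAD_RE.search(r["decoded"]))
        probes = sum(1 for r in reqs if r["decoded"].startswith(PROBE_PATHS))
        errors = sum(1 for r in reqs if r["status"] >= 500)
        active = payloads > 0 or probes >= 2 or rate > rate_threshold
        result[ip] = {
            "requests": len(reqs),
            "rate_per_s": round(rate, 2),
            "payloads": payloads,
            "probes": probes,
            "errors_5xx": errors,
            "classification": "active scan" if active else "passive browsing",
        }
    return result


if __name__ == "__main__":
    for ip, profile in profile_clients(parse(CONSTRUCTED_LOG)).items():
        print(ip, profile)
```

On the constructed sample, 10.0.0.5 comes out as passive browsing and 10.0.0.9 as an active scan with four payload hits, three admin-path probes and one 500 response. The bare quote character in PAYLOAD_RE is deliberately noisy (an apostrophe in a legitimate search term would trip it), so in production it belongs in a scoring scheme rather than a hard rule; the point of the example is that an active scan, unlike reading the contact page, is visible and attributable from the server side.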
40hz:
From my sysadmin perspective all I can say is: A predictable and avoidable outcome. I'm hardly surprised at the response. Nor should he be.
I'll leave the armchair discussions of social ramifications and "justice" to others. 8)