Just because it's predictable (true), doesn't make it right.
I'm with Mouser & Ren - They should have just counted coo on the kid...not take him out and shoot him - this is crap.
Here's the thing...a university's computer is *NOT* just sitting there for purely educational purposes - or for the students. Most universities these days are also hosting critical and sensitive research projects; running important internal programs (accounting & payroll); and frequently leasing out computer resources on contract to local businesses and government agencies along with the expertise to maintain such systems.
So when some undergrad decides that such a system is his personal playground where everything that happens on it should be purely for his own personal education and experience....well...I have a little trouble dealing with that level of hubris and selfishness.
Running a penetration test (even a white-hat one) sets off alarms, gets the sysadmins steppin' & fetchin' - and sometimes puts outside contracts or internal operations in jeopardy. Especially if the DoD or financial institutions are involved. Disclosure statements to be filed, audits to be performed, re-certifications needed in some cases, and occasionally data or contracts lost, plus a hit to your reputation and a signal to potential hackers that this is a facility worth targeting...all of these things come at a price. And to just say "Well...I'm just
a student and I was trying to learn something." doesn't cut it in this context.
One unfortnate thing I'm seeing more and more with the upcoming generation is how many have consciously or subconsciously embraced the notion that "it's easier to ask for forgiveness than to get permission." Almost like life comes with a reset or "new game" button. Well guess what? It doesn't. It's called reality
. Welcome to Life-101.
And one of the first lessons learned in Life-101 is that just because you say "you're sorry" and "didn't mean anything by it" doesn't automatically absolve you of the consequences of your actions.
In this day of virtual machines and lab setups there are safer and better ways to become educated in network intrusion than to perform an unauthorized 'run' on a live production system
. Doing that is just flat out unacceptable.
In this particular student's case, it was great that he discovered and reported a security problem. And I see he received kudos and full props for it. But going back in after the fact to "verify" the fix had been made? I'd be suspicious too.
I have very little sympathy for this particular kid's self-caused problems even if I do think the school's response borders on being capricious and excessive. However, please note that the headlines are somewhat misleading too. He wasn't
expelled for identifying a security issue. He was expelled for going back
afterwards and running an unauthorized scan using Acunetix. That's a very
different thing than implying that he merely identified
a security hole - and then got promptly expelled from his college by way of a thank-you as some news sources are seeming to say.