topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Friday November 8, 2024, 7:23 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: Computer science student expelled for testing university software security  (Read 53863 times)

cmpm

  • Charter Member
  • Joined in 2006
  • ***
  • default avatar
  • Posts: 2,026
    • View Profile
    • Donate to Member
http://www.acunetix.com/

for anyone interested

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
I believe all agree the given punishment is not the right thing to do.

That's my point.  No one's arguing that what he did was wrong-headed and/or ill-advised, if not arguably wrong.  So why are we arguing that point?

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
@40hz - Yeah, I know he kind of screwed up there. I can see also why he'd think that with a test account that he was given implicit permission to "test".

And yeah, I know keeping large systems up and running smoothly isn't an easy job. I do have sympathy for sysadmins - they seem to have one of those jobs where when the SHTF, it really hits the fan and splatters everywhere.

I've been rather one-sided above there and not very clear - to me, this seems to be about proportionality. So, did he screw up? Sure. Is he a baby seal skull bashing antichrist? Not really. What's a proportional response? I think StoicJoker had the right idea there - reel him in then scare his pants brown.

I hope he manages to get into another school there.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
^ And it's not like kick him to the curb and let him go somewhere else.  This has real academic and financial ramifications that are definitely disproportionate.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
I believe all agree the given punishment is not the right thing to do.


It does seem more than a touch harsh from what I've heard so far about what supposedly happened.

Although all this may also be nothing more than choreography and puppet theater. Much like when the TV industry fires an exec (with full benefit of the entertainment press) and then hires him back (without fanfare) a month or two later. If that's whats really going down, having that NDA is going to be more of a blessing for this student since he can hang tough and unrepentant without being called to task for refusing to discuss whatever deal I'm pretty sure Dawson (or another school) will ultimately cut him.

But the punishment part is totally separate IMO from what he did do. Something that I still see as unarguably wrong. Whether the punishment fits is a separate topic AFAIC.

Here's the problem.. many judicial systems don't allow for "discretionary leniency" since to do so flies in the face of a theory of "equal justice for all" - which is a fancy way of saying a totally impersonal form of justice that completely ignores the individual or their motivations when it comes to sentencing. So in order not to have the judicial system perpetuate an injustice, many  times we're faced with logical disconnect of pronouncing somebody "not guilty" (even though they are) because it's the only way we can get away with not punishing somebody for breaking a law.

I always wished that any judicial action (private, board, or court) be conducted in two phases. Phase one is a simple determination to establish if the individual did - or didn't - do what they've been accused of doing. Leave out motives completely. Did they or didn't they? If you can't prove they actually did - end of case. Everybody gets to go home.

However, if it turns out there's incontrovertible proof they did in fact do the deed, then you then go on to phase two: What, if anything, should we do about it?

This is where I think the real examination of the bigger issues (beyond legal technicalities) should occur. So for this student, I think it would make more sense if somebody could just say (and the student admit) an important access & use rule had been broken - and that there was a solid reason for having such a rule in the first place.

Then we could all get into a good philosophical discussion of personal motives, setting up the future farm team, issues of shared culpability, etc. etc. etc. and what would be an appropriate response in this case.

But please remember - that's not arguing for justice. Most of us think we want justice. But we don't. It's the last thing most of us will ever want if we're in trouble.

Real justice is by nature cruel, cold, dispassionate and impersonal. It negates the individual in exchange for a higher truth. So when we go before somebody to receive judgment, we don't want to be treated in such an impersonal manner. This is us afterall! We want those in authority to see that the case before them (us) is totally unique - a case that is absolutely nothing like anything that ever came before them previously - or ever will again.

In short, we don't really want justice from those who judge us. We want love.

So lets get beyond whether or not what this kid did was wrong. It was.

Once that's out of the way, let's move on and decide how much 'love' we're willing to extend him.
 8)

-----------------

Addendum: in this particular case I'd probably let it go with a few dope-smacks across the back of the head while the school glee club chanted "Dude! What were you thinking?" in 4-part harmony with the coloraturas screaming "Stupid! Stupid! Stupid!" up around high C or C# just to add some computer symbolism. But since corporal punishment is unconstitutional where I live (and I'm not really into hitting people to begin with) I'd probably just let it go with him saying he was sorry and admitting he wasn't thinking clearly.

If he's truly sorry, he won't repeat. If he does...well...we still have a whole pile of nasty responses (and a reduced supply of love) available for next time should that occur.
« Last Edit: January 21, 2013, 10:17 PM by 40hz »

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
And yeah, I know keeping large systems up and running smoothly isn't an easy job. I do have sympathy for sysadmins - they seem to have one of those jobs where when the SHTF, it really hits the fan and splatters everywhere.

You run a kinder and gentler shop than most if that's the case. Most of my experience has taught me when the poo really hits the fan it's shortly followed by a few sysadmins being thrown through those same blades.

"You're only golden until your first major FU!" was never truer than it is in the systems administration world. Most times, having your plant go down on you (if there was even the slightest chance of doing something that might have prevented it) is definitely a career-limiting event for most sysadmins. Especially if there's no incompetent junior operator or summer intern handy to sacrifice to the angry management gods.

 :tellme:
 :tellme:

cmpm

  • Charter Member
  • Joined in 2006
  • ***
  • default avatar
  • Posts: 2,026
    • View Profile
    • Donate to Member
The job offers are starting up now.
He may have fast-tracked his career!

Report says even Skytech is offering.
Hm, I think there will be more info sometime tomorrow.

http://news.national...es-to-reinstate-him/

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
You run a kinder and gentler shop than most if that's the case. Most of my experience has taught me when the poo really hits the fan it's shortly followed by a few sysadmins being thrown through those same blades.

Hahahahaha~! I love the metaphor there! :D

Still, let's remember that this guy is a STUDENT and not a sysadmin professional. He doesn't have 10 years of experience running large systems, and is unlikely to really understand a lot of the issues that sysadmins face. Sure, he may "know" XYZ, but there's a very big difference between "knowing" and "understanding".

Sysadmins are highly educated, well paid, experienced people that have been around the block probably more than a couple times. When they drop the ball through incompetence, well, yeah - there's hell to pay. But I'm not so sure that applying the same standards to amateurs (students) is really, meh. I'll drop it. Not the ball! I mean drop the whole amateur/pro thing. :D
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
The job offers are starting up now.
He may have fast-tracked his career!

Report says even Skytech is offering.
Hm, I think there will be more info sometime tomorrow.

http://news.national...es-to-reinstate-him/

Sounds like things will work out for him! :D Good to hear!  :up:
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

rxantos

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 116
    • View Profile
    • Donate to Member
A classical punishing instead correcting lie of thought.

When a patient is sick, first you try to cure it. You do not shoot him. Thats what this university did. Instead of suspending his computer access to the university network, they choose to expel him.

To those defending the expulsion. Would you prefer if he would just keep the vulnerabilities secret and later he or someone else just abuse them? Because knowingly or not thats what you are advocating here.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
To those defending the expulsion. Would you prefer if he would just keep the vulnerabilities secret and later he or someone else just abuse them? Because knowingly or not thats what you are advocating here.

A thought popped into my head there while reading what you wrote.

What signal will this send to the next student?

  • Report vulnerabilities
  • Don't report vulnerabilities
  • Sell exploits to pay for books & tuition
  • Publish the exploit on Twitter & PasteBin then watch the SHTF? :P

Hmmm... ;D
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,913
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
From that followup article:

Richard Filion, the director general of Dawson College, did not respond to requests for an interview, but told CBC Radio that “We have to abide by this legal requirement not to divulge any personal information of any student. The story that has been reported by many media today … was relying on an incomplete version of what had happened and what had led the college to make such a decision. The other side of the story is related to facts that we cannot divulge.”

I'm so sick of this cowardly lying legal bullshit.

So basically they are saying: You only know half the story, and if we could tell you the other half you'd understand why we did what we did.  But we're not going to tell you because we want to protect the rights of the person we expelled.

But if the reason they weren't telling us the second half of the story was to protect the kid, they would let HIM decide if he wants the information released.

It's typical cowardly ass-covering behavior: insist there are some special secret facts that justify what they did and find some way to stall releasing it until the attention dies down.

If you kick some kid out of college for something like this, you need to be prepared to give him the written justification for why you've done so, so that he can properly defend himself against the institutions.



And for those of you who are saying we need to look at it from system administration perspective.. I'm not saying what he did was right.. In fact I am all for throwing the book at people who are trying to harm computer networks, or profit from stealing private information.. I understand how much hard painful work is involved in system administration and how much harm can be done by people trying to abuse and damage the system.  The point here is that this was a young curious kid who by all accounts had no malicious intent at all and was merely curious about the system.  Punishment was way out of proportion for the crime.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
I'm so sick of this cowardly lying legal bullshit.

So basically they are saying: You only know half the story, and if we could tell you the other half you'd understand why we did what we did.  But we're not going to tell you because we want to protect the rights of the person we expelled.

I'm not a believer when it comes to secret tribunals or Star Chamber judgments.

But I could easily imagine a dozen different scenarios where something might have happened = or been said - where the administration felt expulsion was appropriate and then refused to talk about it afterwards.

You could have had a hypothetical situation where:

   - some attempt was being made to mollify a local prosecutor who became aware of the case and wanted to pursue criminal charges, possibly against the university's desire to handle it in house. Being "sent down" is bad enough - but getting "sent up" would be far worse....

   - when confronted with the possibility of suspension or expulsion, the student made a threat to do something stupid like extract physical/cyber revenge on the school as a whole - or the employee who turned him in...or had threatened to anonymously divulge additional vulnerabilities he had since discovered...

   - made mention of fellow students, university employees, or outside associates who were accomplices - and then refused to name them during the investigation...

   - was guilty of having been caught doing something not allowed a  previous time (or times) and had been warned of the consequences if it happened again...

   - had been caught doing something totally unrelated that was also not allowed, such as running an illegal file sharing server on a PC connected to the university's network...

   - ran afoul of some contract provision (usually government) the university was under that had something in it that makes it required (or "understood") that anybody caught doing certain things while on the network either be expelled or have their employment terminated...

   - was made to understand that the school had previously expelled someone else earlier for similar actions - and now felt compelled (for legal reasons) to be consistent with their previous decision...

   - ran into the agenda of an influential individual (or individuals) at the university who were "fed up" for whatever reason and felt "a strong message needs be delivered"...


I could go on...but it's all hypothetical so why bother?

The point is we don't have the entire story...yet.

But in cases like this, the truth eventually comes out. Schools don't keep secrets very well. It will only be a matter of time.

-----

Regarding the average sysadmin's viewpoint regarding curious children, the best I can offer is that I've personally seen more true grief caused by people screwing around with things they've been told they shouldn't than I ever had (knock wood) caused by people specifically out to punk the system.

Kids play with matches too. Most times nothing happens. Sometimes, the worst that happens is they get a minor burn. Most outgrow it before any real damage gets done. But some have also caused major property damage or deaths while experimenting. So "simple curiosity" is no defense or justification as far as I'm concerned. There are limits - and as long as those limits are clearly communicated, I don't bend over backwards to excuse people who choose to disregard them. But that's because I do respect people enough that I feel most are capable of making their own informed decisions. And it's important that we do. Because if we don't, then the argument for the need for more and more ludicrous and restrictive laws to protect ourselves from ourselves - because none of us can really be trusted - starts to gain traction.

Like the John Hammond character said in Jurassic Park: "I don't blame people for their mistakes. But I do ask that they pay for them."

I think that's both respectful and fair. 8)


Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
^^ You guys have some good points, but no matter how many hypotheticals, I just can't get over this:

It's typical cowardly ass-covering behavior: insist there are some special secret facts that justify what they did and find some way to stall releasing it until the attention dies down.

It seems like the typical answer now. There was another thread with an article posted in it about an FOIA request... Oh sure they got the document. Completely redacted. As in almost 100% - the cover sheet had a few lines of text on it.

While there may be good reasons for some secrets, why is it that everything is a secret?

"We can't divulge that because it's sensitive information." Oh really? Please tell me more about the information's feelings.  :-\
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,913
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
40hz i think you do a good job of explaining how painful these kinds of things can be from a system administrator's perspective.. i just don't see how he even comes close to deserving expulsion.

and that entire list of hypothetical reasons that might justify his expulsion.. i don't see anything in that list that deserves to be covered up and hidden as secret and explained away as: "we have secret reasons that justify expulsion but we're not going to tell you what they are."

if you are going to expel someone from college and cause them serious irreparable harm in continuing their education, you owe it to them to explain exactly why.  no one is complaining about redacting personal names -- but i think we cannot let big organizations get away with this weasel behavior of saying: "trust us, if we explained to you the real reasons behind our actions you would unerstand, but we've decided we are not going to tell you the real reasons because [insert bullshit lie here]".

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,069
    • View Profile
    • Donate to Member
How about looking at this from the other side - university says it is OK to do this sort of thing (which is what a slap on the wrist would say) it would be open season for students to try out hacking skills with no comeback. It would set a terrible president to allow illegal activity to go unpunished.

Having said that if the university had any sense they would have invited him to help with checking the hole wa fixed after he reported it initially.

cmpm

  • Charter Member
  • Joined in 2006
  • ***
  • default avatar
  • Posts: 2,026
    • View Profile
    • Donate to Member
i don't see anything in that list that deserves to be covered up and hidden as secret and explained away as: "we have secret reasons that justify expulsion but we're not going to tell you what they are."

That is a good point.

And the fact (if it is true, according to available facts) that Skytech is offering him a job leads me to think 'it' was not very harmful to anyone or any property.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
@Mouser - FWIW I am on record a few posts back for saying I thought the response seemed unusually harsh and possibly excessive based on the facts made public so far.  :)

I get no joy out of punishing people. Even those who might actually "deserve it."  It's just not my 'thing' personally. I find the act of punishing somebody a depressing experience more than it is anything else.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
but i think we cannot let big organizations get away with this weasel behavior of saying: "trust us, if we explained to you the real reasons behind our actions you would understand, but we've decided we are not going to tell you the real reasons because [insert bullshit lie here]".

THAT! Yes! That!  :Thmbsup:

+1

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
but i think we cannot let big organizations get away with this weasel behavior of saying: "trust us, if we explained to you the real reasons behind our actions you would understand, but we've decided we are not going to tell you the real reasons because [insert bullshit lie here]".

THAT! Yes! That!  :Thmbsup:

+1



All too true.

But that's been the historic response whenever arbitrary acts of authority get challenged. :-\


Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
@Mouser - FWIW I am on record a few posts back for saying I thought the response seemed unusually harsh and possibly excessive based on the facts made public so far.

Which is pretty much where this keeps going in a circle:
Everyone seems to agree that the punishment was excessive.
Everyone seems to agrees that he totally screwed up.

Yet we're debating what exactly?

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
But that's been the historic response whenever arbitrary acts of authority get challenged. :-\

"Why?" seems like a natural enough and reasonable enough question to me. :)

Yet we're debating what exactly?

Good point. I think we should get on to what students SHOULD do. i.e.

  • Report vulnerabilities
  • Don't report vulnerabilities
  • Sell exploits to pay for books & tuition
  • Publish the exploit on Twitter & PasteBin then watch the SHTF? :P

;D

I'm voting for #4 as it would be the most entertaining~! :P  :Thmbsup:
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
Having said that if the university had any sense they would have invited him to help with checking the hole wa fixed after he reported it initially.

They wouldn't do that because they were already in CYA mode.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
@Mouser - FWIW I am on record a few posts back for saying I thought the response seemed unusually harsh and possibly excessive based on the facts made public so far.

Which is pretty much where this keeps going in a circle:
Everyone seems to agree that the punishment was excessive.
Everyone seems to agrees that he totally screwed up.

Yet we're debating what exactly?

Exactly  ;D

Good point. I think we should get on to what students SHOULD do. i.e.

  • Report vulnerabilities
  • Don't report vulnerabilities
  • Sell exploits to pay for books & tuition
  • Publish the exploit on Twitter & PasteBin then watch the SHTF? :P

;D

I'm voting for #4 as it would be the most entertaining~! :P  :Thmbsup:


Relevant:



(Although in all reality, I still don't condone that type of stuff.  No matter how douchey one person (or part of the organization) may be, that kind of stuff gets people fired, harms totally unrelated people, and is just evil)

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
Report says even Skytech is offering.

A good quote from the comments on that article:
Mr. Al-Khabaz-- get a lawyer before you accept Skytech's "scholarship" or "job offer". My guess is they want you to sign something to prevent any future claims against them. The more generous they are, the greater their perceived liability in this case.

Based on the reported news, it seems that they bullied you into signing non-disclosure and then they disclosed your actions to Dawson. That information was used by Dawson to expel you.

I'm sure there is a Montreal lawyer with a sense of justice who would love to take your case, possibly for little or no cost to you.

Proceed with caution.

I hope he takes that seriously...