I remember when I got to college in 1992 there was this guy I met in my dorm who was already way tapped into the Internet and IT security and white hat hacking.
While my own computer skills consisted of playing games and knowing how to write Cobol programs that would produce groups of letters that looked vaguely like Christmas trees on a dot matrix print outs and the like, this kid was hacking into business networks and then sending reports of his findings to the companies’ owners to let them know how lame their security was.
I think he lasted one semester before he quit school to go make lots of money working in IT security for one of said companies on Wall St. He’s probably running his own consulting company somewhere now, or retired drinking cocktails while we all sit here at work.
Anyway, an incident reported this week in the Canadian press points out how far behind some people remain in terms of understanding the value of ethical hacking, even when someone is merely trying to help them help themselves.
Even worse, it was a case where an undergraduate college student was simply trying to inform his own school of how eminently hackable their e-mail system was, yet they’re having him prosecuted for doing his work in seemingly the most ethical manner possible, when instead they should really be thanking him.
Or, you know, doing something crazy like giving him a work study job in the IT department and helping him continue to learn about something that could help him get a good job some day, in a field in which he’s clearly already displayed above-average interest and aptitude, but I guess that’s not what schools are meant for.
As first reported by the Ottawa Citizen, 20 year old Mansour Moufid is instead facing criminal charges for exploiting the network of Carleton University, where he was attending classes at the school’s Ottawa campus, and sending a detailed report to school officials illustrating his work and warning them to bolster their defenses.
Despite merely informing the school of just exactly how he was able to get his hands on the e-mail passwords of some 32 students at the school in this manner, and willingly answering investigators’ questions about the hack, they’re throwing the book at him.
Makes sense, you know, if you’re a bureaucrat whose expensive IT security system just got owned by a kid.
I guess the Carleton officials would have preferred that instead of one of their own students proving his industriousness and intelligence in trying to help them close a gaping security breach, that someone unknown would have scooped the social security numbers of their students or faculty or alumni and sold the information to the highest bidders.
The guy is smart and he did them a favor, but of course they’re embarrassed since they just got exploited by a kid and now they’re making an example of him.
Well, anyone who follows security knows who the real culprits are in this scenario, and they all work for Carleton University.
“Our first concern is for our students and we will continue to review and, if necessary, upgrade our e-mail system in light of this incident,” school officials said in a statement. “The university is confident that its student e-mail and Campus Card system remain viable and at no time was credit card information accessible. A third-party audit of the university’s computer network concluded earlier in the year that the system had multiple security features and was deemed very secure.”
Yeah, well, sounds like a heck on an audit, and how confident were you before this guy showed you how vulnerable you really were?
Kudos to Moufid, it sounds like he’s got a much brighter future than some of his so-called teachers. Too bad they’re too obtuse to realize it, eh?
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.