Canadian student hacker expelled

merry_and_silver

I guess what I don't understand about this story is that I thought the entire purpose of a network was to share information between computers. In other words, if you're in your lab working somewhere, and want to transfer information to another computer, in your advisor's office, or maybe to a professor that you had a conversation with earlier in the day, then you should be able to do it. Otherwise, why have a network? Everyone should just have their own separate I.P. address. Much safer.

If you accept that the purpose of the network is to share information, and that this student was allowed to be on the network (I don't know; I'm assuming), then how was he supposed to find out where he could and couldn't go? A scan is the only way I know. I don't see how a scan in and of itself can be considered malicious. Again, I'm assuming. Maybe there are rules that say you can't do it. But even clicking on a publicly shared folder triggers a scan, doesn't it?

OK, granted, many people won't know that they have left things open on the network. Yes, that's a big problem.

But would the people who are prosecuting (or persecuting) this student, have qualms about harvesting unprotected information from student computers on the same network, even if it were clear (or probable) that the folders were left open unintentionally?
 

Williebee

But would the people who are prosecuting (or persecuting) this student, have qualms about harvesting unprotected information from student computers on the same network, even if it were clear (or probable) that the folders were left open unintentionally?

I'd certainly hope so, but that would be subject to the school's AUP (Acceptable Usage Policy.)
 

Torgo

If you accept that the purpose of the network is to share information, and that this student was allowed to be on the network (I don't know; I'm assuming), then how was he supposed to find out where he could and couldn't go?

That wasn't the situation, as far as I can see. This was an online service for viewing and managing your own personal student-related stuff. You're not supposed to be able to access records of other students etc. - the security hole the hacker pointed out allowed him to, in theory, get everyone's Social Security numbers. The system was supposed to be protected, but it had flaws.

I don't see how a scan in and of itself can be considered malicious.
The scanning tool he used was designed to be used on offline, archived copies of websites, not live ones, and apparently could have damaged the system.
 

Torgo

So this morning, I read this, and am boiling mad about it.

Behind that link you will find a 'statement of responsibility', penned by Andrew Auernheimer, otherwise known as 'weev'. Auernheimer was recently convicted of identity theft and cracking, and is awaiting sentencing. The letter is his court-mandated admission of culpability (but it probably isn't what the prosecutors would have expected him to write.)

Briefly, weev discovered that AT&T had published the email addresses of everyone who had a 3G iPad with them. He took this information to a reporter at Gawker, including a sample of the addresses. When Gawker published an article on the vulnerability, including some redacted addresses, the FBI jumped all over weev with hob-nailed boots.

The case bears some striking similarities with that of the late lamented Aaron Swartz. The information weev was convicted of illegally accessing was publicly accessible via AT&T's own API, just as Swartz's JSTOR dump was something he had free access to as a Harvard faculty member. In both cases prosecutors acted, in my opinion, out of all proportion to the offences. It is no exaggeration to say that Swartz was hounded to his death, and it looks like weev is being targeted in much the same way.

(It's worth remembering the number of HSBC bankers who have been sent to jail for billions of dollars of money laundering on behalf of murderous drug cartels (0) or the number of CIA agents who have been sent to jail over government-sanctioned torture (1 - the guy who blew the whistle.))

I bring this up here because we can debate whether these guys were naughty or not - weev went to the press, Swartz wanted to liberate the JSTOR data, Al-Khabaz acted pretty unwisely - but I don't think there's any debate about the completely disproportionate response in each case. No harm was done, but the reaction of the establishment to a clever young person pointing out what's wrong with their systems is nevertheless to try to crush them like an insect.

These are the people who are going to build the next Google or Apple or Twitter, or they might be the people who find ways to engineer a better and safer society. If we don't manage to kill them or jail them first.