Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000
From: Benji <me () b3nji com>
Date: Tue, 22 Jan 2013 08:32:11 +0000

Someone please explain to me why he had to run a vulnerability scanner to
check one vulnerability, and again, how are we still arguing about this?
Whether you think he had a 'right' to test this or not, he was either too
dumb or too naive to know it was against the law.

If anyone would like to start arguing whether it's against the (Canadian)
law:

Section 342.1[4]<http://en.wikipedia.org/wiki/Criminal_code_section_342#cite_note-4>

Unauthorized use of computer is often used to laid charges for hacker or
someone who is involved in computer related offences. This section states:

Every one who, fraudulently and without colour of
right<http://en.wikipedia.org/wiki/Colour_of_right>
,
 (a) obtains, directly or indirectly, any computer service,(b) by means of
an electro-magnetic <http://en.wikipedia.org/wiki/Electro-magnetic>,
acoustic <http://en.wikipedia.org/wiki/Acoustics>, mechanical or other
device, intercepts or causes to be intercepted, directly or indirectly, any
function of a computer system,

I would suggest he broke section (b) and you could argue (a).

On Tue, Jan 22, 2013 at 3:46 AM, Nick FitzGerald
<nick () virus-l demon co uk>wrote:

Sanguinarious Rose to me:

And that is the reason why no one wants to report anything they find,
it's because of people like you and your kind of thinking.

As you seem to have assumed a whole bunch about "my kind of thinking"
that I did not put in the original post, I find the above laughable.

Did they public post all the private information?
No

Agreed.

Did they try to use it for malious or illicit purposes?
No

Not that we know from what seems to be a rather one-sided, self-serving
to the victim, "the system screwed poor little me" telling of the
story.

Did they report it when they found it?
Yes

Agreed.

A horrible moral compass indeed!  ...

No -- I said nothing about what could or should be considered about
their moral compass _in finding_ the problem.  I did say they probably
broke _both_ school/other ToS agreements and unauthorized access laws,
but I did not say what I felt about that.

It is often the case that minor transgressions of such nature are
necessary in doing many useful things in the computer security domain.
That alone makes it precarious territory in which to work and such
issues should obviously be front-of-mind for _anyone_ potentially in
such territory.

...  Arrest these people for being
concerned and reporting it after stumbling upon security flaws!
Amiright?

No, I did not say that either.

What you seem to have missed (other than that you are reading things
into my previous post that are not there) was that _after_ these two
students notified the relevant system owners/operators and/or vendors,
apparently only _one_ of them went back and did stuff that he probably
should not have originally done (but that we can _probably_ excuse
because of a "greater good"), _again_.

_That_ is what tells us something critical about _his_ moral compass
(either he does not have one, it is rather under-developed for a 20-
year old or it is rather broken).

Did you notice that this story was not titled "Youths expelled..." "or
"Students expelled..." _despite_ the first sentence of any substance in
the National Post article starting:

   Ahmed Al-Khabaz ... was working on a mobile app ... when he and a
   colleague discovered what he describes as "sloppy coding" in ...

Did you notice how the rest of story fails to mention that his
colleague was expelled?

Poor journalism, missing a fairly major fact in the story?

Or perhaps evidence that his "colleague" was not expelled because his
colleague did not continue to mess with stuff that he should have (now)
known he should not be messing with?

If _both_ students had been expelled, surely the tone of indignation
and righteousness would have been greater, so I doubt the fact that the
article only talks of one student being expelled is due to journalistic
oversight...

So, Mr Rose, do you now see what you chose to avoid noticing on your
first pass through this story and its "clever hacker cruelly
ostracized" skew?



Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]