Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000
From: Gary Baribault <gary () baribault net>
Date: Thu, 24 Jan 2013 10:30:09 -0500

The real funny part is where 15 teachers voted .. you mean there are 15
teachers at Dawson that understand the implications of a pen test tool?
I am in Montreal and I know Dawson, they are usually much saner than that!

Let's see if they now have the guts to do a Mea Culpa and fix this
injustice.

Gary Baribault
Courriel: gary () baribault net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

On 01/24/2013 10:16 AM, Benjamin Kreuter wrote:
On Tue, 22 Jan 2013 08:32:11 +0000
Benji <me () b3nji com> wrote:

Someone please explain to me why he had to run a vulnerability
scanner to check one vulnerability, and again, how are we still
arguing about this? Whether you think he had a 'right' to test this
or not, he was either too dumb or too naive to know it was against
the law.

I do not think the issue is whether or not he broke the law; rather,
the issue is whether or not the law serves the people's interest.  I am
not a Canadian, so maybe I do not really have a say, but given that
this kid did not cause any measurable damage, it seems hard to make the
case that he should have been punished for his actions.  Throwing a
student out of school because he used a pen-testing tool is more
damaging to the school and to society as a whole than what the student
actually did.

There is also the matter of the school itself.  They were presented
with a student who had found a vulnerability, reported it, and then
checked to see if there were still problems.  Does expulsion really
sound like a reasonable punishment to you?  Does any punishment seem in
order, given that the student made no attempt to maliciously exploit
his discoveries?  It seems to me that a much better approach would have
been to offer the student a chance to present the vulnerability in a
computer security class.  The school's mission is, theoretically, to
teach its students -- why, then, would they remove from the student
body someone who could do just that?

Sure, maybe the school has a policy of expulsion for any student who
breaks the law -- but why would the school expel a student
preemptively, before he was even found guilty by a court (or even
charged with a crime)?  If he had been arrested, it would have made
sense for the school to put him on academic suspension until the
conclusion of his criminal case, at which point a guilty verdict might
mean expulsion.

-- Ben


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault