The latest “student hacker” story hitting the media (after the MIT/Boston subway case) is a Canadian 2nd year Math major at Carleton University, who “hacked” the campus card and student emails. I use “hacked” in quotes as the police news release says that the systems were breached via “Keylogger software and Magnetic stripe card reader”; and even though Mansour Moufid wrote the keylogger himself (as this CBC article says) — this is hardly something innovative, or insightful. It was a “hack” in a mass-media sense of the word.
What’s really interesting about this story is the duality of the White Hat / Black Hat nature of this event. What’s down-played in the media, and emphasized on technology-centric news sources (such as Slashdot and Reddit), is the 16 page report, titled “Appeal for a Carleton Cypherpunk Posse”, that Mansour sent to the Carleton administration and affected students, and supposedly circulated among the students of the University as well. The presence of such a paper suggests academic intentions, and many are quick to scream “White Hat” in the student’s defense. Though as the Carleton student newspaper notes — 9 of those pages were simply a copy of the source code, and the report also “includes a table claiming to contain the personal information for 32 students”.
This is where I have a problem with Mansour’s approach:
Proof-of-concept prototypes and responsible disclosure — good.
Acquiring real passwords, publishing those passwords, and doing so under a fake name — not as good.
@Mansour — it’s good to know that you are interested in researching and strengthening the security of your University, but your execution could have been better. Going after actual students is in bad taste and has landed you in trouble. And now Carleton University isn’t even convinced of the vulnerability that you have shown, as seen in the email that the University has sent out to its students:
This message is to notify students that the recent case of a hacking incident at Carleton has been successfully concluded. This morning, officers from Campus Safety brought in for questioning the individual concerned, who is now fully co-operating with university officials. He has confirmed how the hacking incident occurred and the university remains confident that the integrity of its email and Campus Card system has not been compromised.
@Carleton (and other Universities) — this incident doesn’t call for criminal charges. This will not deter students from being interested in security, but only encourage them to stay quieter about what they are doing. What we need to do is to teach a code of conduct — something Engineering students hear about in their very first term of study. Offer an introductory course to digital security, and make it an accessible elective by 2nd year of study. Security is a fascinating subject, it really is, and schools have an opportunity to take one of two positions — assist the students and encourage them towards the best practices, or get in the way and risk letting the students fall to the dark side.
The paper is quite vital to understanding the story.
This report is written by a full-time student of Carleton University, currently enrolled as an undergraduate in the Department of Mathematics and Statistics. The author hereby wishes to elicit a response from the reader and the community leading to greater awareness of the issues of privacy and security (or lack thereof) affecting students.
Though I was disappointed in the Proposed Remediation section. Considering the technical detail of the rest of the report, I was expecting to see something better than:
The author simply recommends the discontinuation of use of the Campus Card in its present form.