// you’re reading...

Education

Mansour Moufid “hacks” Carleton U’s campus card and emails

The latest “student hacker” story hitting the the media (after the MIT/Boston subway case) is a Canadian 2nd year Math major student at the Carleton University, who “hacked” the campus card and student emails. I use “hacked” in quotes as the police news release says that the systems were breached via “Keylogger software and Magnetic stripe card reader”; and even though Mansour Moufid wrote the keylogger himself (as is said in this CBC article) — this is hardly something innovative, or insightful. It was a “hack” in a mass-media sense of the word.

What’s really interesting about this story is the duality of the White Hat / Black Hat nature of this event. What’s down-played in the media, and emphasized on technology centric news sources (such as Slashdot and Reddit) is the 16 page report, titled “Appeal for a Carleton Cypherpunk Posse”, that Mansour send to the Carleton administration, affected students, and supposedly circulated around the students of the University as well. The presence of such a paper suggests academic intentions and many are quick to scream “White Hat” in student’s defense. Though as the Carleton student newspaper notes — 9 of those pages were simply a copy of the source code and also “includes a table claiming to contain the personal information for 32 students”.

This is where I have a problem with Mansour’s approach:

Proof-of-concept prototypes and responsible disclosure — good.

Acquiring real passwords, publishing those passwords, and doing so under a fake name — not as good.

@Mansour — it’s good to know that you are interested in researching and strengthening the security of your University, but your execution could have been better. Going after actual students is in bad taste and has landed you in trouble. And now Carleton University isn’t even convinced of the vulnerability that you have shown, as seen in the email that the University has send out to their students:

This message is to notify students that the recent case of a hacking incident at Carleton has been successfully concluded. This morning, officers from Campus Safety brought in for questioning the individual concerned, who is now fully co-operating with university officials. He has confirmed how the hacking incident occurred and the university remains confident that the integrity of its email and Campus Card system has not been compromised.

@Carleton (and other Universities) — this incident doesn’t call for criminal charges. This will not deter students from being interested in security, but only encourage them to stay quieter about what they are doing. What we need to do is to teach a code of conduct — something Engineering students hear about in their very first term of study. Offer an introductory course to digital security, and make it an accessible elective by 2nd year of study. Security is a fascinating subject, it really is, and schools have an opportunity to take one of two positions — assist the students and encourage them towards the best practices, or get in the way and risk letting the students fall to the dark side.

Update: The above mentioned report — “Appeal for a Carleton Cypherpunk Posse” published under the name of Kasper Holmberg has surfaced on WikiLeaks.org. A copy is mirrored here.

The paper is quite vital to understanding the story.

This report is written by a full-time student of Carleton University, currently enrolled as an undergraduate in the Department of Mathematics and Statistics. The author hereby wishes to elicit a response from the reader and the community leading to greater awareness of the issues of privacy and security (or lack thereof) affecting students.

Though I was disappointed in the Proposed Remediation section. Considering the technical detail of the rest of the report, I was expecting to see something better than:

The author simply recommends the discontinuation of use of the Campus Card in its present form.

Read more

Uhh... nothing else appears to be relevant enough.

Discussion

  1. Posted by Patrick Yeon | September 14, 2008, 4:10 am

    Thanks for your post on my blog. While I agree that collecting and publishing other people’s passwords was shady, keep in mind the timeline: Aug 29th, contacted the proper authorities; Sep 7th contacts the people affected. With, admittedly, no data to back me on this point, I would think he didn’t hear back from the administration. That’s typical of Carleton, and many people when you tell them about security problems in their jurisdiction. Releasing his finds publically is just doing what real security researchers do when they can’t seem to get a hole patched.

    As for Carleton itself, and how it views security, I’d just like to highlight a few things:
    * Carleton’s CIO seems pretty lax on the matter of security. He’s quoted as saying flaws seem “just part of normal business today.” (I know security is a trade-off, we can’t achieve perfection, blahblahblah, but that attitude sure isn’t encouraging)
    * Carleton’s campus cards can be used for purchases without any PIN, password, signature, or even without matching up to the name printed on the card (some people have ALOT of money on those too)
    * Carleton’s print stations are still insecure. A couple nights after we received the “all’s okay” e-mail from Carleton, a friend and I went on campus to check them out. By hitting alt+ctrl+del at the printer station, we got to the standard windows task manager. We could run anything on the computer, and had USB slots we could very easily transfer anything we wanted to through. Finally, the card data is just transmitted through the keyboard’s PS/2 port, as cleartext.

    To their credit, the card doesn’t have any numbers I recognize in cleartext, except maybe an expiry date. We discovered this by running notepad and scanning our own cards (not exactly super-hacking either). This still doesn’t stop card cloning though.

    Reply to comment

    Tony replied on: September 14th, 2008 at 4:32 pm

    I just think his point would have had as much validity without recording student’s passwords. Or he could have at least censored them from the report — from the look of it, a bunch of people used weak “firstname1″ type of password, and it’s likely that publishing this information compromises that user across many platforms, not necessary demonstrates a flaw in Carleton’s system.

    Also, as far as I know the “swipe to pay” system is the same across other Universities (U Waterloo in specific). I don’t think that much can be (reasonably) done, while keeping the same level of convenience. Perhaps have a chip on a card — simply to make cloning that much more difficult.

    Reply to comment

    Pascal Langley replied on: September 20th, 2008 at 1:21 pm

    “I don’t think that much can be (reasonably) done, while keeping the same level of convenience.”

    The University of Toronto uses smart cards for purchases across campus. This is much more secure than debit cards with no PIN, and just as convenient. Of course, the more secure solution is always a bit more expensive…

    Reply to comment

    Clayton replied on: September 14th, 2008 at 4:36 pm

    “* Carleton’s campus cards can be used for purchases without any PIN, password, signature, or even without matching up to the name printed on the card (some people have ALOT of money on those too)”

    This is true. I recently had ~$600 on my campus card to be used for purchasing textbooks and other things from stores on campus, and it is a bit worrysome to me that someone could just clone my card, slap their own picture on it (even though they don’t really check the photo on the cards when the cashier swipes them), and use all of that money.

    Reply to comment

  2. Posted by Brian | September 15, 2008, 10:43 am

    I gotta say when I was at Rutgers 4 years ago there was a similar hacking attempt. The authorities caught the guy and he was expelled. PC security today is at an all time low. It is estimated that 20-30% of all computers have trojan keyloggers installed via java script codes loading on other websites. Use a good virus scanner and be careful!

    Reply to comment

  3. Posted by TeasasTips | September 16, 2008, 7:47 am

    My problem with this whole incident was the way the “hacker” went about exposing the vulnerabilities. Publicizing personal student information only heightened any fears students may have had anyway about sharing private information whether it be on the university level or elsewhere. He should have approached the powers that be with this documentation. I believe our “hacker” was seeking some sort of notoriety or fame amongst his peers first, but it backfired.

    Reply to comment

    Pascal Langley replied on: September 20th, 2008 at 1:26 pm

    “Publicizing personal student information only heightened any fears students may have had …”

    The university received the report in question weeks (they themselves claim Aug. 29th, the student says even earlier) before it was sent to the student’s affected, which gave them plenty of time to issue those students new cards (with new account numbers, thereby nullifying their previous card data). That data in the report was null and void.

    Reply to comment

  4. Posted by Evolving Squid | September 16, 2008, 11:00 am

    @author – This incident DOES call for criminal charges. It doesn’t call for jail time, but what was done was clearly against the law. As long as people mollycoddle the Mansours of the world and think of this sort of crime as “research” and “curiosity”, it will just continue to get more prevalent and more dangerous.

    I agree about your comment with regard to teaching a code of conduct. What’s unfortunate is that parents aren’t teaching the difference between right and wrong when their children are young.

    The simple truth is that if Mansour wanted to show a vulnerability, he could have done it either by getting permission, or by setting up an isolated demonstration. He, instead, chose the illegal route and now he has to live with the consequences.

    Make no mistake, this is no different than walking down the street with a pick-gun and trying people’s front doors. You’ll get arrested for doing that too, even if your reason is “well, I just wanted to test their security, demonstrate a weakness, and send them a report.”

    It is an unfortunate attitude held by many people that because you can’t touch or feel data with your fingers that it is somehow impossible to steal it or commit a crime involving it.

    Reply to comment

    Tony replied on: September 16th, 2008 at 1:17 pm

    I’m just curious. The article 342.1 of Canadian Criminal Code (that you quoted on your post) (besides being dated) is very vague. The “imprisonment for a term not exceeding ten years” covers both identity theft and arguably theft of music (in a case where streaming music is a “computer service” and access to such is obtained illegitimately).

    So that’s quite a gradient that’s covered under the same article. I doubt you’d want to lock up pre-teen girls for collecting music files. So where do you draw the line? And how far pass that line do you want to place Mansour?

    Reply to comment

    Evolving Squid replied on: September 16th, 2008 at 4:53 pm

    342.1 is not “dated”… just because people had the forethought to get a law like that on the books doesn’t mean the law is somehow invalid with the passage of time. Yes, we can both think up examples where the passage of time has invalidated a law, but to think that it is universally the case that time invalidates law is to be deliberately obtuse. The law was put in place to, among other things, deal with exactly the situation that is currently being discussed. 342.1 is also punishable on summary conviction. Thus, the MAXIMUM penalty is 10 years, but the minimum penalty is basically a finger wagging and maybe a nasty wedgie.

    342.1 is not intended to cover theft of music or theft of identity. It covers unauthorized access to computers, obtaining or trafficking in passwords and such. That section of the law proscribes accessing a computer without authorization.

    If you sign up for a pirate music service, log into the service and pirate 10000 GB of music, you have not committed a violation of 342.1.

    If you steal a password and do the same thing, you have committed a violation of 342.1

    Identity theft is usually covered under the other statutes respecting fraud, although presumably if someone stole personal information via computer 342.1 could be added as an additional charge.

    Mansour is past the line. I do not think that it is in dispute whether or not he accessed the computer without authorization. He also published the password information without authorization. Those are both clear violations of 342.1 Again, he could have sanitized his report but chose not to do so. He could have mocked up his experiment in a lab, but chose not to do so. With full clarity of intent, he broke this law. He is solidly, unequivocally over the line.

    The only question that real question is what would constitute a fair punishment. He’s not going to be indicted for this – that would be over the top. Assuming this is his first offence, I’d say something like a conditional discharge (i.e. no criminal record) after 1 year’s probation. That way he gets his wrist slapped, but his life isn’t ruined if he chooses to start doing things by the book. Carleton U should probably suspend him for some period of time (1 semester?). If he continues his “security research” in unauthorized ways, then he gets a criminal record and ruins his life. That would be his choice to make.

    As noted in the following comment I also think students should consider going after Carleton, perhaps under the privacy legislation since it is also quite apparent that their security is not adequate. It might be nice to have Carleton’s IT group demonstrate that this hasn’t happened before but wasn’t found out / leaked to the media.

    Reply to comment

    pascal langley replied on: September 19th, 2008 at 2:27 pm

    Mr. “Spider”

    there is the semantic of the law and there is the spirit of law.
    that’s why we have courts,we have judges and lawyers ,only them can debate about the law.
    You seem to be one of the safety staff of Carleton,I know you are in hot water since the rape of that poor female student last year in a computer lab.
    I know you want to do something about it but let me tell you that it’s ridiculous to kill the messenger,don’t you think that it’s time for you and people like you to retire and let other people with more skills to take responsibility of the security of the students?

    Reply to comment

    Evolving Squid replied on: September 19th, 2008 at 7:05 pm

    That’s an interesting ad hominem attack. It’s also totally incorrect. I have no affiliation with the university whatsoever. Your immature attack has served only to make you look stupid, although that could have been your plan from the outset.

    In this case, it’s not a matter of killing any messenger. The hacker wasn’t a messenger of anything. He was a cranky, disgruntled student who wanted to kick up a stink. Unfortunately, he chose an illegal way to do it instead of a legal one.

    I happen to agree that CU security has issues that should be dealt with – harshly – but the fact of that doesn’t absolve the student who illegally broke the system and published the results.

    As for people with more skills, well, they’re always welcome to replace me. It seems that you equate “more skills” with “doesn’t bother to apply the law”. The spirit of that law was to prevent exactly the kind of thing that was done here. At the time it was written that was a fair bit of “ad hoc security inspection” going on. People began to think that such “research” was unethical, and so a law was passed. Yes, there was more to it than just that, but that was certainly part of it.

    Don’t you think it’s time for you and people like you to learn to take responsibility for your actions? Carleton students are supposed to be adults for the most part.

    Reply to comment

    pascal langley replied on: September 20th, 2008 at 9:46 am

    when you said “The hacker wasn’t a messenger of anything.” you are misleading people,because the student sent a 16 pages report to the University but the safety staff responsible tried to deny the fact that the university did receive a report and I think that’s why the student did sent it again to 32 students and to the university news paper because the safety staff responsible tried to hide this fact from the other university staff,then the student talked to the media and decided to go and see the safety staff,”He has not brought in”that’s totally false.he went by himself and explained the problem to the safety staff for one hour,the next morning he received a call from Ottawa Police.Theses are the facts not speculation.

    Reply to comment

  5. Posted by Evolving Squid | September 16, 2008, 11:02 am

    Oh, and I might add… Student government should be holding Carleton IT to the fire over this too. There should be demands that the IT department provide proof that they have exercised due diligence in the security of the system.

    Whether IT has exercised due diligence or not doesn’t excuse Mansour, but IT has a job to do, and the university’s customers (the students) should be forcing them to do it.

    Reply to comment

  6. Posted by Nathalie | September 16, 2008, 8:16 pm

    Well, they have ‘hacked’ this giant nuclear thing under Swiz, just show that it CAN be hacked, and that the security is not good. Such hackers just proof that there are gaps in the security system, regarding to what that guy above said. :)

    Reply to comment

    Dan replied on: September 17th, 2008 at 1:14 am

    They “hacked” the web server that talks about the “giant nuclear thing”. There is a rather big difference and it’s not a “giant nuclear thing” it’s a particle accelerator that can collider particles at near light speeds called the large hydron collider.

    Reply to comment

  7. Posted by Paul Treggs | September 17, 2008, 9:26 am

    Dan not everyone has time to watch as much news as you to get the correct name for every scientific device. and it is a giant thing being tested at the nuclear research centre so in reality its not that far off why cant you correct people and not try to make them feel stupid

    Reply to comment

    Tony replied on: September 17th, 2008 at 9:51 am

    Considering it was a “OMG, the world is going to end!” type of news, covered everywhere, it was pretty hard to miss. It certainly it’s a trivial piece of a scientific device. And while LHC was build by the European Organization for Nuclear Research (CERN), it is not at a “nuclear research centre”. LHC is a one-of-a-kind research facility.

    Though this hardly has much to do with Carleton ;)

    Reply to comment

    Hacker Dan replied on: September 18th, 2008 at 5:14 pm

    My intent was not to make you feal stupid, i just wanted to correct the factual error that the LHC was hacked witch it was not. There web server was and obvesly the web server does not run the LHC.

    Reply to comment

  8. Posted by Bon Scott | September 18, 2008, 6:48 pm

    Before you read this post I feen need to apologize for my bad English.
    Hopefully for those who are about to read it that they wont have much trouble understanding the meaning behind bad grammar and messy words.

    good luck :)

    As its proove to be those Hacking
    things always turn out to be illegal no matter what was the reason behind its act.
    They are always looking for holes in the system, discovering this and that and doesn’t matter how innocent does it look I think its a criminal act.
    From my point of view its pretty much the same if someone comes to my house,break in and unlock my safe just to show me that can be done.
    Even if he did no damage whatsoever I does bother me.
    There was pretty brutal case in my country(Slovenia) few years ago, where this hacker broke in the bank system via their online banking page.
    He did it just to prove how badly system was protceted.
    He took no money,no damage was done!
    Then he made an offer to the bank that he will sell them a protection for that vulnerability for 100.000€.
    THe case went in public it was in all media and even on TV.
    The bank sued him and he was convicted for 10.000€ of globe.
    Soon after that they somehow menaged to get him fired out of his job and even as damn good software coder he couldnt get a job.
    His girlfriend was fired from her job too, despite the fact that sha had nothnig to do with “hacking”.
    At the end poor guy hang himself couse his life was pretty much ruined for what he done, just to show how good he is.

    Its pretty impressive how far the things can grow from something which does look like a childish game .

    Reply to comment

    Tony replied on: September 18th, 2008 at 11:26 pm

    There are always two sides to everything. In physical security you might want to break into a locked building to save hostages (extreme example). More practical, in digital world, is that most people generally approve of security research (hacking, reverse engineering, etc) of viruses, worms, malware. The researcher is looking for a weakness in software — the intend does matter.

    I don’t know the details of the event you’ve mentioned, so I can’t comment much. Though as soon as money enters the game, things change drastically.

    Reply to comment

    pascal langley replied on: September 19th, 2008 at 2:19 pm

    your English is good, the case of the bank employee that you are talking of is irrelevant and has nothing to do with computer security,
    This guy did not come to ” YOUR ” house ,he revealed the flaw of a system that HE is using everyday

    Reply to comment

    Evolving Squid replied on: September 19th, 2008 at 7:09 pm

    And he could have mocked it up in a lab and generated a nice report with all the relevant information without breaking any laws whatsoever. He chose not to do so.

    He could have asked permission, but he chose not to do so.

    I’m curious, Pascal, why you think it is acceptable that Mansour did neither of these two simple things, either of which would have avoided this trouble?

    Reply to comment

    pascal langley replied on: September 20th, 2008 at 9:33 am

    I agree with you that he could have done that in more responsible way.
    Let me tell you something:
    All the students who has been in Carleton last year and who have to return this year have been traumatized by the rape of that poor female student last year,the rapist has never been arrested and the rape took place in a COMPUTER LAB.
    There is an insecurity climate in Carleton and that may have had an influence on this student to do this “experiment”then send a report to the University explaining them how to fix the problem.

    Reply to comment

  9. Posted by Nathalie | September 19, 2008, 10:44 am

    Dan, sorry but english is not my best friend especially when it comes to terminology, and I’m bored to check in Google. That’s why I used those words in the middle of ” “. I do know however everything about it in my language, just can’t translate. :)

    @ Tony, Couldn’t have said it better myself.

    Reply to comment

  10. Posted by pascal langley | September 19, 2008, 2:13 pm

    a lot of folk want to compare the act of this student to someone who break into a house.
    I think that this comparison is erroneous because he is living in that house,he is student and using that failed system and he was concerned about his safety and the safety of his friends,I am student at Carleton and I think that this guy did us all a favour because last year a female student has been raped in a computer lab on Carleton campus:the rapist has never been arrested and this guy who went by himself and explain everything to tha campus safety staff has been charged,it’s ridiculous,he was exposed to a lot of money and did not take any advantage of any student,instead he wrote a 16 pages report and sent it to the university explaining them how to fix the problem.
    In my opinion it’s the intent that matter and this student has never had any intent to harm any one,his intent was to correct a problem of the system HE is using with his fellow students everyday.

    Reply to comment

  11. Posted by Gaurav | September 19, 2008, 6:49 pm

    hacking now-a-days is rampat. Few months ago a similar event took place in my tech college were a computer science student hacked exam dept server to change his term work grades. However later head of computing dept said nothing was compromised. Hacking can be minimized but not controlled totally.

    Reply to comment

  12. Posted by pascal langley | September 20, 2008, 9:58 am

    “This message is to notify students that the recent case of a hacking incident at Carleton has been successfully concluded. This morning, officers from Campus Safety brought in for questioning the individual concerned, who is now fully co-operating with university officials. He has confirmed how the hacking incident occurred and the university remains confident that the integrity of its email and Campus Card system has not been compromised.”

    This is a lie,the student has not been” brought in” he went to meet the campus safety by himself.

    He has not confirmed how the hacking incident occurred” because they had no clue,even after sending them a 16 pages report,he explained them the vulnerability of the system for more than one hour.

    Reply to comment

    Tony replied on: September 20th, 2008 at 12:08 pm

    Thank you for the update. The lie was the email send out by the University. From what I understand, communication from the Carleton’s end had left more to be desired — there were emails to individual students being told to change their passwords, without any explanation as to why.

    Reply to comment

    Pascal Langley replied on: September 20th, 2008 at 1:12 pm

    You are welcome Tony, what people should have in mind is that the Carleton safety wanted to have the student charged and expelled from the University as soon as possible,and they gave erroneous statement to the University decision maker,they wanted to ignore the report sent to University,that’s why the student sent emails to all the students involved then spoke to the media.

    Reply to comment

  13. Posted by pascal langley | September 21, 2008, 8:20 am

    I remember when I got to college in 1992 there was this guy I met in my dorm who was already way tapped into the Internet and IT security and white hat hacking.

    While my own computer skills consisted of playing games and knowing how to write Cobol programs that would produce groups of letters that looked vaguely like Christmas trees on a dot matrix print outs and the like, this kid was hacking into business networks and then sending reports of his findings to the companies’ owners to let them know how lame their security was.

    I think he lasted one semester before he quit school to go make lots of money working in IT security for one of said companies on Wall St. He’s probably running his own consulting company somewhere now, or retired drinking cocktails while we all sit here at work.

    Anyway, an incident reported this week in the Canadian press points out how far behind some people remain in terms of understanding the value of ethical hacking, even when someone is merely trying to help them help themselves.

    Even worse, it was a case where an undergraduate college student was simply trying to inform his own school of how eminently hackable their e-mail system was, yet they’re having him prosecuted for doing his work in seemingly the most ethical manner possible, when instead they should really be thanking him.

    Or, you know, doing something crazy like giving him a work study job in the IT department and helping him continue to learn about something that could help him get a good job some day, in a field in which he’s clearly already displayed above-average interest and aptitude, but I guess that’s not what schools are meant for.

    As first reported by the Ottawa Citizen, 20 year old Mansour Moufid is instead facing criminal charges for exploiting the network of Carleton University, where he was attending classes at the school’s Ottawa campus, and sending a detailed report to school officials illustrating his work and warning them to bolster their defenses.

    Despite merely informing the school of just exactly how he was able to get his hands on the e-mail passwords of some 32 students at the school in this manner, and willingly answering investigators’ questions about the hack, they’re throwing the book at him.

    Makes sense, you know, if you’re a bureaucrat whose expensive IT security system just got owned by a kid.

    I guess the Carleton officials would have preferred that instead of one of their own students proving his industriousness and intelligence in trying to help them close a gaping security breach, that someone unknown would have scooped the social security numbers of their students or faculty or alumni and sold the information to the highest bidders.

    The guy is smart and he did them a favor, but of course they’re embarrassed since they just got exploited by a kid and now they’re making an example of him.

    Well, anyone who follows security knows who the real culprits are in this scenario, and they all work for Carleton University.

    “Our first concern is for our students and we will continue to review and, if necessary, upgrade our e-mail system in light of this incident,” school officials said in a statement. “The university is confident that its student e-mail and Campus Card system remain viable and at no time was credit card information accessible. A third-party audit of the university’s computer network concluded earlier in the year that the system had multiple security features and was deemed very secure.”

    Yeah, well, sounds like a heck on an audit, and how confident were you before this guy showed you how vulnerable you really were?

    Kudos to Moufid, it sounds like he’s got a much brighter future than some of his so-called teachers. Too bad they’re too obtuse to realize it, eh?

    Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software.

    Reply to comment

  14. Posted by Brad | September 23, 2008, 8:31 pm

    I haven’t heard of a good hacker story recently. Seems like “real” hacking has died out. Any boke off the street can swipe a card an reprogram it. The internet will tell you have to do it step by step with video on youtube lol.

    Reply to comment

    Tony replied on: September 23rd, 2008 at 9:36 pm

    It’s not so much that real hacking has died out; it’s that any off-the-shelf crack gets mixed in under the same term, effectively diluting the real deal. Rest assured that there is plenty of quality hacking still going on.

    Reply to comment

  15. Posted by Zeroth | September 25, 2008, 11:22 am

    Hmm, this is an interesting point to look at, what constitutes ethical hacking, what is out of bounds, and when it is wrong to overreact(people whom run the systems breached). And this was a good perusal of the case, guys. Very well-written.

    Reply to comment

  16. Posted by pascal langley | September 25, 2008, 3:58 pm

    Let’s thank Carleton hacker
    The Ottawa Citizen
    Published: Sunday, September 21, 2008

    Re: Neither friend nor foe, Sept. 13.

    The Carleton University hacker demonstrated for administration and officials that there was at least one weakness in the security of its students’ information and use of its on-line campus cards.

    The hacker could have chosen not to inform the students whose accounts he broke into: yet he did. He wrote letters to these students to notify each one of them of the vulnerability of their e-accounts.

    The hacker could have chosen not to inform university officials of the ease with which he accessed electronic records: yet he did. He wrote a letter to alert them of this weakness. Would someone whose intent was malicious have notified the owners and users of these electronic systems of their potential misuse?

    The hacker used a pseudonym when writing these letters, to protect himself from instant condemnation in a delicate situation. Yet he wrote letters of explication and a 16-page document to the university officials, to alert them to the flaws in their system.

    A suspect has since been arrested and now faces a possible prison sentence if convicted. The case should be re-evaluated.

    Wouldn’t any university officials rather have a hacker who works for them, lets them know how simple it was to break-in and also prepares a detailed document to outline and explain the flaws and process in order to correct the weakness? Or would they rather have a silent hacker who simply takes and abuses the desired goods or information for malicious intent?

    If a system is weak and flawed, I would want to deter all or any good-willed de-coders from helping correct such a situation. The 20-year-old hacker is obviously a bright young man and adept with electronic technology.

    Thank him, enlist his help in correcting the situation, and drop the charges.

    Sylvia Parent, Gloucester

    Reply to comment

  17. Posted by pascal langley | September 26, 2008, 3:23 am

    Hacker quits school to avoid punishment
    Student says he was just pointing out security flaws, but Carleton wants him to admit to offences
    Brendan Kennedy, Ottawa Citizen
    Published: Thursday, September 25, 2008

    OTTAWA — The Carleton University student who hacked into the electronic accounts of 32 students to expose the system’s security flaws has decided to leave the school rather than accept its punishment, which was delivered in a private hearing Thursday.

    Mansour Moufid, a 20-year-old second-year math student, sent a 16-page report to university administrators and students under the pseudonym “Kasper Holmberg” earlier this month, in which he showed that he had accessed the Campus Card accounts of 32 students.

    Mr. Moufid could have accessed student e-mails, course registrations, library records and personal financial information, as well as any money students put on their cards. But he states in his report that he had done it to encourage the university to improve its security.

    Mr. Moufid told the Citizen Thursday that he will not be returning to Carleton this year because the university is asking him to lie.
    “They’re asking me to say I did something I didn’t do,” he said.

    In a two-page letter delivered to Mr. Moufid Thursday and obtained by the Citizen, the university’s associate vice-president, Suzanne Blanchard, lists six sanctions imposed on Mr. Moufid for violating the school’s Student Rights and Responsibilities Policy.

    One of the six sanctions requires Mr. Moufid to write a letter of apology to the 32 students whose accounts he accessed, the university and the university community, and it stipulates that the letter must include “that you lied about alerting the university before distribution (of the report).”

    Mr. Moufid said he mailed a copy of his technical report to Carleton’s Information Privacy Officer and its information co-ordinator in mid-August, two weeks before he sent it to the affected students and campus media.

    A spokesman for the university, Christopher Walters, refused to comment on Mr. Moufid’s hearing, saying it was “a private university matter.” No member of the university’s administration was available for comment.

    The other sanctions against Mr. Moufid include: paying $608 for the cost of 32 new student cards; paying $2,160 for the cost of extra security staff for the residence buildings “due to the unknown risk caused by the breach of the campus card system;” seven hours of community service per week at a food bank; completion of an ethics course; that Mr. Moufid allow the university to monitor all of his online activity through any Carleton University server for as long as he has access to those services, and that information may be shared among university officials; and that, if Mr. Moufid violates the university’s student policy again, he will be expelled.

    The discipline does not include any academic penalty, suspension or expulsion.

    The sanctions are prefaced by a note that states Mr. Moufid’s actions put students at risk and that it was not his first offence.

    Mr. Moufid said he was given a verbal warning by university administration last year when, as a first-year student living in residence, he created different IP addresses for his computer in order to access certain restricted websites and online resources.

    Mr. Moufid said he would have been happy to comply with all of the sanctions and return to the university, except where the letter of apology required him to admit to lying to the university.

    “The way they’re treating me has really bothered me,” he said, but also said that he was thankful he wasn’t suspended or expelled.

    “I wrote the report because I wanted people to know,” he said. “Carleton has to know that there’s a problem. Obviously they didn’t know that certain things were possible with their system, and I thought students should also know because it directly concerns them.”

    In his statement of defence, Mr. Moufid writes that he “never had any intention to harm my fellow students or Carleton University in any way,” and that his ultimate goal was to see security improved.

    “To be clear: I did not create any security problem, but simply revealed it; I did not alter or destroy any data although I could have; I did not take any advantage of any student, either financially or otherwise, although I could have; I was acting in good faith, with the interests of the student body – of which I am a part of – in mind,” reads a portion of his statement.

    Mr. Moufid said that the system wasn’t difficult to crack and that he first noticed its vulnerability last year, but didn’t write the report until the summer.

    The campus cards are used like debit cards throughout campus, and Mr. Moufid said he was able to easily crack the system by using a computer program that captured information when the cards were swiped.

    He said he captured the information simply by running the program on the computers attached to the card-swipe machines.

    The cards do not require students to enter a personal identification number (PIN.)

    Mr. Moufid admitted that he probably could have done things differently to prove his point in a way that would have been more favourable to the university, but he added that he doesn’t think they would have taken it seriously.

    “To make them do something, you have to at least let them believe that it could be made public.”

    He said he followed the information security industry’s standard practices of “responsible disclosure” or “full disclosure” by informing the university and the affected students of the security flaws and that he did not intend any maliciousness, adding that he is interested in pursuing a career in information security.

    In addition to the university’s discipline, Mr. Moufid was also charged under the Criminal Code with mischief to data and unauthorized use of a computer.

    Both charges carry a maximum prison sentence of 10 years. He is scheduled to appear in court on Oct. 15.

    Mr. Moufid said he was surprised by the severity of the charges.

    “Ten years in prison? That’s like the Mafia or something.”

    Mr. Moufid said he had decided to go back to his summer job in Mississauga, where he worked in a warehouse, and was planning to resume his studies at another university next September.

    Reply to comment

  18. Posted by pascal langley | September 26, 2008, 3:47 am

    they want him to commit perjury against himself in order to avoid embarrassment:this is what is criminal

    Reply to comment

  19. Posted by pascal langley | September 26, 2008, 7:25 pm

    you can be sure that Mansour’s lawyer will ask the court to issue a subpoena against Mrs.Blanchard in order to explain to the court why she ordered the student to lie,and if she fail to attend or remain in attendance as required by the subpoena, a warrant may be issued for her arrest.

    Reply to comment

  20. Posted by Ryan | September 27, 2008, 12:47 am

    I think the letter Suzanne Blachard sent to the student asking him to lie is relevant to how the charges has brought against the student in the first place,because thoses charges are based on a document that the university safety obtained from him through intimidation and threats of expulsion.
    His lawyer will discuss if those so called “confessions” obtained by the university safety director Mr. Boudreault can be used in court.
    And by sending him a letter and asking him to deny he sent a letter to the university,Mrs Blanchard is just showing the entire world her collusion with Mr Boudreault:the director of the safety staff of Carleton,it’s clear that we have a collusion here between Boudreault and Blanchard.

    Reply to comment

  21. Posted by David.L | September 30, 2008, 7:07 am

    Carleton administrators who signed the letter sent to Mansour will certainly be charged for extortion of falses confessions in the next few days.

    In Canada, the 2008 version of the Criminal Code prohibits extortion as set out at §346(1):

    “Every one commits extortion who, without reasonable justification or excuse and with intent to obtain anything, by threats, accusations, menaces or violence induces or attempts to induce any person, whether or not he is the person threatened, accused or menaced or to whom violence is shown, to do anything or cause anything to be done.”

    In R v Davis, Chief Justice lamer of Canada’s Supreme Court wrote, in 1999:

    Reply to comment

Post a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>