In Canada, the 2008 version of the Criminal Code prohibits extortion as set out at §346(1):

“Every one commits extortion who, without reasonable justification or excuse and with intent to obtain anything, by threats, accusations, menaces or violence induces or attempts to induce any person, whether or not he is the person threatened, accused or menaced or to whom violence is shown, to do anything or cause anything to be done.”

In R v Davis, Chief Justice lamer of Canada’s Supreme Court wrote, in 1999:

OTTAWA — The Carleton University student who hacked into the electronic accounts of 32 students to expose the system’s security flaws has decided to leave the school rather than accept its punishment, which was delivered in a private hearing Thursday.

Mansour Moufid, a 20-year-old second-year math student, sent a 16-page report to university administrators and students under the pseudonym “Kasper Holmberg” earlier this month, in which he showed that he had accessed the Campus Card accounts of 32 students.

Mr. Moufid could have accessed student e-mails, course registrations, library records and personal financial information, as well as any money students put on their cards. But he states in his report that he had done it to encourage the university to improve its security.

Mr. Moufid told the Citizen Thursday that he will not be returning to Carleton this year because the university is asking him to lie.
“They’re asking me to say I did something I didn’t do,” he said.

In a two-page letter delivered to Mr. Moufid Thursday and obtained by the Citizen, the university’s associate vice-president, Suzanne Blanchard, lists six sanctions imposed on Mr. Moufid for violating the school’s Student Rights and Responsibilities Policy.

One of the six sanctions requires Mr. Moufid to write a letter of apology to the 32 students whose accounts he accessed, the university and the university community, and it stipulates that the letter must include “that you lied about alerting the university before distribution (of the report).”

Mr. Moufid said he mailed a copy of his technical report to Carleton’s Information Privacy Officer and its information co-ordinator in mid-August, two weeks before he sent it to the affected students and campus media.

A spokesman for the university, Christopher Walters, refused to comment on Mr. Moufid’s hearing, saying it was “a private university matter.” No member of the university’s administration was available for comment.

The other sanctions against Mr. Moufid include: paying $608 for the cost of 32 new student cards; paying $2,160 for the cost of extra security staff for the residence buildings “due to the unknown risk caused by the breach of the campus card system;” seven hours of community service per week at a food bank; completion of an ethics course; that Mr. Moufid allow the university to monitor all of his online activity through any Carleton University server for as long as he has access to those services, and that information may be shared among university officials; and that, if Mr. Moufid violates the university’s student policy again, he will be expelled.

The discipline does not include any academic penalty, suspension or expulsion.

The sanctions are prefaced by a note that states Mr. Moufid’s actions put students at risk and that it was not his first offence.

Mr. Moufid said he was given a verbal warning by university administration last year when, as a first-year student living in residence, he created different IP addresses for his computer in order to access certain restricted websites and online resources.

Mr. Moufid said he would have been happy to comply with all of the sanctions and return to the university, except where the letter of apology required him to admit to lying to the university.

“The way they’re treating me has really bothered me,” he said, but also said that he was thankful he wasn’t suspended or expelled.

“I wrote the report because I wanted people to know,” he said. “Carleton has to know that there’s a problem. Obviously they didn’t know that certain things were possible with their system, and I thought students should also know because it directly concerns them.”

In his statement of defence, Mr. Moufid writes that he “never had any intention to harm my fellow students or Carleton University in any way,” and that his ultimate goal was to see security improved.

“To be clear: I did not create any security problem, but simply revealed it; I did not alter or destroy any data although I could have; I did not take any advantage of any student, either financially or otherwise, although I could have; I was acting in good faith, with the interests of the student body – of which I am a part of – in mind,” reads a portion of his statement.

Mr. Moufid said that the system wasn’t difficult to crack and that he first noticed its vulnerability last year, but didn’t write the report until the summer.

The campus cards are used like debit cards throughout campus, and Mr. Moufid said he was able to easily crack the system by using a computer program that captured information when the cards were swiped.

He said he captured the information simply by running the program on the computers attached to the card-swipe machines.

The cards do not require students to enter a personal identification number (PIN.)

Mr. Moufid admitted that he probably could have done things differently to prove his point in a way that would have been more favourable to the university, but he added that he doesn’t think they would have taken it seriously.

“To make them do something, you have to at least let them believe that it could be made public.”

He said he followed the information security industry’s standard practices of “responsible disclosure” or “full disclosure” by informing the university and the affected students of the security flaws and that he did not intend any maliciousness, adding that he is interested in pursuing a career in information security.

In addition to the university’s discipline, Mr. Moufid was also charged under the Criminal Code with mischief to data and unauthorized use of a computer.

Both charges carry a maximum prison sentence of 10 years. He is scheduled to appear in court on Oct. 15.

Mr. Moufid said he was surprised by the severity of the charges.

“Ten years in prison? That’s like the Mafia or something.”

Mr. Moufid said he had decided to go back to his summer job in Mississauga, where he worked in a warehouse, and was planning to resume his studies at another university next September.

Re: Neither friend nor foe, Sept. 13.

The Carleton University hacker demonstrated for administration and officials that there was at least one weakness in the security of its students’ information and use of its on-line campus cards.

The hacker could have chosen not to inform the students whose accounts he broke into: yet he did. He wrote letters to these students to notify each one of them of the vulnerability of their e-accounts.

The hacker could have chosen not to inform university officials of the ease with which he accessed electronic records: yet he did. He wrote a letter to alert them of this weakness. Would someone whose intent was malicious have notified the owners and users of these electronic systems of their potential misuse?

The hacker used a pseudonym when writing these letters, to protect himself from instant condemnation in a delicate situation. Yet he wrote letters of explication and a 16-page document to the university officials, to alert them to the flaws in their system.

A suspect has since been arrested and now faces a possible prison sentence if convicted. The case should be re-evaluated.

Wouldn’t any university officials rather have a hacker who works for them, lets them know how simple it was to break-in and also prepares a detailed document to outline and explain the flaws and process in order to correct the weakness? Or would they rather have a silent hacker who simply takes and abuses the desired goods or information for malicious intent?

If a system is weak and flawed, I would want to deter all or any good-willed de-coders from helping correct such a situation. The 20-year-old hacker is obviously a bright young man and adept with electronic technology.

Thank him, enlist his help in correcting the situation, and drop the charges.

Sylvia Parent, Gloucester

While my own computer skills consisted of playing games and knowing how to write Cobol programs that would produce groups of letters that looked vaguely like Christmas trees on a dot matrix print outs and the like, this kid was hacking into business networks and then sending reports of his findings to the companies’ owners to let them know how lame their security was.

I think he lasted one semester before he quit school to go make lots of money working in IT security for one of said companies on Wall St. He’s probably running his own consulting company somewhere now, or retired drinking cocktails while we all sit here at work.

Anyway, an incident reported this week in the Canadian press points out how far behind some people remain in terms of understanding the value of ethical hacking, even when someone is merely trying to help them help themselves.

Even worse, it was a case where an undergraduate college student was simply trying to inform his own school of how eminently hackable their e-mail system was, yet they’re having him prosecuted for doing his work in seemingly the most ethical manner possible, when instead they should really be thanking him.

Or, you know, doing something crazy like giving him a work study job in the IT department and helping him continue to learn about something that could help him get a good job some day, in a field in which he’s clearly already displayed above-average interest and aptitude, but I guess that’s not what schools are meant for.

As first reported by the Ottawa Citizen, 20 year old Mansour Moufid is instead facing criminal charges for exploiting the network of Carleton University, where he was attending classes at the school’s Ottawa campus, and sending a detailed report to school officials illustrating his work and warning them to bolster their defenses.

Despite merely informing the school of just exactly how he was able to get his hands on the e-mail passwords of some 32 students at the school in this manner, and willingly answering investigators’ questions about the hack, they’re throwing the book at him.

Makes sense, you know, if you’re a bureaucrat whose expensive IT security system just got owned by a kid.

I guess the Carleton officials would have preferred that instead of one of their own students proving his industriousness and intelligence in trying to help them close a gaping security breach, that someone unknown would have scooped the social security numbers of their students or faculty or alumni and sold the information to the highest bidders.

The guy is smart and he did them a favor, but of course they’re embarrassed since they just got exploited by a kid and now they’re making an example of him.

Well, anyone who follows security knows who the real culprits are in this scenario, and they all work for Carleton University.

“Our first concern is for our students and we will continue to review and, if necessary, upgrade our e-mail system in light of this incident,” school officials said in a statement. “The university is confident that its student e-mail and Campus Card system remain viable and at no time was credit card information accessible. A third-party audit of the university’s computer network concluded earlier in the year that the system had multiple security features and was deemed very secure.”

Yeah, well, sounds like a heck on an audit, and how confident were you before this guy showed you how vulnerable you really were?

Kudos to Moufid, it sounds like he’s got a much brighter future than some of his so-called teachers. Too bad they’re too obtuse to realize it, eh?

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software.