Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-28 Thread Dan Ballance
It depends on what your objective is. If it is to educate young people and
help them to develop into responsible adults, then I think exclusion was
the wrong choice. It seems likely to me that by excluding this young person
they are just creating the next hacker to go and work for some dodgy
organised crime outfit. Why not have a security team that consists of staff
and volunteer students who together could assess network security? It
sounds like he has an interest in security topics. Imho educators are there
to inspire and channel young people - even young people who are wandering
into difficult territory. Anyways, that's my take on it :)
On 27 Jan 2013 16:46, Benji m...@b3nji.com wrote:

 Arbitrary moral compass? Amazing.

 Please, explain the morals behind finding a bug, reporting it, getting a
 slap on the wrist, and then running a vuln scanner against the site? If
 his true intent was to see if it was fixed, I would suggest that he checked
 it with the finesse, logic and precision that I would expect from a baby
 with a hammer.

 Morals would tell you to ask, logic would tell you to ask, common sense
 would tell you to ask before the last step, especially after being told off
 and AGREEING to the college's code of conduct aka morals. If he didn't agree
 with them he shouldn't have agreed to them.

 'My bank's interest rates seem immoral, I will only pay 6%'. Let me know
 how that logic works out for you.

 Pretending that this guy is more than an idiot is astounding.

 Do you want your university students to follow the law, or does the law
 not matter if the morals behind it are fine in someone's opinion?

 'I robbed the bank and shot the guard, but don't worry it was to keep up
 on my mortgage payments to house my family'

 Who uses Acunetix anyway?

 As far as I can tell, this argument is now debating opinion which is
 inherently stupid.

 Sent from my lack of morals, and about 3 cans of taurine/caffeine


 On 25 Jan 2013, at 22:29, Dan Ballance tzewang.do...@gmail.com wrote:

 My point being, a degree in computer science should reflect the student's
 ability in computer science - not compliance with some arbitrary moral
 compass dreamt up in a university board somewhere.

 Who gave these university bureaucrats the power to exclude this young
 person from the education system?  Why is their moral compass deemed to be
 correct?  I thought university lecturers held positions due to their
 talents in their respective subjects - not because of their ability to
 implement social policy?
 On 25 Jan 2013 17:40, Jeffrey Walton noloa...@gmail.com wrote:

 On Fri, Jan 25, 2013 at 12:07 PM,  valdis.kletni...@vt.edu wrote:
  On Fri, 25 Jan 2013 09:57:51 +, Dan Ballance said:
 
  ...
 
  Doesn't matter if he ends up a corporate knob or a freedom fighter.  If
  he says I promise to XYZ you want him to be trustworthy on said
 promise.
 
  You might want to ask the guys in Anonymous who got ratted out by one
  of their own how they feel about the word trustworthy regarding the
  rat who said I promise not to rat you out.
 :)

 There is no honor among thieves (or corporations, or lawyers, or...)

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/



Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-27 Thread gremlin
On 25-Jan-2013 12:40:01 -0500, Jeffrey Walton wrote:

   Doesn't matter if he ends up a corporate knob or a freedom
   fighter. If he says I promise to XYZ you want him to be
   trustworthy on said promise.
   You might want to ask the guys in Anonymous who got ratted
   out by one of their own how they feel about the word
   trustworthy regarding the rat who said I promise not to
   rat you out.

  :)
  There is no honor among thieves (or corporations, or lawyers,
  or...)

s/no/more/;s/ \(or/, than among/g;s/\)//


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin gremlin ПРИ gremlin ТЧК ru
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8


Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-27 Thread Dan Ballance
My point being, a degree in computer science should reflect the student's
ability in computer science - not compliance with some arbitrary moral
compass dreamt up in a university board somewhere.

Who gave these university bureaucrats the power to exclude this young
person from the education system?  Why is their moral compass deemed to be
correct?  I thought university lecturers held positions due to their
talents in their respective subjects - not because of their ability to
implement social policy?
On 25 Jan 2013 17:40, Jeffrey Walton noloa...@gmail.com wrote:

 On Fri, Jan 25, 2013 at 12:07 PM,  valdis.kletni...@vt.edu wrote:
  On Fri, 25 Jan 2013 09:57:51 +, Dan Ballance said:
 
  ...
 
  Doesn't matter if he ends up a corporate knob or a freedom fighter.  If
  he says I promise to XYZ you want him to be trustworthy on said
 promise.
 
  You might want to ask the guys in Anonymous who got ratted out by one
  of their own how they feel about the word trustworthy regarding the
  rat who said I promise not to rat you out.
 :)

 There is no honor among thieves (or corporations, or lawyers, or...)


Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-27 Thread Benji
Arbitrary moral compass? Amazing.

Please, explain the morals behind finding a bug, reporting it, getting a slap
on the wrist, and then running a vuln scanner against the site? If his true
intent was to see if it was fixed, I would suggest that he checked it with the 
finesse, logic and precision that I would expect from a baby with a hammer.

Morals would tell you to ask, logic would tell you to ask, common sense would 
tell you to ask before the last step, especially after being told off and 
AGREEING to the college's code of conduct aka morals. If he didn't agree with
them he shouldn't have agreed to them.

'My bank's interest rates seem immoral, I will only pay 6%'. Let me know how
that logic works out for you.

Pretending that this guy is more than an idiot is astounding.

Do you want your university students to follow the law, or does the law not 
matter if the morals behind it are fine in someone's opinion?

'I robbed the bank and shot the guard, but don't worry it was to keep up on my 
mortgage payments to house my family'

Who uses Acunetix anyway?

As far as I can tell, this argument is now debating opinion which is inherently 
stupid. 

Sent from my lack of morals, and about 3 cans of taurine/caffeine


On 25 Jan 2013, at 22:29, Dan Ballance tzewang.do...@gmail.com wrote:

 My point being, a degree in computer science should reflect the student's 
 ability in computer science - not compliance with some arbitrary moral compass
 dreamt up in a university board somewhere.
 
 Who gave these university bureaucrats the power to exclude this young person
 from the education system?  Why is their moral compass deemed to be correct?  
 I thought university lecturers held positions due to their talents in their 
 respective subjects - not because of their ability to implement social
 policy?
 
 On 25 Jan 2013 17:40, Jeffrey Walton noloa...@gmail.com wrote:
 On Fri, Jan 25, 2013 at 12:07 PM,  valdis.kletni...@vt.edu wrote:
  On Fri, 25 Jan 2013 09:57:51 +, Dan Ballance said:
 
  ...
 
  Doesn't matter if he ends up a corporate knob or a freedom fighter.  If
  he says I promise to XYZ you want him to be trustworthy on said promise.
 
  You might want to ask the guys in Anonymous who got ratted out by one
  of their own how they feel about the word trustworthy regarding the
  rat who said I promise not to rat you out.
 :)
 
 There is no honor among thieves (or corporations, or lawyers, or...)

Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-25 Thread Lerie Taylor
The punishment was harsh.

Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-25 Thread Dan Ballance
I don't personally think a degree should or shouldn't be awarded because a
student has or has not met some kind of arbitrary moral standard. It should
assess their abilities in computer science, not that their ethics meet with
what the dominant powers in society currently deem to
be acceptable behaviour. In the future some of these people may be
remembered as freedom fighters - and our whole conception of what was
ethical action at that time may shift.


On 25 January 2013 01:49, Lerie Taylor mr.le...@gmail.com wrote:

 The punishment was harsh.



Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-25 Thread Valdis . Kletnieks
On Fri, 25 Jan 2013 09:57:51 +, Dan Ballance said:

 I don't personally think a degree should or shouldn't be awarded because a
 student has or has not met some kind of arbitrary moral standard. It should
 assess their abilities in computer science, not that their ethics meet with
 what the dominant powers in society currently deem to
 be acceptable behaviour. In the future some of these people may be
 remembered as freedom fighters - and our whole conception of what was
 ethical action at that time may shift.

Doesn't matter if he ends up a corporate knob or a freedom fighter.  If
he says I promise to XYZ you want him to be trustworthy on said promise.

You might want to ask the guys in Anonymous who got ratted out by one
of their own how they feel about the word trustworthy regarding the
rat who said I promise not to rat you out.





Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-25 Thread Jeffrey Walton
On Fri, Jan 25, 2013 at 12:07 PM,  valdis.kletni...@vt.edu wrote:
 On Fri, 25 Jan 2013 09:57:51 +, Dan Ballance said:

 ...

 Doesn't matter if he ends up a corporate knob or a freedom fighter.  If
 he says I promise to XYZ you want him to be trustworthy on said promise.

 You might want to ask the guys in Anonymous who got ratted out by one
 of their own how they feel about the word trustworthy regarding the
 rat who said I promise not to rat you out.
:)

There is no honor among thieves (or corporations, or lawyers, or...)



Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-24 Thread Benjamin Kreuter

On Tue, 22 Jan 2013 08:32:11 +
Benji m...@b3nji.com wrote:

 Someone please explain to me why he had to run a vulnerability
 scanner to check one vulnerability, and again, how are we still
 arguing about this? Whether you think he had a 'right' to test this
 or not, he was either too dumb or too naive to know it was against
 the law.

I do not think the issue is whether or not he broke the law; rather,
the issue is whether or not the law serves the people's interest.  I am
not a Canadian, so maybe I do not really have a say, but given that
this kid did not cause any measurable damage, it seems hard to make the
case that he should have been punished for his actions.  Throwing a
student out of school because he used a pen-testing tool is more
damaging to the school and to society as a whole than what the student
actually did.

There is also the matter of the school itself.  They were presented
with a student who had found a vulnerability, reported it, and then
checked to see if there were still problems.  Does expulsion really
sound like a reasonable punishment to you?  Does any punishment seem in
order, given that the student made no attempt to maliciously exploit
his discoveries?  It seems to me that a much better approach would have
been to offer the student a chance to present the vulnerability in a
computer security class.  The school's mission is, theoretically, to
teach its students -- why, then, would they remove from the student
body someone who could do just that?

Sure, maybe the school has a policy of expulsion for any student who
breaks the law -- but why would the school expel a student
preemptively, before he was even found guilty by a court (or even
charged with a crime)?  If he had been arrested, it would have made
sense for the school to put him on academic suspension until the
conclusion of his criminal case, at which point a guilty verdict might
mean expulsion.

-- Ben


-- 
Benjamin R Kreuter
UVA Computer Science
brk...@virginia.edu
KK4FJZ

--

If large numbers of people are interested in freedom of speech, there
will be freedom of speech, even if the law forbids it; if public
opinion is sluggish, inconvenient minorities will be persecuted, even
if laws exist to protect them. - George Orwell


Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-24 Thread Gary Baribault
The really funny part is where 15 teachers voted... you mean there are 15
teachers at Dawson that understand the implications of a pen test tool?
I am in Montreal and I know Dawson, they are usually much saner than that!

Let's see if they now have the guts to do a Mea Culpa and fix this
injustice.

Gary Baribault
Courriel: g...@baribault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

On 01/24/2013 10:16 AM, Benjamin Kreuter wrote:
 On Tue, 22 Jan 2013 08:32:11 +
 Benji m...@b3nji.com wrote:

  Someone please explain to me why he had to run a vulnerability
  scanner to check one vulnerability, and again, how are we still
  arguing about this? Whether you think he had a 'right' to test this
  or not, he was either too dumb or too naive to know it was against
  the law.

 I do not think the issue is whether or not he broke the law; rather,
 the issue is whether or not the law serves the people's interest.  I am
 not a Canadian, so maybe I do not really have a say, but given that
 this kid did not cause any measurable damage, it seems hard to make the
 case that he should have been punished for his actions.  Throwing a
 student out of school because he used a pen-testing tool is more
 damaging to the school and to society as a whole than what the student
 actually did.

 There is also the matter of the school itself.  They were presented
 with a student who had found a vulnerability, reported it, and then
 checked to see if there were still problems.  Does expulsion really
 sound like a reasonable punishment to you?  Does any punishment seem in
 order, given that the student made no attempt to maliciously exploit
 his discoveries?  It seems to me that a much better approach would have
 been to offer the student a chance to present the vulnerability in a
 computer security class.  The school's mission is, theoretically, to
 teach its students -- why, then, would they remove from the student
 body someone who could do just that?

 Sure, maybe the school has a policy of expulsion for any student who
 breaks the law -- but why would the school expel a student
 preemptively, before he was even found guilty by a court (or even
 charged with a crime)?  If he had been arrested, it would have made
 sense for the school to put him on academic suspension until the
 conclusion of his criminal case, at which point a guilty verdict might
 mean expulsion.

 -- Ben






Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-24 Thread Ferenc Kovacs
Yeah, this is why most banks suck: they won't let me try to break in, even
if I have my money there and am only doing it to make sure that it is
secure.
I promise I wouldn't touch anything else.


On Tue, Jan 22, 2013 at 3:08 AM, Sanguinarious Rose 
sanguiner...@occultusterra.com wrote:

 And that is the reason why no one wants to report anything they find,
 it's because of people like you and your kind of thinking.

 Did they publicly post all the private information?
 No

 Did they try to use it for malicious or illicit purposes?
 No

 Did they report it when they found it?
 Yes

 A horrible moral compass indeed! Arrest these people for being
 concerned and reporting it after stumbling upon security flaws!
 Amiright?

 On Mon, Jan 21, 2013 at 8:06 PM, Nick FitzGerald
 n...@virus-l.demon.co.uk wrote:
  Jeffrey Walton wrote:
 
  On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com
 wrote:
   Moreover, he ran it again after reporting it to see if it was still
 there.
   Essentially he's doing an unauthorised pen test having alerted them
 that
   he'd done one already.
  If his personal information is in the proprietary system, I believe he
  has every right to very the security of the system.
 
  BUT how can he verify (I assume that was the word you meant?) proper
  security of _his_ personal details?  He would have to test using
  someone _else's_ access credentials.  That is unauthorized access by
  most relevant legislation in most jurisdictions.
 
  Alternately, he could try accessing someone else's data from his login,
  and that is equally clearly unauthorized access.
 
  He and his colleague who originally discovered the flaw may have used
  each other's access credentials to access their own data, or used their
  own credentials to access the other's data _in agreement between
  themselves_ BUT in so doing most likely broke the terms of service of
  the system/their school/etc, _equally_ putting them afoul of most
  unauthorized access legislation.
 
  Is he allowed to opt-out of the system (probably not)? If not, he
  has a responsibility to check.
 
  BUT he has no responsibility to check on anyone _else's_ data and no
  _authority_ to use anyone else's credentials to check on his own.
 
  So, what responsibility does he really have?
 
  It sounds like he should have left well alone once he had reported this
  to the university and the vendors.  That he did not have the sense or
  moral compass to recognize that tells us something important about him.
 
 
 
  Regards,
 
  Nick FitzGerald
 
 





-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-24 Thread Valdis . Kletnieks
On Thu, 24 Jan 2013 10:16:29 -0500, Benjamin Kreuter said:

 There is also the matter of the school itself.  They were presented
 with a student who had found a vulnerability, reported it, and then
 checked to see if there were still problems.  Does expulsion really
 sound like a reasonable punishment to you?  Does any punishment seem in
 order, given that the student made no attempt to maliciously exploit
 his discoveries?  It seems to me that a much better approach would have
 been to offer the student a chance to present the vulnerability in a
 computer security class.  The school's mission is, theoretically, to
 teach its students -- why, then, would they remove from the student
 body someone who could do just that?

I've seen reference to a few more details on this - namely:

1) The kid, as part of his major, signed an ethics document.
2) He was either told or agreed to not run the scanner again.
3) He did so anyhow.

and that he didn't get kicked out because he ran the scanner, but
because he did so *in violation of the ethics standard*.

I'll probably have to go back and find references for all that - but
even without that, it's something to think about.  If somebody
agrees not to do something, and then does it anyhow, is he *trustworthy*
enough for a degree in that field?



Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-24 Thread Peter Dawson
@Valdis, you're correct.

He was expelled for other reasons. Despite receiving clear directives not
to, he attempted repeatedly to intrude into areas of College information
systems that had no relation with student information systems.

These actions and behaviours breach the *code of professional conduct*
(http://www.dawsoncollege.qc.ca/public/72b18975-8251-444e-8af8-224b7df11fb7/info_desk/420a0_-_professional_conduct.pdf)
for Computer Science students, a serious breach that requires the College
to act.


/pd

On Thu, Jan 24, 2013 at 12:34 PM, valdis.kletni...@vt.edu wrote:

 On Thu, 24 Jan 2013 10:16:29 -0500, Benjamin Kreuter said:

  There is also the matter of the school itself.  They were presented
  with a student who had found a vulnerability, reported it, and then
  checked to see if there were still problems.  Does expulsion really
  sound like a reasonable punishment to you?  Does any punishment seem in
  order, given that the student made no attempt to maliciously exploit
  his discoveries?  It seems to me that a much better approach would have
  been to offer the student a chance to present the vulnerability in a
  computer security class.  The school's mission is, theoretically, to
  teach its students -- why, then, would they remove from the student
  body someone who could do just that?

 I've seen reference to a few more details on this - namely:

 1) The kid, as part of his major, signed an ethics document.
 2) He was either told or agreed to not run the scanner again.
 3) He did so anyhow.

 and that he didn't get kicked out because he ran the scanner, but
 because he did so *in violation of the ethics standard*.

 I'll probably have to go back and find references for all that - but
 even without that, it's something to think about.  If somebody
 agrees not to do something, and then does it anyhow, is he *trustworthy*
 enough for a degree in that field?



Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-24 Thread Stefan Weimar
Hello,

On 24 January valdis.kletni...@vt.edu wrote:

 I've seen reference to a few more details on this - namely:
 
 1) The kid, as part of his major, signed an ethics document.
 2) He was either told or agreed to not run the scanner again.
 3) He did so anyhow.

A better solution would have been to not do the steps 1 and 2 but make
an NDA (Ok, we know and you know but that's enough by now.) instead.
I mean, some kind of responsible disclosure.

By proposing this ethics document it was the college being
unprofessional and not the kid.

Kind regards
Stefan
-- 
make -it ./work

GnuPG-Key: B96CF8D2 s...@tanis.toppoint.de
Fingerprint: D8AC D5E7 6865 19B1 385F  8850 2AB7 6A82 B96C F8D2



Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-24 Thread Valdis . Kletnieks
On Thu, 24 Jan 2013 19:59:53 +0100, Stefan Weimar said:

  1) The kid, as part of his major, signed an ethics document.

 A better solution would have been to not do the steps 1 and 2 but make
 an NDA (Ok, we know and you know but that's enough by now.) instead.
 I mean, some kind of responsible disclosure.

 By proposing this ethics document it was the college being
 unprofessional and not the kid.

I think you misunderstand - the ethics document was signed *when he
applied* as a student.  If you think that's unprofessional, you
might want to consider that doctors, lawyers, and other professions
have ethics standards as well.  As does anybody who has a CISSP:

https://www.isc2.org/ethics/default.aspx

I'd say anybody who persisted in doing something after they promised
not to would be running afoul of the necessary public trust and confidence
clause of the CISSP code of ethics?




Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-24 Thread Jeffrey Walton
On Thu, Jan 24, 2013 at 2:22 PM,  valdis.kletni...@vt.edu wrote:
 On Thu, 24 Jan 2013 19:59:53 +0100, Stefan Weimar said:

  1) The kid, as part of his major, signed an ethics document.

 A better solution would have been to not do the steps 1 and 2 but make
 an NDA (Ok, we know and you know but that's enough by now.) instead.
 I mean, some kind of responsible disclosure.

 By proposing this ethics document it was the college being
 unprofessional and not the kid.

 I think you misunderstand - the ethics document was signed *when he
 applied* as a student.  If you think that's unprofessional, you
 might want to consider that doctors, lawyers, and other professions
 have ethics standards as well.  As does anybody who has a CISSP:
That has not stopped lawyers and judges from perverting the legal
system in the US. Judge James Ware FTW!
http://en.wikipedia.org/wiki/James_Ware_(judge).

 https://www.isc2.org/ethics/default.aspx
TLDR;

Just kidding. It's actually quite short. I wonder if the college gave
him a contract, and called it a code of ethics.

 I'd say anybody who persisted in doing something after they promised
 not to would be running afoul of the necessary public trust and confidence
 clause of the CISSP code of ethics?
Well, there could be a lot of wiggle room. How much of it is subjective?

Is it like Christianity, where the 10 Commandments are taken as 10 Suggestions?

Jeff



Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-24 Thread Stefan Weimar
Hi Valdis,

On 24 January valdis.kletni...@vt.edu wrote:

 I think you misunderstand - the ethics document was signed *when he
 applied* as a student.

Ah, ok. It's a different story then.

 I'd say anybody who persisted in doing something after they promised
 not to would be running afoul of the necessary public trust and confidence
 clause of the CISSP code of ethics?

Yes, you're absolutely right.

Kind regards
Stefan
-- 
make -it ./work

GnuPG-Key: B96CF8D2 s...@tanis.toppoint.de
Fingerprint: D8AC D5E7 6865 19B1 385F  8850 2AB7 6A82 B96C F8D2



Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-22 Thread Benji
Someone please explain to me why he had to run a vulnerability scanner to
check one vulnerability, and again, how are we still arguing about this?
Whether you think he had a 'right' to test this or not, he was either too
dumb or too naive to know it was against the law.

If anyone would like to start arguing whether it's against the (Canadian)
law:

Section 342.1 [4] (http://en.wikipedia.org/wiki/Criminal_code_section_342#cite_note-4)

Unauthorized use of computer is often used to lay charges for hackers or
someone who is involved in computer-related offences. This section states:

Every one who, fraudulently and without colour of right
(http://en.wikipedia.org/wiki/Colour_of_right),
 (a) obtains, directly or indirectly, any computer service,
 (b) by means of an electro-magnetic (http://en.wikipedia.org/wiki/Electro-magnetic),
acoustic (http://en.wikipedia.org/wiki/Acoustics), mechanical or other
device, intercepts or causes to be intercepted, directly or indirectly, any
function of a computer system,

I would suggest he broke section (b) and you could argue (a).

On Tue, Jan 22, 2013 at 3:46 AM, Nick FitzGerald
n...@virus-l.demon.co.uk wrote:

 Sanguinarious Rose to me:

  And that is the reason why no one wants to report anything they find,
  it's because of people like you and your kind of thinking.

 As you seem to have assumed a whole bunch about my kind of thinking
 that I did not put in the original post, I find the above laughable.

  Did they publicly post all the private information?
  No

 Agreed.

  Did they try to use it for malicious or illicit purposes?
  No

 Not that we know from what seems to be a rather one-sided, self-serving
 to the victim, "the system screwed poor little me" telling of the
 story.

  Did they report it when they found it?
  Yes

 Agreed.

  A horrible moral compass indeed!  ...

 No -- I said nothing about what could or should be considered about
 their moral compass _in finding_ the problem.  I did say they probably
 broke _both_ school/other ToS agreements and unauthorized access laws,
 but I did not say what I felt about that.

 It is often the case that minor transgressions of such nature are
 necessary in doing many useful things in the computer security domain.
 That alone makes it precarious territory in which to work and such
 issues should obviously be front-of-mind for _anyone_ potentially in
 such territory.

  ...  Arrest these people for being
  concerned and reporting it after stumbling upon security flaws!
  Amiright?

 No, I did not say that either.

 What you seem to have missed (other than that you are reading things
 into my previous post that are not there) was that _after_ these two
 students notified the relevant system owners/operators and/or vendors,
 apparently only _one_ of them went back and did stuff that he probably
 should not have originally done (but that we can _probably_ excuse
 because of a greater good), _again_.

 _That_ is what tells us something critical about _his_ moral compass
 (either he does not have one, it is rather under-developed for a 20-
 year old or it is rather broken).

 Did you notice that this story was not titled "Youths expelled..." or
 "Students expelled..." _despite_ the first sentence of any substance in
 the National Post article starting:

Ahmed Al-Khabaz ... was working on a mobile app ... when he and a
colleague discovered what he describes as sloppy coding in ...

 Did you notice how the rest of story fails to mention that his
 colleague was expelled?

 Poor journalism, missing a fairly major fact in the story?

 Or perhaps evidence that his colleague was not expelled because his
 colleague did not continue to mess with stuff that he should have (now)
 known he should not be messing with?

 If _both_ students had been expelled, surely the tone of indignation
 and righteousness would have been greater, so I doubt the fact that the
 article only talks of one student being expelled is due to journalistic
 oversight...

 So, Mr Rose, do you now see what you chose to avoid noticing on your
 first pass through this story and its "clever hacker cruelly
 ostracized" skew?



 Regards,

 Nick FitzGerald




Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 students personal data

2013-01-22 Thread Bzzz
On Mon, 21 Jan 2013 22:42:24 +
Philip Whitehouse phi...@whiuk.com wrote:

 Moreover, he ran it again after reporting it to see if it was still
 there. Essentially he's doing an unauthorised pen test having alerted
 them that he'd done one already.
 
 I agree with Benji.

From a European point of view, I see more a young guy thinking
he was doing the right thing, then making sure the flaw's
fixed.

There are some strange things:

he retries and *minutes* after that the phone's ringing - from
what I know of Canada's system, only 24/7 official eavesdropping
could lead to such a short delay (but even in that case more than
minutes), and I don't really think the college or Skytech had
triggered such an _official_ surveillance (otherwise the authorities
would have called, not the Skytech CEO).

It looks more like foreseeable behavior exploited to build a
setup to push him into signing the NDA.

So I think he was naïve rather than a moron.

Rise and shine, this completely justifies the existence
of this wonderful mailing list ;)

Jean-Yves
-- 
<neonoe> what means lp0 on fire ?
<Naha>   that your printer's burning
<neonoe> ah ok
<neonoe> actually
<neonoe> shit...


Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 students personal data

2013-01-22 Thread Julius Kivimäki
How is Omnivox's security relevant when this kid is running DoS tools on
their sites? (Acunetix is a nice database heavy HTTP flood tool.)



2013/1/22 Jeffrey Walton noloa...@gmail.com

 On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com
 wrote:
  Moreover, he ran it again after reporting it to see if it was still
 there.
  Essentially he's doing an unauthorised pen test having alerted them that
  he'd done one already.
 If his personal information is in the proprietary system, I believe he
 has every right to very the security of the system.

 Is he allowed to opt-out of the system (probably not)? If not, he
 has a responsibility to check.

 Open question: does Canada have Security Testing and Evaluation (STE)
 and Reverse Engineering (RE) exemptions in its laws? Even the United
 States' DMCA has them. For reference for others in the US who may be
 subject to bullying (companies have tried it on me):

 DMCA (PUBLIC LAW 105–304). It has exceptions for reverse engineering
 and security testing and evaluation. The RE exemption is in Section
 1205 (f) REVERSE ENGINEERING. The STE exemption is in Section 1205
 (i) SECURITY TESTING.

  a class A moron.
 What does that make Omnivox, which appears to have done no testing?

 Jeff

  On 21 Jan 2013, at 21:10, Benji m...@b3nji.com wrote:
 
  He found the vulnerability by running Acunetix against the system. He is
  what most would describe as a class A moron.
 
 
  On Mon, Jan 21, 2013 at 8:43 PM, Frank Bures lisfr...@chem.toronto.edu
  wrote:
 
  A student has been expelled from Montreal’s Dawson College after he
  discovered a flaw in the computer system used by most Quebec CEGEPs
  (General and Vocational Colleges), one which compromised the security of
  over 250,000 students’ personal information.
 
  Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a
  member of the school’s software development club, was working on a
 mobile
  app to allow students easier access to their college account when he
 and a
  colleague discovered what he describes as “sloppy coding” in the widely
  used Omnivox software which would allow “anyone with a basic knowledge
 of
  computers to gain access to the personal information of any student in
 the
  system, including social insurance number, home address and phone
 number,
  class schedule, basically all the information the college has on a
  student.”
 
  http://tinyurl.com/bcdrelh



Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000

2013-01-22 Thread Daniel Richards
The correct answer you're looking for is: Sell it on the black
vulnerability/exploit market. Profit!


On Tue, Jan 22, 2013 at 3:08 PM, Sanguinarious Rose
sanguiner...@occultusterra.com wrote:
 And that is the reason why no one wants to report anything they find,
 it's because of people like you and your kind of thinking.

 Did they publicly post all the private information?
 No

 Did they try to use it for malicious or illicit purposes?
 No

 Did they report it when they found it?
 Yes

 A horrible moral compass indeed! Arrest these people for being
 concerned and reporting it after stumbling upon security flaws!
 Amiright?

 On Mon, Jan 21, 2013 at 8:06 PM, Nick FitzGerald
 n...@virus-l.demon.co.uk wrote:
 Jeffrey Walton wrote:

 On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com wrote:
  Moreover, he ran it again after reporting it to see if it was still there.
  Essentially he's doing an unauthorised pen test having alerted them that
  he'd done one already.
 If his personal information is in the proprietary system, I believe he
 has every right to very the security of the system.

 BUT how can he verify (I assume that was the word you meant?) proper
 security of _his_ personal details?  He would have to test using
 someone _else's_ access credentials.  That is unauthorized access by
 most relevant legislation in most jurisdictions.

 Alternately, he could try accessing someone else's data from his login,
 and that is equally clearly unauthorized access.

 He and his colleague who originally discovered the flaw may have used
 each other's access credentials to access their own data, or used their
 own credentials to access the other's data _in agreement between
 themselves_ BUT in so doing most likely broke the terms of service of
 the system/their school/etc, _equally_ putting them afoul of most
 unauthorized access legislation.

 Is he allowed to opt-out of the system (probably not)? If not, he
 has a responsibility to check.

 BUT he has no responsibility to check on anyone _else's_ data and no
 _authority_ to use anyone else's credentials to check on his own.

 So, what responsibility does he really have?

 It sounds like he should have left well alone once he had reported this
 to the university and the vendors.  That he did not have the sense or
 moral compass to recognize that tells us something important about him.



 Regards,

 Nick FitzGerald






Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 students personal data

2013-01-22 Thread jason
On Mon, Jan 21, 2013 at 5:54 PM, Jeffrey Walton noloa...@gmail.com wrote:

 On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com
 wrote:
  Moreover, he ran it again after reporting it to see if it was still
 there.
  Essentially he's doing an unauthorised pen test having alerted them that
  he'd done one already.
 If his personal information is in the proprietary system, I believe he
 has every right to very the security of the system.


what

Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 students personal data

2013-01-22 Thread Christian Sciberras
he retries and *minutes* after that the phone's ringing - from
what I know of Canada's system, only 24/7 official eavesdropping
could lead to such a short delay

Website load monitoring == eavesdropping?


On Tue, Jan 22, 2013 at 8:37 AM, jason swor...@gmail.com wrote:

 On Mon, Jan 21, 2013 at 5:54 PM, Jeffrey Walton noloa...@gmail.com wrote:

 On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com
 wrote:
  Moreover, he ran it again after reporting it to see if it was still
 there.
  Essentially he's doing an unauthorised pen test having alerted them that
  he'd done one already.
 If his personal information is in the proprietary system, I believe he
 has every right to very the security of the system.


 what


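Christian's point, that a call minutes after a scan needs nothing more exotic than ordinary server monitoring, is easy to see in code. What follows is an added example and not code from the thread, from Omnivox/Skytech or from Acunetix: a minimal rate-and-error-ratio detector of the kind a web operations team runs over its access logs. The log lines, IP addresses, paths, user agents and thresholds are all constructed for illustration.

```python
"""Added example (not from the thread): a sliding-window scan detector over
combined-format access-log lines. It alerts on a client that either sends
too many requests per window or draws mostly 4xx responses, which is what
blind path guessing by an automated scanner looks like from the server side.
All IPs, paths, user agents and thresholds below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


class ScanDetector:
    """Per-client sliding window of (timestamp, status) pairs.

    Alerts once per client when it exceeds max_requests within window_s
    seconds, or when at least min_for_ratio requests have been seen and
    more than max_4xx_ratio of them drew a 4xx response.
    """

    def __init__(self, window_s=60, max_requests=30,
                 min_for_ratio=20, max_4xx_ratio=0.5):
        self.window_s = window_s
        self.max_requests = max_requests
        self.min_for_ratio = min_for_ratio
        self.max_4xx_ratio = max_4xx_ratio
        self.windows = defaultdict(deque)   # ip -> deque of (ts, status)
        self.first_seen = {}                # ip -> first request timestamp
        self.alerts = {}                    # ip -> (reason, seconds to alert)

    def observe(self, rec):
        ip, ts = rec["ip"], rec["ts"]
        self.first_seen.setdefault(ip, ts)
        w = self.windows[ip]
        w.append((ts, rec["status"]))
        while w and (ts - w[0][0]).total_seconds() > self.window_s:
            w.popleft()                     # drop entries outside the window
        if ip in self.alerts:
            return None                     # already alerted on this client
        n = len(w)
        n4xx = sum(1 for _, s in w if 400 <= s < 500)
        reason = None
        if n > self.max_requests:
            reason = f"{n} requests in {self.window_s}s"
        elif n >= self.min_for_ratio and n4xx / n > self.max_4xx_ratio:
            reason = f"{n4xx}/{n} responses were 4xx"
        if reason is None:
            return None
        delay = (ts - self.first_seen[ip]).total_seconds()
        self.alerts[ip] = (reason, delay)
        return ip, reason, delay


def run(lines, **thresholds):
    """Feed log lines through a detector; return {ip: (reason, delay)}."""
    det = ScanDetector(**thresholds)
    for line in lines:
        rec = parse_line(line)
        if rec:
            det.observe(rec)
    return det.alerts


def _log_line(ip, ts, path, status, ua):
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


def sample_log():
    """Constructed log: one student browsing, one scanner guessing paths."""
    base = datetime(2013, 1, 21, 14, 0, 0,
                    tzinfo=timezone(timedelta(hours=-5)))
    entries = []
    for i, path in enumerate(["/", "/login", "/schedule"]):
        t = base + timedelta(seconds=40 * i)        # three pages in two minutes
        entries.append((t, _log_line("10.0.0.5", t, path, 200, "Mozilla/5.0")))
    for i in range(40):                             # 40 probes in 30 s, mostly 404
        t = base + timedelta(seconds=0.75 * i)
        status = 200 if i % 10 == 0 else 404
        entries.append((t, _log_line("10.0.0.77", t, f"/probe{i}.php",
                                     status, "constructed-scanner/1.0")))
    entries.sort(key=lambda e: e[0])                # logs are written in time order
    return [line for _, line in entries]


if __name__ == "__main__":
    for ip, (reason, delay) in run(sample_log()).items():
        print(f"{ip}: {reason} (alert {delay:.0f}s after first request)")
```

On the constructed log the scanner trips the 4xx-ratio rule 14 seconds after its first request, long before the plain request-rate rule would; the student never comes close to either threshold. Nothing here inspects request bodies or anyone's traffic but the server's own, which is the distinction Christian is drawing.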

Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000

2013-01-22 Thread Alan J . Wylie
Nick FitzGerald n...@virus-l.demon.co.uk writes:

 According to at least one legal ruling in Germany, it is hacking (as 
 in the negative, illegal kind) to deliberately try to access upper-
 level directories of _published_ URLs _if_ the specific URLs to those 
 resources have not also been made publicly available, _despite_ that 
 they are necessarily discernible from the published URL.

In the case of the Disasters Emergency Committee hacker, he was found
guilty of put[ting] ../../../ into the address line

He was fined £400 for the offence and must pay a further £600 in
costs, and is considering a career outside the IT industry.

http://www.theregister.co.uk/2005/10/05/dec_case/
http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/
http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/

-- 
Alan J. Wylie  http://www.wylie.me.uk/


Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 students personal data

2013-01-21 Thread Benji
He found the vulnerability by running Acunetix against the system. He is
what most would describe as a class A moron.


On Mon, Jan 21, 2013 at 8:43 PM, Frank Bures lisfr...@chem.toronto.edu wrote:

 A student has been expelled from Montreal’s Dawson College after he
 discovered a flaw in the computer system used by most Quebec CEGEPs
 (General and Vocational Colleges), one which compromised the security of
 over 250,000 students’ personal information.

 Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a
 member of the school’s software development club, was working on a mobile
 app to allow students easier access to their college account when he and a
 colleague discovered what he describes as “sloppy coding” in the widely
 used Omnivox software which would allow “anyone with a basic knowledge of
 computers to gain access to the personal information of any student in the
 system, including social insurance number, home address and phone number,
 class schedule, basically all the information the college has on a
 student.”

 http://tinyurl.com/bcdrelh

 Cheers
 Frank

 --

 f...@chem.toronto.edu


Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 students personal data

2013-01-21 Thread Philip Whitehouse
Moreover, he ran it again after reporting it to see if it was still there. 
Essentially he's doing an unauthorised pen test having alerted them that he'd 
done one already.

I agree with Benji.

Regards

Philip Whitehouse

On 21 Jan 2013, at 21:10, Benji m...@b3nji.com wrote:

 He found the vulnerability by running Acunetix against the system. He is what 
 most would describe as a class A moron.
 
 
 On Mon, Jan 21, 2013 at 8:43 PM, Frank Bures lisfr...@chem.toronto.edu 
 wrote:
 A student has been expelled from Montreal’s Dawson College after he
 discovered a flaw in the computer system used by most Quebec CEGEPs
 (General and Vocational Colleges), one which compromised the security of
 over 250,000 students’ personal information.
 
 Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a
 member of the school’s software development club, was working on a mobile
 app to allow students easier access to their college account when he and a
 colleague discovered what he describes as “sloppy coding” in the widely
 used Omnivox software which would allow “anyone with a basic knowledge of
 computers to gain access to the personal information of any student in the
 system, including social insurance number, home address and phone number,
 class schedule, basically all the information the college has on a student.”
 
 http://tinyurl.com/bcdrelh
 
 Cheers
 Frank
 
 --
 
 f...@chem.toronto.edu
 
 

Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 students personal data

2013-01-21 Thread Jeffrey Walton
On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com wrote:
 Moreover, he ran it again after reporting it to see if it was still there.
 Essentially he's doing an unauthorised pen test having alerted them that
 he'd done one already.
If his personal information is in the proprietary system, I believe he
has every right to very the security of the system.

Is he allowed to opt-out of the system (probably not)? If not, he
has a responsibility to check.

Open question: does Canada have Security Testing and Evaluation (STE)
and Reverse Engineering (RE) exemptions in its laws? Even the United
States' DMCA has them. For reference for others in the US who may be
subject to bullying (companies have tried it on me):

DMCA (PUBLIC LAW 105–304). It has exceptions for reverse engineering
and security testing and evaluation. The RE exemption is in Section
1205 (f) REVERSE ENGINEERING. The STE exemption is in Section 1205
(i) SECURITY TESTING.

 a class A moron.
What does that make Omnivox, which appears to have done no testing?

Jeff

 On 21 Jan 2013, at 21:10, Benji m...@b3nji.com wrote:

 He found the vulnerability by running Acunetix against the system. He is
 what most would describe as a class A moron.


 On Mon, Jan 21, 2013 at 8:43 PM, Frank Bures lisfr...@chem.toronto.edu
 wrote:

 A student has been expelled from Montreal’s Dawson College after he
 discovered a flaw in the computer system used by most Quebec CEGEPs
 (General and Vocational Colleges), one which compromised the security of
 over 250,000 students’ personal information.

 Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a
 member of the school’s software development club, was working on a mobile
 app to allow students easier access to their college account when he and a
 colleague discovered what he describes as “sloppy coding” in the widely
 used Omnivox software which would allow “anyone with a basic knowledge of
 computers to gain access to the personal information of any student in the
 system, including social insurance number, home address and phone number,
 class schedule, basically all the information the college has on a
 student.”

 http://tinyurl.com/bcdrelh


Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 students personal data

2013-01-21 Thread Ian Hayes
On Mon, Jan 21, 2013 at 2:54 PM, Jeffrey Walton noloa...@gmail.com wrote:
 On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com wrote:
 a class A moron.
 What does that make Omnivox, which appears to have done no testing?

The two conditions are not mutually exclusive.



Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 students personal data

2013-01-21 Thread Jeffrey Walton
On Mon, Jan 21, 2013 at 5:57 PM, Ian Hayes cthulhucall...@gmail.com wrote:
 On Mon, Jan 21, 2013 at 2:54 PM, Jeffrey Walton noloa...@gmail.com wrote:
 On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com wrote:
 a class A moron.
 What does that make Omnivox, which appears to have done no testing?

 The two conditions are not mutually exclusive.
Hence the reason for appears to have done no testing.

Developer-driven security is some of the worst security I have seen.
It's the reason for this (and a few other) lists. Obvious flaws (obvious
to a security professional) tell me Omnivox has problems with their
engineering process (perhaps incomplete testing, perhaps no testing).

Jeff



Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 students personal data

2013-01-21 Thread Philip Whitehouse
 Open question: does Canada have Security Testing and Evaluation (STE)
 and Reverse Engineering (RE) exemptions in its laws? Even the United
 States' DMCA has them. For reference for others in the US who may be
 subject to bullying (companies have tried it on me):
 
 DMCA (PUBLIC LAW 105–304). It has exceptions for reverse engineering
 and security testing and evaluation. The RE exemption is in Section
 1205 (f) REVERSE ENGINEERING. The STE exemption is in Section 1205
 (i) SECURITY TESTING.


My understanding was that this allowed you to make copies of a system for 
security evaluation. The DMCA is about copyright and copyright prevention 
mechanisms, not unauthorised network intrusion. Having said that, I'm from the 
UK, so I may be totally wrong - I certainly think it would be covered by 
Computer Misuse legislation over here.

In any case, none of that precludes enforcement of Terms of Service.

You may wish to be able to attempt to access and test any system containing 
data on you, but in most countries this isn't a legal right.

Philip Whitehouse


Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000

2013-01-21 Thread Nick FitzGerald
Jeffrey Walton wrote:

 On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com wrote:
  Moreover, he ran it again after reporting it to see if it was still there.
  Essentially he's doing an unauthorised pen test having alerted them that
  he'd done one already.
 If his personal information is in the proprietary system, I believe he
 has every right to very the security of the system.

BUT how can he verify (I assume that was the word you meant?) proper 
security of _his_ personal details?  He would have to test using 
someone _else's_ access credentials.  That is unauthorized access by 
most relevant legislation in most jurisdictions.

Alternately, he could try accessing someone else's data from his login, 
and that is equally clearly unauthorized access.

He and his colleague who originally discovered the flaw may have used 
each other's access credentials to access their own data, or used their 
own credentials to access the other's data _in agreement between 
themselves_ BUT in so doing most likely broke the terms of service of 
the system/their school/etc, _equally_ putting them afoul of most 
unauthorized access legislation.

 Is he allowed to opt-out of the system (probably not)? If not, he
 has a responsibility to check.

BUT he has no responsibility to check on anyone _else's_ data and no 
_authority_ to use anyone else's credentials to check on his own.

So, what responsibility does he really have?

It sounds like he should have left well alone once he had reported this 
to the university and the vendors.  That he did not have the sense or 
moral compass to recognize that tells us something important about him.



Regards,

Nick FitzGerald




Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000

2013-01-21 Thread Sanguinarious Rose
And that is the reason why no one wants to report anything they find,
it's because of people like you and your kind of thinking.

Did they publicly post all the private information?
No

Did they try to use it for malicious or illicit purposes?
No

Did they report it when they found it?
Yes

A horrible moral compass indeed! Arrest these people for being
concerned and reporting it after stumbling upon security flaws!
Amiright?

On Mon, Jan 21, 2013 at 8:06 PM, Nick FitzGerald
n...@virus-l.demon.co.uk wrote:
 Jeffrey Walton wrote:

 On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com wrote:
  Moreover, he ran it again after reporting it to see if it was still there.
  Essentially he's doing an unauthorised pen test having alerted them that
  he'd done one already.
 If his personal information is in the proprietary system, I believe he
 has every right to very the security of the system.

 BUT how can he verify (I assume that was the word you meant?) proper
 security of _his_ personal details?  He would have to test using
 someone _else's_ access credentials.  That is unauthorized access by
 most relevant legislation in most jurisdictions.

 Alternately, he could try accessing someone else's data from his login,
 and that is equally clearly unauthorized access.

 He and his colleague who originally discovered the flaw may have used
 each other's access credentials to access their own data, or used their
 own credentials to access the other's data _in agreement between
 themselves_ BUT in so doing most likely broke the terms of service of
 the system/their school/etc, _equally_ putting them afoul of most
 unauthorized access legislation.

 Is he allowed to opt-out of the system (probably not)? If not, he
 has a responsibility to check.

 BUT he has no responsibility to check on anyone _else's_ data and no
 _authority_ to use anyone else's credentials to check on his own.

 So, what responsibility does he really have?

 It sounds like he should have left well alone once he had reported this
 to the university and the vendors.  That he did not have the sense or
 moral compass to recognize that tells us something important about him.



 Regards,

 Nick FitzGerald





Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 students personal data

2013-01-21 Thread Jeffrey Walton
On Mon, Jan 21, 2013 at 7:44 PM, Julius Kivimäki
julius.kivim...@gmail.com wrote:
 How is Omnivox's security relevant when this kid is running DoS tools on
 their sites? (Acunetix is a nice database heavy HTTP flood tool.)
I don't know.

Could Acunetix be used to find a 250,000 record information leak
(injection?)? If not, perhaps it was exaggerated by the site's owner
in order to deflect bad press and tip the scales of justice.

Manipulating the justice system is nothing new. Ma Bell did it with
Mitnick. They claimed millions in losses due to Mitnick, but failed to
list it in their SEC filings (required by law at the time). They would
not answer questions pertaining to the 'accounting irregularities'
when cross-examined during trial.

Jeff

 2013/1/22 Jeffrey Walton noloa...@gmail.com

 On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com
 wrote:
  Moreover, he ran it again after reporting it to see if it was still
  there.
  Essentially he's doing an unauthorised pen test having alerted them that
  he'd done one already.
 If his personal information is in the proprietary system, I believe he
 has every right to very the security of the system.

 Is he allowed to opt-out of the system (probably not)? If not, he
 has a responsibility to check.

 Open question: does Canada have Security Testing and Evaluation (STE)
 and Reverse Engineering (RE) exemptions in its laws? Even the United
 States' DMCA has them. For reference for others in the US who may be
 subject to bullying (companies have tried it on me):

 DMCA (PUBLIC LAW 105–304). It has exceptions for reverse engineering
 and security testing and evaluation. The RE exemption is in Section
 1205 (f) REVERSE ENGINEERING. The STE exemption is in Section 1205
 (i) SECURITY TESTING.

  a class A moron.
 What does that make Omnivox, which appears to have done no testing?

 Jeff

  On 21 Jan 2013, at 21:10, Benji m...@b3nji.com wrote:
 
  He found the vulnerability by running Acunetix against the system. He is
  what most would describe as a class A moron.
 
  On Mon, Jan 21, 2013 at 8:43 PM, Frank Bures lisfr...@chem.toronto.edu
  wrote:
 
  A student has been expelled from Montreal’s Dawson College after he
  discovered a flaw in the computer system used by most Quebec CEGEPs
  (General and Vocational Colleges), one which compromised the security
  of
  over 250,000 students’ personal information.
 
  Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a
  member of the school’s software development club, was working on a
  mobile
  app to allow students easier access to their college account when he
  and a
  colleague discovered what he describes as “sloppy coding” in the widely
  used Omnivox software which would allow “anyone with a basic knowledge
  of
  computers to gain access to the personal information of any student in
  the
  system, including social insurance number, home address and phone
  number,
  class schedule, basically all the information the college has on a
  student.”
 
  http://tinyurl.com/bcdrelh


Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000

2013-01-21 Thread Jeffrey Walton
On Mon, Jan 21, 2013 at 8:06 PM, Nick FitzGerald
n...@virus-l.demon.co.uk wrote:
 Jeffrey Walton wrote:

 On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com wrote:
  Moreover, he ran it again after reporting it to see if it was still there.
  Essentially he's doing an unauthorised pen test having alerted them that
  he'd done one already.
 If his personal information is in the proprietary system, I believe he
 has every right to very the security of the system.

 BUT how can he verify (I assume that was the word you meant?) proper
 security of _his_ personal details?  He would have to test using
 someone _else's_ access credentials.  That is unauthorized access by
 most relevant legislation in most jurisdictions.
Yes, my bad. Autocorrect has turned my bad spelling into bad grammar.

 Alternately, he could try accessing someone else's data from his login,
 and that is equally clearly unauthorized access.

 He and his colleague who originally discovered the flaw may have used
 each other's access credentials to access their own data, or used their
 own credentials to access the other's data _in agreement between
 themselves_ BUT in so doing most likely broke the terms of service of
 the system/their school/etc, _equally_ putting them afoul of most
 unauthorized access legislation.

 Is he allowed to opt-out of the system (probably not)? If not, he
 has a responsibility to check.

 BUT he has no responsibility to check on anyone _else's_ data and no
 _authority_ to use anyone else's credentials to check on his own.
I would argue that's part of testing the system. If I log in and get a
token back, I'm going to try a simple increment (and other
transformations on the token) to see if it's predictable. If I happen
to get another's record, that demonstrates the flaw in the system and
not 'testing on behalf of another'.

What did he do with the other records he retrieved? I suspect he used
them as proof of concept; and did not use them for a work visa or
credit card. But I could be wrong.

 So, what responsibility does he really have?
We have the responsibility to protect our own data, because class-A
fuckups like Omnivox don't do it. Once the data is lost, you can't get
it back - the genie is out of the bottle.

That's coming from a guy who was part of a breach in the 1990s. It
cost me about $10,000 to fix it back then. It started again in the
mid-2000's. I'm not fixing it this time.

 It sounds like he should have left well alone once he had reported this
 to the university and the vendors.  That he did not have the sense or
 moral compass to recognize that tells us something important about him.
Does that sword cut both ways? How about Nokia/Opera and their
destruction of the secure channel? How about Trustwave and their
fraudulent certificates that destroyed the secure channel?

Or do these things (law and moral compasses) only apply to individuals?

Jeff



Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-21 Thread Nick FitzGerald
Hi all,

Jeffrey Walton to me:

  [...]
  BUT he has no responsibility to check on anyone _else's_ data and no
  _authority_ to use anyone else's credentials to check on his own.
 I would argue that's part of testing the system. If I log in and get a
 token back, I'm going to try a simple increment (and other
 transformations on the token) to see if it's predictable. If I happen
 to get another's record, that demonstrates the flaw in the system and
 not 'testing on behalf of another'.

Which may well put you on very thin legal ice.

According to at least one legal ruling in Germany, it is hacking (as 
in the negative, illegal kind) to deliberately try to access 
upper-level directories of _published_ URLs _if_ the specific URLs to those 
resources have not also been made publicly available, _despite_ that 
they are necessarily discernible from the published URL.  Silly as that 
may seem, I'm pretty sure that tweaking tokens in cookie values and the 
like would be equally, if not more, egregious hacking in front of 
that court.

 What did he do with the other records he retrieved? I suspect he used
 them as proof of concept; and did not use them for a work visa or
 credit card. But I could be wrong.

Indeed, we do not know, but as there is no suggestion that anything 
further was done with whatever records were illicitly accessed, I 
suspect that nothing is what was done with that data (and it seems 
likely the heavy-handed legalistic mouthings of the vendor spokespeople 
would have touched on this if they had any inkling or evidence that 
such had happened).

  So, what responsibility does he really have?
 We have the responsibility to protect our own data, because class-A
 fuckups like Omnivox don't do it. Once the data is lost, you can't get
 it back - the genie is out of the bottle.

Sadly, you cannot protect it when it is already in others' hands...

It seems that, in general, once you've _en_trusted such data to others, 
our (current) legal system is of the opinion that you have accepted 
that you _trust_ their ability to maintain its confidentiality, etc.

This is not good, but it's also very difficult to see how an individual 
can really do much _useful_ about that either.

A lot of our technological advances have come at the cost of a loss 
of a lot of control of confidentiality of information.  This is a 
trade-off that many have probably made without even realizing it, and 
certainly without realizing the _scale_ of it.

 That's coming from a guy who was part of a breach in the 1990s. It
 cost me about $10,000 to fix it back then. It started again in the
 mid-2000's. I'm not fixing it this time.

I'm sorry, for you, to hear this.

  It sounds like he should have left well alone once he had reported this
  to the university and the vendors.  That he did not have the sense or
  moral compass to recognize that tells us something important about him.
 Does that sword cut both ways? How about Nokia/Opera and their
 destruction of the secure channel? How about Trustwave and their
 fraudulent certificates that destroyed the secure channel?
 
 Or do these things (law and moral compasses) only apply to individuals?

In my previous message I did not address the responsibilities -- nor 
their common, commonly egregious and often entirely predictable failing 
of such -- of those holding personal, confidential, etc data.

I think my opinion of that part of the industry, in general, is pretty 
obvious though, from this and many other messages I have posted to 
public lists like this...

Sadly, as I said above, our legal (and perhaps societal) mechanisms 
have not yet caught up with the implications of our recent (last ~70 
years) technological progress in the areas of data processing, 
retention, sharing and mining.  I suspect though, that on balance, it 
is probably better that such legalistic and societal changes lag such 
technological advances, but I also suspect we are getting to the point 
where that gap may be too large and too much power (or too little real 
responsibility) will end up in the hands of those who clearly should 
not only be doing more, but should be expected and required to do more.



Regards,

Nick FitzGerald




Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-21 Thread Nick FitzGerald
Sanguinarious Rose to me:

 And that is the reason why no one wants to report anything they find,
 it's because of people like you and your kind of thinking.

As you seem to have assumed a whole bunch about my kind of thinking 
that I did not put in the original post, I find the above laughable.

 Did they publicly post all the private information?
 No

Agreed.

 Did they try to use it for malicious or illicit purposes?
 No

Not that we know from what seems to be a rather one-sided, 
self-serving-to-the-victim, "the system screwed poor little me" telling 
of the story.

 Did they report it when they found it?
 Yes

Agreed.

 A horrible moral compass indeed!  ...

No -- I said nothing about what could or should be considered about 
their moral compass _in finding_ the problem.  I did say they probably 
broke _both_ school/other ToS agreements and unauthorized access laws, 
but I did not say what I felt about that.

It is often the case that minor transgressions of such nature are 
necessary in doing many useful things in the computer security domain.  
That alone makes it precarious territory in which to work and such 
issues should obviously be front-of-mind for _anyone_ potentially in 
such territory.

 ...  Arrest these people for being
 concerned and reporting it after stumbling upon security flaws!
 Amiright?

No, I did not say that either.

What you seem to have missed (other than that you are reading things 
into my previous post that are not there) was that _after_ these two 
students notified the relevant system owners/operators and/or vendors, 
apparently only _one_ of them went back and did stuff that he probably 
should not have originally done (but that we can _probably_ excuse 
because of a greater good), _again_.

_That_ is what tells us something critical about _his_ moral compass 
(either he does not have one, it is rather under-developed for a 
20-year-old or it is rather broken).

Did you notice that this story was not titled "Youths expelled..." or 
"Students expelled..." _despite_ the first sentence of any substance in 
the National Post article starting:

   Ahmed Al-Khabaz ... was working on a mobile app ... when he and a
   colleague discovered what he describes as "sloppy coding" in ...

Did you notice how the rest of story fails to mention that his 
colleague was expelled?

Poor journalism, missing a fairly major fact in the story?

Or perhaps evidence that his colleague was not expelled because his 
colleague did not continue to mess with stuff that he should have (now) 
known he should not be messing with?

If _both_ students had been expelled, surely the tone of indignation 
and righteousness would have been greater, so I doubt the fact that the 
article only talks of one student being expelled is due to journalistic 
oversight...

So, Mr Rose, do you now see what you chose to avoid noticing on your 
first pass through this story and its "clever hacker cruelly 
ostracized" skew?



Regards,

Nick FitzGerald

