On 1/22/13, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
On Tuesday, January 22, 2013, Matt Palmer wrote:
What the article may not tell us is what the applicable College's technology policies would be, or what sort of contacts between student and university staff were taking place. I see this more as a press relations failure on the College's part, as they failed to have a plausible explanation for their choice published, instead deciding to cite student privacy concerns. Apparently, they bother to have students agree to certain professional codes, but fail also to require students to agree that if they reveal disciplinary action against them to the media, they waive the privacy rights over the matter. It's possible there was a warning received or ignored the first time, that the student chose to ignore. Or the first event was allowed to slide only because of the circumstances, or enforcement of policy was ignored because a 1st offense is excused. But after a very blatant 2nd occurrence, or the 1st offense actually formally reported to the school, it was just too much. Or the student did not engage properly, or with the proper attitude. For example, by failing to mention/discuss any offer or intent to re-test or rescan or help verify the vulnerability was indeed closed. Such institutions often have bureaucratic rules, and internal politics/requirements to be seen enforcing their rules, and enforcing their rules equally (not necessarily fairly, or with any reasonable sort of logic). I believe the same to be true of governments and other large organizations -- intent doesn't always matter, when allowed behaviors are dictated by written rules. The actor may intend to do good, and have in fact done 200x as much good as harm in action, but the rules are clear, and demand action. Violations of security policies often specify expulsion specifically, and the choice of rigid enforcement might be part of their defined security plan.
The college could very well have a rule to cite that was reported to them as broken, and therefore their hands were tied as soon as the 14 profs agreed that yes, this was a breach, and yes, expulsion is required by the policy in that case.
Report - yes. What this kid seems to have done is - reported it, got thanked for it. Then went ahead and pentested the site to see for himself
Yeah... about that. So he didn't just "test" if the vulnerability previously found still existed; the article suggests he ran an in-depth scanning suite against the site a 2nd time. This certainly differentiates the behavior from the normal malware probing activity -- because it's a return attacker, which may result in escalation of a previously recorded security incident. Discovering a vulnerability by chance, when interfacing with a website, and reporting it are one thing. Deliberately running invasive high-impact scanning tools (tools that contain warnings against use on production sites), spidering an entire site, with numerous very obvious attack attempts, potentially generating significant load and setting off many security monitoring alarms -- attempting to exploit a previously found, or find new, vulnerabilities on someone else's server on someone else's network, without permission from the network/server operator, is for sure not a White Hat move. It may be a Gray Hat move; however, as far as a security incident response team would be concerned, the assumption has to be that any unauthorized, obvious, protracted intrusion attempt is malicious; therefore, recovery and recourse processes should be initiated upon detection. The student's word that he wouldn't steal anything isn't very credible after launching two attack attempts. Indeed... the school's description of violation of professional standards would be accurate. A professional security auditor or white hat would generally not be running high volume invasive exploit attempts against foreign networks without securing permission.
Expulsion, maybe not, though the article I read said 14 out of 15 profs in his college voted to boot the kid out.
It didn't say under what circumstances they make that decision though. It may be standard procedure that it's a thing done in private, and the de-facto rule is one person makes a recommendation and everyone almost always agrees, or "default is Yes" unless someone raises a specific objection. So there's a lot of things that could mean <g>
--srs -- -JH