lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 Jan 2013 12:41:46 -0500
From: Peter Dawson <slash.pd@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Student expelled from Montreal college after
 finding vulnerability that compromised security of 250, 000

@Valdis, your correct.

"He was expelled for other reasons. Despite receiving clear directives not
to, he attempted repeatedly to intrude into areas of College information
systems that had no relation with student information systems.

These actions and behaviours breach the *code of professional
conduct<http://www.dawsoncollege.qc.ca/public/72b18975-8251-444e-8af8-224b7df11fb7/info_desk/420a0_-_professional_conduct.pdf>
* for Computer Science students, a serious breach that requires the College
to act."


/pd

On Thu, Jan 24, 2013 at 12:34 PM, <Valdis.Kletnieks@...edu> wrote:

> On Thu, 24 Jan 2013 10:16:29 -0500, Benjamin Kreuter said:
>
> > There is also the matter of the school itself.  They were presented
> > with a student who had found a vulnerability, reported it, and then
> > checked to see if there were still problems.  Does expulsion really
> > sound like a reasonable punishment to you?  Does any punishment seem in
> > order, given that the student made no attempt to maliciously exploit
> > his discoveries?  It seems to me that a much better approach would have
> > been to offer the student a chance to present the vulnerability in a
> > computer security class.  The school's mission is, theoretically, to
> > teach its students -- why, then, would they remove from the student
> > body someone who could do just that?
>
> I've seen reference to a few more details on this - namely:
>
> 1) The kid, as part of his major, signed an ethics document.
> 2) He was either told or agreed to not run the scanner again.
> 3) He did so anyhow.
>
> and that he didn't get kicked out because he ran the scanner, but
> because he did so *in violation of the ethics standard*.
>
> I'll probably have to go back and find references for all that - but
> even without that, it's something to think about.  If somebody
> agrees not to do something, and then does it anyhow, is he *trustworthy*
> enough for a degree in that field?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists